diff --git a/CMakeLists.txt b/CMakeLists.txt
index 243582ed..1e401fb5 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -219,6 +219,76 @@ define_kem_alg(kyber512_clean
 if(${ARCH} STREQUAL "ARCH_x86_64")
 set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -march=haswell")
+
+set(
+ SRC_AVX2_DILITHIUM2
+ crypto_sign/dilithium2/avx2/consts.c
+ crypto_sign/dilithium2/avx2/f1600x4.S
+ crypto_sign/dilithium2/avx2/fips202x4.c
+ crypto_sign/dilithium2/avx2/invntt.S
+ crypto_sign/dilithium2/avx2/ntt.S
+ crypto_sign/dilithium2/avx2/packing.c
+ crypto_sign/dilithium2/avx2/pointwise.S
+ crypto_sign/dilithium2/avx2/poly.c
+ crypto_sign/dilithium2/avx2/polyvec.c
+ crypto_sign/dilithium2/avx2/rejsample.c
+ crypto_sign/dilithium2/avx2/rounding.c
+ crypto_sign/dilithium2/avx2/shuffle.S
+ crypto_sign/dilithium2/avx2/sign.c
+ crypto_sign/dilithium2/avx2/symmetric-shake.c)
+set(
+ INC_AVX2_DILITHIUM2
+ crypto_sign/dilithium2/avx2
+)
+define_sig_alg(dilithium2_avx2
+ PQCLEAN_DILITHIUM2_AVX2 "${SRC_AVX2_DILITHIUM2}" "${INC_AVX2_DILITHIUM2}")
+
+set(
+ SRC_AVX2_DILITHIUM3
+ crypto_sign/dilithium3/avx2/consts.c
+ crypto_sign/dilithium3/avx2/f1600x4.S
+ crypto_sign/dilithium3/avx2/fips202x4.c
+ crypto_sign/dilithium3/avx2/invntt.S
+ crypto_sign/dilithium3/avx2/ntt.S
+ crypto_sign/dilithium3/avx2/packing.c
+ crypto_sign/dilithium3/avx2/pointwise.S
+ crypto_sign/dilithium3/avx2/poly.c
+ crypto_sign/dilithium3/avx2/polyvec.c
+ crypto_sign/dilithium3/avx2/rejsample.c
+ crypto_sign/dilithium3/avx2/rounding.c
+ crypto_sign/dilithium3/avx2/shuffle.S
+ crypto_sign/dilithium3/avx2/sign.c
+ crypto_sign/dilithium3/avx2/symmetric-shake.c)
+set(
+ INC_AVX2_DILITHIUM3
+ crypto_sign/dilithium3/avx2
+)
+define_sig_alg(dilithium3_avx2
+ PQCLEAN_DILITHIUM3_AVX2 "${SRC_AVX2_DILITHIUM3}" "${INC_AVX2_DILITHIUM3}")
+
+set(
+ SRC_AVX2_DILITHIUM5
+ crypto_sign/dilithium5/avx2/consts.c
+ crypto_sign/dilithium5/avx2/f1600x4.S
+ crypto_sign/dilithium5/avx2/fips202x4.c
+ crypto_sign/dilithium5/avx2/invntt.S
+ crypto_sign/dilithium5/avx2/ntt.S
+ crypto_sign/dilithium5/avx2/packing.c
+ crypto_sign/dilithium5/avx2/pointwise.S
+ crypto_sign/dilithium5/avx2/poly.c
+ crypto_sign/dilithium5/avx2/polyvec.c
+ crypto_sign/dilithium5/avx2/rejsample.c
+ crypto_sign/dilithium5/avx2/rounding.c
+ crypto_sign/dilithium5/avx2/shuffle.S
+ crypto_sign/dilithium5/avx2/sign.c
+ crypto_sign/dilithium5/avx2/symmetric-shake.c)
+set(
+ INC_AVX2_DILITHIUM5
+ crypto_sign/dilithium5/avx2
+)
+define_sig_alg(dilithium5_avx2
+ PQCLEAN_DILITHIUM5_AVX2 "${SRC_AVX2_DILITHIUM5}" "${INC_AVX2_DILITHIUM5}")
+
 set(
 SRC_AVX2_KYBER512
 crypto_kem/kyber512/avx2/cbd.c
diff --git a/crypto_kem/frodokem1344aes/META.yml b/crypto_kem/frodokem1344aes/META.yml
deleted file mode 100644
index 4f77bf69..00000000
--- a/crypto_kem/frodokem1344aes/META.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-name: FrodoKEM-1344-AES
-type: kem
-claimed-nist-level: 5
-claimed-security: IND-CCA2
-length-public-key: 21520
-length-secret-key: 43088
-length-ciphertext: 21632
-length-shared-secret: 32
-nistkat-sha256: 2f4f1c352c1b343cce386c54234ca39fe29b48e45c66300f7311f5d3060d82b3
-principal-submitters:
- - Michael Naehrig, Microsoft Research
-auxiliary-submitters:
-- Erdem Alkim
-- Joppe W. Bos, NXP Semiconductors
-- Léo Ducas, CWI
-- Patrick Longa, Microsoft Research
-- Ilya Mironov, Google
-- Valeria Nikolaenko
-- Chris Peikert, University of Michigan
-- Ananth Raghunathan, Google
-- Douglas Stebila, University of Waterloo
-- Karen Easterbrook, Microsoft Research
-- Brian LaMacchia, Microsoft Research
-implementations:
-- name: clean
- version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db
-- name: opt
- version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db
diff --git a/crypto_kem/frodokem1344aes/clean/LICENSE b/crypto_kem/frodokem1344aes/clean/LICENSE
deleted file mode 100644
index 5cf7c8db..00000000
--- a/crypto_kem/frodokem1344aes/clean/LICENSE
+++ /dev/null
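Review bot: The three Dilithium blocks in the CMakeLists.txt hunk are the same 24 lines with only the parameter-set digit changed, so a later change to the AVX2 file list (a source added or dropped in the upstream implementation) has to be repeated three times and can drift silently between levels; a `foreach(level 2 3 5)` over a `crypto_sign/dilithium${level}/avx2` prefix lists each file once while keeping the `SRC_AVX2_DILITHIUM<n>`/`INC_AVX2_DILITHIUM<n>` variable names and the `define_sig_alg` calls unchanged for anything else that reads them. The `.S` sources additionally require the ASM language to be enabled for the project (`enable_language(ASM)` or `LANGUAGES C ASM`); that is not visible in this hunk, and the existing Kyber AVX2 lists continuing past it presumably already settle it, but it is worth confirming before merge. The enclosing `if(${ARCH} STREQUAL "ARCH_x86_64")` block starts before the hunk and ends after it.
```cmake
# … unchanged: if(${ARCH} STREQUAL "ARCH_x86_64") / -march=haswell …
foreach(level 2 3 5)
  set(dilithium_avx2_dir crypto_sign/dilithium${level}/avx2)
  set(
    SRC_AVX2_DILITHIUM${level}
    ${dilithium_avx2_dir}/consts.c
    ${dilithium_avx2_dir}/f1600x4.S
    ${dilithium_avx2_dir}/fips202x4.c
    ${dilithium_avx2_dir}/invntt.S
    ${dilithium_avx2_dir}/ntt.S
    ${dilithium_avx2_dir}/packing.c
    ${dilithium_avx2_dir}/pointwise.S
    ${dilithium_avx2_dir}/poly.c
    ${dilithium_avx2_dir}/polyvec.c
    ${dilithium_avx2_dir}/rejsample.c
    ${dilithium_avx2_dir}/rounding.c
    ${dilithium_avx2_dir}/shuffle.S
    ${dilithium_avx2_dir}/sign.c
    ${dilithium_avx2_dir}/symmetric-shake.c)
  set(INC_AVX2_DILITHIUM${level} ${dilithium_avx2_dir})
  define_sig_alg(dilithium${level}_avx2
    PQCLEAN_DILITHIUM${level}_AVX2 "${SRC_AVX2_DILITHIUM${level}}" "${INC_AVX2_DILITHIUM${level}}")
endforeach()
# … unchanged: SRC_AVX2_KYBER512 list …
```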
@@ -1,21 +0,0 @@ -MIT License - -Copyright (c) Microsoft Corporation. All rights reserved. - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE diff --git a/crypto_kem/frodokem1344aes/clean/Makefile.Microsoft_nmake b/crypto_kem/frodokem1344aes/clean/Makefile.Microsoft_nmake deleted file mode 100644 index 7a0f5683..00000000 --- a/crypto_kem/frodokem1344aes/clean/Makefile.Microsoft_nmake +++ /dev/null @@ -1,19 +0,0 @@ -# This Makefile can be used with Microsoft Visual Studio's nmake using the command: -# nmake /f Makefile.Microsoft_nmake - -LIBRARY=libfrodokem1344aes_clean.lib -OBJECTS=kem.obj matrix_aes.obj noise.obj util.obj - -CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX - -all: $(LIBRARY) - -# Make sure objects are recompiled if headers change. -$(OBJECTS): *.h - -$(LIBRARY): $(OBJECTS) - LIB.EXE /NOLOGO /WX /OUT:$@ $** - -clean: - -DEL $(OBJECTS) - -DEL $(LIBRARY) 
diff --git a/crypto_kem/frodokem1344aes/clean/api.h b/crypto_kem/frodokem1344aes/clean/api.h deleted file mode 100644 index d7b783c2..00000000 --- a/crypto_kem/frodokem1344aes/clean/api.h +++ /dev/null @@ -1,20 +0,0 @@ -#ifndef PQCLEAN_FRODOKEM1344AES_CLEAN_API_H -#define PQCLEAN_FRODOKEM1344AES_CLEAN_API_H - -#include -#include - -#define PQCLEAN_FRODOKEM1344AES_CLEAN_CRYPTO_SECRETKEYBYTES 43088 // sizeof(s) + CRYPTO_PUBLICKEYBYTES + 2*PARAMS_N*PARAMS_NBAR + BYTES_PKHASH -#define PQCLEAN_FRODOKEM1344AES_CLEAN_CRYPTO_PUBLICKEYBYTES 21520 // sizeof(seed_A) + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 -#define PQCLEAN_FRODOKEM1344AES_CLEAN_CRYPTO_BYTES 32 -#define PQCLEAN_FRODOKEM1344AES_CLEAN_CRYPTO_CIPHERTEXTBYTES 21632 // (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 + (PARAMS_LOGQ*PARAMS_NBAR*PARAMS_NBAR)/8 - -#define PQCLEAN_FRODOKEM1344AES_CLEAN_CRYPTO_ALGNAME "FrodoKEM-1344-AES" - -int PQCLEAN_FRODOKEM1344AES_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk); - -int PQCLEAN_FRODOKEM1344AES_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); - -int PQCLEAN_FRODOKEM1344AES_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - -#endif diff --git a/crypto_kem/frodokem1344aes/clean/common.h b/crypto_kem/frodokem1344aes/clean/common.h deleted file mode 100644 index 524370f0..00000000 --- a/crypto_kem/frodokem1344aes/clean/common.h +++ /dev/null 
@@ -1,21 +0,0 @@ -#ifndef COMMON_H -#define COMMON_H - -int PQCLEAN_FRODOKEM1344AES_CLEAN_mul_add_as_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A); -int PQCLEAN_FRODOKEM1344AES_CLEAN_mul_add_sa_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A); -void PQCLEAN_FRODOKEM1344AES_CLEAN_sample_n(uint16_t *s, size_t n); -void PQCLEAN_FRODOKEM1344AES_CLEAN_mul_bs(uint16_t *out, const uint16_t *b, const uint16_t *s); -void PQCLEAN_FRODOKEM1344AES_CLEAN_mul_add_sb_plus_e(uint16_t *out, const uint16_t *b, const uint16_t *s, const uint16_t *e); -void PQCLEAN_FRODOKEM1344AES_CLEAN_add(uint16_t *out, const uint16_t *a, const uint16_t *b); -void PQCLEAN_FRODOKEM1344AES_CLEAN_sub(uint16_t *out, const uint16_t *a, const uint16_t *b); -void PQCLEAN_FRODOKEM1344AES_CLEAN_key_encode(uint16_t *out, const uint16_t *in); -void PQCLEAN_FRODOKEM1344AES_CLEAN_key_decode(uint16_t *out, const uint16_t *in); -void PQCLEAN_FRODOKEM1344AES_CLEAN_pack(uint8_t *out, size_t outlen, const uint16_t *in, size_t inlen, uint8_t lsb); -void PQCLEAN_FRODOKEM1344AES_CLEAN_unpack(uint16_t *out, size_t outlen, const uint8_t *in, size_t inlen, uint8_t lsb); -int8_t PQCLEAN_FRODOKEM1344AES_CLEAN_ct_verify(const uint16_t *a, const uint16_t *b, size_t len); -void PQCLEAN_FRODOKEM1344AES_CLEAN_ct_select(uint8_t *r, const uint8_t *a, const uint8_t *b, size_t len, int8_t selector); -void PQCLEAN_FRODOKEM1344AES_CLEAN_clear_bytes(uint8_t *mem, size_t n); -uint16_t PQCLEAN_FRODOKEM1344AES_CLEAN_LE_TO_UINT16(uint16_t n); -uint16_t PQCLEAN_FRODOKEM1344AES_CLEAN_UINT16_TO_LE(uint16_t n); - -#endif diff --git a/crypto_kem/frodokem1344aes/clean/kem.c b/crypto_kem/frodokem1344aes/clean/kem.c deleted file mode 100644 index fcef3ee4..00000000 --- a/crypto_kem/frodokem1344aes/clean/kem.c +++ /dev/null 
@@ -1,237 +0,0 @@ -/******************************************************************************************** -* FrodoKEM: Learning with Errors Key Encapsulation -* -* Abstract: Key Encapsulation Mechanism (KEM) based on Frodo -*********************************************************************************************/ - -#include -#include - -#include "fips202.h" -#include "randombytes.h" - -#include "api.h" -#include "common.h" -#include "params.h" - -int PQCLEAN_FRODOKEM1344AES_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) { - // FrodoKEM's key generation - // Outputs: public key pk ( BYTES_SEED_A + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 bytes) - // secret key sk (CRYPTO_BYTES + BYTES_SEED_A + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 + 2*PARAMS_N*PARAMS_NBAR + BYTES_PKHASH bytes) - uint8_t *pk_seedA = &pk[0]; - uint8_t *pk_b = &pk[BYTES_SEED_A]; - uint8_t *sk_s = &sk[0]; - uint8_t *sk_pk = &sk[CRYPTO_BYTES]; - uint8_t *sk_S = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES]; - uint8_t *sk_pkh = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES + 2 * PARAMS_N * PARAMS_NBAR]; - uint16_t B[PARAMS_N * PARAMS_NBAR] = {0}; - uint16_t S[2 * PARAMS_N * PARAMS_NBAR] = {0}; // contains secret data - uint16_t *E = &S[PARAMS_N * PARAMS_NBAR]; // contains secret data - uint8_t randomness[2 * CRYPTO_BYTES + BYTES_SEED_A]; // contains secret data via randomness_s and randomness_seedSE - uint8_t *randomness_s = &randomness[0]; // contains secret data - uint8_t *randomness_seedSE = &randomness[CRYPTO_BYTES]; // contains secret data - uint8_t *randomness_z = &randomness[2 * CRYPTO_BYTES]; - uint8_t shake_input_seedSE[1 + CRYPTO_BYTES]; // contains secret data - - // Generate the secret value s, the seed for S and E, and the seed for the seed for A. Add seed_A to the public key - randombytes(randomness, CRYPTO_BYTES + CRYPTO_BYTES + BYTES_SEED_A); - shake(pk_seedA, BYTES_SEED_A, randomness_z, BYTES_SEED_A); - - // Generate S and E, and compute B = A*S + E. 
Generate A on-the-fly - shake_input_seedSE[0] = 0x5F; - memcpy(&shake_input_seedSE[1], randomness_seedSE, CRYPTO_BYTES); - shake((uint8_t *)S, 2 * PARAMS_N * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSE, 1 + CRYPTO_BYTES); - for (size_t i = 0; i < 2 * PARAMS_N * PARAMS_NBAR; i++) { - S[i] = PQCLEAN_FRODOKEM1344AES_CLEAN_LE_TO_UINT16(S[i]); - } - PQCLEAN_FRODOKEM1344AES_CLEAN_sample_n(S, PARAMS_N * PARAMS_NBAR); - PQCLEAN_FRODOKEM1344AES_CLEAN_sample_n(E, PARAMS_N * PARAMS_NBAR); - PQCLEAN_FRODOKEM1344AES_CLEAN_mul_add_as_plus_e(B, S, E, pk); - - // Encode the second part of the public key - PQCLEAN_FRODOKEM1344AES_CLEAN_pack(pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, B, PARAMS_N * PARAMS_NBAR, PARAMS_LOGQ); - - // Add s, pk and S to the secret key - memcpy(sk_s, randomness_s, CRYPTO_BYTES); - memcpy(sk_pk, pk, CRYPTO_PUBLICKEYBYTES); - for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) { - S[i] = PQCLEAN_FRODOKEM1344AES_CLEAN_UINT16_TO_LE(S[i]); - } - memcpy(sk_S, S, 2 * PARAMS_N * PARAMS_NBAR); - - // Add H(pk) to the secret key - shake(sk_pkh, BYTES_PKHASH, pk, CRYPTO_PUBLICKEYBYTES); - - // Cleanup: - PQCLEAN_FRODOKEM1344AES_CLEAN_clear_bytes((uint8_t *)S, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM1344AES_CLEAN_clear_bytes((uint8_t *)E, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM1344AES_CLEAN_clear_bytes(randomness, 2 * CRYPTO_BYTES); - PQCLEAN_FRODOKEM1344AES_CLEAN_clear_bytes(shake_input_seedSE, 1 + CRYPTO_BYTES); - return 0; -} - - -int PQCLEAN_FRODOKEM1344AES_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk) { - // FrodoKEM's key encapsulation - const uint8_t *pk_seedA = &pk[0]; - const uint8_t *pk_b = &pk[BYTES_SEED_A]; - uint8_t *ct_c1 = &ct[0]; - uint8_t *ct_c2 = &ct[(PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8]; - uint16_t B[PARAMS_N * PARAMS_NBAR] = {0}; - uint16_t V[PARAMS_NBAR * PARAMS_NBAR] = {0}; // contains secret data - uint16_t C[PARAMS_NBAR * PARAMS_NBAR] = {0}; - uint16_t Bp[PARAMS_N 
* PARAMS_NBAR] = {0}; - uint16_t Sp[(2 * PARAMS_N + PARAMS_NBAR)*PARAMS_NBAR] = {0}; // contains secret data - uint16_t *Ep = &Sp[PARAMS_N * PARAMS_NBAR]; // contains secret data - uint16_t *Epp = &Sp[2 * PARAMS_N * PARAMS_NBAR]; // contains secret data - uint8_t G2in[BYTES_PKHASH + BYTES_MU]; // contains secret data via mu - uint8_t *pkh = &G2in[0]; - uint8_t *mu = &G2in[BYTES_PKHASH]; // contains secret data - uint8_t G2out[2 * CRYPTO_BYTES]; // contains secret data - uint8_t *seedSE = &G2out[0]; // contains secret data - uint8_t *k = &G2out[CRYPTO_BYTES]; // contains secret data - uint8_t Fin[CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES]; // contains secret data via Fin_k - uint8_t *Fin_ct = &Fin[0]; - uint8_t *Fin_k = &Fin[CRYPTO_CIPHERTEXTBYTES]; // contains secret data - uint8_t shake_input_seedSE[1 + CRYPTO_BYTES]; // contains secret data - - // pkh <- G_1(pk), generate random mu, compute (seedSE || k) = G_2(pkh || mu) - shake(pkh, BYTES_PKHASH, pk, CRYPTO_PUBLICKEYBYTES); - randombytes(mu, BYTES_MU); - shake(G2out, CRYPTO_BYTES + CRYPTO_BYTES, G2in, BYTES_PKHASH + BYTES_MU); - - // Generate Sp and Ep, and compute Bp = Sp*A + Ep. 
Generate A on-the-fly - shake_input_seedSE[0] = 0x96; - memcpy(&shake_input_seedSE[1], seedSE, CRYPTO_BYTES); - shake((uint8_t *)Sp, (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSE, 1 + CRYPTO_BYTES); - for (size_t i = 0; i < (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR; i++) { - Sp[i] = PQCLEAN_FRODOKEM1344AES_CLEAN_LE_TO_UINT16(Sp[i]); - } - PQCLEAN_FRODOKEM1344AES_CLEAN_sample_n(Sp, PARAMS_N * PARAMS_NBAR); - PQCLEAN_FRODOKEM1344AES_CLEAN_sample_n(Ep, PARAMS_N * PARAMS_NBAR); - PQCLEAN_FRODOKEM1344AES_CLEAN_mul_add_sa_plus_e(Bp, Sp, Ep, pk_seedA); - PQCLEAN_FRODOKEM1344AES_CLEAN_pack(ct_c1, (PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8, Bp, PARAMS_N * PARAMS_NBAR, PARAMS_LOGQ); - - // Generate Epp, and compute V = Sp*B + Epp - PQCLEAN_FRODOKEM1344AES_CLEAN_sample_n(Epp, PARAMS_NBAR * PARAMS_NBAR); - PQCLEAN_FRODOKEM1344AES_CLEAN_unpack(B, PARAMS_N * PARAMS_NBAR, pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, PARAMS_LOGQ); - PQCLEAN_FRODOKEM1344AES_CLEAN_mul_add_sb_plus_e(V, B, Sp, Epp); - - // Encode mu, and compute C = V + enc(mu) (mod q) - PQCLEAN_FRODOKEM1344AES_CLEAN_key_encode(C, (uint16_t *)mu); - PQCLEAN_FRODOKEM1344AES_CLEAN_add(C, V, C); - PQCLEAN_FRODOKEM1344AES_CLEAN_pack(ct_c2, (PARAMS_LOGQ * PARAMS_NBAR * PARAMS_NBAR) / 8, C, PARAMS_NBAR * PARAMS_NBAR, PARAMS_LOGQ); - - // Compute ss = F(ct||KK) - memcpy(Fin_ct, ct, CRYPTO_CIPHERTEXTBYTES); - memcpy(Fin_k, k, CRYPTO_BYTES); - shake(ss, CRYPTO_BYTES, Fin, CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES); - - // Cleanup: - PQCLEAN_FRODOKEM1344AES_CLEAN_clear_bytes((uint8_t *)V, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM1344AES_CLEAN_clear_bytes((uint8_t *)Sp, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM1344AES_CLEAN_clear_bytes((uint8_t *)Ep, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM1344AES_CLEAN_clear_bytes((uint8_t *)Epp, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM1344AES_CLEAN_clear_bytes(mu, 
BYTES_MU); - PQCLEAN_FRODOKEM1344AES_CLEAN_clear_bytes(G2out, 2 * CRYPTO_BYTES); - PQCLEAN_FRODOKEM1344AES_CLEAN_clear_bytes(Fin_k, CRYPTO_BYTES); - PQCLEAN_FRODOKEM1344AES_CLEAN_clear_bytes(shake_input_seedSE, 1 + CRYPTO_BYTES); - return 0; -} - - -int PQCLEAN_FRODOKEM1344AES_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk) { - // FrodoKEM's key decapsulation - uint16_t B[PARAMS_N * PARAMS_NBAR] = {0}; - uint16_t Bp[PARAMS_N * PARAMS_NBAR] = {0}; - uint16_t W[PARAMS_NBAR * PARAMS_NBAR] = {0}; // contains secret data - uint16_t C[PARAMS_NBAR * PARAMS_NBAR] = {0}; - uint16_t CC[PARAMS_NBAR * PARAMS_NBAR] = {0}; - uint16_t BBp[PARAMS_N * PARAMS_NBAR] = {0}; - uint16_t Sp[(2 * PARAMS_N + PARAMS_NBAR)*PARAMS_NBAR] = {0}; // contains secret data - uint16_t *Ep = &Sp[PARAMS_N * PARAMS_NBAR]; // contains secret data - uint16_t *Epp = &Sp[2 * PARAMS_N * PARAMS_NBAR]; // contains secret data - const uint8_t *ct_c1 = &ct[0]; - const uint8_t *ct_c2 = &ct[(PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8]; - const uint8_t *sk_s = &sk[0]; - const uint8_t *sk_pk = &sk[CRYPTO_BYTES]; - const uint8_t *sk_S = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES]; - uint16_t S[PARAMS_N * PARAMS_NBAR]; // contains secret data - const uint8_t *sk_pkh = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES + 2 * PARAMS_N * PARAMS_NBAR]; - const uint8_t *pk_seedA = &sk_pk[0]; - const uint8_t *pk_b = &sk_pk[BYTES_SEED_A]; - uint8_t G2in[BYTES_PKHASH + BYTES_MU]; // contains secret data via muprime - uint8_t *pkh = &G2in[0]; - uint8_t *muprime = &G2in[BYTES_PKHASH]; // contains secret data - uint8_t G2out[2 * CRYPTO_BYTES]; // contains secret data - uint8_t *seedSEprime = &G2out[0]; // contains secret data - uint8_t *kprime = &G2out[CRYPTO_BYTES]; // contains secret data - uint8_t Fin[CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES]; // contains secret data via Fin_k - uint8_t *Fin_ct = &Fin[0]; - uint8_t *Fin_k = &Fin[CRYPTO_CIPHERTEXTBYTES]; // contains secret data - uint8_t shake_input_seedSEprime[1 + 
CRYPTO_BYTES]; // contains secret data - - for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) { - S[i] = sk_S[2 * i] | (sk_S[2 * i + 1] << 8); - } - - // Compute W = C - Bp*S (mod q), and decode the randomness mu - PQCLEAN_FRODOKEM1344AES_CLEAN_unpack(Bp, PARAMS_N * PARAMS_NBAR, ct_c1, (PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8, PARAMS_LOGQ); - PQCLEAN_FRODOKEM1344AES_CLEAN_unpack(C, PARAMS_NBAR * PARAMS_NBAR, ct_c2, (PARAMS_LOGQ * PARAMS_NBAR * PARAMS_NBAR) / 8, PARAMS_LOGQ); - PQCLEAN_FRODOKEM1344AES_CLEAN_mul_bs(W, Bp, S); - PQCLEAN_FRODOKEM1344AES_CLEAN_sub(W, C, W); - PQCLEAN_FRODOKEM1344AES_CLEAN_key_decode((uint16_t *)muprime, W); - - // Generate (seedSE' || k') = G_2(pkh || mu') - memcpy(pkh, sk_pkh, BYTES_PKHASH); - shake(G2out, CRYPTO_BYTES + CRYPTO_BYTES, G2in, BYTES_PKHASH + BYTES_MU); - - // Generate Sp and Ep, and compute BBp = Sp*A + Ep. Generate A on-the-fly - shake_input_seedSEprime[0] = 0x96; - memcpy(&shake_input_seedSEprime[1], seedSEprime, CRYPTO_BYTES); - shake((uint8_t *)Sp, (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSEprime, 1 + CRYPTO_BYTES); - for (size_t i = 0; i < (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR; i++) { - Sp[i] = PQCLEAN_FRODOKEM1344AES_CLEAN_LE_TO_UINT16(Sp[i]); - } - PQCLEAN_FRODOKEM1344AES_CLEAN_sample_n(Sp, PARAMS_N * PARAMS_NBAR); - PQCLEAN_FRODOKEM1344AES_CLEAN_sample_n(Ep, PARAMS_N * PARAMS_NBAR); - PQCLEAN_FRODOKEM1344AES_CLEAN_mul_add_sa_plus_e(BBp, Sp, Ep, pk_seedA); - - // Generate Epp, and compute W = Sp*B + Epp - PQCLEAN_FRODOKEM1344AES_CLEAN_sample_n(Epp, PARAMS_NBAR * PARAMS_NBAR); - PQCLEAN_FRODOKEM1344AES_CLEAN_unpack(B, PARAMS_N * PARAMS_NBAR, pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, PARAMS_LOGQ); - PQCLEAN_FRODOKEM1344AES_CLEAN_mul_add_sb_plus_e(W, B, Sp, Epp); - - // Encode mu, and compute CC = W + enc(mu') (mod q) - PQCLEAN_FRODOKEM1344AES_CLEAN_key_encode(CC, (uint16_t *)muprime); - PQCLEAN_FRODOKEM1344AES_CLEAN_add(CC, W, CC); - - // Prepare input to F - 
memcpy(Fin_ct, ct, CRYPTO_CIPHERTEXTBYTES); - - // Reducing BBp modulo q - for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) { - BBp[i] = BBp[i] & ((1 << PARAMS_LOGQ) - 1); - } - - // If (Bp == BBp & C == CC) then ss = F(ct || k'), else ss = F(ct || s) - // Needs to avoid branching on secret data as per: - // Qian Guo, Thomas Johansson, Alexander Nilsson. A key-recovery timing attack on post-quantum - // primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM. In CRYPTO 2020. - int8_t selector = PQCLEAN_FRODOKEM1344AES_CLEAN_ct_verify(Bp, BBp, PARAMS_N * PARAMS_NBAR) | PQCLEAN_FRODOKEM1344AES_CLEAN_ct_verify(C, CC, PARAMS_NBAR * PARAMS_NBAR); - // If (selector == 0) then load k' to do ss = F(ct || k'), else if (selector == -1) load s to do ss = F(ct || s) - PQCLEAN_FRODOKEM1344AES_CLEAN_ct_select((uint8_t *)Fin_k, (uint8_t *)kprime, (uint8_t *)sk_s, CRYPTO_BYTES, selector); - shake(ss, CRYPTO_BYTES, Fin, CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES); - - // Cleanup: - PQCLEAN_FRODOKEM1344AES_CLEAN_clear_bytes((uint8_t *)W, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM1344AES_CLEAN_clear_bytes((uint8_t *)Sp, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM1344AES_CLEAN_clear_bytes((uint8_t *)S, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM1344AES_CLEAN_clear_bytes((uint8_t *)Ep, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM1344AES_CLEAN_clear_bytes((uint8_t *)Epp, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM1344AES_CLEAN_clear_bytes(muprime, BYTES_MU); - PQCLEAN_FRODOKEM1344AES_CLEAN_clear_bytes(G2out, 2 * CRYPTO_BYTES); - PQCLEAN_FRODOKEM1344AES_CLEAN_clear_bytes(Fin_k, CRYPTO_BYTES); - PQCLEAN_FRODOKEM1344AES_CLEAN_clear_bytes(shake_input_seedSEprime, 1 + CRYPTO_BYTES); - return 0; -} diff --git a/crypto_kem/frodokem1344aes/clean/matrix_aes.c b/crypto_kem/frodokem1344aes/clean/matrix_aes.c deleted file mode 100644 index 40747b58..00000000 
--- a/crypto_kem/frodokem1344aes/clean/matrix_aes.c +++ /dev/null 
@@ -1,95 +0,0 @@ -/******************************************************************************************** -* FrodoKEM: Learning with Errors Key Encapsulation -* -* Abstract: matrix arithmetic functions used by the KEM -*********************************************************************************************/ - -#include -#include - -#include "aes.h" - -#include "api.h" -#include "common.h" -#include "params.h" - -int PQCLEAN_FRODOKEM1344AES_CLEAN_mul_add_as_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A) { - // Generate-and-multiply: generate matrix A (N x N) row-wise, multiply by s on the right. - // Inputs: s, e (N x N_BAR) - // Output: out = A*s + e (N x N_BAR) - int i, j, k; - int16_t A[PARAMS_N * PARAMS_N] = {0}; - aes128ctx ctx128; - - aes128_ecb_keyexp(&ctx128, seed_A); - for (i = 0; i < PARAMS_N; i++) { - for (j = 0; j < PARAMS_N; j += PARAMS_STRIPE_STEP) { - A[i * PARAMS_N + j] = (int16_t) i; // Loading values in the little-endian order - A[i * PARAMS_N + j + 1] = (int16_t) j; - } - } - for (i = 0; i < PARAMS_N * PARAMS_N; i++) { - A[i] = PQCLEAN_FRODOKEM1344AES_CLEAN_UINT16_TO_LE(A[i]); - } - - aes128_ecb((uint8_t *) A, (uint8_t *) A, PARAMS_N * PARAMS_N * sizeof(int16_t) / AES_BLOCKBYTES, &ctx128); - aes128_ctx_release(&ctx128); - - for (i = 0; i < PARAMS_N * PARAMS_N; i++) { - A[i] = PQCLEAN_FRODOKEM1344AES_CLEAN_LE_TO_UINT16(A[i]); - } - memcpy(out, e, PARAMS_NBAR * PARAMS_N * sizeof(uint16_t)); - - for (i = 0; i < PARAMS_N; i++) { // Matrix multiplication-addition A*s + e - for (k = 0; k < PARAMS_NBAR; k++) { - uint16_t sum = 0; - for (j = 0; j < PARAMS_N; j++) { - sum += A[i * PARAMS_N + j] * s[k * PARAMS_N + j]; - } - out[i * PARAMS_NBAR + k] += sum; // Adding e. No need to reduce modulo 2^15, extra bits are taken care of during packing later on. 
- } - } - - return 1; -} - - -int PQCLEAN_FRODOKEM1344AES_CLEAN_mul_add_sa_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A) { - // Generate-and-multiply: generate matrix A (N x N) column-wise, multiply by s' on the left. - // Inputs: s', e' (N_BAR x N) - // Output: out = s'*A + e' (N_BAR x N) - int i, j, k; - int16_t A[PARAMS_N * PARAMS_N] = {0}; - aes128ctx ctx128; - - aes128_ecb_keyexp(&ctx128, seed_A); - for (i = 0; i < PARAMS_N; i++) { - for (j = 0; j < PARAMS_N; j += PARAMS_STRIPE_STEP) { - A[i * PARAMS_N + j] = (int16_t) i; // Loading values in the little-endian order - A[i * PARAMS_N + j + 1] = (int16_t) j; - } - } - for (i = 0; i < PARAMS_N * PARAMS_N; i++) { - A[i] = PQCLEAN_FRODOKEM1344AES_CLEAN_UINT16_TO_LE(A[i]); - } - - aes128_ecb((uint8_t *) A, (uint8_t *) A, PARAMS_N * PARAMS_N * sizeof(int16_t) / AES_BLOCKBYTES, &ctx128); - aes128_ctx_release(&ctx128); - - for (i = 0; i < PARAMS_N * PARAMS_N; i++) { - A[i] = PQCLEAN_FRODOKEM1344AES_CLEAN_LE_TO_UINT16(A[i]); - } - memcpy(out, e, PARAMS_NBAR * PARAMS_N * sizeof(uint16_t)); - - for (i = 0; i < PARAMS_N; i++) { // Matrix multiplication-addition A*s + e - for (k = 0; k < PARAMS_NBAR; k++) { - uint16_t sum = 0; - for (j = 0; j < PARAMS_N; j++) { - sum += A[j * PARAMS_N + i] * s[k * PARAMS_N + j]; - } - out[k * PARAMS_N + i] += sum; // Adding e. No need to reduce modulo 2^15, extra bits are taken care of during packing later on. - } - } - - return 1; -} diff --git a/crypto_kem/frodokem1344aes/clean/noise.c b/crypto_kem/frodokem1344aes/clean/noise.c deleted file mode 100644 index 535e2f3f..00000000 --- a/crypto_kem/frodokem1344aes/clean/noise.c +++ /dev/null 
@@ -1,35 +0,0 @@ -/******************************************************************************************** -* FrodoKEM: Learning with Errors Key Encapsulation -* -* Abstract: noise sampling functions -*********************************************************************************************/ - -#include - -#include "api.h" -#include "common.h" -#include "params.h" - -static const uint16_t CDF_TABLE[CDF_TABLE_LEN] = CDF_TABLE_DATA; - -void PQCLEAN_FRODOKEM1344AES_CLEAN_sample_n(uint16_t *s, size_t n) { - // Fills vector s with n samples from the noise distribution which requires 16 bits to sample. - // The distribution is specified by its CDF. - // Input: pseudo-random values (2*n bytes) passed in s. The input is overwritten by the output. - size_t i; - unsigned int j; - - for (i = 0; i < n; ++i) { - uint16_t sample = 0; - uint16_t prnd = s[i] >> 1; // Drop the least significant bit - uint16_t sign = s[i] & 0x1; // Pick the least significant bit - - // No need to compare with the last value. - for (j = 0; j < (unsigned int)(CDF_TABLE_LEN - 1); j++) { - // Constant time comparison: 1 if CDF_TABLE[j] < s, 0 otherwise. Uses the fact that CDF_TABLE[j] and s fit in 15 bits. - sample += (uint16_t)(CDF_TABLE[j] - prnd) >> 15; - } - // Assuming that sign is either 0 or 1, flips sample iff sign = 1 - s[i] = ((-sign) ^ sample) + sign; - } -} diff --git a/crypto_kem/frodokem1344aes/clean/params.h b/crypto_kem/frodokem1344aes/clean/params.h deleted file mode 100644 index 1bda8a84..00000000 --- a/crypto_kem/frodokem1344aes/clean/params.h +++ /dev/null 
@@ -1,27 +0,0 @@ -#ifndef PARAMS_H -#define PARAMS_H - -#define CRYPTO_SECRETKEYBYTES PQCLEAN_FRODOKEM1344AES_CLEAN_CRYPTO_SECRETKEYBYTES -#define CRYPTO_PUBLICKEYBYTES PQCLEAN_FRODOKEM1344AES_CLEAN_CRYPTO_PUBLICKEYBYTES -#define CRYPTO_BYTES PQCLEAN_FRODOKEM1344AES_CLEAN_CRYPTO_BYTES -#define CRYPTO_CIPHERTEXTBYTES PQCLEAN_FRODOKEM1344AES_CLEAN_CRYPTO_CIPHERTEXTBYTES - -#define PARAMS_N 1344 -#define PARAMS_NBAR 8 -#define PARAMS_LOGQ 16 -#define PARAMS_Q (1 << PARAMS_LOGQ) -#define PARAMS_EXTRACTED_BITS 4 -#define PARAMS_STRIPE_STEP 8 -#define PARAMS_PARALLEL 4 -#define BYTES_SEED_A 16 -#define BYTES_MU ((PARAMS_EXTRACTED_BITS * PARAMS_NBAR * PARAMS_NBAR) / 8) -#define BYTES_PKHASH CRYPTO_BYTES - -// Selecting SHAKE XOF function for the KEM and noise sampling -#define shake shake256 - -// CDF table -#define CDF_TABLE_DATA {9142, 23462, 30338, 32361, 32725, 32765, 32767} -#define CDF_TABLE_LEN 7 - -#endif diff --git a/crypto_kem/frodokem1344aes/clean/util.c b/crypto_kem/frodokem1344aes/clean/util.c deleted file mode 100644 index 1bf08bc7..00000000 --- a/crypto_kem/frodokem1344aes/clean/util.c +++ /dev/null 
@@ -1,264 +0,0 @@ -/******************************************************************************************** -* FrodoKEM: Learning with Errors Key Encapsulation -* -* Abstract: additional functions for FrodoKEM -*********************************************************************************************/ - -#include -#include - -#include "api.h" -#include "common.h" -#include "params.h" - -static inline uint8_t min(uint8_t x, uint8_t y) { - if (x < y) { - return x; - } - return y; -} - -uint16_t PQCLEAN_FRODOKEM1344AES_CLEAN_LE_TO_UINT16(uint16_t n) { - return (((uint8_t *) &n)[0] | (((uint8_t *) &n)[1] << 8)); -} - -uint16_t PQCLEAN_FRODOKEM1344AES_CLEAN_UINT16_TO_LE(uint16_t n) { - uint16_t y; - uint8_t *z = (uint8_t *) &y; - z[0] = n & 0xFF; - z[1] = (n & 0xFF00) >> 8; - return y; -} - -void PQCLEAN_FRODOKEM1344AES_CLEAN_mul_bs(uint16_t *out, const uint16_t *b, const uint16_t *s) { - // Multiply by s on the right - // Inputs: b (N_BAR x N), s (N x N_BAR) - // Output: out = b*s (N_BAR x N_BAR) - int i, j, k; - - for (i = 0; i < PARAMS_NBAR; i++) { - for (j = 0; j < PARAMS_NBAR; j++) { - out[i * PARAMS_NBAR + j] = 0; - for (k = 0; k < PARAMS_N; k++) { - out[i * PARAMS_NBAR + j] += (uint16_t)(b[i * PARAMS_N + k] * (uint32_t)s[j * PARAMS_N + k]); - } - out[i * PARAMS_NBAR + j] = (uint32_t)(out[i * PARAMS_NBAR + j]) & ((1 << PARAMS_LOGQ) - 1); - } - } -} - - -void PQCLEAN_FRODOKEM1344AES_CLEAN_mul_add_sb_plus_e(uint16_t *out, const uint16_t *b, const uint16_t *s, const uint16_t *e) { - // Multiply by s on the left - // Inputs: b (N x N_BAR), s (N_BAR x N), e (N_BAR x N_BAR) - // Output: out = s*b + e (N_BAR x N_BAR) - int i, j, k; - - for (k = 0; k < PARAMS_NBAR; k++) { - for (i = 0; i < PARAMS_NBAR; i++) { - out[k * PARAMS_NBAR + i] = e[k * PARAMS_NBAR + i]; - for (j = 0; j < PARAMS_N; j++) { - out[k * PARAMS_NBAR + i] += (uint16_t)(s[k * PARAMS_N + j] * (uint32_t)b[j * PARAMS_NBAR + i]); - } - out[k * PARAMS_NBAR + i] = (uint32_t)(out[k * PARAMS_NBAR + i]) & 
((1 << PARAMS_LOGQ) - 1); - } - } -} - - -void PQCLEAN_FRODOKEM1344AES_CLEAN_add(uint16_t *out, const uint16_t *a, const uint16_t *b) { - // Add a and b - // Inputs: a, b (N_BAR x N_BAR) - // Output: c = a + b - - for (size_t i = 0; i < (PARAMS_NBAR * PARAMS_NBAR); i++) { - out[i] = (a[i] + b[i]) & ((1 << PARAMS_LOGQ) - 1); - } -} - - -void PQCLEAN_FRODOKEM1344AES_CLEAN_sub(uint16_t *out, const uint16_t *a, const uint16_t *b) { - // Subtract a and b - // Inputs: a, b (N_BAR x N_BAR) - // Output: c = a - b - - for (size_t i = 0; i < (PARAMS_NBAR * PARAMS_NBAR); i++) { - out[i] = (a[i] - b[i]) & ((1 << PARAMS_LOGQ) - 1); - } -} - - -void PQCLEAN_FRODOKEM1344AES_CLEAN_key_encode(uint16_t *out, const uint16_t *in) { - // Encoding - unsigned int i, j, npieces_word = 8; - unsigned int nwords = (PARAMS_NBAR * PARAMS_NBAR) / 8; - uint64_t temp, mask = ((uint64_t)1 << PARAMS_EXTRACTED_BITS) - 1; - uint16_t *pos = out; - - for (i = 0; i < nwords; i++) { - temp = 0; - for (j = 0; j < PARAMS_EXTRACTED_BITS; j++) { - temp |= ((uint64_t)((uint8_t *)in)[i * PARAMS_EXTRACTED_BITS + j]) << (8 * j); - } - for (j = 0; j < npieces_word; j++) { - *pos = (uint16_t)((temp & mask) << (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS)); - temp >>= PARAMS_EXTRACTED_BITS; - pos++; - } - } -} - - -void PQCLEAN_FRODOKEM1344AES_CLEAN_key_decode(uint16_t *out, const uint16_t *in) { - // Decoding - unsigned int i, j, index = 0, npieces_word = 8; - unsigned int nwords = (PARAMS_NBAR * PARAMS_NBAR) / 8; - uint16_t temp, maskex = ((uint16_t)1 << PARAMS_EXTRACTED_BITS) - 1, maskq = ((uint16_t)1 << PARAMS_LOGQ) - 1; - uint8_t *pos = (uint8_t *)out; - uint64_t templong; - - for (i = 0; i < nwords; i++) { - templong = 0; - for (j = 0; j < npieces_word; j++) { // temp = floor(in*2^{-11}+0.5) - temp = ((in[index] & maskq) + (1 << (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS - 1))) >> (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS); - templong |= ((uint64_t)(temp & maskex)) << (PARAMS_EXTRACTED_BITS * j); - index++; - } - for (j = 0; j 
< PARAMS_EXTRACTED_BITS; j++) { - pos[i * PARAMS_EXTRACTED_BITS + j] = (templong >> (8 * j)) & 0xFF; - } - } -} - - -void PQCLEAN_FRODOKEM1344AES_CLEAN_pack(uint8_t *out, size_t outlen, const uint16_t *in, size_t inlen, uint8_t lsb) { - // Pack the input uint16 vector into a char output vector, copying lsb bits from each input element. - // If inlen * lsb / 8 > outlen, only outlen * 8 bits are copied. - memset(out, 0, outlen); - - size_t i = 0; // whole bytes already filled in - size_t j = 0; // whole uint16_t already copied - uint16_t w = 0; // the leftover, not yet copied - uint8_t bits = 0; // the number of lsb in w - - while (i < outlen && (j < inlen || ((j == inlen) && (bits > 0)))) { - /* - in: | | |********|********| - ^ - j - w : | ****| - ^ - bits - out:|**|**|**|**|**|**|**|**|* | - ^^ - ib - */ - uint8_t b = 0; // bits in out[i] already filled in - while (b < 8) { - int nbits = min(8 - b, bits); - uint16_t mask = (1 << nbits) - 1; - uint8_t t = (uint8_t) ((w >> (bits - nbits)) & mask); // the bits to copy from w to out - out[i] = out[i] + (t << (8 - b - nbits)); - b += (uint8_t) nbits; - bits -= (uint8_t) nbits; - w &= ~(mask << bits); // not strictly necessary; mostly for debugging - - if (bits == 0) { - if (j < inlen) { - w = in[j]; - bits = lsb; - j++; - } else { - break; // the input vector is exhausted - } - } - } - if (b == 8) { // out[i] is filled in - i++; - } - } -} - - -void PQCLEAN_FRODOKEM1344AES_CLEAN_unpack(uint16_t *out, size_t outlen, const uint8_t *in, size_t inlen, uint8_t lsb) { - // Unpack the input char vector into a uint16_t output vector, copying lsb bits - // for each output element from input. outlen must be at least ceil(inlen * 8 / lsb). 
- memset(out, 0, outlen * sizeof(uint16_t)); - - size_t i = 0; // whole uint16_t already filled in - size_t j = 0; // whole bytes already copied - uint8_t w = 0; // the leftover, not yet copied - uint8_t bits = 0; // the number of lsb bits of w - - while (i < outlen && (j < inlen || ((j == inlen) && (bits > 0)))) { - /* - in: | | | | | | |**|**|... - ^ - j - w : | *| - ^ - bits - out:| *****| *****| *** | |... - ^ ^ - i b - */ - uint8_t b = 0; // bits in out[i] already filled in - while (b < lsb) { - int nbits = min(lsb - b, bits); - uint16_t mask = (1 << nbits) - 1; - uint8_t t = (w >> (bits - nbits)) & mask; // the bits to copy from w to out - out[i] = out[i] + (t << (lsb - b - nbits)); - b += (uint8_t) nbits; - bits -= (uint8_t) nbits; - w &= ~(mask << bits); // not strictly necessary; mostly for debugging - - if (bits == 0) { - if (j < inlen) { - w = in[j]; - bits = 8; - j++; - } else { - break; // the input vector is exhausted - } - } - } - if (b == lsb) { // out[i] is filled in - i++; - } - } -} - - -int8_t PQCLEAN_FRODOKEM1344AES_CLEAN_ct_verify(const uint16_t *a, const uint16_t *b, size_t len) { - // Compare two arrays in constant time. - // Returns 0 if the byte arrays are equal, -1 otherwise. - uint16_t r = 0; - - for (size_t i = 0; i < len; i++) { - r |= a[i] ^ b[i]; - } - - r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1); - return (int8_t)r; -} - - -void PQCLEAN_FRODOKEM1344AES_CLEAN_ct_select(uint8_t *r, const uint8_t *a, const uint8_t *b, size_t len, int8_t selector) { - // Select one of the two input arrays to be moved to r - // If (selector == 0) then load r with a, else if (selector == -1) load r with b - - for (size_t i = 0; i < len; i++) { - r[i] = (~selector & a[i]) | (selector & b[i]); - } -} - - -void PQCLEAN_FRODOKEM1344AES_CLEAN_clear_bytes(uint8_t *mem, size_t n) { - // Clear 8-bit bytes from memory. "n" indicates the number of bytes to be zeroed. 
- // This function uses the volatile type qualifier to inform the compiler not to optimize out the memory clearing.
- volatile uint8_t *v = mem;
-
- for (size_t i = 0; i < n; i++) {
- v[i] = 0;
- }
-}
diff --git a/crypto_kem/frodokem1344aes/opt/LICENSE b/crypto_kem/frodokem1344aes/opt/LICENSE
deleted file mode 100644
index 5cf7c8db..00000000
--- a/crypto_kem/frodokem1344aes/opt/LICENSE
+++ /dev/null
@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) Microsoft Corporation. All rights reserved.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE
diff --git a/crypto_kem/frodokem1344aes/opt/Makefile.Microsoft_nmake b/crypto_kem/frodokem1344aes/opt/Makefile.Microsoft_nmake
deleted file mode 100644
index f8a24bfd..00000000
--- a/crypto_kem/frodokem1344aes/opt/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libfrodokem1344aes_opt.lib
-OBJECTS=kem.obj matrix_aes.obj noise.obj util.obj
-
-CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_kem/frodokem1344aes/opt/api.h b/crypto_kem/frodokem1344aes/opt/api.h
deleted file mode 100644
index d164186c..00000000
--- a/crypto_kem/frodokem1344aes/opt/api.h
+++ /dev/null
@@ -1,20 +0,0 @@
-#ifndef PQCLEAN_FRODOKEM1344AES_OPT_API_H
-#define PQCLEAN_FRODOKEM1344AES_OPT_API_H
-
-#include
-#include
-
-#define PQCLEAN_FRODOKEM1344AES_OPT_CRYPTO_SECRETKEYBYTES 43088 // sizeof(s) + CRYPTO_PUBLICKEYBYTES + 2*PARAMS_N*PARAMS_NBAR + BYTES_PKHASH
-#define PQCLEAN_FRODOKEM1344AES_OPT_CRYPTO_PUBLICKEYBYTES 21520 // sizeof(seed_A) + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8
-#define PQCLEAN_FRODOKEM1344AES_OPT_CRYPTO_BYTES 32
-#define PQCLEAN_FRODOKEM1344AES_OPT_CRYPTO_CIPHERTEXTBYTES 21632 // (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 + (PARAMS_LOGQ*PARAMS_NBAR*PARAMS_NBAR)/8
-
-#define PQCLEAN_FRODOKEM1344AES_OPT_CRYPTO_ALGNAME "FrodoKEM-1344-AES"
-
-int PQCLEAN_FRODOKEM1344AES_OPT_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
-
-int PQCLEAN_FRODOKEM1344AES_OPT_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-
-int PQCLEAN_FRODOKEM1344AES_OPT_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
-#endif
diff --git a/crypto_kem/frodokem1344aes/opt/common.h b/crypto_kem/frodokem1344aes/opt/common.h
deleted file mode 100644
index e00eef0b..00000000
--- a/crypto_kem/frodokem1344aes/opt/common.h
+++ /dev/null
@@ -1,21 +0,0 @@
-#ifndef COMMON_H
-#define COMMON_H
-
-int PQCLEAN_FRODOKEM1344AES_OPT_mul_add_as_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A);
-int PQCLEAN_FRODOKEM1344AES_OPT_mul_add_sa_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A);
-void PQCLEAN_FRODOKEM1344AES_OPT_sample_n(uint16_t *s, size_t n);
-void PQCLEAN_FRODOKEM1344AES_OPT_mul_bs(uint16_t *out, const uint16_t *b, const uint16_t *s);
-void PQCLEAN_FRODOKEM1344AES_OPT_mul_add_sb_plus_e(uint16_t *out, const uint16_t *b, const uint16_t *s, const uint16_t *e);
-void PQCLEAN_FRODOKEM1344AES_OPT_add(uint16_t *out, const uint16_t *a, const uint16_t *b);
-void PQCLEAN_FRODOKEM1344AES_OPT_sub(uint16_t *out, const uint16_t *a, const uint16_t *b);
-void PQCLEAN_FRODOKEM1344AES_OPT_key_encode(uint16_t *out, const uint16_t *in);
-void PQCLEAN_FRODOKEM1344AES_OPT_key_decode(uint16_t *out, const uint16_t *in);
-void PQCLEAN_FRODOKEM1344AES_OPT_pack(uint8_t *out, size_t outlen, const uint16_t *in, size_t inlen, uint8_t lsb);
-void PQCLEAN_FRODOKEM1344AES_OPT_unpack(uint16_t *out, size_t outlen, const uint8_t *in, size_t inlen, uint8_t lsb);
-int8_t PQCLEAN_FRODOKEM1344AES_OPT_ct_verify(const uint16_t *a, const uint16_t *b, size_t len);
-void PQCLEAN_FRODOKEM1344AES_OPT_ct_select(uint8_t *r, const uint8_t *a, const uint8_t *b, size_t len, int8_t selector);
-void PQCLEAN_FRODOKEM1344AES_OPT_clear_bytes(uint8_t *mem, size_t n);
-uint16_t PQCLEAN_FRODOKEM1344AES_OPT_LE_TO_UINT16(uint16_t n);
-uint16_t PQCLEAN_FRODOKEM1344AES_OPT_UINT16_TO_LE(uint16_t n);
-
-#endif
diff --git a/crypto_kem/frodokem1344aes/opt/kem.c b/crypto_kem/frodokem1344aes/opt/kem.c
deleted file mode 100644
index 89c94adc..00000000
--- a/crypto_kem/frodokem1344aes/opt/kem.c
+++ /dev/null
@@ -1,237 +0,0 @@ -/******************************************************************************************** -* FrodoKEM: Learning with Errors Key Encapsulation -* -* Abstract: Key Encapsulation Mechanism (KEM) based on Frodo -*********************************************************************************************/ - -#include -#include - -#include "fips202.h" -#include "randombytes.h" - -#include "api.h" -#include "common.h" -#include "params.h" - -int PQCLEAN_FRODOKEM1344AES_OPT_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) { - // FrodoKEM's key generation - // Outputs: public key pk ( BYTES_SEED_A + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 bytes) - // secret key sk (CRYPTO_BYTES + BYTES_SEED_A + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 + 2*PARAMS_N*PARAMS_NBAR + BYTES_PKHASH bytes) - uint8_t *pk_seedA = &pk[0]; - uint8_t *pk_b = &pk[BYTES_SEED_A]; - uint8_t *sk_s = &sk[0]; - uint8_t *sk_pk = &sk[CRYPTO_BYTES]; - uint8_t *sk_S = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES]; - uint8_t *sk_pkh = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES + 2 * PARAMS_N * PARAMS_NBAR]; - uint16_t B[PARAMS_N * PARAMS_NBAR] = {0}; - uint16_t S[2 * PARAMS_N * PARAMS_NBAR] = {0}; // contains secret data - uint16_t *E = &S[PARAMS_N * PARAMS_NBAR]; // contains secret data - uint8_t randomness[2 * CRYPTO_BYTES + BYTES_SEED_A]; // contains secret data via randomness_s and randomness_seedSE - uint8_t *randomness_s = &randomness[0]; // contains secret data - uint8_t *randomness_seedSE = &randomness[CRYPTO_BYTES]; // contains secret data - uint8_t *randomness_z = &randomness[2 * CRYPTO_BYTES]; - uint8_t shake_input_seedSE[1 + CRYPTO_BYTES]; // contains secret data - - // Generate the secret value s, the seed for S and E, and the seed for the seed for A. Add seed_A to the public key - randombytes(randomness, CRYPTO_BYTES + CRYPTO_BYTES + BYTES_SEED_A); - shake(pk_seedA, BYTES_SEED_A, randomness_z, BYTES_SEED_A); - - // Generate S and E, and compute B = A*S + E. 
Generate A on-the-fly - shake_input_seedSE[0] = 0x5F; - memcpy(&shake_input_seedSE[1], randomness_seedSE, CRYPTO_BYTES); - shake((uint8_t *)S, 2 * PARAMS_N * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSE, 1 + CRYPTO_BYTES); - for (size_t i = 0; i < 2 * PARAMS_N * PARAMS_NBAR; i++) { - S[i] = PQCLEAN_FRODOKEM1344AES_OPT_LE_TO_UINT16(S[i]); - } - PQCLEAN_FRODOKEM1344AES_OPT_sample_n(S, PARAMS_N * PARAMS_NBAR); - PQCLEAN_FRODOKEM1344AES_OPT_sample_n(E, PARAMS_N * PARAMS_NBAR); - PQCLEAN_FRODOKEM1344AES_OPT_mul_add_as_plus_e(B, S, E, pk); - - // Encode the second part of the public key - PQCLEAN_FRODOKEM1344AES_OPT_pack(pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, B, PARAMS_N * PARAMS_NBAR, PARAMS_LOGQ); - - // Add s, pk and S to the secret key - memcpy(sk_s, randomness_s, CRYPTO_BYTES); - memcpy(sk_pk, pk, CRYPTO_PUBLICKEYBYTES); - for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) { - S[i] = PQCLEAN_FRODOKEM1344AES_OPT_UINT16_TO_LE(S[i]); - } - memcpy(sk_S, S, 2 * PARAMS_N * PARAMS_NBAR); - - // Add H(pk) to the secret key - shake(sk_pkh, BYTES_PKHASH, pk, CRYPTO_PUBLICKEYBYTES); - - // Cleanup: - PQCLEAN_FRODOKEM1344AES_OPT_clear_bytes((uint8_t *)S, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM1344AES_OPT_clear_bytes((uint8_t *)E, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM1344AES_OPT_clear_bytes(randomness, 2 * CRYPTO_BYTES); - PQCLEAN_FRODOKEM1344AES_OPT_clear_bytes(shake_input_seedSE, 1 + CRYPTO_BYTES); - return 0; -} - - -int PQCLEAN_FRODOKEM1344AES_OPT_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk) { - // FrodoKEM's key encapsulation - const uint8_t *pk_seedA = &pk[0]; - const uint8_t *pk_b = &pk[BYTES_SEED_A]; - uint8_t *ct_c1 = &ct[0]; - uint8_t *ct_c2 = &ct[(PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8]; - uint16_t B[PARAMS_N * PARAMS_NBAR] = {0}; - uint16_t V[PARAMS_NBAR * PARAMS_NBAR] = {0}; // contains secret data - uint16_t C[PARAMS_NBAR * PARAMS_NBAR] = {0}; - uint16_t Bp[PARAMS_N * PARAMS_NBAR] = {0}; 
- uint16_t Sp[(2 * PARAMS_N + PARAMS_NBAR)*PARAMS_NBAR] = {0}; // contains secret data - uint16_t *Ep = &Sp[PARAMS_N * PARAMS_NBAR]; // contains secret data - uint16_t *Epp = &Sp[2 * PARAMS_N * PARAMS_NBAR]; // contains secret data - uint8_t G2in[BYTES_PKHASH + BYTES_MU]; // contains secret data via mu - uint8_t *pkh = &G2in[0]; - uint8_t *mu = &G2in[BYTES_PKHASH]; // contains secret data - uint8_t G2out[2 * CRYPTO_BYTES]; // contains secret data - uint8_t *seedSE = &G2out[0]; // contains secret data - uint8_t *k = &G2out[CRYPTO_BYTES]; // contains secret data - uint8_t Fin[CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES]; // contains secret data via Fin_k - uint8_t *Fin_ct = &Fin[0]; - uint8_t *Fin_k = &Fin[CRYPTO_CIPHERTEXTBYTES]; // contains secret data - uint8_t shake_input_seedSE[1 + CRYPTO_BYTES]; // contains secret data - - // pkh <- G_1(pk), generate random mu, compute (seedSE || k) = G_2(pkh || mu) - shake(pkh, BYTES_PKHASH, pk, CRYPTO_PUBLICKEYBYTES); - randombytes(mu, BYTES_MU); - shake(G2out, CRYPTO_BYTES + CRYPTO_BYTES, G2in, BYTES_PKHASH + BYTES_MU); - - // Generate Sp and Ep, and compute Bp = Sp*A + Ep. 
Generate A on-the-fly - shake_input_seedSE[0] = 0x96; - memcpy(&shake_input_seedSE[1], seedSE, CRYPTO_BYTES); - shake((uint8_t *)Sp, (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSE, 1 + CRYPTO_BYTES); - for (size_t i = 0; i < (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR; i++) { - Sp[i] = PQCLEAN_FRODOKEM1344AES_OPT_LE_TO_UINT16(Sp[i]); - } - PQCLEAN_FRODOKEM1344AES_OPT_sample_n(Sp, PARAMS_N * PARAMS_NBAR); - PQCLEAN_FRODOKEM1344AES_OPT_sample_n(Ep, PARAMS_N * PARAMS_NBAR); - PQCLEAN_FRODOKEM1344AES_OPT_mul_add_sa_plus_e(Bp, Sp, Ep, pk_seedA); - PQCLEAN_FRODOKEM1344AES_OPT_pack(ct_c1, (PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8, Bp, PARAMS_N * PARAMS_NBAR, PARAMS_LOGQ); - - // Generate Epp, and compute V = Sp*B + Epp - PQCLEAN_FRODOKEM1344AES_OPT_sample_n(Epp, PARAMS_NBAR * PARAMS_NBAR); - PQCLEAN_FRODOKEM1344AES_OPT_unpack(B, PARAMS_N * PARAMS_NBAR, pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, PARAMS_LOGQ); - PQCLEAN_FRODOKEM1344AES_OPT_mul_add_sb_plus_e(V, B, Sp, Epp); - - // Encode mu, and compute C = V + enc(mu) (mod q) - PQCLEAN_FRODOKEM1344AES_OPT_key_encode(C, (uint16_t *)mu); - PQCLEAN_FRODOKEM1344AES_OPT_add(C, V, C); - PQCLEAN_FRODOKEM1344AES_OPT_pack(ct_c2, (PARAMS_LOGQ * PARAMS_NBAR * PARAMS_NBAR) / 8, C, PARAMS_NBAR * PARAMS_NBAR, PARAMS_LOGQ); - - // Compute ss = F(ct||KK) - memcpy(Fin_ct, ct, CRYPTO_CIPHERTEXTBYTES); - memcpy(Fin_k, k, CRYPTO_BYTES); - shake(ss, CRYPTO_BYTES, Fin, CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES); - - // Cleanup: - PQCLEAN_FRODOKEM1344AES_OPT_clear_bytes((uint8_t *)V, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM1344AES_OPT_clear_bytes((uint8_t *)Sp, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM1344AES_OPT_clear_bytes((uint8_t *)Ep, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM1344AES_OPT_clear_bytes((uint8_t *)Epp, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM1344AES_OPT_clear_bytes(mu, BYTES_MU); - 
PQCLEAN_FRODOKEM1344AES_OPT_clear_bytes(G2out, 2 * CRYPTO_BYTES); - PQCLEAN_FRODOKEM1344AES_OPT_clear_bytes(Fin_k, CRYPTO_BYTES); - PQCLEAN_FRODOKEM1344AES_OPT_clear_bytes(shake_input_seedSE, 1 + CRYPTO_BYTES); - return 0; -} - - -int PQCLEAN_FRODOKEM1344AES_OPT_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk) { - // FrodoKEM's key decapsulation - uint16_t B[PARAMS_N * PARAMS_NBAR] = {0}; - uint16_t Bp[PARAMS_N * PARAMS_NBAR] = {0}; - uint16_t W[PARAMS_NBAR * PARAMS_NBAR] = {0}; // contains secret data - uint16_t C[PARAMS_NBAR * PARAMS_NBAR] = {0}; - uint16_t CC[PARAMS_NBAR * PARAMS_NBAR] = {0}; - uint16_t BBp[PARAMS_N * PARAMS_NBAR] = {0}; - uint16_t Sp[(2 * PARAMS_N + PARAMS_NBAR)*PARAMS_NBAR] = {0}; // contains secret data - uint16_t *Ep = &Sp[PARAMS_N * PARAMS_NBAR]; // contains secret data - uint16_t *Epp = &Sp[2 * PARAMS_N * PARAMS_NBAR]; // contains secret data - const uint8_t *ct_c1 = &ct[0]; - const uint8_t *ct_c2 = &ct[(PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8]; - const uint8_t *sk_s = &sk[0]; - const uint8_t *sk_pk = &sk[CRYPTO_BYTES]; - const uint8_t *sk_S = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES]; - uint16_t S[PARAMS_N * PARAMS_NBAR]; // contains secret data - const uint8_t *sk_pkh = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES + 2 * PARAMS_N * PARAMS_NBAR]; - const uint8_t *pk_seedA = &sk_pk[0]; - const uint8_t *pk_b = &sk_pk[BYTES_SEED_A]; - uint8_t G2in[BYTES_PKHASH + BYTES_MU]; // contains secret data via muprime - uint8_t *pkh = &G2in[0]; - uint8_t *muprime = &G2in[BYTES_PKHASH]; // contains secret data - uint8_t G2out[2 * CRYPTO_BYTES]; // contains secret data - uint8_t *seedSEprime = &G2out[0]; // contains secret data - uint8_t *kprime = &G2out[CRYPTO_BYTES]; // contains secret data - uint8_t Fin[CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES]; // contains secret data via Fin_k - uint8_t *Fin_ct = &Fin[0]; - uint8_t *Fin_k = &Fin[CRYPTO_CIPHERTEXTBYTES]; // contains secret data - uint8_t shake_input_seedSEprime[1 + CRYPTO_BYTES]; // 
contains secret data - - for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) { - S[i] = sk_S[2 * i] | (sk_S[2 * i + 1] << 8); - } - - // Compute W = C - Bp*S (mod q), and decode the randomness mu - PQCLEAN_FRODOKEM1344AES_OPT_unpack(Bp, PARAMS_N * PARAMS_NBAR, ct_c1, (PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8, PARAMS_LOGQ); - PQCLEAN_FRODOKEM1344AES_OPT_unpack(C, PARAMS_NBAR * PARAMS_NBAR, ct_c2, (PARAMS_LOGQ * PARAMS_NBAR * PARAMS_NBAR) / 8, PARAMS_LOGQ); - PQCLEAN_FRODOKEM1344AES_OPT_mul_bs(W, Bp, S); - PQCLEAN_FRODOKEM1344AES_OPT_sub(W, C, W); - PQCLEAN_FRODOKEM1344AES_OPT_key_decode((uint16_t *)muprime, W); - - // Generate (seedSE' || k') = G_2(pkh || mu') - memcpy(pkh, sk_pkh, BYTES_PKHASH); - shake(G2out, CRYPTO_BYTES + CRYPTO_BYTES, G2in, BYTES_PKHASH + BYTES_MU); - - // Generate Sp and Ep, and compute BBp = Sp*A + Ep. Generate A on-the-fly - shake_input_seedSEprime[0] = 0x96; - memcpy(&shake_input_seedSEprime[1], seedSEprime, CRYPTO_BYTES); - shake((uint8_t *)Sp, (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSEprime, 1 + CRYPTO_BYTES); - for (size_t i = 0; i < (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR; i++) { - Sp[i] = PQCLEAN_FRODOKEM1344AES_OPT_LE_TO_UINT16(Sp[i]); - } - PQCLEAN_FRODOKEM1344AES_OPT_sample_n(Sp, PARAMS_N * PARAMS_NBAR); - PQCLEAN_FRODOKEM1344AES_OPT_sample_n(Ep, PARAMS_N * PARAMS_NBAR); - PQCLEAN_FRODOKEM1344AES_OPT_mul_add_sa_plus_e(BBp, Sp, Ep, pk_seedA); - - // Generate Epp, and compute W = Sp*B + Epp - PQCLEAN_FRODOKEM1344AES_OPT_sample_n(Epp, PARAMS_NBAR * PARAMS_NBAR); - PQCLEAN_FRODOKEM1344AES_OPT_unpack(B, PARAMS_N * PARAMS_NBAR, pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, PARAMS_LOGQ); - PQCLEAN_FRODOKEM1344AES_OPT_mul_add_sb_plus_e(W, B, Sp, Epp); - - // Encode mu, and compute CC = W + enc(mu') (mod q) - PQCLEAN_FRODOKEM1344AES_OPT_key_encode(CC, (uint16_t *)muprime); - PQCLEAN_FRODOKEM1344AES_OPT_add(CC, W, CC); - - // Prepare input to F - memcpy(Fin_ct, ct, CRYPTO_CIPHERTEXTBYTES); - - // 
Reducing BBp modulo q - for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) { - BBp[i] = BBp[i] & ((1 << PARAMS_LOGQ) - 1); - } - - // If (Bp == BBp & C == CC) then ss = F(ct || k'), else ss = F(ct || s) - // Needs to avoid branching on secret data as per: - // Qian Guo, Thomas Johansson, Alexander Nilsson. A key-recovery timing attack on post-quantum - // primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM. In CRYPTO 2020. - int8_t selector = PQCLEAN_FRODOKEM1344AES_OPT_ct_verify(Bp, BBp, PARAMS_N * PARAMS_NBAR) | PQCLEAN_FRODOKEM1344AES_OPT_ct_verify(C, CC, PARAMS_NBAR * PARAMS_NBAR); - // If (selector == 0) then load k' to do ss = F(ct || k'), else if (selector == -1) load s to do ss = F(ct || s) - PQCLEAN_FRODOKEM1344AES_OPT_ct_select((uint8_t *)Fin_k, (uint8_t *)kprime, (uint8_t *)sk_s, CRYPTO_BYTES, selector); - shake(ss, CRYPTO_BYTES, Fin, CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES); - - // Cleanup: - PQCLEAN_FRODOKEM1344AES_OPT_clear_bytes((uint8_t *)W, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM1344AES_OPT_clear_bytes((uint8_t *)Sp, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM1344AES_OPT_clear_bytes((uint8_t *)S, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM1344AES_OPT_clear_bytes((uint8_t *)Ep, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM1344AES_OPT_clear_bytes((uint8_t *)Epp, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM1344AES_OPT_clear_bytes(muprime, BYTES_MU); - PQCLEAN_FRODOKEM1344AES_OPT_clear_bytes(G2out, 2 * CRYPTO_BYTES); - PQCLEAN_FRODOKEM1344AES_OPT_clear_bytes(Fin_k, CRYPTO_BYTES); - PQCLEAN_FRODOKEM1344AES_OPT_clear_bytes(shake_input_seedSEprime, 1 + CRYPTO_BYTES); - return 0; -} diff --git a/crypto_kem/frodokem1344aes/opt/matrix_aes.c b/crypto_kem/frodokem1344aes/opt/matrix_aes.c deleted file mode 100644 index ca461c99..00000000 --- a/crypto_kem/frodokem1344aes/opt/matrix_aes.c +++ /dev/null 
@@ -1,127 +0,0 @@ -/******************************************************************************************** -* FrodoKEM: Learning with Errors Key Encapsulation -* -* Abstract: matrix arithmetic functions used by the KEM -*********************************************************************************************/ - -#include -#include - -#include "aes.h" - -#include "api.h" -#include "common.h" -#include "params.h" - -int PQCLEAN_FRODOKEM1344AES_OPT_mul_add_as_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A) { - // Generate-and-multiply: generate matrix A (N x N) row-wise, multiply by s on the right. - // Inputs: s, e (N x N_BAR) - // Output: out = A*s + e (N x N_BAR) - int k; - uint16_t i, j; - int16_t a_row[4 * PARAMS_N]; - - for (i = 0; i < (PARAMS_N * PARAMS_NBAR); i += 2) { - *((uint32_t *)&out[i]) = *((uint32_t *)&e[i]); - } - - int16_t a_row_temp[4 * PARAMS_N] = {0}; // Take four lines of A at once - aes128ctx ctx128; - - aes128_ecb_keyexp(&ctx128, seed_A); - - for (j = 0; j < PARAMS_N; j += PARAMS_STRIPE_STEP) { - a_row_temp[j + 1 + 0 * PARAMS_N] = PQCLEAN_FRODOKEM1344AES_OPT_UINT16_TO_LE(j); // Loading values in the little-endian order - a_row_temp[j + 1 + 1 * PARAMS_N] = PQCLEAN_FRODOKEM1344AES_OPT_UINT16_TO_LE(j); - a_row_temp[j + 1 + 2 * PARAMS_N] = PQCLEAN_FRODOKEM1344AES_OPT_UINT16_TO_LE(j); - a_row_temp[j + 1 + 3 * PARAMS_N] = PQCLEAN_FRODOKEM1344AES_OPT_UINT16_TO_LE(j); - } - - for (i = 0; i < PARAMS_N; i += 4) { - for (j = 0; j < PARAMS_N; j += PARAMS_STRIPE_STEP) { // Go through A, four rows at a time - a_row_temp[j + 0 * PARAMS_N] = PQCLEAN_FRODOKEM1344AES_OPT_UINT16_TO_LE(i + 0); // Loading values in the little-endian order - a_row_temp[j + 1 * PARAMS_N] = PQCLEAN_FRODOKEM1344AES_OPT_UINT16_TO_LE(i + 1); - a_row_temp[j + 2 * PARAMS_N] = PQCLEAN_FRODOKEM1344AES_OPT_UINT16_TO_LE(i + 2); - a_row_temp[j + 3 * PARAMS_N] = PQCLEAN_FRODOKEM1344AES_OPT_UINT16_TO_LE(i + 3); - } - aes128_ecb((uint8_t *)a_row, 
(uint8_t *)a_row_temp, 4 * PARAMS_N * sizeof(int16_t) / AES_BLOCKBYTES, &ctx128); - for (k = 0; k < 4 * PARAMS_N; k++) { - a_row[k] = PQCLEAN_FRODOKEM1344AES_OPT_LE_TO_UINT16(a_row[k]); - } - for (k = 0; k < PARAMS_NBAR; k++) { - uint16_t sum[4] = {0}; - for (j = 0; j < PARAMS_N; j++) { // Matrix-vector multiplication - uint16_t sp = s[k * PARAMS_N + j]; - sum[0] += a_row[0 * PARAMS_N + j] * sp; // Go through four lines with same s - sum[1] += a_row[1 * PARAMS_N + j] * sp; - sum[2] += a_row[2 * PARAMS_N + j] * sp; - sum[3] += a_row[3 * PARAMS_N + j] * sp; - } - out[(i + 0)*PARAMS_NBAR + k] += sum[0]; - out[(i + 2)*PARAMS_NBAR + k] += sum[2]; - out[(i + 1)*PARAMS_NBAR + k] += sum[1]; - out[(i + 3)*PARAMS_NBAR + k] += sum[3]; - } - } - aes128_ctx_release(&ctx128); - return 1; -} - - - - -int PQCLEAN_FRODOKEM1344AES_OPT_mul_add_sa_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A) { - // Generate-and-multiply: generate matrix A (N x N) column-wise, multiply by s' on the left. - // Inputs: s', e' (N_BAR x N) - // Output: out = s'*A + e' (N_BAR x N) - int j; - uint16_t i, kk; - for (i = 0; i < (PARAMS_N * PARAMS_NBAR); i += 2) { - *((uint32_t *)&out[i]) = *((uint32_t *)&e[i]); - } - - int k; - uint16_t a_cols[PARAMS_N * PARAMS_STRIPE_STEP] = {0}; - uint16_t a_cols_t[PARAMS_N * PARAMS_STRIPE_STEP]; - uint16_t a_cols_temp[PARAMS_N * PARAMS_STRIPE_STEP] = {0}; - aes128ctx ctx128; - - aes128_ecb_keyexp(&ctx128, seed_A); - - for (i = 0, j = 0; i < PARAMS_N; i++, j += PARAMS_STRIPE_STEP) { - a_cols_temp[j] = PQCLEAN_FRODOKEM1344AES_OPT_UINT16_TO_LE(i); // Loading values in the little-endian order - } - - for (kk = 0; kk < PARAMS_N; kk += PARAMS_STRIPE_STEP) { // Go through A's columns, 8 (== PARAMS_STRIPE_STEP) columns at a time. 
- for (i = 0; i < (PARAMS_N * PARAMS_STRIPE_STEP); i += PARAMS_STRIPE_STEP) { - a_cols_temp[i + 1] = PQCLEAN_FRODOKEM1344AES_OPT_UINT16_TO_LE(kk); // Loading values in the little-endian order - } - - aes128_ecb((uint8_t *)a_cols, (uint8_t *)a_cols_temp, PARAMS_N * PARAMS_STRIPE_STEP * sizeof(int16_t) / AES_BLOCKBYTES, &ctx128); - - for (i = 0; i < PARAMS_N; i++) { // Transpose a_cols to have access to it in the column-major order. - for (k = 0; k < PARAMS_STRIPE_STEP; k++) { - a_cols_t[k * PARAMS_N + i] = PQCLEAN_FRODOKEM1344AES_OPT_LE_TO_UINT16(a_cols[i * PARAMS_STRIPE_STEP + k]); - } - } - - for (i = 0; i < PARAMS_NBAR; i++) { - for (k = 0; k < PARAMS_STRIPE_STEP; k += PARAMS_PARALLEL) { - uint16_t sum[PARAMS_PARALLEL] = {0}; - for (j = 0; j < PARAMS_N; j++) { // Matrix-vector multiplication - uint16_t sp = s[i * PARAMS_N + j]; - sum[0] += (uint16_t)(sp * (uint32_t)a_cols_t[(k + 0) * PARAMS_N + j]); - sum[1] += (uint16_t)(sp * (uint32_t)a_cols_t[(k + 1) * PARAMS_N + j]); - sum[2] += (uint16_t)(sp * (uint32_t)a_cols_t[(k + 2) * PARAMS_N + j]); - sum[3] += (uint16_t)(sp * (uint32_t)a_cols_t[(k + 3) * PARAMS_N + j]); - } - out[i * PARAMS_N + kk + k + 0] += sum[0]; - out[i * PARAMS_N + kk + k + 2] += sum[2]; - out[i * PARAMS_N + kk + k + 1] += sum[1]; - out[i * PARAMS_N + kk + k + 3] += sum[3]; - } - } - } - aes128_ctx_release(&ctx128); - return 1; -} diff --git a/crypto_kem/frodokem1344aes/opt/noise.c b/crypto_kem/frodokem1344aes/opt/noise.c deleted file mode 100644 index 8e8720ad..00000000 --- a/crypto_kem/frodokem1344aes/opt/noise.c +++ /dev/null 
@@ -1,35 +0,0 @@
-/********************************************************************************************
-* FrodoKEM: Learning with Errors Key Encapsulation
-*
-* Abstract: noise sampling functions
-*********************************************************************************************/
-
-#include
-
-#include "api.h"
-#include "common.h"
-#include "params.h"
-
-static const uint16_t CDF_TABLE[CDF_TABLE_LEN] = CDF_TABLE_DATA;
-
-void PQCLEAN_FRODOKEM1344AES_OPT_sample_n(uint16_t *s, size_t n) {
- // Fills vector s with n samples from the noise distribution which requires 16 bits to sample.
- // The distribution is specified by its CDF.
- // Input: pseudo-random values (2*n bytes) passed in s. The input is overwritten by the output.
- size_t i;
- unsigned int j;
-
- for (i = 0; i < n; ++i) {
- uint16_t sample = 0;
- uint16_t prnd = s[i] >> 1; // Drop the least significant bit
- uint16_t sign = s[i] & 0x1; // Pick the least significant bit
-
- // No need to compare with the last value.
- for (j = 0; j < (unsigned int)(CDF_TABLE_LEN - 1); j++) {
- // Constant time comparison: 1 if CDF_TABLE[j] < s, 0 otherwise. Uses the fact that CDF_TABLE[j] and s fit in 15 bits.
- sample += (uint16_t)(CDF_TABLE[j] - prnd) >> 15;
- }
- // Assuming that sign is either 0 or 1, flips sample iff sign = 1
- s[i] = ((-sign) ^ sample) + sign;
- }
-}
diff --git a/crypto_kem/frodokem1344aes/opt/params.h b/crypto_kem/frodokem1344aes/opt/params.h
deleted file mode 100644
index 08e6d4bb..00000000
--- a/crypto_kem/frodokem1344aes/opt/params.h
+++ /dev/null
@@ -1,27 +0,0 @@
-#ifndef PARAMS_H
-#define PARAMS_H
-
-#define CRYPTO_SECRETKEYBYTES PQCLEAN_FRODOKEM1344AES_OPT_CRYPTO_SECRETKEYBYTES
-#define CRYPTO_PUBLICKEYBYTES PQCLEAN_FRODOKEM1344AES_OPT_CRYPTO_PUBLICKEYBYTES
-#define CRYPTO_BYTES PQCLEAN_FRODOKEM1344AES_OPT_CRYPTO_BYTES
-#define CRYPTO_CIPHERTEXTBYTES PQCLEAN_FRODOKEM1344AES_OPT_CRYPTO_CIPHERTEXTBYTES
-
-#define PARAMS_N 1344
-#define PARAMS_NBAR 8
-#define PARAMS_LOGQ 16
-#define PARAMS_Q (1 << PARAMS_LOGQ)
-#define PARAMS_EXTRACTED_BITS 4
-#define PARAMS_STRIPE_STEP 8
-#define PARAMS_PARALLEL 4
-#define BYTES_SEED_A 16
-#define BYTES_MU ((PARAMS_EXTRACTED_BITS * PARAMS_NBAR * PARAMS_NBAR) / 8)
-#define BYTES_PKHASH CRYPTO_BYTES
-
-// Selecting SHAKE XOF function for the KEM and noise sampling
-#define shake shake256
-
-// CDF table
-#define CDF_TABLE_DATA {9142, 23462, 30338, 32361, 32725, 32765, 32767}
-#define CDF_TABLE_LEN 7
-
-#endif
diff --git a/crypto_kem/frodokem1344aes/opt/util.c b/crypto_kem/frodokem1344aes/opt/util.c
deleted file mode 100644
index 0fdc6757..00000000
--- a/crypto_kem/frodokem1344aes/opt/util.c
+++ /dev/null
@@ -1,264 +0,0 @@
-/****************************************************************************************
-* FrodoKEM: Learning with Errors Key Encapsulation
-*
-* Abstract: additional functions for FrodoKEM
-*****************************************************************************************/
-
-#include 
-#include 
-
-#include "api.h"
-#include "common.h"
-#include "params.h"
-
-static inline uint8_t min(uint8_t x, uint8_t y) {
- if (x < y) {
- return x;
- }
- return y;
-}
-
-uint16_t PQCLEAN_FRODOKEM1344AES_OPT_LE_TO_UINT16(uint16_t n) {
- return (((uint8_t *) &n)[0] | (((uint8_t *) &n)[1] << 8));
-}
-
-uint16_t PQCLEAN_FRODOKEM1344AES_OPT_UINT16_TO_LE(uint16_t n) {
- uint16_t y;
- uint8_t *z = (uint8_t *) &y;
- z[0] = n & 0xFF;
- z[1] = (n & 0xFF00) >> 8;
- return y;
-}
-
-void PQCLEAN_FRODOKEM1344AES_OPT_mul_bs(uint16_t *out, const uint16_t *b, const uint16_t *s) {
- // Multiply by s on the right
- // Inputs: b (N_BAR x N), s (N x N_BAR)
- // Output: out = b*s (N_BAR x N_BAR)
- int i, j, k;
-
- for (i = 0; i < PARAMS_NBAR; i++) {
- for (j = 0; j < PARAMS_NBAR; j++) {
- out[i * PARAMS_NBAR + j] = 0;
- for (k = 0; k < PARAMS_N; k++) {
- out[i * PARAMS_NBAR + j] += (uint16_t)(b[i * PARAMS_N + k] * (uint32_t)s[j * PARAMS_N + k]);
- }
- out[i * PARAMS_NBAR + j] = (uint32_t)(out[i * PARAMS_NBAR + j]) & ((1 << PARAMS_LOGQ) - 1);
- }
- }
-}
-
-
-void PQCLEAN_FRODOKEM1344AES_OPT_mul_add_sb_plus_e(uint16_t *out, const uint16_t *b, const uint16_t *s, const uint16_t *e) {
- // Multiply by s on the left
- // Inputs: b (N x N_BAR), s (N_BAR x N), e (N_BAR x N_BAR)
- // Output: out = s*b + e (N_BAR x N_BAR)
- int i, j, k;
-
- for (k = 0; k < PARAMS_NBAR; k++) {
- for (i = 0; i < PARAMS_NBAR; i++) {
- out[k * PARAMS_NBAR + i] = e[k * PARAMS_NBAR + i];
- for (j = 0; j < PARAMS_N; j++) {
- out[k * PARAMS_NBAR + i] += (uint16_t)(s[k * PARAMS_N + j] * (uint32_t)b[j * PARAMS_NBAR + i]);
- }
- out[k * PARAMS_NBAR + i] = (uint32_t)(out[k * PARAMS_NBAR + i]) & ((1 << PARAMS_LOGQ) - 1);
- }
- }
-}
-
-
-void PQCLEAN_FRODOKEM1344AES_OPT_add(uint16_t *out, const uint16_t *a, const uint16_t *b) {
- // Add a and b
- // Inputs: a, b (N_BAR x N_BAR)
- // Output: c = a + b
-
- for (size_t i = 0; i < (PARAMS_NBAR * PARAMS_NBAR); i++) {
- out[i] = (a[i] + b[i]) & ((1 << PARAMS_LOGQ) - 1);
- }
-}
-
-
-void PQCLEAN_FRODOKEM1344AES_OPT_sub(uint16_t *out, const uint16_t *a, const uint16_t *b) {
- // Subtract a and b
- // Inputs: a, b (N_BAR x N_BAR)
- // Output: c = a - b
-
- for (size_t i = 0; i < (PARAMS_NBAR * PARAMS_NBAR); i++) {
- out[i] = (a[i] - b[i]) & ((1 << PARAMS_LOGQ) - 1);
- }
-}
-
-
-void PQCLEAN_FRODOKEM1344AES_OPT_key_encode(uint16_t *out, const uint16_t *in) {
- // Encoding
- unsigned int i, j, npieces_word = 8;
- unsigned int nwords = (PARAMS_NBAR * PARAMS_NBAR) / 8;
- uint64_t temp, mask = ((uint64_t)1 << PARAMS_EXTRACTED_BITS) - 1;
- uint16_t *pos = out;
-
- for (i = 0; i < nwords; i++) {
- temp = 0;
- for (j = 0; j < PARAMS_EXTRACTED_BITS; j++) {
- temp |= ((uint64_t)((uint8_t *)in)[i * PARAMS_EXTRACTED_BITS + j]) << (8 * j);
- }
- for (j = 0; j < npieces_word; j++) {
- *pos = (uint16_t)((temp & mask) << (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS));
- temp >>= PARAMS_EXTRACTED_BITS;
- pos++;
- }
- }
-}
-
-
-void PQCLEAN_FRODOKEM1344AES_OPT_key_decode(uint16_t *out, const uint16_t *in) {
- // Decoding
- unsigned int i, j, index = 0, npieces_word = 8;
- unsigned int nwords = (PARAMS_NBAR * PARAMS_NBAR) / 8;
- uint16_t temp, maskex = ((uint16_t)1 << PARAMS_EXTRACTED_BITS) - 1, maskq = ((uint16_t)1 << PARAMS_LOGQ) - 1;
- uint8_t *pos = (uint8_t *)out;
- uint64_t templong;
-
- for (i = 0; i < nwords; i++) {
- templong = 0;
- for (j = 0; j < npieces_word; j++) { // temp = floor(in*2^{-11}+0.5)
- temp = ((in[index] & maskq) + (1 << (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS - 1))) >> (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS);
- templong |= ((uint64_t)(temp & maskex)) << (PARAMS_EXTRACTED_BITS * j);
- index++;
- }
- for (j = 0; j < PARAMS_EXTRACTED_BITS; j++) {
- pos[i * PARAMS_EXTRACTED_BITS + j] = (templong >> (8 * j)) & 0xFF;
- }
- }
-}
-
-
-void PQCLEAN_FRODOKEM1344AES_OPT_pack(uint8_t *out, size_t outlen, const uint16_t *in, size_t inlen, uint8_t lsb) {
- // Pack the input uint16 vector into a char output vector, copying lsb bits from each input element.
- // If inlen * lsb / 8 > outlen, only outlen * 8 bits are copied.
- memset(out, 0, outlen);
-
- size_t i = 0; // whole bytes already filled in
- size_t j = 0; // whole uint16_t already copied
- uint16_t w = 0; // the leftover, not yet copied
- uint8_t bits = 0; // the number of lsb in w
-
- while (i < outlen && (j < inlen || ((j == inlen) && (bits > 0)))) {
- /*
- in: | | |********|********|
- ^
- j
- w : | ****|
- ^
- bits
- out:|**|**|**|**|**|**|**|**|* |
- ^^
- ib
- */
- uint8_t b = 0; // bits in out[i] already filled in
- while (b < 8) {
- int nbits = min(8 - b, bits);
- uint16_t mask = (1 << nbits) - 1;
- uint8_t t = (uint8_t) ((w >> (bits - nbits)) & mask); // the bits to copy from w to out
- out[i] = out[i] + (t << (8 - b - nbits));
- b += (uint8_t) nbits;
- bits -= (uint8_t) nbits;
- w &= ~(mask << bits); // not strictly necessary; mostly for debugging
-
- if (bits == 0) {
- if (j < inlen) {
- w = in[j];
- bits = lsb;
- j++;
- } else {
- break; // the input vector is exhausted
- }
- }
- }
- if (b == 8) { // out[i] is filled in
- i++;
- }
- }
-}
-
-
-void PQCLEAN_FRODOKEM1344AES_OPT_unpack(uint16_t *out, size_t outlen, const uint8_t *in, size_t inlen, uint8_t lsb) {
- // Unpack the input char vector into a uint16_t output vector, copying lsb bits
- // for each output element from input. outlen must be at least ceil(inlen * 8 / lsb).
- memset(out, 0, outlen * sizeof(uint16_t));
-
- size_t i = 0; // whole uint16_t already filled in
- size_t j = 0; // whole bytes already copied
- uint8_t w = 0; // the leftover, not yet copied
- uint8_t bits = 0; // the number of lsb bits of w
-
- while (i < outlen && (j < inlen || ((j == inlen) && (bits > 0)))) {
- /*
- in: | | | | | | |**|**|...
- ^
- j
- w : | *|
- ^
- bits
- out:| *****| *****| *** | |...
- ^ ^
- i b
- */
- uint8_t b = 0; // bits in out[i] already filled in
- while (b < lsb) {
- int nbits = min(lsb - b, bits);
- uint16_t mask = (1 << nbits) - 1;
- uint8_t t = (w >> (bits - nbits)) & mask; // the bits to copy from w to out
- out[i] = out[i] + (t << (lsb - b - nbits));
- b += (uint8_t) nbits;
- bits -= (uint8_t) nbits;
- w &= ~(mask << bits); // not strictly necessary; mostly for debugging
-
- if (bits == 0) {
- if (j < inlen) {
- w = in[j];
- bits = 8;
- j++;
- } else {
- break; // the input vector is exhausted
- }
- }
- }
- if (b == lsb) { // out[i] is filled in
- i++;
- }
- }
-}
-
-
-int8_t PQCLEAN_FRODOKEM1344AES_OPT_ct_verify(const uint16_t *a, const uint16_t *b, size_t len) {
- // Compare two arrays in constant time.
- // Returns 0 if the byte arrays are equal, -1 otherwise.
- uint16_t r = 0;
-
- for (size_t i = 0; i < len; i++) {
- r |= a[i] ^ b[i];
- }
-
- r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);
- return (int8_t)r;
-}
-
-
-void PQCLEAN_FRODOKEM1344AES_OPT_ct_select(uint8_t *r, const uint8_t *a, const uint8_t *b, size_t len, int8_t selector) {
- // Select one of the two input arrays to be moved to r
- // If (selector == 0) then load r with a, else if (selector == -1) load r with b
-
- for (size_t i = 0; i < len; i++) {
- r[i] = (~selector & a[i]) | (selector & b[i]);
- }
-}
-
-
-void PQCLEAN_FRODOKEM1344AES_OPT_clear_bytes(uint8_t *mem, size_t n) {
- // Clear 8-bit bytes from memory. "n" indicates the number of bytes to be zeroed.
- // This function uses the volatile type qualifier to inform the compiler not to optimize out the memory clearing.
- volatile uint8_t *v = mem;
-
- for (size_t i = 0; i < n; i++) {
- v[i] = 0;
- }
-}
diff --git a/crypto_kem/frodokem640aes/META.yml b/crypto_kem/frodokem640aes/META.yml
deleted file mode 100644
index b4763752..00000000
--- a/crypto_kem/frodokem640aes/META.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-name: FrodoKEM-640-AES
-type: kem
-claimed-nist-level: 1
-claimed-security: IND-CCA2
-length-public-key: 9616
-length-secret-key: 19888
-length-ciphertext: 9720
-length-shared-secret: 16
-nistkat-sha256: c1f006531583896c47416e10707d1c8e487fe549df304d7a9c43155d5e47b8b6
-principal-submitters:
- - Michael Naehrig, Microsoft Research
-auxiliary-submitters:
-- Erdem Alkim
-- Joppe W. Bos, NXP Semiconductors
-- Léo Ducas, CWI
-- Patrick Longa, Microsoft Research
-- Ilya Mironov, Google
-- Valeria Nikolaenko
-- Chris Peikert, University of Michigan
-- Ananth Raghunathan, Google
-- Douglas Stebila, University of Waterloo
-- Karen Easterbrook, Microsoft Research
-- Brian LaMacchia, Microsoft Research
-implementations:
-- name: clean
- version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db
-- name: opt
- version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db
diff --git a/crypto_kem/frodokem640aes/clean/LICENSE b/crypto_kem/frodokem640aes/clean/LICENSE
deleted file mode 100644
index 5cf7c8db..00000000
--- a/crypto_kem/frodokem640aes/clean/LICENSE
+++ /dev/null
@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) Microsoft Corporation. All rights reserved.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE
diff --git a/crypto_kem/frodokem640aes/clean/Makefile.Microsoft_nmake b/crypto_kem/frodokem640aes/clean/Makefile.Microsoft_nmake
deleted file mode 100644
index 4f19a731..00000000
--- a/crypto_kem/frodokem640aes/clean/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libfrodokem640aes_clean.lib
-OBJECTS=kem.obj matrix_aes.obj noise.obj util.obj
-
-CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_kem/frodokem640aes/clean/api.h b/crypto_kem/frodokem640aes/clean/api.h
deleted file mode 100644
index 6b688108..00000000
--- a/crypto_kem/frodokem640aes/clean/api.h
+++ /dev/null
@@ -1,20 +0,0 @@
-#ifndef PQCLEAN_FRODOKEM640AES_CLEAN_API_H
-#define PQCLEAN_FRODOKEM640AES_CLEAN_API_H
-
-#include 
-#include 
-
-#define PQCLEAN_FRODOKEM640AES_CLEAN_CRYPTO_SECRETKEYBYTES 19888 // sizeof(s) + CRYPTO_PUBLICKEYBYTES + 2*PARAMS_N*PARAMS_NBAR + BYTES_PKHASH
-#define PQCLEAN_FRODOKEM640AES_CLEAN_CRYPTO_PUBLICKEYBYTES 9616 // sizeof(seed_A) + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8
-#define PQCLEAN_FRODOKEM640AES_CLEAN_CRYPTO_BYTES 16
-#define PQCLEAN_FRODOKEM640AES_CLEAN_CRYPTO_CIPHERTEXTBYTES 9720 // (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 + (PARAMS_LOGQ*PARAMS_NBAR*PARAMS_NBAR)/8
-
-#define PQCLEAN_FRODOKEM640AES_CLEAN_CRYPTO_ALGNAME "FrodoKEM-640-AES"
-
-int PQCLEAN_FRODOKEM640AES_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
-
-int PQCLEAN_FRODOKEM640AES_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-
-int PQCLEAN_FRODOKEM640AES_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
-#endif
diff --git a/crypto_kem/frodokem640aes/clean/common.h b/crypto_kem/frodokem640aes/clean/common.h
deleted file mode 100644
index f30d5835..00000000
--- a/crypto_kem/frodokem640aes/clean/common.h
+++ /dev/null
@@ -1,21 +0,0 @@
-#ifndef COMMON_H
-#define COMMON_H
-
-int PQCLEAN_FRODOKEM640AES_CLEAN_mul_add_as_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A);
-int PQCLEAN_FRODOKEM640AES_CLEAN_mul_add_sa_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A);
-void PQCLEAN_FRODOKEM640AES_CLEAN_sample_n(uint16_t *s, size_t n);
-void PQCLEAN_FRODOKEM640AES_CLEAN_mul_bs(uint16_t *out, const uint16_t *b, const uint16_t *s);
-void PQCLEAN_FRODOKEM640AES_CLEAN_mul_add_sb_plus_e(uint16_t *out, const uint16_t *b, const uint16_t *s, const uint16_t *e);
-void PQCLEAN_FRODOKEM640AES_CLEAN_add(uint16_t *out, const uint16_t *a, const uint16_t *b);
-void PQCLEAN_FRODOKEM640AES_CLEAN_sub(uint16_t *out, const uint16_t *a, const uint16_t *b);
-void PQCLEAN_FRODOKEM640AES_CLEAN_key_encode(uint16_t *out, const uint16_t *in);
-void PQCLEAN_FRODOKEM640AES_CLEAN_key_decode(uint16_t *out, const uint16_t *in);
-void PQCLEAN_FRODOKEM640AES_CLEAN_pack(uint8_t *out, size_t outlen, const uint16_t *in, size_t inlen, uint8_t lsb);
-void PQCLEAN_FRODOKEM640AES_CLEAN_unpack(uint16_t *out, size_t outlen, const uint8_t *in, size_t inlen, uint8_t lsb);
-int8_t PQCLEAN_FRODOKEM640AES_CLEAN_ct_verify(const uint16_t *a, const uint16_t *b, size_t len);
-void PQCLEAN_FRODOKEM640AES_CLEAN_ct_select(uint8_t *r, const uint8_t *a, const uint8_t *b, size_t len, int8_t selector);
-void PQCLEAN_FRODOKEM640AES_CLEAN_clear_bytes(uint8_t *mem, size_t n);
-uint16_t PQCLEAN_FRODOKEM640AES_CLEAN_LE_TO_UINT16(uint16_t n);
-uint16_t PQCLEAN_FRODOKEM640AES_CLEAN_UINT16_TO_LE(uint16_t n);
-
-#endif
diff --git a/crypto_kem/frodokem640aes/clean/kem.c b/crypto_kem/frodokem640aes/clean/kem.c
deleted file mode 100644
index 3572ee59..00000000
--- a/crypto_kem/frodokem640aes/clean/kem.c
+++ /dev/null
@@ -1,237 +0,0 @@
-/****************************************************************************************
-* FrodoKEM: Learning with Errors Key Encapsulation
-*
-* Abstract: Key Encapsulation Mechanism (KEM) based on Frodo
-*****************************************************************************************/
-
-#include 
-#include 
-
-#include "fips202.h"
-#include "randombytes.h"
-
-#include "api.h"
-#include "common.h"
-#include "params.h"
-
-int PQCLEAN_FRODOKEM640AES_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) {
- // FrodoKEM's key generation
- // Outputs: public key pk ( BYTES_SEED_A + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 bytes)
- // secret key sk (CRYPTO_BYTES + BYTES_SEED_A + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 + 2*PARAMS_N*PARAMS_NBAR + BYTES_PKHASH bytes)
- uint8_t *pk_seedA = &pk[0];
- uint8_t *pk_b = &pk[BYTES_SEED_A];
- uint8_t *sk_s = &sk[0];
- uint8_t *sk_pk = &sk[CRYPTO_BYTES];
- uint8_t *sk_S = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES];
- uint8_t *sk_pkh = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES + 2 * PARAMS_N * PARAMS_NBAR];
- uint16_t B[PARAMS_N * PARAMS_NBAR] = {0};
- uint16_t S[2 * PARAMS_N * PARAMS_NBAR] = {0}; // contains secret data
- uint16_t *E = &S[PARAMS_N * PARAMS_NBAR]; // contains secret data
- uint8_t randomness[2 * CRYPTO_BYTES + BYTES_SEED_A]; // contains secret data via randomness_s and randomness_seedSE
- uint8_t *randomness_s = &randomness[0]; // contains secret data
- uint8_t *randomness_seedSE = &randomness[CRYPTO_BYTES]; // contains secret data
- uint8_t *randomness_z = &randomness[2 * CRYPTO_BYTES];
- uint8_t shake_input_seedSE[1 + CRYPTO_BYTES]; // contains secret data
-
- // Generate the secret value s, the seed for S and E, and the seed for the seed for A. Add seed_A to the public key
- randombytes(randomness, CRYPTO_BYTES + CRYPTO_BYTES + BYTES_SEED_A);
- shake(pk_seedA, BYTES_SEED_A, randomness_z, BYTES_SEED_A);
-
- // Generate S and E, and compute B = A*S + E. Generate A on-the-fly
- shake_input_seedSE[0] = 0x5F;
- memcpy(&shake_input_seedSE[1], randomness_seedSE, CRYPTO_BYTES);
- shake((uint8_t *)S, 2 * PARAMS_N * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSE, 1 + CRYPTO_BYTES);
- for (size_t i = 0; i < 2 * PARAMS_N * PARAMS_NBAR; i++) {
- S[i] = PQCLEAN_FRODOKEM640AES_CLEAN_LE_TO_UINT16(S[i]);
- }
- PQCLEAN_FRODOKEM640AES_CLEAN_sample_n(S, PARAMS_N * PARAMS_NBAR);
- PQCLEAN_FRODOKEM640AES_CLEAN_sample_n(E, PARAMS_N * PARAMS_NBAR);
- PQCLEAN_FRODOKEM640AES_CLEAN_mul_add_as_plus_e(B, S, E, pk);
-
- // Encode the second part of the public key
- PQCLEAN_FRODOKEM640AES_CLEAN_pack(pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, B, PARAMS_N * PARAMS_NBAR, PARAMS_LOGQ);
-
- // Add s, pk and S to the secret key
- memcpy(sk_s, randomness_s, CRYPTO_BYTES);
- memcpy(sk_pk, pk, CRYPTO_PUBLICKEYBYTES);
- for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) {
- S[i] = PQCLEAN_FRODOKEM640AES_CLEAN_UINT16_TO_LE(S[i]);
- }
- memcpy(sk_S, S, 2 * PARAMS_N * PARAMS_NBAR);
-
- // Add H(pk) to the secret key
- shake(sk_pkh, BYTES_PKHASH, pk, CRYPTO_PUBLICKEYBYTES);
-
- // Cleanup:
- PQCLEAN_FRODOKEM640AES_CLEAN_clear_bytes((uint8_t *)S, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
- PQCLEAN_FRODOKEM640AES_CLEAN_clear_bytes((uint8_t *)E, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
- PQCLEAN_FRODOKEM640AES_CLEAN_clear_bytes(randomness, 2 * CRYPTO_BYTES);
- PQCLEAN_FRODOKEM640AES_CLEAN_clear_bytes(shake_input_seedSE, 1 + CRYPTO_BYTES);
- return 0;
-}
-
-
-int PQCLEAN_FRODOKEM640AES_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk) {
- // FrodoKEM's key encapsulation
- const uint8_t *pk_seedA = &pk[0];
- const uint8_t *pk_b = &pk[BYTES_SEED_A];
- uint8_t *ct_c1 = &ct[0];
- uint8_t *ct_c2 = &ct[(PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8];
- uint16_t B[PARAMS_N * PARAMS_NBAR] = {0};
- uint16_t V[PARAMS_NBAR * PARAMS_NBAR] = {0}; // contains secret data
- uint16_t C[PARAMS_NBAR * PARAMS_NBAR] = {0};
- uint16_t Bp[PARAMS_N * PARAMS_NBAR] = {0};
- uint16_t Sp[(2 * PARAMS_N + PARAMS_NBAR)*PARAMS_NBAR] = {0}; // contains secret data
- uint16_t *Ep = &Sp[PARAMS_N * PARAMS_NBAR]; // contains secret data
- uint16_t *Epp = &Sp[2 * PARAMS_N * PARAMS_NBAR]; // contains secret data
- uint8_t G2in[BYTES_PKHASH + BYTES_MU]; // contains secret data via mu
- uint8_t *pkh = &G2in[0];
- uint8_t *mu = &G2in[BYTES_PKHASH]; // contains secret data
- uint8_t G2out[2 * CRYPTO_BYTES]; // contains secret data
- uint8_t *seedSE = &G2out[0]; // contains secret data
- uint8_t *k = &G2out[CRYPTO_BYTES]; // contains secret data
- uint8_t Fin[CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES]; // contains secret data via Fin_k
- uint8_t *Fin_ct = &Fin[0];
- uint8_t *Fin_k = &Fin[CRYPTO_CIPHERTEXTBYTES]; // contains secret data
- uint8_t shake_input_seedSE[1 + CRYPTO_BYTES]; // contains secret data
-
- // pkh <- G_1(pk), generate random mu, compute (seedSE || k) = G_2(pkh || mu)
- shake(pkh, BYTES_PKHASH, pk, CRYPTO_PUBLICKEYBYTES);
- randombytes(mu, BYTES_MU);
- shake(G2out, CRYPTO_BYTES + CRYPTO_BYTES, G2in, BYTES_PKHASH + BYTES_MU);
-
- // Generate Sp and Ep, and compute Bp = Sp*A + Ep. Generate A on-the-fly
- shake_input_seedSE[0] = 0x96;
- memcpy(&shake_input_seedSE[1], seedSE, CRYPTO_BYTES);
- shake((uint8_t *)Sp, (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSE, 1 + CRYPTO_BYTES);
- for (size_t i = 0; i < (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR; i++) {
- Sp[i] = PQCLEAN_FRODOKEM640AES_CLEAN_LE_TO_UINT16(Sp[i]);
- }
- PQCLEAN_FRODOKEM640AES_CLEAN_sample_n(Sp, PARAMS_N * PARAMS_NBAR);
- PQCLEAN_FRODOKEM640AES_CLEAN_sample_n(Ep, PARAMS_N * PARAMS_NBAR);
- PQCLEAN_FRODOKEM640AES_CLEAN_mul_add_sa_plus_e(Bp, Sp, Ep, pk_seedA);
- PQCLEAN_FRODOKEM640AES_CLEAN_pack(ct_c1, (PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8, Bp, PARAMS_N * PARAMS_NBAR, PARAMS_LOGQ);
-
- // Generate Epp, and compute V = Sp*B + Epp
- PQCLEAN_FRODOKEM640AES_CLEAN_sample_n(Epp, PARAMS_NBAR * PARAMS_NBAR);
- PQCLEAN_FRODOKEM640AES_CLEAN_unpack(B, PARAMS_N * PARAMS_NBAR, pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, PARAMS_LOGQ);
- PQCLEAN_FRODOKEM640AES_CLEAN_mul_add_sb_plus_e(V, B, Sp, Epp);
-
- // Encode mu, and compute C = V + enc(mu) (mod q)
- PQCLEAN_FRODOKEM640AES_CLEAN_key_encode(C, (uint16_t *)mu);
- PQCLEAN_FRODOKEM640AES_CLEAN_add(C, V, C);
- PQCLEAN_FRODOKEM640AES_CLEAN_pack(ct_c2, (PARAMS_LOGQ * PARAMS_NBAR * PARAMS_NBAR) / 8, C, PARAMS_NBAR * PARAMS_NBAR, PARAMS_LOGQ);
-
- // Compute ss = F(ct||KK)
- memcpy(Fin_ct, ct, CRYPTO_CIPHERTEXTBYTES);
- memcpy(Fin_k, k, CRYPTO_BYTES);
- shake(ss, CRYPTO_BYTES, Fin, CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES);
-
- // Cleanup:
- PQCLEAN_FRODOKEM640AES_CLEAN_clear_bytes((uint8_t *)V, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t));
- PQCLEAN_FRODOKEM640AES_CLEAN_clear_bytes((uint8_t *)Sp, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
- PQCLEAN_FRODOKEM640AES_CLEAN_clear_bytes((uint8_t *)Ep, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
- PQCLEAN_FRODOKEM640AES_CLEAN_clear_bytes((uint8_t *)Epp, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t));
- PQCLEAN_FRODOKEM640AES_CLEAN_clear_bytes(mu, BYTES_MU);
- PQCLEAN_FRODOKEM640AES_CLEAN_clear_bytes(G2out, 2 * CRYPTO_BYTES);
- PQCLEAN_FRODOKEM640AES_CLEAN_clear_bytes(Fin_k, CRYPTO_BYTES);
- PQCLEAN_FRODOKEM640AES_CLEAN_clear_bytes(shake_input_seedSE, 1 + CRYPTO_BYTES);
- return 0;
-}
-
-
-int PQCLEAN_FRODOKEM640AES_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk) {
- // FrodoKEM's key decapsulation
- uint16_t B[PARAMS_N * PARAMS_NBAR] = {0};
- uint16_t Bp[PARAMS_N * PARAMS_NBAR] = {0};
- uint16_t W[PARAMS_NBAR * PARAMS_NBAR] = {0}; // contains secret data
- uint16_t C[PARAMS_NBAR * PARAMS_NBAR] = {0};
- uint16_t CC[PARAMS_NBAR * PARAMS_NBAR] = {0};
- uint16_t BBp[PARAMS_N * PARAMS_NBAR] = {0};
- uint16_t Sp[(2 * PARAMS_N + PARAMS_NBAR)*PARAMS_NBAR] = {0}; // contains secret data
- uint16_t *Ep = &Sp[PARAMS_N * PARAMS_NBAR]; // contains secret data
- uint16_t *Epp = &Sp[2 * PARAMS_N * PARAMS_NBAR]; // contains secret data
- const uint8_t *ct_c1 = &ct[0];
- const uint8_t *ct_c2 = &ct[(PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8];
- const uint8_t *sk_s = &sk[0];
- const uint8_t *sk_pk = &sk[CRYPTO_BYTES];
- const uint8_t *sk_S = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES];
- uint16_t S[PARAMS_N * PARAMS_NBAR]; // contains secret data
- const uint8_t *sk_pkh = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES + 2 * PARAMS_N * PARAMS_NBAR];
- const uint8_t *pk_seedA = &sk_pk[0];
- const uint8_t *pk_b = &sk_pk[BYTES_SEED_A];
- uint8_t G2in[BYTES_PKHASH + BYTES_MU]; // contains secret data via muprime
- uint8_t *pkh = &G2in[0];
- uint8_t *muprime = &G2in[BYTES_PKHASH]; // contains secret data
- uint8_t G2out[2 * CRYPTO_BYTES]; // contains secret data
- uint8_t *seedSEprime = &G2out[0]; // contains secret data
- uint8_t *kprime = &G2out[CRYPTO_BYTES]; // contains secret data
- uint8_t Fin[CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES]; // contains secret data via Fin_k
- uint8_t *Fin_ct = &Fin[0];
- uint8_t *Fin_k = &Fin[CRYPTO_CIPHERTEXTBYTES]; // contains secret data
- uint8_t shake_input_seedSEprime[1 + CRYPTO_BYTES]; // contains secret data
-
- for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) {
- S[i] = sk_S[2 * i] | (sk_S[2 * i + 1] << 8);
- }
-
- // Compute W = C - Bp*S (mod q), and decode the randomness mu
- PQCLEAN_FRODOKEM640AES_CLEAN_unpack(Bp, PARAMS_N * PARAMS_NBAR, ct_c1, (PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8, PARAMS_LOGQ);
- PQCLEAN_FRODOKEM640AES_CLEAN_unpack(C, PARAMS_NBAR * PARAMS_NBAR, ct_c2, (PARAMS_LOGQ * PARAMS_NBAR * PARAMS_NBAR) / 8, PARAMS_LOGQ);
- PQCLEAN_FRODOKEM640AES_CLEAN_mul_bs(W, Bp, S);
- PQCLEAN_FRODOKEM640AES_CLEAN_sub(W, C, W);
- PQCLEAN_FRODOKEM640AES_CLEAN_key_decode((uint16_t *)muprime, W);
-
- // Generate (seedSE' || k') = G_2(pkh || mu')
- memcpy(pkh, sk_pkh, BYTES_PKHASH);
- shake(G2out, CRYPTO_BYTES + CRYPTO_BYTES, G2in, BYTES_PKHASH + BYTES_MU);
-
- // Generate Sp and Ep, and compute BBp = Sp*A + Ep. Generate A on-the-fly
- shake_input_seedSEprime[0] = 0x96;
- memcpy(&shake_input_seedSEprime[1], seedSEprime, CRYPTO_BYTES);
- shake((uint8_t *)Sp, (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSEprime, 1 + CRYPTO_BYTES);
- for (size_t i = 0; i < (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR; i++) {
- Sp[i] = PQCLEAN_FRODOKEM640AES_CLEAN_LE_TO_UINT16(Sp[i]);
- }
- PQCLEAN_FRODOKEM640AES_CLEAN_sample_n(Sp, PARAMS_N * PARAMS_NBAR);
- PQCLEAN_FRODOKEM640AES_CLEAN_sample_n(Ep, PARAMS_N * PARAMS_NBAR);
- PQCLEAN_FRODOKEM640AES_CLEAN_mul_add_sa_plus_e(BBp, Sp, Ep, pk_seedA);
-
- // Generate Epp, and compute W = Sp*B + Epp
- PQCLEAN_FRODOKEM640AES_CLEAN_sample_n(Epp, PARAMS_NBAR * PARAMS_NBAR);
- PQCLEAN_FRODOKEM640AES_CLEAN_unpack(B, PARAMS_N * PARAMS_NBAR, pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, PARAMS_LOGQ);
- PQCLEAN_FRODOKEM640AES_CLEAN_mul_add_sb_plus_e(W, B, Sp, Epp);
-
- // Encode mu, and compute CC = W + enc(mu') (mod q)
- PQCLEAN_FRODOKEM640AES_CLEAN_key_encode(CC, (uint16_t *)muprime);
- PQCLEAN_FRODOKEM640AES_CLEAN_add(CC, W, CC);
-
- // Prepare input to F
- memcpy(Fin_ct, ct, CRYPTO_CIPHERTEXTBYTES);
-
- // Reducing BBp modulo q
- for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) {
- BBp[i] = BBp[i] & ((1 << PARAMS_LOGQ) - 1);
- }
-
- // If (Bp == BBp & C == CC) then ss = F(ct || k'), else ss = F(ct || s)
- // Needs to avoid branching on secret data as per:
- // Qian Guo, Thomas Johansson, Alexander Nilsson. A key-recovery timing attack on post-quantum
- // primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM. In CRYPTO 2020.
- int8_t selector = PQCLEAN_FRODOKEM640AES_CLEAN_ct_verify(Bp, BBp, PARAMS_N * PARAMS_NBAR) | PQCLEAN_FRODOKEM640AES_CLEAN_ct_verify(C, CC, PARAMS_NBAR * PARAMS_NBAR);
- // If (selector == 0) then load k' to do ss = F(ct || k'), else if (selector == -1) load s to do ss = F(ct || s)
- PQCLEAN_FRODOKEM640AES_CLEAN_ct_select((uint8_t *)Fin_k, (uint8_t *)kprime, (uint8_t *)sk_s, CRYPTO_BYTES, selector);
- shake(ss, CRYPTO_BYTES, Fin, CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES);
-
- // Cleanup:
- PQCLEAN_FRODOKEM640AES_CLEAN_clear_bytes((uint8_t *)W, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t));
- PQCLEAN_FRODOKEM640AES_CLEAN_clear_bytes((uint8_t *)Sp, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
- PQCLEAN_FRODOKEM640AES_CLEAN_clear_bytes((uint8_t *)S, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
- PQCLEAN_FRODOKEM640AES_CLEAN_clear_bytes((uint8_t *)Ep, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
- PQCLEAN_FRODOKEM640AES_CLEAN_clear_bytes((uint8_t *)Epp, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t));
- PQCLEAN_FRODOKEM640AES_CLEAN_clear_bytes(muprime, BYTES_MU);
- PQCLEAN_FRODOKEM640AES_CLEAN_clear_bytes(G2out, 2 * CRYPTO_BYTES);
- PQCLEAN_FRODOKEM640AES_CLEAN_clear_bytes(Fin_k, CRYPTO_BYTES);
- PQCLEAN_FRODOKEM640AES_CLEAN_clear_bytes(shake_input_seedSEprime, 1 + CRYPTO_BYTES);
- return 0;
-}
diff --git a/crypto_kem/frodokem640aes/clean/matrix_aes.c b/crypto_kem/frodokem640aes/clean/matrix_aes.c
deleted file mode 100644
index f2c95176..00000000
--- a/crypto_kem/frodokem640aes/clean/matrix_aes.c
+++ /dev/null
@@ -1,95 +0,0 @@
-/****************************************************************************************
-* FrodoKEM: Learning with Errors Key Encapsulation
-*
-* Abstract: matrix arithmetic functions used by the KEM
-*****************************************************************************************/
-
-#include 
-#include 
-
-#include "aes.h"
-
-#include "api.h"
-#include "common.h"
-#include "params.h"
-
-int PQCLEAN_FRODOKEM640AES_CLEAN_mul_add_as_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A) {
- // Generate-and-multiply: generate matrix A (N x N) row-wise, multiply by s on the right.
- // Inputs: s, e (N x N_BAR)
- // Output: out = A*s + e (N x N_BAR)
- int i, j, k;
- int16_t A[PARAMS_N * PARAMS_N] = {0};
- aes128ctx ctx128;
-
- aes128_ecb_keyexp(&ctx128, seed_A);
- for (i = 0; i < PARAMS_N; i++) {
- for (j = 0; j < PARAMS_N; j += PARAMS_STRIPE_STEP) {
- A[i * PARAMS_N + j] = (int16_t) i; // Loading values in the little-endian order
- A[i * PARAMS_N + j + 1] = (int16_t) j;
- }
- }
- for (i = 0; i < PARAMS_N * PARAMS_N; i++) {
- A[i] = PQCLEAN_FRODOKEM640AES_CLEAN_UINT16_TO_LE(A[i]);
- }
-
- aes128_ecb((uint8_t *) A, (uint8_t *) A, PARAMS_N * PARAMS_N * sizeof(int16_t) / AES_BLOCKBYTES, &ctx128);
- aes128_ctx_release(&ctx128);
-
- for (i = 0; i < PARAMS_N * PARAMS_N; i++) {
- A[i] = PQCLEAN_FRODOKEM640AES_CLEAN_LE_TO_UINT16(A[i]);
- }
- memcpy(out, e, PARAMS_NBAR * PARAMS_N * sizeof(uint16_t));
-
- for (i = 0; i < PARAMS_N; i++) { // Matrix multiplication-addition A*s + e
- for (k = 0; k < PARAMS_NBAR; k++) {
- uint16_t sum = 0;
- for (j = 0; j < PARAMS_N; j++) {
- sum += A[i * PARAMS_N + j] * s[k * PARAMS_N + j];
- }
- out[i * PARAMS_NBAR + k] += sum; // Adding e. No need to reduce modulo 2^15, extra bits are taken care of during packing later on.
- }
- }
-
- return 1;
-}
-
-
-int PQCLEAN_FRODOKEM640AES_CLEAN_mul_add_sa_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A) {
- // Generate-and-multiply: generate matrix A (N x N) column-wise, multiply by s' on the left.
- // Inputs: s', e' (N_BAR x N)
- // Output: out = s'*A + e' (N_BAR x N)
- int i, j, k;
- int16_t A[PARAMS_N * PARAMS_N] = {0};
- aes128ctx ctx128;
-
- aes128_ecb_keyexp(&ctx128, seed_A);
- for (i = 0; i < PARAMS_N; i++) {
- for (j = 0; j < PARAMS_N; j += PARAMS_STRIPE_STEP) {
- A[i * PARAMS_N + j] = (int16_t) i; // Loading values in the little-endian order
- A[i * PARAMS_N + j + 1] = (int16_t) j;
- }
- }
- for (i = 0; i < PARAMS_N * PARAMS_N; i++) {
- A[i] = PQCLEAN_FRODOKEM640AES_CLEAN_UINT16_TO_LE(A[i]);
- }
-
- aes128_ecb((uint8_t *) A, (uint8_t *) A, PARAMS_N * PARAMS_N * sizeof(int16_t) / AES_BLOCKBYTES, &ctx128);
- aes128_ctx_release(&ctx128);
-
- for (i = 0; i < PARAMS_N * PARAMS_N; i++) {
- A[i] = PQCLEAN_FRODOKEM640AES_CLEAN_LE_TO_UINT16(A[i]);
- }
- memcpy(out, e, PARAMS_NBAR * PARAMS_N * sizeof(uint16_t));
-
- for (i = 0; i < PARAMS_N; i++) { // Matrix multiplication-addition A*s + e
- for (k = 0; k < PARAMS_NBAR; k++) {
- uint16_t sum = 0;
- for (j = 0; j < PARAMS_N; j++) {
- sum += A[j * PARAMS_N + i] * s[k * PARAMS_N + j];
- }
- out[k * PARAMS_N + i] += sum; // Adding e. No need to reduce modulo 2^15, extra bits are taken care of during packing later on.
- }
- }
-
- return 1;
-}
diff --git a/crypto_kem/frodokem640aes/clean/noise.c b/crypto_kem/frodokem640aes/clean/noise.c
deleted file mode 100644
index 1dc752a7..00000000
--- a/crypto_kem/frodokem640aes/clean/noise.c
+++ /dev/null
@@ -1,35 +0,0 @@
-/****************************************************************************************
-* FrodoKEM: Learning with Errors Key Encapsulation
-*
-* Abstract: noise sampling functions
-*****************************************************************************************/
-
-#include 
-
-#include "api.h"
-#include "common.h"
-#include "params.h"
-
-static const uint16_t CDF_TABLE[CDF_TABLE_LEN] = CDF_TABLE_DATA;
-
-void PQCLEAN_FRODOKEM640AES_CLEAN_sample_n(uint16_t *s, size_t n) {
- // Fills vector s with n samples from the noise distribution which requires 16 bits to sample.
- // The distribution is specified by its CDF.
- // Input: pseudo-random values (2*n bytes) passed in s. The input is overwritten by the output.
- size_t i;
- unsigned int j;
-
- for (i = 0; i < n; ++i) {
- uint16_t sample = 0;
- uint16_t prnd = s[i] >> 1; // Drop the least significant bit
- uint16_t sign = s[i] & 0x1; // Pick the least significant bit
-
- // No need to compare with the last value.
- for (j = 0; j < (unsigned int)(CDF_TABLE_LEN - 1); j++) {
- // Constant time comparison: 1 if CDF_TABLE[j] < s, 0 otherwise. Uses the fact that CDF_TABLE[j] and s fit in 15 bits.
- sample += (uint16_t)(CDF_TABLE[j] - prnd) >> 15;
- }
- // Assuming that sign is either 0 or 1, flips sample iff sign = 1
- s[i] = ((-sign) ^ sample) + sign;
- }
-}
diff --git a/crypto_kem/frodokem640aes/clean/params.h b/crypto_kem/frodokem640aes/clean/params.h
deleted file mode 100644
index 08d6df39..00000000
--- a/crypto_kem/frodokem640aes/clean/params.h
+++ /dev/null
@@ -1,27 +0,0 @@ -#ifndef PARAMS_H -#define PARAMS_H - -#define CRYPTO_SECRETKEYBYTES PQCLEAN_FRODOKEM640AES_CLEAN_CRYPTO_SECRETKEYBYTES -#define CRYPTO_PUBLICKEYBYTES PQCLEAN_FRODOKEM640AES_CLEAN_CRYPTO_PUBLICKEYBYTES -#define CRYPTO_BYTES PQCLEAN_FRODOKEM640AES_CLEAN_CRYPTO_BYTES -#define CRYPTO_CIPHERTEXTBYTES PQCLEAN_FRODOKEM640AES_CLEAN_CRYPTO_CIPHERTEXTBYTES - -#define PARAMS_N 640 -#define PARAMS_NBAR 8 -#define PARAMS_LOGQ 15 -#define PARAMS_Q (1 << PARAMS_LOGQ) -#define PARAMS_EXTRACTED_BITS 2 -#define PARAMS_STRIPE_STEP 8 -#define PARAMS_PARALLEL 4 -#define BYTES_SEED_A 16 -#define BYTES_MU ((PARAMS_EXTRACTED_BITS * PARAMS_NBAR * PARAMS_NBAR) / 8) -#define BYTES_PKHASH CRYPTO_BYTES - -// Selecting SHAKE XOF function for the KEM and noise sampling -#define shake shake128 - -// CDF table -#define CDF_TABLE_DATA {4643, 13363, 20579, 25843, 29227, 31145, 32103, 32525, 32689, 32745, 32762, 32766, 32767} -#define CDF_TABLE_LEN 13 - -#endif diff --git a/crypto_kem/frodokem640aes/clean/util.c b/crypto_kem/frodokem640aes/clean/util.c deleted file mode 100644 index 9889025e..00000000 --- a/crypto_kem/frodokem640aes/clean/util.c +++ /dev/null 
@@ -1,264 +0,0 @@ -/******************************************************************************************** -* FrodoKEM: Learning with Errors Key Encapsulation -* -* Abstract: additional functions for FrodoKEM -*********************************************************************************************/ - -#include -#include - -#include "api.h" -#include "common.h" -#include "params.h" - -static inline uint8_t min(uint8_t x, uint8_t y) { - if (x < y) { - return x; - } - return y; -} - -uint16_t PQCLEAN_FRODOKEM640AES_CLEAN_LE_TO_UINT16(uint16_t n) { - return (((uint8_t *) &n)[0] | (((uint8_t *) &n)[1] << 8)); -} - -uint16_t PQCLEAN_FRODOKEM640AES_CLEAN_UINT16_TO_LE(uint16_t n) { - uint16_t y; - uint8_t *z = (uint8_t *) &y; - z[0] = n & 0xFF; - z[1] = (n & 0xFF00) >> 8; - return y; -} - -void PQCLEAN_FRODOKEM640AES_CLEAN_mul_bs(uint16_t *out, const uint16_t *b, const uint16_t *s) { - // Multiply by s on the right - // Inputs: b (N_BAR x N), s (N x N_BAR) - // Output: out = b*s (N_BAR x N_BAR) - int i, j, k; - - for (i = 0; i < PARAMS_NBAR; i++) { - for (j = 0; j < PARAMS_NBAR; j++) { - out[i * PARAMS_NBAR + j] = 0; - for (k = 0; k < PARAMS_N; k++) { - out[i * PARAMS_NBAR + j] += (uint16_t)(b[i * PARAMS_N + k] * (uint32_t)s[j * PARAMS_N + k]); - } - out[i * PARAMS_NBAR + j] = (uint32_t)(out[i * PARAMS_NBAR + j]) & ((1 << PARAMS_LOGQ) - 1); - } - } -} - - -void PQCLEAN_FRODOKEM640AES_CLEAN_mul_add_sb_plus_e(uint16_t *out, const uint16_t *b, const uint16_t *s, const uint16_t *e) { - // Multiply by s on the left - // Inputs: b (N x N_BAR), s (N_BAR x N), e (N_BAR x N_BAR) - // Output: out = s*b + e (N_BAR x N_BAR) - int i, j, k; - - for (k = 0; k < PARAMS_NBAR; k++) { - for (i = 0; i < PARAMS_NBAR; i++) { - out[k * PARAMS_NBAR + i] = e[k * PARAMS_NBAR + i]; - for (j = 0; j < PARAMS_N; j++) { - out[k * PARAMS_NBAR + i] += (uint16_t)(s[k * PARAMS_N + j] * (uint32_t)b[j * PARAMS_NBAR + i]); - } - out[k * PARAMS_NBAR + i] = (uint32_t)(out[k * PARAMS_NBAR + i]) & ((1 
<< PARAMS_LOGQ) - 1); - } - } -} - - -void PQCLEAN_FRODOKEM640AES_CLEAN_add(uint16_t *out, const uint16_t *a, const uint16_t *b) { - // Add a and b - // Inputs: a, b (N_BAR x N_BAR) - // Output: c = a + b - - for (size_t i = 0; i < (PARAMS_NBAR * PARAMS_NBAR); i++) { - out[i] = (a[i] + b[i]) & ((1 << PARAMS_LOGQ) - 1); - } -} - - -void PQCLEAN_FRODOKEM640AES_CLEAN_sub(uint16_t *out, const uint16_t *a, const uint16_t *b) { - // Subtract a and b - // Inputs: a, b (N_BAR x N_BAR) - // Output: c = a - b - - for (size_t i = 0; i < (PARAMS_NBAR * PARAMS_NBAR); i++) { - out[i] = (a[i] - b[i]) & ((1 << PARAMS_LOGQ) - 1); - } -} - - -void PQCLEAN_FRODOKEM640AES_CLEAN_key_encode(uint16_t *out, const uint16_t *in) { - // Encoding - unsigned int i, j, npieces_word = 8; - unsigned int nwords = (PARAMS_NBAR * PARAMS_NBAR) / 8; - uint64_t temp, mask = ((uint64_t)1 << PARAMS_EXTRACTED_BITS) - 1; - uint16_t *pos = out; - - for (i = 0; i < nwords; i++) { - temp = 0; - for (j = 0; j < PARAMS_EXTRACTED_BITS; j++) { - temp |= ((uint64_t)((uint8_t *)in)[i * PARAMS_EXTRACTED_BITS + j]) << (8 * j); - } - for (j = 0; j < npieces_word; j++) { - *pos = (uint16_t)((temp & mask) << (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS)); - temp >>= PARAMS_EXTRACTED_BITS; - pos++; - } - } -} - - -void PQCLEAN_FRODOKEM640AES_CLEAN_key_decode(uint16_t *out, const uint16_t *in) { - // Decoding - unsigned int i, j, index = 0, npieces_word = 8; - unsigned int nwords = (PARAMS_NBAR * PARAMS_NBAR) / 8; - uint16_t temp, maskex = ((uint16_t)1 << PARAMS_EXTRACTED_BITS) - 1, maskq = ((uint16_t)1 << PARAMS_LOGQ) - 1; - uint8_t *pos = (uint8_t *)out; - uint64_t templong; - - for (i = 0; i < nwords; i++) { - templong = 0; - for (j = 0; j < npieces_word; j++) { // temp = floor(in*2^{-11}+0.5) - temp = ((in[index] & maskq) + (1 << (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS - 1))) >> (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS); - templong |= ((uint64_t)(temp & maskex)) << (PARAMS_EXTRACTED_BITS * j); - index++; - } - for (j = 0; j < 
PARAMS_EXTRACTED_BITS; j++) { - pos[i * PARAMS_EXTRACTED_BITS + j] = (templong >> (8 * j)) & 0xFF; - } - } -} - - -void PQCLEAN_FRODOKEM640AES_CLEAN_pack(uint8_t *out, size_t outlen, const uint16_t *in, size_t inlen, uint8_t lsb) { - // Pack the input uint16 vector into a char output vector, copying lsb bits from each input element. - // If inlen * lsb / 8 > outlen, only outlen * 8 bits are copied. - memset(out, 0, outlen); - - size_t i = 0; // whole bytes already filled in - size_t j = 0; // whole uint16_t already copied - uint16_t w = 0; // the leftover, not yet copied - uint8_t bits = 0; // the number of lsb in w - - while (i < outlen && (j < inlen || ((j == inlen) && (bits > 0)))) { - /* - in: | | |********|********| - ^ - j - w : | ****| - ^ - bits - out:|**|**|**|**|**|**|**|**|* | - ^^ - ib - */ - uint8_t b = 0; // bits in out[i] already filled in - while (b < 8) { - int nbits = min(8 - b, bits); - uint16_t mask = (1 << nbits) - 1; - uint8_t t = (uint8_t) ((w >> (bits - nbits)) & mask); // the bits to copy from w to out - out[i] = out[i] + (t << (8 - b - nbits)); - b += (uint8_t) nbits; - bits -= (uint8_t) nbits; - w &= ~(mask << bits); // not strictly necessary; mostly for debugging - - if (bits == 0) { - if (j < inlen) { - w = in[j]; - bits = lsb; - j++; - } else { - break; // the input vector is exhausted - } - } - } - if (b == 8) { // out[i] is filled in - i++; - } - } -} - - -void PQCLEAN_FRODOKEM640AES_CLEAN_unpack(uint16_t *out, size_t outlen, const uint8_t *in, size_t inlen, uint8_t lsb) { - // Unpack the input char vector into a uint16_t output vector, copying lsb bits - // for each output element from input. outlen must be at least ceil(inlen * 8 / lsb). 
- memset(out, 0, outlen * sizeof(uint16_t)); - - size_t i = 0; // whole uint16_t already filled in - size_t j = 0; // whole bytes already copied - uint8_t w = 0; // the leftover, not yet copied - uint8_t bits = 0; // the number of lsb bits of w - - while (i < outlen && (j < inlen || ((j == inlen) && (bits > 0)))) { - /* - in: | | | | | | |**|**|... - ^ - j - w : | *| - ^ - bits - out:| *****| *****| *** | |... - ^ ^ - i b - */ - uint8_t b = 0; // bits in out[i] already filled in - while (b < lsb) { - int nbits = min(lsb - b, bits); - uint16_t mask = (1 << nbits) - 1; - uint8_t t = (w >> (bits - nbits)) & mask; // the bits to copy from w to out - out[i] = out[i] + (t << (lsb - b - nbits)); - b += (uint8_t) nbits; - bits -= (uint8_t) nbits; - w &= ~(mask << bits); // not strictly necessary; mostly for debugging - - if (bits == 0) { - if (j < inlen) { - w = in[j]; - bits = 8; - j++; - } else { - break; // the input vector is exhausted - } - } - } - if (b == lsb) { // out[i] is filled in - i++; - } - } -} - - -int8_t PQCLEAN_FRODOKEM640AES_CLEAN_ct_verify(const uint16_t *a, const uint16_t *b, size_t len) { - // Compare two arrays in constant time. - // Returns 0 if the byte arrays are equal, -1 otherwise. - uint16_t r = 0; - - for (size_t i = 0; i < len; i++) { - r |= a[i] ^ b[i]; - } - - r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1); - return (int8_t)r; -} - - -void PQCLEAN_FRODOKEM640AES_CLEAN_ct_select(uint8_t *r, const uint8_t *a, const uint8_t *b, size_t len, int8_t selector) { - // Select one of the two input arrays to be moved to r - // If (selector == 0) then load r with a, else if (selector == -1) load r with b - - for (size_t i = 0; i < len; i++) { - r[i] = (~selector & a[i]) | (selector & b[i]); - } -} - - -void PQCLEAN_FRODOKEM640AES_CLEAN_clear_bytes(uint8_t *mem, size_t n) { - // Clear 8-bit bytes from memory. "n" indicates the number of bytes to be zeroed. 
- // This function uses the volatile type qualifier to inform the compiler not to optimize out the memory clearing. - volatile uint8_t *v = mem; - - for (size_t i = 0; i < n; i++) { - v[i] = 0; - } -} diff --git a/crypto_kem/frodokem640aes/opt/LICENSE b/crypto_kem/frodokem640aes/opt/LICENSE deleted file mode 100644 index 5cf7c8db..00000000 --- a/crypto_kem/frodokem640aes/opt/LICENSE +++ /dev/null @@ -1,21 +0,0 @@ -MIT License - -Copyright (c) Microsoft Corporation. All rights reserved. - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE diff --git a/crypto_kem/frodokem640aes/opt/Makefile.Microsoft_nmake b/crypto_kem/frodokem640aes/opt/Makefile.Microsoft_nmake deleted file mode 100644 index 24e94b14..00000000 --- a/crypto_kem/frodokem640aes/opt/Makefile.Microsoft_nmake +++ /dev/null 
@@ -1,19 +0,0 @@ -# This Makefile can be used with Microsoft Visual Studio's nmake using the command: -# nmake /f Makefile.Microsoft_nmake - -LIBRARY=libfrodokem640aes_opt.lib -OBJECTS=kem.obj matrix_aes.obj noise.obj util.obj - -CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX - -all: $(LIBRARY) - -# Make sure objects are recompiled if headers change. -$(OBJECTS): *.h - -$(LIBRARY): $(OBJECTS) - LIB.EXE /NOLOGO /WX /OUT:$@ $** - -clean: - -DEL $(OBJECTS) - -DEL $(LIBRARY) diff --git a/crypto_kem/frodokem640aes/opt/api.h b/crypto_kem/frodokem640aes/opt/api.h deleted file mode 100644 index 896e73c2..00000000 --- a/crypto_kem/frodokem640aes/opt/api.h +++ /dev/null @@ -1,20 +0,0 @@ -#ifndef PQCLEAN_FRODOKEM640AES_OPT_API_H -#define PQCLEAN_FRODOKEM640AES_OPT_API_H - -#include -#include - -#define PQCLEAN_FRODOKEM640AES_OPT_CRYPTO_SECRETKEYBYTES 19888 // sizeof(s) + CRYPTO_PUBLICKEYBYTES + 2*PARAMS_N*PARAMS_NBAR + BYTES_PKHASH -#define PQCLEAN_FRODOKEM640AES_OPT_CRYPTO_PUBLICKEYBYTES 9616 // sizeof(seed_A) + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 -#define PQCLEAN_FRODOKEM640AES_OPT_CRYPTO_BYTES 16 -#define PQCLEAN_FRODOKEM640AES_OPT_CRYPTO_CIPHERTEXTBYTES 9720 // (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 + (PARAMS_LOGQ*PARAMS_NBAR*PARAMS_NBAR)/8 - -#define PQCLEAN_FRODOKEM640AES_OPT_CRYPTO_ALGNAME "FrodoKEM-640-AES" - -int PQCLEAN_FRODOKEM640AES_OPT_crypto_kem_keypair(uint8_t *pk, uint8_t *sk); - -int PQCLEAN_FRODOKEM640AES_OPT_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk); - -int PQCLEAN_FRODOKEM640AES_OPT_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk); - -#endif diff --git a/crypto_kem/frodokem640aes/opt/common.h b/crypto_kem/frodokem640aes/opt/common.h deleted file mode 100644 index aead8777..00000000 --- a/crypto_kem/frodokem640aes/opt/common.h +++ /dev/null 
@@ -1,21 +0,0 @@ -#ifndef COMMON_H -#define COMMON_H - -int PQCLEAN_FRODOKEM640AES_OPT_mul_add_as_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A); -int PQCLEAN_FRODOKEM640AES_OPT_mul_add_sa_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A); -void PQCLEAN_FRODOKEM640AES_OPT_sample_n(uint16_t *s, size_t n); -void PQCLEAN_FRODOKEM640AES_OPT_mul_bs(uint16_t *out, const uint16_t *b, const uint16_t *s); -void PQCLEAN_FRODOKEM640AES_OPT_mul_add_sb_plus_e(uint16_t *out, const uint16_t *b, const uint16_t *s, const uint16_t *e); -void PQCLEAN_FRODOKEM640AES_OPT_add(uint16_t *out, const uint16_t *a, const uint16_t *b); -void PQCLEAN_FRODOKEM640AES_OPT_sub(uint16_t *out, const uint16_t *a, const uint16_t *b); -void PQCLEAN_FRODOKEM640AES_OPT_key_encode(uint16_t *out, const uint16_t *in); -void PQCLEAN_FRODOKEM640AES_OPT_key_decode(uint16_t *out, const uint16_t *in); -void PQCLEAN_FRODOKEM640AES_OPT_pack(uint8_t *out, size_t outlen, const uint16_t *in, size_t inlen, uint8_t lsb); -void PQCLEAN_FRODOKEM640AES_OPT_unpack(uint16_t *out, size_t outlen, const uint8_t *in, size_t inlen, uint8_t lsb); -int8_t PQCLEAN_FRODOKEM640AES_OPT_ct_verify(const uint16_t *a, const uint16_t *b, size_t len); -void PQCLEAN_FRODOKEM640AES_OPT_ct_select(uint8_t *r, const uint8_t *a, const uint8_t *b, size_t len, int8_t selector); -void PQCLEAN_FRODOKEM640AES_OPT_clear_bytes(uint8_t *mem, size_t n); -uint16_t PQCLEAN_FRODOKEM640AES_OPT_LE_TO_UINT16(uint16_t n); -uint16_t PQCLEAN_FRODOKEM640AES_OPT_UINT16_TO_LE(uint16_t n); - -#endif diff --git a/crypto_kem/frodokem640aes/opt/kem.c b/crypto_kem/frodokem640aes/opt/kem.c deleted file mode 100644 index d65a08ac..00000000 --- a/crypto_kem/frodokem640aes/opt/kem.c +++ /dev/null 
@@ -1,237 +0,0 @@ -/******************************************************************************************** -* FrodoKEM: Learning with Errors Key Encapsulation -* -* Abstract: Key Encapsulation Mechanism (KEM) based on Frodo -*********************************************************************************************/ - -#include -#include - -#include "fips202.h" -#include "randombytes.h" - -#include "api.h" -#include "common.h" -#include "params.h" - -int PQCLEAN_FRODOKEM640AES_OPT_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) { - // FrodoKEM's key generation - // Outputs: public key pk ( BYTES_SEED_A + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 bytes) - // secret key sk (CRYPTO_BYTES + BYTES_SEED_A + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 + 2*PARAMS_N*PARAMS_NBAR + BYTES_PKHASH bytes) - uint8_t *pk_seedA = &pk[0]; - uint8_t *pk_b = &pk[BYTES_SEED_A]; - uint8_t *sk_s = &sk[0]; - uint8_t *sk_pk = &sk[CRYPTO_BYTES]; - uint8_t *sk_S = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES]; - uint8_t *sk_pkh = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES + 2 * PARAMS_N * PARAMS_NBAR]; - uint16_t B[PARAMS_N * PARAMS_NBAR] = {0}; - uint16_t S[2 * PARAMS_N * PARAMS_NBAR] = {0}; // contains secret data - uint16_t *E = &S[PARAMS_N * PARAMS_NBAR]; // contains secret data - uint8_t randomness[2 * CRYPTO_BYTES + BYTES_SEED_A]; // contains secret data via randomness_s and randomness_seedSE - uint8_t *randomness_s = &randomness[0]; // contains secret data - uint8_t *randomness_seedSE = &randomness[CRYPTO_BYTES]; // contains secret data - uint8_t *randomness_z = &randomness[2 * CRYPTO_BYTES]; - uint8_t shake_input_seedSE[1 + CRYPTO_BYTES]; // contains secret data - - // Generate the secret value s, the seed for S and E, and the seed for the seed for A. Add seed_A to the public key - randombytes(randomness, CRYPTO_BYTES + CRYPTO_BYTES + BYTES_SEED_A); - shake(pk_seedA, BYTES_SEED_A, randomness_z, BYTES_SEED_A); - - // Generate S and E, and compute B = A*S + E. 
Generate A on-the-fly - shake_input_seedSE[0] = 0x5F; - memcpy(&shake_input_seedSE[1], randomness_seedSE, CRYPTO_BYTES); - shake((uint8_t *)S, 2 * PARAMS_N * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSE, 1 + CRYPTO_BYTES); - for (size_t i = 0; i < 2 * PARAMS_N * PARAMS_NBAR; i++) { - S[i] = PQCLEAN_FRODOKEM640AES_OPT_LE_TO_UINT16(S[i]); - } - PQCLEAN_FRODOKEM640AES_OPT_sample_n(S, PARAMS_N * PARAMS_NBAR); - PQCLEAN_FRODOKEM640AES_OPT_sample_n(E, PARAMS_N * PARAMS_NBAR); - PQCLEAN_FRODOKEM640AES_OPT_mul_add_as_plus_e(B, S, E, pk); - - // Encode the second part of the public key - PQCLEAN_FRODOKEM640AES_OPT_pack(pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, B, PARAMS_N * PARAMS_NBAR, PARAMS_LOGQ); - - // Add s, pk and S to the secret key - memcpy(sk_s, randomness_s, CRYPTO_BYTES); - memcpy(sk_pk, pk, CRYPTO_PUBLICKEYBYTES); - for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) { - S[i] = PQCLEAN_FRODOKEM640AES_OPT_UINT16_TO_LE(S[i]); - } - memcpy(sk_S, S, 2 * PARAMS_N * PARAMS_NBAR); - - // Add H(pk) to the secret key - shake(sk_pkh, BYTES_PKHASH, pk, CRYPTO_PUBLICKEYBYTES); - - // Cleanup: - PQCLEAN_FRODOKEM640AES_OPT_clear_bytes((uint8_t *)S, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM640AES_OPT_clear_bytes((uint8_t *)E, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM640AES_OPT_clear_bytes(randomness, 2 * CRYPTO_BYTES); - PQCLEAN_FRODOKEM640AES_OPT_clear_bytes(shake_input_seedSE, 1 + CRYPTO_BYTES); - return 0; -} - - -int PQCLEAN_FRODOKEM640AES_OPT_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk) { - // FrodoKEM's key encapsulation - const uint8_t *pk_seedA = &pk[0]; - const uint8_t *pk_b = &pk[BYTES_SEED_A]; - uint8_t *ct_c1 = &ct[0]; - uint8_t *ct_c2 = &ct[(PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8]; - uint16_t B[PARAMS_N * PARAMS_NBAR] = {0}; - uint16_t V[PARAMS_NBAR * PARAMS_NBAR] = {0}; // contains secret data - uint16_t C[PARAMS_NBAR * PARAMS_NBAR] = {0}; - uint16_t Bp[PARAMS_N * PARAMS_NBAR] = {0}; - uint16_t 
Sp[(2 * PARAMS_N + PARAMS_NBAR)*PARAMS_NBAR] = {0}; // contains secret data - uint16_t *Ep = &Sp[PARAMS_N * PARAMS_NBAR]; // contains secret data - uint16_t *Epp = &Sp[2 * PARAMS_N * PARAMS_NBAR]; // contains secret data - uint8_t G2in[BYTES_PKHASH + BYTES_MU]; // contains secret data via mu - uint8_t *pkh = &G2in[0]; - uint8_t *mu = &G2in[BYTES_PKHASH]; // contains secret data - uint8_t G2out[2 * CRYPTO_BYTES]; // contains secret data - uint8_t *seedSE = &G2out[0]; // contains secret data - uint8_t *k = &G2out[CRYPTO_BYTES]; // contains secret data - uint8_t Fin[CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES]; // contains secret data via Fin_k - uint8_t *Fin_ct = &Fin[0]; - uint8_t *Fin_k = &Fin[CRYPTO_CIPHERTEXTBYTES]; // contains secret data - uint8_t shake_input_seedSE[1 + CRYPTO_BYTES]; // contains secret data - - // pkh <- G_1(pk), generate random mu, compute (seedSE || k) = G_2(pkh || mu) - shake(pkh, BYTES_PKHASH, pk, CRYPTO_PUBLICKEYBYTES); - randombytes(mu, BYTES_MU); - shake(G2out, CRYPTO_BYTES + CRYPTO_BYTES, G2in, BYTES_PKHASH + BYTES_MU); - - // Generate Sp and Ep, and compute Bp = Sp*A + Ep. 
Generate A on-the-fly - shake_input_seedSE[0] = 0x96; - memcpy(&shake_input_seedSE[1], seedSE, CRYPTO_BYTES); - shake((uint8_t *)Sp, (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSE, 1 + CRYPTO_BYTES); - for (size_t i = 0; i < (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR; i++) { - Sp[i] = PQCLEAN_FRODOKEM640AES_OPT_LE_TO_UINT16(Sp[i]); - } - PQCLEAN_FRODOKEM640AES_OPT_sample_n(Sp, PARAMS_N * PARAMS_NBAR); - PQCLEAN_FRODOKEM640AES_OPT_sample_n(Ep, PARAMS_N * PARAMS_NBAR); - PQCLEAN_FRODOKEM640AES_OPT_mul_add_sa_plus_e(Bp, Sp, Ep, pk_seedA); - PQCLEAN_FRODOKEM640AES_OPT_pack(ct_c1, (PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8, Bp, PARAMS_N * PARAMS_NBAR, PARAMS_LOGQ); - - // Generate Epp, and compute V = Sp*B + Epp - PQCLEAN_FRODOKEM640AES_OPT_sample_n(Epp, PARAMS_NBAR * PARAMS_NBAR); - PQCLEAN_FRODOKEM640AES_OPT_unpack(B, PARAMS_N * PARAMS_NBAR, pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, PARAMS_LOGQ); - PQCLEAN_FRODOKEM640AES_OPT_mul_add_sb_plus_e(V, B, Sp, Epp); - - // Encode mu, and compute C = V + enc(mu) (mod q) - PQCLEAN_FRODOKEM640AES_OPT_key_encode(C, (uint16_t *)mu); - PQCLEAN_FRODOKEM640AES_OPT_add(C, V, C); - PQCLEAN_FRODOKEM640AES_OPT_pack(ct_c2, (PARAMS_LOGQ * PARAMS_NBAR * PARAMS_NBAR) / 8, C, PARAMS_NBAR * PARAMS_NBAR, PARAMS_LOGQ); - - // Compute ss = F(ct||KK) - memcpy(Fin_ct, ct, CRYPTO_CIPHERTEXTBYTES); - memcpy(Fin_k, k, CRYPTO_BYTES); - shake(ss, CRYPTO_BYTES, Fin, CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES); - - // Cleanup: - PQCLEAN_FRODOKEM640AES_OPT_clear_bytes((uint8_t *)V, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM640AES_OPT_clear_bytes((uint8_t *)Sp, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM640AES_OPT_clear_bytes((uint8_t *)Ep, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM640AES_OPT_clear_bytes((uint8_t *)Epp, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM640AES_OPT_clear_bytes(mu, BYTES_MU); - 
PQCLEAN_FRODOKEM640AES_OPT_clear_bytes(G2out, 2 * CRYPTO_BYTES); - PQCLEAN_FRODOKEM640AES_OPT_clear_bytes(Fin_k, CRYPTO_BYTES); - PQCLEAN_FRODOKEM640AES_OPT_clear_bytes(shake_input_seedSE, 1 + CRYPTO_BYTES); - return 0; -} - - -int PQCLEAN_FRODOKEM640AES_OPT_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk) { - // FrodoKEM's key decapsulation - uint16_t B[PARAMS_N * PARAMS_NBAR] = {0}; - uint16_t Bp[PARAMS_N * PARAMS_NBAR] = {0}; - uint16_t W[PARAMS_NBAR * PARAMS_NBAR] = {0}; // contains secret data - uint16_t C[PARAMS_NBAR * PARAMS_NBAR] = {0}; - uint16_t CC[PARAMS_NBAR * PARAMS_NBAR] = {0}; - uint16_t BBp[PARAMS_N * PARAMS_NBAR] = {0}; - uint16_t Sp[(2 * PARAMS_N + PARAMS_NBAR)*PARAMS_NBAR] = {0}; // contains secret data - uint16_t *Ep = &Sp[PARAMS_N * PARAMS_NBAR]; // contains secret data - uint16_t *Epp = &Sp[2 * PARAMS_N * PARAMS_NBAR]; // contains secret data - const uint8_t *ct_c1 = &ct[0]; - const uint8_t *ct_c2 = &ct[(PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8]; - const uint8_t *sk_s = &sk[0]; - const uint8_t *sk_pk = &sk[CRYPTO_BYTES]; - const uint8_t *sk_S = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES]; - uint16_t S[PARAMS_N * PARAMS_NBAR]; // contains secret data - const uint8_t *sk_pkh = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES + 2 * PARAMS_N * PARAMS_NBAR]; - const uint8_t *pk_seedA = &sk_pk[0]; - const uint8_t *pk_b = &sk_pk[BYTES_SEED_A]; - uint8_t G2in[BYTES_PKHASH + BYTES_MU]; // contains secret data via muprime - uint8_t *pkh = &G2in[0]; - uint8_t *muprime = &G2in[BYTES_PKHASH]; // contains secret data - uint8_t G2out[2 * CRYPTO_BYTES]; // contains secret data - uint8_t *seedSEprime = &G2out[0]; // contains secret data - uint8_t *kprime = &G2out[CRYPTO_BYTES]; // contains secret data - uint8_t Fin[CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES]; // contains secret data via Fin_k - uint8_t *Fin_ct = &Fin[0]; - uint8_t *Fin_k = &Fin[CRYPTO_CIPHERTEXTBYTES]; // contains secret data - uint8_t shake_input_seedSEprime[1 + CRYPTO_BYTES]; // contains 
secret data - - for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) { - S[i] = sk_S[2 * i] | (sk_S[2 * i + 1] << 8); - } - - // Compute W = C - Bp*S (mod q), and decode the randomness mu - PQCLEAN_FRODOKEM640AES_OPT_unpack(Bp, PARAMS_N * PARAMS_NBAR, ct_c1, (PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8, PARAMS_LOGQ); - PQCLEAN_FRODOKEM640AES_OPT_unpack(C, PARAMS_NBAR * PARAMS_NBAR, ct_c2, (PARAMS_LOGQ * PARAMS_NBAR * PARAMS_NBAR) / 8, PARAMS_LOGQ); - PQCLEAN_FRODOKEM640AES_OPT_mul_bs(W, Bp, S); - PQCLEAN_FRODOKEM640AES_OPT_sub(W, C, W); - PQCLEAN_FRODOKEM640AES_OPT_key_decode((uint16_t *)muprime, W); - - // Generate (seedSE' || k') = G_2(pkh || mu') - memcpy(pkh, sk_pkh, BYTES_PKHASH); - shake(G2out, CRYPTO_BYTES + CRYPTO_BYTES, G2in, BYTES_PKHASH + BYTES_MU); - - // Generate Sp and Ep, and compute BBp = Sp*A + Ep. Generate A on-the-fly - shake_input_seedSEprime[0] = 0x96; - memcpy(&shake_input_seedSEprime[1], seedSEprime, CRYPTO_BYTES); - shake((uint8_t *)Sp, (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSEprime, 1 + CRYPTO_BYTES); - for (size_t i = 0; i < (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR; i++) { - Sp[i] = PQCLEAN_FRODOKEM640AES_OPT_LE_TO_UINT16(Sp[i]); - } - PQCLEAN_FRODOKEM640AES_OPT_sample_n(Sp, PARAMS_N * PARAMS_NBAR); - PQCLEAN_FRODOKEM640AES_OPT_sample_n(Ep, PARAMS_N * PARAMS_NBAR); - PQCLEAN_FRODOKEM640AES_OPT_mul_add_sa_plus_e(BBp, Sp, Ep, pk_seedA); - - // Generate Epp, and compute W = Sp*B + Epp - PQCLEAN_FRODOKEM640AES_OPT_sample_n(Epp, PARAMS_NBAR * PARAMS_NBAR); - PQCLEAN_FRODOKEM640AES_OPT_unpack(B, PARAMS_N * PARAMS_NBAR, pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, PARAMS_LOGQ); - PQCLEAN_FRODOKEM640AES_OPT_mul_add_sb_plus_e(W, B, Sp, Epp); - - // Encode mu, and compute CC = W + enc(mu') (mod q) - PQCLEAN_FRODOKEM640AES_OPT_key_encode(CC, (uint16_t *)muprime); - PQCLEAN_FRODOKEM640AES_OPT_add(CC, W, CC); - - // Prepare input to F - memcpy(Fin_ct, ct, CRYPTO_CIPHERTEXTBYTES); - - // Reducing BBp modulo q - for 
(size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) { - BBp[i] = BBp[i] & ((1 << PARAMS_LOGQ) - 1); - } - - // If (Bp == BBp & C == CC) then ss = F(ct || k'), else ss = F(ct || s) - // Needs to avoid branching on secret data as per: - // Qian Guo, Thomas Johansson, Alexander Nilsson. A key-recovery timing attack on post-quantum - // primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM. In CRYPTO 2020. - int8_t selector = PQCLEAN_FRODOKEM640AES_OPT_ct_verify(Bp, BBp, PARAMS_N * PARAMS_NBAR) | PQCLEAN_FRODOKEM640AES_OPT_ct_verify(C, CC, PARAMS_NBAR * PARAMS_NBAR); - // If (selector == 0) then load k' to do ss = F(ct || k'), else if (selector == -1) load s to do ss = F(ct || s) - PQCLEAN_FRODOKEM640AES_OPT_ct_select((uint8_t *)Fin_k, (uint8_t *)kprime, (uint8_t *)sk_s, CRYPTO_BYTES, selector); - shake(ss, CRYPTO_BYTES, Fin, CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES); - - // Cleanup: - PQCLEAN_FRODOKEM640AES_OPT_clear_bytes((uint8_t *)W, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM640AES_OPT_clear_bytes((uint8_t *)Sp, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM640AES_OPT_clear_bytes((uint8_t *)S, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM640AES_OPT_clear_bytes((uint8_t *)Ep, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM640AES_OPT_clear_bytes((uint8_t *)Epp, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM640AES_OPT_clear_bytes(muprime, BYTES_MU); - PQCLEAN_FRODOKEM640AES_OPT_clear_bytes(G2out, 2 * CRYPTO_BYTES); - PQCLEAN_FRODOKEM640AES_OPT_clear_bytes(Fin_k, CRYPTO_BYTES); - PQCLEAN_FRODOKEM640AES_OPT_clear_bytes(shake_input_seedSEprime, 1 + CRYPTO_BYTES); - return 0; -} diff --git a/crypto_kem/frodokem640aes/opt/matrix_aes.c b/crypto_kem/frodokem640aes/opt/matrix_aes.c deleted file mode 100644 index 3f245fcf..00000000 --- a/crypto_kem/frodokem640aes/opt/matrix_aes.c +++ /dev/null 
@@ -1,127 +0,0 @@ -/******************************************************************************************** -* FrodoKEM: Learning with Errors Key Encapsulation -* -* Abstract: matrix arithmetic functions used by the KEM -*********************************************************************************************/ - -#include -#include - -#include "aes.h" - -#include "api.h" -#include "common.h" -#include "params.h" - -int PQCLEAN_FRODOKEM640AES_OPT_mul_add_as_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A) { - // Generate-and-multiply: generate matrix A (N x N) row-wise, multiply by s on the right. - // Inputs: s, e (N x N_BAR) - // Output: out = A*s + e (N x N_BAR) - int k; - uint16_t i, j; - int16_t a_row[4 * PARAMS_N]; - - for (i = 0; i < (PARAMS_N * PARAMS_NBAR); i += 2) { - *((uint32_t *)&out[i]) = *((uint32_t *)&e[i]); - } - - int16_t a_row_temp[4 * PARAMS_N] = {0}; // Take four lines of A at once - aes128ctx ctx128; - - aes128_ecb_keyexp(&ctx128, seed_A); - - for (j = 0; j < PARAMS_N; j += PARAMS_STRIPE_STEP) { - a_row_temp[j + 1 + 0 * PARAMS_N] = PQCLEAN_FRODOKEM640AES_OPT_UINT16_TO_LE(j); // Loading values in the little-endian order - a_row_temp[j + 1 + 1 * PARAMS_N] = PQCLEAN_FRODOKEM640AES_OPT_UINT16_TO_LE(j); - a_row_temp[j + 1 + 2 * PARAMS_N] = PQCLEAN_FRODOKEM640AES_OPT_UINT16_TO_LE(j); - a_row_temp[j + 1 + 3 * PARAMS_N] = PQCLEAN_FRODOKEM640AES_OPT_UINT16_TO_LE(j); - } - - for (i = 0; i < PARAMS_N; i += 4) { - for (j = 0; j < PARAMS_N; j += PARAMS_STRIPE_STEP) { // Go through A, four rows at a time - a_row_temp[j + 0 * PARAMS_N] = PQCLEAN_FRODOKEM640AES_OPT_UINT16_TO_LE(i + 0); // Loading values in the little-endian order - a_row_temp[j + 1 * PARAMS_N] = PQCLEAN_FRODOKEM640AES_OPT_UINT16_TO_LE(i + 1); - a_row_temp[j + 2 * PARAMS_N] = PQCLEAN_FRODOKEM640AES_OPT_UINT16_TO_LE(i + 2); - a_row_temp[j + 3 * PARAMS_N] = PQCLEAN_FRODOKEM640AES_OPT_UINT16_TO_LE(i + 3); - } - aes128_ecb((uint8_t *)a_row, (uint8_t 
*)a_row_temp, 4 * PARAMS_N * sizeof(int16_t) / AES_BLOCKBYTES, &ctx128); - for (k = 0; k < 4 * PARAMS_N; k++) { - a_row[k] = PQCLEAN_FRODOKEM640AES_OPT_LE_TO_UINT16(a_row[k]); - } - for (k = 0; k < PARAMS_NBAR; k++) { - uint16_t sum[4] = {0}; - for (j = 0; j < PARAMS_N; j++) { // Matrix-vector multiplication - uint16_t sp = s[k * PARAMS_N + j]; - sum[0] += a_row[0 * PARAMS_N + j] * sp; // Go through four lines with same s - sum[1] += a_row[1 * PARAMS_N + j] * sp; - sum[2] += a_row[2 * PARAMS_N + j] * sp; - sum[3] += a_row[3 * PARAMS_N + j] * sp; - } - out[(i + 0)*PARAMS_NBAR + k] += sum[0]; - out[(i + 2)*PARAMS_NBAR + k] += sum[2]; - out[(i + 1)*PARAMS_NBAR + k] += sum[1]; - out[(i + 3)*PARAMS_NBAR + k] += sum[3]; - } - } - aes128_ctx_release(&ctx128); - return 1; -} - - - - -int PQCLEAN_FRODOKEM640AES_OPT_mul_add_sa_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A) { - // Generate-and-multiply: generate matrix A (N x N) column-wise, multiply by s' on the left. - // Inputs: s', e' (N_BAR x N) - // Output: out = s'*A + e' (N_BAR x N) - int j; - uint16_t i, kk; - for (i = 0; i < (PARAMS_N * PARAMS_NBAR); i += 2) { - *((uint32_t *)&out[i]) = *((uint32_t *)&e[i]); - } - - int k; - uint16_t a_cols[PARAMS_N * PARAMS_STRIPE_STEP] = {0}; - uint16_t a_cols_t[PARAMS_N * PARAMS_STRIPE_STEP]; - uint16_t a_cols_temp[PARAMS_N * PARAMS_STRIPE_STEP] = {0}; - aes128ctx ctx128; - - aes128_ecb_keyexp(&ctx128, seed_A); - - for (i = 0, j = 0; i < PARAMS_N; i++, j += PARAMS_STRIPE_STEP) { - a_cols_temp[j] = PQCLEAN_FRODOKEM640AES_OPT_UINT16_TO_LE(i); // Loading values in the little-endian order - } - - for (kk = 0; kk < PARAMS_N; kk += PARAMS_STRIPE_STEP) { // Go through A's columns, 8 (== PARAMS_STRIPE_STEP) columns at a time. 
- for (i = 0; i < (PARAMS_N * PARAMS_STRIPE_STEP); i += PARAMS_STRIPE_STEP) { - a_cols_temp[i + 1] = PQCLEAN_FRODOKEM640AES_OPT_UINT16_TO_LE(kk); // Loading values in the little-endian order - } - - aes128_ecb((uint8_t *)a_cols, (uint8_t *)a_cols_temp, PARAMS_N * PARAMS_STRIPE_STEP * sizeof(int16_t) / AES_BLOCKBYTES, &ctx128); - - for (i = 0; i < PARAMS_N; i++) { // Transpose a_cols to have access to it in the column-major order. - for (k = 0; k < PARAMS_STRIPE_STEP; k++) { - a_cols_t[k * PARAMS_N + i] = PQCLEAN_FRODOKEM640AES_OPT_LE_TO_UINT16(a_cols[i * PARAMS_STRIPE_STEP + k]); - } - } - - for (i = 0; i < PARAMS_NBAR; i++) { - for (k = 0; k < PARAMS_STRIPE_STEP; k += PARAMS_PARALLEL) { - uint16_t sum[PARAMS_PARALLEL] = {0}; - for (j = 0; j < PARAMS_N; j++) { // Matrix-vector multiplication - uint16_t sp = s[i * PARAMS_N + j]; - sum[0] += (uint16_t)(sp * (uint32_t)a_cols_t[(k + 0) * PARAMS_N + j]); - sum[1] += (uint16_t)(sp * (uint32_t)a_cols_t[(k + 1) * PARAMS_N + j]); - sum[2] += (uint16_t)(sp * (uint32_t)a_cols_t[(k + 2) * PARAMS_N + j]); - sum[3] += (uint16_t)(sp * (uint32_t)a_cols_t[(k + 3) * PARAMS_N + j]); - } - out[i * PARAMS_N + kk + k + 0] += sum[0]; - out[i * PARAMS_N + kk + k + 2] += sum[2]; - out[i * PARAMS_N + kk + k + 1] += sum[1]; - out[i * PARAMS_N + kk + k + 3] += sum[3]; - } - } - } - aes128_ctx_release(&ctx128); - return 1; -} diff --git a/crypto_kem/frodokem640aes/opt/noise.c b/crypto_kem/frodokem640aes/opt/noise.c deleted file mode 100644 index 96bf9240..00000000 --- a/crypto_kem/frodokem640aes/opt/noise.c +++ /dev/null 
@@ -1,35 +0,0 @@
-/********************************************************************************************
-* FrodoKEM: Learning with Errors Key Encapsulation
-*
-* Abstract: noise sampling functions
-*********************************************************************************************/
-
-#include
-
-#include "api.h"
-#include "common.h"
-#include "params.h"
-
-static const uint16_t CDF_TABLE[CDF_TABLE_LEN] = CDF_TABLE_DATA;
-
-void PQCLEAN_FRODOKEM640AES_OPT_sample_n(uint16_t *s, size_t n) {
- // Fills vector s with n samples from the noise distribution which requires 16 bits to sample.
- // The distribution is specified by its CDF.
- // Input: pseudo-random values (2*n bytes) passed in s. The input is overwritten by the output.
- size_t i;
- unsigned int j;
-
- for (i = 0; i < n; ++i) {
- uint16_t sample = 0;
- uint16_t prnd = s[i] >> 1; // Drop the least significant bit
- uint16_t sign = s[i] & 0x1; // Pick the least significant bit
-
- // No need to compare with the last value.
- for (j = 0; j < (unsigned int)(CDF_TABLE_LEN - 1); j++) {
- // Constant time comparison: 1 if CDF_TABLE[j] < s, 0 otherwise. Uses the fact that CDF_TABLE[j] and s fit in 15 bits.
- sample += (uint16_t)(CDF_TABLE[j] - prnd) >> 15;
- }
- // Assuming that sign is either 0 or 1, flips sample iff sign = 1
- s[i] = ((-sign) ^ sample) + sign;
- }
-}
diff --git a/crypto_kem/frodokem640aes/opt/params.h b/crypto_kem/frodokem640aes/opt/params.h
deleted file mode 100644
index f5fbb743..00000000
--- a/crypto_kem/frodokem640aes/opt/params.h
+++ /dev/null
@@ -1,27 +0,0 @@
-#ifndef PARAMS_H
-#define PARAMS_H
-
-#define CRYPTO_SECRETKEYBYTES PQCLEAN_FRODOKEM640AES_OPT_CRYPTO_SECRETKEYBYTES
-#define CRYPTO_PUBLICKEYBYTES PQCLEAN_FRODOKEM640AES_OPT_CRYPTO_PUBLICKEYBYTES
-#define CRYPTO_BYTES PQCLEAN_FRODOKEM640AES_OPT_CRYPTO_BYTES
-#define CRYPTO_CIPHERTEXTBYTES PQCLEAN_FRODOKEM640AES_OPT_CRYPTO_CIPHERTEXTBYTES
-
-#define PARAMS_N 640
-#define PARAMS_NBAR 8
-#define PARAMS_LOGQ 15
-#define PARAMS_Q (1 << PARAMS_LOGQ)
-#define PARAMS_EXTRACTED_BITS 2
-#define PARAMS_STRIPE_STEP 8
-#define PARAMS_PARALLEL 4
-#define BYTES_SEED_A 16
-#define BYTES_MU ((PARAMS_EXTRACTED_BITS * PARAMS_NBAR * PARAMS_NBAR) / 8)
-#define BYTES_PKHASH CRYPTO_BYTES
-
-// Selecting SHAKE XOF function for the KEM and noise sampling
-#define shake shake128
-
-// CDF table
-#define CDF_TABLE_DATA {4643, 13363, 20579, 25843, 29227, 31145, 32103, 32525, 32689, 32745, 32762, 32766, 32767}
-#define CDF_TABLE_LEN 13
-
-#endif
diff --git a/crypto_kem/frodokem640aes/opt/util.c b/crypto_kem/frodokem640aes/opt/util.c
deleted file mode 100644
index d7b42b00..00000000
--- a/crypto_kem/frodokem640aes/opt/util.c
+++ /dev/null
@@ -1,264 +0,0 @@ -/******************************************************************************************** -* FrodoKEM: Learning with Errors Key Encapsulation -* -* Abstract: additional functions for FrodoKEM -*********************************************************************************************/ - -#include -#include - -#include "api.h" -#include "common.h" -#include "params.h" - -static inline uint8_t min(uint8_t x, uint8_t y) { - if (x < y) { - return x; - } - return y; -} - -uint16_t PQCLEAN_FRODOKEM640AES_OPT_LE_TO_UINT16(uint16_t n) { - return (((uint8_t *) &n)[0] | (((uint8_t *) &n)[1] << 8)); -} - -uint16_t PQCLEAN_FRODOKEM640AES_OPT_UINT16_TO_LE(uint16_t n) { - uint16_t y; - uint8_t *z = (uint8_t *) &y; - z[0] = n & 0xFF; - z[1] = (n & 0xFF00) >> 8; - return y; -} - -void PQCLEAN_FRODOKEM640AES_OPT_mul_bs(uint16_t *out, const uint16_t *b, const uint16_t *s) { - // Multiply by s on the right - // Inputs: b (N_BAR x N), s (N x N_BAR) - // Output: out = b*s (N_BAR x N_BAR) - int i, j, k; - - for (i = 0; i < PARAMS_NBAR; i++) { - for (j = 0; j < PARAMS_NBAR; j++) { - out[i * PARAMS_NBAR + j] = 0; - for (k = 0; k < PARAMS_N; k++) { - out[i * PARAMS_NBAR + j] += (uint16_t)(b[i * PARAMS_N + k] * (uint32_t)s[j * PARAMS_N + k]); - } - out[i * PARAMS_NBAR + j] = (uint32_t)(out[i * PARAMS_NBAR + j]) & ((1 << PARAMS_LOGQ) - 1); - } - } -} - - -void PQCLEAN_FRODOKEM640AES_OPT_mul_add_sb_plus_e(uint16_t *out, const uint16_t *b, const uint16_t *s, const uint16_t *e) { - // Multiply by s on the left - // Inputs: b (N x N_BAR), s (N_BAR x N), e (N_BAR x N_BAR) - // Output: out = s*b + e (N_BAR x N_BAR) - int i, j, k; - - for (k = 0; k < PARAMS_NBAR; k++) { - for (i = 0; i < PARAMS_NBAR; i++) { - out[k * PARAMS_NBAR + i] = e[k * PARAMS_NBAR + i]; - for (j = 0; j < PARAMS_N; j++) { - out[k * PARAMS_NBAR + i] += (uint16_t)(s[k * PARAMS_N + j] * (uint32_t)b[j * PARAMS_NBAR + i]); - } - out[k * PARAMS_NBAR + i] = (uint32_t)(out[k * PARAMS_NBAR + i]) & ((1 << 
PARAMS_LOGQ) - 1); - } - } -} - - -void PQCLEAN_FRODOKEM640AES_OPT_add(uint16_t *out, const uint16_t *a, const uint16_t *b) { - // Add a and b - // Inputs: a, b (N_BAR x N_BAR) - // Output: c = a + b - - for (size_t i = 0; i < (PARAMS_NBAR * PARAMS_NBAR); i++) { - out[i] = (a[i] + b[i]) & ((1 << PARAMS_LOGQ) - 1); - } -} - - -void PQCLEAN_FRODOKEM640AES_OPT_sub(uint16_t *out, const uint16_t *a, const uint16_t *b) { - // Subtract a and b - // Inputs: a, b (N_BAR x N_BAR) - // Output: c = a - b - - for (size_t i = 0; i < (PARAMS_NBAR * PARAMS_NBAR); i++) { - out[i] = (a[i] - b[i]) & ((1 << PARAMS_LOGQ) - 1); - } -} - - -void PQCLEAN_FRODOKEM640AES_OPT_key_encode(uint16_t *out, const uint16_t *in) { - // Encoding - unsigned int i, j, npieces_word = 8; - unsigned int nwords = (PARAMS_NBAR * PARAMS_NBAR) / 8; - uint64_t temp, mask = ((uint64_t)1 << PARAMS_EXTRACTED_BITS) - 1; - uint16_t *pos = out; - - for (i = 0; i < nwords; i++) { - temp = 0; - for (j = 0; j < PARAMS_EXTRACTED_BITS; j++) { - temp |= ((uint64_t)((uint8_t *)in)[i * PARAMS_EXTRACTED_BITS + j]) << (8 * j); - } - for (j = 0; j < npieces_word; j++) { - *pos = (uint16_t)((temp & mask) << (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS)); - temp >>= PARAMS_EXTRACTED_BITS; - pos++; - } - } -} - - -void PQCLEAN_FRODOKEM640AES_OPT_key_decode(uint16_t *out, const uint16_t *in) { - // Decoding - unsigned int i, j, index = 0, npieces_word = 8; - unsigned int nwords = (PARAMS_NBAR * PARAMS_NBAR) / 8; - uint16_t temp, maskex = ((uint16_t)1 << PARAMS_EXTRACTED_BITS) - 1, maskq = ((uint16_t)1 << PARAMS_LOGQ) - 1; - uint8_t *pos = (uint8_t *)out; - uint64_t templong; - - for (i = 0; i < nwords; i++) { - templong = 0; - for (j = 0; j < npieces_word; j++) { // temp = floor(in*2^{-11}+0.5) - temp = ((in[index] & maskq) + (1 << (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS - 1))) >> (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS); - templong |= ((uint64_t)(temp & maskex)) << (PARAMS_EXTRACTED_BITS * j); - index++; - } - for (j = 0; j < 
PARAMS_EXTRACTED_BITS; j++) { - pos[i * PARAMS_EXTRACTED_BITS + j] = (templong >> (8 * j)) & 0xFF; - } - } -} - - -void PQCLEAN_FRODOKEM640AES_OPT_pack(uint8_t *out, size_t outlen, const uint16_t *in, size_t inlen, uint8_t lsb) { - // Pack the input uint16 vector into a char output vector, copying lsb bits from each input element. - // If inlen * lsb / 8 > outlen, only outlen * 8 bits are copied. - memset(out, 0, outlen); - - size_t i = 0; // whole bytes already filled in - size_t j = 0; // whole uint16_t already copied - uint16_t w = 0; // the leftover, not yet copied - uint8_t bits = 0; // the number of lsb in w - - while (i < outlen && (j < inlen || ((j == inlen) && (bits > 0)))) { - /* - in: | | |********|********| - ^ - j - w : | ****| - ^ - bits - out:|**|**|**|**|**|**|**|**|* | - ^^ - ib - */ - uint8_t b = 0; // bits in out[i] already filled in - while (b < 8) { - int nbits = min(8 - b, bits); - uint16_t mask = (1 << nbits) - 1; - uint8_t t = (uint8_t) ((w >> (bits - nbits)) & mask); // the bits to copy from w to out - out[i] = out[i] + (t << (8 - b - nbits)); - b += (uint8_t) nbits; - bits -= (uint8_t) nbits; - w &= ~(mask << bits); // not strictly necessary; mostly for debugging - - if (bits == 0) { - if (j < inlen) { - w = in[j]; - bits = lsb; - j++; - } else { - break; // the input vector is exhausted - } - } - } - if (b == 8) { // out[i] is filled in - i++; - } - } -} - - -void PQCLEAN_FRODOKEM640AES_OPT_unpack(uint16_t *out, size_t outlen, const uint8_t *in, size_t inlen, uint8_t lsb) { - // Unpack the input char vector into a uint16_t output vector, copying lsb bits - // for each output element from input. outlen must be at least ceil(inlen * 8 / lsb). 
- memset(out, 0, outlen * sizeof(uint16_t)); - - size_t i = 0; // whole uint16_t already filled in - size_t j = 0; // whole bytes already copied - uint8_t w = 0; // the leftover, not yet copied - uint8_t bits = 0; // the number of lsb bits of w - - while (i < outlen && (j < inlen || ((j == inlen) && (bits > 0)))) { - /* - in: | | | | | | |**|**|... - ^ - j - w : | *| - ^ - bits - out:| *****| *****| *** | |... - ^ ^ - i b - */ - uint8_t b = 0; // bits in out[i] already filled in - while (b < lsb) { - int nbits = min(lsb - b, bits); - uint16_t mask = (1 << nbits) - 1; - uint8_t t = (w >> (bits - nbits)) & mask; // the bits to copy from w to out - out[i] = out[i] + (t << (lsb - b - nbits)); - b += (uint8_t) nbits; - bits -= (uint8_t) nbits; - w &= ~(mask << bits); // not strictly necessary; mostly for debugging - - if (bits == 0) { - if (j < inlen) { - w = in[j]; - bits = 8; - j++; - } else { - break; // the input vector is exhausted - } - } - } - if (b == lsb) { // out[i] is filled in - i++; - } - } -} - - -int8_t PQCLEAN_FRODOKEM640AES_OPT_ct_verify(const uint16_t *a, const uint16_t *b, size_t len) { - // Compare two arrays in constant time. - // Returns 0 if the byte arrays are equal, -1 otherwise. - uint16_t r = 0; - - for (size_t i = 0; i < len; i++) { - r |= a[i] ^ b[i]; - } - - r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1); - return (int8_t)r; -} - - -void PQCLEAN_FRODOKEM640AES_OPT_ct_select(uint8_t *r, const uint8_t *a, const uint8_t *b, size_t len, int8_t selector) { - // Select one of the two input arrays to be moved to r - // If (selector == 0) then load r with a, else if (selector == -1) load r with b - - for (size_t i = 0; i < len; i++) { - r[i] = (~selector & a[i]) | (selector & b[i]); - } -} - - -void PQCLEAN_FRODOKEM640AES_OPT_clear_bytes(uint8_t *mem, size_t n) { - // Clear 8-bit bytes from memory. "n" indicates the number of bytes to be zeroed. 
- // This function uses the volatile type qualifier to inform the compiler not to optimize out the memory clearing. - volatile uint8_t *v = mem; - - for (size_t i = 0; i < n; i++) { - v[i] = 0; - } -} diff --git a/crypto_kem/frodokem976aes/META.yml b/crypto_kem/frodokem976aes/META.yml deleted file mode 100644 index ea9b5811..00000000 --- a/crypto_kem/frodokem976aes/META.yml +++ /dev/null @@ -1,28 +0,0 @@ -name: FrodoKEM-976-AES -type: kem -claimed-nist-level: 3 -claimed-security: IND-CCA2 -length-public-key: 15632 -length-secret-key: 31296 -length-ciphertext: 15744 -length-shared-secret: 24 -nistkat-sha256: 7e415ab659d0d08d8f43135e1e9d75a8b342f52b65e8326ebf8135521b987615 -principal-submitters: - - Michael Naehrig, Microsoft Research -auxiliary-submitters: -- Erdem Alkim -- Joppe W. Bos, NXP Semiconductors -- Léo Ducas, CWI -- Patrick Longa, Microsoft Research -- Ilya Mironov, Google -- Valeria Nikolaenko -- Chris Peikert, University of Michigan -- Ananth Raghunathan, Google -- Douglas Stebila, University of Waterloo -- Karen Easterbrook, Microsoft Research -- Brian LaMacchia, Microsoft Research -implementations: -- name: clean - version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db -- name: opt - version: https://github.com/microsoft/PQCrypto-LWEKE/commit/669522db63850fa64d1a24a47e138e80a59349db diff --git a/crypto_kem/frodokem976aes/clean/LICENSE b/crypto_kem/frodokem976aes/clean/LICENSE deleted file mode 100644 index 5cf7c8db..00000000 --- a/crypto_kem/frodokem976aes/clean/LICENSE +++ /dev/null 
@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) Microsoft Corporation. All rights reserved.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE
diff --git a/crypto_kem/frodokem976aes/clean/Makefile.Microsoft_nmake b/crypto_kem/frodokem976aes/clean/Makefile.Microsoft_nmake
deleted file mode 100644
index 2a663c7b..00000000
--- a/crypto_kem/frodokem976aes/clean/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libfrodokem976aes_clean.lib
-OBJECTS=kem.obj matrix_aes.obj noise.obj util.obj
-
-CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_kem/frodokem976aes/clean/api.h b/crypto_kem/frodokem976aes/clean/api.h
deleted file mode 100644
index 4317bc69..00000000
--- a/crypto_kem/frodokem976aes/clean/api.h
+++ /dev/null
@@ -1,20 +0,0 @@
-#ifndef PQCLEAN_FRODOKEM976AES_CLEAN_API_H
-#define PQCLEAN_FRODOKEM976AES_CLEAN_API_H
-
-#include
-#include
-
-#define PQCLEAN_FRODOKEM976AES_CLEAN_CRYPTO_SECRETKEYBYTES 31296 // sizeof(s) + CRYPTO_PUBLICKEYBYTES + 2*PARAMS_N*PARAMS_NBAR + BYTES_PKHASH
-#define PQCLEAN_FRODOKEM976AES_CLEAN_CRYPTO_PUBLICKEYBYTES 15632 // sizeof(seed_A) + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8
-#define PQCLEAN_FRODOKEM976AES_CLEAN_CRYPTO_BYTES 24
-#define PQCLEAN_FRODOKEM976AES_CLEAN_CRYPTO_CIPHERTEXTBYTES 15744 // (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 + (PARAMS_LOGQ*PARAMS_NBAR*PARAMS_NBAR)/8
-
-#define PQCLEAN_FRODOKEM976AES_CLEAN_CRYPTO_ALGNAME "FrodoKEM-976-AES"
-
-int PQCLEAN_FRODOKEM976AES_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
-
-int PQCLEAN_FRODOKEM976AES_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-
-int PQCLEAN_FRODOKEM976AES_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
-#endif
diff --git a/crypto_kem/frodokem976aes/clean/common.h b/crypto_kem/frodokem976aes/clean/common.h
deleted file mode 100644
index 6480b837..00000000
--- a/crypto_kem/frodokem976aes/clean/common.h
+++ /dev/null
@@ -1,21 +0,0 @@
-#ifndef COMMON_H
-#define COMMON_H
-
-int PQCLEAN_FRODOKEM976AES_CLEAN_mul_add_as_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A);
-int PQCLEAN_FRODOKEM976AES_CLEAN_mul_add_sa_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A);
-void PQCLEAN_FRODOKEM976AES_CLEAN_sample_n(uint16_t *s, size_t n);
-void PQCLEAN_FRODOKEM976AES_CLEAN_mul_bs(uint16_t *out, const uint16_t *b, const uint16_t *s);
-void PQCLEAN_FRODOKEM976AES_CLEAN_mul_add_sb_plus_e(uint16_t *out, const uint16_t *b, const uint16_t *s, const uint16_t *e);
-void PQCLEAN_FRODOKEM976AES_CLEAN_add(uint16_t *out, const uint16_t *a, const uint16_t *b);
-void PQCLEAN_FRODOKEM976AES_CLEAN_sub(uint16_t *out, const uint16_t *a, const uint16_t *b);
-void PQCLEAN_FRODOKEM976AES_CLEAN_key_encode(uint16_t *out, const uint16_t *in);
-void PQCLEAN_FRODOKEM976AES_CLEAN_key_decode(uint16_t *out, const uint16_t *in);
-void PQCLEAN_FRODOKEM976AES_CLEAN_pack(uint8_t *out, size_t outlen, const uint16_t *in, size_t inlen, uint8_t lsb);
-void PQCLEAN_FRODOKEM976AES_CLEAN_unpack(uint16_t *out, size_t outlen, const uint8_t *in, size_t inlen, uint8_t lsb);
-int8_t PQCLEAN_FRODOKEM976AES_CLEAN_ct_verify(const uint16_t *a, const uint16_t *b, size_t len);
-void PQCLEAN_FRODOKEM976AES_CLEAN_ct_select(uint8_t *r, const uint8_t *a, const uint8_t *b, size_t len, int8_t selector);
-void PQCLEAN_FRODOKEM976AES_CLEAN_clear_bytes(uint8_t *mem, size_t n);
-uint16_t PQCLEAN_FRODOKEM976AES_CLEAN_LE_TO_UINT16(uint16_t n);
-uint16_t PQCLEAN_FRODOKEM976AES_CLEAN_UINT16_TO_LE(uint16_t n);
-
-#endif
diff --git a/crypto_kem/frodokem976aes/clean/kem.c b/crypto_kem/frodokem976aes/clean/kem.c
deleted file mode 100644
index 125463c5..00000000
--- a/crypto_kem/frodokem976aes/clean/kem.c
+++ /dev/null
@@ -1,237 +0,0 @@ -/******************************************************************************************** -* FrodoKEM: Learning with Errors Key Encapsulation -* -* Abstract: Key Encapsulation Mechanism (KEM) based on Frodo -*********************************************************************************************/ - -#include -#include - -#include "fips202.h" -#include "randombytes.h" - -#include "api.h" -#include "common.h" -#include "params.h" - -int PQCLEAN_FRODOKEM976AES_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) { - // FrodoKEM's key generation - // Outputs: public key pk ( BYTES_SEED_A + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 bytes) - // secret key sk (CRYPTO_BYTES + BYTES_SEED_A + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 + 2*PARAMS_N*PARAMS_NBAR + BYTES_PKHASH bytes) - uint8_t *pk_seedA = &pk[0]; - uint8_t *pk_b = &pk[BYTES_SEED_A]; - uint8_t *sk_s = &sk[0]; - uint8_t *sk_pk = &sk[CRYPTO_BYTES]; - uint8_t *sk_S = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES]; - uint8_t *sk_pkh = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES + 2 * PARAMS_N * PARAMS_NBAR]; - uint16_t B[PARAMS_N * PARAMS_NBAR] = {0}; - uint16_t S[2 * PARAMS_N * PARAMS_NBAR] = {0}; // contains secret data - uint16_t *E = &S[PARAMS_N * PARAMS_NBAR]; // contains secret data - uint8_t randomness[2 * CRYPTO_BYTES + BYTES_SEED_A]; // contains secret data via randomness_s and randomness_seedSE - uint8_t *randomness_s = &randomness[0]; // contains secret data - uint8_t *randomness_seedSE = &randomness[CRYPTO_BYTES]; // contains secret data - uint8_t *randomness_z = &randomness[2 * CRYPTO_BYTES]; - uint8_t shake_input_seedSE[1 + CRYPTO_BYTES]; // contains secret data - - // Generate the secret value s, the seed for S and E, and the seed for the seed for A. Add seed_A to the public key - randombytes(randomness, CRYPTO_BYTES + CRYPTO_BYTES + BYTES_SEED_A); - shake(pk_seedA, BYTES_SEED_A, randomness_z, BYTES_SEED_A); - - // Generate S and E, and compute B = A*S + E. 
Generate A on-the-fly - shake_input_seedSE[0] = 0x5F; - memcpy(&shake_input_seedSE[1], randomness_seedSE, CRYPTO_BYTES); - shake((uint8_t *)S, 2 * PARAMS_N * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSE, 1 + CRYPTO_BYTES); - for (size_t i = 0; i < 2 * PARAMS_N * PARAMS_NBAR; i++) { - S[i] = PQCLEAN_FRODOKEM976AES_CLEAN_LE_TO_UINT16(S[i]); - } - PQCLEAN_FRODOKEM976AES_CLEAN_sample_n(S, PARAMS_N * PARAMS_NBAR); - PQCLEAN_FRODOKEM976AES_CLEAN_sample_n(E, PARAMS_N * PARAMS_NBAR); - PQCLEAN_FRODOKEM976AES_CLEAN_mul_add_as_plus_e(B, S, E, pk); - - // Encode the second part of the public key - PQCLEAN_FRODOKEM976AES_CLEAN_pack(pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, B, PARAMS_N * PARAMS_NBAR, PARAMS_LOGQ); - - // Add s, pk and S to the secret key - memcpy(sk_s, randomness_s, CRYPTO_BYTES); - memcpy(sk_pk, pk, CRYPTO_PUBLICKEYBYTES); - for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) { - S[i] = PQCLEAN_FRODOKEM976AES_CLEAN_UINT16_TO_LE(S[i]); - } - memcpy(sk_S, S, 2 * PARAMS_N * PARAMS_NBAR); - - // Add H(pk) to the secret key - shake(sk_pkh, BYTES_PKHASH, pk, CRYPTO_PUBLICKEYBYTES); - - // Cleanup: - PQCLEAN_FRODOKEM976AES_CLEAN_clear_bytes((uint8_t *)S, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM976AES_CLEAN_clear_bytes((uint8_t *)E, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM976AES_CLEAN_clear_bytes(randomness, 2 * CRYPTO_BYTES); - PQCLEAN_FRODOKEM976AES_CLEAN_clear_bytes(shake_input_seedSE, 1 + CRYPTO_BYTES); - return 0; -} - - -int PQCLEAN_FRODOKEM976AES_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk) { - // FrodoKEM's key encapsulation - const uint8_t *pk_seedA = &pk[0]; - const uint8_t *pk_b = &pk[BYTES_SEED_A]; - uint8_t *ct_c1 = &ct[0]; - uint8_t *ct_c2 = &ct[(PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8]; - uint16_t B[PARAMS_N * PARAMS_NBAR] = {0}; - uint16_t V[PARAMS_NBAR * PARAMS_NBAR] = {0}; // contains secret data - uint16_t C[PARAMS_NBAR * PARAMS_NBAR] = {0}; - uint16_t Bp[PARAMS_N * 
PARAMS_NBAR] = {0}; - uint16_t Sp[(2 * PARAMS_N + PARAMS_NBAR)*PARAMS_NBAR] = {0}; // contains secret data - uint16_t *Ep = &Sp[PARAMS_N * PARAMS_NBAR]; // contains secret data - uint16_t *Epp = &Sp[2 * PARAMS_N * PARAMS_NBAR]; // contains secret data - uint8_t G2in[BYTES_PKHASH + BYTES_MU]; // contains secret data via mu - uint8_t *pkh = &G2in[0]; - uint8_t *mu = &G2in[BYTES_PKHASH]; // contains secret data - uint8_t G2out[2 * CRYPTO_BYTES]; // contains secret data - uint8_t *seedSE = &G2out[0]; // contains secret data - uint8_t *k = &G2out[CRYPTO_BYTES]; // contains secret data - uint8_t Fin[CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES]; // contains secret data via Fin_k - uint8_t *Fin_ct = &Fin[0]; - uint8_t *Fin_k = &Fin[CRYPTO_CIPHERTEXTBYTES]; // contains secret data - uint8_t shake_input_seedSE[1 + CRYPTO_BYTES]; // contains secret data - - // pkh <- G_1(pk), generate random mu, compute (seedSE || k) = G_2(pkh || mu) - shake(pkh, BYTES_PKHASH, pk, CRYPTO_PUBLICKEYBYTES); - randombytes(mu, BYTES_MU); - shake(G2out, CRYPTO_BYTES + CRYPTO_BYTES, G2in, BYTES_PKHASH + BYTES_MU); - - // Generate Sp and Ep, and compute Bp = Sp*A + Ep. 
Generate A on-the-fly - shake_input_seedSE[0] = 0x96; - memcpy(&shake_input_seedSE[1], seedSE, CRYPTO_BYTES); - shake((uint8_t *)Sp, (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSE, 1 + CRYPTO_BYTES); - for (size_t i = 0; i < (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR; i++) { - Sp[i] = PQCLEAN_FRODOKEM976AES_CLEAN_LE_TO_UINT16(Sp[i]); - } - PQCLEAN_FRODOKEM976AES_CLEAN_sample_n(Sp, PARAMS_N * PARAMS_NBAR); - PQCLEAN_FRODOKEM976AES_CLEAN_sample_n(Ep, PARAMS_N * PARAMS_NBAR); - PQCLEAN_FRODOKEM976AES_CLEAN_mul_add_sa_plus_e(Bp, Sp, Ep, pk_seedA); - PQCLEAN_FRODOKEM976AES_CLEAN_pack(ct_c1, (PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8, Bp, PARAMS_N * PARAMS_NBAR, PARAMS_LOGQ); - - // Generate Epp, and compute V = Sp*B + Epp - PQCLEAN_FRODOKEM976AES_CLEAN_sample_n(Epp, PARAMS_NBAR * PARAMS_NBAR); - PQCLEAN_FRODOKEM976AES_CLEAN_unpack(B, PARAMS_N * PARAMS_NBAR, pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, PARAMS_LOGQ); - PQCLEAN_FRODOKEM976AES_CLEAN_mul_add_sb_plus_e(V, B, Sp, Epp); - - // Encode mu, and compute C = V + enc(mu) (mod q) - PQCLEAN_FRODOKEM976AES_CLEAN_key_encode(C, (uint16_t *)mu); - PQCLEAN_FRODOKEM976AES_CLEAN_add(C, V, C); - PQCLEAN_FRODOKEM976AES_CLEAN_pack(ct_c2, (PARAMS_LOGQ * PARAMS_NBAR * PARAMS_NBAR) / 8, C, PARAMS_NBAR * PARAMS_NBAR, PARAMS_LOGQ); - - // Compute ss = F(ct||KK) - memcpy(Fin_ct, ct, CRYPTO_CIPHERTEXTBYTES); - memcpy(Fin_k, k, CRYPTO_BYTES); - shake(ss, CRYPTO_BYTES, Fin, CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES); - - // Cleanup: - PQCLEAN_FRODOKEM976AES_CLEAN_clear_bytes((uint8_t *)V, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM976AES_CLEAN_clear_bytes((uint8_t *)Sp, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM976AES_CLEAN_clear_bytes((uint8_t *)Ep, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM976AES_CLEAN_clear_bytes((uint8_t *)Epp, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM976AES_CLEAN_clear_bytes(mu, BYTES_MU); - 
PQCLEAN_FRODOKEM976AES_CLEAN_clear_bytes(G2out, 2 * CRYPTO_BYTES); - PQCLEAN_FRODOKEM976AES_CLEAN_clear_bytes(Fin_k, CRYPTO_BYTES); - PQCLEAN_FRODOKEM976AES_CLEAN_clear_bytes(shake_input_seedSE, 1 + CRYPTO_BYTES); - return 0; -} - - -int PQCLEAN_FRODOKEM976AES_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk) { - // FrodoKEM's key decapsulation - uint16_t B[PARAMS_N * PARAMS_NBAR] = {0}; - uint16_t Bp[PARAMS_N * PARAMS_NBAR] = {0}; - uint16_t W[PARAMS_NBAR * PARAMS_NBAR] = {0}; // contains secret data - uint16_t C[PARAMS_NBAR * PARAMS_NBAR] = {0}; - uint16_t CC[PARAMS_NBAR * PARAMS_NBAR] = {0}; - uint16_t BBp[PARAMS_N * PARAMS_NBAR] = {0}; - uint16_t Sp[(2 * PARAMS_N + PARAMS_NBAR)*PARAMS_NBAR] = {0}; // contains secret data - uint16_t *Ep = &Sp[PARAMS_N * PARAMS_NBAR]; // contains secret data - uint16_t *Epp = &Sp[2 * PARAMS_N * PARAMS_NBAR]; // contains secret data - const uint8_t *ct_c1 = &ct[0]; - const uint8_t *ct_c2 = &ct[(PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8]; - const uint8_t *sk_s = &sk[0]; - const uint8_t *sk_pk = &sk[CRYPTO_BYTES]; - const uint8_t *sk_S = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES]; - uint16_t S[PARAMS_N * PARAMS_NBAR]; // contains secret data - const uint8_t *sk_pkh = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES + 2 * PARAMS_N * PARAMS_NBAR]; - const uint8_t *pk_seedA = &sk_pk[0]; - const uint8_t *pk_b = &sk_pk[BYTES_SEED_A]; - uint8_t G2in[BYTES_PKHASH + BYTES_MU]; // contains secret data via muprime - uint8_t *pkh = &G2in[0]; - uint8_t *muprime = &G2in[BYTES_PKHASH]; // contains secret data - uint8_t G2out[2 * CRYPTO_BYTES]; // contains secret data - uint8_t *seedSEprime = &G2out[0]; // contains secret data - uint8_t *kprime = &G2out[CRYPTO_BYTES]; // contains secret data - uint8_t Fin[CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES]; // contains secret data via Fin_k - uint8_t *Fin_ct = &Fin[0]; - uint8_t *Fin_k = &Fin[CRYPTO_CIPHERTEXTBYTES]; // contains secret data - uint8_t shake_input_seedSEprime[1 + CRYPTO_BYTES]; // 
contains secret data - - for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) { - S[i] = sk_S[2 * i] | (sk_S[2 * i + 1] << 8); - } - - // Compute W = C - Bp*S (mod q), and decode the randomness mu - PQCLEAN_FRODOKEM976AES_CLEAN_unpack(Bp, PARAMS_N * PARAMS_NBAR, ct_c1, (PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8, PARAMS_LOGQ); - PQCLEAN_FRODOKEM976AES_CLEAN_unpack(C, PARAMS_NBAR * PARAMS_NBAR, ct_c2, (PARAMS_LOGQ * PARAMS_NBAR * PARAMS_NBAR) / 8, PARAMS_LOGQ); - PQCLEAN_FRODOKEM976AES_CLEAN_mul_bs(W, Bp, S); - PQCLEAN_FRODOKEM976AES_CLEAN_sub(W, C, W); - PQCLEAN_FRODOKEM976AES_CLEAN_key_decode((uint16_t *)muprime, W); - - // Generate (seedSE' || k') = G_2(pkh || mu') - memcpy(pkh, sk_pkh, BYTES_PKHASH); - shake(G2out, CRYPTO_BYTES + CRYPTO_BYTES, G2in, BYTES_PKHASH + BYTES_MU); - - // Generate Sp and Ep, and compute BBp = Sp*A + Ep. Generate A on-the-fly - shake_input_seedSEprime[0] = 0x96; - memcpy(&shake_input_seedSEprime[1], seedSEprime, CRYPTO_BYTES); - shake((uint8_t *)Sp, (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSEprime, 1 + CRYPTO_BYTES); - for (size_t i = 0; i < (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR; i++) { - Sp[i] = PQCLEAN_FRODOKEM976AES_CLEAN_LE_TO_UINT16(Sp[i]); - } - PQCLEAN_FRODOKEM976AES_CLEAN_sample_n(Sp, PARAMS_N * PARAMS_NBAR); - PQCLEAN_FRODOKEM976AES_CLEAN_sample_n(Ep, PARAMS_N * PARAMS_NBAR); - PQCLEAN_FRODOKEM976AES_CLEAN_mul_add_sa_plus_e(BBp, Sp, Ep, pk_seedA); - - // Generate Epp, and compute W = Sp*B + Epp - PQCLEAN_FRODOKEM976AES_CLEAN_sample_n(Epp, PARAMS_NBAR * PARAMS_NBAR); - PQCLEAN_FRODOKEM976AES_CLEAN_unpack(B, PARAMS_N * PARAMS_NBAR, pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, PARAMS_LOGQ); - PQCLEAN_FRODOKEM976AES_CLEAN_mul_add_sb_plus_e(W, B, Sp, Epp); - - // Encode mu, and compute CC = W + enc(mu') (mod q) - PQCLEAN_FRODOKEM976AES_CLEAN_key_encode(CC, (uint16_t *)muprime); - PQCLEAN_FRODOKEM976AES_CLEAN_add(CC, W, CC); - - // Prepare input to F - memcpy(Fin_ct, ct, 
CRYPTO_CIPHERTEXTBYTES); - - // Reducing BBp modulo q - for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) { - BBp[i] = BBp[i] & ((1 << PARAMS_LOGQ) - 1); - } - - // If (Bp == BBp & C == CC) then ss = F(ct || k'), else ss = F(ct || s) - // Needs to avoid branching on secret data as per: - // Qian Guo, Thomas Johansson, Alexander Nilsson. A key-recovery timing attack on post-quantum - // primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM. In CRYPTO 2020. - int8_t selector = PQCLEAN_FRODOKEM976AES_CLEAN_ct_verify(Bp, BBp, PARAMS_N * PARAMS_NBAR) | PQCLEAN_FRODOKEM976AES_CLEAN_ct_verify(C, CC, PARAMS_NBAR * PARAMS_NBAR); - // If (selector == 0) then load k' to do ss = F(ct || k'), else if (selector == -1) load s to do ss = F(ct || s) - PQCLEAN_FRODOKEM976AES_CLEAN_ct_select((uint8_t *)Fin_k, (uint8_t *)kprime, (uint8_t *)sk_s, CRYPTO_BYTES, selector); - shake(ss, CRYPTO_BYTES, Fin, CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES); - - // Cleanup: - PQCLEAN_FRODOKEM976AES_CLEAN_clear_bytes((uint8_t *)W, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM976AES_CLEAN_clear_bytes((uint8_t *)Sp, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM976AES_CLEAN_clear_bytes((uint8_t *)S, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM976AES_CLEAN_clear_bytes((uint8_t *)Ep, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM976AES_CLEAN_clear_bytes((uint8_t *)Epp, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t)); - PQCLEAN_FRODOKEM976AES_CLEAN_clear_bytes(muprime, BYTES_MU); - PQCLEAN_FRODOKEM976AES_CLEAN_clear_bytes(G2out, 2 * CRYPTO_BYTES); - PQCLEAN_FRODOKEM976AES_CLEAN_clear_bytes(Fin_k, CRYPTO_BYTES); - PQCLEAN_FRODOKEM976AES_CLEAN_clear_bytes(shake_input_seedSEprime, 1 + CRYPTO_BYTES); - return 0; -} diff --git a/crypto_kem/frodokem976aes/clean/matrix_aes.c b/crypto_kem/frodokem976aes/clean/matrix_aes.c deleted file mode 100644 index ae0a8a0c..00000000 
--- a/crypto_kem/frodokem976aes/clean/matrix_aes.c
+++ /dev/null
@@ -1,95 +0,0 @@
-/********************************************************************************************
-* FrodoKEM: Learning with Errors Key Encapsulation
-*
-* Abstract: matrix arithmetic functions used by the KEM
-*********************************************************************************************/
-
-#include
-#include
-
-#include "aes.h"
-
-#include "api.h"
-#include "common.h"
-#include "params.h"
-
-int PQCLEAN_FRODOKEM976AES_CLEAN_mul_add_as_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A) {
- // Generate-and-multiply: generate matrix A (N x N) row-wise, multiply by s on the right.
- // Inputs: s, e (N x N_BAR)
- // Output: out = A*s + e (N x N_BAR)
- int i, j, k;
- int16_t A[PARAMS_N * PARAMS_N] = {0};
- aes128ctx ctx128;
-
- aes128_ecb_keyexp(&ctx128, seed_A);
- for (i = 0; i < PARAMS_N; i++) {
- for (j = 0; j < PARAMS_N; j += PARAMS_STRIPE_STEP) {
- A[i * PARAMS_N + j] = (int16_t) i; // Loading values in the little-endian order
- A[i * PARAMS_N + j + 1] = (int16_t) j;
- }
- }
- for (i = 0; i < PARAMS_N * PARAMS_N; i++) {
- A[i] = PQCLEAN_FRODOKEM976AES_CLEAN_UINT16_TO_LE(A[i]);
- }
-
- aes128_ecb((uint8_t *) A, (uint8_t *) A, PARAMS_N * PARAMS_N * sizeof(int16_t) / AES_BLOCKBYTES, &ctx128);
- aes128_ctx_release(&ctx128);
-
- for (i = 0; i < PARAMS_N * PARAMS_N; i++) {
- A[i] = PQCLEAN_FRODOKEM976AES_CLEAN_LE_TO_UINT16(A[i]);
- }
- memcpy(out, e, PARAMS_NBAR * PARAMS_N * sizeof(uint16_t));
-
- for (i = 0; i < PARAMS_N; i++) { // Matrix multiplication-addition A*s + e
- for (k = 0; k < PARAMS_NBAR; k++) {
- uint16_t sum = 0;
- for (j = 0; j < PARAMS_N; j++) {
- sum += A[i * PARAMS_N + j] * s[k * PARAMS_N + j];
- }
- out[i * PARAMS_NBAR + k] += sum; // Adding e. No need to reduce modulo 2^15, extra bits are taken care of during packing later on.
- }
- }
-
- return 1;
-}
-
-
-int PQCLEAN_FRODOKEM976AES_CLEAN_mul_add_sa_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A) {
- // Generate-and-multiply: generate matrix A (N x N) column-wise, multiply by s' on the left.
- // Inputs: s', e' (N_BAR x N)
- // Output: out = s'*A + e' (N_BAR x N)
- int i, j, k;
- int16_t A[PARAMS_N * PARAMS_N] = {0};
- aes128ctx ctx128;
-
- aes128_ecb_keyexp(&ctx128, seed_A);
- for (i = 0; i < PARAMS_N; i++) {
- for (j = 0; j < PARAMS_N; j += PARAMS_STRIPE_STEP) {
- A[i * PARAMS_N + j] = (int16_t) i; // Loading values in the little-endian order
- A[i * PARAMS_N + j + 1] = (int16_t) j;
- }
- }
- for (i = 0; i < PARAMS_N * PARAMS_N; i++) {
- A[i] = PQCLEAN_FRODOKEM976AES_CLEAN_UINT16_TO_LE(A[i]);
- }
-
- aes128_ecb((uint8_t *) A, (uint8_t *) A, PARAMS_N * PARAMS_N * sizeof(int16_t) / AES_BLOCKBYTES, &ctx128);
- aes128_ctx_release(&ctx128);
-
- for (i = 0; i < PARAMS_N * PARAMS_N; i++) {
- A[i] = PQCLEAN_FRODOKEM976AES_CLEAN_LE_TO_UINT16(A[i]);
- }
- memcpy(out, e, PARAMS_NBAR * PARAMS_N * sizeof(uint16_t));
-
- for (i = 0; i < PARAMS_N; i++) { // Matrix multiplication-addition A*s + e
- for (k = 0; k < PARAMS_NBAR; k++) {
- uint16_t sum = 0;
- for (j = 0; j < PARAMS_N; j++) {
- sum += A[j * PARAMS_N + i] * s[k * PARAMS_N + j];
- }
- out[k * PARAMS_N + i] += sum; // Adding e. No need to reduce modulo 2^15, extra bits are taken care of during packing later on.
- }
- }
-
- return 1;
-}
diff --git a/crypto_kem/frodokem976aes/clean/noise.c b/crypto_kem/frodokem976aes/clean/noise.c
deleted file mode 100644
index dcd674cb..00000000
--- a/crypto_kem/frodokem976aes/clean/noise.c
+++ /dev/null
@@ -1,35 +0,0 @@
-/********************************************************************************************
-* FrodoKEM: Learning with Errors Key Encapsulation
-*
-* Abstract: noise sampling functions
-*********************************************************************************************/
-
-#include
-
-#include "api.h"
-#include "common.h"
-#include "params.h"
-
-static const uint16_t CDF_TABLE[CDF_TABLE_LEN] = CDF_TABLE_DATA;
-
-void PQCLEAN_FRODOKEM976AES_CLEAN_sample_n(uint16_t *s, size_t n) {
- // Fills vector s with n samples from the noise distribution which requires 16 bits to sample.
- // The distribution is specified by its CDF.
- // Input: pseudo-random values (2*n bytes) passed in s. The input is overwritten by the output.
- size_t i;
- unsigned int j;
-
- for (i = 0; i < n; ++i) {
- uint16_t sample = 0;
- uint16_t prnd = s[i] >> 1; // Drop the least significant bit
- uint16_t sign = s[i] & 0x1; // Pick the least significant bit
-
- // No need to compare with the last value.
- for (j = 0; j < (unsigned int)(CDF_TABLE_LEN - 1); j++) {
- // Constant time comparison: 1 if CDF_TABLE[j] < s, 0 otherwise. Uses the fact that CDF_TABLE[j] and s fit in 15 bits.
- sample += (uint16_t)(CDF_TABLE[j] - prnd) >> 15;
- }
- // Assuming that sign is either 0 or 1, flips sample iff sign = 1
- s[i] = ((-sign) ^ sample) + sign;
- }
-}
diff --git a/crypto_kem/frodokem976aes/clean/params.h b/crypto_kem/frodokem976aes/clean/params.h
deleted file mode 100644
index 1e4147e8..00000000
--- a/crypto_kem/frodokem976aes/clean/params.h
+++ /dev/null
@@ -1,27 +0,0 @@
-#ifndef PARAMS_H
-#define PARAMS_H
-
-#define CRYPTO_SECRETKEYBYTES PQCLEAN_FRODOKEM976AES_CLEAN_CRYPTO_SECRETKEYBYTES
-#define CRYPTO_PUBLICKEYBYTES PQCLEAN_FRODOKEM976AES_CLEAN_CRYPTO_PUBLICKEYBYTES
-#define CRYPTO_BYTES PQCLEAN_FRODOKEM976AES_CLEAN_CRYPTO_BYTES
-#define CRYPTO_CIPHERTEXTBYTES PQCLEAN_FRODOKEM976AES_CLEAN_CRYPTO_CIPHERTEXTBYTES
-
-#define PARAMS_N 976
-#define PARAMS_NBAR 8
-#define PARAMS_LOGQ 16
-#define PARAMS_Q (1 << PARAMS_LOGQ)
-#define PARAMS_EXTRACTED_BITS 3
-#define PARAMS_STRIPE_STEP 8
-#define PARAMS_PARALLEL 4
-#define BYTES_SEED_A 16
-#define BYTES_MU ((PARAMS_EXTRACTED_BITS * PARAMS_NBAR * PARAMS_NBAR) / 8)
-#define BYTES_PKHASH CRYPTO_BYTES
-
-// Selecting SHAKE XOF function for the KEM and noise sampling
-#define shake shake256
-
-// CDF table
-#define CDF_TABLE_DATA {5638, 15915, 23689, 28571, 31116, 32217, 32613, 32731, 32760, 32766, 32767}
-#define CDF_TABLE_LEN 11
-
-#endif
diff --git a/crypto_kem/frodokem976aes/clean/util.c b/crypto_kem/frodokem976aes/clean/util.c
deleted file mode 100644
index 81e46ca4..00000000
--- a/crypto_kem/frodokem976aes/clean/util.c
+++ /dev/null
@@ -1,264 +0,0 @@
-/********************************************************************************************
-* FrodoKEM: Learning with Errors Key Encapsulation
-*
-* Abstract: additional functions for FrodoKEM
-*********************************************************************************************/
-
-#include
-#include
-
-#include "api.h"
-#include "common.h"
-#include "params.h"
-
-static inline uint8_t min(uint8_t x, uint8_t y) {
- if (x < y) {
- return x;
- }
- return y;
-}
-
-uint16_t PQCLEAN_FRODOKEM976AES_CLEAN_LE_TO_UINT16(uint16_t n) {
- return (((uint8_t *) &n)[0] | (((uint8_t *) &n)[1] << 8));
-}
-
-uint16_t PQCLEAN_FRODOKEM976AES_CLEAN_UINT16_TO_LE(uint16_t n) {
- uint16_t y;
- uint8_t *z = (uint8_t *) &y;
- z[0] = n & 0xFF;
- z[1] = (n & 0xFF00) >> 8;
- return y;
-}
-
-void PQCLEAN_FRODOKEM976AES_CLEAN_mul_bs(uint16_t *out, const uint16_t *b, const uint16_t *s) {
- // Multiply by s on the right
- // Inputs: b (N_BAR x N), s (N x N_BAR)
- // Output: out = b*s (N_BAR x N_BAR)
- int i, j, k;
-
- for (i = 0; i < PARAMS_NBAR; i++) {
- for (j = 0; j < PARAMS_NBAR; j++) {
- out[i * PARAMS_NBAR + j] = 0;
- for (k = 0; k < PARAMS_N; k++) {
- out[i * PARAMS_NBAR + j] += (uint16_t)(b[i * PARAMS_N + k] * (uint32_t)s[j * PARAMS_N + k]);
- }
- out[i * PARAMS_NBAR + j] = (uint32_t)(out[i * PARAMS_NBAR + j]) & ((1 << PARAMS_LOGQ) - 1);
- }
- }
-}
-
-
-void PQCLEAN_FRODOKEM976AES_CLEAN_mul_add_sb_plus_e(uint16_t *out, const uint16_t *b, const uint16_t *s, const uint16_t *e) {
- // Multiply by s on the left
- // Inputs: b (N x N_BAR), s (N_BAR x N), e (N_BAR x N_BAR)
- // Output: out = s*b + e (N_BAR x N_BAR)
- int i, j, k;
-
- for (k = 0; k < PARAMS_NBAR; k++) {
- for (i = 0; i < PARAMS_NBAR; i++) {
- out[k * PARAMS_NBAR + i] = e[k * PARAMS_NBAR + i];
- for (j = 0; j < PARAMS_N; j++) {
- out[k * PARAMS_NBAR + i] += (uint16_t)(s[k * PARAMS_N + j] * (uint32_t)b[j * PARAMS_NBAR + i]);
- }
- out[k * PARAMS_NBAR + i] = (uint32_t)(out[k * PARAMS_NBAR + i]) & ((1 
<< PARAMS_LOGQ) - 1);
- }
- }
-}
-
-
-void PQCLEAN_FRODOKEM976AES_CLEAN_add(uint16_t *out, const uint16_t *a, const uint16_t *b) {
- // Add a and b
- // Inputs: a, b (N_BAR x N_BAR)
- // Output: c = a + b
-
- for (size_t i = 0; i < (PARAMS_NBAR * PARAMS_NBAR); i++) {
- out[i] = (a[i] + b[i]) & ((1 << PARAMS_LOGQ) - 1);
- }
-}
-
-
-void PQCLEAN_FRODOKEM976AES_CLEAN_sub(uint16_t *out, const uint16_t *a, const uint16_t *b) {
- // Subtract a and b
- // Inputs: a, b (N_BAR x N_BAR)
- // Output: c = a - b
-
- for (size_t i = 0; i < (PARAMS_NBAR * PARAMS_NBAR); i++) {
- out[i] = (a[i] - b[i]) & ((1 << PARAMS_LOGQ) - 1);
- }
-}
-
-
-void PQCLEAN_FRODOKEM976AES_CLEAN_key_encode(uint16_t *out, const uint16_t *in) {
- // Encoding
- unsigned int i, j, npieces_word = 8;
- unsigned int nwords = (PARAMS_NBAR * PARAMS_NBAR) / 8;
- uint64_t temp, mask = ((uint64_t)1 << PARAMS_EXTRACTED_BITS) - 1;
- uint16_t *pos = out;
-
- for (i = 0; i < nwords; i++) {
- temp = 0;
- for (j = 0; j < PARAMS_EXTRACTED_BITS; j++) {
- temp |= ((uint64_t)((uint8_t *)in)[i * PARAMS_EXTRACTED_BITS + j]) << (8 * j);
- }
- for (j = 0; j < npieces_word; j++) {
- *pos = (uint16_t)((temp & mask) << (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS));
- temp >>= PARAMS_EXTRACTED_BITS;
- pos++;
- }
- }
-}
-
-
-void PQCLEAN_FRODOKEM976AES_CLEAN_key_decode(uint16_t *out, const uint16_t *in) {
- // Decoding
- unsigned int i, j, index = 0, npieces_word = 8;
- unsigned int nwords = (PARAMS_NBAR * PARAMS_NBAR) / 8;
- uint16_t temp, maskex = ((uint16_t)1 << PARAMS_EXTRACTED_BITS) - 1, maskq = ((uint16_t)1 << PARAMS_LOGQ) - 1;
- uint8_t *pos = (uint8_t *)out;
- uint64_t templong;
-
- for (i = 0; i < nwords; i++) {
- templong = 0;
- for (j = 0; j < npieces_word; j++) { // temp = floor(in*2^{-11}+0.5)
- temp = ((in[index] & maskq) + (1 << (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS - 1))) >> (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS);
- templong |= ((uint64_t)(temp & maskex)) << (PARAMS_EXTRACTED_BITS * j);
- index++;
- }
- for (j = 0; j < 
PARAMS_EXTRACTED_BITS; j++) {
- pos[i * PARAMS_EXTRACTED_BITS + j] = (templong >> (8 * j)) & 0xFF;
- }
- }
-}
-
-
-void PQCLEAN_FRODOKEM976AES_CLEAN_pack(uint8_t *out, size_t outlen, const uint16_t *in, size_t inlen, uint8_t lsb) {
- // Pack the input uint16 vector into a char output vector, copying lsb bits from each input element.
- // If inlen * lsb / 8 > outlen, only outlen * 8 bits are copied.
- memset(out, 0, outlen);
-
- size_t i = 0; // whole bytes already filled in
- size_t j = 0; // whole uint16_t already copied
- uint16_t w = 0; // the leftover, not yet copied
- uint8_t bits = 0; // the number of lsb in w
-
- while (i < outlen && (j < inlen || ((j == inlen) && (bits > 0)))) {
- /*
- in: | | |********|********|
- ^
- j
- w : | ****|
- ^
- bits
- out:|**|**|**|**|**|**|**|**|* |
- ^^
- ib
- */
- uint8_t b = 0; // bits in out[i] already filled in
- while (b < 8) {
- int nbits = min(8 - b, bits);
- uint16_t mask = (1 << nbits) - 1;
- uint8_t t = (uint8_t) ((w >> (bits - nbits)) & mask); // the bits to copy from w to out
- out[i] = out[i] + (t << (8 - b - nbits));
- b += (uint8_t) nbits;
- bits -= (uint8_t) nbits;
- w &= ~(mask << bits); // not strictly necessary; mostly for debugging
-
- if (bits == 0) {
- if (j < inlen) {
- w = in[j];
- bits = lsb;
- j++;
- } else {
- break; // the input vector is exhausted
- }
- }
- }
- if (b == 8) { // out[i] is filled in
- i++;
- }
- }
-}
-
-
-void PQCLEAN_FRODOKEM976AES_CLEAN_unpack(uint16_t *out, size_t outlen, const uint8_t *in, size_t inlen, uint8_t lsb) {
- // Unpack the input char vector into a uint16_t output vector, copying lsb bits
- // for each output element from input. outlen must be at least ceil(inlen * 8 / lsb). 
- memset(out, 0, outlen * sizeof(uint16_t));
-
- size_t i = 0; // whole uint16_t already filled in
- size_t j = 0; // whole bytes already copied
- uint8_t w = 0; // the leftover, not yet copied
- uint8_t bits = 0; // the number of lsb bits of w
-
- while (i < outlen && (j < inlen || ((j == inlen) && (bits > 0)))) {
- /*
- in: | | | | | | |**|**|...
- ^
- j
- w : | *|
- ^
- bits
- out:| *****| *****| *** | |...
- ^ ^
- i b
- */
- uint8_t b = 0; // bits in out[i] already filled in
- while (b < lsb) {
- int nbits = min(lsb - b, bits);
- uint16_t mask = (1 << nbits) - 1;
- uint8_t t = (w >> (bits - nbits)) & mask; // the bits to copy from w to out
- out[i] = out[i] + (t << (lsb - b - nbits));
- b += (uint8_t) nbits;
- bits -= (uint8_t) nbits;
- w &= ~(mask << bits); // not strictly necessary; mostly for debugging
-
- if (bits == 0) {
- if (j < inlen) {
- w = in[j];
- bits = 8;
- j++;
- } else {
- break; // the input vector is exhausted
- }
- }
- }
- if (b == lsb) { // out[i] is filled in
- i++;
- }
- }
-}
-
-
-int8_t PQCLEAN_FRODOKEM976AES_CLEAN_ct_verify(const uint16_t *a, const uint16_t *b, size_t len) {
- // Compare two arrays in constant time.
- // Returns 0 if the byte arrays are equal, -1 otherwise.
- uint16_t r = 0;
-
- for (size_t i = 0; i < len; i++) {
- r |= a[i] ^ b[i];
- }
-
- r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1);
- return (int8_t)r;
-}
-
-
-void PQCLEAN_FRODOKEM976AES_CLEAN_ct_select(uint8_t *r, const uint8_t *a, const uint8_t *b, size_t len, int8_t selector) {
- // Select one of the two input arrays to be moved to r
- // If (selector == 0) then load r with a, else if (selector == -1) load r with b
-
- for (size_t i = 0; i < len; i++) {
- r[i] = (~selector & a[i]) | (selector & b[i]);
- }
-}
-
-
-void PQCLEAN_FRODOKEM976AES_CLEAN_clear_bytes(uint8_t *mem, size_t n) {
- // Clear 8-bit bytes from memory. "n" indicates the number of bytes to be zeroed. 
- // This function uses the volatile type qualifier to inform the compiler not to optimize out the memory clearing.
- volatile uint8_t *v = mem;
-
- for (size_t i = 0; i < n; i++) {
- v[i] = 0;
- }
-}
diff --git a/crypto_kem/frodokem976aes/opt/LICENSE b/crypto_kem/frodokem976aes/opt/LICENSE
deleted file mode 100644
index 5cf7c8db..00000000
--- a/crypto_kem/frodokem976aes/opt/LICENSE
+++ /dev/null
@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) Microsoft Corporation. All rights reserved.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE
diff --git a/crypto_kem/frodokem976aes/opt/Makefile.Microsoft_nmake b/crypto_kem/frodokem976aes/opt/Makefile.Microsoft_nmake
deleted file mode 100644
index 3cce34aa..00000000
--- a/crypto_kem/frodokem976aes/opt/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libfrodokem976aes_opt.lib
-OBJECTS=kem.obj matrix_aes.obj noise.obj util.obj
-
-CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_kem/frodokem976aes/opt/api.h b/crypto_kem/frodokem976aes/opt/api.h
deleted file mode 100644
index d4be07a2..00000000
--- a/crypto_kem/frodokem976aes/opt/api.h
+++ /dev/null
@@ -1,20 +0,0 @@
-#ifndef PQCLEAN_FRODOKEM976AES_OPT_API_H
-#define PQCLEAN_FRODOKEM976AES_OPT_API_H
-
-#include
-#include
-
-#define PQCLEAN_FRODOKEM976AES_OPT_CRYPTO_SECRETKEYBYTES 31296 // sizeof(s) + CRYPTO_PUBLICKEYBYTES + 2*PARAMS_N*PARAMS_NBAR + BYTES_PKHASH
-#define PQCLEAN_FRODOKEM976AES_OPT_CRYPTO_PUBLICKEYBYTES 15632 // sizeof(seed_A) + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8
-#define PQCLEAN_FRODOKEM976AES_OPT_CRYPTO_BYTES 24
-#define PQCLEAN_FRODOKEM976AES_OPT_CRYPTO_CIPHERTEXTBYTES 15744 // (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 + (PARAMS_LOGQ*PARAMS_NBAR*PARAMS_NBAR)/8
-
-#define PQCLEAN_FRODOKEM976AES_OPT_CRYPTO_ALGNAME "FrodoKEM-976-AES"
-
-int PQCLEAN_FRODOKEM976AES_OPT_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
-
-int PQCLEAN_FRODOKEM976AES_OPT_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-
-int PQCLEAN_FRODOKEM976AES_OPT_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
-#endif
diff --git a/crypto_kem/frodokem976aes/opt/common.h b/crypto_kem/frodokem976aes/opt/common.h
deleted file mode 100644
index e655aedf..00000000
--- a/crypto_kem/frodokem976aes/opt/common.h
+++ /dev/null
@@ -1,21 +0,0 @@
-#ifndef COMMON_H
-#define COMMON_H
-
-int PQCLEAN_FRODOKEM976AES_OPT_mul_add_as_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A);
-int PQCLEAN_FRODOKEM976AES_OPT_mul_add_sa_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A);
-void PQCLEAN_FRODOKEM976AES_OPT_sample_n(uint16_t *s, size_t n);
-void PQCLEAN_FRODOKEM976AES_OPT_mul_bs(uint16_t *out, const uint16_t *b, const uint16_t *s);
-void PQCLEAN_FRODOKEM976AES_OPT_mul_add_sb_plus_e(uint16_t *out, const uint16_t *b, const uint16_t *s, const uint16_t *e);
-void PQCLEAN_FRODOKEM976AES_OPT_add(uint16_t *out, const uint16_t *a, const uint16_t *b);
-void PQCLEAN_FRODOKEM976AES_OPT_sub(uint16_t *out, const uint16_t *a, const uint16_t *b);
-void PQCLEAN_FRODOKEM976AES_OPT_key_encode(uint16_t *out, const uint16_t *in);
-void PQCLEAN_FRODOKEM976AES_OPT_key_decode(uint16_t *out, const uint16_t *in);
-void PQCLEAN_FRODOKEM976AES_OPT_pack(uint8_t *out, size_t outlen, const uint16_t *in, size_t inlen, uint8_t lsb);
-void PQCLEAN_FRODOKEM976AES_OPT_unpack(uint16_t *out, size_t outlen, const uint8_t *in, size_t inlen, uint8_t lsb);
-int8_t PQCLEAN_FRODOKEM976AES_OPT_ct_verify(const uint16_t *a, const uint16_t *b, size_t len);
-void PQCLEAN_FRODOKEM976AES_OPT_ct_select(uint8_t *r, const uint8_t *a, const uint8_t *b, size_t len, int8_t selector);
-void PQCLEAN_FRODOKEM976AES_OPT_clear_bytes(uint8_t *mem, size_t n);
-uint16_t PQCLEAN_FRODOKEM976AES_OPT_LE_TO_UINT16(uint16_t n);
-uint16_t PQCLEAN_FRODOKEM976AES_OPT_UINT16_TO_LE(uint16_t n);
-
-#endif
diff --git a/crypto_kem/frodokem976aes/opt/kem.c b/crypto_kem/frodokem976aes/opt/kem.c
deleted file mode 100644
index c2420c8e..00000000
--- a/crypto_kem/frodokem976aes/opt/kem.c
+++ /dev/null
@@ -1,237 +0,0 @@
-/********************************************************************************************
-* FrodoKEM: Learning with Errors Key Encapsulation
-*
-* Abstract: Key Encapsulation Mechanism (KEM) based on Frodo
-*********************************************************************************************/
-
-#include
-#include
-
-#include "fips202.h"
-#include "randombytes.h"
-
-#include "api.h"
-#include "common.h"
-#include "params.h"
-
-int PQCLEAN_FRODOKEM976AES_OPT_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) {
- // FrodoKEM's key generation
- // Outputs: public key pk ( BYTES_SEED_A + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 bytes)
- // secret key sk (CRYPTO_BYTES + BYTES_SEED_A + (PARAMS_LOGQ*PARAMS_N*PARAMS_NBAR)/8 + 2*PARAMS_N*PARAMS_NBAR + BYTES_PKHASH bytes)
- uint8_t *pk_seedA = &pk[0];
- uint8_t *pk_b = &pk[BYTES_SEED_A];
- uint8_t *sk_s = &sk[0];
- uint8_t *sk_pk = &sk[CRYPTO_BYTES];
- uint8_t *sk_S = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES];
- uint8_t *sk_pkh = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES + 2 * PARAMS_N * PARAMS_NBAR];
- uint16_t B[PARAMS_N * PARAMS_NBAR] = {0};
- uint16_t S[2 * PARAMS_N * PARAMS_NBAR] = {0}; // contains secret data
- uint16_t *E = &S[PARAMS_N * PARAMS_NBAR]; // contains secret data
- uint8_t randomness[2 * CRYPTO_BYTES + BYTES_SEED_A]; // contains secret data via randomness_s and randomness_seedSE
- uint8_t *randomness_s = &randomness[0]; // contains secret data
- uint8_t *randomness_seedSE = &randomness[CRYPTO_BYTES]; // contains secret data
- uint8_t *randomness_z = &randomness[2 * CRYPTO_BYTES];
- uint8_t shake_input_seedSE[1 + CRYPTO_BYTES]; // contains secret data
-
- // Generate the secret value s, the seed for S and E, and the seed for the seed for A. Add seed_A to the public key
- randombytes(randomness, CRYPTO_BYTES + CRYPTO_BYTES + BYTES_SEED_A);
- shake(pk_seedA, BYTES_SEED_A, randomness_z, BYTES_SEED_A);
-
- // Generate S and E, and compute B = A*S + E. 
Generate A on-the-fly
- shake_input_seedSE[0] = 0x5F;
- memcpy(&shake_input_seedSE[1], randomness_seedSE, CRYPTO_BYTES);
- shake((uint8_t *)S, 2 * PARAMS_N * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSE, 1 + CRYPTO_BYTES);
- for (size_t i = 0; i < 2 * PARAMS_N * PARAMS_NBAR; i++) {
- S[i] = PQCLEAN_FRODOKEM976AES_OPT_LE_TO_UINT16(S[i]);
- }
- PQCLEAN_FRODOKEM976AES_OPT_sample_n(S, PARAMS_N * PARAMS_NBAR);
- PQCLEAN_FRODOKEM976AES_OPT_sample_n(E, PARAMS_N * PARAMS_NBAR);
- PQCLEAN_FRODOKEM976AES_OPT_mul_add_as_plus_e(B, S, E, pk);
-
- // Encode the second part of the public key
- PQCLEAN_FRODOKEM976AES_OPT_pack(pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, B, PARAMS_N * PARAMS_NBAR, PARAMS_LOGQ);
-
- // Add s, pk and S to the secret key
- memcpy(sk_s, randomness_s, CRYPTO_BYTES);
- memcpy(sk_pk, pk, CRYPTO_PUBLICKEYBYTES);
- for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) {
- S[i] = PQCLEAN_FRODOKEM976AES_OPT_UINT16_TO_LE(S[i]);
- }
- memcpy(sk_S, S, 2 * PARAMS_N * PARAMS_NBAR);
-
- // Add H(pk) to the secret key
- shake(sk_pkh, BYTES_PKHASH, pk, CRYPTO_PUBLICKEYBYTES);
-
- // Cleanup:
- PQCLEAN_FRODOKEM976AES_OPT_clear_bytes((uint8_t *)S, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
- PQCLEAN_FRODOKEM976AES_OPT_clear_bytes((uint8_t *)E, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
- PQCLEAN_FRODOKEM976AES_OPT_clear_bytes(randomness, 2 * CRYPTO_BYTES);
- PQCLEAN_FRODOKEM976AES_OPT_clear_bytes(shake_input_seedSE, 1 + CRYPTO_BYTES);
- return 0;
-}
-
-
-int PQCLEAN_FRODOKEM976AES_OPT_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk) {
- // FrodoKEM's key encapsulation
- const uint8_t *pk_seedA = &pk[0];
- const uint8_t *pk_b = &pk[BYTES_SEED_A];
- uint8_t *ct_c1 = &ct[0];
- uint8_t *ct_c2 = &ct[(PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8];
- uint16_t B[PARAMS_N * PARAMS_NBAR] = {0};
- uint16_t V[PARAMS_NBAR * PARAMS_NBAR] = {0}; // contains secret data
- uint16_t C[PARAMS_NBAR * PARAMS_NBAR] = {0};
- uint16_t Bp[PARAMS_N * PARAMS_NBAR] = {0};
- uint16_t 
Sp[(2 * PARAMS_N + PARAMS_NBAR)*PARAMS_NBAR] = {0}; // contains secret data
- uint16_t *Ep = &Sp[PARAMS_N * PARAMS_NBAR]; // contains secret data
- uint16_t *Epp = &Sp[2 * PARAMS_N * PARAMS_NBAR]; // contains secret data
- uint8_t G2in[BYTES_PKHASH + BYTES_MU]; // contains secret data via mu
- uint8_t *pkh = &G2in[0];
- uint8_t *mu = &G2in[BYTES_PKHASH]; // contains secret data
- uint8_t G2out[2 * CRYPTO_BYTES]; // contains secret data
- uint8_t *seedSE = &G2out[0]; // contains secret data
- uint8_t *k = &G2out[CRYPTO_BYTES]; // contains secret data
- uint8_t Fin[CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES]; // contains secret data via Fin_k
- uint8_t *Fin_ct = &Fin[0];
- uint8_t *Fin_k = &Fin[CRYPTO_CIPHERTEXTBYTES]; // contains secret data
- uint8_t shake_input_seedSE[1 + CRYPTO_BYTES]; // contains secret data
-
- // pkh <- G_1(pk), generate random mu, compute (seedSE || k) = G_2(pkh || mu)
- shake(pkh, BYTES_PKHASH, pk, CRYPTO_PUBLICKEYBYTES);
- randombytes(mu, BYTES_MU);
- shake(G2out, CRYPTO_BYTES + CRYPTO_BYTES, G2in, BYTES_PKHASH + BYTES_MU);
-
- // Generate Sp and Ep, and compute Bp = Sp*A + Ep. 
Generate A on-the-fly
- shake_input_seedSE[0] = 0x96;
- memcpy(&shake_input_seedSE[1], seedSE, CRYPTO_BYTES);
- shake((uint8_t *)Sp, (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSE, 1 + CRYPTO_BYTES);
- for (size_t i = 0; i < (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR; i++) {
- Sp[i] = PQCLEAN_FRODOKEM976AES_OPT_LE_TO_UINT16(Sp[i]);
- }
- PQCLEAN_FRODOKEM976AES_OPT_sample_n(Sp, PARAMS_N * PARAMS_NBAR);
- PQCLEAN_FRODOKEM976AES_OPT_sample_n(Ep, PARAMS_N * PARAMS_NBAR);
- PQCLEAN_FRODOKEM976AES_OPT_mul_add_sa_plus_e(Bp, Sp, Ep, pk_seedA);
- PQCLEAN_FRODOKEM976AES_OPT_pack(ct_c1, (PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8, Bp, PARAMS_N * PARAMS_NBAR, PARAMS_LOGQ);
-
- // Generate Epp, and compute V = Sp*B + Epp
- PQCLEAN_FRODOKEM976AES_OPT_sample_n(Epp, PARAMS_NBAR * PARAMS_NBAR);
- PQCLEAN_FRODOKEM976AES_OPT_unpack(B, PARAMS_N * PARAMS_NBAR, pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, PARAMS_LOGQ);
- PQCLEAN_FRODOKEM976AES_OPT_mul_add_sb_plus_e(V, B, Sp, Epp);
-
- // Encode mu, and compute C = V + enc(mu) (mod q)
- PQCLEAN_FRODOKEM976AES_OPT_key_encode(C, (uint16_t *)mu);
- PQCLEAN_FRODOKEM976AES_OPT_add(C, V, C);
- PQCLEAN_FRODOKEM976AES_OPT_pack(ct_c2, (PARAMS_LOGQ * PARAMS_NBAR * PARAMS_NBAR) / 8, C, PARAMS_NBAR * PARAMS_NBAR, PARAMS_LOGQ);
-
- // Compute ss = F(ct||KK)
- memcpy(Fin_ct, ct, CRYPTO_CIPHERTEXTBYTES);
- memcpy(Fin_k, k, CRYPTO_BYTES);
- shake(ss, CRYPTO_BYTES, Fin, CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES);
-
- // Cleanup:
- PQCLEAN_FRODOKEM976AES_OPT_clear_bytes((uint8_t *)V, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t));
- PQCLEAN_FRODOKEM976AES_OPT_clear_bytes((uint8_t *)Sp, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
- PQCLEAN_FRODOKEM976AES_OPT_clear_bytes((uint8_t *)Ep, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
- PQCLEAN_FRODOKEM976AES_OPT_clear_bytes((uint8_t *)Epp, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t));
- PQCLEAN_FRODOKEM976AES_OPT_clear_bytes(mu, BYTES_MU);
- 
PQCLEAN_FRODOKEM976AES_OPT_clear_bytes(G2out, 2 * CRYPTO_BYTES);
- PQCLEAN_FRODOKEM976AES_OPT_clear_bytes(Fin_k, CRYPTO_BYTES);
- PQCLEAN_FRODOKEM976AES_OPT_clear_bytes(shake_input_seedSE, 1 + CRYPTO_BYTES);
- return 0;
-}
-
-
-int PQCLEAN_FRODOKEM976AES_OPT_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk) {
- // FrodoKEM's key decapsulation
- uint16_t B[PARAMS_N * PARAMS_NBAR] = {0};
- uint16_t Bp[PARAMS_N * PARAMS_NBAR] = {0};
- uint16_t W[PARAMS_NBAR * PARAMS_NBAR] = {0}; // contains secret data
- uint16_t C[PARAMS_NBAR * PARAMS_NBAR] = {0};
- uint16_t CC[PARAMS_NBAR * PARAMS_NBAR] = {0};
- uint16_t BBp[PARAMS_N * PARAMS_NBAR] = {0};
- uint16_t Sp[(2 * PARAMS_N + PARAMS_NBAR)*PARAMS_NBAR] = {0}; // contains secret data
- uint16_t *Ep = &Sp[PARAMS_N * PARAMS_NBAR]; // contains secret data
- uint16_t *Epp = &Sp[2 * PARAMS_N * PARAMS_NBAR]; // contains secret data
- const uint8_t *ct_c1 = &ct[0];
- const uint8_t *ct_c2 = &ct[(PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8];
- const uint8_t *sk_s = &sk[0];
- const uint8_t *sk_pk = &sk[CRYPTO_BYTES];
- const uint8_t *sk_S = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES];
- uint16_t S[PARAMS_N * PARAMS_NBAR]; // contains secret data
- const uint8_t *sk_pkh = &sk[CRYPTO_BYTES + CRYPTO_PUBLICKEYBYTES + 2 * PARAMS_N * PARAMS_NBAR];
- const uint8_t *pk_seedA = &sk_pk[0];
- const uint8_t *pk_b = &sk_pk[BYTES_SEED_A];
- uint8_t G2in[BYTES_PKHASH + BYTES_MU]; // contains secret data via muprime
- uint8_t *pkh = &G2in[0];
- uint8_t *muprime = &G2in[BYTES_PKHASH]; // contains secret data
- uint8_t G2out[2 * CRYPTO_BYTES]; // contains secret data
- uint8_t *seedSEprime = &G2out[0]; // contains secret data
- uint8_t *kprime = &G2out[CRYPTO_BYTES]; // contains secret data
- uint8_t Fin[CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES]; // contains secret data via Fin_k
- uint8_t *Fin_ct = &Fin[0];
- uint8_t *Fin_k = &Fin[CRYPTO_CIPHERTEXTBYTES]; // contains secret data
- uint8_t shake_input_seedSEprime[1 + CRYPTO_BYTES]; // contains 
secret data
-
- for (size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) {
- S[i] = sk_S[2 * i] | (sk_S[2 * i + 1] << 8);
- }
-
- // Compute W = C - Bp*S (mod q), and decode the randomness mu
- PQCLEAN_FRODOKEM976AES_OPT_unpack(Bp, PARAMS_N * PARAMS_NBAR, ct_c1, (PARAMS_LOGQ * PARAMS_N * PARAMS_NBAR) / 8, PARAMS_LOGQ);
- PQCLEAN_FRODOKEM976AES_OPT_unpack(C, PARAMS_NBAR * PARAMS_NBAR, ct_c2, (PARAMS_LOGQ * PARAMS_NBAR * PARAMS_NBAR) / 8, PARAMS_LOGQ);
- PQCLEAN_FRODOKEM976AES_OPT_mul_bs(W, Bp, S);
- PQCLEAN_FRODOKEM976AES_OPT_sub(W, C, W);
- PQCLEAN_FRODOKEM976AES_OPT_key_decode((uint16_t *)muprime, W);
-
- // Generate (seedSE' || k') = G_2(pkh || mu')
- memcpy(pkh, sk_pkh, BYTES_PKHASH);
- shake(G2out, CRYPTO_BYTES + CRYPTO_BYTES, G2in, BYTES_PKHASH + BYTES_MU);
-
- // Generate Sp and Ep, and compute BBp = Sp*A + Ep. Generate A on-the-fly
- shake_input_seedSEprime[0] = 0x96;
- memcpy(&shake_input_seedSEprime[1], seedSEprime, CRYPTO_BYTES);
- shake((uint8_t *)Sp, (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR * sizeof(uint16_t), shake_input_seedSEprime, 1 + CRYPTO_BYTES);
- for (size_t i = 0; i < (2 * PARAMS_N + PARAMS_NBAR) * PARAMS_NBAR; i++) {
- Sp[i] = PQCLEAN_FRODOKEM976AES_OPT_LE_TO_UINT16(Sp[i]);
- }
- PQCLEAN_FRODOKEM976AES_OPT_sample_n(Sp, PARAMS_N * PARAMS_NBAR);
- PQCLEAN_FRODOKEM976AES_OPT_sample_n(Ep, PARAMS_N * PARAMS_NBAR);
- PQCLEAN_FRODOKEM976AES_OPT_mul_add_sa_plus_e(BBp, Sp, Ep, pk_seedA);
-
- // Generate Epp, and compute W = Sp*B + Epp
- PQCLEAN_FRODOKEM976AES_OPT_sample_n(Epp, PARAMS_NBAR * PARAMS_NBAR);
- PQCLEAN_FRODOKEM976AES_OPT_unpack(B, PARAMS_N * PARAMS_NBAR, pk_b, CRYPTO_PUBLICKEYBYTES - BYTES_SEED_A, PARAMS_LOGQ);
- PQCLEAN_FRODOKEM976AES_OPT_mul_add_sb_plus_e(W, B, Sp, Epp);
-
- // Encode mu, and compute CC = W + enc(mu') (mod q)
- PQCLEAN_FRODOKEM976AES_OPT_key_encode(CC, (uint16_t *)muprime);
- PQCLEAN_FRODOKEM976AES_OPT_add(CC, W, CC);
-
- // Prepare input to F
- memcpy(Fin_ct, ct, CRYPTO_CIPHERTEXTBYTES);
-
- // Reducing BBp modulo q
- for 
(size_t i = 0; i < PARAMS_N * PARAMS_NBAR; i++) {
- BBp[i] = BBp[i] & ((1 << PARAMS_LOGQ) - 1);
- }
-
- // If (Bp == BBp & C == CC) then ss = F(ct || k'), else ss = F(ct || s)
- // Needs to avoid branching on secret data as per:
- // Qian Guo, Thomas Johansson, Alexander Nilsson. A key-recovery timing attack on post-quantum
- // primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM. In CRYPTO 2020.
- int8_t selector = PQCLEAN_FRODOKEM976AES_OPT_ct_verify(Bp, BBp, PARAMS_N * PARAMS_NBAR) | PQCLEAN_FRODOKEM976AES_OPT_ct_verify(C, CC, PARAMS_NBAR * PARAMS_NBAR);
- // If (selector == 0) then load k' to do ss = F(ct || k'), else if (selector == -1) load s to do ss = F(ct || s)
- PQCLEAN_FRODOKEM976AES_OPT_ct_select((uint8_t *)Fin_k, (uint8_t *)kprime, (uint8_t *)sk_s, CRYPTO_BYTES, selector);
- shake(ss, CRYPTO_BYTES, Fin, CRYPTO_CIPHERTEXTBYTES + CRYPTO_BYTES);
-
- // Cleanup:
- PQCLEAN_FRODOKEM976AES_OPT_clear_bytes((uint8_t *)W, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t));
- PQCLEAN_FRODOKEM976AES_OPT_clear_bytes((uint8_t *)Sp, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
- PQCLEAN_FRODOKEM976AES_OPT_clear_bytes((uint8_t *)S, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
- PQCLEAN_FRODOKEM976AES_OPT_clear_bytes((uint8_t *)Ep, PARAMS_N * PARAMS_NBAR * sizeof(uint16_t));
- PQCLEAN_FRODOKEM976AES_OPT_clear_bytes((uint8_t *)Epp, PARAMS_NBAR * PARAMS_NBAR * sizeof(uint16_t));
- PQCLEAN_FRODOKEM976AES_OPT_clear_bytes(muprime, BYTES_MU);
- PQCLEAN_FRODOKEM976AES_OPT_clear_bytes(G2out, 2 * CRYPTO_BYTES);
- PQCLEAN_FRODOKEM976AES_OPT_clear_bytes(Fin_k, CRYPTO_BYTES);
- PQCLEAN_FRODOKEM976AES_OPT_clear_bytes(shake_input_seedSEprime, 1 + CRYPTO_BYTES);
- return 0;
-}
diff --git a/crypto_kem/frodokem976aes/opt/matrix_aes.c b/crypto_kem/frodokem976aes/opt/matrix_aes.c
deleted file mode 100644
index 8461bda0..00000000
--- a/crypto_kem/frodokem976aes/opt/matrix_aes.c
+++ /dev/null
@@ -1,127 +0,0 @@
-/********************************************************************************************
-* FrodoKEM: Learning with Errors Key Encapsulation
-*
-* Abstract: matrix arithmetic functions used by the KEM
-*********************************************************************************************/
-
-#include
-#include
-
-#include "aes.h"
-
-#include "api.h"
-#include "common.h"
-#include "params.h"
-
-int PQCLEAN_FRODOKEM976AES_OPT_mul_add_as_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A) {
- // Generate-and-multiply: generate matrix A (N x N) row-wise, multiply by s on the right.
- // Inputs: s, e (N x N_BAR)
- // Output: out = A*s + e (N x N_BAR)
- int k;
- uint16_t i, j;
- int16_t a_row[4 * PARAMS_N];
-
- for (i = 0; i < (PARAMS_N * PARAMS_NBAR); i += 2) {
- *((uint32_t *)&out[i]) = *((uint32_t *)&e[i]);
- }
-
- int16_t a_row_temp[4 * PARAMS_N] = {0}; // Take four lines of A at once
- aes128ctx ctx128;
-
- aes128_ecb_keyexp(&ctx128, seed_A);
-
- for (j = 0; j < PARAMS_N; j += PARAMS_STRIPE_STEP) {
- a_row_temp[j + 1 + 0 * PARAMS_N] = PQCLEAN_FRODOKEM976AES_OPT_UINT16_TO_LE(j); // Loading values in the little-endian order
- a_row_temp[j + 1 + 1 * PARAMS_N] = PQCLEAN_FRODOKEM976AES_OPT_UINT16_TO_LE(j);
- a_row_temp[j + 1 + 2 * PARAMS_N] = PQCLEAN_FRODOKEM976AES_OPT_UINT16_TO_LE(j);
- a_row_temp[j + 1 + 3 * PARAMS_N] = PQCLEAN_FRODOKEM976AES_OPT_UINT16_TO_LE(j);
- }
-
- for (i = 0; i < PARAMS_N; i += 4) {
- for (j = 0; j < PARAMS_N; j += PARAMS_STRIPE_STEP) { // Go through A, four rows at a time
- a_row_temp[j + 0 * PARAMS_N] = PQCLEAN_FRODOKEM976AES_OPT_UINT16_TO_LE(i + 0); // Loading values in the little-endian order
- a_row_temp[j + 1 * PARAMS_N] = PQCLEAN_FRODOKEM976AES_OPT_UINT16_TO_LE(i + 1);
- a_row_temp[j + 2 * PARAMS_N] = PQCLEAN_FRODOKEM976AES_OPT_UINT16_TO_LE(i + 2);
- a_row_temp[j + 3 * PARAMS_N] = PQCLEAN_FRODOKEM976AES_OPT_UINT16_TO_LE(i + 3);
- }
- aes128_ecb((uint8_t *)a_row, (uint8_t 
*)a_row_temp, 4 * PARAMS_N * sizeof(int16_t) / AES_BLOCKBYTES, &ctx128);
- for (k = 0; k < 4 * PARAMS_N; k++) {
- a_row[k] = PQCLEAN_FRODOKEM976AES_OPT_LE_TO_UINT16(a_row[k]);
- }
- for (k = 0; k < PARAMS_NBAR; k++) {
- uint16_t sum[4] = {0};
- for (j = 0; j < PARAMS_N; j++) { // Matrix-vector multiplication
- uint16_t sp = s[k * PARAMS_N + j];
- sum[0] += a_row[0 * PARAMS_N + j] * sp; // Go through four lines with same s
- sum[1] += a_row[1 * PARAMS_N + j] * sp;
- sum[2] += a_row[2 * PARAMS_N + j] * sp;
- sum[3] += a_row[3 * PARAMS_N + j] * sp;
- }
- out[(i + 0)*PARAMS_NBAR + k] += sum[0];
- out[(i + 2)*PARAMS_NBAR + k] += sum[2];
- out[(i + 1)*PARAMS_NBAR + k] += sum[1];
- out[(i + 3)*PARAMS_NBAR + k] += sum[3];
- }
- }
- aes128_ctx_release(&ctx128);
- return 1;
-}
-
-
-
-
-int PQCLEAN_FRODOKEM976AES_OPT_mul_add_sa_plus_e(uint16_t *out, const uint16_t *s, const uint16_t *e, const uint8_t *seed_A) {
- // Generate-and-multiply: generate matrix A (N x N) column-wise, multiply by s' on the left.
- // Inputs: s', e' (N_BAR x N)
- // Output: out = s'*A + e' (N_BAR x N)
- int j;
- uint16_t i, kk;
- for (i = 0; i < (PARAMS_N * PARAMS_NBAR); i += 2) {
- *((uint32_t *)&out[i]) = *((uint32_t *)&e[i]);
- }
-
- int k;
- uint16_t a_cols[PARAMS_N * PARAMS_STRIPE_STEP] = {0};
- uint16_t a_cols_t[PARAMS_N * PARAMS_STRIPE_STEP];
- uint16_t a_cols_temp[PARAMS_N * PARAMS_STRIPE_STEP] = {0};
- aes128ctx ctx128;
-
- aes128_ecb_keyexp(&ctx128, seed_A);
-
- for (i = 0, j = 0; i < PARAMS_N; i++, j += PARAMS_STRIPE_STEP) {
- a_cols_temp[j] = PQCLEAN_FRODOKEM976AES_OPT_UINT16_TO_LE(i); // Loading values in the little-endian order
- }
-
- for (kk = 0; kk < PARAMS_N; kk += PARAMS_STRIPE_STEP) { // Go through A's columns, 8 (== PARAMS_STRIPE_STEP) columns at a time. 
- for (i = 0; i < (PARAMS_N * PARAMS_STRIPE_STEP); i += PARAMS_STRIPE_STEP) {
- a_cols_temp[i + 1] = PQCLEAN_FRODOKEM976AES_OPT_UINT16_TO_LE(kk); // Loading values in the little-endian order
- }
-
- aes128_ecb((uint8_t *)a_cols, (uint8_t *)a_cols_temp, PARAMS_N * PARAMS_STRIPE_STEP * sizeof(int16_t) / AES_BLOCKBYTES, &ctx128);
-
- for (i = 0; i < PARAMS_N; i++) { // Transpose a_cols to have access to it in the column-major order.
- for (k = 0; k < PARAMS_STRIPE_STEP; k++) {
- a_cols_t[k * PARAMS_N + i] = PQCLEAN_FRODOKEM976AES_OPT_LE_TO_UINT16(a_cols[i * PARAMS_STRIPE_STEP + k]);
- }
- }
-
- for (i = 0; i < PARAMS_NBAR; i++) {
- for (k = 0; k < PARAMS_STRIPE_STEP; k += PARAMS_PARALLEL) {
- uint16_t sum[PARAMS_PARALLEL] = {0};
- for (j = 0; j < PARAMS_N; j++) { // Matrix-vector multiplication
- uint16_t sp = s[i * PARAMS_N + j];
- sum[0] += (uint16_t)(sp * (uint32_t)a_cols_t[(k + 0) * PARAMS_N + j]);
- sum[1] += (uint16_t)(sp * (uint32_t)a_cols_t[(k + 1) * PARAMS_N + j]);
- sum[2] += (uint16_t)(sp * (uint32_t)a_cols_t[(k + 2) * PARAMS_N + j]);
- sum[3] += (uint16_t)(sp * (uint32_t)a_cols_t[(k + 3) * PARAMS_N + j]);
- }
- out[i * PARAMS_N + kk + k + 0] += sum[0];
- out[i * PARAMS_N + kk + k + 2] += sum[2];
- out[i * PARAMS_N + kk + k + 1] += sum[1];
- out[i * PARAMS_N + kk + k + 3] += sum[3];
- }
- }
- }
- aes128_ctx_release(&ctx128);
- return 1;
-}
diff --git a/crypto_kem/frodokem976aes/opt/noise.c b/crypto_kem/frodokem976aes/opt/noise.c
deleted file mode 100644
index f502b0c4..00000000
--- a/crypto_kem/frodokem976aes/opt/noise.c
+++ /dev/null
@@ -1,35 +0,0 @@ -/******************************************************************************************** -* FrodoKEM: Learning with Errors Key Encapsulation -* -* Abstract: noise sampling functions -*********************************************************************************************/ - -#include - -#include "api.h" -#include "common.h" -#include "params.h" - -static const uint16_t CDF_TABLE[CDF_TABLE_LEN] = CDF_TABLE_DATA; - -void PQCLEAN_FRODOKEM976AES_OPT_sample_n(uint16_t *s, size_t n) { - // Fills vector s with n samples from the noise distribution which requires 16 bits to sample. - // The distribution is specified by its CDF. - // Input: pseudo-random values (2*n bytes) passed in s. The input is overwritten by the output. - size_t i; - unsigned int j; - - for (i = 0; i < n; ++i) { - uint16_t sample = 0; - uint16_t prnd = s[i] >> 1; // Drop the least significant bit - uint16_t sign = s[i] & 0x1; // Pick the least significant bit - - // No need to compare with the last value. - for (j = 0; j < (unsigned int)(CDF_TABLE_LEN - 1); j++) { - // Constant time comparison: 1 if CDF_TABLE[j] < s, 0 otherwise. Uses the fact that CDF_TABLE[j] and s fit in 15 bits. - sample += (uint16_t)(CDF_TABLE[j] - prnd) >> 15; - } - // Assuming that sign is either 0 or 1, flips sample iff sign = 1 - s[i] = ((-sign) ^ sample) + sign; - } -} diff --git a/crypto_kem/frodokem976aes/opt/params.h b/crypto_kem/frodokem976aes/opt/params.h deleted file mode 100644 index b746f1e7..00000000 --- a/crypto_kem/frodokem976aes/opt/params.h +++ /dev/null 
@@ -1,27 +0,0 @@
-#ifndef PARAMS_H
-#define PARAMS_H
-
-#define CRYPTO_SECRETKEYBYTES PQCLEAN_FRODOKEM976AES_OPT_CRYPTO_SECRETKEYBYTES
-#define CRYPTO_PUBLICKEYBYTES PQCLEAN_FRODOKEM976AES_OPT_CRYPTO_PUBLICKEYBYTES
-#define CRYPTO_BYTES PQCLEAN_FRODOKEM976AES_OPT_CRYPTO_BYTES
-#define CRYPTO_CIPHERTEXTBYTES PQCLEAN_FRODOKEM976AES_OPT_CRYPTO_CIPHERTEXTBYTES
-
-#define PARAMS_N 976
-#define PARAMS_NBAR 8
-#define PARAMS_LOGQ 16
-#define PARAMS_Q (1 << PARAMS_LOGQ)
-#define PARAMS_EXTRACTED_BITS 3
-#define PARAMS_STRIPE_STEP 8
-#define PARAMS_PARALLEL 4
-#define BYTES_SEED_A 16
-#define BYTES_MU ((PARAMS_EXTRACTED_BITS * PARAMS_NBAR * PARAMS_NBAR) / 8)
-#define BYTES_PKHASH CRYPTO_BYTES
-
-// Selecting SHAKE XOF function for the KEM and noise sampling
-#define shake shake256
-
-// CDF table
-#define CDF_TABLE_DATA {5638, 15915, 23689, 28571, 31116, 32217, 32613, 32731, 32760, 32766, 32767}
-#define CDF_TABLE_LEN 11
-
-#endif
diff --git a/crypto_kem/frodokem976aes/opt/util.c b/crypto_kem/frodokem976aes/opt/util.c
deleted file mode 100644
index f7e62818..00000000
--- a/crypto_kem/frodokem976aes/opt/util.c
+++ /dev/null
@@ -1,264 +0,0 @@ -/******************************************************************************************** -* FrodoKEM: Learning with Errors Key Encapsulation -* -* Abstract: additional functions for FrodoKEM -*********************************************************************************************/ - -#include -#include - -#include "api.h" -#include "common.h" -#include "params.h" - -static inline uint8_t min(uint8_t x, uint8_t y) { - if (x < y) { - return x; - } - return y; -} - -uint16_t PQCLEAN_FRODOKEM976AES_OPT_LE_TO_UINT16(uint16_t n) { - return (((uint8_t *) &n)[0] | (((uint8_t *) &n)[1] << 8)); -} - -uint16_t PQCLEAN_FRODOKEM976AES_OPT_UINT16_TO_LE(uint16_t n) { - uint16_t y; - uint8_t *z = (uint8_t *) &y; - z[0] = n & 0xFF; - z[1] = (n & 0xFF00) >> 8; - return y; -} - -void PQCLEAN_FRODOKEM976AES_OPT_mul_bs(uint16_t *out, const uint16_t *b, const uint16_t *s) { - // Multiply by s on the right - // Inputs: b (N_BAR x N), s (N x N_BAR) - // Output: out = b*s (N_BAR x N_BAR) - int i, j, k; - - for (i = 0; i < PARAMS_NBAR; i++) { - for (j = 0; j < PARAMS_NBAR; j++) { - out[i * PARAMS_NBAR + j] = 0; - for (k = 0; k < PARAMS_N; k++) { - out[i * PARAMS_NBAR + j] += (uint16_t)(b[i * PARAMS_N + k] * (uint32_t)s[j * PARAMS_N + k]); - } - out[i * PARAMS_NBAR + j] = (uint32_t)(out[i * PARAMS_NBAR + j]) & ((1 << PARAMS_LOGQ) - 1); - } - } -} - - -void PQCLEAN_FRODOKEM976AES_OPT_mul_add_sb_plus_e(uint16_t *out, const uint16_t *b, const uint16_t *s, const uint16_t *e) { - // Multiply by s on the left - // Inputs: b (N x N_BAR), s (N_BAR x N), e (N_BAR x N_BAR) - // Output: out = s*b + e (N_BAR x N_BAR) - int i, j, k; - - for (k = 0; k < PARAMS_NBAR; k++) { - for (i = 0; i < PARAMS_NBAR; i++) { - out[k * PARAMS_NBAR + i] = e[k * PARAMS_NBAR + i]; - for (j = 0; j < PARAMS_N; j++) { - out[k * PARAMS_NBAR + i] += (uint16_t)(s[k * PARAMS_N + j] * (uint32_t)b[j * PARAMS_NBAR + i]); - } - out[k * PARAMS_NBAR + i] = (uint32_t)(out[k * PARAMS_NBAR + i]) & ((1 << 
PARAMS_LOGQ) - 1); - } - } -} - - -void PQCLEAN_FRODOKEM976AES_OPT_add(uint16_t *out, const uint16_t *a, const uint16_t *b) { - // Add a and b - // Inputs: a, b (N_BAR x N_BAR) - // Output: c = a + b - - for (size_t i = 0; i < (PARAMS_NBAR * PARAMS_NBAR); i++) { - out[i] = (a[i] + b[i]) & ((1 << PARAMS_LOGQ) - 1); - } -} - - -void PQCLEAN_FRODOKEM976AES_OPT_sub(uint16_t *out, const uint16_t *a, const uint16_t *b) { - // Subtract a and b - // Inputs: a, b (N_BAR x N_BAR) - // Output: c = a - b - - for (size_t i = 0; i < (PARAMS_NBAR * PARAMS_NBAR); i++) { - out[i] = (a[i] - b[i]) & ((1 << PARAMS_LOGQ) - 1); - } -} - - -void PQCLEAN_FRODOKEM976AES_OPT_key_encode(uint16_t *out, const uint16_t *in) { - // Encoding - unsigned int i, j, npieces_word = 8; - unsigned int nwords = (PARAMS_NBAR * PARAMS_NBAR) / 8; - uint64_t temp, mask = ((uint64_t)1 << PARAMS_EXTRACTED_BITS) - 1; - uint16_t *pos = out; - - for (i = 0; i < nwords; i++) { - temp = 0; - for (j = 0; j < PARAMS_EXTRACTED_BITS; j++) { - temp |= ((uint64_t)((uint8_t *)in)[i * PARAMS_EXTRACTED_BITS + j]) << (8 * j); - } - for (j = 0; j < npieces_word; j++) { - *pos = (uint16_t)((temp & mask) << (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS)); - temp >>= PARAMS_EXTRACTED_BITS; - pos++; - } - } -} - - -void PQCLEAN_FRODOKEM976AES_OPT_key_decode(uint16_t *out, const uint16_t *in) { - // Decoding - unsigned int i, j, index = 0, npieces_word = 8; - unsigned int nwords = (PARAMS_NBAR * PARAMS_NBAR) / 8; - uint16_t temp, maskex = ((uint16_t)1 << PARAMS_EXTRACTED_BITS) - 1, maskq = ((uint16_t)1 << PARAMS_LOGQ) - 1; - uint8_t *pos = (uint8_t *)out; - uint64_t templong; - - for (i = 0; i < nwords; i++) { - templong = 0; - for (j = 0; j < npieces_word; j++) { // temp = floor(in*2^{-11}+0.5) - temp = ((in[index] & maskq) + (1 << (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS - 1))) >> (PARAMS_LOGQ - PARAMS_EXTRACTED_BITS); - templong |= ((uint64_t)(temp & maskex)) << (PARAMS_EXTRACTED_BITS * j); - index++; - } - for (j = 0; j < 
PARAMS_EXTRACTED_BITS; j++) { - pos[i * PARAMS_EXTRACTED_BITS + j] = (templong >> (8 * j)) & 0xFF; - } - } -} - - -void PQCLEAN_FRODOKEM976AES_OPT_pack(uint8_t *out, size_t outlen, const uint16_t *in, size_t inlen, uint8_t lsb) { - // Pack the input uint16 vector into a char output vector, copying lsb bits from each input element. - // If inlen * lsb / 8 > outlen, only outlen * 8 bits are copied. - memset(out, 0, outlen); - - size_t i = 0; // whole bytes already filled in - size_t j = 0; // whole uint16_t already copied - uint16_t w = 0; // the leftover, not yet copied - uint8_t bits = 0; // the number of lsb in w - - while (i < outlen && (j < inlen || ((j == inlen) && (bits > 0)))) { - /* - in: | | |********|********| - ^ - j - w : | ****| - ^ - bits - out:|**|**|**|**|**|**|**|**|* | - ^^ - ib - */ - uint8_t b = 0; // bits in out[i] already filled in - while (b < 8) { - int nbits = min(8 - b, bits); - uint16_t mask = (1 << nbits) - 1; - uint8_t t = (uint8_t) ((w >> (bits - nbits)) & mask); // the bits to copy from w to out - out[i] = out[i] + (t << (8 - b - nbits)); - b += (uint8_t) nbits; - bits -= (uint8_t) nbits; - w &= ~(mask << bits); // not strictly necessary; mostly for debugging - - if (bits == 0) { - if (j < inlen) { - w = in[j]; - bits = lsb; - j++; - } else { - break; // the input vector is exhausted - } - } - } - if (b == 8) { // out[i] is filled in - i++; - } - } -} - - -void PQCLEAN_FRODOKEM976AES_OPT_unpack(uint16_t *out, size_t outlen, const uint8_t *in, size_t inlen, uint8_t lsb) { - // Unpack the input char vector into a uint16_t output vector, copying lsb bits - // for each output element from input. outlen must be at least ceil(inlen * 8 / lsb). 
- memset(out, 0, outlen * sizeof(uint16_t)); - - size_t i = 0; // whole uint16_t already filled in - size_t j = 0; // whole bytes already copied - uint8_t w = 0; // the leftover, not yet copied - uint8_t bits = 0; // the number of lsb bits of w - - while (i < outlen && (j < inlen || ((j == inlen) && (bits > 0)))) { - /* - in: | | | | | | |**|**|... - ^ - j - w : | *| - ^ - bits - out:| *****| *****| *** | |... - ^ ^ - i b - */ - uint8_t b = 0; // bits in out[i] already filled in - while (b < lsb) { - int nbits = min(lsb - b, bits); - uint16_t mask = (1 << nbits) - 1; - uint8_t t = (w >> (bits - nbits)) & mask; // the bits to copy from w to out - out[i] = out[i] + (t << (lsb - b - nbits)); - b += (uint8_t) nbits; - bits -= (uint8_t) nbits; - w &= ~(mask << bits); // not strictly necessary; mostly for debugging - - if (bits == 0) { - if (j < inlen) { - w = in[j]; - bits = 8; - j++; - } else { - break; // the input vector is exhausted - } - } - } - if (b == lsb) { // out[i] is filled in - i++; - } - } -} - - -int8_t PQCLEAN_FRODOKEM976AES_OPT_ct_verify(const uint16_t *a, const uint16_t *b, size_t len) { - // Compare two arrays in constant time. - // Returns 0 if the byte arrays are equal, -1 otherwise. - uint16_t r = 0; - - for (size_t i = 0; i < len; i++) { - r |= a[i] ^ b[i]; - } - - r = (-(int16_t)(r >> 1) | -(int16_t)(r & 1)) >> (8 * sizeof(uint16_t) -1); - return (int8_t)r; -} - - -void PQCLEAN_FRODOKEM976AES_OPT_ct_select(uint8_t *r, const uint8_t *a, const uint8_t *b, size_t len, int8_t selector) { - // Select one of the two input arrays to be moved to r - // If (selector == 0) then load r with a, else if (selector == -1) load r with b - - for (size_t i = 0; i < len; i++) { - r[i] = (~selector & a[i]) | (selector & b[i]); - } -} - - -void PQCLEAN_FRODOKEM976AES_OPT_clear_bytes(uint8_t *mem, size_t n) { - // Clear 8-bit bytes from memory. "n" indicates the number of bytes to be zeroed. 
- // This function uses the volatile type qualifier to inform the compiler not to optimize out the memory clearing.
- volatile uint8_t *v = mem;
-
- for (size_t i = 0; i < n; i++) {
- v[i] = 0;
- }
-}
diff --git a/crypto_kem/hqc-rmrs-128/META.yml b/crypto_kem/hqc-rmrs-128/META.yml
deleted file mode 100644
index 5085ab7a..00000000
--- a/crypto_kem/hqc-rmrs-128/META.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-name: HQC-RMRS-128
-type: kem
-claimed-nist-level: 1
-claimed-security: IND-CCA2
-length-ciphertext: 4481
-length-public-key: 2249
-length-secret-key: 2289
-length-shared-secret: 64
-nistkat-sha256: b9d10eda065c8ff31d40b929ad7f742889544363aa031096850009a882d9d827
-principal-submitters:
- - Carlos Aguilar Melchor
- - Nicolas Aragon
- - Slim Bettaieb
- - Olivier Blazy
- - Jurjen Bos
- - Jean-Christophe Deneuville
- - Philippe Gaborit
- - Edoardo Persichetti
- - Jean-Marc Robert
- - Pascal Véron
- - Gilles Zémor
- - Loïc Bidoux
-implementations:
- - name: clean
- version: hqc-submission_2020-10-01 via https://github.com/jschanck/package-pqclean/tree/c9181076/hqc
- - name: avx2
- version: hqc-submission_2020-10-01 via https://github.com/jschanck/package-pqclean/tree/c9181076/hqc
- supported_platforms:
- - architecture: x86_64
- operating_systems:
- - Linux
- - Darwin
- required_flags:
- - avx2
- - bmi1
- - pclmulqdq
diff --git a/crypto_kem/hqc-rmrs-128/avx2/LICENSE b/crypto_kem/hqc-rmrs-128/avx2/LICENSE
deleted file mode 100644
index d5d21fff..00000000
--- a/crypto_kem/hqc-rmrs-128/avx2/LICENSE
+++ /dev/null
@@ -1 +0,0 @@
-Public Domain
diff --git a/crypto_kem/hqc-rmrs-128/avx2/api.h b/crypto_kem/hqc-rmrs-128/avx2/api.h
deleted file mode 100644
index a29de656..00000000
--- a/crypto_kem/hqc-rmrs-128/avx2/api.h
+++ /dev/null
@@ -1,25 +0,0 @@
-#ifndef PQCLEAN_HQCRMRS128_AVX2_API_H
-#define PQCLEAN_HQCRMRS128_AVX2_API_H
-/**
- * @file api.h
- * @brief NIST KEM API used by the HQC_KEM IND-CCA2 scheme
- */
-
-#define PQCLEAN_HQCRMRS128_AVX2_CRYPTO_ALGNAME "HQC-RMRS-128"
-
-#define PQCLEAN_HQCRMRS128_AVX2_CRYPTO_SECRETKEYBYTES 2289
-#define PQCLEAN_HQCRMRS128_AVX2_CRYPTO_PUBLICKEYBYTES 2249
-#define PQCLEAN_HQCRMRS128_AVX2_CRYPTO_BYTES 64
-#define PQCLEAN_HQCRMRS128_AVX2_CRYPTO_CIPHERTEXTBYTES 4481
-
-// As a technicality, the public key is appended to the secret key in order to respect the NIST API.
-// Without this constraint, PQCLEAN_HQCRMRS128_AVX2_CRYPTO_SECRETKEYBYTES would be defined as 32
-
-int PQCLEAN_HQCRMRS128_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk);
-
-int PQCLEAN_HQCRMRS128_AVX2_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk);
-
-int PQCLEAN_HQCRMRS128_AVX2_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-128/avx2/code.c b/crypto_kem/hqc-rmrs-128/avx2/code.c
deleted file mode 100644
index 5059e0f0..00000000
--- a/crypto_kem/hqc-rmrs-128/avx2/code.c
+++ /dev/null
@@ -1,47 +0,0 @@
-#include "code.h"
-#include "parameters.h"
-#include "reed_muller.h"
-#include "reed_solomon.h"
-#include
-#include
-/**
- * @file code.c
- * @brief Implementation of concatenated code
- */
-
-
-
-/**
- *
- * @brief Encoding the message m to a code word em using the concatenated code
- *
- * First we encode the message using the Reed-Solomon code, then with the duplicated Reed-Muller code we obtain
- * a concatenated code word.
- *
- * @param[out] em Pointer to an array that is the tensor code word
- * @param[in] m Pointer to an array that is the message
- */
-void PQCLEAN_HQCRMRS128_AVX2_code_encode(uint8_t *em, const uint8_t *m) {
- uint8_t tmp[8 * VEC_N1_SIZE_64] = {0};
-
- PQCLEAN_HQCRMRS128_AVX2_reed_solomon_encode(tmp, m);
- PQCLEAN_HQCRMRS128_AVX2_reed_muller_encode(em, tmp);
-
-}
-
-
-
-/**
- * @brief Decoding the code word em to a message m using the concatenated code
- *
- * @param[out] m Pointer to an array that is the message
- * @param[in] em Pointer to an array that is the code word
- */
-void PQCLEAN_HQCRMRS128_AVX2_code_decode(uint8_t *m, const uint8_t *em) {
- uint8_t tmp[8 * VEC_N1_SIZE_64] = {0};
-
- PQCLEAN_HQCRMRS128_AVX2_reed_muller_decode(tmp, em);
- PQCLEAN_HQCRMRS128_AVX2_reed_solomon_decode(m, tmp);
-
-
-}
diff --git a/crypto_kem/hqc-rmrs-128/avx2/code.h b/crypto_kem/hqc-rmrs-128/avx2/code.h
deleted file mode 100644
index 4824298f..00000000
--- a/crypto_kem/hqc-rmrs-128/avx2/code.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef CODE_H
-#define CODE_H
-
-
-/**
- * @file code.h
- * Header file of code.c
- */
-#include "parameters.h"
-#include
-#include
-
-void PQCLEAN_HQCRMRS128_AVX2_code_encode(uint8_t *em, const uint8_t *message);
-
-void PQCLEAN_HQCRMRS128_AVX2_code_decode(uint8_t *m, const uint8_t *em);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-128/avx2/fft.c b/crypto_kem/hqc-rmrs-128/avx2/fft.c
deleted file mode 100644
index 23f2b20b..00000000
--- a/crypto_kem/hqc-rmrs-128/avx2/fft.c
+++ /dev/null
@@ -1,351 +0,0 @@ -#include "fft.h" -#include "gf.h" -#include "parameters.h" -#include -#include -/** - * @file fft.c - * Implementation of the additive FFT and its transpose. - * This implementation is based on the paper from Gao and Mateer:
- * Shuhong Gao and Todd Mateer, Additive Fast Fourier Transforms over Finite Fields, - * IEEE Transactions on Information Theory 56 (2010), 6265--6272. - * http://www.math.clemson.edu/~sgao/papers/GM10.pdf
- * and includes improvements proposed by Bernstein, Chou and Schwabe here: - * https://binary.cr.yp.to/mcbits-20130616.pdf - */ - - -static void compute_fft_betas(uint16_t *betas); -static void compute_subset_sums(uint16_t *subset_sums, const uint16_t *set, uint16_t set_size); -static void radix(uint16_t *f0, uint16_t *f1, const uint16_t *f, uint32_t m_f); -static void radix_big(uint16_t *f0, uint16_t *f1, const uint16_t *f, uint32_t m_f); -static void fft_rec(uint16_t *w, uint16_t *f, size_t f_coeffs, uint8_t m, uint32_t m_f, const uint16_t *betas); - - -/** - * @brief Computes the basis of betas (omitting 1) used in the additive FFT and its transpose - * - * @param[out] betas Array of size PARAM_M-1 - */ -static void compute_fft_betas(uint16_t *betas) { - size_t i; - for (i = 0; i < PARAM_M - 1; ++i) { - betas[i] = 1 << (PARAM_M - 1 - i); - } -} - - - -/** - * @brief Computes the subset sums of the given set - * - * The array subset_sums is such that its ith element is - * the subset sum of the set elements given by the binary form of i. 
- * - * @param[out] subset_sums Array of size 2^set_size receiving the subset sums - * @param[in] set Array of set_size elements - * @param[in] set_size Size of the array set - */ -static void compute_subset_sums(uint16_t *subset_sums, const uint16_t *set, uint16_t set_size) { - uint16_t i, j; - subset_sums[0] = 0; - - for (i = 0; i < set_size; ++i) { - for (j = 0; j < (1 << i); ++j) { - subset_sums[(1 << i) + j] = set[i] ^ subset_sums[j]; - } - } -} - - - -/** - * @brief Computes the radix conversion of a polynomial f in GF(2^m)[x] - * - * Computes f0 and f1 such that f(x) = f0(x^2-x) + x.f1(x^2-x) - * as proposed by Bernstein, Chou and Schwabe: - * https://binary.cr.yp.to/mcbits-20130616.pdf - * - * @param[out] f0 Array half the size of f - * @param[out] f1 Array half the size of f - * @param[in] f Array of size a power of 2 - * @param[in] m_f 2^{m_f} is the smallest power of 2 greater or equal to the number of coefficients of f - */ -static void radix(uint16_t *f0, uint16_t *f1, const uint16_t *f, uint32_t m_f) { - switch (m_f) { - case 4: - f0[4] = f[8] ^ f[12]; - f0[6] = f[12] ^ f[14]; - f0[7] = f[14] ^ f[15]; - f1[5] = f[11] ^ f[13]; - f1[6] = f[13] ^ f[14]; - f1[7] = f[15]; - f0[5] = f[10] ^ f[12] ^ f1[5]; - f1[4] = f[9] ^ f[13] ^ f0[5]; - - f0[0] = f[0]; - f1[3] = f[7] ^ f[11] ^ f[15]; - f0[3] = f[6] ^ f[10] ^ f[14] ^ f1[3]; - f0[2] = f[4] ^ f0[4] ^ f0[3] ^ f1[3]; - f1[1] = f[3] ^ f[5] ^ f[9] ^ f[13] ^ f1[3]; - f1[2] = f[3] ^ f1[1] ^ f0[3]; - f0[1] = f[2] ^ f0[2] ^ f1[1]; - f1[0] = f[1] ^ f0[1]; - break; - - case 3: - f0[0] = f[0]; - f0[2] = f[4] ^ f[6]; - f0[3] = f[6] ^ f[7]; - f1[1] = f[3] ^ f[5] ^ f[7]; - f1[2] = f[5] ^ f[6]; - f1[3] = f[7]; - f0[1] = f[2] ^ f0[2] ^ f1[1]; - f1[0] = f[1] ^ f0[1]; - break; - - case 2: - f0[0] = f[0]; - f0[1] = f[2] ^ f[3]; - f1[0] = f[1] ^ f0[1]; - f1[1] = f[3]; - break; - - case 1: - f0[0] = f[0]; - f1[0] = f[1]; - break; - - default: - radix_big(f0, f1, f, m_f); - break; - } -} - -static void radix_big(uint16_t *f0, 
uint16_t *f1, const uint16_t *f, uint32_t m_f) { - uint16_t Q[2 * (1 << (PARAM_FFT - 2))] = {0}; - uint16_t R[2 * (1 << (PARAM_FFT - 2))] = {0}; - - uint16_t Q0[1 << (PARAM_FFT - 2)] = {0}; - uint16_t Q1[1 << (PARAM_FFT - 2)] = {0}; - uint16_t R0[1 << (PARAM_FFT - 2)] = {0}; - uint16_t R1[1 << (PARAM_FFT - 2)] = {0}; - - size_t i, n; - - n = 1; - n <<= (m_f - 2); - memcpy(Q, f + 3 * n, 2 * n); - memcpy(Q + n, f + 3 * n, 2 * n); - memcpy(R, f, 4 * n); - - for (i = 0; i < n; ++i) { - Q[i] ^= f[2 * n + i]; - R[n + i] ^= Q[i]; - } - - radix(Q0, Q1, Q, m_f - 1); - radix(R0, R1, R, m_f - 1); - - memcpy(f0, R0, 2 * n); - memcpy(f0 + n, Q0, 2 * n); - memcpy(f1, R1, 2 * n); - memcpy(f1 + n, Q1, 2 * n); -} - - - -/** - * @brief Evaluates f at all subset sums of a given set - * - * This function is a subroutine of the function PQCLEAN_HQCRMRS128_AVX2_fft. - * - * @param[out] w Array - * @param[in] f Array - * @param[in] f_coeffs Number of coefficients of f - * @param[in] m Number of betas - * @param[in] m_f Number of coefficients of f (one more than its degree) - * @param[in] betas FFT constants - */ -static void fft_rec(uint16_t *w, uint16_t *f, size_t f_coeffs, uint8_t m, uint32_t m_f, const uint16_t *betas) { - uint16_t f0[1 << (PARAM_FFT - 2)] = {0}; - uint16_t f1[1 << (PARAM_FFT - 2)] = {0}; - uint16_t gammas[PARAM_M - 2] = {0}; - uint16_t deltas[PARAM_M - 2] = {0}; - uint16_t gammas_sums[1 << (PARAM_M - 2)] = {0}; - uint16_t u[1 << (PARAM_M - 2)] = {0}; - uint16_t v[1 << (PARAM_M - 2)] = {0}; - uint16_t tmp[PARAM_M - (PARAM_FFT - 1)] = {0}; - - uint16_t beta_m_pow; - size_t i, j, k; - size_t x; - - // Step 1 - if (m_f == 1) { - for (i = 0; i < m; ++i) { - tmp[i] = PQCLEAN_HQCRMRS128_AVX2_gf_mul(betas[i], f[1]); - } - - w[0] = f[0]; - x = 1; - for (j = 0; j < m; ++j) { - for (k = 0; k < x; ++k) { - w[x + k] = w[k] ^ tmp[j]; - } - x <<= 1; - } - - return; - } - - // Step 2: compute g - if (betas[m - 1] != 1) { - beta_m_pow = 1; - x = 1; - x <<= m_f; - for (i = 1; i < x; 
++i) { - beta_m_pow = PQCLEAN_HQCRMRS128_AVX2_gf_mul(beta_m_pow, betas[m - 1]); - f[i] = PQCLEAN_HQCRMRS128_AVX2_gf_mul(beta_m_pow, f[i]); - } - } - - // Step 3 - radix(f0, f1, f, m_f); - - // Step 4: compute gammas and deltas - for (i = 0; i + 1 < m; ++i) { - gammas[i] = PQCLEAN_HQCRMRS128_AVX2_gf_mul(betas[i], PQCLEAN_HQCRMRS128_AVX2_gf_inverse(betas[m - 1])); - deltas[i] = PQCLEAN_HQCRMRS128_AVX2_gf_square(gammas[i]) ^ gammas[i]; - } - - // Compute gammas sums - compute_subset_sums(gammas_sums, gammas, m - 1); - - // Step 5 - fft_rec(u, f0, (f_coeffs + 1) / 2, m - 1, m_f - 1, deltas); - - k = 1; - k <<= ((m - 1) & 0xf); // &0xf is to let the compiler know that m-1 is small. - if (f_coeffs <= 3) { // 3-coefficient polynomial f case: f1 is constant - w[0] = u[0]; - w[k] = u[0] ^ f1[0]; - for (i = 1; i < k; ++i) { - w[i] = u[i] ^ PQCLEAN_HQCRMRS128_AVX2_gf_mul(gammas_sums[i], f1[0]); - w[k + i] = w[i] ^ f1[0]; - } - } else { - fft_rec(v, f1, f_coeffs / 2, m - 1, m_f - 1, deltas); - - // Step 6 - memcpy(w + k, v, 2 * k); - w[0] = u[0]; - w[k] ^= u[0]; - for (i = 1; i < k; ++i) { - w[i] = u[i] ^ PQCLEAN_HQCRMRS128_AVX2_gf_mul(gammas_sums[i], v[i]); - w[k + i] ^= w[i]; - } - } -} - - - -/** - * @brief Evaluates f on all fields elements using an additive FFT algorithm - * - * f_coeffs is the number of coefficients of f (one less than its degree).
- * The FFT proceeds recursively to evaluate f at all subset sums of a basis B.
- * This implementation is based on the paper from Gao and Mateer:
- * Shuhong Gao and Todd Mateer, Additive Fast Fourier Transforms over Finite Fields, - * IEEE Transactions on Information Theory 56 (2010), 6265--6272. - * http://www.math.clemson.edu/~sgao/papers/GM10.pdf
- * and includes improvements proposed by Bernstein, Chou and Schwabe here: - * https://binary.cr.yp.to/mcbits-20130616.pdf
- * Note that on this first call (as opposed to the recursive calls to fft_rec), gammas are equal to betas, - * meaning the first gammas subset sums are actually the subset sums of betas (except 1).
- * Also note that f is altered during computation (twisted at each level). - * - * @param[out] w Array - * @param[in] f Array of 2^PARAM_FFT elements - * @param[in] f_coeffs Number coefficients of f (i.e. deg(f)+1) - */ -void PQCLEAN_HQCRMRS128_AVX2_fft(uint16_t *w, const uint16_t *f, size_t f_coeffs) { - uint16_t betas[PARAM_M - 1] = {0}; - uint16_t betas_sums[1 << (PARAM_M - 1)] = {0}; - uint16_t f0[1 << (PARAM_FFT - 1)] = {0}; - uint16_t f1[1 << (PARAM_FFT - 1)] = {0}; - uint16_t deltas[PARAM_M - 1] = {0}; - uint16_t u[1 << (PARAM_M - 1)] = {0}; - uint16_t v[1 << (PARAM_M - 1)] = {0}; - - size_t i, k; - - // Follows Gao and Mateer algorithm - compute_fft_betas(betas); - - // Step 1: PARAM_FFT > 1, nothing to do - - // Compute gammas sums - compute_subset_sums(betas_sums, betas, PARAM_M - 1); - - // Step 2: beta_m = 1, nothing to do - - // Step 3 - radix(f0, f1, f, PARAM_FFT); - - // Step 4: Compute deltas - for (i = 0; i < PARAM_M - 1; ++i) { - deltas[i] = PQCLEAN_HQCRMRS128_AVX2_gf_square(betas[i]) ^ betas[i]; - } - - // Step 5 - fft_rec(u, f0, (f_coeffs + 1) / 2, PARAM_M - 1, PARAM_FFT - 1, deltas); - fft_rec(v, f1, f_coeffs / 2, PARAM_M - 1, PARAM_FFT - 1, deltas); - - k = 1 << (PARAM_M - 1); - // Step 6, 7 and error polynomial computation - memcpy(w + k, v, 2 * k); - - // Check if 0 is root - w[0] = u[0]; - - // Check if 1 is root - w[k] ^= u[0]; - - // Find other roots - for (i = 1; i < k; ++i) { - w[i] = u[i] ^ PQCLEAN_HQCRMRS128_AVX2_gf_mul(betas_sums[i], v[i]); - w[k + i] ^= w[i]; - } -} - - - -/** - * @brief Retrieves the error polynomial error from the evaluations w of the ELP (Error Locator Polynomial) on all field elements. 
- * - * @param[out] error Array with the error - * @param[out] error_compact Array with the error in a compact form - * @param[in] w Array of size 2^PARAM_M - */ -void PQCLEAN_HQCRMRS128_AVX2_fft_retrieve_error_poly(uint8_t *error, const uint16_t *w) { - uint16_t gammas[PARAM_M - 1] = {0}; - uint16_t gammas_sums[1 << (PARAM_M - 1)] = {0}; - uint16_t k; - size_t i, index; - - compute_fft_betas(gammas); - compute_subset_sums(gammas_sums, gammas, PARAM_M - 1); - - k = 1 << (PARAM_M - 1); - error[0] ^= 1 ^ ((uint16_t) - w[0] >> 15); - error[0] ^= 1 ^ ((uint16_t) - w[k] >> 15); - - for (i = 1; i < k; ++i) { - index = PARAM_GF_MUL_ORDER - gf_log[gammas_sums[i]]; - error[index] ^= 1 ^ ((uint16_t) - w[i] >> 15); - - index = PARAM_GF_MUL_ORDER - gf_log[gammas_sums[i] ^ 1]; - error[index] ^= 1 ^ ((uint16_t) - w[k + i] >> 15); - } -} diff --git a/crypto_kem/hqc-rmrs-128/avx2/fft.h b/crypto_kem/hqc-rmrs-128/avx2/fft.h deleted file mode 100644 index 129cb0a5..00000000 --- a/crypto_kem/hqc-rmrs-128/avx2/fft.h +++ /dev/null @@ -1,18 +0,0 @@ -#ifndef FFT_H -#define FFT_H - - -/** - * @file fft.h - * Header file of fft.c - */ - -#include -#include - -void PQCLEAN_HQCRMRS128_AVX2_fft(uint16_t *w, const uint16_t *f, size_t f_coeffs); - -void PQCLEAN_HQCRMRS128_AVX2_fft_retrieve_error_poly(uint8_t *error, const uint16_t *w); - - -#endif diff --git a/crypto_kem/hqc-rmrs-128/avx2/gf.c b/crypto_kem/hqc-rmrs-128/avx2/gf.c deleted file mode 100644 index 932da629..00000000 --- a/crypto_kem/hqc-rmrs-128/avx2/gf.c +++ /dev/null 
@@ -1,176 +0,0 @@ -#include "gf.h" -#include "parameters.h" -#include -/** - * @file gf.c - * Galois field implementation with multiplication using the pclmulqdq instruction - */ - - -static uint16_t gf_reduce(uint64_t x, size_t deg_x); - - - -/** - * Reduces polynomial x modulo primitive polynomial GF_POLY. - * @returns x mod GF_POLY - * @param[in] x Polynomial of degree less than 64 - * @param[in] deg_x The degree of polynomial x - */ -static uint16_t gf_reduce(uint64_t x, size_t deg_x) { - uint16_t z1, z2, rmdr, dist; - uint64_t mod; - size_t steps, i, j; - - // Deduce the number of steps of reduction - steps = CEIL_DIVIDE(deg_x - (PARAM_M - 1), PARAM_GF_POLY_M2); - - // Reduce - for (i = 0; i < steps; ++i) { - mod = x >> PARAM_M; - x &= (1 << PARAM_M) - 1; - x ^= mod; - - z1 = 0; - rmdr = PARAM_GF_POLY ^ 1; - for (j = PARAM_GF_POLY_WT - 2; j; --j) { - z2 = __tzcnt_u16(rmdr); - dist = (uint16_t) (z2 - z1); - mod <<= dist; - x ^= mod; - rmdr ^= 1 << z2; - z1 = z2; - } - } - - return x; -} - - - -/** - * Multiplies two elements of GF(2^GF_M). - * @returns the product a*b - * @param[in] a Element of GF(2^GF_M) - * @param[in] b Element of GF(2^GF_M) - */ -uint16_t PQCLEAN_HQCRMRS128_AVX2_gf_mul(uint16_t a, uint16_t b) { - __m128i va = _mm_cvtsi32_si128(a); - __m128i vb = _mm_cvtsi32_si128(b); - __m128i vab = _mm_clmulepi64_si128(va, vb, 0); - uint32_t ab = _mm_cvtsi128_si32(vab); - - return gf_reduce(ab, 2 * (PARAM_M - 1)); -} - - - -/** - * Compute 16 products in GF(2^GF_M). 
- * @returns the product (a0b0,a1b1,...,a15b15) , ai,bi in GF(2^GF_M) - * @param[in] a 256-bit register where a0,..,a15 are stored as 16 bit integers - * @param[in] b 256-bit register where b0,..,b15 are stored as 16 bit integer - * - */ -__m256i PQCLEAN_HQCRMRS128_AVX2_gf_mul_vect(__m256i a, __m256i b) { - __m128i al = _mm256_extractf128_si256(a, 0); - __m128i ah = _mm256_extractf128_si256(a, 1); - __m128i bl = _mm256_extractf128_si256(b, 0); - __m128i bh = _mm256_extractf128_si256(b, 1); - - __m128i abl0 = _mm_clmulepi64_si128(al & CONST128_MASKL, bl & CONST128_MASKL, 0x0); - abl0 &= CONST128_MIDDLEMASKL; - abl0 ^= (_mm_clmulepi64_si128(al & CONST128_MASKH, bl & CONST128_MASKH, 0x0) & CONST128_MIDDLEMASKH); - - __m128i abh0 = _mm_clmulepi64_si128(al & CONST128_MASKL, bl & CONST128_MASKL, 0x11); - abh0 &= CONST128_MIDDLEMASKL; - abh0 ^= (_mm_clmulepi64_si128(al & CONST128_MASKH, bl & CONST128_MASKH, 0x11) & CONST128_MIDDLEMASKH); - - abl0 = _mm_shuffle_epi8(abl0, CONST128_INDEXL); - abl0 ^= _mm_shuffle_epi8(abh0, CONST128_INDEXH); - - __m128i abl1 = _mm_clmulepi64_si128(ah & CONST128_MASKL, bh & CONST128_MASKL, 0x0); - abl1 &= CONST128_MIDDLEMASKL; - abl1 ^= (_mm_clmulepi64_si128(ah & CONST128_MASKH, bh & CONST128_MASKH, 0x0) & CONST128_MIDDLEMASKH); - - __m128i abh1 = _mm_clmulepi64_si128(ah & CONST128_MASKL, bh & CONST128_MASKL, 0x11); - abh1 &= CONST128_MIDDLEMASKL; - abh1 ^= (_mm_clmulepi64_si128(ah & CONST128_MASKH, bh & CONST128_MASKH, 0x11) & CONST128_MIDDLEMASKH); - - abl1 = _mm_shuffle_epi8(abl1, CONST128_INDEXL); - abl1 ^= _mm_shuffle_epi8(abh1, CONST128_INDEXH); - - __m256i ret = _mm256_set_m128i(abl1, abl0); - - __m256i aux = CONST256_MR0; - - for (int32_t i = 0; i < 7; i++) { - ret ^= red[i] & _mm256_cmpeq_epi16((ret & aux), aux); - aux = aux << 1; - } - - ret &= CONST256_LASTMASK; - return ret; -} - - - -/** - * Squares an element of GF(2^GF_M). 
- * @returns a^2 - * @param[in] a Element of GF(2^GF_M) - */ -uint16_t PQCLEAN_HQCRMRS128_AVX2_gf_square(uint16_t a) { - uint32_t b = a; - uint32_t s = b & 1; - for (size_t i = 1; i < PARAM_M; ++i) { - b <<= 1; - s ^= b & (1 << 2 * i); - } - - return gf_reduce(s, 2 * (PARAM_M - 1)); -} - - - -/** - * Computes the inverse of an element of GF(2^8), - * using the addition chain 1 2 3 4 7 11 15 30 60 120 127 254 - * @returns the inverse of a - * @param[in] a Element of GF(2^GF_M) - */ -uint16_t PQCLEAN_HQCRMRS128_AVX2_gf_inverse(uint16_t a) { - uint16_t inv = a; - uint16_t tmp1, tmp2; - - inv = PQCLEAN_HQCRMRS128_AVX2_gf_square(a); /* a^2 */ - tmp1 = PQCLEAN_HQCRMRS128_AVX2_gf_mul(inv, a); /* a^3 */ - inv = PQCLEAN_HQCRMRS128_AVX2_gf_square(inv); /* a^4 */ - tmp2 = PQCLEAN_HQCRMRS128_AVX2_gf_mul(inv, tmp1); /* a^7 */ - tmp1 = PQCLEAN_HQCRMRS128_AVX2_gf_mul(inv, tmp2); /* a^11 */ - inv = PQCLEAN_HQCRMRS128_AVX2_gf_mul(tmp1, inv); /* a^15 */ - inv = PQCLEAN_HQCRMRS128_AVX2_gf_square(inv); /* a^30 */ - inv = PQCLEAN_HQCRMRS128_AVX2_gf_square(inv); /* a^60 */ - inv = PQCLEAN_HQCRMRS128_AVX2_gf_square(inv); /* a^120 */ - inv = PQCLEAN_HQCRMRS128_AVX2_gf_mul(inv, tmp2); /* a^127 */ - inv = PQCLEAN_HQCRMRS128_AVX2_gf_square(inv); /* a^254 */ - return inv; -} - - - -/** - * Returns i modulo 2^GF_M-1. - * i must be less than 2*(2^GF_M-1). - * Therefore, the return value is either i or i-2^GF_M+1. - * @returns i mod (2^GF_M-1) - * @param[in] i The integer whose modulo is taken - */ -uint16_t PQCLEAN_HQCRMRS128_AVX2_gf_mod(uint16_t i) { - uint16_t tmp = (uint16_t) (i - PARAM_GF_MUL_ORDER); - - // mask = 0xffff if (i < GF_MUL_ORDER) - uint16_t mask = -(tmp >> 15); - - return tmp + (mask & PARAM_GF_MUL_ORDER); -} diff --git a/crypto_kem/hqc-rmrs-128/avx2/gf.h b/crypto_kem/hqc-rmrs-128/avx2/gf.h deleted file mode 100644 index 6a568a48..00000000 --- a/crypto_kem/hqc-rmrs-128/avx2/gf.h +++ /dev/null 
@@ -1,69 +0,0 @@ -#ifndef GF_H -#define GF_H - - -/** - * @file gf.h - * Header file of gf.c - */ - -#include -#include -#include - -#define _mm256_set_m128i(v0, v1) _mm256_insertf128_si256(_mm256_castsi128_si256(v1), (v0), 1) - -/** - * Powers of the root alpha of 1 + x^2 + x^3 + x^4 + x^8. - * The last two elements are needed by the PQCLEAN_HQCRMRS128_AVX2_gf_mul function - * (for example if both elements to multiply are zero). - */ -static const uint16_t gf_exp[258] = { 1, 2, 4, 8, 16, 32, 64, 128, 29, 58, 116, 232, 205, 135, 19, 38, 76, 152, 45, 90, 180, 117, 234, 201, 143, 3, 6, 12, 24, 48, 96, 192, 157, 39, 78, 156, 37, 74, 148, 53, 106, 212, 181, 119, 238, 193, 159, 35, 70, 140, 5, 10, 20, 40, 80, 160, 93, 186, 105, 210, 185, 111, 222, 161, 95, 190, 97, 194, 153, 47, 94, 188, 101, 202, 137, 15, 30, 60, 120, 240, 253, 231, 211, 187, 107, 214, 177, 127, 254, 225, 223, 163, 91, 182, 113, 226, 217, 175, 67, 134, 17, 34, 68, 136, 13, 26, 52, 104, 208, 189, 103, 206, 129, 31, 62, 124, 248, 237, 199, 147, 59, 118, 236, 197, 151, 51, 102, 204, 133, 23, 46, 92, 184, 109, 218, 169, 79, 158, 33, 66, 132, 21, 42, 84, 168, 77, 154, 41, 82, 164, 85, 170, 73, 146, 57, 114, 228, 213, 183, 115, 230, 209, 191, 99, 198, 145, 63, 126, 252, 229, 215, 179, 123, 246, 241, 255, 227, 219, 171, 75, 150, 49, 98, 196, 149, 55, 110, 220, 165, 87, 174, 65, 130, 25, 50, 100, 200, 141, 7, 14, 28, 56, 112, 224, 221, 167, 83, 166, 81, 162, 89, 178, 121, 242, 249, 239, 195, 155, 43, 86, 172, 69, 138, 9, 18, 36, 72, 144, 61, 122, 244, 245, 247, 243, 251, 235, 203, 139, 11, 22, 44, 88, 176, 125, 250, 233, 207, 131, 27, 54, 108, 216, 173, 71, 142, 1, 2, 4 }; - - - -/** - * Logarithm of elements of GF(2^8) to the base alpha (root of 1 + x^2 + x^3 + x^4 + x^8). - * The logarithm of 0 is set to 0 by convention. 
- */ -static const uint16_t gf_log[256] = { 0, 0, 1, 25, 2, 50, 26, 198, 3, 223, 51, 238, 27, 104, 199, 75, 4, 100, 224, 14, 52, 141, 239, 129, 28, 193, 105, 248, 200, 8, 76, 113, 5, 138, 101, 47, 225, 36, 15, 33, 53, 147, 142, 218, 240, 18, 130, 69, 29, 181, 194, 125, 106, 39, 249, 185, 201, 154, 9, 120, 77, 228, 114, 166, 6, 191, 139, 98, 102, 221, 48, 253, 226, 152, 37, 179, 16, 145, 34, 136, 54, 208, 148, 206, 143, 150, 219, 189, 241, 210, 19, 92, 131, 56, 70, 64, 30, 66, 182, 163, 195, 72, 126, 110, 107, 58, 40, 84, 250, 133, 186, 61, 202, 94, 155, 159, 10, 21, 121, 43, 78, 212, 229, 172, 115, 243, 167, 87, 7, 112, 192, 247, 140, 128, 99, 13, 103, 74, 222, 237, 49, 197, 254, 24, 227, 165, 153, 119, 38, 184, 180, 124, 17, 68, 146, 217, 35, 32, 137, 46, 55, 63, 209, 91, 149, 188, 207, 205, 144, 135, 151, 178, 220, 252, 190, 97, 242, 86, 211, 171, 20, 42, 93, 158, 132, 60, 57, 83, 71, 109, 65, 162, 31, 45, 67, 216, 183, 123, 164, 118, 196, 23, 73, 236, 127, 12, 111, 246, 108, 161, 59, 82, 41, 157, 85, 170, 251, 96, 134, 177, 187, 204, 62, 90, 203, 89, 95, 176, 156, 169, 160, 81, 11, 245, 22, 235, 122, 117, 44, 215, 79, 174, 213, 233, 230, 231, 173, 232, 116, 214, 244, 234, 168, 80, 88, 175 }; - -/** - * Masks needed for the computation of 16 mult in GF(2^M) - */ -#define CONST256_MR0 _mm256_set1_epi64x((long long) 0x0100010001000100) -#define CONST256_LASTMASK _mm256_set1_epi64x((long long) 0x00ff00ff00ff00ff) -#define CONST128_MASKL _mm_set1_epi64x((long long) 0x0000ffff0000ffff) -#define CONST128_MASKH _mm_set1_epi64x((long long) 0xffff0000ffff0000) -#define CONST128_MIDDLEMASKL _mm_set1_epi64x((long long) 0x000000000000ffff) -#define CONST128_MIDDLEMASKH _mm_set1_epi64x((long long) 0x0000ffff00000000) -#define CONST128_INDEXH _mm_set_epi64x((long long) 0x0d0c090805040100, (long long) 0xffffffffffffffff) -#define CONST128_INDEXL _mm_set_epi64x((long long) 0xffffffffffffffff, (long long) 0x0d0c090805040100) - -/** - * x^i modulo x^8+x^4+x^3+x^2+1 duplicate 4 
times to fit a 256-bit register - */ -static const __m256i red[7] = { - {0x001d001d001d001dUL, 0x001d001d001d001dUL, 0x001d001d001d001dUL, 0x001d001d001d001dUL}, - {0x003a003a003a003aUL, 0x003a003a003a003aUL, 0x003a003a003a003aUL, 0x003a003a003a003aUL}, - {0x0074007400740074UL, 0x0074007400740074UL, 0x0074007400740074UL, 0x0074007400740074UL}, - {0x00e800e800e800e8UL, 0x00e800e800e800e8UL, 0x00e800e800e800e8UL, 0x00e800e800e800e8UL}, - {0x00cd00cd00cd00cdUL, 0x00cd00cd00cd00cdUL, 0x00cd00cd00cd00cdUL, 0x00cd00cd00cd00cdUL}, - {0x0087008700870087UL, 0x0087008700870087UL, 0x0087008700870087UL, 0x0087008700870087UL}, - {0x0013001300130013UL, 0x0013001300130013UL, 0x0013001300130013UL, 0x0013001300130013UL}, - -}; - - -uint16_t PQCLEAN_HQCRMRS128_AVX2_gf_mul(uint16_t a, uint16_t b); - -__m256i PQCLEAN_HQCRMRS128_AVX2_gf_mul_vect(__m256i a, __m256i b); - -uint16_t PQCLEAN_HQCRMRS128_AVX2_gf_square(uint16_t a); - -uint16_t PQCLEAN_HQCRMRS128_AVX2_gf_inverse(uint16_t a); - -uint16_t PQCLEAN_HQCRMRS128_AVX2_gf_mod(uint16_t i); - - -#endif diff --git a/crypto_kem/hqc-rmrs-128/avx2/gf2x.c b/crypto_kem/hqc-rmrs-128/avx2/gf2x.c deleted file mode 100644 index 74dd0b8b..00000000 --- a/crypto_kem/hqc-rmrs-128/avx2/gf2x.c +++ /dev/null 
@@ -1,369 +0,0 @@ -#include "gf2x.h" -#include "parameters.h" -#include -#include -#include -#include -/** - * \file gf2x.c - * \brief AVX2 implementation of multiplication of two polynomials - */ - - - -#define VEC_N_SPLIT_3x3 CEIL_DIVIDE(CEIL_DIVIDE(PARAM_N, 9), 256) -#define VEC_N_SPLIT_3 (3*VEC_N_SPLIT_3x3) - -static inline void reduce(uint64_t *o, const __m256i *a); -static inline void karat_mult_1(__m128i *C, const __m128i *A, const __m128i *B); -static inline void karat_mult_2(__m256i *C, const __m256i *A, const __m256i *B); -static inline void karat_mult_4(__m256i *C, const __m256i *A, const __m256i *B); -static inline void karat_mult_8(__m256i *C, const __m256i *A, const __m256i *B); -static inline void karat_three_way_mult(__m256i *C, const __m256i *A, const __m256i *B); -static inline void karat_mult9(__m256i *C, const aligned_vec_t *A, const aligned_vec_t *B); - - -/** - * @brief Compute o(x) = a(x) mod \f$ X^n - 1\f$ - * - * This function computes the modular reduction of the polynomial a(x) - * - * @param[out] o Pointer to the result - * @param[in] a Pointer to the polynomial a(x) - */ -static inline void reduce(uint64_t *o, const __m256i *a256) { - size_t i, i2; - __m256i r256, carry256; - __m256i *o256 = (__m256i *)o; - const uint64_t *a64 = (const uint64_t *)a256; - uint64_t r, carry; - - i2 = 0; - for (i = (PARAM_N >> 6); i < (PARAM_N >> 5) - 4; i += 4) { - r256 = _mm256_lddqu_si256((const __m256i *) (& a64[i])); - r256 = _mm256_srli_epi64(r256, PARAM_N & 63); - carry256 = _mm256_lddqu_si256((const __m256i *) (& a64[i + 1])); - carry256 = _mm256_slli_epi64(carry256, (-PARAM_N) & 63); - r256 ^= carry256; - _mm256_storeu_si256(&o256[i2], a256[i2] ^ r256); - i2 += 1; - } - - i = i - (PARAM_N >> 6); - for (; i < (PARAM_N >> 6) + 1; i++) { - r = a64[i + (PARAM_N >> 6)] >> (PARAM_N & 63); - carry = a64[i + (PARAM_N >> 6) + 1] << ((-PARAM_N) & 63); - r ^= carry; - o[i] = a64[i] ^ r; - } - - o[PARAM_N >> 6] &= RED_MASK; -} - - - -/** - * @brief Compute 
C(x) = A(x)*B(x) - * A(x) and B(x) are stored in 128-bit registers - * This function computes A(x)*B(x) using Karatsuba - * - * @param[out] C Pointer to the result - * @param[in] A Pointer to the polynomial A(x) - * @param[in] B Pointer to the polynomial B(x) - */ -static inline void karat_mult_1(__m128i *C, const __m128i *A, const __m128i *B) { - __m128i D1[2]; - __m128i D0[2], D2[2]; - __m128i Al = _mm_loadu_si128(A); - __m128i Ah = _mm_loadu_si128(A + 1); - __m128i Bl = _mm_loadu_si128(B); - __m128i Bh = _mm_loadu_si128(B + 1); - - // Compute Al.Bl=D0 - __m128i DD0 = _mm_clmulepi64_si128(Al, Bl, 0); - __m128i DD2 = _mm_clmulepi64_si128(Al, Bl, 0x11); - __m128i AAlpAAh = _mm_xor_si128(Al, _mm_shuffle_epi32(Al, 0x4e)); - __m128i BBlpBBh = _mm_xor_si128(Bl, _mm_shuffle_epi32(Bl, 0x4e)); - __m128i DD1 = _mm_xor_si128(_mm_xor_si128(DD0, DD2), _mm_clmulepi64_si128(AAlpAAh, BBlpBBh, 0)); - D0[0] = _mm_xor_si128(DD0, _mm_unpacklo_epi64(_mm_setzero_si128(), DD1)); - D0[1] = _mm_xor_si128(DD2, _mm_unpackhi_epi64(DD1, _mm_setzero_si128())); - - // Compute Ah.Bh=D2 - DD0 = _mm_clmulepi64_si128(Ah, Bh, 0); - DD2 = _mm_clmulepi64_si128(Ah, Bh, 0x11); - AAlpAAh = _mm_xor_si128(Ah, _mm_shuffle_epi32(Ah, 0x4e)); - BBlpBBh = _mm_xor_si128(Bh, _mm_shuffle_epi32(Bh, 0x4e)); - DD1 = _mm_xor_si128(_mm_xor_si128(DD0, DD2), _mm_clmulepi64_si128(AAlpAAh, BBlpBBh, 0)); - D2[0] = _mm_xor_si128(DD0, _mm_unpacklo_epi64(_mm_setzero_si128(), DD1)); - D2[1] = _mm_xor_si128(DD2, _mm_unpackhi_epi64(DD1, _mm_setzero_si128())); - - // Compute AlpAh.BlpBh=D1 - // Initialisation of AlpAh and BlpBh - __m128i AlpAh = _mm_xor_si128(Al, Ah); - __m128i BlpBh = _mm_xor_si128(Bl, Bh); - DD0 = _mm_clmulepi64_si128(AlpAh, BlpBh, 0); - DD2 = _mm_clmulepi64_si128(AlpAh, BlpBh, 0x11); - AAlpAAh = _mm_xor_si128(AlpAh, _mm_shuffle_epi32(AlpAh, 0x4e)); - BBlpBBh = _mm_xor_si128(BlpBh, _mm_shuffle_epi32(BlpBh, 0x4e)); - DD1 = _mm_xor_si128(_mm_xor_si128(DD0, DD2), _mm_clmulepi64_si128(AAlpAAh, BBlpBBh, 0)); - D1[0] 
= _mm_xor_si128(DD0, _mm_unpacklo_epi64(_mm_setzero_si128(), DD1)); - D1[1] = _mm_xor_si128(DD2, _mm_unpackhi_epi64(DD1, _mm_setzero_si128())); - - // Final comutation of C - __m128i middle = _mm_xor_si128(D0[1], D2[0]); - C[0] = D0[0]; - C[1] = middle ^ D0[0] ^ D1[0]; - C[2] = middle ^ D1[1] ^ D2[1]; - C[3] = D2[1]; -} - - - -/** - * @brief Compute C(x) = A(x)*B(x) - * - * This function computes A(x)*B(x) using Karatsuba - * A(x) and B(x) are stored in 256-bit registers - * @param[out] C Pointer to the result - * @param[in] A Pointer to the polynomial A(x) - * @param[in] B Pointer to the polynomial B(x) - */ -static inline void karat_mult_2(__m256i *C, const __m256i *A, const __m256i *B) { - __m256i D0[2], D1[2], D2[2], SAA, SBB; - const __m128i *A128 = (const __m128i *)A; - const __m128i *B128 = (const __m128i *)B; - __m256i middle; - - karat_mult_1((__m128i *) D0, A128, B128); - karat_mult_1((__m128i *) D2, A128 + 2, B128 + 2); - - SAA = _mm256_xor_si256(A[0], A[1]); - SBB = _mm256_xor_si256(B[0], B[1]); - - karat_mult_1((__m128i *) D1, (__m128i *) &SAA, (__m128i *) &SBB); - middle = _mm256_xor_si256(D0[1], D2[0]); - - C[0] = D0[0]; - C[1] = middle ^ D0[0] ^ D1[0]; - C[2] = middle ^ D1[1] ^ D2[1]; - C[3] = D2[1]; -} - - - -/** - * @brief Compute C(x) = A(x)*B(x) - * - * This function computes A(x)*B(x) using Karatsuba - * A(x) and B(x) are stored in 256-bit registers - * @param[out] C Pointer to the result - * @param[in] A Pointer to the polynomial A(x) - * @param[in] B Pointer to the polynomial B(x) - */ -static inline void karat_mult_4(__m256i *C, const __m256i *A, const __m256i *B) { - __m256i D0[4], D1[4], D2[4], SAA[2], SBB[2]; - __m256i middle0; - __m256i middle1; - - karat_mult_2(D0, A, B); - karat_mult_2(D2, A + 2, B + 2); - - SAA[0] = A[0] ^ A[2]; - SBB[0] = B[0] ^ B[2]; - SAA[1] = A[1] ^ A[3]; - SBB[1] = B[1] ^ B[3]; - - karat_mult_2( D1, SAA, SBB); - - middle0 = _mm256_xor_si256(D0[2], D2[0]); - middle1 = _mm256_xor_si256(D0[3], D2[1]); - - C[0] = 
D0[0]; - C[1] = D0[1]; - C[2] = middle0 ^ D0[0] ^ D1[0]; - C[3] = middle1 ^ D0[1] ^ D1[1]; - C[4] = middle0 ^ D1[2] ^ D2[2]; - C[5] = middle1 ^ D1[3] ^ D2[3]; - C[6] = D2[2]; - C[7] = D2[3]; -} - - - -/** - * @brief Compute C(x) = A(x)*B(x) - * - * This function computes A(x)*B(x) using Karatsuba - * A(x) and B(x) are stored in 256-bit registers - * @param[out] C Pointer to the result - * @param[in] A Pointer to the polynomial A(x) - * @param[in] B Pointer to the polynomial B(x) - */ -static inline void karat_mult_8(__m256i *C, const __m256i *A, const __m256i *B) { - size_t i, is, is2, is3; - __m256i D0[8], D1[8], D2[8], SAA[4], SBB[4]; - __m256i middle; - - karat_mult_4(D0, A, B); - karat_mult_4(D2, A + 4, B + 4); - - for (i = 0; i < 4; i++) { - is = i + 4; - SAA[i] = A[i] ^ A[is]; - SBB[i] = B[i] ^ B[is]; - } - - karat_mult_4(D1, SAA, SBB); - - for (i = 0; i < 4; i++) { - is = i + 4; - is2 = is + 4; - is3 = is2 + 4; - - middle = _mm256_xor_si256(D0[is], D2[i]); - - C[i] = D0[i]; - C[is] = middle ^ D0[i] ^ D1[i]; - C[is2] = middle ^ D1[is] ^ D2[is]; - C[is3] = D2[is]; - } -} - - - -/** - * @brief Compute C(x) = A(x)*B(x) - * - * This function computes A(x)*B(x) using Karatsuba 3 part split - * A(x) and B(x) are stored in 256-bit registers - * @param[out] C Pointer to the result - * @param[in] A Pointer to the polynomial A(x) - * @param[in] B Pointer to the polynomial B(x) - */ -static inline void karat_three_way_mult(__m256i *C, const __m256i *A, const __m256i *B) { - size_t i, j; - const __m256i *a0, *b0, *a1, *b1, *a2, *b2; - __m256i aa01[VEC_N_SPLIT_3x3], bb01[VEC_N_SPLIT_3x3], aa02[VEC_N_SPLIT_3x3], bb02[VEC_N_SPLIT_3x3], aa12[VEC_N_SPLIT_3x3], bb12[VEC_N_SPLIT_3x3]; - __m256i D0[2 * VEC_N_SPLIT_3x3], D1[2 * VEC_N_SPLIT_3x3], D2[2 * VEC_N_SPLIT_3x3], D3[2 * VEC_N_SPLIT_3x3], D4[2 * VEC_N_SPLIT_3x3], D5[2 * VEC_N_SPLIT_3x3]; - __m256i ro256[6 * VEC_N_SPLIT_3x3]; - __m256i middle0; - - a0 = A; - a1 = A + VEC_N_SPLIT_3x3; - a2 = A + (VEC_N_SPLIT_3x3 << 1); - - b0 
= B; - b1 = B + VEC_N_SPLIT_3x3; - b2 = B + (VEC_N_SPLIT_3x3 << 1); - - for (i = 0; i < VEC_N_SPLIT_3x3; i++) { - aa01[i] = a0[i] ^ a1[i]; - bb01[i] = b0[i] ^ b1[i]; - - aa12[i] = a2[i] ^ a1[i]; - bb12[i] = b2[i] ^ b1[i]; - - aa02[i] = a0[i] ^ a2[i]; - bb02[i] = b0[i] ^ b2[i]; - } - - karat_mult_8(D0, a0, b0); - karat_mult_8(D1, a1, b1); - karat_mult_8(D2, a2, b2); - - karat_mult_8(D3, aa01, bb01); - karat_mult_8(D4, aa02, bb02); - karat_mult_8(D5, aa12, bb12); - - for (i = 0; i < VEC_N_SPLIT_3x3; i++) { - j = i + VEC_N_SPLIT_3x3; - middle0 = D0[i] ^ D1[i] ^ D0[j]; - ro256[i] = D0[i]; - ro256[j] = D3[i] ^ middle0; - ro256[j + VEC_N_SPLIT_3x3] = D4[i] ^ D2[i] ^ D3[j] ^ D1[j] ^ middle0; - middle0 = D1[j] ^ D2[i] ^ D2[j]; - ro256[j + (VEC_N_SPLIT_3x3 << 1)] = D5[i] ^ D4[j] ^ D0[j] ^ D1[i] ^ middle0; - ro256[i + (VEC_N_SPLIT_3x3 << 2)] = D5[j] ^ middle0; - ro256[j + (VEC_N_SPLIT_3x3 << 2)] = D2[j]; - } - - for (i = 0; i < 2 * VEC_N_SPLIT_3; i++) { - C[i] = ro256[i]; - } -} - - - -/** - * @brief Compute C(x) = A(x)*B(x) - * - * This function computes A(x)*B(x) using Karatsuba 3 part split - * A(x) and B(x) are stored in 256-bit registers - * @param[out] C Pointer to the result - * @param[in] A Pointer to the polynomial A(x) - * @param[in] B Pointer to the polynomial B(x) - */ -static inline void karat_mult9(__m256i *C, const aligned_vec_t *A, const aligned_vec_t *B) { - size_t i, j; - const __m256i *a0, *b0, *a1, *b1, *a2, *b2; - __m256i aa01[VEC_N_SPLIT_3], bb01[VEC_N_SPLIT_3], aa02[VEC_N_SPLIT_3], bb02[VEC_N_SPLIT_3], aa12[VEC_N_SPLIT_3], bb12[VEC_N_SPLIT_3]; - __m256i D0[2 * VEC_N_SPLIT_3], D1[2 * VEC_N_SPLIT_3], D2[2 * VEC_N_SPLIT_3], D3[2 * VEC_N_SPLIT_3], D4[2 * VEC_N_SPLIT_3], D5[2 * VEC_N_SPLIT_3]; - __m256i middle0; - - a0 = (__m256i *)(A->arr64); - a1 = a0 + VEC_N_SPLIT_3; - a2 = a0 + (2 * VEC_N_SPLIT_3); - - b0 = (__m256i *)(B->arr64); - b1 = b0 + VEC_N_SPLIT_3; - b2 = b0 + (2 * VEC_N_SPLIT_3); - - for (i = 0; i < VEC_N_SPLIT_3; i++) { - aa01[i] = a0[i] ^ 
a1[i]; - bb01[i] = b0[i] ^ b1[i]; - - aa12[i] = a2[i] ^ a1[i]; - bb12[i] = b2[i] ^ b1[i]; - - aa02[i] = a0[i] ^ a2[i]; - bb02[i] = b0[i] ^ b2[i]; - } - - karat_three_way_mult(D0, a0, b0); - karat_three_way_mult(D1, a1, b1); - karat_three_way_mult(D2, a2, b2); - - karat_three_way_mult(D3, aa01, bb01); - karat_three_way_mult(D4, aa02, bb02); - karat_three_way_mult(D5, aa12, bb12); - - for (i = 0; i < VEC_N_SPLIT_3; i++) { - j = i + VEC_N_SPLIT_3; - middle0 = D0[i] ^ D1[i] ^ D0[j]; - C[i] = D0[i]; - C[j] = D3[i] ^ middle0; - C[j + VEC_N_SPLIT_3] = D4[i] ^ D2[i] ^ D3[j] ^ D1[j] ^ middle0; - middle0 = D1[j] ^ D2[i] ^ D2[j]; - C[j + (VEC_N_SPLIT_3 << 1)] = D5[i] ^ D4[j] ^ D0[j] ^ D1[i] ^ middle0; - C[i + (VEC_N_SPLIT_3 << 2)] = D5[j] ^ middle0; - C[j + (VEC_N_SPLIT_3 << 2)] = D2[j]; - } -} - - - -/** - * @brief Multiply two polynomials modulo \f$ X^n - 1\f$. - * - * This functions multiplies a dense polynomial a1 (of Hamming weight equal to weight) - * and a dense polynomial a2. The multiplication is done modulo \f$ X^n - 1\f$. - * - * @param[out] o Pointer to the result - * @param[in] a1 Pointer to a polynomial - * @param[in] a2 Pointer to a polynomial - */ -void PQCLEAN_HQCRMRS128_AVX2_vect_mul(uint64_t *o, const aligned_vec_t *a1, const aligned_vec_t *a2) { - __m256i a1_times_a2[2 * PARAM_N_MULT + 1] = {0}; - karat_mult9(a1_times_a2, a1, a2); - reduce(o, a1_times_a2); -} diff --git a/crypto_kem/hqc-rmrs-128/avx2/gf2x.h b/crypto_kem/hqc-rmrs-128/avx2/gf2x.h deleted file mode 100644 index c1c5fd2d..00000000 --- a/crypto_kem/hqc-rmrs-128/avx2/gf2x.h +++ /dev/null @@ -1,21 +0,0 @@ -#ifndef GF2X_H -#define GF2X_H - - -/** - * @file gf2x.h - * @brief Header file for gf2x.c - */ -#include "parameters.h" -#include -#include - -typedef union { - uint64_t arr64[VEC_N_256_SIZE_64]; - __m256i dummy; -} aligned_vec_t; - -void PQCLEAN_HQCRMRS128_AVX2_vect_mul(uint64_t *o, const aligned_vec_t *a1, const aligned_vec_t *a2); - - -#endif 
diff --git a/crypto_kem/hqc-rmrs-128/avx2/hqc.c b/crypto_kem/hqc-rmrs-128/avx2/hqc.c
deleted file mode 100644
index 66af36a3..00000000
--- a/crypto_kem/hqc-rmrs-128/avx2/hqc.c
+++ /dev/null
@@ -1,168 +0,0 @@ -#include "code.h" -#include "gf2x.h" -#include "hqc.h" -#include "nistseedexpander.h" -#include "parameters.h" -#include "parsing.h" -#include "randombytes.h" -#include "vector.h" -#include -#include -#include -/** - * @file hqc.c - * @brief Implementation of hqc.h - */ - - - -/** - * @brief Keygen of the HQC_PKE IND_CPA scheme - * - * The public key is composed of the syndrome s as well as the seed used to generate the vector h. - * - * The secret key is composed of the seed used to generate vectors x and y. - * As a technicality, the public key is appended to the secret key in order to respect NIST API. - * - * @param[out] pk String containing the public key - * @param[out] sk String containing the secret key - */ -void PQCLEAN_HQCRMRS128_AVX2_hqc_pke_keygen(unsigned char *pk, unsigned char *sk) { - AES_XOF_struct sk_seedexpander; - AES_XOF_struct pk_seedexpander; - uint8_t sk_seed[SEED_BYTES] = {0}; - uint8_t pk_seed[SEED_BYTES] = {0}; - aligned_vec_t vx = {0}; - uint64_t *x = vx.arr64; - aligned_vec_t vy = {0}; - uint64_t *y = vy.arr64; - aligned_vec_t vh = {0}; - uint64_t *h = vh.arr64; - aligned_vec_t vs = {0}; - uint64_t *s = vs.arr64; - aligned_vec_t vtmp = {0}; - uint64_t *tmp = vtmp.arr64; - - // Create seed_expanders for public key and secret key - randombytes(sk_seed, SEED_BYTES); - seedexpander_init(&sk_seedexpander, sk_seed, sk_seed + 32, SEEDEXPANDER_MAX_LENGTH); - - randombytes(pk_seed, SEED_BYTES); - seedexpander_init(&pk_seedexpander, pk_seed, pk_seed + 32, SEEDEXPANDER_MAX_LENGTH); - - // Compute secret key - PQCLEAN_HQCRMRS128_AVX2_vect_set_random_fixed_weight(&sk_seedexpander, x, PARAM_OMEGA); - PQCLEAN_HQCRMRS128_AVX2_vect_set_random_fixed_weight(&sk_seedexpander, y, PARAM_OMEGA); - - // Compute public key - PQCLEAN_HQCRMRS128_AVX2_vect_set_random(&pk_seedexpander, h); - PQCLEAN_HQCRMRS128_AVX2_vect_mul(tmp, &vy, &vh); - PQCLEAN_HQCRMRS128_AVX2_vect_add(s, x, tmp, VEC_N_256_SIZE_64); - - // Parse keys to string - 
PQCLEAN_HQCRMRS128_AVX2_hqc_public_key_to_string(pk, pk_seed, s); - PQCLEAN_HQCRMRS128_AVX2_hqc_secret_key_to_string(sk, sk_seed, pk); - -} - - - -/** - * @brief Encryption of the HQC_PKE IND_CPA scheme - * - * The cihertext is composed of vectors u and v. - * - * @param[out] u Vector u (first part of the ciphertext) - * @param[out] v Vector v (second part of the ciphertext) - * @param[in] m Vector representing the message to encrypt - * @param[in] theta Seed used to derive randomness required for encryption - * @param[in] pk String containing the public key - */ -void PQCLEAN_HQCRMRS128_AVX2_hqc_pke_encrypt(uint64_t *u, uint64_t *v, uint8_t *m, unsigned char *theta, const unsigned char *pk) { - AES_XOF_struct seedexpander; - aligned_vec_t vh = {0}; - uint64_t *h = vh.arr64; - aligned_vec_t vs = {0}; - uint64_t *s = vs.arr64; - aligned_vec_t vr1 = {0}; - uint64_t *r1 = vr1.arr64; - aligned_vec_t vr2 = {0}; - uint64_t *r2 = vr2.arr64; - aligned_vec_t ve = {0}; - uint64_t *e = ve.arr64; - aligned_vec_t vtmp1 = {0}; - uint64_t *tmp1 = vtmp1.arr64; - aligned_vec_t vtmp2 = {0}; - uint64_t *tmp2 = vtmp2.arr64; - aligned_vec_t vtmp3 = {0}; - uint64_t *tmp3 = vtmp3.arr64; - - // Create seed_expander from theta - seedexpander_init(&seedexpander, theta, theta + 32, SEEDEXPANDER_MAX_LENGTH); - - // Retrieve h and s from public key - PQCLEAN_HQCRMRS128_AVX2_hqc_public_key_from_string(h, s, pk); - - // Generate r1, r2 and e - PQCLEAN_HQCRMRS128_AVX2_vect_set_random_fixed_weight(&seedexpander, r1, PARAM_OMEGA_R); - PQCLEAN_HQCRMRS128_AVX2_vect_set_random_fixed_weight(&seedexpander, r2, PARAM_OMEGA_R); - PQCLEAN_HQCRMRS128_AVX2_vect_set_random_fixed_weight(&seedexpander, e, PARAM_OMEGA_E); - - - - // Compute u = r1 + r2.h - PQCLEAN_HQCRMRS128_AVX2_vect_mul(tmp1, &vr2, &vh); - PQCLEAN_HQCRMRS128_AVX2_vect_add(u, r1, tmp1, VEC_N_256_SIZE_64); - - // Compute v = m.G by encoding the message - PQCLEAN_HQCRMRS128_AVX2_code_encode((uint8_t *)v, m); - PQCLEAN_HQCRMRS128_AVX2_load8_arr(v, 
VEC_N1N2_256_SIZE_64, (uint8_t *)v, VEC_N1N2_SIZE_BYTES); - PQCLEAN_HQCRMRS128_AVX2_vect_resize(tmp1, PARAM_N, v, PARAM_N1N2); - - // Compute v = m.G + s.r2 + e - PQCLEAN_HQCRMRS128_AVX2_vect_mul(tmp2, &vr2, &vs); - PQCLEAN_HQCRMRS128_AVX2_vect_add(tmp3, e, tmp2, VEC_N_256_SIZE_64); - PQCLEAN_HQCRMRS128_AVX2_vect_add(tmp2, tmp1, tmp3, VEC_N_256_SIZE_64); - PQCLEAN_HQCRMRS128_AVX2_vect_resize(v, PARAM_N1N2, tmp2, PARAM_N); - -} - - - -/** - * @brief Decryption of the HQC_PKE IND_CPA scheme - * - * @param[out] m Vector representing the decrypted message - * @param[in] u Vector u (first part of the ciphertext) - * @param[in] v Vector v (second part of the ciphertext) - * @param[in] sk String containing the secret key - */ -void PQCLEAN_HQCRMRS128_AVX2_hqc_pke_decrypt(uint8_t *m, const uint64_t *u, const uint64_t *v, const unsigned char *sk) { - uint8_t pk[PUBLIC_KEY_BYTES] = {0}; - aligned_vec_t vx = {0}; - uint64_t *x = vx.arr64; - aligned_vec_t vy = {0}; - uint64_t *y = vy.arr64; - aligned_vec_t vtmp1 = {0}; - uint64_t *tmp1 = vtmp1.arr64; - aligned_vec_t vtmp2 = {0}; - uint64_t *tmp2 = vtmp2.arr64; - aligned_vec_t vtmp3 = {0}; - uint64_t *tmp3 = vtmp3.arr64; - - // Retrieve x, y, pk from secret key - PQCLEAN_HQCRMRS128_AVX2_hqc_secret_key_from_string(x, y, pk, sk); - - // Compute v - u.y - PQCLEAN_HQCRMRS128_AVX2_vect_resize(tmp1, PARAM_N, v, PARAM_N1N2); - for (size_t i = 0; i < VEC_N_256_SIZE_64; i++) { - tmp2[i] = u[i]; - } - PQCLEAN_HQCRMRS128_AVX2_vect_mul(tmp3, &vy, &vtmp2); - PQCLEAN_HQCRMRS128_AVX2_vect_add(tmp2, tmp1, tmp3, VEC_N_256_SIZE_64); - - - // Compute m by decoding v - u.y - PQCLEAN_HQCRMRS128_AVX2_store8_arr((uint8_t *)tmp1, VEC_N_SIZE_BYTES, tmp2, VEC_N_256_SIZE_64); - PQCLEAN_HQCRMRS128_AVX2_code_decode(m, (uint8_t *)tmp1); -} diff --git a/crypto_kem/hqc-rmrs-128/avx2/hqc.h b/crypto_kem/hqc-rmrs-128/avx2/hqc.h deleted file mode 100644 index eeff199c..00000000 --- a/crypto_kem/hqc-rmrs-128/avx2/hqc.h +++ /dev/null 
@@ -1,19 +0,0 @@
-#ifndef HQC_H
-#define HQC_H
-
-
-/**
- * @file hqc.h
- * @brief Functions of the HQC_PKE IND_CPA scheme
- */
-
-#include 
-
-void PQCLEAN_HQCRMRS128_AVX2_hqc_pke_keygen(unsigned char *pk, unsigned char *sk);
-
-void PQCLEAN_HQCRMRS128_AVX2_hqc_pke_encrypt(uint64_t *u, uint64_t *v, uint8_t *m, unsigned char *theta, const unsigned char *pk);
-
-void PQCLEAN_HQCRMRS128_AVX2_hqc_pke_decrypt(uint8_t *m, const uint64_t *u, const uint64_t *v, const unsigned char *sk);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-128/avx2/kem.c b/crypto_kem/hqc-rmrs-128/avx2/kem.c
deleted file mode 100644
index bb33e92f..00000000
--- a/crypto_kem/hqc-rmrs-128/avx2/kem.c
+++ /dev/null
@@ -1,140 +0,0 @@ -#include "api.h" -#include "fips202.h" -#include "hqc.h" -#include "nistseedexpander.h" -#include "parameters.h" -#include "parsing.h" -#include "randombytes.h" -#include "sha2.h" -#include "vector.h" -#include -#include -/** - * @file kem.c - * @brief Implementation of api.h - */ - - - -/** - * @brief Keygen of the HQC_KEM IND_CAA2 scheme - * - * The public key is composed of the syndrome s as well as the seed used to generate the vector h. - * - * The secret key is composed of the seed used to generate vectors x and y. - * As a technicality, the public key is appended to the secret key in order to respect NIST API. - * - * @param[out] pk String containing the public key - * @param[out] sk String containing the secret key - * @returns 0 if keygen is successful - */ -int PQCLEAN_HQCRMRS128_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { - - PQCLEAN_HQCRMRS128_AVX2_hqc_pke_keygen(pk, sk); - return 0; -} - - - -/** - * @brief Encapsulation of the HQC_KEM IND_CAA2 scheme - * - * @param[out] ct String containing the ciphertext - * @param[out] ss String containing the shared secret - * @param[in] pk String containing the public key - * @returns 0 if encapsulation is successful - */ -int PQCLEAN_HQCRMRS128_AVX2_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) { - - uint8_t theta[SHA512_BYTES] = {0}; - uint8_t m[VEC_K_SIZE_BYTES] = {0}; - static uint64_t u[VEC_N_256_SIZE_64] = {0}; - uint64_t v[VEC_N1N2_256_SIZE_64] = {0}; - unsigned char d[SHA512_BYTES] = {0}; - unsigned char mc[VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES] = {0}; - - // Computing m - randombytes(m, VEC_K_SIZE_BYTES); - - // Computing theta - sha3_512(theta, m, VEC_K_SIZE_BYTES); - - // Encrypting m - PQCLEAN_HQCRMRS128_AVX2_hqc_pke_encrypt(u, v, m, theta, pk); - - // Computing d - sha512(d, m, VEC_K_SIZE_BYTES); - - // Computing shared secret - memcpy(mc, m, VEC_K_SIZE_BYTES); - PQCLEAN_HQCRMRS128_AVX2_store8_arr(mc + 
VEC_K_SIZE_BYTES, VEC_N_SIZE_BYTES, u, VEC_N_SIZE_64); - PQCLEAN_HQCRMRS128_AVX2_store8_arr(mc + VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES, VEC_N1N2_SIZE_BYTES, v, VEC_N1N2_SIZE_64); - sha512(ss, mc, VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES); - - // Computing ciphertext - PQCLEAN_HQCRMRS128_AVX2_hqc_ciphertext_to_string(ct, u, v, d); - - - return 0; -} - - - -/** - * @brief Decapsulation of the HQC_KEM IND_CAA2 scheme - * - * @param[out] ss String containing the shared secret - * @param[in] ct String containing the cipĥertext - * @param[in] sk String containing the secret key - * @returns 0 if decapsulation is successful, -1 otherwise - */ -int PQCLEAN_HQCRMRS128_AVX2_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - - uint8_t result; - uint64_t u[VEC_N_256_SIZE_64] = {0}; - uint64_t v[VEC_N1N2_256_SIZE_64] = {0}; - unsigned char d[SHA512_BYTES] = {0}; - unsigned char pk[PUBLIC_KEY_BYTES] = {0}; - uint8_t m[VEC_K_SIZE_BYTES] = {0}; - uint8_t theta[SHA512_BYTES] = {0}; - uint64_t u2[VEC_N_256_SIZE_64] = {0}; - uint64_t v2[VEC_N1N2_256_SIZE_64] = {0}; - unsigned char d2[SHA512_BYTES] = {0}; - unsigned char mc[VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES] = {0}; - - // Retrieving u, v and d from ciphertext - PQCLEAN_HQCRMRS128_AVX2_hqc_ciphertext_from_string(u, v, d, ct); - - // Retrieving pk from sk - memcpy(pk, sk + SEED_BYTES, PUBLIC_KEY_BYTES); - - // Decryting - PQCLEAN_HQCRMRS128_AVX2_hqc_pke_decrypt(m, u, v, sk); - - // Computing theta - sha3_512(theta, m, VEC_K_SIZE_BYTES); - - // Encrypting m' - PQCLEAN_HQCRMRS128_AVX2_hqc_pke_encrypt(u2, v2, m, theta, pk); - - // Computing d' - sha512(d2, m, VEC_K_SIZE_BYTES); - - // Computing shared secret - memcpy(mc, m, VEC_K_SIZE_BYTES); - PQCLEAN_HQCRMRS128_AVX2_store8_arr(mc + VEC_K_SIZE_BYTES, VEC_N_SIZE_BYTES, u, VEC_N_256_SIZE_64); - PQCLEAN_HQCRMRS128_AVX2_store8_arr(mc + VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES, VEC_N1N2_SIZE_BYTES, v, VEC_N1N2_SIZE_64); - 
sha512(ss, mc, VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES); - - // Abort if c != c' or d != d' - result = PQCLEAN_HQCRMRS128_AVX2_vect_compare((uint8_t *)u, (uint8_t *)u2, VEC_N_SIZE_BYTES); - result |= PQCLEAN_HQCRMRS128_AVX2_vect_compare((uint8_t *)v, (uint8_t *)v2, VEC_N1N2_SIZE_BYTES); - result |= PQCLEAN_HQCRMRS128_AVX2_vect_compare(d, d2, SHA512_BYTES); - result = (uint8_t) (-((int16_t) result) >> 15); - for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) { - ss[i] &= ~result; - } - - - return -(result & 1); -} diff --git a/crypto_kem/hqc-rmrs-128/avx2/parameters.h b/crypto_kem/hqc-rmrs-128/avx2/parameters.h deleted file mode 100644 index ee9efd25..00000000 --- a/crypto_kem/hqc-rmrs-128/avx2/parameters.h +++ /dev/null 
@@ -1,111 +0,0 @@ -#ifndef HQC_PARAMETERS_H -#define HQC_PARAMETERS_H - - -/** - * @file parameters.h - * @brief Parameters of the HQC_KEM IND-CCA2 scheme - */ -#include "api.h" - - -#define CEIL_DIVIDE(a, b) (((a)+(b)-1)/(b)) /*!< Divide a by b and ceil the result*/ - -/* - #define PARAM_N Define the parameter n of the scheme - #define PARAM_N1 Define the parameter n1 of the scheme (length of Reed-Solomon code) - #define PARAM_N2 Define the parameter n2 of the scheme (length of Duplicated Reed-Muller code) - #define PARAM_N1N2 Define the length in bits of the Concatenated code - #define PARAM_OMEGA Define the parameter omega of the scheme - #define PARAM_OMEGA_E Define the parameter omega_e of the scheme - #define PARAM_OMEGA_R Define the parameter omega_r of the scheme - #define PARAM_SECURITY Define the security level corresponding to the chosen parameters - #define PARAM_DFR_EXP Define the decryption failure rate corresponding to the chosen parameters - - #define SECRET_KEY_BYTES Define the size of the secret key in bytes - #define PUBLIC_KEY_BYTES Define the size of the public key in bytes - #define SHARED_SECRET_BYTES Define the size of the shared secret in bytes - #define CIPHERTEXT_BYTES Define the size of the ciphertext in bytes - - #define UTILS_REJECTION_THRESHOLD Define the rejection threshold used to generate given weight vectors (see vector_set_random_fixed_weight function) - #define VEC_N_SIZE_BYTES Define the size of the array used to store a PARAM_N sized vector in bytes - #define VEC_K_SIZE_BYTES Define the size of the array used to store a PARAM_K sized vector in bytes - #define VEC_N1Y_SIZE_BYTES Define the size of the array used to store a PARAM_N1 sized vector in bytes - #define VEC_N1N2_SIZE_BYTES Define the size of the array used to store a PARAM_N1N2 sized vector in bytes - - #define VEC_N_SIZE_64 Define the size of the array used to store a PARAM_N sized vector in 64 bits - #define VEC_K_SIZE_64 Define the size of the array used to store a 
PARAM_K sized vector in 64 bits - #define VEC_N1_SIZE_64 Define the size of the array used to store a PARAM_N1 sized vector in 64 bits - #define VEC_N1N2_SIZE_64 Define the size of the array used to store a PARAM_N1N2 sized vector in 64 bits - - #define VEC_N_256_SIZE_64 Define the size of the array of 64 bits elements used to store an array of size PARAM_N considered as elements of 256 bits - #define VEC_N1N2_256_SIZE_64 Define the size of the array of 64 bits elements used to store an array of size PARAM_N1N2 considered as elements of 256 bits - - #define PARAM_DELTA Define the parameter delta of the scheme (correcting capacity of the Reed-Solomon code) - #define PARAM_M Define a positive integer - #define PARAM_GF_POLY Generator polynomial of galois field GF(2^PARAM_M), represented in hexadecimial form - #define PARAM_GF_POLY_WT Hamming weight of PARAM_GF_POLY - #define PARAM_GF_POLY_M2 Distance between the primitive polynomial first two set bits - #define PARAM_GF_MUL_ORDER Define the size of the multiplicative group of GF(2^PARAM_M), i.e 2^PARAM_M -1 - #define PARAM_K Define the size of the information bits of the Reed-Solomon code - #define PARAM_G Define the size of the generator polynomial of Reed-Solomon code - #define PARAM_FFT The additive FFT takes a 2^PARAM_FFT polynomial as input - We use the FFT to compute the roots of sigma, whose degree if PARAM_DELTA=24 - The smallest power of 2 greater than 24+1 is 32=2^5 - #define RS_POLY_COEFS Coefficients of the generator polynomial of the Reed-Solomon code - - #define RED_MASK A mask fot the higher bits of a vector - #define SHA512_BYTES Define the size of SHA512 output in bytes - #define SEED_BYTES Define the size of the seed in bytes - #define SEEDEXPANDER_MAX_LENGTH Define the seed expander max length -*/ - -#define PARAM_N 17669 -#define PARAM_N1 46 -#define PARAM_N2 384 -#define PARAM_N1N2 17664 -#define PARAM_OMEGA 66 -#define PARAM_OMEGA_E 75 -#define PARAM_OMEGA_R 75 -#define PARAM_SECURITY 128 
-#define PARAM_DFR_EXP 128
-
-#define SECRET_KEY_BYTES PQCLEAN_HQCRMRS128_AVX2_CRYPTO_SECRETKEYBYTES
-#define PUBLIC_KEY_BYTES PQCLEAN_HQCRMRS128_AVX2_CRYPTO_PUBLICKEYBYTES
-#define SHARED_SECRET_BYTES PQCLEAN_HQCRMRS128_AVX2_CRYPTO_BYTES
-#define CIPHERTEXT_BYTES PQCLEAN_HQCRMRS128_AVX2_CRYPTO_CIPHERTEXTBYTES
-
-#define UTILS_REJECTION_THRESHOLD 16767881
-#define VEC_N_SIZE_BYTES CEIL_DIVIDE(PARAM_N, 8)
-#define VEC_K_SIZE_BYTES PARAM_K
-#define VEC_N1_SIZE_BYTES PARAM_N1
-#define VEC_N1N2_SIZE_BYTES CEIL_DIVIDE(PARAM_N1N2, 8)
-
-#define VEC_N_SIZE_256 CEIL_DIVIDE(PARAM_N, 256)
-
-#define VEC_N_SIZE_64 CEIL_DIVIDE(PARAM_N, 64)
-#define VEC_K_SIZE_64 CEIL_DIVIDE(PARAM_K, 8)
-#define VEC_N1_SIZE_64 CEIL_DIVIDE(PARAM_N1, 8)
-#define VEC_N1N2_SIZE_64 CEIL_DIVIDE(PARAM_N1N2, 64)
-
-#define PARAM_N_MULT (9*256*CEIL_DIVIDE(CEIL_DIVIDE(PARAM_N, 9), 256))
-#define VEC_N_256_SIZE_64 (PARAM_N_MULT / 64)
-#define VEC_N1N2_256_SIZE_64 (CEIL_DIVIDE(PARAM_N1N2, 256) << 2)
-
-#define PARAM_DELTA 15
-#define PARAM_M 8
-#define PARAM_GF_POLY 0x11D
-#define PARAM_GF_POLY_WT 5
-#define PARAM_GF_POLY_M2 4
-#define PARAM_GF_MUL_ORDER 255
-#define PARAM_K 16
-#define PARAM_G 31
-#define PARAM_FFT 5
-#define RS_POLY_COEFS 89,69,153,116,176,117,111,75,73,233,242,233,65,210,21,139,103,173,67,118,105,210,174,110,74,69,228,82,255,181,1
-
-#define RED_MASK 0x1f
-#define SHA512_BYTES 64
-#define SEED_BYTES 40
-#define SEEDEXPANDER_MAX_LENGTH 4294967295
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-128/avx2/parsing.c b/crypto_kem/hqc-rmrs-128/avx2/parsing.c
deleted file mode 100644
index a924a6eb..00000000
--- a/crypto_kem/hqc-rmrs-128/avx2/parsing.c
+++ /dev/null
@@ -1,186 +0,0 @@ -#include "nistseedexpander.h" -#include "parameters.h" -#include "parsing.h" -#include "randombytes.h" -#include "vector.h" -#include -#include -/** - * @file parsing.c - * @brief Functions to parse secret key, public key and ciphertext of the HQC scheme - */ - - -void PQCLEAN_HQCRMRS128_AVX2_store8(unsigned char *out, uint64_t in) { - out[0] = (in >> 0x00) & 0xFF; - out[1] = (in >> 0x08) & 0xFF; - out[2] = (in >> 0x10) & 0xFF; - out[3] = (in >> 0x18) & 0xFF; - out[4] = (in >> 0x20) & 0xFF; - out[5] = (in >> 0x28) & 0xFF; - out[6] = (in >> 0x30) & 0xFF; - out[7] = (in >> 0x38) & 0xFF; -} - - -uint64_t PQCLEAN_HQCRMRS128_AVX2_load8(const unsigned char *in) { - uint64_t ret = in[7]; - - for (int8_t i = 6; i >= 0; i--) { - ret <<= 8; - ret |= in[i]; - } - - return ret; -} - -void PQCLEAN_HQCRMRS128_AVX2_load8_arr(uint64_t *out64, size_t outlen, const uint8_t *in8, size_t inlen) { - size_t index_in = 0; - size_t index_out = 0; - - // first copy by 8 bytes - if (inlen >= 8 && outlen >= 1) { - while (index_out < outlen && index_in + 8 <= inlen) { - out64[index_out] = PQCLEAN_HQCRMRS128_AVX2_load8(in8 + index_in); - - index_in += 8; - index_out += 1; - } - } - - // we now need to do the last 7 bytes if necessary - if (index_in >= inlen || index_out >= outlen) { - return; - } - out64[index_out] = in8[inlen - 1]; - for (int8_t i = (int8_t)(inlen - index_in) - 2; i >= 0; i--) { - out64[index_out] <<= 8; - out64[index_out] |= in8[index_in + i]; - } -} - -void PQCLEAN_HQCRMRS128_AVX2_store8_arr(uint8_t *out8, size_t outlen, const uint64_t *in64, size_t inlen) { - for (size_t index_out = 0, index_in = 0; index_out < outlen && index_in < inlen;) { - out8[index_out] = (in64[index_in] >> ((index_out % 8) * 8)) & 0xFF; - index_out++; - if (index_out % 8 == 0) { - index_in++; - } - } -} - - -/** - * @brief Parse a secret key into a string - * - * The secret key is composed of the seed used to generate vectors x and y. 
- * As technicality, the public key is appended to the secret key in order to respect NIST API. - * - * @param[out] sk String containing the secret key - * @param[in] sk_seed Seed used to generate the secret key - * @param[in] pk String containing the public key - */ -void PQCLEAN_HQCRMRS128_AVX2_hqc_secret_key_to_string(uint8_t *sk, const uint8_t *sk_seed, const uint8_t *pk) { - memcpy(sk, sk_seed, SEED_BYTES); - sk += SEED_BYTES; - memcpy(sk, pk, PUBLIC_KEY_BYTES); -} - -/** - * @brief Parse a secret key from a string - * - * The secret key is composed of the seed used to generate vectors x and y. - * As technicality, the public key is appended to the secret key in order to respect NIST API. - * - * @param[out] x uint64_t representation of vector x - * @param[out] y uint64_t representation of vector y - * @param[out] pk String containing the public key - * @param[in] sk String containing the secret key - */ -void PQCLEAN_HQCRMRS128_AVX2_hqc_secret_key_from_string(uint64_t *x, uint64_t *y, uint8_t *pk, const uint8_t *sk) { - AES_XOF_struct sk_seedexpander; - uint8_t sk_seed[SEED_BYTES] = {0}; - - memcpy(sk_seed, sk, SEED_BYTES); - sk += SEED_BYTES; - memcpy(pk, sk, PUBLIC_KEY_BYTES); - - seedexpander_init(&sk_seedexpander, sk_seed, sk_seed + 32, SEEDEXPANDER_MAX_LENGTH); - PQCLEAN_HQCRMRS128_AVX2_vect_set_random_fixed_weight(&sk_seedexpander, x, PARAM_OMEGA); - PQCLEAN_HQCRMRS128_AVX2_vect_set_random_fixed_weight(&sk_seedexpander, y, PARAM_OMEGA); -} - -/** - * @brief Parse a public key into a string - * - * The public key is composed of the syndrome s as well as the seed used to generate the vector h - * - * @param[out] pk String containing the public key - * @param[in] pk_seed Seed used to generate the public key - * @param[in] s uint8_t representation of vector s - */ -void PQCLEAN_HQCRMRS128_AVX2_hqc_public_key_to_string(uint8_t *pk, const uint8_t *pk_seed, const uint64_t *s) { - memcpy(pk, pk_seed, SEED_BYTES); - PQCLEAN_HQCRMRS128_AVX2_store8_arr(pk + 
SEED_BYTES, VEC_N_SIZE_BYTES, s, VEC_N_SIZE_64); -} - - - -/** - * @brief Parse a public key from a string - * - * The public key is composed of the syndrome s as well as the seed used to generate the vector h - * - * @param[out] h uint8_t representation of vector h - * @param[out] s uint8_t representation of vector s - * @param[in] pk String containing the public key - */ -void PQCLEAN_HQCRMRS128_AVX2_hqc_public_key_from_string(uint64_t *h, uint64_t *s, const uint8_t *pk) { - AES_XOF_struct pk_seedexpander; - uint8_t pk_seed[SEED_BYTES] = {0}; - - memcpy(pk_seed, pk, SEED_BYTES); - pk += SEED_BYTES; - PQCLEAN_HQCRMRS128_AVX2_load8_arr(s, VEC_N_SIZE_64, pk, VEC_N_SIZE_BYTES); - - seedexpander_init(&pk_seedexpander, pk_seed, pk_seed + 32, SEEDEXPANDER_MAX_LENGTH); - PQCLEAN_HQCRMRS128_AVX2_vect_set_random(&pk_seedexpander, h); -} - - -/** - * @brief Parse a ciphertext into a string - * - * The ciphertext is composed of vectors u, v and hash d. - * - * @param[out] ct String containing the ciphertext - * @param[in] u uint8_t representation of vector u - * @param[in] v uint8_t representation of vector v - * @param[in] d String containing the hash d - */ -void PQCLEAN_HQCRMRS128_AVX2_hqc_ciphertext_to_string(uint8_t *ct, const uint64_t *u, const uint64_t *v, const uint8_t *d) { - PQCLEAN_HQCRMRS128_AVX2_store8_arr(ct, VEC_N_SIZE_BYTES, u, VEC_N_SIZE_64); - ct += VEC_N_SIZE_BYTES; - PQCLEAN_HQCRMRS128_AVX2_store8_arr(ct, VEC_N1N2_SIZE_BYTES, v, VEC_N1N2_SIZE_64); - ct += VEC_N1N2_SIZE_BYTES; - memcpy(ct, d, SHA512_BYTES); -} - - -/** - * @brief Parse a ciphertext from a string - * - * The ciphertext is composed of vectors u, v and hash d. 
- *
- * @param[out] u uint8_t representation of vector u
- * @param[out] v uint8_t representation of vector v
- * @param[out] d String containing the hash d
- * @param[in] ct String containing the ciphertext
- */
-void PQCLEAN_HQCRMRS128_AVX2_hqc_ciphertext_from_string(uint64_t *u, uint64_t *v, uint8_t *d, const uint8_t *ct) {
- PQCLEAN_HQCRMRS128_AVX2_load8_arr(u, VEC_N_SIZE_64, ct, VEC_N_SIZE_BYTES);
- ct += VEC_N_SIZE_BYTES;
- PQCLEAN_HQCRMRS128_AVX2_load8_arr(v, VEC_N1N2_SIZE_64, ct, VEC_N1N2_SIZE_BYTES);
- ct += VEC_N1N2_SIZE_BYTES;
- memcpy(d, ct, SHA512_BYTES);
-}
diff --git a/crypto_kem/hqc-rmrs-128/avx2/parsing.h b/crypto_kem/hqc-rmrs-128/avx2/parsing.h
deleted file mode 100644
index f2f0b5a1..00000000
--- a/crypto_kem/hqc-rmrs-128/avx2/parsing.h
+++ /dev/null
@@ -1,36 +0,0 @@
-#ifndef PARSING_H
-#define PARSING_H
-
-
-/**
- * @file parsing.h
- * @brief Header file for parsing.c
- */
-
-#include
-
-void PQCLEAN_HQCRMRS128_AVX2_store8(unsigned char *out, uint64_t in);
-
-uint64_t PQCLEAN_HQCRMRS128_AVX2_load8(const unsigned char *in);
-
-void PQCLEAN_HQCRMRS128_AVX2_load8_arr(uint64_t *out64, size_t outlen, const uint8_t *in8, size_t inlen);
-
-void PQCLEAN_HQCRMRS128_AVX2_store8_arr(uint8_t *out8, size_t outlen, const uint64_t *in64, size_t inlen);
-
-
-void PQCLEAN_HQCRMRS128_AVX2_hqc_secret_key_to_string(uint8_t *sk, const uint8_t *sk_seed, const uint8_t *pk);
-
-void PQCLEAN_HQCRMRS128_AVX2_hqc_secret_key_from_string(uint64_t *x, uint64_t *y, uint8_t *pk, const uint8_t *sk);
-
-
-void PQCLEAN_HQCRMRS128_AVX2_hqc_public_key_to_string(uint8_t *pk, const uint8_t *pk_seed, const uint64_t *s);
-
-void PQCLEAN_HQCRMRS128_AVX2_hqc_public_key_from_string(uint64_t *h, uint64_t *s, const uint8_t *pk);
-
-
-void PQCLEAN_HQCRMRS128_AVX2_hqc_ciphertext_to_string(uint8_t *ct, const uint64_t *u, const uint64_t *v, const uint8_t *d);
-
-void PQCLEAN_HQCRMRS128_AVX2_hqc_ciphertext_from_string(uint64_t *u, uint64_t *v, uint8_t *d, const uint8_t *ct);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-128/avx2/reed_muller.c b/crypto_kem/hqc-rmrs-128/avx2/reed_muller.c
deleted file mode 100644
index 85afd331..00000000
--- a/crypto_kem/hqc-rmrs-128/avx2/reed_muller.c
+++ /dev/null
@@ -1,389 +0,0 @@ -#include "parameters.h" -#include "reed_muller.h" -#include -#include -#include -/** - * @file reed_muller.c - * Constant time implementation of Reed-Muller code RM(1,7) - */ - - -// number of repeated code words -#define MULTIPLICITY CEIL_DIVIDE(PARAM_N2, 128) - -// copy bit 0 into all bits of a 64 bit value -#define BIT0MASK(x) (int64_t)(-((x) & 1)) - -static void encode(uint8_t *word, uint8_t message); -static void expand_and_sum(__m256i *dst, const uint64_t *src); -static void hadamard(__m256i *src, __m256i *dst); -static uint32_t find_peaks(__m256i *transform); - - - -/** - * @brief Encode a single byte into a single codeword using RM(1,7) - * - * Encoding matrix of this code: - * bit pattern (note that bits are numbered big endian) - * 0 aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa - * 1 cccccccc cccccccc cccccccc cccccccc - * 2 f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0 - * 3 ff00ff00 ff00ff00 ff00ff00 ff00ff00 - * 4 ffff0000 ffff0000 ffff0000 ffff0000 - * 5 00000000 ffffffff 00000000 ffffffff - * 6 00000000 00000000 ffffffff ffffffff - * 7 ffffffff ffffffff ffffffff ffffffff - * - * @param[out] word An RM(1,7) codeword - * @param[in] message A message to encode - */ -static void encode(uint8_t *word, uint8_t message) { - uint32_t e; - // bit 7 flips all the bits, do that first to save work - e = BIT0MASK(message >> 7); - // bits 0, 1, 2, 3, 4 are the same for all four longs - // (Warning: in the bit matrix above, low bits are at the left!) 
- e ^= BIT0MASK(message >> 0) & 0xaaaaaaaa; - e ^= BIT0MASK(message >> 1) & 0xcccccccc; - e ^= BIT0MASK(message >> 2) & 0xf0f0f0f0; - e ^= BIT0MASK(message >> 3) & 0xff00ff00; - e ^= BIT0MASK(message >> 4) & 0xffff0000; - // we can store this in the first quarter - word[0 + 0] = (e >> 0x00) & 0xff; - word[0 + 1] = (e >> 0x08) & 0xff; - word[0 + 2] = (e >> 0x10) & 0xff; - word[0 + 3] = (e >> 0x18) & 0xff; - // bit 5 flips entries 1 and 3; bit 6 flips 2 and 3 - e ^= BIT0MASK(message >> 5); - word[4 + 0] = (e >> 0x00) & 0xff; - word[4 + 1] = (e >> 0x08) & 0xff; - word[4 + 2] = (e >> 0x10) & 0xff; - word[4 + 3] = (e >> 0x18) & 0xff; - e ^= BIT0MASK(message >> 6); - word[12 + 0] = (e >> 0x00) & 0xff; - word[12 + 1] = (e >> 0x08) & 0xff; - word[12 + 2] = (e >> 0x10) & 0xff; - word[12 + 3] = (e >> 0x18) & 0xff; - e ^= BIT0MASK(message >> 5); - word[8 + 0] = (e >> 0x00) & 0xff; - word[8 + 1] = (e >> 0x08) & 0xff; - word[8 + 2] = (e >> 0x10) & 0xff; - word[8 + 3] = (e >> 0x18) & 0xff; -} - - - -/** - * @brief Add multiple codewords into expanded codeword - * - * Note: this does not write the codewords as -1 or +1 as the green machine does - * instead, just 0 and 1 is used. 
- * The resulting hadamard transform has: - * all values are halved - * the first entry is 64 too high - * - * @param[out] dst Structure that contain the expanded codeword - * @param[in] src Structure that contain the codeword - */ -inline void expand_and_sum(__m256i *dst, const uint64_t *src) { - uint16_t v[16]; - for (size_t part = 0; part < 8; part++) { - dst[part] = _mm256_setzero_si256(); - } - for (size_t copy = 0; copy < MULTIPLICITY; copy++) { - for (size_t part = 0; part < 8; part++) { - for (size_t bit = 0; bit < 16; bit++) { - v[bit] = (((uint16_t *)(&src[2 * copy]))[part] >> bit) & 1; - } - dst[part] += _mm256_set_epi16(v[15], v[14], v[13], v[12], v[11], v[10], v[9], v[8], - v[7], v[6], v[5], v[4], v[3], v[2], v[1], v[0]); - } - } -} - - - -/** - * @brief Hadamard transform - * - * Perform hadamard transform of src and store result in dst - * src is overwritten: it is also used as intermediate buffer - * Method is best explained if we use H(3) instead of H(7): - * - * The routine multiplies by the matrix H(3): - * [1 1 1 1 1 1 1 1] - * [1 -1 1 -1 1 -1 1 -1] - * [1 1 -1 -1 1 1 -1 -1] - * [a b c d e f g h] * [1 -1 -1 1 1 -1 -1 1] = result of routine - * [1 1 1 1 -1 -1 -1 -1] - * [1 -1 1 -1 -1 1 -1 1] - * [1 1 -1 -1 -1 -1 1 1] - * [1 -1 -1 1 -1 1 1 -1] - * You can do this in three passes, where each pass does this: - * set lower half of buffer to pairwise sums, - * and upper half to differences - * index 0 1 2 3 4 5 6 7 - * input: a, b, c, d, e, f, g, h - * pass 1: a+b, c+d, e+f, g+h, a-b, c-d, e-f, g-h - * pass 2: a+b+c+d, e+f+g+h, a-b+c-d, e-f+g-h, a+b-c-d, e+f-g-h, a-b-c+d, e-f-g+h - * pass 3: a+b+c+d+e+f+g+h a+b-c-d+e+f-g-h a+b+c+d-e-f-g-h a+b-c-d-e+-f+g+h - * a-b+c-d+e-f+g-h a-b-c+d+e-f-g+h a-b+c-d-e+f-g+h a-b-c+d-e+f+g-h - * This order of computation is chosen because it vectorises well. - * Likewise, this routine multiplies by H(7) in seven passes. 
- * - * @param[out] src Structure that contain the expanded codeword - * @param[out] dst Structure that contain the expanded codeword - */ -inline void hadamard(__m256i *src, __m256i *dst) { - // the passes move data: - // src -> dst -> src -> dst -> src -> dst -> src -> dst - // using p1 and p2 alternately - __m256i *p1 = src; - __m256i *p2 = dst; - __m256i *p3; - for (size_t pass = 0; pass < 7; pass++) { - // warning: hadd works "within lanes" as Intel call it - // so you have to swap the middle 64 bit blocks of the result - for (size_t part = 0; part < 4; part++) { - p2[part] = _mm256_permute4x64_epi64(_mm256_hadd_epi16(p1[2 * part], p1[2 * part + 1]), 0xd8); - p2[part + 4] = _mm256_permute4x64_epi64(_mm256_hsub_epi16(p1[2 * part], p1[2 * part + 1]), 0xd8); - } - // swap p1, p2 for next round - p3 = p1; - p1 = p2; - p2 = p3; - } -} - - - -/** - * @brief Finding the location of the highest value - * - * This is the final step of the green machine: find the location of the highest value, - * and add 128 if the peak is positive - * Notes on decoding - * The standard "Green machine" decoder words as follows: - * if the received codeword is W, compute (2 * W - 1) * H7 - * The entries of the resulting vector are always even and vary from - * -128 (= the complement is a code word, add bit 7 to decode) - * via 0 (this is a different codeword) - * to 128 (this is the code word). - * - * Our decoding differs in two ways: - * - We take W instead of 2 * W - 1 (so the entries are 0,1 instead of -1,1) - * - We take the sum of the repititions (so the entries are 0..MULTIPLICITY) - * This implies that we have to subtract 64M (M=MULTIPLICITY) - * from the first entry to make sure the first codewords is handled properly - * and that the entries vary from -64M to 64M. - * -64M or 64M stands for a perfect codeword. 
- * If there are fewer than 32M errors, there is always a unique codeword - * which an entry with absolute value > 32M; - * this is because an error changes an entry by 1. - * The highest number that seem to be decodable is 50 errors, so that the - * highest entries in the hadamard transform can be as low as 12. - * But this is different for the repeated code. - * Because multiple codewords are added, this changes: the lowest value of the - * hadamard transform of the sum of six words is seen to be as low as 43 (!), - * which is way less than 12*6. - * - * It is possible that there are more errors, but the word is still uniquely - * decodable: we found a word with distance of 50 from the nearest codeword. - * That means that the highest entry can be as low as 14M. - * Since we have to do binary search, we search for the range 1-64M - * which can be done in 6+l2g(M) steps. - * The binary search is based on (values>32M are unique): - * M 32M min> max> firstStep #steps - * 2 64 1 64 33 +- 16 6 - * 4 128 1 128 65 +- 32 7 - * 6 192 1 192 129 +- 64 8 - * - * As a check, we run a sample for M=6 to see the peak value; it ranged - * from 43 to 147, so my analysis looks right. Also, it shows that decoding - * far beyond the bound of 32M is needed. - * - * For the vectors, it would be tempting to use 8 bit ints, - * because the values "almost" fit in there. - * We could use some trickery to fit it in 8 bits, like saturated add or - * division by 2 in a late step. - * Unfortunately, these instructions do not exist. - * the adds _mm512_adds_epi8 is available only on the latest processors, - * and division, shift, mulhi are not available at all for 8 bits. - * So, we use 16 bit ints. - * - * For the search of the optimal comparison value, - * remember the transform contains 64M-d, - * where d are the distances to the codewords. - * The highest value gives the most likely codeword. 
- * There is not fast vectorized way to find this value, so we search for the - * maximum value itself. - * In each pass, we collect a bit map of the transform values that are, - * say >bound. There are three cases: - * bit map = 0: all code words are further away than 64M-bound (decrease bound) - * bit map has one bit: one unique code word has distance < 64M-bound - * bit map has multiple bits: multiple words (increase bound) - * We will search for the lowest value of bound that gives a nonzero bit map. - * - * @param[in] transform Structure that contain the expanded codeword - */ -inline uint32_t find_peaks(__m256i *transform) { - // a whole lot of vector variables - __m256i bitmap, abs_rows[8], bound, active_row, max_abs_rows; - __m256i tmp = _mm256_setzero_si256(); - __m256i vect_mask; - __m256i res; - int32_t lower; - int32_t width; - uint32_t message; - uint32_t mask; - int8_t index; - int8_t abs_value; - int8_t mask1; - int8_t mask2; - uint16_t result; - - // compute absolute value of transform - for (size_t i = 0; i < 8; i++) { - abs_rows[i] = _mm256_abs_epi16(transform[i]); - } - // compute a vector of 16 elements which contains the maximum somewhere - // (later used to compute bits 0 through 3 of message) - max_abs_rows = abs_rows[0]; - for (size_t i = 1; i < 8; i++) { - max_abs_rows = _mm256_max_epi16(max_abs_rows, abs_rows[i]); - } - - // do binary search for the highest value that is lower than the maximum - // loop invariant: lower gives bit map = 0, lower + width gives bit map > 0 - lower = 1; - // this gives 64, 128 or 256 for MULTIPLICITY = 2, 4, 6 - width = 1 << (5 + MULTIPLICITY / 2); - // if you don't unroll this loop, it fits in the loop cache - // uncomment the line below to speeding up the program by a few percent - // #pragma GCC unroll 0 - while (width > 1) { - width >>= 1; - // compare with lower + width; put result in bitmap - // make vector from value of new bound - bound = _mm256_broadcastw_epi16(_mm_cvtsi32_si128(lower + width)); - 
bitmap = _mm256_cmpgt_epi16(max_abs_rows, bound); - // step up if there are any matches - // rely on compiler to use conditional move here - mask = (uint32_t) _mm256_testz_si256(bitmap, bitmap); - mask = ~(uint32_t) ((-(int64_t) mask) >> 63); - lower += mask & width; - } - // lower+width contains the maximum value of the vector - // or less, if the maximum is very high (which is OK) - // normally, there is one maximum, but sometimes there are more - // find where the maxima occur in the maximum vector - // (each determines lower 4 bits of peak position) - // construct vector filled with bound-1 - bound = _mm256_broadcastw_epi16(_mm_cvtsi32_si128(lower + width - 1)); - - // find in which of the 8 groups a maximum occurs to compute bits 4, 5, 6 of message - // find lowest value by searching backwards skip first check to save time - message = 0x70; - for (size_t i = 0; i < 8; i++) { - bitmap = _mm256_cmpgt_epi16(abs_rows[7 - i], bound); - mask = (uint32_t) _mm256_testz_si256(bitmap, bitmap); - mask = ~(uint32_t) ((-(int64_t) mask) >> 63); - message ^= mask & (message ^ ((7 - i) << 4)); - } - // we decided which row of the matrix contains the lowest match - // select proper row - index = message >> 4; - - tmp = _mm256_setzero_si256(); - for (size_t i = 0; i < 8; i++) { - abs_value = (int8_t)(index - i); - mask1 = abs_value >> 7; - abs_value ^= mask1; - abs_value -= mask1; - mask2 = ((uint8_t) - abs_value >> 7); - mask = (-1ULL) + mask2; - vect_mask = _mm256_set1_epi32(mask); - res = _mm256_and_si256(abs_rows[i], vect_mask); - tmp = _mm256_or_si256(tmp, res); - } - - active_row = tmp; - - // get the column number of the vector element - // by setting the bits corresponding to the columns - // and then adding elements within two groups of 8 - vect_mask = _mm256_cmpgt_epi16(active_row, bound); - vect_mask &= _mm256_set_epi16(-32768, 16384, 8192, 4096, 2048, 1024, 512, 256, 128, 64, 32, 16, 8, 4, 2, 1); - for (size_t i = 0; i < 3; i++) { - vect_mask = 
_mm256_hadd_epi16(vect_mask, vect_mask); - } - // add low 4 bits of message - message |= __tzcnt_u16(_mm256_extract_epi16(vect_mask, 0) + _mm256_extract_epi16(vect_mask, 8)); - - // set bit 7 if sign of biggest value is positive - // make sure a jump isn't generated by the compiler - tmp = _mm256_setzero_si256(); - for (size_t i = 0; i < 8; i++) { - mask = ~(uint32_t) ((-(int64_t)(i ^ message / 16)) >> 63); - vect_mask = _mm256_set1_epi32(mask); - tmp = _mm256_or_si256(tmp, _mm256_and_si256(vect_mask, transform[i])); - } - result = 0; - for (size_t i = 0; i < 16; i++) { - mask = ~(uint32_t) ((-(int64_t)(i ^ message % 16)) >> 63); - result |= mask & ((uint16_t *)&tmp)[i]; - } - message |= (0x8000 & ~result) >> 8; - return message; -} - - - -/** - * @brief Encodes the received word - * - * The message consists of N1 bytes each byte is encoded into PARAM_N2 bits, - * or MULTIPLICITY repeats of 128 bits - * - * @param[out] cdw Array of size VEC_N1N2_SIZE_64 receiving the encoded message - * @param[in] msg Array of size VEC_N1_SIZE_64 storing the message - */ -void PQCLEAN_HQCRMRS128_AVX2_reed_muller_encode(uint8_t *cdw, const uint8_t *msg) { - for (size_t i = 0; i < VEC_N1_SIZE_BYTES; i++) { - // encode first word - encode(&cdw[16 * i * MULTIPLICITY], msg[i]); - // copy to other identical codewords - for (size_t copy = 1; copy < MULTIPLICITY; copy++) { - memcpy(&cdw[16 * i * MULTIPLICITY + 16 * copy], &cdw[16 * i * MULTIPLICITY], 16); - } - } -} - - - -/** - * @brief Decodes the received word - * - * Decoding uses fast hadamard transform, for a more complete picture on Reed-Muller decoding, see MacWilliams, Florence Jessie, and Neil James Alexander Sloane. 
- * The theory of error-correcting codes codes @cite macwilliams1977theory
- *
- * @param[out] msg Array of size VEC_N1_SIZE_64 receiving the decoded message
- * @param[in] cdw Array of size VEC_N1N2_SIZE_64 storing the received word
- */
-void PQCLEAN_HQCRMRS128_AVX2_reed_muller_decode(uint8_t *msg, const uint8_t *cdw) {
- __m256i expanded[8];
- __m256i transform[8];
- for (size_t i = 0; i < VEC_N1_SIZE_BYTES; i++) {
- // collect the codewords
- expand_and_sum(expanded, (uint64_t *)&cdw[16 * i * MULTIPLICITY]);
- // apply hadamard transform
- hadamard(expanded, transform);
- // fix the first entry to get the half Hadamard transform
- transform[0] -= _mm256_set_epi16(0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 64 * MULTIPLICITY);
- // finish the decoding
- msg[i] = find_peaks(transform);
- }
-}
diff --git a/crypto_kem/hqc-rmrs-128/avx2/reed_muller.h b/crypto_kem/hqc-rmrs-128/avx2/reed_muller.h
deleted file mode 100644
index 4c5936d3..00000000
--- a/crypto_kem/hqc-rmrs-128/avx2/reed_muller.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef REED_MULLER_H
-#define REED_MULLER_H
-
-
-/**
- * @file reed_muller.h
- * Header file of reed_muller.c
- */
-#include "parameters.h"
-#include
-#include
-
-void PQCLEAN_HQCRMRS128_AVX2_reed_muller_encode(uint8_t *cdw, const uint8_t *msg);
-
-void PQCLEAN_HQCRMRS128_AVX2_reed_muller_decode(uint8_t *msg, const uint8_t *cdw);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-128/avx2/reed_solomon.c b/crypto_kem/hqc-rmrs-128/avx2/reed_solomon.c
deleted file mode 100644
index e42c9529..00000000
--- a/crypto_kem/hqc-rmrs-128/avx2/reed_solomon.c
+++ /dev/null
@@ -1,466 +0,0 @@ -#include "fft.h" -#include "gf.h" -#include "parameters.h" -#include "parsing.h" -#include "reed_solomon.h" -#include -#include -#include -/** - * @file reed_solomon.c - * Constant time implementation of Reed-Solomon codes - */ - - -static void compute_syndromes(uint16_t *syndromes, uint8_t *cdw); -static uint16_t compute_elp(uint16_t *sigma, const uint16_t *syndromes); -static void compute_roots(uint8_t *error, uint16_t *sigma); -static void compute_z_poly(uint16_t *z, const uint16_t *sigma, uint16_t degree, const uint16_t *syndromes); -static void compute_error_values(uint16_t *error_values, const uint16_t *z, const uint8_t *error); -static void correct_errors(uint8_t *cdw, const uint16_t *error_values); - -static const __m256i alpha_ij256_1[45] = { - {0x0010000800040002, 0x001d008000400020, 0x00cd00e80074003a, 0x004c002600130087}, - {0x001d004000100004, 0x004c001300cd0074, 0x008f00ea00b4002d, 0x009d006000180006}, - {0x00cd003a00400008, 0x008f0075002d0026, 0x002500270060000c, 0x004600c100b50035}, - {0x004c00cd001d0010, 0x009d0018008f00b4, 0x004600ee006a0025, 0x005f00b9005d0014}, - {0x00b4002600740020, 0x006a009c00600003, 0x00b900a0000500c1, 0x00fd000f005e00be}, - {0x008f002d00cd0040, 0x004600b500250060, 0x0065006100b90050, 0x00d900df006b0078}, - {0x0018007500130080, 0x005d008c00b5009c, 0x006b003c005e00a1, 0x0081001a004300a3}, - {0x009d008f004c001d, 0x005f005d0046006a, 0x00d900fe00fd0065, 0x0085003b0081000d}, - {0x0025000c002d003a, 0x006500a1005000c1, 0x00d0008600df00e7, 0x00a800a9006600ed}, - {0x006a006000b40074, 0x00fd005e00b90005, 0x003b0067001100df, 0x00e600550084002e}, - {0x00ee002700ea00e8, 0x00fe003c006100a0, 0x00b8007600670086, 0x00e3009100390054}, - {0x00460025008f00cd, 0x00d9006b006500b9, 0x00a800b8003b00d0, 0x0082009600fc00e4}, - {0x0014003500060087, 0x000d00a3007800be, 0x00e40054002e00ed, 0x00510064006200e5}, - {0x005d00b500180013, 0x00810043006b005e, 0x00fc003900840066, 0x0012005900c80062}, - {0x00b900c100600026, 0x003b001a00df000f, 
0x00960091005500a9, 0x002c002400590064}, - {0x005f0046009d004c, 0x0085008100d900fd, 0x008200e300e600a8, 0x0002002c00120051}, - {0x0099000a004e0098, 0x004f0093004400d6, 0x00dd00dc00d70092, 0x00980001000b0045}, - {0x006500500025002d, 0x00a8006600d000df, 0x00c30007009600bf, 0x0027002600ad00fb}, - {0x001e00ba0094005a, 0x0049006d003e00e2, 0x003d00a200ae00b3, 0x008c006000e80083}, - {0x00fd00b9006a00b4, 0x00e60084003b0011, 0x002c00ac001c0096, 0x00be00c100030020}, - {0x006b00a100b50075, 0x00fc00290066001a, 0x00ad00f500590057, 0x00e700b90035002d}, - {0x00fe006100ee00ea, 0x00e3003900b80067, 0x003a00b000ac0007, 0x00af000f002800c0}, - {0x005b002f009f00c9, 0x009500d10021007c, 0x0075004700f400a6, 0x001f00df00c200ee}, - {0x00d900650046008f, 0x008200fc00a8003b, 0x0027003a002c00c3, 0x0017001a00e700ba}, - {0x0011000f00050003, 0x001c00ff00550033, 0x00c100b4006c0024, 0x004d003b00e2005e}, - {0x000d007800140006, 0x0051006200e4002e, 0x00ba00c0002000fb, 0x00d100a900bd00bb}, - {0x00d000e70050000c, 0x00c3005700bf00a9, 0x002f00b50026007d, 0x00db005500c500d9}, - {0x0081006b005d0018, 0x001200c800fc0084, 0x00e70028000300ad, 0x00190091009e00bd}, - {0x00f8007f00690030, 0x00f700e000f1004d, 0x00b6005f009c0040, 0x00a2009600aa00ec}, - {0x003b00df00b90060, 0x002c005900960055, 0x001a000f00c10026, 0x00240064009100a9}, - {0x009700b600de00c0, 0x001b009b006e0072, 0x00ed00b100a0008f, 0x00580059004b0052}, - {0x008500d9005f009d, 0x00020012008200e6, 0x001700af00be0027, 0x00040024001900d1}, - {0x00b8008600610027, 0x003a00f500070091, 0x001500d0000f00b5, 0x002d002c00a600f1}, - {0x004f00440099004e, 0x0098000b00dd00d7, 0x0092009300d6000a, 0x004e0001004500dc}, - {0x0084001a005e009c, 0x000300e9005900ff, 0x0091002e00e200b9, 0x0005002600eb001c}, - {0x00a800d000650025, 0x002700ad00c30096, 0x00db0015001a002f, 0x00610060003600f2}, - {0x005200ce0089004a, 0x00d40010008a0037, 0x00570049007c0078, 0x00d300c1001d0048}, - {0x0049003e001e0094, 0x008c00e8003d00ae, 0x003800630033007f, 0x004300b900ea0016}, - {0x00e400ed00780035, 
0x00ba002d00fb0064, 0x00f200f100a900d9, 0x003e000f002500ad}, - {0x00e6003b00fd006a, 0x00be0003002c001c, 0x00240037004d001a, 0x002e00df00050074}, - {0x00c600c500d300d4, 0x00ca009d00cf00a7, 0x008b00c80072003e, 0x009a001a005f00c9}, - {0x00fc0066006b00b5, 0x00e7003500ad0059, 0x003600a6009100c5, 0x00bf003b00780025}, - {0x007b001700b10077, 0x00e1009f000800ef, 0x0040002b00ff00b8, 0x00ab00a9005b008c}, - {0x00e300b800fe00ee, 0x00af0028003a00ac, 0x002d007a00370015, 0x00320055003400de}, - {0x009600a900df00c1, 0x001a00b900260024, 0x0060002c00640055, 0x00590091003b000f} -}; -static const __m256i alpha_ij256_2[45] = { - {0x00b4005a002d0098, 0x008f00c900ea0075, 0x0018000c00060003, 0x0000000000600030}, - {0x006a00940025004e, 0x0046009f00ee00b5, 0x005d005000140005, 0x0000000000b90069}, - {0x00b900ba0050000a, 0x0065002f006100a1, 0x006b00e70078000f, 0x0000000000df007f}, - {0x00fd001e00650099, 0x00d9005b00fe006b, 0x008100d0000d0011, 0x00000000003b00f8}, - {0x001100e200df00d6, 0x003b007c0067001a, 0x008400a9002e0033, 0x000000000055004d}, - {0x003b003e00d00044, 0x00a8002100b80066, 0x00fc00bf00e40055, 0x00000000009600f1}, - {0x0084006d00660093, 0x00fc00d100390029, 0x00c80057006200ff, 0x00000000005900e0}, - {0x00e6004900a8004f, 0x0082009500e300fc, 0x001200c30051001c, 0x00000000002c00f7}, - {0x009600b300bf0092, 0x00c300a600070057, 0x00ad007d00fb0024, 0x0000000000260040}, - {0x001c00ae009600d7, 0x002c00f400ac0059, 0x000300260020006c, 0x0000000000c1009c}, - {0x00ac00a2000700dc, 0x003a004700b000f5, 0x002800b500c000b4, 0x00000000000f005f}, - {0x002c003d00c300dd, 0x00270075003a00ad, 0x00e7002f00ba00c1, 0x00000000001a00b6}, - {0x0020008300fb0045, 0x00ba00ee00c0002d, 0x00bd00d900bb005e, 0x0000000000a900ec}, - {0x000300e800ad000b, 0x00e700c200280035, 0x009e00c500bd00e2, 0x00000000009100aa}, - {0x00c1006000260001, 0x001a00df000f00b9, 0x0091005500a9003b, 0x0000000000640096}, - {0x00be008c00270098, 0x0017001f00af00e7, 0x001900db00d1004d, 0x00000000002400a2}, - {0x00d60099000a004e, 0x0092004f00930044, 
0x004500dd00dc00d7, 0x000000000001000b}, - {0x001a007f002f000a, 0x00db0073001500c5, 0x003600f500f20064, 0x00000000006000cd}, - {0x00330034007f0099, 0x00380062006300a8, 0x00ea0008001600ac, 0x0000000000b900d4}, - {0x004d0033001a00d6, 0x002400a700370091, 0x00050060007400e9, 0x0000000000df005e}, - {0x009100a800c50044, 0x0036003d00a6006e, 0x007800ba00250026, 0x00000000003b0086}, - {0x0037006300150093, 0x002d00d8007a00a6, 0x0034006b00de006a, 0x0000000000550085}, - {0x00a700620073004f, 0x00b5005a00d8003d, 0x00da00ce00fe00be, 0x00000000009600d5}, - {0x0024003800db0092, 0x006100b5002d0036, 0x00bf0021003e00df, 0x000000000059006e}, - {0x00e900ac006400d7, 0x00df00be006a0026, 0x00ae00910084007c, 0x00000000002c00ef}, - {0x0074001600f200dc, 0x003e00fe00de0025, 0x002b0082003f0084, 0x00000000002600fa}, - {0x0060000800f500dd, 0x002100ce006b00ba, 0x00cf005600820091, 0x0000000000c1002d}, - {0x000500ea00360045, 0x00bf00da00340078, 0x005a00cf002b00ae, 0x00000000000f0023}, - {0x005e00d400cd000b, 0x006e00d500850086, 0x0023002d00fa00ef, 0x00000000001a001e}, - {0x00df00b900600001, 0x005900960055003b, 0x000f00c10026002c, 0x0000000000a9001a}, - {0x006700f000460098, 0x00fb00e0007b0015, 0x0088006500d40074, 0x00000000009100da}, - {0x002e00430061004e, 0x00080048003200bf, 0x005c008600c2009c, 0x0000000000640063}, - {0x005500ed006b000a, 0x000c003600c300c4, 0x0073006600b600b9, 0x0000000000240082}, - {0x00d7004f00440099, 0x000a0098000b00dd, 0x00dc0092009300d6, 0x0000000000010045}, - {0x00ae0072003b00d6, 0x000f006a00200024, 0x00ef0096004d0067, 0x000000000060006c}, - {0x005900f100210044, 0x008600a1000c00cf, 0x007d00a600b300a9, 0x0000000000b9008f}, - {0x00f4001900e40093, 0x00c500b1008c00cd, 0x004c00fb008d00e6, 0x0000000000df0028}, - {0x006c007900f1004f, 0x002900bd00bc0027, 0x00ee004000090037, 0x00000000003b00d3}, - {0x002600f500820092, 0x00b300b800b60050, 0x0065002700360059, 0x00000000005500ce}, - {0x009c006c005900d7, 0x00640072007c000f, 0x001100b900b400eb, 0x0000000000960084}, - {0x00a00013003d00dc, 
0x005600ab009e00d9, 0x0085007f009f0020, 0x00000000005900e5}, - {0x000f002700cf00dd, 0x007d0038007300ed, 0x00e4003e00650060, 0x00000000002c0007}, - {0x00e20014003a0045, 0x00cd001200310021, 0x00950015004300a0, 0x0000000000260090}, - {0x007c00bc000c000b, 0x0025008300e00073, 0x007900fc009700fd, 0x0000000000c10002}, - {0x00a900df00c10001, 0x00b9002600240096, 0x002c00640055001a, 0x00000000000f0060} -}; - - -/** - * @brief Encodes a message message of PARAM_K bits to a Reed-Solomon codeword codeword of PARAM_N1 bytes - * - * Following @cite lin1983error (Chapter 4 - Cyclic Codes), - * We perform a systematic encoding using a linear (PARAM_N1 - PARAM_K)-stage shift register - * with feedback connections based on the generator polynomial PARAM_RS_POLY of the Reed-Solomon code. - * - * @param[out] cdw Array of size VEC_N1_SIZE_64 receiving the encoded message - * @param[in] msg Array of size VEC_K_SIZE_64 storing the message - */ -void PQCLEAN_HQCRMRS128_AVX2_reed_solomon_encode(uint8_t *cdw, const uint8_t *msg) { - size_t i, k; - uint8_t gate_value = 0; - uint8_t prev, x; - - union { - uint16_t arr16[16 * CEIL_DIVIDE(PARAM_G, 16)]; - __m256i dummy; - } tmp = {0}; - - union { - uint16_t arr16[16 * CEIL_DIVIDE(PARAM_G, 16)]; - __m256i dummy; - } PARAM_RS_POLY = {{ RS_POLY_COEFS }}; - - __m256i *tmp256 = (__m256i *)tmp.arr16; - __m256i *param256 = (__m256i *)PARAM_RS_POLY.arr16; - - for (i = 0; i < PARAM_K; ++i) { - gate_value = (uint8_t) (msg[PARAM_K - 1 - i] ^ cdw[PARAM_N1 - PARAM_K - 1]); - _mm256_storeu_si256(&tmp256[0], PQCLEAN_HQCRMRS128_AVX2_gf_mul_vect(_mm256_set1_epi16(gate_value), param256[0])); - _mm256_storeu_si256(&tmp256[1], PQCLEAN_HQCRMRS128_AVX2_gf_mul_vect(_mm256_set1_epi16(gate_value), param256[1])); - - prev = 0; - for (k = 0; k < PARAM_N1 - PARAM_K; k++) { - x = cdw[k]; - cdw[k] = (uint8_t) (prev ^ tmp.arr16[k]); - prev = x; - } - } - - memcpy(cdw + PARAM_N1 - PARAM_K, msg, PARAM_K); -} - - - -/** - * @brief Computes 2 * PARAM_DELTA syndromes - * - * 
@param[out] syndromes Array of size 2 * PARAM_DELTA receiving the computed syndromes - * @param[in] cdw Array of size PARAM_N1 storing the received vector - */ -void compute_syndromes(uint16_t *syndromes, uint8_t *cdw) { - __m256i *syndromes256 = (__m256i *) syndromes; - __m256i last_syndromes256; - syndromes256[0] = _mm256_set1_epi16(cdw[0]); - - for (size_t i = 0; i < PARAM_N1 - 1; ++i) { - syndromes256[0] ^= PQCLEAN_HQCRMRS128_AVX2_gf_mul_vect(_mm256_set1_epi16(cdw[i + 1]), alpha_ij256_1[i]); - } - - last_syndromes256 = _mm256_set1_epi16(cdw[0]); - - for (size_t i = 0; i < PARAM_N1 - 1; ++i) { - last_syndromes256 ^= PQCLEAN_HQCRMRS128_AVX2_gf_mul_vect(_mm256_set1_epi16(cdw[i + 1]), alpha_ij256_2[i]); - } - - __m128i *s128 = (__m128i *) &last_syndromes256; - _mm_store_si128((__m128i *) (syndromes + 16), *s128); - - uint64_t *s8 = (uint64_t *) (syndromes + 24); - s8[0] = _mm_extract_epi64(s128[1], 0); - - uint32_t *s12 = (uint32_t *) (syndromes + 28); - uint32_t *s32 = ((uint32_t *) &last_syndromes256) + 6; - s12[0] = *s32; -} - - - -/** - * @brief Computes the error locator polynomial (ELP) sigma - * - * This is a constant time implementation of Berlekamp's simplified algorithm (see @cite lin1983error (Chapter 6 - BCH Codes).
- * We use the letter p for rho which is initialized at -1.
- * The array X_sigma_p represents the polynomial X^(mu-rho)*sigma_p(X).
- * Instead of maintaining a list of sigmas, we update in place both sigma and X_sigma_p.
- * sigma_copy serves as a temporary save of sigma in case X_sigma_p needs to be updated.
- * We can properly correct only if the degree of sigma does not exceed PARAM_DELTA. - * This means only the first PARAM_DELTA + 1 coefficients of sigma are of value - * and we only need to save its first PARAM_DELTA - 1 coefficients. - * - * @returns the degree of the ELP sigma - * @param[out] sigma Array of size (at least) PARAM_DELTA receiving the ELP - * @param[in] syndromes Array of size (at least) 2*PARAM_DELTA storing the syndromes - */ -static uint16_t compute_elp(uint16_t *sigma, const uint16_t *syndromes) { - uint16_t deg_sigma = 0; - uint16_t deg_sigma_p = 0; - uint16_t deg_sigma_copy = 0; - uint16_t sigma_copy[PARAM_DELTA + 1] = {0}; - uint16_t X_sigma_p[PARAM_DELTA + 1] = {0, 1}; - uint16_t pp = (uint16_t) -1; // 2*rho - uint16_t d_p = 1; - uint16_t d = syndromes[0]; - - uint16_t mask1, mask2, mask12; - uint16_t deg_X, deg_X_sigma_p; - uint16_t dd; - uint16_t mu; - - uint16_t i; - - sigma[0] = 1; - for (mu = 0; (mu < (2 * PARAM_DELTA)); ++mu) { - // Save sigma in case we need it to update X_sigma_p - memcpy(sigma_copy, sigma, 2 * (PARAM_DELTA)); - deg_sigma_copy = deg_sigma; - - dd = PQCLEAN_HQCRMRS128_AVX2_gf_mul(d, PQCLEAN_HQCRMRS128_AVX2_gf_inverse(d_p)); - - for (i = 1; (i <= mu + 1) && (i <= PARAM_DELTA); ++i) { - sigma[i] ^= PQCLEAN_HQCRMRS128_AVX2_gf_mul(dd, X_sigma_p[i]); - } - - deg_X = mu - pp; - deg_X_sigma_p = deg_X + deg_sigma_p; - - // mask1 = 0xffff if(d != 0) and 0 otherwise - mask1 = -((uint16_t) - d >> 15); - - // mask2 = 0xffff if(deg_X_sigma_p > deg_sigma) and 0 otherwise - mask2 = -((uint16_t) (deg_sigma - deg_X_sigma_p) >> 15); - - // mask12 = 0xffff if the deg_sigma increased and 0 otherwise - mask12 = mask1 & mask2; - deg_sigma ^= mask12 & (deg_X_sigma_p ^ deg_sigma); - - if (mu == (2 * PARAM_DELTA - 1)) { - break; - } - - pp ^= mask12 & (mu ^ pp); - d_p ^= mask12 & (d ^ d_p); - for (i = PARAM_DELTA; i; --i) { - X_sigma_p[i] = (mask12 & sigma_copy[i - 1]) ^ (~mask12 & X_sigma_p[i - 1]); - } - - deg_sigma_p ^= mask12 & 
(deg_sigma_copy ^ deg_sigma_p); - d = syndromes[mu + 1]; - - for (i = 1; (i <= mu + 1) && (i <= PARAM_DELTA); ++i) { - d ^= PQCLEAN_HQCRMRS128_AVX2_gf_mul(sigma[i], syndromes[mu + 1 - i]); - } - } - - return deg_sigma; -} - - - -/** - * @brief Computes the error polynomial error from the error locator polynomial sigma - * - * See function PQCLEAN_HQCRMRS128_AVX2_fft for more details. - * - * @param[out] error Array of 2^PARAM_M elements receiving the error polynomial - * @param[out] error_compact Array of PARAM_DELTA + PARAM_N1 elements receiving a compact representation of the vector error - * @param[in] sigma Array of 2^PARAM_FFT elements storing the error locator polynomial - */ -static void compute_roots(uint8_t *error, uint16_t *sigma) { - uint16_t w[1 << PARAM_M] = {0}; - - PQCLEAN_HQCRMRS128_AVX2_fft(w, sigma, PARAM_DELTA + 1); - PQCLEAN_HQCRMRS128_AVX2_fft_retrieve_error_poly(error, w); -} - - - -/** - * @brief Computes the polynomial z(x) - * - * See @cite lin1983error (Chapter 6 - BCH Codes) for more details. 
- * - * @param[out] z Array of PARAM_DELTA + 1 elements receiving the polynomial z(x) - * @param[in] sigma Array of 2^PARAM_FFT elements storing the error locator polynomial - * @param[in] degree Integer that is the degree of polynomial sigma - * @param[in] syndromes Array of 2 * PARAM_DELTA storing the syndromes - */ -static void compute_z_poly(uint16_t *z, const uint16_t *sigma, uint16_t degree, const uint16_t *syndromes) { - size_t i, j; - uint16_t mask; - - z[0] = 1; - - for (i = 1; i < PARAM_DELTA + 1; ++i) { - mask = -((uint16_t) (i - degree - 1) >> 15); - z[i] = mask & sigma[i]; - } - - z[1] ^= syndromes[0]; - - for (i = 2; i <= PARAM_DELTA; ++i) { - mask = -((uint16_t) (i - degree - 1) >> 15); - z[i] ^= mask & syndromes[i - 1]; - - for (j = 1; j < i; ++j) { - z[i] ^= mask & PQCLEAN_HQCRMRS128_AVX2_gf_mul(sigma[j], syndromes[i - j - 1]); - } - } -} - - - -/** - * @brief Computes the error values - * - * See @cite lin1983error (Chapter 6 - BCH Codes) for more details. - * - * @param[out] error_values Array of PARAM_DELTA elements receiving the error values - * @param[in] z Array of PARAM_DELTA + 1 elements storing the polynomial z(x) - * @param[in] z_degree Integer that is the degree of polynomial z(x) - * @param[in] error_compact Array of PARAM_DELTA + PARAM_N1 storing compact representation of the error - */ -static void compute_error_values(uint16_t *error_values, const uint16_t *z, const uint8_t *error) { - uint16_t beta_j[PARAM_DELTA] = {0}; - uint16_t e_j[PARAM_DELTA] = {0}; - - uint16_t delta_counter; - uint16_t delta_real_value; - uint16_t found; - uint16_t mask1; - uint16_t mask2; - uint16_t tmp1; - uint16_t tmp2; - uint16_t inverse; - uint16_t inverse_power_j; - - // Compute the beta_{j_i} page 31 of the documentation - delta_counter = 0; - for (size_t i = 0; i < PARAM_N1; i++) { - found = 0; - mask1 = (uint16_t) (-((int32_t)error[i]) >> 31); // error[i] != 0 - for (size_t j = 0; j < PARAM_DELTA; j++) { - mask2 = ~((uint16_t) (-((int32_t) j ^ 
delta_counter) >> 31)); // j == delta_counter - beta_j[j] += mask1 & mask2 & gf_exp[i]; - found += mask1 & mask2 & 1; - } - delta_counter += found; - } - delta_real_value = delta_counter; - - // Compute the e_{j_i} page 31 of the documentation - for (size_t i = 0; i < PARAM_DELTA; ++i) { - tmp1 = 1; - tmp2 = 1; - inverse = PQCLEAN_HQCRMRS128_AVX2_gf_inverse(beta_j[i]); - inverse_power_j = 1; - - for (size_t j = 1; j <= PARAM_DELTA; ++j) { - inverse_power_j = PQCLEAN_HQCRMRS128_AVX2_gf_mul(inverse_power_j, inverse); - tmp1 ^= PQCLEAN_HQCRMRS128_AVX2_gf_mul(inverse_power_j, z[j]); - } - for (size_t k = 1; k < PARAM_DELTA; ++k) { - tmp2 = PQCLEAN_HQCRMRS128_AVX2_gf_mul(tmp2, (1 ^ PQCLEAN_HQCRMRS128_AVX2_gf_mul(inverse, beta_j[(i + k) % PARAM_DELTA]))); - } - mask1 = (uint16_t) (((int16_t) i - delta_real_value) >> 15); // i < delta_real_value - e_j[i] = mask1 & PQCLEAN_HQCRMRS128_AVX2_gf_mul(tmp1, PQCLEAN_HQCRMRS128_AVX2_gf_inverse(tmp2)); - } - - // Place the delta e_{j_i} values at the right coordinates of the output vector - delta_counter = 0; - for (size_t i = 0; i < PARAM_N1; ++i) { - found = 0; - mask1 = (uint16_t) (-((int32_t)error[i]) >> 31); // error[i] != 0 - for (size_t j = 0; j < PARAM_DELTA; j++) { - mask2 = ~((uint16_t) (-((int32_t) j ^ delta_counter) >> 31)); // j == delta_counter - error_values[i] += mask1 & mask2 & e_j[j]; - found += mask1 & mask2 & 1; - } - delta_counter += found; - } -} - - - -/** - * @brief Correct the errors - * - * @param[out] cdw Array of PARAM_N1 elements receiving the corrected vector - * @param[in] error Array of the error vector - * @param[in] error_values Array of PARAM_DELTA elements storing the error values - */ -static void correct_errors(uint8_t *cdw, const uint16_t *error_values) { - for (size_t i = 0; i < PARAM_N1; ++i) { - cdw[i] ^= error_values[i]; - } -} - - - -/** - * @brief Decodes the received word - * - * This function relies on six steps: - *
    - *
  1. The first step, is the computation of the 2*PARAM_DELTA syndromes. - *
  2. The second step is the computation of the error-locator polynomial sigma. - *
  3. The third step, done by additive FFT, is finding the error-locator numbers by calculating the roots of the polynomial sigma and takings their inverses. - *
  4. The fourth step, is the polynomial z(x). - *
  5. The fifth step, is the computation of the error values. - *
  6. The sixth step is the correction of the errors in the received polynomial. - *
- * For a more complete picture on Reed-Solomon decoding, see Shu. Lin and Daniel J. Costello in Error Control Coding: Fundamentals and Applications @cite lin1983error - * - * @param[out] msg Array of size VEC_K_SIZE_64 receiving the decoded message - * @param[in] cdw Array of size VEC_N1_SIZE_64 storing the received word - */ -void PQCLEAN_HQCRMRS128_AVX2_reed_solomon_decode(uint8_t *msg, uint8_t *cdw) { - uint16_t syndromes[2 * PARAM_DELTA] = {0}; - uint16_t sigma[1 << PARAM_FFT] = {0}; - uint8_t error[1 << PARAM_M] = {0}; - uint16_t z[PARAM_N1] = {0}; - uint16_t error_values[PARAM_N1] = {0}; - uint16_t deg; - - // Calculate the 2*PARAM_DELTA syndromes - compute_syndromes(syndromes, cdw); - - // Compute the error locator polynomial sigma - // Sigma's degree is at most PARAM_DELTA but the FFT requires the extra room - deg = compute_elp(sigma, syndromes); - - // Compute the error polynomial error - compute_roots(error, sigma); - - // Compute the polynomial z(x) - compute_z_poly(z, sigma, deg, syndromes); - - // Compute the error values - compute_error_values(error_values, z, error); - - // Correct the errors - correct_errors(cdw, error_values); - - // Retrieve the message from the decoded codeword - memcpy(msg, cdw + (PARAM_G - 1), PARAM_K); - -} diff --git a/crypto_kem/hqc-rmrs-128/avx2/reed_solomon.h b/crypto_kem/hqc-rmrs-128/avx2/reed_solomon.h deleted file mode 100644 index f42de097..00000000 --- a/crypto_kem/hqc-rmrs-128/avx2/reed_solomon.h +++ /dev/null 
@@ -1,20 +0,0 @@ -#ifndef REED_SOLOMON_H -#define REED_SOLOMON_H - - -/** - * @file reed_solomon.h - * Header file of reed_solomon.c - */ -#include "parameters.h" -#include -#include - -static const uint16_t alpha_ij_pow [48][79] = {{2, 4, 8, 16, 32, 64, 128, 29, 58, 116, 232, 205, 135, 19, 38, 76, 152, 45, 90, 180, 117, 234, 201, 143, 3, 6, 12, 24, 48, 96, 192, 157, 39, 78, 156, 37, 74, 148, 53, 106, 212, 181, 119, 238, 193, 159, 35, 70, 140, 5, 10, 20, 40, 80, 160, 93, 186, 105, 210, 185, 111, 222, 161, 95, 190, 97, 194, 153, 47, 94, 188, 101, 202, 137, 15, 30, 60, 120, 240}, {4, 16, 64, 29, 116, 205, 19, 76, 45, 180, 234, 143, 6, 24, 96, 157, 78, 37, 148, 106, 181, 238, 159, 70, 5, 20, 80, 93, 105, 185, 222, 95, 97, 153, 94, 101, 137, 30, 120, 253, 211, 107, 177, 254, 223, 91, 113, 217, 67, 17, 68, 13, 52, 208, 103, 129, 62, 248, 199, 59, 236, 151, 102, 133, 46, 184, 218, 79, 33, 132, 42, 168, 154, 82, 85, 73, 57, 228, 183}, {8, 64, 58, 205, 38, 45, 117, 143, 12, 96, 39, 37, 53, 181, 193, 70, 10, 80, 186, 185, 161, 97, 47, 101, 15, 120, 231, 107, 127, 223, 182, 217, 134, 68, 26, 208, 206, 62, 237, 59, 197, 102, 23, 184, 169, 33, 21, 168, 41, 85, 146, 228, 115, 191, 145, 252, 179, 241, 219, 150, 196, 110, 87, 130, 100, 7, 56, 221, 166, 89, 242, 195, 86, 138, 36, 61, 245, 251, 139}, {16, 29, 205, 76, 180, 143, 24, 157, 37, 106, 238, 70, 20, 93, 185, 95, 153, 101, 30, 253, 107, 254, 91, 217, 17, 13, 208, 129, 248, 59, 151, 133, 184, 79, 132, 168, 82, 73, 228, 230, 198, 252, 123, 227, 150, 149, 165, 130, 200, 28, 221, 81, 121, 195, 172, 18, 61, 247, 203, 44, 250, 27, 173, 2, 32, 58, 135, 152, 117, 3, 48, 39, 74, 212, 193, 140, 40, 186, 111}, {32, 116, 38, 180, 3, 96, 156, 106, 193, 5, 160, 185, 190, 94, 15, 253, 214, 223, 226, 17, 26, 103, 124, 59, 51, 46, 169, 132, 77, 85, 114, 230, 145, 215, 255, 150, 55, 174, 100, 28, 167, 89, 239, 172, 36, 244, 235, 44, 233, 108, 1, 32, 116, 38, 180, 3, 96, 156, 106, 193, 5, 160, 185, 190, 94, 15, 253, 214, 223, 226, 17, 26, 
103, 124, 59, 51, 46, 169, 132}, {64, 205, 45, 143, 96, 37, 181, 70, 80, 185, 97, 101, 120, 107, 223, 217, 68, 208, 62, 59, 102, 184, 33, 168, 85, 228, 191, 252, 241, 150, 110, 130, 7, 221, 89, 195, 138, 61, 251, 44, 207, 173, 8, 58, 38, 117, 12, 39, 53, 193, 10, 186, 161, 47, 15, 231, 127, 182, 134, 26, 206, 237, 197, 23, 169, 21, 41, 146, 115, 145, 179, 219, 196, 87, 100, 56, 166, 242, 86}, {128, 19, 117, 24, 156, 181, 140, 93, 161, 94, 60, 107, 163, 67, 26, 129, 147, 102, 109, 132, 41, 57, 209, 252, 255, 98, 87, 200, 224, 89, 155, 18, 245, 11, 233, 173, 16, 232, 45, 3, 157, 53, 159, 40, 185, 194, 137, 231, 254, 226, 68, 189, 248, 197, 46, 158, 168, 170, 183, 145, 123, 75, 110, 25, 28, 166, 249, 69, 61, 235, 176, 54, 2, 29, 38, 234, 48, 37, 119}, {29, 76, 143, 157, 106, 70, 93, 95, 101, 253, 254, 217, 13, 129, 59, 133, 79, 168, 73, 230, 252, 227, 149, 130, 28, 81, 195, 18, 247, 44, 27, 2, 58, 152, 3, 39, 212, 140, 186, 190, 202, 231, 225, 175, 26, 31, 118, 23, 158, 77, 146, 209, 229, 219, 55, 25, 56, 162, 155, 36, 243, 88, 54, 4, 116, 45, 6, 78, 181, 5, 105, 97, 137, 211, 223, 67, 52, 62, 236}, {58, 45, 12, 37, 193, 80, 161, 101, 231, 223, 134, 208, 237, 102, 169, 168, 146, 191, 179, 150, 87, 7, 166, 195, 36, 251, 125, 173, 64, 38, 143, 39, 181, 10, 185, 47, 120, 127, 217, 26, 62, 197, 184, 21, 85, 115, 252, 219, 110, 100, 221, 242, 138, 245, 44, 54, 8, 205, 117, 96, 53, 70, 186, 97, 15, 107, 182, 68, 206, 59, 23, 33, 41, 228, 145, 241, 196, 130, 56}, {116, 180, 96, 106, 5, 185, 94, 253, 223, 17, 103, 59, 46, 132, 85, 230, 215, 150, 174, 28, 89, 172, 244, 44, 108, 32, 38, 3, 156, 193, 160, 190, 15, 214, 226, 26, 124, 51, 169, 77, 114, 145, 255, 55, 100, 167, 239, 36, 235, 233, 1, 116, 180, 96, 106, 5, 185, 94, 253, 223, 17, 103, 59, 46, 132, 85, 230, 215, 150, 174, 28, 89, 172, 244, 44, 108, 32, 38, 3}, {232, 234, 39, 238, 160, 97, 60, 254, 134, 103, 118, 184, 84, 57, 145, 227, 220, 7, 162, 172, 245, 176, 71, 58, 180, 192, 181, 40, 95, 15, 177, 175, 208, 147, 46, 
21, 73, 99, 241, 55, 200, 166, 43, 122, 44, 216, 128, 45, 48, 106, 10, 222, 202, 107, 226, 52, 237, 133, 66, 85, 209, 123, 196, 50, 167, 195, 144, 11, 54, 32, 76, 12, 148, 140, 185, 188, 211, 182, 13}, {205, 143, 37, 70, 185, 101, 107, 217, 208, 59, 184, 168, 228, 252, 150, 130, 221, 195, 61, 44, 173, 58, 117, 39, 193, 186, 47, 231, 182, 26, 237, 23, 21, 146, 145, 219, 87, 56, 242, 36, 139, 54, 64, 45, 96, 181, 80, 97, 120, 223, 68, 62, 102, 33, 85, 191, 241, 110, 7, 89, 138, 251, 207, 8, 38, 12, 53, 10, 161, 15, 127, 134, 206, 197, 169, 41, 115, 179, 196}, {135, 6, 53, 20, 190, 120, 163, 13, 237, 46, 84, 228, 229, 98, 100, 81, 69, 251, 131, 32, 45, 192, 238, 186, 94, 187, 217, 189, 236, 169, 82, 209, 241, 220, 28, 242, 72, 22, 173, 116, 201, 37, 140, 222, 15, 254, 34, 62, 204, 132, 146, 63, 75, 130, 167, 43, 245, 250, 4, 38, 24, 212, 80, 194, 253, 182, 52, 147, 184, 77, 183, 179, 149, 141, 89, 9, 203, 54, 128}, {19, 24, 181, 93, 94, 107, 67, 129, 102, 132, 57, 252, 98, 200, 89, 18, 11, 173, 232, 3, 53, 40, 194, 231, 226, 189, 197, 158, 170, 145, 75, 25, 166, 69, 235, 54, 29, 234, 37, 5, 95, 120, 91, 52, 59, 218, 82, 191, 227, 174, 221, 43, 247, 207, 32, 90, 39, 35, 111, 15, 225, 136, 237, 92, 77, 115, 246, 220, 56, 239, 122, 125, 4, 76, 96, 238, 105, 101, 177}, {38, 96, 193, 185, 15, 223, 26, 59, 169, 85, 145, 150, 100, 89, 36, 44, 1, 38, 96, 193, 185, 15, 223, 26, 59, 169, 85, 145, 150, 100, 89, 36, 44, 1, 38, 96, 193, 185, 15, 223, 26, 59, 169, 85, 145, 150, 100, 89, 36, 44, 1, 38, 96, 193, 185, 15, 223, 26, 59, 169, 85, 145, 150, 100, 89, 36, 44, 1, 38, 96, 193, 185, 15, 223, 26, 59, 169, 85, 145}, {76, 157, 70, 95, 253, 217, 129, 133, 168, 230, 227, 130, 81, 18, 44, 2, 152, 39, 140, 190, 231, 175, 31, 23, 77, 209, 219, 25, 162, 36, 88, 4, 45, 78, 5, 97, 211, 67, 62, 46, 154, 191, 171, 50, 89, 72, 176, 8, 90, 156, 10, 194, 187, 134, 124, 92, 41, 99, 75, 100, 178, 144, 125, 16, 180, 37, 20, 153, 107, 17, 248, 184, 82, 198, 150, 200, 121, 61, 250}, {152, 78, 10, 
153, 214, 68, 147, 79, 146, 215, 220, 221, 69, 11, 1, 152, 78, 10, 153, 214, 68, 147, 79, 146, 215, 220, 221, 69, 11, 1, 152, 78, 10, 153, 214, 68, 147, 79, 146, 215, 220, 221, 69, 11, 1, 152, 78, 10, 153, 214, 68, 147, 79, 146, 215, 220, 221, 69, 11, 1, 152, 78, 10, 153, 214, 68, 147, 79, 146, 215, 220, 221, 69, 11, 1, 152, 78, 10, 153}, {45, 37, 80, 101, 223, 208, 102, 168, 191, 150, 7, 195, 251, 173, 38, 39, 10, 47, 127, 26, 197, 21, 115, 219, 100, 242, 245, 54, 205, 96, 70, 97, 107, 68, 59, 33, 228, 241, 130, 89, 61, 207, 58, 12, 193, 161, 231, 134, 237, 169, 146, 179, 87, 166, 36, 125, 64, 143, 181, 185, 120, 217, 62, 184, 85, 252, 110, 221, 138, 44, 8, 117, 53, 186, 15, 182, 206, 23, 41}, {90, 148, 186, 30, 226, 62, 109, 73, 179, 174, 162, 61, 131, 232, 96, 140, 153, 127, 52, 51, 168, 99, 98, 56, 172, 22, 8, 234, 212, 185, 240, 67, 237, 79, 114, 241, 25, 121, 245, 108, 19, 39, 20, 188, 223, 189, 133, 41, 63, 55, 221, 9, 176, 64, 3, 238, 161, 211, 34, 59, 66, 183, 219, 200, 239, 251, 71, 152, 37, 160, 137, 182, 129, 92, 85, 229, 165, 166, 72}, {180, 106, 185, 253, 17, 59, 132, 230, 150, 28, 172, 44, 32, 3, 193, 190, 214, 26, 51, 77, 145, 55, 167, 36, 233, 116, 96, 5, 94, 223, 103, 46, 85, 215, 174, 89, 244, 108, 38, 156, 160, 15, 226, 124, 169, 114, 255, 100, 239, 235, 1, 180, 106, 185, 253, 17, 59, 132, 230, 150, 28, 172, 44, 32, 3, 193, 190, 214, 26, 51, 77, 145, 55, 167, 36, 233, 116, 96, 5}, {117, 181, 161, 107, 26, 102, 41, 252, 87, 89, 245, 173, 45, 53, 185, 231, 68, 197, 168, 145, 110, 166, 61, 54, 38, 37, 186, 120, 134, 59, 21, 191, 196, 221, 36, 207, 205, 39, 80, 15, 217, 237, 33, 115, 150, 56, 138, 125, 58, 96, 10, 101, 182, 62, 169, 228, 219, 7, 86, 44, 64, 12, 70, 47, 223, 206, 184, 146, 241, 100, 195, 139, 8, 143, 193, 97, 127, 208, 23}, {234, 238, 97, 254, 103, 184, 57, 227, 7, 172, 176, 58, 192, 40, 15, 175, 147, 21, 99, 55, 166, 122, 216, 45, 106, 222, 107, 52, 133, 85, 123, 50, 195, 11, 32, 12, 140, 188, 182, 124, 158, 115, 49, 224, 36, 131, 
19, 37, 105, 253, 68, 151, 154, 252, 174, 121, 251, 2, 201, 193, 194, 225, 206, 109, 114, 219, 14, 69, 125, 116, 157, 80, 30, 67, 59, 42, 198, 110, 81}, {201, 159, 47, 91, 124, 33, 209, 149, 166, 244, 71, 117, 238, 194, 223, 31, 79, 115, 98, 167, 61, 216, 90, 181, 190, 254, 206, 218, 213, 150, 224, 72, 54, 152, 106, 161, 177, 189, 184, 114, 171, 56, 18, 131, 38, 148, 111, 107, 104, 46, 146, 227, 14, 138, 233, 135, 37, 210, 211, 26, 133, 170, 241, 141, 172, 125, 232, 78, 186, 253, 136, 102, 164, 123, 100, 43, 88, 58, 157}, {143, 70, 101, 217, 59, 168, 252, 130, 195, 44, 58, 39, 186, 231, 26, 23, 146, 219, 56, 36, 54, 45, 181, 97, 223, 62, 33, 191, 110, 89, 251, 8, 12, 10, 15, 134, 197, 41, 179, 100, 86, 125, 205, 37, 185, 107, 208, 184, 228, 150, 221, 61, 173, 117, 193, 47, 182, 237, 21, 145, 87, 242, 139, 64, 96, 80, 120, 68, 102, 85, 241, 7, 138, 207, 38, 53, 161, 127, 206}, {3, 5, 15, 17, 51, 85, 255, 28, 36, 108, 180, 193, 94, 226, 59, 77, 215, 100, 172, 233, 38, 106, 190, 223, 124, 132, 145, 174, 239, 44, 116, 156, 185, 214, 103, 169, 230, 55, 89, 235, 32, 96, 160, 253, 26, 46, 114, 150, 167, 244, 1, 3, 5, 15, 17, 51, 85, 255, 28, 36, 108, 180, 193, 94, 226, 59, 77, 215, 100, 172, 233, 38, 106, 190, 223, 124, 132, 145, 174}, {6, 20, 120, 13, 46, 228, 98, 81, 251, 32, 192, 186, 187, 189, 169, 209, 220, 242, 22, 116, 37, 222, 254, 62, 132, 63, 130, 43, 250, 38, 212, 194, 182, 147, 77, 179, 141, 9, 54, 180, 159, 101, 67, 151, 85, 227, 112, 61, 142, 3, 10, 60, 136, 23, 114, 49, 166, 243, 16, 96, 93, 211, 208, 218, 230, 110, 121, 11, 58, 156, 111, 127, 31, 66, 145, 65, 155, 125, 19}, {12, 80, 231, 208, 169, 191, 87, 195, 125, 38, 181, 47, 217, 197, 85, 219, 221, 245, 8, 96, 186, 107, 206, 33, 145, 130, 86, 207, 45, 193, 101, 134, 102, 146, 150, 166, 251, 64, 39, 185, 127, 62, 21, 252, 100, 138, 54, 117, 70, 15, 68, 23, 228, 196, 89, 139, 58, 37, 161, 223, 237, 168, 179, 7, 36, 173, 143, 10, 120, 26, 184, 115, 110, 242, 44, 205, 53, 97, 182}, {24, 93, 107, 129, 132, 
252, 200, 18, 173, 3, 40, 231, 189, 158, 145, 25, 69, 54, 234, 5, 120, 52, 218, 191, 174, 43, 207, 90, 35, 15, 136, 92, 115, 220, 239, 125, 76, 238, 101, 17, 133, 228, 149, 121, 44, 135, 212, 47, 175, 51, 146, 49, 162, 139, 116, 148, 97, 113, 236, 85, 171, 83, 251, 128, 156, 161, 163, 147, 41, 255, 224, 245, 16, 157, 185, 254, 248, 168, 123}, {48, 105, 127, 248, 77, 241, 224, 247, 64, 156, 95, 182, 236, 170, 150, 162, 11, 205, 212, 94, 134, 133, 213, 110, 239, 250, 45, 35, 30, 26, 218, 99, 130, 69, 108, 143, 40, 211, 206, 132, 229, 7, 144, 2, 96, 210, 254, 237, 154, 255, 221, 243, 128, 37, 190, 113, 197, 73, 49, 89, 22, 135, 181, 188, 17, 23, 183, 220, 195, 233, 90, 70, 60, 52, 169, 198, 25, 138, 216}, {96, 185, 223, 59, 85, 150, 89, 44, 38, 193, 15, 26, 169, 145, 100, 36, 1, 96, 185, 223, 59, 85, 150, 89, 44, 38, 193, 15, 26, 169, 145, 100, 36, 1, 96, 185, 223, 59, 85, 150, 89, 44, 38, 193, 15, 26, 169, 145, 100, 36, 1, 96, 185, 223, 59, 85, 150, 89, 44, 38, 193, 15, 26, 169, 145, 100, 36, 1, 96, 185, 223, 59, 85, 150, 89, 44, 38, 193, 15}, {192, 222, 182, 151, 114, 110, 155, 27, 143, 160, 177, 237, 82, 75, 89, 88, 152, 70, 240, 103, 21, 123, 224, 251, 116, 212, 101, 136, 218, 145, 200, 144, 8, 78, 190, 217, 204, 183, 87, 172, 216, 12, 105, 225, 59, 170, 98, 242, 250, 180, 10, 211, 31, 168, 255, 83, 139, 135, 238, 15, 52, 158, 252, 14, 244, 64, 74, 153, 134, 46, 209, 130, 9, 142, 96, 111, 91, 197, 57}, {157, 95, 217, 133, 230, 130, 18, 2, 39, 190, 175, 23, 209, 25, 36, 4, 78, 97, 67, 46, 191, 50, 72, 8, 156, 194, 134, 92, 99, 100, 144, 16, 37, 153, 17, 184, 198, 200, 61, 32, 74, 47, 34, 109, 145, 141, 122, 64, 148, 94, 68, 218, 63, 7, 244, 128, 53, 188, 136, 169, 126, 14, 245, 29, 106, 101, 13, 79, 252, 28, 247, 58, 212, 202, 26, 158, 229, 56, 243}, {39, 97, 134, 184, 145, 7, 245, 58, 181, 15, 208, 21, 241, 166, 44, 45, 10, 107, 237, 85, 196, 195, 54, 12, 185, 182, 102, 115, 130, 36, 8, 37, 47, 68, 169, 252, 56, 251, 205, 193, 120, 206, 168, 219, 89, 125, 117, 80, 
127, 59, 146, 110, 86, 173, 96, 161, 217, 23, 191, 100, 61, 64, 53, 101, 26, 33, 179, 221, 139, 38, 70, 231, 62, 41, 150, 242, 207, 143, 186}, {78, 153, 68, 79, 215, 221, 11, 152, 10, 214, 147, 146, 220, 69, 1, 78, 153, 68, 79, 215, 221, 11, 152, 10, 214, 147, 146, 220, 69, 1, 78, 153, 68, 79, 215, 221, 11, 152, 10, 214, 147, 146, 220, 69, 1, 78, 153, 68, 79, 215, 221, 11, 152, 10, 214, 147, 146, 220, 69, 1, 78, 153, 68, 79, 215, 221, 11, 152, 10, 214, 147, 146, 220, 69, 1, 78, 153, 68, 79}, {156, 94, 26, 132, 255, 89, 233, 3, 185, 226, 46, 145, 28, 235, 38, 5, 214, 59, 114, 174, 36, 32, 106, 15, 103, 77, 150, 239, 108, 96, 190, 17, 169, 215, 167, 44, 180, 160, 223, 51, 230, 100, 244, 116, 193, 253, 124, 85, 55, 172, 1, 156, 94, 26, 132, 255, 89, 233, 3, 185, 226, 46, 145, 28, 235, 38, 5, 214, 59, 114, 174, 36, 32, 106, 15, 103, 77, 150, 239}, {37, 101, 208, 168, 150, 195, 173, 39, 47, 26, 21, 219, 242, 54, 96, 97, 68, 33, 241, 89, 207, 12, 161, 134, 169, 179, 166, 125, 143, 185, 217, 184, 252, 221, 44, 117, 186, 182, 23, 145, 56, 139, 45, 80, 223, 102, 191, 7, 251, 38, 10, 127, 197, 115, 100, 245, 205, 70, 107, 59, 228, 130, 61, 58, 193, 231, 237, 146, 87, 36, 64, 181, 120, 62, 85, 110, 138, 8, 53}, {74, 137, 206, 82, 55, 138, 16, 212, 120, 124, 73, 87, 72, 29, 193, 211, 147, 228, 25, 244, 205, 140, 177, 197, 230, 141, 251, 76, 40, 223, 204, 198, 56, 11, 180, 186, 113, 92, 252, 167, 176, 143, 111, 67, 169, 123, 162, 207, 24, 190, 68, 66, 227, 242, 108, 157, 47, 52, 84, 150, 155, 142, 37, 202, 103, 41, 149, 69, 8, 106, 60, 62, 170, 165, 36, 128, 238, 231, 199}, {148, 30, 62, 73, 174, 61, 232, 140, 127, 51, 99, 56, 22, 234, 185, 67, 79, 241, 121, 108, 39, 188, 189, 41, 55, 9, 64, 238, 211, 59, 183, 200, 251, 152, 160, 182, 92, 229, 166, 233, 24, 97, 13, 42, 150, 43, 2, 53, 60, 124, 146, 65, 122, 205, 5, 254, 102, 198, 112, 44, 201, 111, 134, 158, 255, 242, 216, 78, 101, 103, 82, 110, 18, 128, 193, 187, 118, 115, 141}, {53, 120, 237, 228, 100, 251, 45, 186, 217, 169, 
241, 242, 173, 37, 15, 62, 146, 130, 245, 38, 80, 182, 184, 179, 89, 54, 39, 101, 206, 85, 87, 61, 205, 10, 223, 23, 252, 166, 207, 96, 47, 208, 41, 110, 36, 58, 70, 127, 102, 145, 221, 125, 12, 97, 26, 168, 196, 138, 64, 193, 107, 197, 191, 56, 44, 143, 161, 68, 21, 150, 86, 8, 181, 231, 59, 115, 7, 139, 117}, {106, 253, 59, 230, 28, 44, 3, 190, 26, 77, 55, 36, 116, 5, 223, 46, 215, 89, 108, 156, 15, 124, 114, 100, 235, 180, 185, 17, 132, 150, 172, 32, 193, 214, 51, 145, 167, 233, 96, 94, 103, 85, 174, 244, 38, 160, 226, 169, 255, 239, 1, 106, 253, 59, 230, 28, 44, 3, 190, 26, 77, 55, 36, 116, 5, 223, 46, 215, 89, 108, 156, 15, 124, 114, 100, 235, 180, 185, 17}, {212, 211, 197, 198, 167, 207, 157, 202, 62, 114, 200, 139, 201, 95, 26, 154, 220, 61, 19, 160, 217, 158, 171, 86, 32, 159, 127, 133, 229, 89, 216, 74, 120, 147, 230, 56, 176, 24, 47, 103, 170, 130, 243, 90, 185, 34, 42, 196, 18, 116, 10, 91, 109, 241, 239, 2, 181, 187, 151, 145, 83, 131, 39, 137, 124, 228, 141, 11, 143, 190, 52, 41, 165, 122, 38, 93, 175, 33, 75}, {181, 107, 102, 252, 89, 173, 53, 231, 197, 145, 166, 54, 37, 120, 59, 191, 221, 207, 39, 15, 237, 115, 56, 125, 96, 101, 62, 228, 7, 44, 12, 47, 206, 146, 100, 139, 143, 97, 208, 85, 130, 251, 117, 161, 26, 41, 87, 245, 45, 185, 68, 168, 110, 61, 38, 186, 134, 21, 196, 36, 205, 80, 217, 33, 150, 138, 58, 10, 182, 169, 219, 86, 64, 70, 223, 184, 241, 195, 8}, {119, 177, 23, 123, 239, 8, 159, 225, 184, 255, 43, 64, 140, 91, 169, 171, 69, 58, 20, 226, 33, 49, 18, 205, 160, 67, 21, 149, 144, 38, 105, 34, 168, 220, 244, 45, 111, 13, 41, 174, 243, 117, 95, 104, 85, 25, 203, 143, 194, 103, 146, 200, 22, 12, 94, 31, 228, 14, 176, 96, 202, 248, 115, 112, 233, 39, 30, 147, 191, 167, 27, 37, 240, 236, 145, 81, 216, 53, 211}, {238, 254, 184, 227, 172, 58, 40, 175, 21, 55, 122, 45, 222, 52, 85, 50, 11, 12, 188, 124, 115, 224, 131, 37, 253, 151, 252, 121, 2, 193, 225, 109, 219, 69, 116, 80, 67, 42, 110, 244, 90, 161, 104, 170, 100, 22, 24, 101, 248, 230, 
221, 27, 74, 231, 51, 229, 242, 4, 159, 223, 218, 171, 138, 232, 160, 134, 84, 220, 245, 180, 95, 208, 73, 200, 44, 48, 202, 237, 209}, {193, 223, 169, 150, 36, 38, 185, 26, 85, 100, 44, 96, 15, 59, 145, 89, 1, 193, 223, 169, 150, 36, 38, 185, 26, 85, 100, 44, 96, 15, 59, 145, 89, 1, 193, 223, 169, 150, 36, 38, 185, 26, 85, 100, 44, 96, 15, 59, 145, 89, 1, 193, 223, 169, 150, 36, 38, 185, 26, 85, 100, 44, 96, 15, 59, 145, 89, 1, 193, 223, 169, 150, 36, 38, 185, 26, 85, 100, 44}, {159, 91, 33, 149, 244, 117, 194, 31, 115, 167, 216, 181, 254, 218, 150, 72, 152, 161, 189, 114, 56, 131, 148, 107, 46, 227, 138, 135, 210, 26, 170, 141, 125, 78, 253, 102, 123, 43, 58, 160, 34, 41, 25, 22, 96, 30, 236, 252, 249, 32, 10, 175, 84, 87, 235, 6, 101, 199, 198, 89, 2, 35, 182, 66, 55, 245, 234, 153, 62, 230, 83, 173, 119, 225, 169, 49, 144, 45, 95}, {35, 113, 21, 165, 235, 12, 137, 118, 252, 239, 128, 80, 34, 82, 100, 176, 78, 231, 133, 255, 138, 19, 111, 208, 114, 112, 54, 212, 254, 169, 98, 122, 117, 153, 124, 191, 162, 2, 70, 226, 42, 87, 203, 24, 15, 236, 229, 195, 29, 160, 68, 164, 200, 125, 156, 211, 23, 227, 9, 38, 222, 189, 228, 224, 108, 181, 225, 79, 196, 244, 234, 47, 248, 99, 89, 4, 140, 217, 84}, {70, 217, 168, 130, 44, 39, 231, 23, 219, 36, 45, 97, 62, 191, 89, 8, 10, 134, 41, 100, 125, 37, 107, 184, 150, 61, 117, 47, 237, 145, 242, 64, 80, 68, 85, 7, 207, 53, 127, 169, 196, 245, 143, 101, 59, 252, 195, 58, 186, 26, 146, 56, 54, 181, 223, 33, 110, 251, 12, 15, 197, 179, 86, 205, 185, 208, 228, 221, 173, 193, 182, 21, 87, 139, 96, 120, 102, 241, 138}}; - -void PQCLEAN_HQCRMRS128_AVX2_reed_solomon_encode(uint8_t *cdw, const uint8_t *msg); - -void PQCLEAN_HQCRMRS128_AVX2_reed_solomon_decode(uint8_t *msg, uint8_t *cdw); - - -#endif diff --git a/crypto_kem/hqc-rmrs-128/avx2/vector.c b/crypto_kem/hqc-rmrs-128/avx2/vector.c deleted file mode 100644 index 1fe644ec..00000000 --- a/crypto_kem/hqc-rmrs-128/avx2/vector.c +++ /dev/null 
@@ -1,178 +0,0 @@ -#include "nistseedexpander.h" -#include "parameters.h" -#include "parsing.h" -#include "randombytes.h" -#include "vector.h" -#include -#include -#include -/** - * @file vector.c - * @brief Implementation of vectors sampling and some utilities for the HQC scheme - */ - - - -/** - * @brief Generates a vector of a given Hamming weight - * - * This function generates uniformly at random a binary vector of a Hamming weight equal to the parameter weight. - * To generate the vector we have to sample uniformly at random values in the interval [0, PARAM_N -1]. Suppose the PARAM_N is equal to \f$ 70853 \f$, to select a position \f$ r\f$ the function works as follow: - * 1. It makes a call to the seedexpander function to obtain a random number \f$ x\f$ in \f$ [0, 2^{24}[ \f$. - * 2. Let \f$ t = \lfloor {2^{24} \over 70853} \rfloor \times 70853\f$ - * 3. If \f$ x \geq t\f$, go to 1 - * 4. It return \f$ r = x \mod 70853\f$ - * - * The parameter \f$ t \f$ is precomputed and it's denoted by UTILS_REJECTION_THRESHOLD (see the file parameters.h). 
- * - * @param[in] v Pointer to an array - * @param[in] weight Integer that is the Hamming weight - * @param[in] ctx Pointer to the context of the seed expander - */ -void PQCLEAN_HQCRMRS128_AVX2_vect_set_random_fixed_weight(AES_XOF_struct *ctx, uint64_t *v, uint16_t weight) { - size_t random_bytes_size = 3 * weight; - uint8_t rand_bytes[3 * PARAM_OMEGA_R] = {0}; - uint32_t tmp[PARAM_OMEGA_R] = {0}; - __m256i bit256[PARAM_OMEGA_R]; - __m256i bloc256[PARAM_OMEGA_R]; - __m256i posCmp256 = _mm256_set_epi64x(3, 2, 1, 0); - __m256i pos256; - __m256i mask256; - __m256i aux; - __m256i i256; - uint64_t bloc, pos, bit64; - uint8_t inc; - size_t i, j, k; - - i = 0; - j = random_bytes_size; - while (i < weight) { - do { - if (j == random_bytes_size) { - seedexpander(ctx, rand_bytes, random_bytes_size); - j = 0; - } - - tmp[i] = ((uint32_t) rand_bytes[j++]) << 16; - tmp[i] |= ((uint32_t) rand_bytes[j++]) << 8; - tmp[i] |= rand_bytes[j++]; - - } while (tmp[i] >= UTILS_REJECTION_THRESHOLD); - - tmp[i] = tmp[i] % PARAM_N; - - inc = 1; - for (k = 0; k < i; k++) { - if (tmp[k] == tmp[i]) { - inc = 0; - } - } - i += inc; - } - - for (i = 0; i < weight; i++) { - // we store the bloc number and bit position of each vb[i] - bloc = tmp[i] >> 6; - bloc256[i] = _mm256_set1_epi64x(bloc >> 2); - pos = (bloc & 0x3UL); - pos256 = _mm256_set1_epi64x(pos); - mask256 = _mm256_cmpeq_epi64(pos256, posCmp256); - bit64 = 1ULL << (tmp[i] & 0x3f); - bit256[i] = _mm256_set1_epi64x(bit64)&mask256; - } - - for (i = 0; i < CEIL_DIVIDE(PARAM_N, 256); i++) { - aux = _mm256_loadu_si256(((__m256i *)v) + i); - i256 = _mm256_set1_epi64x(i); - - for (j = 0; j < weight; j++) { - mask256 = _mm256_cmpeq_epi64(bloc256[j], i256); - aux ^= bit256[j] & mask256; - } - _mm256_storeu_si256(((__m256i *)v) + i, aux); - } - -} - - - -/** - * @brief Generates a random vector of dimension PARAM_N - * - * This function generates a random binary vector of dimension PARAM_N. 
It generates a random - * array of bytes using the seedexpander function, and drop the extra bits using a mask. - * - * @param[in] v Pointer to an array - * @param[in] ctx Pointer to the context of the seed expander - */ -void PQCLEAN_HQCRMRS128_AVX2_vect_set_random(AES_XOF_struct *ctx, uint64_t *v) { - uint8_t rand_bytes[VEC_N_SIZE_BYTES] = {0}; - - seedexpander(ctx, rand_bytes, VEC_N_SIZE_BYTES); - - PQCLEAN_HQCRMRS128_AVX2_load8_arr(v, VEC_N_SIZE_64, rand_bytes, VEC_N_SIZE_BYTES); - v[VEC_N_SIZE_64 - 1] &= RED_MASK; -} - - - -/** - * @brief Adds two vectors - * - * @param[out] o Pointer to an array that is the result - * @param[in] v1 Pointer to an array that is the first vector - * @param[in] v2 Pointer to an array that is the second vector - * @param[in] size Integer that is the size of the vectors - */ -void PQCLEAN_HQCRMRS128_AVX2_vect_add(uint64_t *o, const uint64_t *v1, const uint64_t *v2, uint32_t size) { - for (uint32_t i = 0; i < size; ++i) { - o[i] = v1[i] ^ v2[i]; - } -} - - - -/** - * @brief Compares two vectors - * - * @param[in] v1 Pointer to an array that is first vector - * @param[in] v2 Pointer to an array that is second vector - * @param[in] size Integer that is the size of the vectors - * @returns 0 if the vectors are equals and a negative/psotive value otherwise - */ -uint8_t PQCLEAN_HQCRMRS128_AVX2_vect_compare(const uint8_t *v1, const uint8_t *v2, uint32_t size) { - uint64_t r = 0; - for (size_t i = 0; i < size; i++) { - r |= v1[i] ^ v2[i]; - } - r = (~r + 1) >> 63; - return (uint8_t) r; -} - - - -/** - * @brief Resize a vector so that it contains size_o bits - * - * @param[out] o Pointer to the output vector - * @param[in] size_o Integer that is the size of the output vector in bits - * @param[in] v Pointer to the input vector - * @param[in] size_v Integer that is the size of the input vector in bits - */ -void PQCLEAN_HQCRMRS128_AVX2_vect_resize(uint64_t *o, uint32_t size_o, const uint64_t *v, uint32_t size_v) { - uint64_t mask = 
0x7FFFFFFFFFFFFFFF; - int8_t val = 0; - if (size_o < size_v) { - if (size_o % 64) { - val = 64 - (size_o % 64); - } - - memcpy(o, v, VEC_N1N2_SIZE_BYTES); - - for (int8_t i = 0; i < val; ++i) { - o[VEC_N1N2_SIZE_64 - 1] &= (mask >> i); - } - } else { - memcpy(o, v, CEIL_DIVIDE(size_v, 8)); - } -} diff --git a/crypto_kem/hqc-rmrs-128/avx2/vector.h b/crypto_kem/hqc-rmrs-128/avx2/vector.h deleted file mode 100644 index cba09fef..00000000 --- a/crypto_kem/hqc-rmrs-128/avx2/vector.h +++ /dev/null @@ -1,27 +0,0 @@ -#ifndef VECTOR_H -#define VECTOR_H - - -/** - * @file vector.h - * @brief Header file for vector.c - */ -#include "nistseedexpander.h" -#include "randombytes.h" -#include - -void PQCLEAN_HQCRMRS128_AVX2_vect_set_random_fixed_weight(AES_XOF_struct *ctx, uint64_t *v, uint16_t weight); - -void PQCLEAN_HQCRMRS128_AVX2_vect_set_random(AES_XOF_struct *ctx, uint64_t *v); - -void PQCLEAN_HQCRMRS128_AVX2_vect_set_random_from_randombytes(uint64_t *v); - - -void PQCLEAN_HQCRMRS128_AVX2_vect_add(uint64_t *o, const uint64_t *v1, const uint64_t *v2, uint32_t size); - -uint8_t PQCLEAN_HQCRMRS128_AVX2_vect_compare(const uint8_t *v1, const uint8_t *v2, uint32_t size); - -void PQCLEAN_HQCRMRS128_AVX2_vect_resize(uint64_t *o, uint32_t size_o, const uint64_t *v, uint32_t size_v); - - -#endif diff --git a/crypto_kem/hqc-rmrs-128/clean/LICENSE b/crypto_kem/hqc-rmrs-128/clean/LICENSE deleted file mode 100644 index d5d21fff..00000000 --- a/crypto_kem/hqc-rmrs-128/clean/LICENSE +++ /dev/null @@ -1 +0,0 @@ -Public Domain diff --git a/crypto_kem/hqc-rmrs-128/clean/Makefile.Microsoft_nmake b/crypto_kem/hqc-rmrs-128/clean/Makefile.Microsoft_nmake deleted file mode 100644 index 4a7b8081..00000000 --- a/crypto_kem/hqc-rmrs-128/clean/Makefile.Microsoft_nmake +++ /dev/null 
@@ -1,19 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libhqc-rmrs-128_clean.lib
-OBJECTS=code.obj fft.obj gf2x.obj gf.obj hqc.obj kem.obj parsing.obj reed_muller.obj reed_solomon.obj vector.obj
-
-CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_kem/hqc-rmrs-128/clean/api.h b/crypto_kem/hqc-rmrs-128/clean/api.h
deleted file mode 100644
index 87447acc..00000000
--- a/crypto_kem/hqc-rmrs-128/clean/api.h
+++ /dev/null
@@ -1,25 +0,0 @@
-#ifndef PQCLEAN_HQCRMRS128_CLEAN_API_H
-#define PQCLEAN_HQCRMRS128_CLEAN_API_H
-/**
- * @file api.h
- * @brief NIST KEM API used by the HQC_KEM IND-CCA2 scheme
- */
-
-#define PQCLEAN_HQCRMRS128_CLEAN_CRYPTO_ALGNAME "HQC-RMRS-128"
-
-#define PQCLEAN_HQCRMRS128_CLEAN_CRYPTO_SECRETKEYBYTES 2289
-#define PQCLEAN_HQCRMRS128_CLEAN_CRYPTO_PUBLICKEYBYTES 2249
-#define PQCLEAN_HQCRMRS128_CLEAN_CRYPTO_BYTES 64
-#define PQCLEAN_HQCRMRS128_CLEAN_CRYPTO_CIPHERTEXTBYTES 4481
-
-// As a technicality, the public key is appended to the secret key in order to respect the NIST API.
-// Without this constraint, PQCLEAN_HQCRMRS128_CLEAN_CRYPTO_SECRETKEYBYTES would be defined as 32
-
-int PQCLEAN_HQCRMRS128_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk);
-
-int PQCLEAN_HQCRMRS128_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk);
-
-int PQCLEAN_HQCRMRS128_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-128/clean/code.c b/crypto_kem/hqc-rmrs-128/clean/code.c
deleted file mode 100644
index 92a853a4..00000000
--- a/crypto_kem/hqc-rmrs-128/clean/code.c
+++ /dev/null
@@ -1,46 +0,0 @@
-#include "code.h"
-#include "parameters.h"
-#include "reed_muller.h"
-#include "reed_solomon.h"
-#include
-#include
-/**
- * @file code.c
- * @brief Implementation of concatenated code
- */
-
-
-
-/**
- *
- * @brief Encoding the message m to a code word em using the concatenated code
- *
- * First we encode the message using the Reed-Solomon code, then with the duplicated Reed-Muller code we obtain
- * a concatenated code word.
- *
- * @param[out] em Pointer to an array that is the tensor code word
- * @param[in] m Pointer to an array that is the message
- */
-void PQCLEAN_HQCRMRS128_CLEAN_code_encode(uint8_t *em, const uint8_t *m) {
- uint8_t tmp[VEC_N1_SIZE_BYTES] = {0};
-
- PQCLEAN_HQCRMRS128_CLEAN_reed_solomon_encode(tmp, m);
- PQCLEAN_HQCRMRS128_CLEAN_reed_muller_encode(em, tmp);
-
-}
-
-
-
-/**
- * @brief Decoding the code word em to a message m using the concatenated code
- *
- * @param[out] m Pointer to an array that is the message
- * @param[in] em Pointer to an array that is the code word
- */
-void PQCLEAN_HQCRMRS128_CLEAN_code_decode(uint8_t *m, const uint8_t *em) {
- uint8_t tmp[VEC_N1_SIZE_BYTES] = {0};
-
- PQCLEAN_HQCRMRS128_CLEAN_reed_muller_decode(tmp, em);
- PQCLEAN_HQCRMRS128_CLEAN_reed_solomon_decode(m, tmp);
-
-}
diff --git a/crypto_kem/hqc-rmrs-128/clean/code.h b/crypto_kem/hqc-rmrs-128/clean/code.h
deleted file mode 100644
index d7c439fa..00000000
--- a/crypto_kem/hqc-rmrs-128/clean/code.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef CODE_H
-#define CODE_H
-
-
-/**
- * @file code.h
- * Header file of code.c
- */
-#include "parameters.h"
-#include
-#include
-
-void PQCLEAN_HQCRMRS128_CLEAN_code_encode(uint8_t *em, const uint8_t *message);
-
-void PQCLEAN_HQCRMRS128_CLEAN_code_decode(uint8_t *m, const uint8_t *em);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-128/clean/fft.c b/crypto_kem/hqc-rmrs-128/clean/fft.c
deleted file mode 100644
index 83a47013..00000000
--- a/crypto_kem/hqc-rmrs-128/clean/fft.c
+++ /dev/null
@@ -1,351 +0,0 @@ -#include "fft.h" -#include "gf.h" -#include "parameters.h" -#include -#include -/** - * @file fft.c - * Implementation of the additive FFT and its transpose. - * This implementation is based on the paper from Gao and Mateer:
- * Shuhong Gao and Todd Mateer, Additive Fast Fourier Transforms over Finite Fields, - * IEEE Transactions on Information Theory 56 (2010), 6265--6272. - * http://www.math.clemson.edu/~sgao/papers/GM10.pdf
- * and includes improvements proposed by Bernstein, Chou and Schwabe here: - * https://binary.cr.yp.to/mcbits-20130616.pdf - */ - - -static void compute_fft_betas(uint16_t *betas); -static void compute_subset_sums(uint16_t *subset_sums, const uint16_t *set, uint16_t set_size); -static void radix(uint16_t *f0, uint16_t *f1, const uint16_t *f, uint32_t m_f); -static void radix_big(uint16_t *f0, uint16_t *f1, const uint16_t *f, uint32_t m_f); -static void fft_rec(uint16_t *w, uint16_t *f, size_t f_coeffs, uint8_t m, uint32_t m_f, const uint16_t *betas); - - -/** - * @brief Computes the basis of betas (omitting 1) used in the additive FFT and its transpose - * - * @param[out] betas Array of size PARAM_M-1 - */ -static void compute_fft_betas(uint16_t *betas) { - size_t i; - for (i = 0; i < PARAM_M - 1; ++i) { - betas[i] = 1 << (PARAM_M - 1 - i); - } -} - - - -/** - * @brief Computes the subset sums of the given set - * - * The array subset_sums is such that its ith element is - * the subset sum of the set elements given by the binary form of i. 
- * - * @param[out] subset_sums Array of size 2^set_size receiving the subset sums - * @param[in] set Array of set_size elements - * @param[in] set_size Size of the array set - */ -static void compute_subset_sums(uint16_t *subset_sums, const uint16_t *set, uint16_t set_size) { - uint16_t i, j; - subset_sums[0] = 0; - - for (i = 0; i < set_size; ++i) { - for (j = 0; j < (1 << i); ++j) { - subset_sums[(1 << i) + j] = set[i] ^ subset_sums[j]; - } - } -} - - - -/** - * @brief Computes the radix conversion of a polynomial f in GF(2^m)[x] - * - * Computes f0 and f1 such that f(x) = f0(x^2-x) + x.f1(x^2-x) - * as proposed by Bernstein, Chou and Schwabe: - * https://binary.cr.yp.to/mcbits-20130616.pdf - * - * @param[out] f0 Array half the size of f - * @param[out] f1 Array half the size of f - * @param[in] f Array of size a power of 2 - * @param[in] m_f 2^{m_f} is the smallest power of 2 greater or equal to the number of coefficients of f - */ -static void radix(uint16_t *f0, uint16_t *f1, const uint16_t *f, uint32_t m_f) { - switch (m_f) { - case 4: - f0[4] = f[8] ^ f[12]; - f0[6] = f[12] ^ f[14]; - f0[7] = f[14] ^ f[15]; - f1[5] = f[11] ^ f[13]; - f1[6] = f[13] ^ f[14]; - f1[7] = f[15]; - f0[5] = f[10] ^ f[12] ^ f1[5]; - f1[4] = f[9] ^ f[13] ^ f0[5]; - - f0[0] = f[0]; - f1[3] = f[7] ^ f[11] ^ f[15]; - f0[3] = f[6] ^ f[10] ^ f[14] ^ f1[3]; - f0[2] = f[4] ^ f0[4] ^ f0[3] ^ f1[3]; - f1[1] = f[3] ^ f[5] ^ f[9] ^ f[13] ^ f1[3]; - f1[2] = f[3] ^ f1[1] ^ f0[3]; - f0[1] = f[2] ^ f0[2] ^ f1[1]; - f1[0] = f[1] ^ f0[1]; - break; - - case 3: - f0[0] = f[0]; - f0[2] = f[4] ^ f[6]; - f0[3] = f[6] ^ f[7]; - f1[1] = f[3] ^ f[5] ^ f[7]; - f1[2] = f[5] ^ f[6]; - f1[3] = f[7]; - f0[1] = f[2] ^ f0[2] ^ f1[1]; - f1[0] = f[1] ^ f0[1]; - break; - - case 2: - f0[0] = f[0]; - f0[1] = f[2] ^ f[3]; - f1[0] = f[1] ^ f0[1]; - f1[1] = f[3]; - break; - - case 1: - f0[0] = f[0]; - f1[0] = f[1]; - break; - - default: - radix_big(f0, f1, f, m_f); - break; - } -} - -static void radix_big(uint16_t *f0, 
uint16_t *f1, const uint16_t *f, uint32_t m_f) { - uint16_t Q[2 * (1 << (PARAM_FFT - 2))] = {0}; - uint16_t R[2 * (1 << (PARAM_FFT - 2))] = {0}; - - uint16_t Q0[1 << (PARAM_FFT - 2)] = {0}; - uint16_t Q1[1 << (PARAM_FFT - 2)] = {0}; - uint16_t R0[1 << (PARAM_FFT - 2)] = {0}; - uint16_t R1[1 << (PARAM_FFT - 2)] = {0}; - - size_t i, n; - - n = 1; - n <<= (m_f - 2); - memcpy(Q, f + 3 * n, 2 * n); - memcpy(Q + n, f + 3 * n, 2 * n); - memcpy(R, f, 4 * n); - - for (i = 0; i < n; ++i) { - Q[i] ^= f[2 * n + i]; - R[n + i] ^= Q[i]; - } - - radix(Q0, Q1, Q, m_f - 1); - radix(R0, R1, R, m_f - 1); - - memcpy(f0, R0, 2 * n); - memcpy(f0 + n, Q0, 2 * n); - memcpy(f1, R1, 2 * n); - memcpy(f1 + n, Q1, 2 * n); -} - - - -/** - * @brief Evaluates f at all subset sums of a given set - * - * This function is a subroutine of the function PQCLEAN_HQCRMRS128_CLEAN_fft. - * - * @param[out] w Array - * @param[in] f Array - * @param[in] f_coeffs Number of coefficients of f - * @param[in] m Number of betas - * @param[in] m_f Number of coefficients of f (one more than its degree) - * @param[in] betas FFT constants - */ -static void fft_rec(uint16_t *w, uint16_t *f, size_t f_coeffs, uint8_t m, uint32_t m_f, const uint16_t *betas) { - uint16_t f0[1 << (PARAM_FFT - 2)] = {0}; - uint16_t f1[1 << (PARAM_FFT - 2)] = {0}; - uint16_t gammas[PARAM_M - 2] = {0}; - uint16_t deltas[PARAM_M - 2] = {0}; - uint16_t gammas_sums[1 << (PARAM_M - 2)] = {0}; - uint16_t u[1 << (PARAM_M - 2)] = {0}; - uint16_t v[1 << (PARAM_M - 2)] = {0}; - uint16_t tmp[PARAM_M - (PARAM_FFT - 1)] = {0}; - - uint16_t beta_m_pow; - size_t i, j, k; - size_t x; - - // Step 1 - if (m_f == 1) { - for (i = 0; i < m; ++i) { - tmp[i] = PQCLEAN_HQCRMRS128_CLEAN_gf_mul(betas[i], f[1]); - } - - w[0] = f[0]; - x = 1; - for (j = 0; j < m; ++j) { - for (k = 0; k < x; ++k) { - w[x + k] = w[k] ^ tmp[j]; - } - x <<= 1; - } - - return; - } - - // Step 2: compute g - if (betas[m - 1] != 1) { - beta_m_pow = 1; - x = 1; - x <<= m_f; - for (i = 1; i < x; 
++i) { - beta_m_pow = PQCLEAN_HQCRMRS128_CLEAN_gf_mul(beta_m_pow, betas[m - 1]); - f[i] = PQCLEAN_HQCRMRS128_CLEAN_gf_mul(beta_m_pow, f[i]); - } - } - - // Step 3 - radix(f0, f1, f, m_f); - - // Step 4: compute gammas and deltas - for (i = 0; i + 1 < m; ++i) { - gammas[i] = PQCLEAN_HQCRMRS128_CLEAN_gf_mul(betas[i], PQCLEAN_HQCRMRS128_CLEAN_gf_inverse(betas[m - 1])); - deltas[i] = PQCLEAN_HQCRMRS128_CLEAN_gf_square(gammas[i]) ^ gammas[i]; - } - - // Compute gammas sums - compute_subset_sums(gammas_sums, gammas, m - 1); - - // Step 5 - fft_rec(u, f0, (f_coeffs + 1) / 2, m - 1, m_f - 1, deltas); - - k = 1; - k <<= ((m - 1) & 0xf); // &0xf is to let the compiler know that m-1 is small. - if (f_coeffs <= 3) { // 3-coefficient polynomial f case: f1 is constant - w[0] = u[0]; - w[k] = u[0] ^ f1[0]; - for (i = 1; i < k; ++i) { - w[i] = u[i] ^ PQCLEAN_HQCRMRS128_CLEAN_gf_mul(gammas_sums[i], f1[0]); - w[k + i] = w[i] ^ f1[0]; - } - } else { - fft_rec(v, f1, f_coeffs / 2, m - 1, m_f - 1, deltas); - - // Step 6 - memcpy(w + k, v, 2 * k); - w[0] = u[0]; - w[k] ^= u[0]; - for (i = 1; i < k; ++i) { - w[i] = u[i] ^ PQCLEAN_HQCRMRS128_CLEAN_gf_mul(gammas_sums[i], v[i]); - w[k + i] ^= w[i]; - } - } -} - - - -/** - * @brief Evaluates f on all fields elements using an additive FFT algorithm - * - * f_coeffs is the number of coefficients of f (one less than its degree).
- * The FFT proceeds recursively to evaluate f at all subset sums of a basis B.
- * This implementation is based on the paper from Gao and Mateer:
- * Shuhong Gao and Todd Mateer, Additive Fast Fourier Transforms over Finite Fields, - * IEEE Transactions on Information Theory 56 (2010), 6265--6272. - * http://www.math.clemson.edu/~sgao/papers/GM10.pdf
- * and includes improvements proposed by Bernstein, Chou and Schwabe here: - * https://binary.cr.yp.to/mcbits-20130616.pdf
- * Note that on this first call (as opposed to the recursive calls to fft_rec), gammas are equal to betas, - * meaning the first gammas subset sums are actually the subset sums of betas (except 1).
- * Also note that f is altered during computation (twisted at each level). - * - * @param[out] w Array - * @param[in] f Array of 2^PARAM_FFT elements - * @param[in] f_coeffs Number coefficients of f (i.e. deg(f)+1) - */ -void PQCLEAN_HQCRMRS128_CLEAN_fft(uint16_t *w, const uint16_t *f, size_t f_coeffs) { - uint16_t betas[PARAM_M - 1] = {0}; - uint16_t betas_sums[1 << (PARAM_M - 1)] = {0}; - uint16_t f0[1 << (PARAM_FFT - 1)] = {0}; - uint16_t f1[1 << (PARAM_FFT - 1)] = {0}; - uint16_t deltas[PARAM_M - 1] = {0}; - uint16_t u[1 << (PARAM_M - 1)] = {0}; - uint16_t v[1 << (PARAM_M - 1)] = {0}; - - size_t i, k; - - // Follows Gao and Mateer algorithm - compute_fft_betas(betas); - - // Step 1: PARAM_FFT > 1, nothing to do - - // Compute gammas sums - compute_subset_sums(betas_sums, betas, PARAM_M - 1); - - // Step 2: beta_m = 1, nothing to do - - // Step 3 - radix(f0, f1, f, PARAM_FFT); - - // Step 4: Compute deltas - for (i = 0; i < PARAM_M - 1; ++i) { - deltas[i] = PQCLEAN_HQCRMRS128_CLEAN_gf_square(betas[i]) ^ betas[i]; - } - - // Step 5 - fft_rec(u, f0, (f_coeffs + 1) / 2, PARAM_M - 1, PARAM_FFT - 1, deltas); - fft_rec(v, f1, f_coeffs / 2, PARAM_M - 1, PARAM_FFT - 1, deltas); - - k = 1 << (PARAM_M - 1); - // Step 6, 7 and error polynomial computation - memcpy(w + k, v, 2 * k); - - // Check if 0 is root - w[0] = u[0]; - - // Check if 1 is root - w[k] ^= u[0]; - - // Find other roots - for (i = 1; i < k; ++i) { - w[i] = u[i] ^ PQCLEAN_HQCRMRS128_CLEAN_gf_mul(betas_sums[i], v[i]); - w[k + i] ^= w[i]; - } -} - - - -/** - * @brief Retrieves the error polynomial error from the evaluations w of the ELP (Error Locator Polynomial) on all field elements. 
- * - * @param[out] error Array with the error - * @param[out] error_compact Array with the error in a compact form - * @param[in] w Array of size 2^PARAM_M - */ -void PQCLEAN_HQCRMRS128_CLEAN_fft_retrieve_error_poly(uint8_t *error, const uint16_t *w) { - uint16_t gammas[PARAM_M - 1] = {0}; - uint16_t gammas_sums[1 << (PARAM_M - 1)] = {0}; - uint16_t k; - size_t i, index; - - compute_fft_betas(gammas); - compute_subset_sums(gammas_sums, gammas, PARAM_M - 1); - - k = 1 << (PARAM_M - 1); - error[0] ^= 1 ^ ((uint16_t) - w[0] >> 15); - error[0] ^= 1 ^ ((uint16_t) - w[k] >> 15); - - for (i = 1; i < k; ++i) { - index = PARAM_GF_MUL_ORDER - gf_log[gammas_sums[i]]; - error[index] ^= 1 ^ ((uint16_t) - w[i] >> 15); - - index = PARAM_GF_MUL_ORDER - gf_log[gammas_sums[i] ^ 1]; - error[index] ^= 1 ^ ((uint16_t) - w[k + i] >> 15); - } -} diff --git a/crypto_kem/hqc-rmrs-128/clean/fft.h b/crypto_kem/hqc-rmrs-128/clean/fft.h deleted file mode 100644 index 7c8ddd86..00000000 --- a/crypto_kem/hqc-rmrs-128/clean/fft.h +++ /dev/null @@ -1,18 +0,0 @@ -#ifndef FFT_H -#define FFT_H - - -/** - * @file fft.h - * Header file of fft.c - */ - -#include -#include - -void PQCLEAN_HQCRMRS128_CLEAN_fft(uint16_t *w, const uint16_t *f, size_t f_coeffs); - -void PQCLEAN_HQCRMRS128_CLEAN_fft_retrieve_error_poly(uint8_t *error, const uint16_t *w); - - -#endif diff --git a/crypto_kem/hqc-rmrs-128/clean/gf.c b/crypto_kem/hqc-rmrs-128/clean/gf.c deleted file mode 100644 index a7a3a1de..00000000 --- a/crypto_kem/hqc-rmrs-128/clean/gf.c +++ /dev/null 
@@ -1,63 +0,0 @@
-#include "gf.h"
-#include "parameters.h"
-#include
-/**
- * @file gf.c
- * Galois field implementation with multiplication using lookup tables
- */
-
-
-/**
- * @brief Multiplies nonzero element a by element b
- * @returns the product a*b
- * @param[in] a First element of GF(2^PARAM_M) to multiply (cannot be zero)
- * @param[in] b Second element of GF(2^PARAM_M) to multiply (cannot be zero)
- */
-uint16_t PQCLEAN_HQCRMRS128_CLEAN_gf_mul(uint16_t a, uint16_t b) {
- uint16_t mask;
- mask = (uint16_t) (-((int32_t) a) >> 31); // a != 0
- mask &= (uint16_t) (-((int32_t) b) >> 31); // b != 0
- return mask & gf_exp[PQCLEAN_HQCRMRS128_CLEAN_gf_mod(gf_log[a] + gf_log[b])];
-}
-
-
-
-/**
- * @brief Squares an element of GF(2^PARAM_M)
- * @returns a^2
- * @param[in] a Element of GF(2^PARAM_M)
- */
-uint16_t PQCLEAN_HQCRMRS128_CLEAN_gf_square(uint16_t a) {
- int16_t mask = (uint16_t) (-((int32_t) a) >> 31); // a != 0
- return mask & gf_exp[PQCLEAN_HQCRMRS128_CLEAN_gf_mod(2 * gf_log[a])];
-}
-
-
-
-/**
- * @brief Computes the inverse of an element of GF(2^PARAM_M)
- * @returns the inverse of a
- * @param[in] a Element of GF(2^PARAM_M)
- */
-uint16_t PQCLEAN_HQCRMRS128_CLEAN_gf_inverse(uint16_t a) {
- int16_t mask = (uint16_t) (-((int32_t) a) >> 31); // a != 0
- return mask & gf_exp[PARAM_GF_MUL_ORDER - gf_log[a]];
-}
-
-
-
-/**
- * @brief Returns i modulo 2^PARAM_M-1
- * i must be less than 2*(2^PARAM_M-1).
- * Therefore, the return value is either i or i-2^PARAM_M+1.
- * @returns i mod (2^PARAM_M-1)
- * @param[in] i The integer whose modulo is taken
- */
-uint16_t PQCLEAN_HQCRMRS128_CLEAN_gf_mod(uint16_t i) {
- uint16_t tmp = (uint16_t) (i - PARAM_GF_MUL_ORDER);
-
- // mask = 0xffff if(i < PARAM_GF_MUL_ORDER)
- uint16_t mask = -(tmp >> 15);
-
- return tmp + (mask & PARAM_GF_MUL_ORDER);
-}
diff --git a/crypto_kem/hqc-rmrs-128/clean/gf.h b/crypto_kem/hqc-rmrs-128/clean/gf.h
deleted file mode 100644
index 16f753ea..00000000
--- a/crypto_kem/hqc-rmrs-128/clean/gf.h
+++ /dev/null
@@ -1,39 +0,0 @@ -#ifndef GF_H -#define GF_H - - -/** - * @file gf.h - * Header file of gf.c - */ - -#include -#include - - -/** - * Powers of the root alpha of 1 + x^2 + x^3 + x^4 + x^8. - * The last two elements are needed by the PQCLEAN_HQCRMRS128_CLEAN_gf_mul function - * (for example if both elements to multiply are zero). - */ -static const uint16_t gf_exp[258] = { 1, 2, 4, 8, 16, 32, 64, 128, 29, 58, 116, 232, 205, 135, 19, 38, 76, 152, 45, 90, 180, 117, 234, 201, 143, 3, 6, 12, 24, 48, 96, 192, 157, 39, 78, 156, 37, 74, 148, 53, 106, 212, 181, 119, 238, 193, 159, 35, 70, 140, 5, 10, 20, 40, 80, 160, 93, 186, 105, 210, 185, 111, 222, 161, 95, 190, 97, 194, 153, 47, 94, 188, 101, 202, 137, 15, 30, 60, 120, 240, 253, 231, 211, 187, 107, 214, 177, 127, 254, 225, 223, 163, 91, 182, 113, 226, 217, 175, 67, 134, 17, 34, 68, 136, 13, 26, 52, 104, 208, 189, 103, 206, 129, 31, 62, 124, 248, 237, 199, 147, 59, 118, 236, 197, 151, 51, 102, 204, 133, 23, 46, 92, 184, 109, 218, 169, 79, 158, 33, 66, 132, 21, 42, 84, 168, 77, 154, 41, 82, 164, 85, 170, 73, 146, 57, 114, 228, 213, 183, 115, 230, 209, 191, 99, 198, 145, 63, 126, 252, 229, 215, 179, 123, 246, 241, 255, 227, 219, 171, 75, 150, 49, 98, 196, 149, 55, 110, 220, 165, 87, 174, 65, 130, 25, 50, 100, 200, 141, 7, 14, 28, 56, 112, 224, 221, 167, 83, 166, 81, 162, 89, 178, 121, 242, 249, 239, 195, 155, 43, 86, 172, 69, 138, 9, 18, 36, 72, 144, 61, 122, 244, 245, 247, 243, 251, 235, 203, 139, 11, 22, 44, 88, 176, 125, 250, 233, 207, 131, 27, 54, 108, 216, 173, 71, 142, 1, 2, 4 }; - - - -/** - * Logarithm of elements of GF(2^8) to the base alpha (root of 1 + x^2 + x^3 + x^4 + x^8). - * The logarithm of 0 is set to 0 by convention. 
- */ -static const uint16_t gf_log[256] = { 0, 0, 1, 25, 2, 50, 26, 198, 3, 223, 51, 238, 27, 104, 199, 75, 4, 100, 224, 14, 52, 141, 239, 129, 28, 193, 105, 248, 200, 8, 76, 113, 5, 138, 101, 47, 225, 36, 15, 33, 53, 147, 142, 218, 240, 18, 130, 69, 29, 181, 194, 125, 106, 39, 249, 185, 201, 154, 9, 120, 77, 228, 114, 166, 6, 191, 139, 98, 102, 221, 48, 253, 226, 152, 37, 179, 16, 145, 34, 136, 54, 208, 148, 206, 143, 150, 219, 189, 241, 210, 19, 92, 131, 56, 70, 64, 30, 66, 182, 163, 195, 72, 126, 110, 107, 58, 40, 84, 250, 133, 186, 61, 202, 94, 155, 159, 10, 21, 121, 43, 78, 212, 229, 172, 115, 243, 167, 87, 7, 112, 192, 247, 140, 128, 99, 13, 103, 74, 222, 237, 49, 197, 254, 24, 227, 165, 153, 119, 38, 184, 180, 124, 17, 68, 146, 217, 35, 32, 137, 46, 55, 63, 209, 91, 149, 188, 207, 205, 144, 135, 151, 178, 220, 252, 190, 97, 242, 86, 211, 171, 20, 42, 93, 158, 132, 60, 57, 83, 71, 109, 65, 162, 31, 45, 67, 216, 183, 123, 164, 118, 196, 23, 73, 236, 127, 12, 111, 246, 108, 161, 59, 82, 41, 157, 85, 170, 251, 96, 134, 177, 187, 204, 62, 90, 203, 89, 95, 176, 156, 169, 160, 81, 11, 245, 22, 235, 122, 117, 44, 215, 79, 174, 213, 233, 230, 231, 173, 232, 116, 214, 244, 234, 168, 80, 88, 175 }; - - -uint16_t PQCLEAN_HQCRMRS128_CLEAN_gf_mul(uint16_t a, uint16_t b); - -uint16_t PQCLEAN_HQCRMRS128_CLEAN_gf_square(uint16_t a); - -uint16_t PQCLEAN_HQCRMRS128_CLEAN_gf_inverse(uint16_t a); - -uint16_t PQCLEAN_HQCRMRS128_CLEAN_gf_mod(uint16_t i); - - -#endif diff --git a/crypto_kem/hqc-rmrs-128/clean/gf2x.c b/crypto_kem/hqc-rmrs-128/clean/gf2x.c deleted file mode 100644 index 1923ab2c..00000000 --- a/crypto_kem/hqc-rmrs-128/clean/gf2x.c +++ /dev/null 
@@ -1,154 +0,0 @@ -#include "gf2x.h" -#include "nistseedexpander.h" -#include "parameters.h" -#include "parsing.h" -#include "randombytes.h" -#include -/** - * \file gf2x.c - * \brief Implementation of multiplication of two polynomials - */ - - -static inline void swap(uint16_t *tab, uint16_t elt1, uint16_t elt2); -static void reduce(uint64_t *o, const uint64_t *a); -static void fast_convolution_mult(uint8_t *o, const uint32_t *a1, const uint64_t *a2, uint16_t weight, AES_XOF_struct *ctx); - -/** - * @brief swap two elements in a table - * - * This function exchanges tab[elt1] with tab[elt2] - * - * @param[in] tab Pointer to the table - * @param[in] elt1 Index of the first element - * @param[in] elt2 Index of the second element - */ -static inline void swap(uint16_t *tab, uint16_t elt1, uint16_t elt2) { - uint16_t tmp = tab[elt1]; - - tab[elt1] = tab[elt2]; - tab[elt2] = tmp; -} - - - -/** - * @brief Compute o(x) = a(x) mod \f$ X^n - 1\f$ - * - * This function computes the modular reduction of the polynomial a(x) - * - * @param[in] a Pointer to the polynomial a(x) - * @param[out] o Pointer to the result - */ -static void reduce(uint64_t *o, const uint64_t *a) { - size_t i; - uint64_t r; - uint64_t carry; - - for (i = 0; i < VEC_N_SIZE_64; i++) { - r = a[i + VEC_N_SIZE_64 - 1] >> (PARAM_N & 63); - carry = (uint64_t) (a[i + VEC_N_SIZE_64] << (64 - (PARAM_N & 63))); - o[i] = a[i] ^ r ^ carry; - } - - o[VEC_N_SIZE_64 - 1] &= RED_MASK; -} - - - -/** - * @brief computes product of the polynomial a1(x) with the sparse polynomial a2 - * - * o(x) = a1(x)a2(x) - * - * @param[out] o Pointer to the result - * @param[in] a1 Pointer to the sparse polynomial a2 (list of degrees of the monomials which appear in a2) - * @param[in] a2 Pointer to the polynomial a1(x) - * @param[in] weight Hamming wifht of the sparse polynomial a2 - * @param[in] ctx Pointer to a seed expander used to randomize the multiplication process - */ -static void fast_convolution_mult(uint8_t *o, const 
uint32_t *a1, const uint64_t *a2, uint16_t weight, AES_XOF_struct *ctx) { -//static uint32_t fast_convolution_mult(const uint64_t *A, const uint32_t *vB, uint64_t *C, const uint16_t w, AES_XOF_struct *ctx) - uint64_t carry; - uint32_t dec, s; - uint64_t table[16 * (VEC_N_SIZE_64 + 1)]; - uint16_t permuted_table[16]; - uint16_t permutation_table[16]; - uint16_t permuted_sparse_vect[PARAM_OMEGA_E]; - uint16_t permutation_sparse_vect[PARAM_OMEGA_E]; - uint64_t tmp; - uint64_t *pt; - uint8_t *res; - size_t i, j; - - for (i = 0; i < 16; i++) { - permuted_table[i] = (uint16_t) i; - } - - seedexpander(ctx, (uint8_t *) permutation_table, 16 * sizeof(uint16_t)); - - for (i = 0; i < 15; i++) { - swap(permuted_table + i, 0, permutation_table[i] % (16 - i)); - } - - pt = table + (permuted_table[0] * (VEC_N_SIZE_64 + 1)); - for (j = 0; j < VEC_N_SIZE_64; j++) { - pt[j] = a2[j]; - } - pt[VEC_N_SIZE_64] = 0x0; - - for (i = 1; i < 16; i++) { - carry = 0; - pt = table + (permuted_table[i] * (VEC_N_SIZE_64 + 1)); - for (j = 0; j < VEC_N_SIZE_64; j++) { - pt[j] = (a2[j] << i) ^ carry; - carry = (a2[j] >> ((64 - i))); - } - pt[VEC_N_SIZE_64] = carry; - } - - for (i = 0; i < weight; i++) { - permuted_sparse_vect[i] = (uint16_t) i; - } - - seedexpander(ctx, (uint8_t *) permutation_sparse_vect, weight * sizeof(uint16_t)); - - for (i = 0; i + 1 < weight; i++) { - swap(permuted_sparse_vect + i, 0, (uint16_t) (permutation_sparse_vect[i] % (weight - i))); - } - - for (i = 0; i < weight; i++) { - dec = a1[permuted_sparse_vect[i]] & 0xf; - s = a1[permuted_sparse_vect[i]] >> 4; - res = o + 2 * s; - pt = table + (permuted_table[dec] * (VEC_N_SIZE_64 + 1)); - - for (j = 0; j < VEC_N_SIZE_64 + 1; j++) { - tmp = PQCLEAN_HQCRMRS128_CLEAN_load8(res); - PQCLEAN_HQCRMRS128_CLEAN_store8(res, tmp ^ pt[j]); - res += 8; - } - } -} - - - -/** - * @brief Multiply two polynomials modulo \f$ X^n - 1\f$. 
- * - * This functions multiplies a sparse polynomial a1 (of Hamming weight equal to weight) - * and a dense polynomial a2. The multiplication is done modulo \f$ X^n - 1\f$. - * - * @param[out] o Pointer to the result - * @param[in] a1 Pointer to the sparse polynomial - * @param[in] a2 Pointer to the dense polynomial - * @param[in] weight Integer that is the weigt of the sparse polynomial - * @param[in] ctx Pointer to the randomness context - */ -void PQCLEAN_HQCRMRS128_CLEAN_vect_mul(uint64_t *o, const uint32_t *a1, const uint64_t *a2, uint16_t weight, AES_XOF_struct *ctx) { - uint64_t tmp[2 * VEC_N_SIZE_64 + 1] = {0}; - - fast_convolution_mult((uint8_t *) tmp, a1, a2, weight, ctx); - PQCLEAN_HQCRMRS128_CLEAN_load8_arr(tmp, 2 * VEC_N_SIZE_64 + 1, (uint8_t *) tmp, sizeof(tmp)); - reduce(o, tmp); -} diff --git a/crypto_kem/hqc-rmrs-128/clean/gf2x.h b/crypto_kem/hqc-rmrs-128/clean/gf2x.h deleted file mode 100644 index 1b353318..00000000 --- a/crypto_kem/hqc-rmrs-128/clean/gf2x.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef GF2X_H -#define GF2X_H - - -/** - * @file gf2x.h - * @brief Header file for gf2x.c - */ -#include "nistseedexpander.h" -#include "randombytes.h" -#include - -void PQCLEAN_HQCRMRS128_CLEAN_vect_mul(uint64_t *o, const uint32_t *a1, const uint64_t *a2, uint16_t weight, AES_XOF_struct *ctx); - - -#endif diff --git a/crypto_kem/hqc-rmrs-128/clean/hqc.c b/crypto_kem/hqc-rmrs-128/clean/hqc.c deleted file mode 100644 index 8784986f..00000000 --- a/crypto_kem/hqc-rmrs-128/clean/hqc.c +++ /dev/null 
@@ -1,144 +0,0 @@ -#include "code.h" -#include "gf2x.h" -#include "hqc.h" -#include "nistseedexpander.h" -#include "parameters.h" -#include "parsing.h" -#include "randombytes.h" -#include "vector.h" -#include -/** - * @file hqc.c - * @brief Implementation of hqc.h - */ - - - -/** - * @brief Keygen of the HQC_PKE IND_CPA scheme - * - * The public key is composed of the syndrome s as well as the seed used to generate the vector h. - * - * The secret key is composed of the seed used to generate vectors x and y. - * As a technicality, the public key is appended to the secret key in order to respect NIST API. - * - * @param[out] pk String containing the public key - * @param[out] sk String containing the secret key - */ -void PQCLEAN_HQCRMRS128_CLEAN_hqc_pke_keygen(unsigned char *pk, unsigned char *sk) { - AES_XOF_struct sk_seedexpander; - AES_XOF_struct pk_seedexpander; - uint8_t sk_seed[SEED_BYTES] = {0}; - uint8_t pk_seed[SEED_BYTES] = {0}; - uint64_t x[VEC_N_SIZE_64] = {0}; - uint32_t y[PARAM_OMEGA] = {0}; - uint64_t h[VEC_N_SIZE_64] = {0}; - uint64_t s[VEC_N_SIZE_64] = {0}; - - // Create seed_expanders for public key and secret key - randombytes(sk_seed, SEED_BYTES); - seedexpander_init(&sk_seedexpander, sk_seed, sk_seed + 32, SEEDEXPANDER_MAX_LENGTH); - - randombytes(pk_seed, SEED_BYTES); - seedexpander_init(&pk_seedexpander, pk_seed, pk_seed + 32, SEEDEXPANDER_MAX_LENGTH); - - // Compute secret key - PQCLEAN_HQCRMRS128_CLEAN_vect_set_random_fixed_weight(&sk_seedexpander, x, PARAM_OMEGA); - PQCLEAN_HQCRMRS128_CLEAN_vect_set_random_fixed_weight_by_coordinates(&sk_seedexpander, y, PARAM_OMEGA); - - // Compute public key - PQCLEAN_HQCRMRS128_CLEAN_vect_set_random(&pk_seedexpander, h); - PQCLEAN_HQCRMRS128_CLEAN_vect_mul(s, y, h, PARAM_OMEGA, &sk_seedexpander); - PQCLEAN_HQCRMRS128_CLEAN_vect_add(s, x, s, VEC_N_SIZE_64); - - // Parse keys to string - PQCLEAN_HQCRMRS128_CLEAN_hqc_public_key_to_string(pk, pk_seed, s); - 
PQCLEAN_HQCRMRS128_CLEAN_hqc_secret_key_to_string(sk, sk_seed, pk); - -} - - - -/** - * @brief Encryption of the HQC_PKE IND_CPA scheme - * - * The cihertext is composed of vectors u and v. - * - * @param[out] u Vector u (first part of the ciphertext) - * @param[out] v Vector v (second part of the ciphertext) - * @param[in] m Vector representing the message to encrypt - * @param[in] theta Seed used to derive randomness required for encryption - * @param[in] pk String containing the public key - */ -void PQCLEAN_HQCRMRS128_CLEAN_hqc_pke_encrypt(uint64_t *u, uint64_t *v, uint8_t *m, unsigned char *theta, const unsigned char *pk) { - AES_XOF_struct seedexpander; - uint64_t h[VEC_N_SIZE_64] = {0}; - uint64_t s[VEC_N_SIZE_64] = {0}; - uint64_t r1[VEC_N_SIZE_64] = {0}; - uint32_t r2[PARAM_OMEGA_R] = {0}; - uint64_t e[VEC_N_SIZE_64] = {0}; - uint64_t tmp1[VEC_N_SIZE_64] = {0}; - uint64_t tmp2[VEC_N_SIZE_64] = {0}; - - // Create seed_expander from theta - seedexpander_init(&seedexpander, theta, theta + 32, SEEDEXPANDER_MAX_LENGTH); - - // Retrieve h and s from public key - PQCLEAN_HQCRMRS128_CLEAN_hqc_public_key_from_string(h, s, pk); - - // Generate r1, r2 and e - PQCLEAN_HQCRMRS128_CLEAN_vect_set_random_fixed_weight(&seedexpander, r1, PARAM_OMEGA_R); - PQCLEAN_HQCRMRS128_CLEAN_vect_set_random_fixed_weight_by_coordinates(&seedexpander, r2, PARAM_OMEGA_R); - PQCLEAN_HQCRMRS128_CLEAN_vect_set_random_fixed_weight(&seedexpander, e, PARAM_OMEGA_E); - - // Compute u = r1 + r2.h - PQCLEAN_HQCRMRS128_CLEAN_vect_mul(u, r2, h, PARAM_OMEGA_R, &seedexpander); - PQCLEAN_HQCRMRS128_CLEAN_vect_add(u, r1, u, VEC_N_SIZE_64); - - // Compute v = m.G by encoding the message - PQCLEAN_HQCRMRS128_CLEAN_code_encode((uint8_t *)v, m); - PQCLEAN_HQCRMRS128_CLEAN_load8_arr(v, VEC_N1N2_SIZE_64, (uint8_t *)v, VEC_N1N2_SIZE_BYTES); - PQCLEAN_HQCRMRS128_CLEAN_vect_resize(tmp1, PARAM_N, v, PARAM_N1N2); - - // Compute v = m.G + s.r2 + e - PQCLEAN_HQCRMRS128_CLEAN_vect_mul(tmp2, r2, s, PARAM_OMEGA_R, 
&seedexpander); - PQCLEAN_HQCRMRS128_CLEAN_vect_add(tmp2, e, tmp2, VEC_N_SIZE_64); - PQCLEAN_HQCRMRS128_CLEAN_vect_add(tmp2, tmp1, tmp2, VEC_N_SIZE_64); - PQCLEAN_HQCRMRS128_CLEAN_vect_resize(v, PARAM_N1N2, tmp2, PARAM_N); - -} - - - -/** - * @brief Decryption of the HQC_PKE IND_CPA scheme - * - * @param[out] m Vector representing the decrypted message - * @param[in] u Vector u (first part of the ciphertext) - * @param[in] v Vector v (second part of the ciphertext) - * @param[in] sk String containing the secret key - */ -void PQCLEAN_HQCRMRS128_CLEAN_hqc_pke_decrypt(uint8_t *m, const uint64_t *u, const uint64_t *v, const unsigned char *sk) { - uint8_t pk[PUBLIC_KEY_BYTES] = {0}; - uint64_t tmp1[VEC_N_SIZE_64] = {0}; - uint64_t tmp2[VEC_N_SIZE_64] = {0}; - uint32_t y[PARAM_OMEGA] = {0}; - AES_XOF_struct perm_seedexpander; - uint8_t perm_seed[SEED_BYTES] = {0}; - - // Retrieve x, y, pk from secret key - PQCLEAN_HQCRMRS128_CLEAN_hqc_secret_key_from_string(tmp1, y, pk, sk); - - randombytes(perm_seed, SEED_BYTES); - seedexpander_init(&perm_seedexpander, perm_seed, perm_seed + 32, SEEDEXPANDER_MAX_LENGTH); - - // Compute v - u.y - PQCLEAN_HQCRMRS128_CLEAN_vect_resize(tmp1, PARAM_N, v, PARAM_N1N2); - PQCLEAN_HQCRMRS128_CLEAN_vect_mul(tmp2, y, u, PARAM_OMEGA, &perm_seedexpander); - PQCLEAN_HQCRMRS128_CLEAN_vect_add(tmp2, tmp1, tmp2, VEC_N_SIZE_64); - - - // Compute m by decoding v - u.y - PQCLEAN_HQCRMRS128_CLEAN_store8_arr((uint8_t *)tmp1, VEC_N_SIZE_BYTES, tmp2, VEC_N_SIZE_64); - PQCLEAN_HQCRMRS128_CLEAN_code_decode(m, (uint8_t *)tmp1); -} diff --git a/crypto_kem/hqc-rmrs-128/clean/hqc.h b/crypto_kem/hqc-rmrs-128/clean/hqc.h deleted file mode 100644 index c7344f3a..00000000 --- a/crypto_kem/hqc-rmrs-128/clean/hqc.h +++ /dev/null 
@@ -1,19 +0,0 @@
-#ifndef HQC_H
-#define HQC_H
-
-
-/**
- * @file hqc.h
- * @brief Functions of the HQC_PKE IND_CPA scheme
- */
-
-#include
-
-void PQCLEAN_HQCRMRS128_CLEAN_hqc_pke_keygen(unsigned char *pk, unsigned char *sk);
-
-void PQCLEAN_HQCRMRS128_CLEAN_hqc_pke_encrypt(uint64_t *u, uint64_t *v, uint8_t *m, unsigned char *theta, const unsigned char *pk);
-
-void PQCLEAN_HQCRMRS128_CLEAN_hqc_pke_decrypt(uint8_t *m, const uint64_t *u, const uint64_t *v, const unsigned char *sk);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-128/clean/kem.c b/crypto_kem/hqc-rmrs-128/clean/kem.c
deleted file mode 100644
index dd49c3a6..00000000
--- a/crypto_kem/hqc-rmrs-128/clean/kem.c
+++ /dev/null
@@ -1,140 +0,0 @@ -#include "api.h" -#include "fips202.h" -#include "hqc.h" -#include "nistseedexpander.h" -#include "parameters.h" -#include "parsing.h" -#include "randombytes.h" -#include "sha2.h" -#include "vector.h" -#include -#include -/** - * @file kem.c - * @brief Implementation of api.h - */ - - - -/** - * @brief Keygen of the HQC_KEM IND_CAA2 scheme - * - * The public key is composed of the syndrome s as well as the seed used to generate the vector h. - * - * The secret key is composed of the seed used to generate vectors x and y. - * As a technicality, the public key is appended to the secret key in order to respect NIST API. - * - * @param[out] pk String containing the public key - * @param[out] sk String containing the secret key - * @returns 0 if keygen is successful - */ -int PQCLEAN_HQCRMRS128_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { - - PQCLEAN_HQCRMRS128_CLEAN_hqc_pke_keygen(pk, sk); - return 0; -} - - - -/** - * @brief Encapsulation of the HQC_KEM IND_CAA2 scheme - * - * @param[out] ct String containing the ciphertext - * @param[out] ss String containing the shared secret - * @param[in] pk String containing the public key - * @returns 0 if encapsulation is successful - */ -int PQCLEAN_HQCRMRS128_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) { - - uint8_t theta[SHA512_BYTES] = {0}; - uint8_t m[VEC_K_SIZE_BYTES] = {0}; - uint64_t u[VEC_N_SIZE_64] = {0}; - uint64_t v[VEC_N1N2_SIZE_64] = {0}; - unsigned char d[SHA512_BYTES] = {0}; - unsigned char mc[VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES] = {0}; - - // Computing m - randombytes(m, VEC_K_SIZE_BYTES); - - // Computing theta - sha3_512(theta, m, VEC_K_SIZE_BYTES); - - // Encrypting m - PQCLEAN_HQCRMRS128_CLEAN_hqc_pke_encrypt(u, v, m, theta, pk); - - // Computing d - sha512(d, m, VEC_K_SIZE_BYTES); - - // Computing shared secret - memcpy(mc, m, VEC_K_SIZE_BYTES); - PQCLEAN_HQCRMRS128_CLEAN_store8_arr(mc + VEC_K_SIZE_BYTES, 
VEC_N_SIZE_BYTES, u, VEC_N_SIZE_64); - PQCLEAN_HQCRMRS128_CLEAN_store8_arr(mc + VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES, VEC_N1N2_SIZE_BYTES, v, VEC_N1N2_SIZE_64); - sha512(ss, mc, VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES); - - // Computing ciphertext - PQCLEAN_HQCRMRS128_CLEAN_hqc_ciphertext_to_string(ct, u, v, d); - - - return 0; -} - - - -/** - * @brief Decapsulation of the HQC_KEM IND_CAA2 scheme - * - * @param[out] ss String containing the shared secret - * @param[in] ct String containing the cipĥertext - * @param[in] sk String containing the secret key - * @returns 0 if decapsulation is successful, -1 otherwise - */ -int PQCLEAN_HQCRMRS128_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - - uint8_t result; - uint64_t u[VEC_N_SIZE_64] = {0}; - uint64_t v[VEC_N1N2_SIZE_64] = {0}; - unsigned char d[SHA512_BYTES] = {0}; - unsigned char pk[PUBLIC_KEY_BYTES] = {0}; - uint8_t m[VEC_K_SIZE_BYTES] = {0}; - uint8_t theta[SHA512_BYTES] = {0}; - uint64_t u2[VEC_N_SIZE_64] = {0}; - uint64_t v2[VEC_N1N2_SIZE_64] = {0}; - unsigned char d2[SHA512_BYTES] = {0}; - unsigned char mc[VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES] = {0}; - - // Retrieving u, v and d from ciphertext - PQCLEAN_HQCRMRS128_CLEAN_hqc_ciphertext_from_string(u, v, d, ct); - - // Retrieving pk from sk - memcpy(pk, sk + SEED_BYTES, PUBLIC_KEY_BYTES); - - // Decryting - PQCLEAN_HQCRMRS128_CLEAN_hqc_pke_decrypt(m, u, v, sk); - - // Computing theta - sha3_512(theta, m, VEC_K_SIZE_BYTES); - - // Encrypting m' - PQCLEAN_HQCRMRS128_CLEAN_hqc_pke_encrypt(u2, v2, m, theta, pk); - - // Computing d' - sha512(d2, m, VEC_K_SIZE_BYTES); - - // Computing shared secret - memcpy(mc, m, VEC_K_SIZE_BYTES); - PQCLEAN_HQCRMRS128_CLEAN_store8_arr(mc + VEC_K_SIZE_BYTES, VEC_N_SIZE_BYTES, u, VEC_N_SIZE_64); - PQCLEAN_HQCRMRS128_CLEAN_store8_arr(mc + VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES, VEC_N1N2_SIZE_BYTES, v, VEC_N1N2_SIZE_64); - sha512(ss, mc, VEC_K_SIZE_BYTES 
+ VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES); - - // Abort if c != c' or d != d' - result = PQCLEAN_HQCRMRS128_CLEAN_vect_compare((uint8_t *)u, (uint8_t *)u2, VEC_N_SIZE_BYTES); - result |= PQCLEAN_HQCRMRS128_CLEAN_vect_compare((uint8_t *)v, (uint8_t *)v2, VEC_N1N2_SIZE_BYTES); - result |= PQCLEAN_HQCRMRS128_CLEAN_vect_compare(d, d2, SHA512_BYTES); - result = (uint8_t) (-((int16_t) result) >> 15); - for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) { - ss[i] &= ~result; - } - - - return -(result & 1); -} diff --git a/crypto_kem/hqc-rmrs-128/clean/parameters.h b/crypto_kem/hqc-rmrs-128/clean/parameters.h deleted file mode 100644 index 2ecb16d1..00000000 --- a/crypto_kem/hqc-rmrs-128/clean/parameters.h +++ /dev/null 
@@ -1,98 +0,0 @@ -#ifndef HQC_PARAMETERS_H -#define HQC_PARAMETERS_H - - -/** - * @file parameters.h - * @brief Parameters of the HQC_KEM IND-CCA2 scheme - */ -#include "api.h" - - -#define CEIL_DIVIDE(a, b) (((a)+(b)-1)/(b)) /*!< Divide a by b and ceil the result*/ - -/* - #define PARAM_N Define the parameter n of the scheme - #define PARAM_N1 Define the parameter n1 of the scheme (length of Reed-Solomon code) - #define PARAM_N2 Define the parameter n2 of the scheme (length of Duplicated Reed-Muller code) - #define PARAM_N1N2 Define the length in bits of the Concatenated code - #define PARAM_OMEGA Define the parameter omega of the scheme - #define PARAM_OMEGA_E Define the parameter omega_e of the scheme - #define PARAM_OMEGA_R Define the parameter omega_r of the scheme - #define PARAM_SECURITY Define the security level corresponding to the chosen parameters - #define PARAM_DFR_EXP Define the decryption failure rate corresponding to the chosen parameters - - #define SECRET_KEY_BYTES Define the size of the secret key in bytes - #define PUBLIC_KEY_BYTES Define the size of the public key in bytes - #define SHARED_SECRET_BYTES Define the size of the shared secret in bytes - #define CIPHERTEXT_BYTES Define the size of the ciphertext in bytes - - #define UTILS_REJECTION_THRESHOLD Define the rejection threshold used to generate given weight vectors (see vector_set_random_fixed_weight function) - #define VEC_N_SIZE_BYTES Define the size of the array used to store a PARAM_N sized vector in bytes - #define VEC_K_SIZE_BYTES Define the size of the array used to store a PARAM_K sized vector in bytes - #define VEC_N1Y_SIZE_BYTES Define the size of the array used to store a PARAM_N1 sized vector in bytes - #define VEC_N1N2_SIZE_BYTES Define the size of the array used to store a PARAM_N1N2 sized vector in bytes - - #define VEC_N_SIZE_64 Define the size of the array used to store a PARAM_N sized vector in 64 bits - #define VEC_K_SIZE_64 Define the size of the array used to store a 
PARAM_K sized vector in 64 bits - #define VEC_N1_SIZE_64 Define the size of the array used to store a PARAM_N1 sized vector in 64 bits - #define VEC_N1N2_SIZE_64 Define the size of the array used to store a PARAM_N1N2 sized vector in 64 bits - - #define PARAM_DELTA Define the parameter delta of the scheme (correcting capacity of the Reed-Solomon code) - #define PARAM_M Define a positive integer - #define PARAM_GF_POLY Generator polynomial of galois field GF(2^PARAM_M), represented in hexadecimial form - #define PARAM_GF_MUL_ORDER Define the size of the multiplicative group of GF(2^PARAM_M), i.e 2^PARAM_M -1 - #define PARAM_K Define the size of the information bits of the Reed-Solomon code - #define PARAM_G Define the size of the generator polynomial of Reed-Solomon code - #define PARAM_FFT The additive FFT takes a 2^PARAM_FFT polynomial as input - We use the FFT to compute the roots of sigma, whose degree if PARAM_DELTA=24 - The smallest power of 2 greater than 24+1 is 32=2^5 - #define RS_POLY_COEFS Coefficients of the generator polynomial of the Reed-Solomon code - - #define RED_MASK A mask fot the higher bits of a vector - #define SHA512_BYTES Define the size of SHA512 output in bytes - #define SEED_BYTES Define the size of the seed in bytes - #define SEEDEXPANDER_MAX_LENGTH Define the seed expander max length -*/ - -#define PARAM_N 17669 -#define PARAM_N1 46 -#define PARAM_N2 384 -#define PARAM_N1N2 17664 -#define PARAM_OMEGA 66 -#define PARAM_OMEGA_E 75 -#define PARAM_OMEGA_R 75 -#define PARAM_SECURITY 128 -#define PARAM_DFR_EXP 128 - -#define SECRET_KEY_BYTES PQCLEAN_HQCRMRS128_CLEAN_CRYPTO_SECRETKEYBYTES -#define PUBLIC_KEY_BYTES PQCLEAN_HQCRMRS128_CLEAN_CRYPTO_PUBLICKEYBYTES -#define SHARED_SECRET_BYTES PQCLEAN_HQCRMRS128_CLEAN_CRYPTO_BYTES -#define CIPHERTEXT_BYTES PQCLEAN_HQCRMRS128_CLEAN_CRYPTO_CIPHERTEXTBYTES - -#define UTILS_REJECTION_THRESHOLD 16767881 -#define VEC_N_SIZE_BYTES CEIL_DIVIDE(PARAM_N, 8) -#define VEC_K_SIZE_BYTES PARAM_K -#define 
VEC_N1_SIZE_BYTES PARAM_N1 -#define VEC_N1N2_SIZE_BYTES CEIL_DIVIDE(PARAM_N1N2, 8) - -#define VEC_N_SIZE_64 CEIL_DIVIDE(PARAM_N, 64) -#define VEC_K_SIZE_64 CEIL_DIVIDE(PARAM_K, 8) -#define VEC_N1_SIZE_64 CEIL_DIVIDE(PARAM_N1, 8) -#define VEC_N1N2_SIZE_64 CEIL_DIVIDE(PARAM_N1N2, 64) - -#define PARAM_DELTA 15 -#define PARAM_M 8 -#define PARAM_GF_POLY 0x11D -#define PARAM_GF_MUL_ORDER 255 -#define PARAM_K 16 -#define PARAM_G 31 -#define PARAM_FFT 5 -#define RS_POLY_COEFS 89,69,153,116,176,117,111,75,73,233,242,233,65,210,21,139,103,173,67,118,105,210,174,110,74,69,228,82,255,181,1 - -#define RED_MASK 0x1f -#define SHA512_BYTES 64 -#define SEED_BYTES 40 -#define SEEDEXPANDER_MAX_LENGTH 4294967295 - -#endif diff --git a/crypto_kem/hqc-rmrs-128/clean/parsing.c b/crypto_kem/hqc-rmrs-128/clean/parsing.c deleted file mode 100644 index fe9e73b7..00000000 --- a/crypto_kem/hqc-rmrs-128/clean/parsing.c +++ /dev/null 
@@ -1,186 +0,0 @@ -#include "nistseedexpander.h" -#include "parameters.h" -#include "parsing.h" -#include "randombytes.h" -#include "vector.h" -#include -#include -/** - * @file parsing.c - * @brief Functions to parse secret key, public key and ciphertext of the HQC scheme - */ - - -void PQCLEAN_HQCRMRS128_CLEAN_store8(unsigned char *out, uint64_t in) { - out[0] = (in >> 0x00) & 0xFF; - out[1] = (in >> 0x08) & 0xFF; - out[2] = (in >> 0x10) & 0xFF; - out[3] = (in >> 0x18) & 0xFF; - out[4] = (in >> 0x20) & 0xFF; - out[5] = (in >> 0x28) & 0xFF; - out[6] = (in >> 0x30) & 0xFF; - out[7] = (in >> 0x38) & 0xFF; -} - - -uint64_t PQCLEAN_HQCRMRS128_CLEAN_load8(const unsigned char *in) { - uint64_t ret = in[7]; - - for (int8_t i = 6; i >= 0; i--) { - ret <<= 8; - ret |= in[i]; - } - - return ret; -} - -void PQCLEAN_HQCRMRS128_CLEAN_load8_arr(uint64_t *out64, size_t outlen, const uint8_t *in8, size_t inlen) { - size_t index_in = 0; - size_t index_out = 0; - - // first copy by 8 bytes - if (inlen >= 8 && outlen >= 1) { - while (index_out < outlen && index_in + 8 <= inlen) { - out64[index_out] = PQCLEAN_HQCRMRS128_CLEAN_load8(in8 + index_in); - - index_in += 8; - index_out += 1; - } - } - - // we now need to do the last 7 bytes if necessary - if (index_in >= inlen || index_out >= outlen) { - return; - } - out64[index_out] = in8[inlen - 1]; - for (int8_t i = (int8_t)(inlen - index_in) - 2; i >= 0; i--) { - out64[index_out] <<= 8; - out64[index_out] |= in8[index_in + i]; - } -} - -void PQCLEAN_HQCRMRS128_CLEAN_store8_arr(uint8_t *out8, size_t outlen, const uint64_t *in64, size_t inlen) { - for (size_t index_out = 0, index_in = 0; index_out < outlen && index_in < inlen;) { - out8[index_out] = (in64[index_in] >> ((index_out % 8) * 8)) & 0xFF; - index_out++; - if (index_out % 8 == 0) { - index_in++; - } - } -} - - -/** - * @brief Parse a secret key into a string - * - * The secret key is composed of the seed used to generate vectors x and y. 
- * As technicality, the public key is appended to the secret key in order to respect NIST API. - * - * @param[out] sk String containing the secret key - * @param[in] sk_seed Seed used to generate the secret key - * @param[in] pk String containing the public key - */ -void PQCLEAN_HQCRMRS128_CLEAN_hqc_secret_key_to_string(uint8_t *sk, const uint8_t *sk_seed, const uint8_t *pk) { - memcpy(sk, sk_seed, SEED_BYTES); - sk += SEED_BYTES; - memcpy(sk, pk, PUBLIC_KEY_BYTES); -} - -/** - * @brief Parse a secret key from a string - * - * The secret key is composed of the seed used to generate vectors x and y. - * As technicality, the public key is appended to the secret key in order to respect NIST API. - * - * @param[out] x uint64_t representation of vector x - * @param[out] y uint32_t representation of vector y - * @param[out] pk String containing the public key - * @param[in] sk String containing the secret key - */ -void PQCLEAN_HQCRMRS128_CLEAN_hqc_secret_key_from_string(uint64_t *x, uint32_t *y, uint8_t *pk, const uint8_t *sk) { - AES_XOF_struct sk_seedexpander; - uint8_t sk_seed[SEED_BYTES] = {0}; - - memcpy(sk_seed, sk, SEED_BYTES); - sk += SEED_BYTES; - memcpy(pk, sk, PUBLIC_KEY_BYTES); - - seedexpander_init(&sk_seedexpander, sk_seed, sk_seed + 32, SEEDEXPANDER_MAX_LENGTH); - PQCLEAN_HQCRMRS128_CLEAN_vect_set_random_fixed_weight(&sk_seedexpander, x, PARAM_OMEGA); - PQCLEAN_HQCRMRS128_CLEAN_vect_set_random_fixed_weight_by_coordinates(&sk_seedexpander, y, PARAM_OMEGA); -} - -/** - * @brief Parse a public key into a string - * - * The public key is composed of the syndrome s as well as the seed used to generate the vector h - * - * @param[out] pk String containing the public key - * @param[in] pk_seed Seed used to generate the public key - * @param[in] s uint8_t representation of vector s - */ -void PQCLEAN_HQCRMRS128_CLEAN_hqc_public_key_to_string(uint8_t *pk, const uint8_t *pk_seed, const uint64_t *s) { - memcpy(pk, pk_seed, SEED_BYTES); - 
PQCLEAN_HQCRMRS128_CLEAN_store8_arr(pk + SEED_BYTES, VEC_N_SIZE_BYTES, s, VEC_N_SIZE_64); -} - - - -/** - * @brief Parse a public key from a string - * - * The public key is composed of the syndrome s as well as the seed used to generate the vector h - * - * @param[out] h uint8_t representation of vector h - * @param[out] s uint8_t representation of vector s - * @param[in] pk String containing the public key - */ -void PQCLEAN_HQCRMRS128_CLEAN_hqc_public_key_from_string(uint64_t *h, uint64_t *s, const uint8_t *pk) { - AES_XOF_struct pk_seedexpander; - uint8_t pk_seed[SEED_BYTES] = {0}; - - memcpy(pk_seed, pk, SEED_BYTES); - pk += SEED_BYTES; - PQCLEAN_HQCRMRS128_CLEAN_load8_arr(s, VEC_N_SIZE_64, pk, VEC_N_SIZE_BYTES); - - seedexpander_init(&pk_seedexpander, pk_seed, pk_seed + 32, SEEDEXPANDER_MAX_LENGTH); - PQCLEAN_HQCRMRS128_CLEAN_vect_set_random(&pk_seedexpander, h); -} - - -/** - * @brief Parse a ciphertext into a string - * - * The ciphertext is composed of vectors u, v and hash d. - * - * @param[out] ct String containing the ciphertext - * @param[in] u uint8_t representation of vector u - * @param[in] v uint8_t representation of vector v - * @param[in] d String containing the hash d - */ -void PQCLEAN_HQCRMRS128_CLEAN_hqc_ciphertext_to_string(uint8_t *ct, const uint64_t *u, const uint64_t *v, const uint8_t *d) { - PQCLEAN_HQCRMRS128_CLEAN_store8_arr(ct, VEC_N_SIZE_BYTES, u, VEC_N_SIZE_64); - ct += VEC_N_SIZE_BYTES; - PQCLEAN_HQCRMRS128_CLEAN_store8_arr(ct, VEC_N1N2_SIZE_BYTES, v, VEC_N1N2_SIZE_64); - ct += VEC_N1N2_SIZE_BYTES; - memcpy(ct, d, SHA512_BYTES); -} - - -/** - * @brief Parse a ciphertext from a string - * - * The ciphertext is composed of vectors u, v and hash d. 
- * - * @param[out] u uint8_t representation of vector u - * @param[out] v uint8_t representation of vector v - * @param[out] d String containing the hash d - * @param[in] ct String containing the ciphertext - */ -void PQCLEAN_HQCRMRS128_CLEAN_hqc_ciphertext_from_string(uint64_t *u, uint64_t *v, uint8_t *d, const uint8_t *ct) { - PQCLEAN_HQCRMRS128_CLEAN_load8_arr(u, VEC_N_SIZE_64, ct, VEC_N_SIZE_BYTES); - ct += VEC_N_SIZE_BYTES; - PQCLEAN_HQCRMRS128_CLEAN_load8_arr(v, VEC_N1N2_SIZE_64, ct, VEC_N1N2_SIZE_BYTES); - ct += VEC_N1N2_SIZE_BYTES; - memcpy(d, ct, SHA512_BYTES); -} diff --git a/crypto_kem/hqc-rmrs-128/clean/parsing.h b/crypto_kem/hqc-rmrs-128/clean/parsing.h deleted file mode 100644 index f351af7b..00000000 --- a/crypto_kem/hqc-rmrs-128/clean/parsing.h +++ /dev/null 
@@ -1,36 +0,0 @@
-#ifndef PARSING_H
-#define PARSING_H
-
-
-/**
- * @file parsing.h
- * @brief Header file for parsing.c
- */
-
-#include
-
-void PQCLEAN_HQCRMRS128_CLEAN_store8(unsigned char *out, uint64_t in);
-
-uint64_t PQCLEAN_HQCRMRS128_CLEAN_load8(const unsigned char *in);
-
-void PQCLEAN_HQCRMRS128_CLEAN_load8_arr(uint64_t *out64, size_t outlen, const uint8_t *in8, size_t inlen);
-
-void PQCLEAN_HQCRMRS128_CLEAN_store8_arr(uint8_t *out8, size_t outlen, const uint64_t *in64, size_t inlen);
-
-
-void PQCLEAN_HQCRMRS128_CLEAN_hqc_secret_key_to_string(uint8_t *sk, const uint8_t *sk_seed, const uint8_t *pk);
-
-void PQCLEAN_HQCRMRS128_CLEAN_hqc_secret_key_from_string(uint64_t *x, uint32_t *y, uint8_t *pk, const uint8_t *sk);
-
-
-void PQCLEAN_HQCRMRS128_CLEAN_hqc_public_key_to_string(uint8_t *pk, const uint8_t *pk_seed, const uint64_t *s);
-
-void PQCLEAN_HQCRMRS128_CLEAN_hqc_public_key_from_string(uint64_t *h, uint64_t *s, const uint8_t *pk);
-
-
-void PQCLEAN_HQCRMRS128_CLEAN_hqc_ciphertext_to_string(uint8_t *ct, const uint64_t *u, const uint64_t *v, const uint8_t *d);
-
-void PQCLEAN_HQCRMRS128_CLEAN_hqc_ciphertext_from_string(uint64_t *u, uint64_t *v, uint8_t *d, const uint8_t *ct);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-128/clean/reed_muller.c b/crypto_kem/hqc-rmrs-128/clean/reed_muller.c
deleted file mode 100644
index 1273d9f9..00000000
--- a/crypto_kem/hqc-rmrs-128/clean/reed_muller.c
+++ /dev/null
@@ -1,237 +0,0 @@ -#include "parameters.h" -#include "reed_muller.h" -#include -#include -/** - * @file reed_muller.c - * Constant time implementation of Reed-Muller code RM(1,7) - */ - - - -// number of repeated code words -#define MULTIPLICITY CEIL_DIVIDE(PARAM_N2, 128) - -// copy bit 0 into all bits of a 32 bit value -#define BIT0MASK(x) (-((x) & 1)) - - -static void encode(uint8_t *word, uint8_t message); -static void hadamard(uint16_t src[128], uint16_t dst[128]); -static void expand_and_sum(uint16_t dest[128], const uint8_t src[16 * MULTIPLICITY]); -static uint8_t find_peaks(const uint16_t transform[128]); - - - -/** - * @brief Encode a single byte into a single codeword using RM(1,7) - * - * Encoding matrix of this code: - * bit pattern (note that bits are numbered big endian) - * 0 aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa - * 1 cccccccc cccccccc cccccccc cccccccc - * 2 f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0 - * 3 ff00ff00 ff00ff00 ff00ff00 ff00ff00 - * 4 ffff0000 ffff0000 ffff0000 ffff0000 - * 5 ffffffff 00000000 ffffffff 00000000 - * 6 ffffffff ffffffff 00000000 00000000 - * 7 ffffffff ffffffff ffffffff ffffffff - * - * @param[out] word An RM(1,7) codeword - * @param[in] message A message - */ -static void encode(uint8_t *word, uint8_t message) { - uint32_t e; - // bit 7 flips all the bits, do that first to save work - e = BIT0MASK(message >> 7); - // bits 0, 1, 2, 3, 4 are the same for all four longs - // (Warning: in the bit matrix above, low bits are at the left!) 
- e ^= BIT0MASK(message >> 0) & 0xaaaaaaaa; - e ^= BIT0MASK(message >> 1) & 0xcccccccc; - e ^= BIT0MASK(message >> 2) & 0xf0f0f0f0; - e ^= BIT0MASK(message >> 3) & 0xff00ff00; - e ^= BIT0MASK(message >> 4) & 0xffff0000; - // we can store this in the first quarter - word[0 + 0] = (e >> 0x00) & 0xff; - word[0 + 1] = (e >> 0x08) & 0xff; - word[0 + 2] = (e >> 0x10) & 0xff; - word[0 + 3] = (e >> 0x18) & 0xff; - // bit 5 flips entries 1 and 3; bit 6 flips 2 and 3 - e ^= BIT0MASK(message >> 5); - word[4 + 0] = (e >> 0x00) & 0xff; - word[4 + 1] = (e >> 0x08) & 0xff; - word[4 + 2] = (e >> 0x10) & 0xff; - word[4 + 3] = (e >> 0x18) & 0xff; - e ^= BIT0MASK(message >> 6); - word[12 + 0] = (e >> 0x00) & 0xff; - word[12 + 1] = (e >> 0x08) & 0xff; - word[12 + 2] = (e >> 0x10) & 0xff; - word[12 + 3] = (e >> 0x18) & 0xff; - e ^= BIT0MASK(message >> 5); - word[8 + 0] = (e >> 0x00) & 0xff; - word[8 + 1] = (e >> 0x08) & 0xff; - word[8 + 2] = (e >> 0x10) & 0xff; - word[8 + 3] = (e >> 0x18) & 0xff; -} - - - -/** - * @brief Hadamard transform - * - * Perform hadamard transform of src and store result in dst - * src is overwritten: it is also used as intermediate buffer - * Method is best explained if we use H(3) instead of H(7): - * - * The routine multiplies by the matrix H(3): - * [1 1 1 1 1 1 1 1] - * [1 -1 1 -1 1 -1 1 -1] - * [1 1 -1 -1 1 1 -1 -1] - * [a b c d e f g h] * [1 -1 -1 1 1 -1 -1 1] = result of routine - * [1 1 1 1 -1 -1 -1 -1] - * [1 -1 1 -1 -1 1 -1 1] - * [1 1 -1 -1 -1 -1 1 1] - * [1 -1 -1 1 -1 1 1 -1] - * You can do this in three passes, where each pass does this: - * set lower half of buffer to pairwise sums, - * and upper half to differences - * index 0 1 2 3 4 5 6 7 - * input: a, b, c, d, e, f, g, h - * pass 1: a+b, c+d, e+f, g+h, a-b, c-d, e-f, g-h - * pass 2: a+b+c+d, e+f+g+h, a-b+c-d, e-f+g-h, a+b-c-d, e+f-g-h, a-b-c+d, e-f-g+h - * pass 3: a+b+c+d+e+f+g+h a+b-c-d+e+f-g-h a+b+c+d-e-f-g-h a+b-c-d-e+-f+g+h - * a-b+c-d+e-f+g-h a-b-c+d+e-f-g+h a-b+c-d-e+f-g+h 
a-b-c+d-e+f+g-h - * This order of computation is chosen because it vectorises well. - * Likewise, this routine multiplies by H(7) in seven passes. - * - * @param[out] src Structure that contain the expanded codeword - * @param[out] dst Structure that contain the expanded codeword - */ -static void hadamard(uint16_t src[128], uint16_t dst[128]) { - // the passes move data: - // src -> dst -> src -> dst -> src -> dst -> src -> dst - // using p1 and p2 alternately - uint16_t *p1 = src; - uint16_t *p2 = dst; - uint16_t *p3; - for (uint32_t pass = 0; pass < 7; pass++) { - for (uint32_t i = 0; i < 64; i++) { - p2[i] = p1[2 * i] + p1[2 * i + 1]; - p2[i + 64] = p1[2 * i] - p1[2 * i + 1]; - } - // swap p1, p2 for next round - p3 = p1; - p1 = p2; - p2 = p3; - } -} - - - -/** - * @brief Add multiple codewords into expanded codeword - * - * Accesses memory in order - * Note: this does not write the codewords as -1 or +1 as the green machine does - * instead, just 0 and 1 is used. - * The resulting hadamard transform has: - * all values are halved - * the first entry is 64 too high - * - * @param[out] dest Structure that contain the expanded codeword - * @param[in] src Structure that contain the codeword - */ -static void expand_and_sum(uint16_t dest[128], const uint8_t src[16 * MULTIPLICITY]) { - size_t part, bit, copy; - // start with the first copy - for (part = 0; part < 16; part++) { - for (bit = 0; bit < 8; bit++) { - dest[part * 8 + bit] = (uint16_t) ((src[part] >> bit) & 1); - } - } - // sum the rest of the copies - for (copy = 1; copy < MULTIPLICITY; copy++) { - for (part = 0; part < 16; part++) { - for (bit = 0; bit < 8; bit++) { - dest[part * 8 + bit] += (uint16_t) ((src[16 * copy + part] >> bit) & 1); - } - } - } -} - - - -/** - * @brief Finding the location of the highest value - * - * This is the final step of the green machine: find the location of the highest value, - * and add 128 if the peak is positive - * if there are two identical peaks, the peak with 
smallest value - * in the lowest 7 bits it taken - * @param[in] transform Structure that contain the expanded codeword - */ -static uint8_t find_peaks(const uint16_t transform[128]) { - uint16_t peak_abs = 0; - uint16_t peak = 0; - uint16_t pos = 0; - uint16_t t, abs, mask; - for (uint16_t i = 0; i < 128; i++) { - t = transform[i]; - abs = t ^ ((-(t >> 15)) & (t ^ -t)); // t = abs(t) - mask = -(((uint16_t)(peak_abs - abs)) >> 15); - peak ^= mask & (peak ^ t); - pos ^= mask & (pos ^ i); - peak_abs ^= mask & (peak_abs ^ abs); - } - pos |= 128 & ((peak >> 15) - 1); - return (uint8_t) pos; -} - - - - -/** - * @brief Encodes the received word - * - * The message consists of N1 bytes each byte is encoded into PARAM_N2 bits, - * or MULTIPLICITY repeats of 128 bits - * - * @param[out] cdw Array of size VEC_N1N2_SIZE_64 receiving the encoded message - * @param[in] msg Array of size VEC_N1_SIZE_64 storing the message - */ -void PQCLEAN_HQCRMRS128_CLEAN_reed_muller_encode(uint8_t *cdw, const uint8_t *msg) { - for (size_t i = 0; i < VEC_N1_SIZE_BYTES; i++) { - // encode first word - encode(&cdw[16 * i * MULTIPLICITY], msg[i]); - // copy to other identical codewords - for (size_t copy = 1; copy < MULTIPLICITY; copy++) { - memcpy(&cdw[16 * i * MULTIPLICITY + 16 * copy], &cdw[16 * i * MULTIPLICITY], 16); - } - } -} - - - -/** - * @brief Decodes the received word - * - * Decoding uses fast hadamard transform, for a more complete picture on Reed-Muller decoding, see MacWilliams, Florence Jessie, and Neil James Alexander Sloane. 
- * The theory of error-correcting codes codes @cite macwilliams1977theory - * - * @param[out] msg Array of size VEC_N1_SIZE_64 receiving the decoded message - * @param[in] cdw Array of size VEC_N1N2_SIZE_64 storing the received word - */ -void PQCLEAN_HQCRMRS128_CLEAN_reed_muller_decode(uint8_t *msg, const uint8_t *cdw) { - uint16_t expanded[128]; - uint16_t transform[128]; - for (size_t i = 0; i < VEC_N1_SIZE_BYTES; i++) { - // collect the codewords - expand_and_sum(expanded, &cdw[16 * i * MULTIPLICITY]); - // apply hadamard transform - hadamard(expanded, transform); - // fix the first entry to get the half Hadamard transform - transform[0] -= 64 * MULTIPLICITY; - // finish the decoding - msg[i] = find_peaks(transform); - } -} diff --git a/crypto_kem/hqc-rmrs-128/clean/reed_muller.h b/crypto_kem/hqc-rmrs-128/clean/reed_muller.h deleted file mode 100644 index 0229e24a..00000000 --- a/crypto_kem/hqc-rmrs-128/clean/reed_muller.h +++ /dev/null @@ -1,18 +0,0 @@ -#ifndef REED_MULLER_H -#define REED_MULLER_H - - -/** - * @file reed_muller.h - * Header file of reed_muller.c - */ -#include "parameters.h" -#include -#include - -void PQCLEAN_HQCRMRS128_CLEAN_reed_muller_encode(uint8_t *cdw, const uint8_t *msg); - -void PQCLEAN_HQCRMRS128_CLEAN_reed_muller_decode(uint8_t *msg, const uint8_t *cdw); - - -#endif diff --git a/crypto_kem/hqc-rmrs-128/clean/reed_solomon.c b/crypto_kem/hqc-rmrs-128/clean/reed_solomon.c deleted file mode 100644 index 9139ce10..00000000 --- a/crypto_kem/hqc-rmrs-128/clean/reed_solomon.c +++ /dev/null 
@@ -1,349 +0,0 @@ -#include "fft.h" -#include "gf.h" -#include "parameters.h" -#include "parsing.h" -#include "reed_solomon.h" -#include -#include -#include -/** - * @file reed_solomon.c - * Constant time implementation of Reed-Solomon codes - */ - - -static void compute_syndromes(uint16_t *syndromes, uint8_t *cdw); -static uint16_t compute_elp(uint16_t *sigma, const uint16_t *syndromes); -static void compute_roots(uint8_t *error, uint16_t *sigma); -static void compute_z_poly(uint16_t *z, const uint16_t *sigma, uint16_t degree, const uint16_t *syndromes); -static void compute_error_values(uint16_t *error_values, const uint16_t *z, const uint8_t *error); -static void correct_errors(uint8_t *cdw, const uint16_t *error_values); - -/** - * @brief Encodes a message message of PARAM_K bits to a Reed-Solomon codeword codeword of PARAM_N1 bytes - * - * Following @cite lin1983error (Chapter 4 - Cyclic Codes), - * We perform a systematic encoding using a linear (PARAM_N1 - PARAM_K)-stage shift register - * with feedback connections based on the generator polynomial PARAM_RS_POLY of the Reed-Solomon code. 
- * - * @param[out] cdw Array of size VEC_N1_SIZE_64 receiving the encoded message - * @param[in] msg Array of size VEC_K_SIZE_64 storing the message - */ -void PQCLEAN_HQCRMRS128_CLEAN_reed_solomon_encode(uint8_t *cdw, const uint8_t *msg) { - size_t i, j, k; - uint8_t gate_value = 0; - - uint16_t tmp[PARAM_G] = {0}; - uint16_t PARAM_RS_POLY [] = {RS_POLY_COEFS}; - uint8_t prev, x; - - for (i = 0; i < PARAM_N1; ++i) { - cdw[i] = 0; - } - - for (i = 0; i < PARAM_K; ++i) { - gate_value = (uint8_t) (msg[PARAM_K - 1 - i] ^ cdw[PARAM_N1 - PARAM_K - 1]); - - for (j = 0; j < PARAM_G; ++j) { - tmp[j] = PQCLEAN_HQCRMRS128_CLEAN_gf_mul(gate_value, PARAM_RS_POLY[j]); - } - - prev = 0; - for (k = 0; k < PARAM_N1 - PARAM_K; k++) { - x = cdw[k]; - cdw[k] = (uint8_t) (prev ^ tmp[k]); - prev = x; - } - } - - memcpy(cdw + PARAM_N1 - PARAM_K, msg, PARAM_K); -} - - - -/** - * @brief Computes 2 * PARAM_DELTA syndromes - * - * @param[out] syndromes Array of size 2 * PARAM_DELTA receiving the computed syndromes - * @param[in] cdw Array of size PARAM_N1 storing the received vector - */ -void compute_syndromes(uint16_t *syndromes, uint8_t *cdw) { - for (size_t i = 0; i < 2 * PARAM_DELTA; ++i) { - for (size_t j = 1; j < PARAM_N1; ++j) { - syndromes[i] ^= PQCLEAN_HQCRMRS128_CLEAN_gf_mul(cdw[j], alpha_ij_pow[i][j - 1]); - } - syndromes[i] ^= cdw[0]; - } -} - - - -/** - * @brief Computes the error locator polynomial (ELP) sigma - * - * This is a constant time implementation of Berlekamp's simplified algorithm (see @cite lin1983error (Chapter 6 - BCH Codes).
- * We use the letter p for rho which is initialized at -1.
- * The array X_sigma_p represents the polynomial X^(mu-rho)*sigma_p(X).
- * Instead of maintaining a list of sigmas, we update in place both sigma and X_sigma_p.
- * sigma_copy serves as a temporary save of sigma in case X_sigma_p needs to be updated.
- * We can properly correct only if the degree of sigma does not exceed PARAM_DELTA. - * This means only the first PARAM_DELTA + 1 coefficients of sigma are of value - * and we only need to save its first PARAM_DELTA - 1 coefficients. - * - * @returns the degree of the ELP sigma - * @param[out] sigma Array of size (at least) PARAM_DELTA receiving the ELP - * @param[in] syndromes Array of size (at least) 2*PARAM_DELTA storing the syndromes - */ -static uint16_t compute_elp(uint16_t *sigma, const uint16_t *syndromes) { - uint16_t deg_sigma = 0; - uint16_t deg_sigma_p = 0; - uint16_t deg_sigma_copy = 0; - uint16_t sigma_copy[PARAM_DELTA + 1] = {0}; - uint16_t X_sigma_p[PARAM_DELTA + 1] = {0, 1}; - uint16_t pp = (uint16_t) -1; // 2*rho - uint16_t d_p = 1; - uint16_t d = syndromes[0]; - - uint16_t mask1, mask2, mask12; - uint16_t deg_X, deg_X_sigma_p; - uint16_t dd; - uint16_t mu; - - uint16_t i; - - sigma[0] = 1; - for (mu = 0; (mu < (2 * PARAM_DELTA)); ++mu) { - // Save sigma in case we need it to update X_sigma_p - memcpy(sigma_copy, sigma, 2 * (PARAM_DELTA)); - deg_sigma_copy = deg_sigma; - - dd = PQCLEAN_HQCRMRS128_CLEAN_gf_mul(d, PQCLEAN_HQCRMRS128_CLEAN_gf_inverse(d_p)); - - for (i = 1; (i <= mu + 1) && (i <= PARAM_DELTA); ++i) { - sigma[i] ^= PQCLEAN_HQCRMRS128_CLEAN_gf_mul(dd, X_sigma_p[i]); - } - - deg_X = mu - pp; - deg_X_sigma_p = deg_X + deg_sigma_p; - - // mask1 = 0xffff if(d != 0) and 0 otherwise - mask1 = -((uint16_t) - d >> 15); - - // mask2 = 0xffff if(deg_X_sigma_p > deg_sigma) and 0 otherwise - mask2 = -((uint16_t) (deg_sigma - deg_X_sigma_p) >> 15); - - // mask12 = 0xffff if the deg_sigma increased and 0 otherwise - mask12 = mask1 & mask2; - deg_sigma ^= mask12 & (deg_X_sigma_p ^ deg_sigma); - - if (mu == (2 * PARAM_DELTA - 1)) { - break; - } - - pp ^= mask12 & (mu ^ pp); - d_p ^= mask12 & (d ^ d_p); - for (i = PARAM_DELTA; i; --i) { - X_sigma_p[i] = (mask12 & sigma_copy[i - 1]) ^ (~mask12 & X_sigma_p[i - 1]); - } - - deg_sigma_p ^= mask12 & 
(deg_sigma_copy ^ deg_sigma_p); - d = syndromes[mu + 1]; - - for (i = 1; (i <= mu + 1) && (i <= PARAM_DELTA); ++i) { - d ^= PQCLEAN_HQCRMRS128_CLEAN_gf_mul(sigma[i], syndromes[mu + 1 - i]); - } - } - - return deg_sigma; -} - - - -/** - * @brief Computes the error polynomial error from the error locator polynomial sigma - * - * See function PQCLEAN_HQCRMRS128_CLEAN_fft for more details. - * - * @param[out] error Array of 2^PARAM_M elements receiving the error polynomial - * @param[out] error_compact Array of PARAM_DELTA + PARAM_N1 elements receiving a compact representation of the vector error - * @param[in] sigma Array of 2^PARAM_FFT elements storing the error locator polynomial - */ -static void compute_roots(uint8_t *error, uint16_t *sigma) { - uint16_t w[1 << PARAM_M] = {0}; - - PQCLEAN_HQCRMRS128_CLEAN_fft(w, sigma, PARAM_DELTA + 1); - PQCLEAN_HQCRMRS128_CLEAN_fft_retrieve_error_poly(error, w); -} - - - -/** - * @brief Computes the polynomial z(x) - * - * See @cite lin1983error (Chapter 6 - BCH Codes) for more details. 
- * - * @param[out] z Array of PARAM_DELTA + 1 elements receiving the polynomial z(x) - * @param[in] sigma Array of 2^PARAM_FFT elements storing the error locator polynomial - * @param[in] degree Integer that is the degree of polynomial sigma - * @param[in] syndromes Array of 2 * PARAM_DELTA storing the syndromes - */ -static void compute_z_poly(uint16_t *z, const uint16_t *sigma, uint16_t degree, const uint16_t *syndromes) { - size_t i, j; - uint16_t mask; - - z[0] = 1; - - for (i = 1; i < PARAM_DELTA + 1; ++i) { - mask = -((uint16_t) (i - degree - 1) >> 15); - z[i] = mask & sigma[i]; - } - - z[1] ^= syndromes[0]; - - for (i = 2; i <= PARAM_DELTA; ++i) { - mask = -((uint16_t) (i - degree - 1) >> 15); - z[i] ^= mask & syndromes[i - 1]; - - for (j = 1; j < i; ++j) { - z[i] ^= mask & PQCLEAN_HQCRMRS128_CLEAN_gf_mul(sigma[j], syndromes[i - j - 1]); - } - } -} - - - -/** - * @brief Computes the error values - * - * See @cite lin1983error (Chapter 6 - BCH Codes) for more details. - * - * @param[out] error_values Array of PARAM_DELTA elements receiving the error values - * @param[in] z Array of PARAM_DELTA + 1 elements storing the polynomial z(x) - * @param[in] z_degree Integer that is the degree of polynomial z(x) - * @param[in] error_compact Array of PARAM_DELTA + PARAM_N1 storing compact representation of the error - */ -static void compute_error_values(uint16_t *error_values, const uint16_t *z, const uint8_t *error) { - uint16_t beta_j[PARAM_DELTA] = {0}; - uint16_t e_j[PARAM_DELTA] = {0}; - - uint16_t delta_counter; - uint16_t delta_real_value; - uint16_t found; - uint16_t mask1; - uint16_t mask2; - uint16_t tmp1; - uint16_t tmp2; - uint16_t inverse; - uint16_t inverse_power_j; - - // Compute the beta_{j_i} page 31 of the documentation - delta_counter = 0; - for (size_t i = 0; i < PARAM_N1; i++) { - found = 0; - mask1 = (uint16_t) (-((int32_t)error[i]) >> 31); // error[i] != 0 - for (size_t j = 0; j < PARAM_DELTA; j++) { - mask2 = ~((uint16_t) (-((int32_t) j ^ 
delta_counter) >> 31)); // j == delta_counter - beta_j[j] += mask1 & mask2 & gf_exp[i]; - found += mask1 & mask2 & 1; - } - delta_counter += found; - } - delta_real_value = delta_counter; - - // Compute the e_{j_i} page 31 of the documentation - for (size_t i = 0; i < PARAM_DELTA; ++i) { - tmp1 = 1; - tmp2 = 1; - inverse = PQCLEAN_HQCRMRS128_CLEAN_gf_inverse(beta_j[i]); - inverse_power_j = 1; - - for (size_t j = 1; j <= PARAM_DELTA; ++j) { - inverse_power_j = PQCLEAN_HQCRMRS128_CLEAN_gf_mul(inverse_power_j, inverse); - tmp1 ^= PQCLEAN_HQCRMRS128_CLEAN_gf_mul(inverse_power_j, z[j]); - } - for (size_t k = 1; k < PARAM_DELTA; ++k) { - tmp2 = PQCLEAN_HQCRMRS128_CLEAN_gf_mul(tmp2, (1 ^ PQCLEAN_HQCRMRS128_CLEAN_gf_mul(inverse, beta_j[(i + k) % PARAM_DELTA]))); - } - mask1 = (uint16_t) (((int16_t) i - delta_real_value) >> 15); // i < delta_real_value - e_j[i] = mask1 & PQCLEAN_HQCRMRS128_CLEAN_gf_mul(tmp1, PQCLEAN_HQCRMRS128_CLEAN_gf_inverse(tmp2)); - } - - // Place the delta e_{j_i} values at the right coordinates of the output vector - delta_counter = 0; - for (size_t i = 0; i < PARAM_N1; ++i) { - found = 0; - mask1 = (uint16_t) (-((int32_t)error[i]) >> 31); // error[i] != 0 - for (size_t j = 0; j < PARAM_DELTA; j++) { - mask2 = ~((uint16_t) (-((int32_t) j ^ delta_counter) >> 31)); // j == delta_counter - error_values[i] += mask1 & mask2 & e_j[j]; - found += mask1 & mask2 & 1; - } - delta_counter += found; - } -} - - - -/** - * @brief Correct the errors - * - * @param[out] cdw Array of PARAM_N1 elements receiving the corrected vector - * @param[in] error Array of the error vector - * @param[in] error_values Array of PARAM_DELTA elements storing the error values - */ -static void correct_errors(uint8_t *cdw, const uint16_t *error_values) { - for (size_t i = 0; i < PARAM_N1; ++i) { - cdw[i] ^= error_values[i]; - } -} - - - -/** - * @brief Decodes the received word - * - * This function relies on six steps: - *
    - *
  1. The first step, is the computation of the 2*PARAM_DELTA syndromes. - *
  2. The second step is the computation of the error-locator polynomial sigma. - *
  3. The third step, done by additive FFT, is finding the error-locator numbers by calculating the roots of the polynomial sigma and takings their inverses. - *
  4. The fourth step, is the polynomial z(x). - *
  5. The fifth step, is the computation of the error values. - *
  6. The sixth step is the correction of the errors in the received polynomial. - *
- * For a more complete picture on Reed-Solomon decoding, see Shu. Lin and Daniel J. Costello in Error Control Coding: Fundamentals and Applications @cite lin1983error - * - * @param[out] msg Array of size VEC_K_SIZE_64 receiving the decoded message - * @param[in] cdw Array of size VEC_N1_SIZE_64 storing the received word - */ -void PQCLEAN_HQCRMRS128_CLEAN_reed_solomon_decode(uint8_t *msg, uint8_t *cdw) { - uint16_t syndromes[2 * PARAM_DELTA] = {0}; - uint16_t sigma[1 << PARAM_FFT] = {0}; - uint8_t error[1 << PARAM_M] = {0}; - uint16_t z[PARAM_N1] = {0}; - uint16_t error_values[PARAM_N1] = {0}; - uint16_t deg; - - // Calculate the 2*PARAM_DELTA syndromes - compute_syndromes(syndromes, cdw); - - // Compute the error locator polynomial sigma - // Sigma's degree is at most PARAM_DELTA but the FFT requires the extra room - deg = compute_elp(sigma, syndromes); - - // Compute the error polynomial error - compute_roots(error, sigma); - - // Compute the polynomial z(x) - compute_z_poly(z, sigma, deg, syndromes); - - // Compute the error values - compute_error_values(error_values, z, error); - - // Correct the errors - correct_errors(cdw, error_values); - - // Retrieve the message from the decoded codeword - memcpy(msg, cdw + (PARAM_G - 1), PARAM_K); - -} diff --git a/crypto_kem/hqc-rmrs-128/clean/reed_solomon.h b/crypto_kem/hqc-rmrs-128/clean/reed_solomon.h deleted file mode 100644 index 84fc97cc..00000000 --- a/crypto_kem/hqc-rmrs-128/clean/reed_solomon.h +++ /dev/null 
@@ -1,20 +0,0 @@ -#ifndef REED_SOLOMON_H -#define REED_SOLOMON_H - - -/** - * @file reed_solomon.h - * Header file of reed_solomon.c - */ -#include "parameters.h" -#include -#include - -static const uint16_t alpha_ij_pow [30][45] = {{2, 4, 8, 16, 32, 64, 128, 29, 58, 116, 232, 205, 135, 19, 38, 76, 152, 45, 90, 180, 117, 234, 201, 143, 3, 6, 12, 24, 48, 96, 192, 157, 39, 78, 156, 37, 74, 148, 53, 106, 212, 181, 119, 238, 193}, {4, 16, 64, 29, 116, 205, 19, 76, 45, 180, 234, 143, 6, 24, 96, 157, 78, 37, 148, 106, 181, 238, 159, 70, 5, 20, 80, 93, 105, 185, 222, 95, 97, 153, 94, 101, 137, 30, 120, 253, 211, 107, 177, 254, 223}, {8, 64, 58, 205, 38, 45, 117, 143, 12, 96, 39, 37, 53, 181, 193, 70, 10, 80, 186, 185, 161, 97, 47, 101, 15, 120, 231, 107, 127, 223, 182, 217, 134, 68, 26, 208, 206, 62, 237, 59, 197, 102, 23, 184, 169}, {16, 29, 205, 76, 180, 143, 24, 157, 37, 106, 238, 70, 20, 93, 185, 95, 153, 101, 30, 253, 107, 254, 91, 217, 17, 13, 208, 129, 248, 59, 151, 133, 184, 79, 132, 168, 82, 73, 228, 230, 198, 252, 123, 227, 150}, {32, 116, 38, 180, 3, 96, 156, 106, 193, 5, 160, 185, 190, 94, 15, 253, 214, 223, 226, 17, 26, 103, 124, 59, 51, 46, 169, 132, 77, 85, 114, 230, 145, 215, 255, 150, 55, 174, 100, 28, 167, 89, 239, 172, 36}, {64, 205, 45, 143, 96, 37, 181, 70, 80, 185, 97, 101, 120, 107, 223, 217, 68, 208, 62, 59, 102, 184, 33, 168, 85, 228, 191, 252, 241, 150, 110, 130, 7, 221, 89, 195, 138, 61, 251, 44, 207, 173, 8, 58, 38}, {128, 19, 117, 24, 156, 181, 140, 93, 161, 94, 60, 107, 163, 67, 26, 129, 147, 102, 109, 132, 41, 57, 209, 252, 255, 98, 87, 200, 224, 89, 155, 18, 245, 11, 233, 173, 16, 232, 45, 3, 157, 53, 159, 40, 185}, {29, 76, 143, 157, 106, 70, 93, 95, 101, 253, 254, 217, 13, 129, 59, 133, 79, 168, 73, 230, 252, 227, 149, 130, 28, 81, 195, 18, 247, 44, 27, 2, 58, 152, 3, 39, 212, 140, 186, 190, 202, 231, 225, 175, 26}, {58, 45, 12, 37, 193, 80, 161, 101, 231, 223, 134, 208, 237, 102, 169, 168, 146, 191, 179, 150, 87, 7, 166, 195, 36, 251, 
125, 173, 64, 38, 143, 39, 181, 10, 185, 47, 120, 127, 217, 26, 62, 197, 184, 21, 85}, {116, 180, 96, 106, 5, 185, 94, 253, 223, 17, 103, 59, 46, 132, 85, 230, 215, 150, 174, 28, 89, 172, 244, 44, 108, 32, 38, 3, 156, 193, 160, 190, 15, 214, 226, 26, 124, 51, 169, 77, 114, 145, 255, 55, 100}, {232, 234, 39, 238, 160, 97, 60, 254, 134, 103, 118, 184, 84, 57, 145, 227, 220, 7, 162, 172, 245, 176, 71, 58, 180, 192, 181, 40, 95, 15, 177, 175, 208, 147, 46, 21, 73, 99, 241, 55, 200, 166, 43, 122, 44}, {205, 143, 37, 70, 185, 101, 107, 217, 208, 59, 184, 168, 228, 252, 150, 130, 221, 195, 61, 44, 173, 58, 117, 39, 193, 186, 47, 231, 182, 26, 237, 23, 21, 146, 145, 219, 87, 56, 242, 36, 139, 54, 64, 45, 96}, {135, 6, 53, 20, 190, 120, 163, 13, 237, 46, 84, 228, 229, 98, 100, 81, 69, 251, 131, 32, 45, 192, 238, 186, 94, 187, 217, 189, 236, 169, 82, 209, 241, 220, 28, 242, 72, 22, 173, 116, 201, 37, 140, 222, 15}, {19, 24, 181, 93, 94, 107, 67, 129, 102, 132, 57, 252, 98, 200, 89, 18, 11, 173, 232, 3, 53, 40, 194, 231, 226, 189, 197, 158, 170, 145, 75, 25, 166, 69, 235, 54, 29, 234, 37, 5, 95, 120, 91, 52, 59}, {38, 96, 193, 185, 15, 223, 26, 59, 169, 85, 145, 150, 100, 89, 36, 44, 1, 38, 96, 193, 185, 15, 223, 26, 59, 169, 85, 145, 150, 100, 89, 36, 44, 1, 38, 96, 193, 185, 15, 223, 26, 59, 169, 85, 145}, {76, 157, 70, 95, 253, 217, 129, 133, 168, 230, 227, 130, 81, 18, 44, 2, 152, 39, 140, 190, 231, 175, 31, 23, 77, 209, 219, 25, 162, 36, 88, 4, 45, 78, 5, 97, 211, 67, 62, 46, 154, 191, 171, 50, 89}, {152, 78, 10, 153, 214, 68, 147, 79, 146, 215, 220, 221, 69, 11, 1, 152, 78, 10, 153, 214, 68, 147, 79, 146, 215, 220, 221, 69, 11, 1, 152, 78, 10, 153, 214, 68, 147, 79, 146, 215, 220, 221, 69, 11, 1}, {45, 37, 80, 101, 223, 208, 102, 168, 191, 150, 7, 195, 251, 173, 38, 39, 10, 47, 127, 26, 197, 21, 115, 219, 100, 242, 245, 54, 205, 96, 70, 97, 107, 68, 59, 33, 228, 241, 130, 89, 61, 207, 58, 12, 193}, {90, 148, 186, 30, 226, 62, 109, 73, 179, 174, 162, 61, 131, 232, 96, 
140, 153, 127, 52, 51, 168, 99, 98, 56, 172, 22, 8, 234, 212, 185, 240, 67, 237, 79, 114, 241, 25, 121, 245, 108, 19, 39, 20, 188, 223}, {180, 106, 185, 253, 17, 59, 132, 230, 150, 28, 172, 44, 32, 3, 193, 190, 214, 26, 51, 77, 145, 55, 167, 36, 233, 116, 96, 5, 94, 223, 103, 46, 85, 215, 174, 89, 244, 108, 38, 156, 160, 15, 226, 124, 169}, {117, 181, 161, 107, 26, 102, 41, 252, 87, 89, 245, 173, 45, 53, 185, 231, 68, 197, 168, 145, 110, 166, 61, 54, 38, 37, 186, 120, 134, 59, 21, 191, 196, 221, 36, 207, 205, 39, 80, 15, 217, 237, 33, 115, 150}, {234, 238, 97, 254, 103, 184, 57, 227, 7, 172, 176, 58, 192, 40, 15, 175, 147, 21, 99, 55, 166, 122, 216, 45, 106, 222, 107, 52, 133, 85, 123, 50, 195, 11, 32, 12, 140, 188, 182, 124, 158, 115, 49, 224, 36}, {201, 159, 47, 91, 124, 33, 209, 149, 166, 244, 71, 117, 238, 194, 223, 31, 79, 115, 98, 167, 61, 216, 90, 181, 190, 254, 206, 218, 213, 150, 224, 72, 54, 152, 106, 161, 177, 189, 184, 114, 171, 56, 18, 131, 38}, {143, 70, 101, 217, 59, 168, 252, 130, 195, 44, 58, 39, 186, 231, 26, 23, 146, 219, 56, 36, 54, 45, 181, 97, 223, 62, 33, 191, 110, 89, 251, 8, 12, 10, 15, 134, 197, 41, 179, 100, 86, 125, 205, 37, 185}, {3, 5, 15, 17, 51, 85, 255, 28, 36, 108, 180, 193, 94, 226, 59, 77, 215, 100, 172, 233, 38, 106, 190, 223, 124, 132, 145, 174, 239, 44, 116, 156, 185, 214, 103, 169, 230, 55, 89, 235, 32, 96, 160, 253, 26}, {6, 20, 120, 13, 46, 228, 98, 81, 251, 32, 192, 186, 187, 189, 169, 209, 220, 242, 22, 116, 37, 222, 254, 62, 132, 63, 130, 43, 250, 38, 212, 194, 182, 147, 77, 179, 141, 9, 54, 180, 159, 101, 67, 151, 85}, {12, 80, 231, 208, 169, 191, 87, 195, 125, 38, 181, 47, 217, 197, 85, 219, 221, 245, 8, 96, 186, 107, 206, 33, 145, 130, 86, 207, 45, 193, 101, 134, 102, 146, 150, 166, 251, 64, 39, 185, 127, 62, 21, 252, 100}, {24, 93, 107, 129, 132, 252, 200, 18, 173, 3, 40, 231, 189, 158, 145, 25, 69, 54, 234, 5, 120, 52, 218, 191, 174, 43, 207, 90, 35, 15, 136, 92, 115, 220, 239, 125, 76, 238, 101, 17, 133, 228, 149, 
121, 44}, {48, 105, 127, 248, 77, 241, 224, 247, 64, 156, 95, 182, 236, 170, 150, 162, 11, 205, 212, 94, 134, 133, 213, 110, 239, 250, 45, 35, 30, 26, 218, 99, 130, 69, 108, 143, 40, 211, 206, 132, 229, 7, 144, 2, 96}, {96, 185, 223, 59, 85, 150, 89, 44, 38, 193, 15, 26, 169, 145, 100, 36, 1, 96, 185, 223, 59, 85, 150, 89, 44, 38, 193, 15, 26, 169, 145, 100, 36, 1, 96, 185, 223, 59, 85, 150, 89, 44, 38, 193, 15}}; - -void PQCLEAN_HQCRMRS128_CLEAN_reed_solomon_encode(uint8_t *cdw, const uint8_t *msg); - -void PQCLEAN_HQCRMRS128_CLEAN_reed_solomon_decode(uint8_t *msg, uint8_t *cdw); - - -#endif diff --git a/crypto_kem/hqc-rmrs-128/clean/vector.c b/crypto_kem/hqc-rmrs-128/clean/vector.c deleted file mode 100644 index 8d4485c8..00000000 --- a/crypto_kem/hqc-rmrs-128/clean/vector.c +++ /dev/null 
@@ -1,176 +0,0 @@ -#include "nistseedexpander.h" -#include "parameters.h" -#include "parsing.h" -#include "randombytes.h" -#include "vector.h" -#include -#include -/** - * @file vector.c - * @brief Implementation of vectors sampling and some utilities for the HQC scheme - */ - - -/** - * @brief Generates a vector of a given Hamming weight - * - * This function generates uniformly at random a binary vector of a Hamming weight equal to the parameter weight. The vector - * is stored by position. - * To generate the vector we have to sample uniformly at random values in the interval [0, PARAM_N -1]. Suppose the PARAM_N is equal to \f$ 70853 \f$, to select a position \f$ r\f$ the function works as follow: - * 1. It makes a call to the seedexpander function to obtain a random number \f$ x\f$ in \f$ [0, 2^{24}[ \f$. - * 2. Let \f$ t = \lfloor {2^{24} \over 70853} \rfloor \times 70853\f$ - * 3. If \f$ x \geq t\f$, go to 1 - * 4. It return \f$ r = x \mod 70853\f$ - * - * The parameter \f$ t \f$ is precomputed and it's denoted by UTILS_REJECTION_THRESHOLD (see the file parameters.h). 
- * - * @param[in] v Pointer to an array - * @param[in] weight Integer that is the Hamming weight - * @param[in] ctx Pointer to the context of the seed expander - */ -void PQCLEAN_HQCRMRS128_CLEAN_vect_set_random_fixed_weight_by_coordinates(AES_XOF_struct *ctx, uint32_t *v, uint16_t weight) { - size_t random_bytes_size = 3 * weight; - uint8_t rand_bytes[3 * PARAM_OMEGA_R] = {0}; // weight is expected to be <= PARAM_OMEGA_R - uint8_t inc; - size_t i, j; - - i = 0; - j = random_bytes_size; - while (i < weight) { - do { - if (j == random_bytes_size) { - seedexpander(ctx, rand_bytes, random_bytes_size); - j = 0; - } - - v[i] = ((uint32_t) rand_bytes[j++]) << 16; - v[i] |= ((uint32_t) rand_bytes[j++]) << 8; - v[i] |= rand_bytes[j++]; - - } while (v[i] >= UTILS_REJECTION_THRESHOLD); - - v[i] = v[i] % PARAM_N; - - inc = 1; - for (size_t k = 0; k < i; k++) { - if (v[k] == v[i]) { - inc = 0; - } - } - i += inc; - } -} - - - -/** - * @brief Generates a vector of a given Hamming weight - * - * This function generates uniformly at random a binary vector of a Hamming weight equal to the parameter weight. - * To generate the vector we have to sample uniformly at random values in the interval [0, PARAM_N -1]. Suppose the PARAM_N is equal to \f$ 70853 \f$, to select a position \f$ r\f$ the function works as follow: - * 1. It makes a call to the seedexpander function to obtain a random number \f$ x\f$ in \f$ [0, 2^{24}[ \f$. - * 2. Let \f$ t = \lfloor {2^{24} \over 70853} \rfloor \times 70853\f$ - * 3. If \f$ x \geq t\f$, go to 1 - * 4. It return \f$ r = x \mod 70853\f$ - * - * The parameter \f$ t \f$ is precomputed and it's denoted by UTILS_REJECTION_THRESHOLD (see the file parameters.h). 
- * - * @param[in] v Pointer to an array - * @param[in] weight Integer that is the Hamming weight - * @param[in] ctx Pointer to the context of the seed expander - */ -void PQCLEAN_HQCRMRS128_CLEAN_vect_set_random_fixed_weight(AES_XOF_struct *ctx, uint64_t *v, uint16_t weight) { - uint32_t tmp[PARAM_OMEGA_R] = {0}; - - PQCLEAN_HQCRMRS128_CLEAN_vect_set_random_fixed_weight_by_coordinates(ctx, tmp, weight); - - for (size_t i = 0; i < weight; ++i) { - int32_t index = tmp[i] / 64; - int32_t pos = tmp[i] % 64; - v[index] |= ((uint64_t) 1) << pos; - } -} - - - -/** - * @brief Generates a random vector of dimension PARAM_N - * - * This function generates a random binary vector of dimension PARAM_N. It generates a random - * array of bytes using the seedexpander function, and drop the extra bits using a mask. - * - * @param[in] v Pointer to an array - * @param[in] ctx Pointer to the context of the seed expander - */ -void PQCLEAN_HQCRMRS128_CLEAN_vect_set_random(AES_XOF_struct *ctx, uint64_t *v) { - uint8_t rand_bytes[VEC_N_SIZE_BYTES] = {0}; - - seedexpander(ctx, rand_bytes, VEC_N_SIZE_BYTES); - - PQCLEAN_HQCRMRS128_CLEAN_load8_arr(v, VEC_N_SIZE_64, rand_bytes, VEC_N_SIZE_BYTES); - v[VEC_N_SIZE_64 - 1] &= RED_MASK; -} - - - -/** - * @brief Adds two vectors - * - * @param[out] o Pointer to an array that is the result - * @param[in] v1 Pointer to an array that is the first vector - * @param[in] v2 Pointer to an array that is the second vector - * @param[in] size Integer that is the size of the vectors - */ -void PQCLEAN_HQCRMRS128_CLEAN_vect_add(uint64_t *o, const uint64_t *v1, const uint64_t *v2, uint32_t size) { - for (uint32_t i = 0; i < size; ++i) { - o[i] = v1[i] ^ v2[i]; - } -} - - - -/** - * @brief Compares two vectors - * - * @param[in] v1 Pointer to an array that is first vector - * @param[in] v2 Pointer to an array that is second vector - * @param[in] size Integer that is the size of the vectors - * @returns 0 if the vectors are equals and a negative/psotive value 
otherwise - */ -uint8_t PQCLEAN_HQCRMRS128_CLEAN_vect_compare(const uint8_t *v1, const uint8_t *v2, uint32_t size) { - uint64_t r = 0; - for (size_t i = 0; i < size; i++) { - r |= v1[i] ^ v2[i]; - } - r = (~r + 1) >> 63; - return (uint8_t) r; -} - - - -/** - * @brief Resize a vector so that it contains size_o bits - * - * @param[out] o Pointer to the output vector - * @param[in] size_o Integer that is the size of the output vector in bits - * @param[in] v Pointer to the input vector - * @param[in] size_v Integer that is the size of the input vector in bits - */ -void PQCLEAN_HQCRMRS128_CLEAN_vect_resize(uint64_t *o, uint32_t size_o, const uint64_t *v, uint32_t size_v) { - if (size_o < size_v) { - uint64_t mask = 0x7FFFFFFFFFFFFFFF; - int8_t val = 0; - - if (size_o % 64) { - val = 64 - (size_o % 64); - } - - memcpy(o, v, 8 * VEC_N1N2_SIZE_64); - - for (int8_t i = 0; i < val; ++i) { - o[VEC_N1N2_SIZE_64 - 1] &= (mask >> i); - } - } else { - memcpy(o, v, 8 * CEIL_DIVIDE(size_v, 64)); - } -} diff --git a/crypto_kem/hqc-rmrs-128/clean/vector.h b/crypto_kem/hqc-rmrs-128/clean/vector.h deleted file mode 100644 index 17344bbb..00000000 --- a/crypto_kem/hqc-rmrs-128/clean/vector.h +++ /dev/null 
@@ -1,27 +0,0 @@
-#ifndef VECTOR_H
-#define VECTOR_H
-
- /**
- * @file vector.h
- * @brief Header file for vector.c
- */
-#include "nistseedexpander.h"
-#include "randombytes.h"
-#include
-
-void PQCLEAN_HQCRMRS128_CLEAN_vect_set_random_fixed_weight_by_coordinates(AES_XOF_struct *ctx, uint32_t *v, uint16_t weight);
-
-void PQCLEAN_HQCRMRS128_CLEAN_vect_set_random_fixed_weight(AES_XOF_struct *ctx, uint64_t *v, uint16_t weight);
-
-void PQCLEAN_HQCRMRS128_CLEAN_vect_set_random(AES_XOF_struct *ctx, uint64_t *v);
-
-
-void PQCLEAN_HQCRMRS128_CLEAN_vect_add(uint64_t *o, const uint64_t *v1, const uint64_t *v2, uint32_t size);
-
-uint8_t PQCLEAN_HQCRMRS128_CLEAN_vect_compare(const uint8_t *v1, const uint8_t *v2, uint32_t size);
-
-void PQCLEAN_HQCRMRS128_CLEAN_vect_resize(uint64_t *o, uint32_t size_o, const uint64_t *v, uint32_t size_v);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-192/META.yml b/crypto_kem/hqc-rmrs-192/META.yml
deleted file mode 100644
index 657a7d43..00000000
--- a/crypto_kem/hqc-rmrs-192/META.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-name: HQC-RMRS-192
-type: kem
-claimed-nist-level: 3
-claimed-security: IND-CCA2
-length-ciphertext: 9026
-length-public-key: 4522
-length-secret-key: 4562
-length-shared-secret: 64
-nistkat-sha256: e0aaabf79ac558dc9d5e79a8abe88c313ecad1e55956de323f8811c81d0c0779
-principal-submitters:
- - Carlos Aguilar Melchor
- - Nicolas Aragon
- - Slim Bettaieb
- - Olivier Blazy
- - Jurjen Bos
- - Jean-Christophe Deneuville
- - Philippe Gaborit
- - Edoardo Persichetti
- - Jean-Marc Robert
- - Pascal Véron
- - Gilles Zémor
- - Loïc Bidoux
-implementations:
- - name: clean
- version: hqc-submission_2020-10-01 via https://github.com/jschanck/package-pqclean/tree/c9181076/hqc
- - name: avx2
- version: hqc-submission_2020-10-01 via https://github.com/jschanck/package-pqclean/tree/c9181076/hqc
- supported_platforms:
- - architecture: x86_64
- operating_systems:
- - Linux
- - Darwin
- required_flags:
- - avx2
- - bmi1
- - pclmulqdq
diff --git a/crypto_kem/hqc-rmrs-192/avx2/LICENSE b/crypto_kem/hqc-rmrs-192/avx2/LICENSE
deleted file mode 100644
index d5d21fff..00000000
--- a/crypto_kem/hqc-rmrs-192/avx2/LICENSE
+++ /dev/null
@@ -1 +0,0 @@
-Public Domain
diff --git a/crypto_kem/hqc-rmrs-192/avx2/api.h b/crypto_kem/hqc-rmrs-192/avx2/api.h
deleted file mode 100644
index d4db5bc5..00000000
--- a/crypto_kem/hqc-rmrs-192/avx2/api.h
+++ /dev/null
@@ -1,25 +0,0 @@
-#ifndef PQCLEAN_HQCRMRS192_AVX2_API_H
-#define PQCLEAN_HQCRMRS192_AVX2_API_H
-/**
- * @file api.h
- * @brief NIST KEM API used by the HQC_KEM IND-CCA2 scheme
- */
-
-#define PQCLEAN_HQCRMRS192_AVX2_CRYPTO_ALGNAME "HQC-RMRS-192"
-
-#define PQCLEAN_HQCRMRS192_AVX2_CRYPTO_SECRETKEYBYTES 4562
-#define PQCLEAN_HQCRMRS192_AVX2_CRYPTO_PUBLICKEYBYTES 4522
-#define PQCLEAN_HQCRMRS192_AVX2_CRYPTO_BYTES 64
-#define PQCLEAN_HQCRMRS192_AVX2_CRYPTO_CIPHERTEXTBYTES 9026
-
-// As a technicality, the public key is appended to the secret key in order to respect the NIST API.
-// Without this constraint, PQCLEAN_HQCRMRS192_AVX2_CRYPTO_SECRETKEYBYTES would be defined as 32
-
-int PQCLEAN_HQCRMRS192_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk);
-
-int PQCLEAN_HQCRMRS192_AVX2_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk);
-
-int PQCLEAN_HQCRMRS192_AVX2_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-192/avx2/code.c b/crypto_kem/hqc-rmrs-192/avx2/code.c
deleted file mode 100644
index b44aa4b3..00000000
--- a/crypto_kem/hqc-rmrs-192/avx2/code.c
+++ /dev/null
@@ -1,47 +0,0 @@
-#include "code.h"
-#include "parameters.h"
-#include "reed_muller.h"
-#include "reed_solomon.h"
-#include
-#include
-/**
- * @file code.c
- * @brief Implementation of concatenated code
- */
-
-
-
-/**
- *
- * @brief Encoding the message m to a code word em using the concatenated code
- *
- * First we encode the message using the Reed-Solomon code, then with the duplicated Reed-Muller code we obtain
- * a concatenated code word.
- *
- * @param[out] em Pointer to an array that is the tensor code word
- * @param[in] m Pointer to an array that is the message
- */
-void PQCLEAN_HQCRMRS192_AVX2_code_encode(uint8_t *em, const uint8_t *m) {
- uint8_t tmp[8 * VEC_N1_SIZE_64] = {0};
-
- PQCLEAN_HQCRMRS192_AVX2_reed_solomon_encode(tmp, m);
- PQCLEAN_HQCRMRS192_AVX2_reed_muller_encode(em, tmp);
-
-}
-
-
-
-/**
- * @brief Decoding the code word em to a message m using the concatenated code
- *
- * @param[out] m Pointer to an array that is the message
- * @param[in] em Pointer to an array that is the code word
- */
-void PQCLEAN_HQCRMRS192_AVX2_code_decode(uint8_t *m, const uint8_t *em) {
- uint8_t tmp[8 * VEC_N1_SIZE_64] = {0};
-
- PQCLEAN_HQCRMRS192_AVX2_reed_muller_decode(tmp, em);
- PQCLEAN_HQCRMRS192_AVX2_reed_solomon_decode(m, tmp);
-
-
-}
diff --git a/crypto_kem/hqc-rmrs-192/avx2/code.h b/crypto_kem/hqc-rmrs-192/avx2/code.h
deleted file mode 100644
index ead7caf7..00000000
--- a/crypto_kem/hqc-rmrs-192/avx2/code.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef CODE_H
-#define CODE_H
-
- /**
- * @file code.h
- * Header file of code.c
- */
-#include "parameters.h"
-#include
-#include
-
-void PQCLEAN_HQCRMRS192_AVX2_code_encode(uint8_t *em, const uint8_t *message);
-
-void PQCLEAN_HQCRMRS192_AVX2_code_decode(uint8_t *m, const uint8_t *em);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-192/avx2/fft.c b/crypto_kem/hqc-rmrs-192/avx2/fft.c
deleted file mode 100644
index c1b44b15..00000000
--- a/crypto_kem/hqc-rmrs-192/avx2/fft.c
+++ /dev/null
@@ -1,351 +0,0 @@
-#include "fft.h"
-#include "gf.h"
-#include "parameters.h"
-#include
-#include
-/**
- * @file fft.c
- * Implementation of the additive FFT and its transpose.
- * This implementation is based on the paper from Gao and Mateer:
- * Shuhong Gao and Todd Mateer, Additive Fast Fourier Transforms over Finite Fields,
- * IEEE Transactions on Information Theory 56 (2010), 6265--6272.
- * http://www.math.clemson.edu/~sgao/papers/GM10.pdf
- * and includes improvements proposed by Bernstein, Chou and Schwabe here:
- * https://binary.cr.yp.to/mcbits-20130616.pdf
- */
-
-
-static void compute_fft_betas(uint16_t *betas);
-static void compute_subset_sums(uint16_t *subset_sums, const uint16_t *set, uint16_t set_size);
-static void radix(uint16_t *f0, uint16_t *f1, const uint16_t *f, uint32_t m_f);
-static void radix_big(uint16_t *f0, uint16_t *f1, const uint16_t *f, uint32_t m_f);
-static void fft_rec(uint16_t *w, uint16_t *f, size_t f_coeffs, uint8_t m, uint32_t m_f, const uint16_t *betas);
-
-
-/**
- * @brief Computes the basis of betas (omitting 1) used in the additive FFT and its transpose
- *
- * @param[out] betas Array of size PARAM_M-1
- */
-static void compute_fft_betas(uint16_t *betas) {
- size_t i;
- for (i = 0; i < PARAM_M - 1; ++i) {
- betas[i] = 1 << (PARAM_M - 1 - i);
- }
-}
-
-
-
-/**
- * @brief Computes the subset sums of the given set
- *
- * The array subset_sums is such that its ith element is
- * the subset sum of the set elements given by the binary form of i.
- *
- * @param[out] subset_sums Array of size 2^set_size receiving the subset sums
- * @param[in] set Array of set_size elements
- * @param[in] set_size Size of the array set
- */
-static void compute_subset_sums(uint16_t *subset_sums, const uint16_t *set, uint16_t set_size) {
- uint16_t i, j;
- subset_sums[0] = 0;
-
- for (i = 0; i < set_size; ++i) {
- for (j = 0; j < (1 << i); ++j) {
- subset_sums[(1 << i) + j] = set[i] ^ subset_sums[j];
- }
- }
-}
-
-
-
-/**
- * @brief Computes the radix conversion of a polynomial f in GF(2^m)[x]
- *
- * Computes f0 and f1 such that f(x) = f0(x^2-x) + x.f1(x^2-x)
- * as proposed by Bernstein, Chou and Schwabe:
- * https://binary.cr.yp.to/mcbits-20130616.pdf
- *
- * @param[out] f0 Array half the size of f
- * @param[out] f1 Array half the size of f
- * @param[in] f Array of size a power of 2
- * @param[in] m_f 2^{m_f} is the smallest power of 2 greater or equal to the number of coefficients of f
- */
-static void radix(uint16_t *f0, uint16_t *f1, const uint16_t *f, uint32_t m_f) {
- switch (m_f) {
- case 4:
- f0[4] = f[8] ^ f[12];
- f0[6] = f[12] ^ f[14];
- f0[7] = f[14] ^ f[15];
- f1[5] = f[11] ^ f[13];
- f1[6] = f[13] ^ f[14];
- f1[7] = f[15];
- f0[5] = f[10] ^ f[12] ^ f1[5];
- f1[4] = f[9] ^ f[13] ^ f0[5];
-
- f0[0] = f[0];
- f1[3] = f[7] ^ f[11] ^ f[15];
- f0[3] = f[6] ^ f[10] ^ f[14] ^ f1[3];
- f0[2] = f[4] ^ f0[4] ^ f0[3] ^ f1[3];
- f1[1] = f[3] ^ f[5] ^ f[9] ^ f[13] ^ f1[3];
- f1[2] = f[3] ^ f1[1] ^ f0[3];
- f0[1] = f[2] ^ f0[2] ^ f1[1];
- f1[0] = f[1] ^ f0[1];
- break;
-
- case 3:
- f0[0] = f[0];
- f0[2] = f[4] ^ f[6];
- f0[3] = f[6] ^ f[7];
- f1[1] = f[3] ^ f[5] ^ f[7];
- f1[2] = f[5] ^ f[6];
- f1[3] = f[7];
- f0[1] = f[2] ^ f0[2] ^ f1[1];
- f1[0] = f[1] ^ f0[1];
- break;
-
- case 2:
- f0[0] = f[0];
- f0[1] = f[2] ^ f[3];
- f1[0] = f[1] ^ f0[1];
- f1[1] = f[3];
- break;
-
- case 1:
- f0[0] = f[0];
- f1[0] = f[1];
- break;
-
- default:
- radix_big(f0, f1, f, m_f);
- break;
- }
-}
-
-static void radix_big(uint16_t *f0, 
uint16_t *f1, const uint16_t *f, uint32_t m_f) {
- uint16_t Q[2 * (1 << (PARAM_FFT - 2))] = {0};
- uint16_t R[2 * (1 << (PARAM_FFT - 2))] = {0};
-
- uint16_t Q0[1 << (PARAM_FFT - 2)] = {0};
- uint16_t Q1[1 << (PARAM_FFT - 2)] = {0};
- uint16_t R0[1 << (PARAM_FFT - 2)] = {0};
- uint16_t R1[1 << (PARAM_FFT - 2)] = {0};
-
- size_t i, n;
-
- n = 1;
- n <<= (m_f - 2);
- memcpy(Q, f + 3 * n, 2 * n);
- memcpy(Q + n, f + 3 * n, 2 * n);
- memcpy(R, f, 4 * n);
-
- for (i = 0; i < n; ++i) {
- Q[i] ^= f[2 * n + i];
- R[n + i] ^= Q[i];
- }
-
- radix(Q0, Q1, Q, m_f - 1);
- radix(R0, R1, R, m_f - 1);
-
- memcpy(f0, R0, 2 * n);
- memcpy(f0 + n, Q0, 2 * n);
- memcpy(f1, R1, 2 * n);
- memcpy(f1 + n, Q1, 2 * n);
-}
-
-
-
-/**
- * @brief Evaluates f at all subset sums of a given set
- *
- * This function is a subroutine of the function PQCLEAN_HQCRMRS192_AVX2_fft.
- *
- * @param[out] w Array
- * @param[in] f Array
- * @param[in] f_coeffs Number of coefficients of f
- * @param[in] m Number of betas
- * @param[in] m_f Number of coefficients of f (one more than its degree)
- * @param[in] betas FFT constants
- */
-static void fft_rec(uint16_t *w, uint16_t *f, size_t f_coeffs, uint8_t m, uint32_t m_f, const uint16_t *betas) {
- uint16_t f0[1 << (PARAM_FFT - 2)] = {0};
- uint16_t f1[1 << (PARAM_FFT - 2)] = {0};
- uint16_t gammas[PARAM_M - 2] = {0};
- uint16_t deltas[PARAM_M - 2] = {0};
- uint16_t gammas_sums[1 << (PARAM_M - 2)] = {0};
- uint16_t u[1 << (PARAM_M - 2)] = {0};
- uint16_t v[1 << (PARAM_M - 2)] = {0};
- uint16_t tmp[PARAM_M - (PARAM_FFT - 1)] = {0};
-
- uint16_t beta_m_pow;
- size_t i, j, k;
- size_t x;
-
- // Step 1
- if (m_f == 1) {
- for (i = 0; i < m; ++i) {
- tmp[i] = PQCLEAN_HQCRMRS192_AVX2_gf_mul(betas[i], f[1]);
- }
-
- w[0] = f[0];
- x = 1;
- for (j = 0; j < m; ++j) {
- for (k = 0; k < x; ++k) {
- w[x + k] = w[k] ^ tmp[j];
- }
- x <<= 1;
- }
-
- return;
- }
-
- // Step 2: compute g
- if (betas[m - 1] != 1) {
- beta_m_pow = 1;
- x = 1;
- x <<= m_f;
- for (i = 1; i < x; 
++i) {
- beta_m_pow = PQCLEAN_HQCRMRS192_AVX2_gf_mul(beta_m_pow, betas[m - 1]);
- f[i] = PQCLEAN_HQCRMRS192_AVX2_gf_mul(beta_m_pow, f[i]);
- }
- }
-
- // Step 3
- radix(f0, f1, f, m_f);
-
- // Step 4: compute gammas and deltas
- for (i = 0; i + 1 < m; ++i) {
- gammas[i] = PQCLEAN_HQCRMRS192_AVX2_gf_mul(betas[i], PQCLEAN_HQCRMRS192_AVX2_gf_inverse(betas[m - 1]));
- deltas[i] = PQCLEAN_HQCRMRS192_AVX2_gf_square(gammas[i]) ^ gammas[i];
- }
-
- // Compute gammas sums
- compute_subset_sums(gammas_sums, gammas, m - 1);
-
- // Step 5
- fft_rec(u, f0, (f_coeffs + 1) / 2, m - 1, m_f - 1, deltas);
-
- k = 1;
- k <<= ((m - 1) & 0xf); // &0xf is to let the compiler know that m-1 is small.
- if (f_coeffs <= 3) { // 3-coefficient polynomial f case: f1 is constant
- w[0] = u[0];
- w[k] = u[0] ^ f1[0];
- for (i = 1; i < k; ++i) {
- w[i] = u[i] ^ PQCLEAN_HQCRMRS192_AVX2_gf_mul(gammas_sums[i], f1[0]);
- w[k + i] = w[i] ^ f1[0];
- }
- } else {
- fft_rec(v, f1, f_coeffs / 2, m - 1, m_f - 1, deltas);
-
- // Step 6
- memcpy(w + k, v, 2 * k);
- w[0] = u[0];
- w[k] ^= u[0];
- for (i = 1; i < k; ++i) {
- w[i] = u[i] ^ PQCLEAN_HQCRMRS192_AVX2_gf_mul(gammas_sums[i], v[i]);
- w[k + i] ^= w[i];
- }
- }
-}
-
-
-
-/**
- * @brief Evaluates f on all fields elements using an additive FFT algorithm
- *
- * f_coeffs is the number of coefficients of f (one less than its degree).
- * The FFT proceeds recursively to evaluate f at all subset sums of a basis B.
- * This implementation is based on the paper from Gao and Mateer:
- * Shuhong Gao and Todd Mateer, Additive Fast Fourier Transforms over Finite Fields,
- * IEEE Transactions on Information Theory 56 (2010), 6265--6272.
- * http://www.math.clemson.edu/~sgao/papers/GM10.pdf
- * and includes improvements proposed by Bernstein, Chou and Schwabe here:
- * https://binary.cr.yp.to/mcbits-20130616.pdf
- * Note that on this first call (as opposed to the recursive calls to fft_rec), gammas are equal to betas,
- * meaning the first gammas subset sums are actually the subset sums of betas (except 1).
- * Also note that f is altered during computation (twisted at each level).
- *
- * @param[out] w Array
- * @param[in] f Array of 2^PARAM_FFT elements
- * @param[in] f_coeffs Number coefficients of f (i.e. deg(f)+1)
- */
-void PQCLEAN_HQCRMRS192_AVX2_fft(uint16_t *w, const uint16_t *f, size_t f_coeffs) {
- uint16_t betas[PARAM_M - 1] = {0};
- uint16_t betas_sums[1 << (PARAM_M - 1)] = {0};
- uint16_t f0[1 << (PARAM_FFT - 1)] = {0};
- uint16_t f1[1 << (PARAM_FFT - 1)] = {0};
- uint16_t deltas[PARAM_M - 1] = {0};
- uint16_t u[1 << (PARAM_M - 1)] = {0};
- uint16_t v[1 << (PARAM_M - 1)] = {0};
-
- size_t i, k;
-
- // Follows Gao and Mateer algorithm
- compute_fft_betas(betas);
-
- // Step 1: PARAM_FFT > 1, nothing to do
-
- // Compute gammas sums
- compute_subset_sums(betas_sums, betas, PARAM_M - 1);
-
- // Step 2: beta_m = 1, nothing to do
-
- // Step 3
- radix(f0, f1, f, PARAM_FFT);
-
- // Step 4: Compute deltas
- for (i = 0; i < PARAM_M - 1; ++i) {
- deltas[i] = PQCLEAN_HQCRMRS192_AVX2_gf_square(betas[i]) ^ betas[i];
- }
-
- // Step 5
- fft_rec(u, f0, (f_coeffs + 1) / 2, PARAM_M - 1, PARAM_FFT - 1, deltas);
- fft_rec(v, f1, f_coeffs / 2, PARAM_M - 1, PARAM_FFT - 1, deltas);
-
- k = 1 << (PARAM_M - 1);
- // Step 6, 7 and error polynomial computation
- memcpy(w + k, v, 2 * k);
-
- // Check if 0 is root
- w[0] = u[0];
-
- // Check if 1 is root
- w[k] ^= u[0];
-
- // Find other roots
- for (i = 1; i < k; ++i) {
- w[i] = u[i] ^ PQCLEAN_HQCRMRS192_AVX2_gf_mul(betas_sums[i], v[i]);
- w[k + i] ^= w[i];
- }
-}
-
-
-
-/**
- * @brief Retrieves the error polynomial error from the evaluations w of the ELP (Error Locator Polynomial) on all field elements.
- *
- * @param[out] error Array with the error
- * @param[out] error_compact Array with the error in a compact form
- * @param[in] w Array of size 2^PARAM_M
- */
-void PQCLEAN_HQCRMRS192_AVX2_fft_retrieve_error_poly(uint8_t *error, const uint16_t *w) {
- uint16_t gammas[PARAM_M - 1] = {0};
- uint16_t gammas_sums[1 << (PARAM_M - 1)] = {0};
- uint16_t k;
- size_t i, index;
-
- compute_fft_betas(gammas);
- compute_subset_sums(gammas_sums, gammas, PARAM_M - 1);
-
- k = 1 << (PARAM_M - 1);
- error[0] ^= 1 ^ ((uint16_t) - w[0] >> 15);
- error[0] ^= 1 ^ ((uint16_t) - w[k] >> 15);
-
- for (i = 1; i < k; ++i) {
- index = PARAM_GF_MUL_ORDER - gf_log[gammas_sums[i]];
- error[index] ^= 1 ^ ((uint16_t) - w[i] >> 15);
-
- index = PARAM_GF_MUL_ORDER - gf_log[gammas_sums[i] ^ 1];
- error[index] ^= 1 ^ ((uint16_t) - w[k + i] >> 15);
- }
-}
diff --git a/crypto_kem/hqc-rmrs-192/avx2/fft.h b/crypto_kem/hqc-rmrs-192/avx2/fft.h
deleted file mode 100644
index bb6b3ba1..00000000
--- a/crypto_kem/hqc-rmrs-192/avx2/fft.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef FFT_H
-#define FFT_H
-
- /**
- * @file fft.h
- * Header file of fft.c
- */
-
-#include
-#include
-
-void PQCLEAN_HQCRMRS192_AVX2_fft(uint16_t *w, const uint16_t *f, size_t f_coeffs);
-
-void PQCLEAN_HQCRMRS192_AVX2_fft_retrieve_error_poly(uint8_t *error, const uint16_t *w);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-192/avx2/gf.c b/crypto_kem/hqc-rmrs-192/avx2/gf.c
deleted file mode 100644
index 048e046e..00000000
--- a/crypto_kem/hqc-rmrs-192/avx2/gf.c
+++ /dev/null
@@ -1,176 +0,0 @@ -#include "gf.h" -#include "parameters.h" -#include -/** - * @file gf.c - * Galois field implementation with multiplication using the pclmulqdq instruction - */ - - -static uint16_t gf_reduce(uint64_t x, size_t deg_x); - - - -/** - * Reduces polynomial x modulo primitive polynomial GF_POLY. - * @returns x mod GF_POLY - * @param[in] x Polynomial of degree less than 64 - * @param[in] deg_x The degree of polynomial x - */ -static uint16_t gf_reduce(uint64_t x, size_t deg_x) { - uint16_t z1, z2, rmdr, dist; - uint64_t mod; - size_t steps, i, j; - - // Deduce the number of steps of reduction - steps = CEIL_DIVIDE(deg_x - (PARAM_M - 1), PARAM_GF_POLY_M2); - - // Reduce - for (i = 0; i < steps; ++i) { - mod = x >> PARAM_M; - x &= (1 << PARAM_M) - 1; - x ^= mod; - - z1 = 0; - rmdr = PARAM_GF_POLY ^ 1; - for (j = PARAM_GF_POLY_WT - 2; j; --j) { - z2 = __tzcnt_u16(rmdr); - dist = (uint16_t) (z2 - z1); - mod <<= dist; - x ^= mod; - rmdr ^= 1 << z2; - z1 = z2; - } - } - - return x; -} - - - -/** - * Multiplies two elements of GF(2^GF_M). - * @returns the product a*b - * @param[in] a Element of GF(2^GF_M) - * @param[in] b Element of GF(2^GF_M) - */ -uint16_t PQCLEAN_HQCRMRS192_AVX2_gf_mul(uint16_t a, uint16_t b) { - __m128i va = _mm_cvtsi32_si128(a); - __m128i vb = _mm_cvtsi32_si128(b); - __m128i vab = _mm_clmulepi64_si128(va, vb, 0); - uint32_t ab = _mm_cvtsi128_si32(vab); - - return gf_reduce(ab, 2 * (PARAM_M - 1)); -} - - - -/** - * Compute 16 products in GF(2^GF_M). 
- * @returns the product (a0b0,a1b1,...,a15b15) , ai,bi in GF(2^GF_M)
- * @param[in] a 256-bit register where a0,..,a15 are stored as 16 bit integers
- * @param[in] b 256-bit register where b0,..,b15 are stored as 16 bit integer
- *
- */
-__m256i PQCLEAN_HQCRMRS192_AVX2_gf_mul_vect(__m256i a, __m256i b) {
- __m128i al = _mm256_extractf128_si256(a, 0);
- __m128i ah = _mm256_extractf128_si256(a, 1);
- __m128i bl = _mm256_extractf128_si256(b, 0);
- __m128i bh = _mm256_extractf128_si256(b, 1);
-
- __m128i abl0 = _mm_clmulepi64_si128(al & CONST128_MASKL, bl & CONST128_MASKL, 0x0);
- abl0 &= CONST128_MIDDLEMASKL;
- abl0 ^= (_mm_clmulepi64_si128(al & CONST128_MASKH, bl & CONST128_MASKH, 0x0) & CONST128_MIDDLEMASKH);
-
- __m128i abh0 = _mm_clmulepi64_si128(al & CONST128_MASKL, bl & CONST128_MASKL, 0x11);
- abh0 &= CONST128_MIDDLEMASKL;
- abh0 ^= (_mm_clmulepi64_si128(al & CONST128_MASKH, bl & CONST128_MASKH, 0x11) & CONST128_MIDDLEMASKH);
-
- abl0 = _mm_shuffle_epi8(abl0, CONST128_INDEXL);
- abl0 ^= _mm_shuffle_epi8(abh0, CONST128_INDEXH);
-
- __m128i abl1 = _mm_clmulepi64_si128(ah & CONST128_MASKL, bh & CONST128_MASKL, 0x0);
- abl1 &= CONST128_MIDDLEMASKL;
- abl1 ^= (_mm_clmulepi64_si128(ah & CONST128_MASKH, bh & CONST128_MASKH, 0x0) & CONST128_MIDDLEMASKH);
-
- __m128i abh1 = _mm_clmulepi64_si128(ah & CONST128_MASKL, bh & CONST128_MASKL, 0x11);
- abh1 &= CONST128_MIDDLEMASKL;
- abh1 ^= (_mm_clmulepi64_si128(ah & CONST128_MASKH, bh & CONST128_MASKH, 0x11) & CONST128_MIDDLEMASKH);
-
- abl1 = _mm_shuffle_epi8(abl1, CONST128_INDEXL);
- abl1 ^= _mm_shuffle_epi8(abh1, CONST128_INDEXH);
-
- __m256i ret = _mm256_set_m128i(abl1, abl0);
-
- __m256i aux = CONST256_MR0;
-
- for (int32_t i = 0; i < 7; i++) {
- ret ^= red[i] & _mm256_cmpeq_epi16((ret & aux), aux);
- aux = aux << 1;
- }
-
- ret &= CONST256_LASTMASK;
- return ret;
-}
-
-
-
-/**
- * Squares an element of GF(2^GF_M).
- * @returns a^2 - * @param[in] a Element of GF(2^GF_M) - */ -uint16_t PQCLEAN_HQCRMRS192_AVX2_gf_square(uint16_t a) { - uint32_t b = a; - uint32_t s = b & 1; - for (size_t i = 1; i < PARAM_M; ++i) { - b <<= 1; - s ^= b & (1 << 2 * i); - } - - return gf_reduce(s, 2 * (PARAM_M - 1)); -} - - - -/** - * Computes the inverse of an element of GF(2^8), - * using the addition chain 1 2 3 4 7 11 15 30 60 120 127 254 - * @returns the inverse of a - * @param[in] a Element of GF(2^GF_M) - */ -uint16_t PQCLEAN_HQCRMRS192_AVX2_gf_inverse(uint16_t a) { - uint16_t inv = a; - uint16_t tmp1, tmp2; - - inv = PQCLEAN_HQCRMRS192_AVX2_gf_square(a); /* a^2 */ - tmp1 = PQCLEAN_HQCRMRS192_AVX2_gf_mul(inv, a); /* a^3 */ - inv = PQCLEAN_HQCRMRS192_AVX2_gf_square(inv); /* a^4 */ - tmp2 = PQCLEAN_HQCRMRS192_AVX2_gf_mul(inv, tmp1); /* a^7 */ - tmp1 = PQCLEAN_HQCRMRS192_AVX2_gf_mul(inv, tmp2); /* a^11 */ - inv = PQCLEAN_HQCRMRS192_AVX2_gf_mul(tmp1, inv); /* a^15 */ - inv = PQCLEAN_HQCRMRS192_AVX2_gf_square(inv); /* a^30 */ - inv = PQCLEAN_HQCRMRS192_AVX2_gf_square(inv); /* a^60 */ - inv = PQCLEAN_HQCRMRS192_AVX2_gf_square(inv); /* a^120 */ - inv = PQCLEAN_HQCRMRS192_AVX2_gf_mul(inv, tmp2); /* a^127 */ - inv = PQCLEAN_HQCRMRS192_AVX2_gf_square(inv); /* a^254 */ - return inv; -} - - - -/** - * Returns i modulo 2^GF_M-1. - * i must be less than 2*(2^GF_M-1). - * Therefore, the return value is either i or i-2^GF_M+1. - * @returns i mod (2^GF_M-1) - * @param[in] i The integer whose modulo is taken - */ -uint16_t PQCLEAN_HQCRMRS192_AVX2_gf_mod(uint16_t i) { - uint16_t tmp = (uint16_t) (i - PARAM_GF_MUL_ORDER); - - // mask = 0xffff if (i < GF_MUL_ORDER) - uint16_t mask = -(tmp >> 15); - - return tmp + (mask & PARAM_GF_MUL_ORDER); -} diff --git a/crypto_kem/hqc-rmrs-192/avx2/gf.h b/crypto_kem/hqc-rmrs-192/avx2/gf.h deleted file mode 100644 index 603a0884..00000000 --- a/crypto_kem/hqc-rmrs-192/avx2/gf.h +++ /dev/null 
@@ -1,69 +0,0 @@
-#ifndef GF_H
-#define GF_H
-
-
-/**
- * @file gf.h
- * Header file of gf.c
- */
-
-#include
-#include
-#include
-
-#define _mm256_set_m128i(v0, v1) _mm256_insertf128_si256(_mm256_castsi128_si256(v1), (v0), 1)
-
-/**
- * Powers of the root alpha of 1 + x^2 + x^3 + x^4 + x^8.
- * The last two elements are needed by the PQCLEAN_HQCRMRS192_AVX2_gf_mul function
- * (for example if both elements to multiply are zero).
- */
-static const uint16_t gf_exp[258] = { 1, 2, 4, 8, 16, 32, 64, 128, 29, 58, 116, 232, 205, 135, 19, 38, 76, 152, 45, 90, 180, 117, 234, 201, 143, 3, 6, 12, 24, 48, 96, 192, 157, 39, 78, 156, 37, 74, 148, 53, 106, 212, 181, 119, 238, 193, 159, 35, 70, 140, 5, 10, 20, 40, 80, 160, 93, 186, 105, 210, 185, 111, 222, 161, 95, 190, 97, 194, 153, 47, 94, 188, 101, 202, 137, 15, 30, 60, 120, 240, 253, 231, 211, 187, 107, 214, 177, 127, 254, 225, 223, 163, 91, 182, 113, 226, 217, 175, 67, 134, 17, 34, 68, 136, 13, 26, 52, 104, 208, 189, 103, 206, 129, 31, 62, 124, 248, 237, 199, 147, 59, 118, 236, 197, 151, 51, 102, 204, 133, 23, 46, 92, 184, 109, 218, 169, 79, 158, 33, 66, 132, 21, 42, 84, 168, 77, 154, 41, 82, 164, 85, 170, 73, 146, 57, 114, 228, 213, 183, 115, 230, 209, 191, 99, 198, 145, 63, 126, 252, 229, 215, 179, 123, 246, 241, 255, 227, 219, 171, 75, 150, 49, 98, 196, 149, 55, 110, 220, 165, 87, 174, 65, 130, 25, 50, 100, 200, 141, 7, 14, 28, 56, 112, 224, 221, 167, 83, 166, 81, 162, 89, 178, 121, 242, 249, 239, 195, 155, 43, 86, 172, 69, 138, 9, 18, 36, 72, 144, 61, 122, 244, 245, 247, 243, 251, 235, 203, 139, 11, 22, 44, 88, 176, 125, 250, 233, 207, 131, 27, 54, 108, 216, 173, 71, 142, 1, 2, 4 };
-
-
-
-/**
- * Logarithm of elements of GF(2^8) to the base alpha (root of 1 + x^2 + x^3 + x^4 + x^8).
- * The logarithm of 0 is set to 0 by convention.
- */
-static const uint16_t gf_log[256] = { 0, 0, 1, 25, 2, 50, 26, 198, 3, 223, 51, 238, 27, 104, 199, 75, 4, 100, 224, 14, 52, 141, 239, 129, 28, 193, 105, 248, 200, 8, 76, 113, 5, 138, 101, 47, 225, 36, 15, 33, 53, 147, 142, 218, 240, 18, 130, 69, 29, 181, 194, 125, 106, 39, 249, 185, 201, 154, 9, 120, 77, 228, 114, 166, 6, 191, 139, 98, 102, 221, 48, 253, 226, 152, 37, 179, 16, 145, 34, 136, 54, 208, 148, 206, 143, 150, 219, 189, 241, 210, 19, 92, 131, 56, 70, 64, 30, 66, 182, 163, 195, 72, 126, 110, 107, 58, 40, 84, 250, 133, 186, 61, 202, 94, 155, 159, 10, 21, 121, 43, 78, 212, 229, 172, 115, 243, 167, 87, 7, 112, 192, 247, 140, 128, 99, 13, 103, 74, 222, 237, 49, 197, 254, 24, 227, 165, 153, 119, 38, 184, 180, 124, 17, 68, 146, 217, 35, 32, 137, 46, 55, 63, 209, 91, 149, 188, 207, 205, 144, 135, 151, 178, 220, 252, 190, 97, 242, 86, 211, 171, 20, 42, 93, 158, 132, 60, 57, 83, 71, 109, 65, 162, 31, 45, 67, 216, 183, 123, 164, 118, 196, 23, 73, 236, 127, 12, 111, 246, 108, 161, 59, 82, 41, 157, 85, 170, 251, 96, 134, 177, 187, 204, 62, 90, 203, 89, 95, 176, 156, 169, 160, 81, 11, 245, 22, 235, 122, 117, 44, 215, 79, 174, 213, 233, 230, 231, 173, 232, 116, 214, 244, 234, 168, 80, 88, 175 };
-
-/**
- * Masks needed for the computation of 16 mult in GF(2^M)
- */
-#define CONST256_MR0 _mm256_set1_epi64x((long long) 0x0100010001000100)
-#define CONST256_LASTMASK _mm256_set1_epi64x((long long) 0x00ff00ff00ff00ff)
-#define CONST128_MASKL _mm_set1_epi64x((long long) 0x0000ffff0000ffff)
-#define CONST128_MASKH _mm_set1_epi64x((long long) 0xffff0000ffff0000)
-#define CONST128_MIDDLEMASKL _mm_set1_epi64x((long long) 0x000000000000ffff)
-#define CONST128_MIDDLEMASKH _mm_set1_epi64x((long long) 0x0000ffff00000000)
-#define CONST128_INDEXH _mm_set_epi64x((long long) 0x0d0c090805040100, (long long) 0xffffffffffffffff)
-#define CONST128_INDEXL _mm_set_epi64x((long long) 0xffffffffffffffff, (long long) 0x0d0c090805040100)
-
-/**
- * x^i modulo x^8+x^4+x^3+x^2+1 duplicate 4
times to fit a 256-bit register
- */
-static const __m256i red[7] = {
- {0x001d001d001d001dUL, 0x001d001d001d001dUL, 0x001d001d001d001dUL, 0x001d001d001d001dUL},
- {0x003a003a003a003aUL, 0x003a003a003a003aUL, 0x003a003a003a003aUL, 0x003a003a003a003aUL},
- {0x0074007400740074UL, 0x0074007400740074UL, 0x0074007400740074UL, 0x0074007400740074UL},
- {0x00e800e800e800e8UL, 0x00e800e800e800e8UL, 0x00e800e800e800e8UL, 0x00e800e800e800e8UL},
- {0x00cd00cd00cd00cdUL, 0x00cd00cd00cd00cdUL, 0x00cd00cd00cd00cdUL, 0x00cd00cd00cd00cdUL},
- {0x0087008700870087UL, 0x0087008700870087UL, 0x0087008700870087UL, 0x0087008700870087UL},
- {0x0013001300130013UL, 0x0013001300130013UL, 0x0013001300130013UL, 0x0013001300130013UL},
-
-};
-
-
-uint16_t PQCLEAN_HQCRMRS192_AVX2_gf_mul(uint16_t a, uint16_t b);
-
-__m256i PQCLEAN_HQCRMRS192_AVX2_gf_mul_vect(__m256i a, __m256i b);
-
-uint16_t PQCLEAN_HQCRMRS192_AVX2_gf_square(uint16_t a);
-
-uint16_t PQCLEAN_HQCRMRS192_AVX2_gf_inverse(uint16_t a);
-
-uint16_t PQCLEAN_HQCRMRS192_AVX2_gf_mod(uint16_t i);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-192/avx2/gf2x.c b/crypto_kem/hqc-rmrs-192/avx2/gf2x.c
deleted file mode 100644
index 3c6e1fa9..00000000
--- a/crypto_kem/hqc-rmrs-192/avx2/gf2x.c
+++ /dev/null
@@ -1,408 +0,0 @@
-#include "gf2x.h"
-#include "parameters.h"
-#include
-#include
-#include
-#include
-/**
- * \file gf2x.c
- * \brief AVX2 implementation of multiplication of two polynomials
- */
-
-
-
-#define VEC_N_SPLIT_3x3 CEIL_DIVIDE(PARAM_N/9, 256)
-#define VEC_N_SPLIT_3 (3*VEC_N_SPLIT_3x3)
-
-static inline void reduce(uint64_t *o, const __m256i *a);
-static inline void karat_mult_1(__m128i *C, const __m128i *A, const __m128i *B);
-static inline void karat_mult_2(__m256i *C, const __m256i *A, const __m256i *B);
-static inline void karat_mult_4(__m256i *C, const __m256i *A, const __m256i *B);
-static inline void karat_mult_8(__m256i *C, const __m256i *A, const __m256i *B);
-static inline void karat_mult_16(__m256i *C, const __m256i *A, const __m256i *B);
-static inline void karat_three_way_mult(__m256i *C, const __m256i *A, const __m256i *B);
-static inline void karat_mult9(__m256i *C, const aligned_vec_t *A, const aligned_vec_t *B);
-
-
-/**
- * @brief Compute o(x) = a(x) mod \f$ X^n - 1\f$
- *
- * This function computes the modular reduction of the polynomial a(x)
- *
- * @param[out] o Pointer to the result
- * @param[in] a Pointer to the polynomial a(x)
- */
-static inline void reduce(uint64_t *o, const __m256i *a256) {
- size_t i, i2;
- __m256i r256, carry256;
- __m256i *o256 = (__m256i *)o;
- const uint64_t *a64 = (const uint64_t *)a256;
- uint64_t r, carry;
-
- i2 = 0;
- for (i = (PARAM_N >> 6); i < (PARAM_N >> 5) - 4; i += 4) {
- r256 = _mm256_lddqu_si256((const __m256i *) (& a64[i]));
- r256 = _mm256_srli_epi64(r256, PARAM_N & 63);
- carry256 = _mm256_lddqu_si256((const __m256i *) (& a64[i + 1]));
- carry256 = _mm256_slli_epi64(carry256, (-PARAM_N) & 63);
- r256 ^= carry256;
- _mm256_storeu_si256(&o256[i2], a256[i2] ^ r256);
- i2 += 1;
- }
-
- i = i - (PARAM_N >> 6);
- for (; i < (PARAM_N >> 6) + 1; i++) {
- r = a64[i + (PARAM_N >> 6)] >> (PARAM_N & 63);
- carry = a64[i + (PARAM_N >> 6) + 1] << ((-PARAM_N) & 63);
- r ^= carry;
- o[i] = a64[i] ^ r;
- }
- - o[PARAM_N >> 6] &= RED_MASK; -} - - - -/** - * @brief Compute C(x) = A(x)*B(x) - * A(x) and B(x) are stored in 128-bit registers - * This function computes A(x)*B(x) using Karatsuba - * - * @param[out] C Pointer to the result - * @param[in] A Pointer to the polynomial A(x) - * @param[in] B Pointer to the polynomial B(x) - */ -static inline void karat_mult_1(__m128i *C, const __m128i *A, const __m128i *B) { - __m128i D1[2]; - __m128i D0[2], D2[2]; - __m128i Al = _mm_loadu_si128(A); - __m128i Ah = _mm_loadu_si128(A + 1); - __m128i Bl = _mm_loadu_si128(B); - __m128i Bh = _mm_loadu_si128(B + 1); - - // Compute Al.Bl=D0 - __m128i DD0 = _mm_clmulepi64_si128(Al, Bl, 0); - __m128i DD2 = _mm_clmulepi64_si128(Al, Bl, 0x11); - __m128i AAlpAAh = _mm_xor_si128(Al, _mm_shuffle_epi32(Al, 0x4e)); - __m128i BBlpBBh = _mm_xor_si128(Bl, _mm_shuffle_epi32(Bl, 0x4e)); - __m128i DD1 = _mm_xor_si128(_mm_xor_si128(DD0, DD2), _mm_clmulepi64_si128(AAlpAAh, BBlpBBh, 0)); - D0[0] = _mm_xor_si128(DD0, _mm_unpacklo_epi64(_mm_setzero_si128(), DD1)); - D0[1] = _mm_xor_si128(DD2, _mm_unpackhi_epi64(DD1, _mm_setzero_si128())); - - // Compute Ah.Bh=D2 - DD0 = _mm_clmulepi64_si128(Ah, Bh, 0); - DD2 = _mm_clmulepi64_si128(Ah, Bh, 0x11); - AAlpAAh = _mm_xor_si128(Ah, _mm_shuffle_epi32(Ah, 0x4e)); - BBlpBBh = _mm_xor_si128(Bh, _mm_shuffle_epi32(Bh, 0x4e)); - DD1 = _mm_xor_si128(_mm_xor_si128(DD0, DD2), _mm_clmulepi64_si128(AAlpAAh, BBlpBBh, 0)); - D2[0] = _mm_xor_si128(DD0, _mm_unpacklo_epi64(_mm_setzero_si128(), DD1)); - D2[1] = _mm_xor_si128(DD2, _mm_unpackhi_epi64(DD1, _mm_setzero_si128())); - - // Compute AlpAh.BlpBh=D1 - // Initialisation of AlpAh and BlpBh - __m128i AlpAh = _mm_xor_si128(Al, Ah); - __m128i BlpBh = _mm_xor_si128(Bl, Bh); - DD0 = _mm_clmulepi64_si128(AlpAh, BlpBh, 0); - DD2 = _mm_clmulepi64_si128(AlpAh, BlpBh, 0x11); - AAlpAAh = _mm_xor_si128(AlpAh, _mm_shuffle_epi32(AlpAh, 0x4e)); - BBlpBBh = _mm_xor_si128(BlpBh, _mm_shuffle_epi32(BlpBh, 0x4e)); - DD1 = 
_mm_xor_si128(_mm_xor_si128(DD0, DD2), _mm_clmulepi64_si128(AAlpAAh, BBlpBBh, 0)); - D1[0] = _mm_xor_si128(DD0, _mm_unpacklo_epi64(_mm_setzero_si128(), DD1)); - D1[1] = _mm_xor_si128(DD2, _mm_unpackhi_epi64(DD1, _mm_setzero_si128())); - - // Final comutation of C - __m128i middle = _mm_xor_si128(D0[1], D2[0]); - C[0] = D0[0]; - C[1] = middle ^ D0[0] ^ D1[0]; - C[2] = middle ^ D1[1] ^ D2[1]; - C[3] = D2[1]; -} - - - -/** - * @brief Compute C(x) = A(x)*B(x) - * - * This function computes A(x)*B(x) using Karatsuba - * A(x) and B(x) are stored in 256-bit registers - * @param[out] C Pointer to the result - * @param[in] A Pointer to the polynomial A(x) - * @param[in] B Pointer to the polynomial B(x) - */ -static inline void karat_mult_2(__m256i *C, const __m256i *A, const __m256i *B) { - __m256i D0[2], D1[2], D2[2], SAA, SBB; - const __m128i *A128 = (const __m128i *)A; - const __m128i *B128 = (const __m128i *)B; - __m256i middle; - - karat_mult_1((__m128i *) D0, A128, B128); - karat_mult_1((__m128i *) D2, A128 + 2, B128 + 2); - - SAA = A[0] ^ A[1]; - SBB = B[0] ^ B[1]; - karat_mult_1((__m128i *) D1, (__m128i *) &SAA, (__m128i *) &SBB); - middle = _mm256_xor_si256(D0[1], D2[0]); - - C[0] = D0[0]; - C[1] = middle ^ D0[0] ^ D1[0]; - C[2] = middle ^ D1[1] ^ D2[1]; - C[3] = D2[1]; -} - - -/** - * @brief Compute C(x) = A(x)*B(x) - * - * This function computes A(x)*B(x) using Karatsuba - * A(x) and B(x) are stored in 256-bit registers - * @param[out] C Pointer to the result - * @param[in] A Pointer to the polynomial A(x) - * @param[in] B Pointer to the polynomial B(x) - */ -static inline void karat_mult_4(__m256i *C, const __m256i *A, const __m256i *B) { - __m256i D0[4], D1[4], D2[4], SAA[2], SBB[2]; - __m256i middle0; - __m256i middle1; - - karat_mult_2(D0, A, B); - karat_mult_2(D2, A + 2, B + 2); - - SAA[0] = A[0] ^ A[2]; - SBB[0] = B[0] ^ B[2]; - SAA[1] = A[1] ^ A[3]; - SBB[1] = B[1] ^ B[3]; - - karat_mult_2(D1, SAA, SBB); - - middle0 = _mm256_xor_si256(D0[2], D2[0]); - 
middle1 = _mm256_xor_si256(D0[3], D2[1]);
-
- C[0] = D0[0];
- C[1] = D0[1];
- C[2] = middle0 ^ D0[0] ^ D1[0];
- C[3] = middle1 ^ D0[1] ^ D1[1];
- C[4] = middle0 ^ D1[2] ^ D2[2];
- C[5] = middle1 ^ D1[3] ^ D2[3];
- C[6] = D2[2];
- C[7] = D2[3];
-}
-
-
-
-/**
- * @brief Compute C(x) = A(x)*B(x)
- *
- * This function computes A(x)*B(x) using Karatsuba
- * A(x) and B(x) are stored in 256-bit registers
- * @param[out] C Pointer to the result
- * @param[in] A Pointer to the polynomial A(x)
- * @param[in] B Pointer to the polynomial B(x)
- */
-static inline void karat_mult_8(__m256i *C, const __m256i *A, const __m256i *B) {
- size_t i, is, is2, is3;
- __m256i D0[8], D1[8], D2[8], SAA[4], SBB[4];
- __m256i middle;
-
- karat_mult_4(D0, A, B);
- karat_mult_4(D2, A + 4, B + 4);
-
- for (i = 0; i < 4; i++) {
- is = i + 4;
- SAA[i] = A[i] ^ A[is];
- SBB[i] = B[i] ^ B[is];
- }
-
- karat_mult_4(D1, SAA, SBB);
-
- for (i = 0; i < 4; i++) {
- is = i + 4;
- is2 = is + 4;
- is3 = is2 + 4;
-
- middle = _mm256_xor_si256(D0[is], D2[i]);
-
- C[i] = D0[i];
- C[is] = middle ^ D0[i] ^ D1[i];
- C[is2] = middle ^ D1[is] ^ D2[is];
- C[is3] = D2[is];
- }
-}
-
-
-
-/**
- * @brief Compute C(x) = A(x)*B(x)
- *
- * This function computes A(x)*B(x) using Karatsuba
- * A(x) and B(x) are stored in 256-bit registers
- * @param[out] C Pointer to the result
- * @param[in] A Pointer to the polynomial A(x)
- * @param[in] B Pointer to the polynomial B(x)
- */
-inline static void karat_mult_16(__m256i *C, const __m256i *A, const __m256i *B) {
- size_t i, is, is2, is3;
- __m256i middle;
- __m256i D0[16], D1[16], D2[16], SAA[8], SBB[8];
-
- karat_mult_8(D0, A, B);
- karat_mult_8(D2, A + 8, B + 8);
-
- for (i = 0; i < 8; i++) {
- is = i + 8;
- SAA[i] = A[i] ^ A[is];
- SBB[i] = B[i] ^ B[is];
- }
-
- karat_mult_8(D1, SAA, SBB);
-
- for (i = 0; i < 8; i++) {
- is = i + 8;
- is2 = is + 8;
- is3 = is2 + 8;
-
- middle = D0[is] ^ D2[i];
-
- C[i] = D0[i];
- C[is] = middle ^ D0[i] ^ D1[i];
- C[is2] = middle ^ D1[is] ^
D2[is];
- C[is3] = D2[is];
- }
-}
-
-
-/**
- * @brief Compute C(x) = A(x)*B(x)
- *
- * This function computes A(x)*B(x) using Karatsuba 3 part split
- * A(x) and B(x) are stored in 256-bit registers
- * @param[out] C Pointer to the result
- * @param[in] A Pointer to the polynomial A(x)
- * @param[in] B Pointer to the polynomial B(x)
- */
-static inline void karat_three_way_mult(__m256i *C, const __m256i *A, const __m256i *B) {
- size_t i, j;
- const __m256i *a0, *b0, *a1, *b1, *a2, *b2;
- __m256i aa01[VEC_N_SPLIT_3x3], bb01[VEC_N_SPLIT_3x3], aa02[VEC_N_SPLIT_3x3], bb02[VEC_N_SPLIT_3x3], aa12[VEC_N_SPLIT_3x3], bb12[VEC_N_SPLIT_3x3];
- __m256i D0[2 * VEC_N_SPLIT_3x3], D1[2 * VEC_N_SPLIT_3x3], D2[2 * VEC_N_SPLIT_3x3], D3[2 * VEC_N_SPLIT_3x3], D4[2 * VEC_N_SPLIT_3x3], D5[2 * VEC_N_SPLIT_3x3];
- __m256i ro256[6 * VEC_N_SPLIT_3x3];
- __m256i middle0;
-
- a0 = A;
- a1 = A + VEC_N_SPLIT_3x3;
- a2 = A + (VEC_N_SPLIT_3x3 << 1);
-
- b0 = B;
- b1 = B + VEC_N_SPLIT_3x3;
- b2 = B + (VEC_N_SPLIT_3x3 << 1);
-
- for (i = 0; i < VEC_N_SPLIT_3x3; i++) {
- aa01[i] = a0[i] ^ a1[i];
- bb01[i] = b0[i] ^ b1[i];
-
- aa12[i] = a2[i] ^ a1[i];
- bb12[i] = b2[i] ^ b1[i];
-
- aa02[i] = a0[i] ^ a2[i];
- bb02[i] = b0[i] ^ b2[i];
- }
-
- karat_mult_16(D0, a0, b0);
- karat_mult_16(D1, a1, b1);
- karat_mult_16(D2, a2, b2);
-
- karat_mult_16(D3, aa01, bb01);
- karat_mult_16(D4, aa02, bb02);
- karat_mult_16(D5, aa12, bb12);
-
- for (i = 0; i < VEC_N_SPLIT_3x3; i++) {
- j = i + VEC_N_SPLIT_3x3;
- middle0 = D0[i] ^ D1[i] ^ D0[j];
- ro256[i] = D0[i];
- ro256[j] = D3[i] ^ middle0;
- ro256[j + VEC_N_SPLIT_3x3] = D4[i] ^ D2[i] ^ D3[j] ^ D1[j] ^ middle0;
- middle0 = D1[j] ^ D2[i] ^ D2[j];
- ro256[j + (VEC_N_SPLIT_3x3 << 1)] = D5[i] ^ D4[j] ^ D0[j] ^ D1[i] ^ middle0;
- ro256[i + (VEC_N_SPLIT_3x3 << 2)] = D5[j] ^ middle0;
- ro256[j + (VEC_N_SPLIT_3x3 << 2)] = D2[j];
- }
-
- for (i = 0; i < 2 * VEC_N_SPLIT_3; i++) {
- C[i] = ro256[i];
- }
-}
-
-
-
-/**
- * @brief Compute C(x) = A(x)*B(x)
- *
- * This function
computes A(x)*B(x) using Karatsuba 3 part split
- * A(x) and B(x) are stored in 256-bit registers
- * @param[out] C Pointer to the result
- * @param[in] A Pointer to the polynomial A(x)
- * @param[in] B Pointer to the polynomial B(x)
- */
-static inline void karat_mult9(__m256i *C, const aligned_vec_t *A, const aligned_vec_t *B) {
- size_t i, j;
- const __m256i *a0, *b0, *a1, *b1, *a2, *b2;
- __m256i aa01[VEC_N_SPLIT_3], bb01[VEC_N_SPLIT_3], aa02[VEC_N_SPLIT_3], bb02[VEC_N_SPLIT_3], aa12[VEC_N_SPLIT_3], bb12[VEC_N_SPLIT_3];
- __m256i D0[2 * VEC_N_SPLIT_3], D1[2 * VEC_N_SPLIT_3], D2[2 * VEC_N_SPLIT_3], D3[2 * VEC_N_SPLIT_3], D4[2 * VEC_N_SPLIT_3], D5[2 * VEC_N_SPLIT_3];
- __m256i middle0;
-
- a0 = (__m256i *)(A->arr64);
- a1 = a0 + VEC_N_SPLIT_3;
- a2 = a0 + (2 * VEC_N_SPLIT_3);
-
- b0 = (__m256i *)(B->arr64);
- b1 = b0 + VEC_N_SPLIT_3;
- b2 = b0 + (2 * VEC_N_SPLIT_3);
-
- for (i = 0; i < VEC_N_SPLIT_3; i++) {
- aa01[i] = a0[i] ^ a1[i];
- bb01[i] = b0[i] ^ b1[i];
-
- aa12[i] = a2[i] ^ a1[i];
- bb12[i] = b2[i] ^ b1[i];
-
- aa02[i] = a0[i] ^ a2[i];
- bb02[i] = b0[i] ^ b2[i];
- }
-
- karat_three_way_mult(D0, a0, b0);
- karat_three_way_mult(D1, a1, b1);
- karat_three_way_mult(D2, a2, b2);
-
- karat_three_way_mult(D3, aa01, bb01);
- karat_three_way_mult(D4, aa02, bb02);
- karat_three_way_mult(D5, aa12, bb12);
-
- for (i = 0; i < VEC_N_SPLIT_3; i++) {
- j = i + VEC_N_SPLIT_3;
- middle0 = D0[i] ^ D1[i] ^ D0[j];
- C[i] = D0[i];
- C[j] = D3[i] ^ middle0;
- C[j + VEC_N_SPLIT_3] = D4[i] ^ D2[i] ^ D3[j] ^ D1[j] ^ middle0;
- middle0 = D1[j] ^ D2[i] ^ D2[j];
- C[j + (VEC_N_SPLIT_3 << 1)] = D5[i] ^ D4[j] ^ D0[j] ^ D1[i] ^ middle0;
- C[i + (VEC_N_SPLIT_3 << 2)] = D5[j] ^ middle0;
- C[j + (VEC_N_SPLIT_3 << 2)] = D2[j];
- }
-}
-
-
-
-/**
- * @brief Multiply two polynomials modulo \f$ X^n - 1\f$.
- *
- * This functions multiplies a dense polynomial a1 (of Hamming weight equal to weight)
- * and a dense polynomial a2. The multiplication is done modulo \f$ X^n - 1\f$.
- *
- * @param[out] o Pointer to the result
- * @param[in] a1 Pointer to a polynomial
- * @param[in] a2 Pointer to a polynomial
- */
-void PQCLEAN_HQCRMRS192_AVX2_vect_mul(uint64_t *o, const aligned_vec_t *a1, const aligned_vec_t *a2) {
- __m256i a1_times_a2[2 * PARAM_N_MULT + 1] = {0};
- karat_mult9(a1_times_a2, a1, a2);
- reduce(o, a1_times_a2);
-}
diff --git a/crypto_kem/hqc-rmrs-192/avx2/gf2x.h b/crypto_kem/hqc-rmrs-192/avx2/gf2x.h
deleted file mode 100644
index 4e6b7fe0..00000000
--- a/crypto_kem/hqc-rmrs-192/avx2/gf2x.h
+++ /dev/null
@@ -1,21 +0,0 @@
-#ifndef GF2X_H
-#define GF2X_H
-
-
-/**
- * @file gf2x.h
- * @brief Header file for gf2x.c
- */
-#include "parameters.h"
-#include
-#include
-
-typedef union {
- uint64_t arr64[VEC_N_256_SIZE_64];
- __m256i dummy;
-} aligned_vec_t;
-
-void PQCLEAN_HQCRMRS192_AVX2_vect_mul(uint64_t *o, const aligned_vec_t *a1, const aligned_vec_t *a2);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-192/avx2/hqc.c b/crypto_kem/hqc-rmrs-192/avx2/hqc.c
deleted file mode 100644
index 895fd9b1..00000000
--- a/crypto_kem/hqc-rmrs-192/avx2/hqc.c
+++ /dev/null
@@ -1,168 +0,0 @@ -#include "code.h" -#include "gf2x.h" -#include "hqc.h" -#include "nistseedexpander.h" -#include "parameters.h" -#include "parsing.h" -#include "randombytes.h" -#include "vector.h" -#include -#include -#include -/** - * @file hqc.c - * @brief Implementation of hqc.h - */ - - - -/** - * @brief Keygen of the HQC_PKE IND_CPA scheme - * - * The public key is composed of the syndrome s as well as the seed used to generate the vector h. - * - * The secret key is composed of the seed used to generate vectors x and y. - * As a technicality, the public key is appended to the secret key in order to respect NIST API. - * - * @param[out] pk String containing the public key - * @param[out] sk String containing the secret key - */ -void PQCLEAN_HQCRMRS192_AVX2_hqc_pke_keygen(unsigned char *pk, unsigned char *sk) { - AES_XOF_struct sk_seedexpander; - AES_XOF_struct pk_seedexpander; - uint8_t sk_seed[SEED_BYTES] = {0}; - uint8_t pk_seed[SEED_BYTES] = {0}; - aligned_vec_t vx = {0}; - uint64_t *x = vx.arr64; - aligned_vec_t vy = {0}; - uint64_t *y = vy.arr64; - aligned_vec_t vh = {0}; - uint64_t *h = vh.arr64; - aligned_vec_t vs = {0}; - uint64_t *s = vs.arr64; - aligned_vec_t vtmp = {0}; - uint64_t *tmp = vtmp.arr64; - - // Create seed_expanders for public key and secret key - randombytes(sk_seed, SEED_BYTES); - seedexpander_init(&sk_seedexpander, sk_seed, sk_seed + 32, SEEDEXPANDER_MAX_LENGTH); - - randombytes(pk_seed, SEED_BYTES); - seedexpander_init(&pk_seedexpander, pk_seed, pk_seed + 32, SEEDEXPANDER_MAX_LENGTH); - - // Compute secret key - PQCLEAN_HQCRMRS192_AVX2_vect_set_random_fixed_weight(&sk_seedexpander, x, PARAM_OMEGA); - PQCLEAN_HQCRMRS192_AVX2_vect_set_random_fixed_weight(&sk_seedexpander, y, PARAM_OMEGA); - - // Compute public key - PQCLEAN_HQCRMRS192_AVX2_vect_set_random(&pk_seedexpander, h); - PQCLEAN_HQCRMRS192_AVX2_vect_mul(tmp, &vy, &vh); - PQCLEAN_HQCRMRS192_AVX2_vect_add(s, x, tmp, VEC_N_256_SIZE_64); - - // Parse keys to string - 
PQCLEAN_HQCRMRS192_AVX2_hqc_public_key_to_string(pk, pk_seed, s); - PQCLEAN_HQCRMRS192_AVX2_hqc_secret_key_to_string(sk, sk_seed, pk); - -} - - - -/** - * @brief Encryption of the HQC_PKE IND_CPA scheme - * - * The cihertext is composed of vectors u and v. - * - * @param[out] u Vector u (first part of the ciphertext) - * @param[out] v Vector v (second part of the ciphertext) - * @param[in] m Vector representing the message to encrypt - * @param[in] theta Seed used to derive randomness required for encryption - * @param[in] pk String containing the public key - */ -void PQCLEAN_HQCRMRS192_AVX2_hqc_pke_encrypt(uint64_t *u, uint64_t *v, uint8_t *m, unsigned char *theta, const unsigned char *pk) { - AES_XOF_struct seedexpander; - aligned_vec_t vh = {0}; - uint64_t *h = vh.arr64; - aligned_vec_t vs = {0}; - uint64_t *s = vs.arr64; - aligned_vec_t vr1 = {0}; - uint64_t *r1 = vr1.arr64; - aligned_vec_t vr2 = {0}; - uint64_t *r2 = vr2.arr64; - aligned_vec_t ve = {0}; - uint64_t *e = ve.arr64; - aligned_vec_t vtmp1 = {0}; - uint64_t *tmp1 = vtmp1.arr64; - aligned_vec_t vtmp2 = {0}; - uint64_t *tmp2 = vtmp2.arr64; - aligned_vec_t vtmp3 = {0}; - uint64_t *tmp3 = vtmp3.arr64; - - // Create seed_expander from theta - seedexpander_init(&seedexpander, theta, theta + 32, SEEDEXPANDER_MAX_LENGTH); - - // Retrieve h and s from public key - PQCLEAN_HQCRMRS192_AVX2_hqc_public_key_from_string(h, s, pk); - - // Generate r1, r2 and e - PQCLEAN_HQCRMRS192_AVX2_vect_set_random_fixed_weight(&seedexpander, r1, PARAM_OMEGA_R); - PQCLEAN_HQCRMRS192_AVX2_vect_set_random_fixed_weight(&seedexpander, r2, PARAM_OMEGA_R); - PQCLEAN_HQCRMRS192_AVX2_vect_set_random_fixed_weight(&seedexpander, e, PARAM_OMEGA_E); - - - - // Compute u = r1 + r2.h - PQCLEAN_HQCRMRS192_AVX2_vect_mul(tmp1, &vr2, &vh); - PQCLEAN_HQCRMRS192_AVX2_vect_add(u, r1, tmp1, VEC_N_256_SIZE_64); - - // Compute v = m.G by encoding the message - PQCLEAN_HQCRMRS192_AVX2_code_encode((uint8_t *)v, m); - PQCLEAN_HQCRMRS192_AVX2_load8_arr(v, 
VEC_N1N2_256_SIZE_64, (uint8_t *)v, VEC_N1N2_SIZE_BYTES); - PQCLEAN_HQCRMRS192_AVX2_vect_resize(tmp1, PARAM_N, v, PARAM_N1N2); - - // Compute v = m.G + s.r2 + e - PQCLEAN_HQCRMRS192_AVX2_vect_mul(tmp2, &vr2, &vs); - PQCLEAN_HQCRMRS192_AVX2_vect_add(tmp3, e, tmp2, VEC_N_256_SIZE_64); - PQCLEAN_HQCRMRS192_AVX2_vect_add(tmp2, tmp1, tmp3, VEC_N_256_SIZE_64); - PQCLEAN_HQCRMRS192_AVX2_vect_resize(v, PARAM_N1N2, tmp2, PARAM_N); - -} - - - -/** - * @brief Decryption of the HQC_PKE IND_CPA scheme - * - * @param[out] m Vector representing the decrypted message - * @param[in] u Vector u (first part of the ciphertext) - * @param[in] v Vector v (second part of the ciphertext) - * @param[in] sk String containing the secret key - */ -void PQCLEAN_HQCRMRS192_AVX2_hqc_pke_decrypt(uint8_t *m, const uint64_t *u, const uint64_t *v, const unsigned char *sk) { - uint8_t pk[PUBLIC_KEY_BYTES] = {0}; - aligned_vec_t vx = {0}; - uint64_t *x = vx.arr64; - aligned_vec_t vy = {0}; - uint64_t *y = vy.arr64; - aligned_vec_t vtmp1 = {0}; - uint64_t *tmp1 = vtmp1.arr64; - aligned_vec_t vtmp2 = {0}; - uint64_t *tmp2 = vtmp2.arr64; - aligned_vec_t vtmp3 = {0}; - uint64_t *tmp3 = vtmp3.arr64; - - // Retrieve x, y, pk from secret key - PQCLEAN_HQCRMRS192_AVX2_hqc_secret_key_from_string(x, y, pk, sk); - - // Compute v - u.y - PQCLEAN_HQCRMRS192_AVX2_vect_resize(tmp1, PARAM_N, v, PARAM_N1N2); - for (size_t i = 0; i < VEC_N_256_SIZE_64; i++) { - tmp2[i] = u[i]; - } - PQCLEAN_HQCRMRS192_AVX2_vect_mul(tmp3, &vy, &vtmp2); - PQCLEAN_HQCRMRS192_AVX2_vect_add(tmp2, tmp1, tmp3, VEC_N_256_SIZE_64); - - - // Compute m by decoding v - u.y - PQCLEAN_HQCRMRS192_AVX2_store8_arr((uint8_t *)tmp1, VEC_N_SIZE_BYTES, tmp2, VEC_N_256_SIZE_64); - PQCLEAN_HQCRMRS192_AVX2_code_decode(m, (uint8_t *)tmp1); -} diff --git a/crypto_kem/hqc-rmrs-192/avx2/hqc.h b/crypto_kem/hqc-rmrs-192/avx2/hqc.h deleted file mode 100644 index 0642294d..00000000 --- a/crypto_kem/hqc-rmrs-192/avx2/hqc.h +++ /dev/null 
@@ -1,19 +0,0 @@
-#ifndef HQC_H
-#define HQC_H
-
-
-/**
- * @file hqc.h
- * @brief Functions of the HQC_PKE IND_CPA scheme
- */
-
-#include
-
-void PQCLEAN_HQCRMRS192_AVX2_hqc_pke_keygen(unsigned char *pk, unsigned char *sk);
-
-void PQCLEAN_HQCRMRS192_AVX2_hqc_pke_encrypt(uint64_t *u, uint64_t *v, uint8_t *m, unsigned char *theta, const unsigned char *pk);
-
-void PQCLEAN_HQCRMRS192_AVX2_hqc_pke_decrypt(uint8_t *m, const uint64_t *u, const uint64_t *v, const unsigned char *sk);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-192/avx2/kem.c b/crypto_kem/hqc-rmrs-192/avx2/kem.c
deleted file mode 100644
index 012d8eed..00000000
--- a/crypto_kem/hqc-rmrs-192/avx2/kem.c
+++ /dev/null
@@ -1,140 +0,0 @@ -#include "api.h" -#include "fips202.h" -#include "hqc.h" -#include "nistseedexpander.h" -#include "parameters.h" -#include "parsing.h" -#include "randombytes.h" -#include "sha2.h" -#include "vector.h" -#include -#include -/** - * @file kem.c - * @brief Implementation of api.h - */ - - - -/** - * @brief Keygen of the HQC_KEM IND_CAA2 scheme - * - * The public key is composed of the syndrome s as well as the seed used to generate the vector h. - * - * The secret key is composed of the seed used to generate vectors x and y. - * As a technicality, the public key is appended to the secret key in order to respect NIST API. - * - * @param[out] pk String containing the public key - * @param[out] sk String containing the secret key - * @returns 0 if keygen is successful - */ -int PQCLEAN_HQCRMRS192_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { - - PQCLEAN_HQCRMRS192_AVX2_hqc_pke_keygen(pk, sk); - return 0; -} - - - -/** - * @brief Encapsulation of the HQC_KEM IND_CAA2 scheme - * - * @param[out] ct String containing the ciphertext - * @param[out] ss String containing the shared secret - * @param[in] pk String containing the public key - * @returns 0 if encapsulation is successful - */ -int PQCLEAN_HQCRMRS192_AVX2_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) { - - uint8_t theta[SHA512_BYTES] = {0}; - uint8_t m[VEC_K_SIZE_BYTES] = {0}; - static uint64_t u[VEC_N_256_SIZE_64] = {0}; - uint64_t v[VEC_N1N2_256_SIZE_64] = {0}; - unsigned char d[SHA512_BYTES] = {0}; - unsigned char mc[VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES] = {0}; - - // Computing m - randombytes(m, VEC_K_SIZE_BYTES); - - // Computing theta - sha3_512(theta, m, VEC_K_SIZE_BYTES); - - // Encrypting m - PQCLEAN_HQCRMRS192_AVX2_hqc_pke_encrypt(u, v, m, theta, pk); - - // Computing d - sha512(d, m, VEC_K_SIZE_BYTES); - - // Computing shared secret - memcpy(mc, m, VEC_K_SIZE_BYTES); - PQCLEAN_HQCRMRS192_AVX2_store8_arr(mc + 
VEC_K_SIZE_BYTES, VEC_N_SIZE_BYTES, u, VEC_N_SIZE_64); - PQCLEAN_HQCRMRS192_AVX2_store8_arr(mc + VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES, VEC_N1N2_SIZE_BYTES, v, VEC_N1N2_SIZE_64); - sha512(ss, mc, VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES); - - // Computing ciphertext - PQCLEAN_HQCRMRS192_AVX2_hqc_ciphertext_to_string(ct, u, v, d); - - - return 0; -} - - - -/** - * @brief Decapsulation of the HQC_KEM IND_CAA2 scheme - * - * @param[out] ss String containing the shared secret - * @param[in] ct String containing the cipĥertext - * @param[in] sk String containing the secret key - * @returns 0 if decapsulation is successful, -1 otherwise - */ -int PQCLEAN_HQCRMRS192_AVX2_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - - uint8_t result; - uint64_t u[VEC_N_256_SIZE_64] = {0}; - uint64_t v[VEC_N1N2_256_SIZE_64] = {0}; - unsigned char d[SHA512_BYTES] = {0}; - unsigned char pk[PUBLIC_KEY_BYTES] = {0}; - uint8_t m[VEC_K_SIZE_BYTES] = {0}; - uint8_t theta[SHA512_BYTES] = {0}; - uint64_t u2[VEC_N_256_SIZE_64] = {0}; - uint64_t v2[VEC_N1N2_256_SIZE_64] = {0}; - unsigned char d2[SHA512_BYTES] = {0}; - unsigned char mc[VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES] = {0}; - - // Retrieving u, v and d from ciphertext - PQCLEAN_HQCRMRS192_AVX2_hqc_ciphertext_from_string(u, v, d, ct); - - // Retrieving pk from sk - memcpy(pk, sk + SEED_BYTES, PUBLIC_KEY_BYTES); - - // Decryting - PQCLEAN_HQCRMRS192_AVX2_hqc_pke_decrypt(m, u, v, sk); - - // Computing theta - sha3_512(theta, m, VEC_K_SIZE_BYTES); - - // Encrypting m' - PQCLEAN_HQCRMRS192_AVX2_hqc_pke_encrypt(u2, v2, m, theta, pk); - - // Computing d' - sha512(d2, m, VEC_K_SIZE_BYTES); - - // Computing shared secret - memcpy(mc, m, VEC_K_SIZE_BYTES); - PQCLEAN_HQCRMRS192_AVX2_store8_arr(mc + VEC_K_SIZE_BYTES, VEC_N_SIZE_BYTES, u, VEC_N_256_SIZE_64); - PQCLEAN_HQCRMRS192_AVX2_store8_arr(mc + VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES, VEC_N1N2_SIZE_BYTES, v, VEC_N1N2_SIZE_64); - 
sha512(ss, mc, VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES);
-
- // Abort if c != c' or d != d'
- result = PQCLEAN_HQCRMRS192_AVX2_vect_compare((uint8_t *)u, (uint8_t *)u2, VEC_N_SIZE_BYTES);
- result |= PQCLEAN_HQCRMRS192_AVX2_vect_compare((uint8_t *)v, (uint8_t *)v2, VEC_N1N2_SIZE_BYTES);
- result |= PQCLEAN_HQCRMRS192_AVX2_vect_compare(d, d2, SHA512_BYTES);
- result = (uint8_t) (-((int16_t) result) >> 15);
- for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) {
- ss[i] &= ~result;
- }
-
-
- return -(result & 1);
-}
diff --git a/crypto_kem/hqc-rmrs-192/avx2/parameters.h b/crypto_kem/hqc-rmrs-192/avx2/parameters.h
deleted file mode 100644
index c893b7b7..00000000
--- a/crypto_kem/hqc-rmrs-192/avx2/parameters.h
+++ /dev/null
@@ -1,109 +0,0 @@ -#ifndef HQC_PARAMETERS_H -#define HQC_PARAMETERS_H - - -/** - * @file parameters.h - * @brief Parameters of the HQC_KEM IND-CCA2 scheme - */ -#include "api.h" - - -#define CEIL_DIVIDE(a, b) (((a)+(b)-1)/(b)) /*!< Divide a by b and ceil the result*/ - -/* - #define PARAM_N Define the parameter n of the scheme - #define PARAM_N1 Define the parameter n1 of the scheme (length of Reed-Solomon code) - #define PARAM_N2 Define the parameter n2 of the scheme (length of Duplicated Reed-Muller code) - #define PARAM_N1N2 Define the length in bits of the Concatenated code - #define PARAM_OMEGA Define the parameter omega of the scheme - #define PARAM_OMEGA_E Define the parameter omega_e of the scheme - #define PARAM_OMEGA_R Define the parameter omega_r of the scheme - #define PARAM_SECURITY Define the security level corresponding to the chosen parameters - #define PARAM_DFR_EXP Define the decryption failure rate corresponding to the chosen parameters - - #define SECRET_KEY_BYTES Define the size of the secret key in bytes - #define PUBLIC_KEY_BYTES Define the size of the public key in bytes - #define SHARED_SECRET_BYTES Define the size of the shared secret in bytes - #define CIPHERTEXT_BYTES Define the size of the ciphertext in bytes - - #define UTILS_REJECTION_THRESHOLD Define the rejection threshold used to generate given weight vectors (see vector_set_random_fixed_weight function) - #define VEC_N_SIZE_BYTES Define the size of the array used to store a PARAM_N sized vector in bytes - #define VEC_K_SIZE_BYTES Define the size of the array used to store a PARAM_K sized vector in bytes - #define VEC_N1Y_SIZE_BYTES Define the size of the array used to store a PARAM_N1 sized vector in bytes - #define VEC_N1N2_SIZE_BYTES Define the size of the array used to store a PARAM_N1N2 sized vector in bytes - - #define VEC_N_SIZE_64 Define the size of the array used to store a PARAM_N sized vector in 64 bits - #define VEC_K_SIZE_64 Define the size of the array used to store a 
PARAM_K sized vector in 64 bits - #define VEC_N1_SIZE_64 Define the size of the array used to store a PARAM_N1 sized vector in 64 bits - #define VEC_N1N2_SIZE_64 Define the size of the array used to store a PARAM_N1N2 sized vector in 64 bits - - #define VEC_N_256_SIZE_64 Define the size of the array of 64 bits elements used to store an array of size PARAM_N considered as elements of 256 bits - #define VEC_N1N2_256_SIZE_64 Define the size of the array of 64 bits elements used to store an array of size PARAM_N1N2 considered as elements of 256 bits - - #define PARAM_DELTA Define the parameter delta of the scheme (correcting capacity of the Reed-Solomon code) - #define PARAM_M Define a positive integer - #define PARAM_GF_POLY Generator polynomial of galois field GF(2^PARAM_M), represented in hexadecimial form - #define PARAM_GF_POLY_WT Hamming weight of PARAM_GF_POLY - #define PARAM_GF_POLY_M2 Distance between the primitive polynomial first two set bits - #define PARAM_GF_MUL_ORDER Define the size of the multiplicative group of GF(2^PARAM_M), i.e 2^PARAM_M -1 - #define PARAM_K Define the size of the information bits of the Reed-Solomon code - #define PARAM_G Define the size of the generator polynomial of Reed-Solomon code - #define PARAM_FFT The additive FFT takes a 2^PARAM_FFT polynomial as input - We use the FFT to compute the roots of sigma, whose degree if PARAM_DELTA=24 - The smallest power of 2 greater than 24+1 is 32=2^5 - #define RS_POLY_COEFS Coefficients of the generator polynomial of the Reed-Solomon code - - #define RED_MASK A mask fot the higher bits of a vector - #define SHA512_BYTES Define the size of SHA512 output in bytes - #define SEED_BYTES Define the size of the seed in bytes - #define SEEDEXPANDER_MAX_LENGTH Define the seed expander max length -*/ - -#define PARAM_N 35851 -#define PARAM_N1 56 -#define PARAM_N2 640 -#define PARAM_N1N2 35840 -#define PARAM_OMEGA 100 -#define PARAM_OMEGA_E 114 -#define PARAM_OMEGA_R 114 -#define PARAM_SECURITY 192 
-#define PARAM_DFR_EXP 192 - -#define SECRET_KEY_BYTES PQCLEAN_HQCRMRS192_AVX2_CRYPTO_SECRETKEYBYTES -#define PUBLIC_KEY_BYTES PQCLEAN_HQCRMRS192_AVX2_CRYPTO_PUBLICKEYBYTES -#define SHARED_SECRET_BYTES PQCLEAN_HQCRMRS192_AVX2_CRYPTO_BYTES -#define CIPHERTEXT_BYTES PQCLEAN_HQCRMRS192_AVX2_CRYPTO_CIPHERTEXTBYTES - -#define UTILS_REJECTION_THRESHOLD 16742417 -#define VEC_N_SIZE_BYTES CEIL_DIVIDE(PARAM_N, 8) -#define VEC_K_SIZE_BYTES PARAM_K -#define VEC_N1_SIZE_BYTES PARAM_N1 -#define VEC_N1N2_SIZE_BYTES CEIL_DIVIDE(PARAM_N1N2, 8) - -#define VEC_N_SIZE_64 CEIL_DIVIDE(PARAM_N, 64) -#define VEC_K_SIZE_64 CEIL_DIVIDE(PARAM_K, 8) -#define VEC_N1_SIZE_64 CEIL_DIVIDE(PARAM_N1, 8) -#define VEC_N1N2_SIZE_64 CEIL_DIVIDE(PARAM_N1N2, 64) - -#define PARAM_N_MULT (9*256*CEIL_DIVIDE(CEIL_DIVIDE(PARAM_N, 9), 256)) -#define VEC_N_256_SIZE_64 (PARAM_N_MULT / 64) -#define VEC_N1N2_256_SIZE_64 (CEIL_DIVIDE(PARAM_N1N2, 256) << 2) - -#define PARAM_DELTA 16 -#define PARAM_M 8 -#define PARAM_GF_POLY 0x11D -#define PARAM_GF_POLY_WT 5 -#define PARAM_GF_POLY_M2 4 -#define PARAM_GF_MUL_ORDER 255 -#define PARAM_K 24 -#define PARAM_G 33 -#define PARAM_FFT 5 -#define RS_POLY_COEFS 45,216,239,24,253,104,27,40,107,50,163,210,227,134,224,158,119,13,158,1,238,164,82,43,15,232,246,142,50,189,29,232,1 - -#define RED_MASK 0x7ff -#define SHA512_BYTES 64 -#define SEED_BYTES 40 -#define SEEDEXPANDER_MAX_LENGTH 4294967295 - -#endif diff --git a/crypto_kem/hqc-rmrs-192/avx2/parsing.c b/crypto_kem/hqc-rmrs-192/avx2/parsing.c deleted file mode 100644 index 5ed99cc6..00000000 --- a/crypto_kem/hqc-rmrs-192/avx2/parsing.c +++ /dev/null 
@@ -1,186 +0,0 @@ -#include "nistseedexpander.h" -#include "parameters.h" -#include "parsing.h" -#include "randombytes.h" -#include "vector.h" -#include -#include -/** - * @file parsing.c - * @brief Functions to parse secret key, public key and ciphertext of the HQC scheme - */ - - -void PQCLEAN_HQCRMRS192_AVX2_store8(unsigned char *out, uint64_t in) { - out[0] = (in >> 0x00) & 0xFF; - out[1] = (in >> 0x08) & 0xFF; - out[2] = (in >> 0x10) & 0xFF; - out[3] = (in >> 0x18) & 0xFF; - out[4] = (in >> 0x20) & 0xFF; - out[5] = (in >> 0x28) & 0xFF; - out[6] = (in >> 0x30) & 0xFF; - out[7] = (in >> 0x38) & 0xFF; -} - - -uint64_t PQCLEAN_HQCRMRS192_AVX2_load8(const unsigned char *in) { - uint64_t ret = in[7]; - - for (int8_t i = 6; i >= 0; i--) { - ret <<= 8; - ret |= in[i]; - } - - return ret; -} - -void PQCLEAN_HQCRMRS192_AVX2_load8_arr(uint64_t *out64, size_t outlen, const uint8_t *in8, size_t inlen) { - size_t index_in = 0; - size_t index_out = 0; - - // first copy by 8 bytes - if (inlen >= 8 && outlen >= 1) { - while (index_out < outlen && index_in + 8 <= inlen) { - out64[index_out] = PQCLEAN_HQCRMRS192_AVX2_load8(in8 + index_in); - - index_in += 8; - index_out += 1; - } - } - - // we now need to do the last 7 bytes if necessary - if (index_in >= inlen || index_out >= outlen) { - return; - } - out64[index_out] = in8[inlen - 1]; - for (int8_t i = (int8_t)(inlen - index_in) - 2; i >= 0; i--) { - out64[index_out] <<= 8; - out64[index_out] |= in8[index_in + i]; - } -} - -void PQCLEAN_HQCRMRS192_AVX2_store8_arr(uint8_t *out8, size_t outlen, const uint64_t *in64, size_t inlen) { - for (size_t index_out = 0, index_in = 0; index_out < outlen && index_in < inlen;) { - out8[index_out] = (in64[index_in] >> ((index_out % 8) * 8)) & 0xFF; - index_out++; - if (index_out % 8 == 0) { - index_in++; - } - } -} - - -/** - * @brief Parse a secret key into a string - * - * The secret key is composed of the seed used to generate vectors x and y. 
- * As technicality, the public key is appended to the secret key in order to respect NIST API. - * - * @param[out] sk String containing the secret key - * @param[in] sk_seed Seed used to generate the secret key - * @param[in] pk String containing the public key - */ -void PQCLEAN_HQCRMRS192_AVX2_hqc_secret_key_to_string(uint8_t *sk, const uint8_t *sk_seed, const uint8_t *pk) { - memcpy(sk, sk_seed, SEED_BYTES); - sk += SEED_BYTES; - memcpy(sk, pk, PUBLIC_KEY_BYTES); -} - -/** - * @brief Parse a secret key from a string - * - * The secret key is composed of the seed used to generate vectors x and y. - * As technicality, the public key is appended to the secret key in order to respect NIST API. - * - * @param[out] x uint64_t representation of vector x - * @param[out] y uint64_t representation of vector y - * @param[out] pk String containing the public key - * @param[in] sk String containing the secret key - */ -void PQCLEAN_HQCRMRS192_AVX2_hqc_secret_key_from_string(uint64_t *x, uint64_t *y, uint8_t *pk, const uint8_t *sk) { - AES_XOF_struct sk_seedexpander; - uint8_t sk_seed[SEED_BYTES] = {0}; - - memcpy(sk_seed, sk, SEED_BYTES); - sk += SEED_BYTES; - memcpy(pk, sk, PUBLIC_KEY_BYTES); - - seedexpander_init(&sk_seedexpander, sk_seed, sk_seed + 32, SEEDEXPANDER_MAX_LENGTH); - PQCLEAN_HQCRMRS192_AVX2_vect_set_random_fixed_weight(&sk_seedexpander, x, PARAM_OMEGA); - PQCLEAN_HQCRMRS192_AVX2_vect_set_random_fixed_weight(&sk_seedexpander, y, PARAM_OMEGA); -} - -/** - * @brief Parse a public key into a string - * - * The public key is composed of the syndrome s as well as the seed used to generate the vector h - * - * @param[out] pk String containing the public key - * @param[in] pk_seed Seed used to generate the public key - * @param[in] s uint8_t representation of vector s - */ -void PQCLEAN_HQCRMRS192_AVX2_hqc_public_key_to_string(uint8_t *pk, const uint8_t *pk_seed, const uint64_t *s) { - memcpy(pk, pk_seed, SEED_BYTES); - PQCLEAN_HQCRMRS192_AVX2_store8_arr(pk + 
SEED_BYTES, VEC_N_SIZE_BYTES, s, VEC_N_SIZE_64); -} - - - -/** - * @brief Parse a public key from a string - * - * The public key is composed of the syndrome s as well as the seed used to generate the vector h - * - * @param[out] h uint8_t representation of vector h - * @param[out] s uint8_t representation of vector s - * @param[in] pk String containing the public key - */ -void PQCLEAN_HQCRMRS192_AVX2_hqc_public_key_from_string(uint64_t *h, uint64_t *s, const uint8_t *pk) { - AES_XOF_struct pk_seedexpander; - uint8_t pk_seed[SEED_BYTES] = {0}; - - memcpy(pk_seed, pk, SEED_BYTES); - pk += SEED_BYTES; - PQCLEAN_HQCRMRS192_AVX2_load8_arr(s, VEC_N_SIZE_64, pk, VEC_N_SIZE_BYTES); - - seedexpander_init(&pk_seedexpander, pk_seed, pk_seed + 32, SEEDEXPANDER_MAX_LENGTH); - PQCLEAN_HQCRMRS192_AVX2_vect_set_random(&pk_seedexpander, h); -} - - -/** - * @brief Parse a ciphertext into a string - * - * The ciphertext is composed of vectors u, v and hash d. - * - * @param[out] ct String containing the ciphertext - * @param[in] u uint8_t representation of vector u - * @param[in] v uint8_t representation of vector v - * @param[in] d String containing the hash d - */ -void PQCLEAN_HQCRMRS192_AVX2_hqc_ciphertext_to_string(uint8_t *ct, const uint64_t *u, const uint64_t *v, const uint8_t *d) { - PQCLEAN_HQCRMRS192_AVX2_store8_arr(ct, VEC_N_SIZE_BYTES, u, VEC_N_SIZE_64); - ct += VEC_N_SIZE_BYTES; - PQCLEAN_HQCRMRS192_AVX2_store8_arr(ct, VEC_N1N2_SIZE_BYTES, v, VEC_N1N2_SIZE_64); - ct += VEC_N1N2_SIZE_BYTES; - memcpy(ct, d, SHA512_BYTES); -} - - -/** - * @brief Parse a ciphertext from a string - * - * The ciphertext is composed of vectors u, v and hash d. 
- *
- * @param[out] u uint8_t representation of vector u
- * @param[out] v uint8_t representation of vector v
- * @param[out] d String containing the hash d
- * @param[in] ct String containing the ciphertext
- */
-void PQCLEAN_HQCRMRS192_AVX2_hqc_ciphertext_from_string(uint64_t *u, uint64_t *v, uint8_t *d, const uint8_t *ct) {
- PQCLEAN_HQCRMRS192_AVX2_load8_arr(u, VEC_N_SIZE_64, ct, VEC_N_SIZE_BYTES);
- ct += VEC_N_SIZE_BYTES;
- PQCLEAN_HQCRMRS192_AVX2_load8_arr(v, VEC_N1N2_SIZE_64, ct, VEC_N1N2_SIZE_BYTES);
- ct += VEC_N1N2_SIZE_BYTES;
- memcpy(d, ct, SHA512_BYTES);
-}
diff --git a/crypto_kem/hqc-rmrs-192/avx2/parsing.h b/crypto_kem/hqc-rmrs-192/avx2/parsing.h
deleted file mode 100644
index 2993e88f..00000000
--- a/crypto_kem/hqc-rmrs-192/avx2/parsing.h
+++ /dev/null
@@ -1,36 +0,0 @@
-#ifndef PARSING_H
-#define PARSING_H
-
-
-/**
- * @file parsing.h
- * @brief Header file for parsing.c
- */
-
-#include
-
-void PQCLEAN_HQCRMRS192_AVX2_store8(unsigned char *out, uint64_t in);
-
-uint64_t PQCLEAN_HQCRMRS192_AVX2_load8(const unsigned char *in);
-
-void PQCLEAN_HQCRMRS192_AVX2_load8_arr(uint64_t *out64, size_t outlen, const uint8_t *in8, size_t inlen);
-
-void PQCLEAN_HQCRMRS192_AVX2_store8_arr(uint8_t *out8, size_t outlen, const uint64_t *in64, size_t inlen);
-
-
-void PQCLEAN_HQCRMRS192_AVX2_hqc_secret_key_to_string(uint8_t *sk, const uint8_t *sk_seed, const uint8_t *pk);
-
-void PQCLEAN_HQCRMRS192_AVX2_hqc_secret_key_from_string(uint64_t *x, uint64_t *y, uint8_t *pk, const uint8_t *sk);
-
-
-void PQCLEAN_HQCRMRS192_AVX2_hqc_public_key_to_string(uint8_t *pk, const uint8_t *pk_seed, const uint64_t *s);
-
-void PQCLEAN_HQCRMRS192_AVX2_hqc_public_key_from_string(uint64_t *h, uint64_t *s, const uint8_t *pk);
-
-
-void PQCLEAN_HQCRMRS192_AVX2_hqc_ciphertext_to_string(uint8_t *ct, const uint64_t *u, const uint64_t *v, const uint8_t *d);
-
-void PQCLEAN_HQCRMRS192_AVX2_hqc_ciphertext_from_string(uint64_t *u, uint64_t *v, uint8_t *d, const uint8_t *ct);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-192/avx2/reed_muller.c b/crypto_kem/hqc-rmrs-192/avx2/reed_muller.c
deleted file mode 100644
index dbfd6a29..00000000
--- a/crypto_kem/hqc-rmrs-192/avx2/reed_muller.c
+++ /dev/null
@@ -1,389 +0,0 @@ -#include "parameters.h" -#include "reed_muller.h" -#include -#include -#include -/** - * @file reed_muller.c - * Constant time implementation of Reed-Muller code RM(1,7) - */ - - -// number of repeated code words -#define MULTIPLICITY CEIL_DIVIDE(PARAM_N2, 128) - -// copy bit 0 into all bits of a 64 bit value -#define BIT0MASK(x) (int64_t)(-((x) & 1)) - -static void encode(uint8_t *word, uint8_t message); -static void expand_and_sum(__m256i *dst, const uint64_t *src); -static void hadamard(__m256i *src, __m256i *dst); -static uint32_t find_peaks(__m256i *transform); - - - -/** - * @brief Encode a single byte into a single codeword using RM(1,7) - * - * Encoding matrix of this code: - * bit pattern (note that bits are numbered big endian) - * 0 aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa - * 1 cccccccc cccccccc cccccccc cccccccc - * 2 f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0 - * 3 ff00ff00 ff00ff00 ff00ff00 ff00ff00 - * 4 ffff0000 ffff0000 ffff0000 ffff0000 - * 5 00000000 ffffffff 00000000 ffffffff - * 6 00000000 00000000 ffffffff ffffffff - * 7 ffffffff ffffffff ffffffff ffffffff - * - * @param[out] word An RM(1,7) codeword - * @param[in] message A message to encode - */ -static void encode(uint8_t *word, uint8_t message) { - uint32_t e; - // bit 7 flips all the bits, do that first to save work - e = BIT0MASK(message >> 7); - // bits 0, 1, 2, 3, 4 are the same for all four longs - // (Warning: in the bit matrix above, low bits are at the left!) 
- e ^= BIT0MASK(message >> 0) & 0xaaaaaaaa; - e ^= BIT0MASK(message >> 1) & 0xcccccccc; - e ^= BIT0MASK(message >> 2) & 0xf0f0f0f0; - e ^= BIT0MASK(message >> 3) & 0xff00ff00; - e ^= BIT0MASK(message >> 4) & 0xffff0000; - // we can store this in the first quarter - word[0 + 0] = (e >> 0x00) & 0xff; - word[0 + 1] = (e >> 0x08) & 0xff; - word[0 + 2] = (e >> 0x10) & 0xff; - word[0 + 3] = (e >> 0x18) & 0xff; - // bit 5 flips entries 1 and 3; bit 6 flips 2 and 3 - e ^= BIT0MASK(message >> 5); - word[4 + 0] = (e >> 0x00) & 0xff; - word[4 + 1] = (e >> 0x08) & 0xff; - word[4 + 2] = (e >> 0x10) & 0xff; - word[4 + 3] = (e >> 0x18) & 0xff; - e ^= BIT0MASK(message >> 6); - word[12 + 0] = (e >> 0x00) & 0xff; - word[12 + 1] = (e >> 0x08) & 0xff; - word[12 + 2] = (e >> 0x10) & 0xff; - word[12 + 3] = (e >> 0x18) & 0xff; - e ^= BIT0MASK(message >> 5); - word[8 + 0] = (e >> 0x00) & 0xff; - word[8 + 1] = (e >> 0x08) & 0xff; - word[8 + 2] = (e >> 0x10) & 0xff; - word[8 + 3] = (e >> 0x18) & 0xff; -} - - - -/** - * @brief Add multiple codewords into expanded codeword - * - * Note: this does not write the codewords as -1 or +1 as the green machine does - * instead, just 0 and 1 is used. 
- * The resulting hadamard transform has: - * all values are halved - * the first entry is 64 too high - * - * @param[out] dst Structure that contain the expanded codeword - * @param[in] src Structure that contain the codeword - */ -inline void expand_and_sum(__m256i *dst, const uint64_t *src) { - uint16_t v[16]; - for (size_t part = 0; part < 8; part++) { - dst[part] = _mm256_setzero_si256(); - } - for (size_t copy = 0; copy < MULTIPLICITY; copy++) { - for (size_t part = 0; part < 8; part++) { - for (size_t bit = 0; bit < 16; bit++) { - v[bit] = (((uint16_t *)(&src[2 * copy]))[part] >> bit) & 1; - } - dst[part] += _mm256_set_epi16(v[15], v[14], v[13], v[12], v[11], v[10], v[9], v[8], - v[7], v[6], v[5], v[4], v[3], v[2], v[1], v[0]); - } - } -} - - - -/** - * @brief Hadamard transform - * - * Perform hadamard transform of src and store result in dst - * src is overwritten: it is also used as intermediate buffer - * Method is best explained if we use H(3) instead of H(7): - * - * The routine multiplies by the matrix H(3): - * [1 1 1 1 1 1 1 1] - * [1 -1 1 -1 1 -1 1 -1] - * [1 1 -1 -1 1 1 -1 -1] - * [a b c d e f g h] * [1 -1 -1 1 1 -1 -1 1] = result of routine - * [1 1 1 1 -1 -1 -1 -1] - * [1 -1 1 -1 -1 1 -1 1] - * [1 1 -1 -1 -1 -1 1 1] - * [1 -1 -1 1 -1 1 1 -1] - * You can do this in three passes, where each pass does this: - * set lower half of buffer to pairwise sums, - * and upper half to differences - * index 0 1 2 3 4 5 6 7 - * input: a, b, c, d, e, f, g, h - * pass 1: a+b, c+d, e+f, g+h, a-b, c-d, e-f, g-h - * pass 2: a+b+c+d, e+f+g+h, a-b+c-d, e-f+g-h, a+b-c-d, e+f-g-h, a-b-c+d, e-f-g+h - * pass 3: a+b+c+d+e+f+g+h a+b-c-d+e+f-g-h a+b+c+d-e-f-g-h a+b-c-d-e+-f+g+h - * a-b+c-d+e-f+g-h a-b-c+d+e-f-g+h a-b+c-d-e+f-g+h a-b-c+d-e+f+g-h - * This order of computation is chosen because it vectorises well. - * Likewise, this routine multiplies by H(7) in seven passes. 
- * - * @param[out] src Structure that contain the expanded codeword - * @param[out] dst Structure that contain the expanded codeword - */ -inline void hadamard(__m256i *src, __m256i *dst) { - // the passes move data: - // src -> dst -> src -> dst -> src -> dst -> src -> dst - // using p1 and p2 alternately - __m256i *p1 = src; - __m256i *p2 = dst; - __m256i *p3; - for (size_t pass = 0; pass < 7; pass++) { - // warning: hadd works "within lanes" as Intel call it - // so you have to swap the middle 64 bit blocks of the result - for (size_t part = 0; part < 4; part++) { - p2[part] = _mm256_permute4x64_epi64(_mm256_hadd_epi16(p1[2 * part], p1[2 * part + 1]), 0xd8); - p2[part + 4] = _mm256_permute4x64_epi64(_mm256_hsub_epi16(p1[2 * part], p1[2 * part + 1]), 0xd8); - } - // swap p1, p2 for next round - p3 = p1; - p1 = p2; - p2 = p3; - } -} - - - -/** - * @brief Finding the location of the highest value - * - * This is the final step of the green machine: find the location of the highest value, - * and add 128 if the peak is positive - * Notes on decoding - * The standard "Green machine" decoder words as follows: - * if the received codeword is W, compute (2 * W - 1) * H7 - * The entries of the resulting vector are always even and vary from - * -128 (= the complement is a code word, add bit 7 to decode) - * via 0 (this is a different codeword) - * to 128 (this is the code word). - * - * Our decoding differs in two ways: - * - We take W instead of 2 * W - 1 (so the entries are 0,1 instead of -1,1) - * - We take the sum of the repititions (so the entries are 0..MULTIPLICITY) - * This implies that we have to subtract 64M (M=MULTIPLICITY) - * from the first entry to make sure the first codewords is handled properly - * and that the entries vary from -64M to 64M. - * -64M or 64M stands for a perfect codeword. 
- * If there are fewer than 32M errors, there is always a unique codeword - * which an entry with absolute value > 32M; - * this is because an error changes an entry by 1. - * The highest number that seem to be decodable is 50 errors, so that the - * highest entries in the hadamard transform can be as low as 12. - * But this is different for the repeated code. - * Because multiple codewords are added, this changes: the lowest value of the - * hadamard transform of the sum of six words is seen to be as low as 43 (!), - * which is way less than 12*6. - * - * It is possible that there are more errors, but the word is still uniquely - * decodable: we found a word with distance of 50 from the nearest codeword. - * That means that the highest entry can be as low as 14M. - * Since we have to do binary search, we search for the range 1-64M - * which can be done in 6+l2g(M) steps. - * The binary search is based on (values>32M are unique): - * M 32M min> max> firstStep #steps - * 2 64 1 64 33 +- 16 6 - * 4 128 1 128 65 +- 32 7 - * 6 192 1 192 129 +- 64 8 - * - * As a check, we run a sample for M=6 to see the peak value; it ranged - * from 43 to 147, so my analysis looks right. Also, it shows that decoding - * far beyond the bound of 32M is needed. - * - * For the vectors, it would be tempting to use 8 bit ints, - * because the values "almost" fit in there. - * We could use some trickery to fit it in 8 bits, like saturated add or - * division by 2 in a late step. - * Unfortunately, these instructions do not exist. - * the adds _mm512_adds_epi8 is available only on the latest processors, - * and division, shift, mulhi are not available at all for 8 bits. - * So, we use 16 bit ints. - * - * For the search of the optimal comparison value, - * remember the transform contains 64M-d, - * where d are the distances to the codewords. - * The highest value gives the most likely codeword. 
- * There is not fast vectorized way to find this value, so we search for the - * maximum value itself. - * In each pass, we collect a bit map of the transform values that are, - * say >bound. There are three cases: - * bit map = 0: all code words are further away than 64M-bound (decrease bound) - * bit map has one bit: one unique code word has distance < 64M-bound - * bit map has multiple bits: multiple words (increase bound) - * We will search for the lowest value of bound that gives a nonzero bit map. - * - * @param[in] transform Structure that contain the expanded codeword - */ -inline uint32_t find_peaks(__m256i *transform) { - // a whole lot of vector variables - __m256i bitmap, abs_rows[8], bound, active_row, max_abs_rows; - __m256i tmp = _mm256_setzero_si256(); - __m256i vect_mask; - __m256i res; - int32_t lower; - int32_t width; - uint32_t message; - uint32_t mask; - int8_t index; - int8_t abs_value; - int8_t mask1; - int8_t mask2; - uint16_t result; - - // compute absolute value of transform - for (size_t i = 0; i < 8; i++) { - abs_rows[i] = _mm256_abs_epi16(transform[i]); - } - // compute a vector of 16 elements which contains the maximum somewhere - // (later used to compute bits 0 through 3 of message) - max_abs_rows = abs_rows[0]; - for (size_t i = 1; i < 8; i++) { - max_abs_rows = _mm256_max_epi16(max_abs_rows, abs_rows[i]); - } - - // do binary search for the highest value that is lower than the maximum - // loop invariant: lower gives bit map = 0, lower + width gives bit map > 0 - lower = 1; - // this gives 64, 128 or 256 for MULTIPLICITY = 2, 4, 6 - width = 1 << (5 + MULTIPLICITY / 2); - // if you don't unroll this loop, it fits in the loop cache - // uncomment the line below to speeding up the program by a few percent - // #pragma GCC unroll 0 - while (width > 1) { - width >>= 1; - // compare with lower + width; put result in bitmap - // make vector from value of new bound - bound = _mm256_broadcastw_epi16(_mm_cvtsi32_si128(lower + width)); - 
bitmap = _mm256_cmpgt_epi16(max_abs_rows, bound); - // step up if there are any matches - // rely on compiler to use conditional move here - mask = (uint32_t) _mm256_testz_si256(bitmap, bitmap); - mask = ~(uint32_t) ((-(int64_t) mask) >> 63); - lower += mask & width; - } - // lower+width contains the maximum value of the vector - // or less, if the maximum is very high (which is OK) - // normally, there is one maximum, but sometimes there are more - // find where the maxima occur in the maximum vector - // (each determines lower 4 bits of peak position) - // construct vector filled with bound-1 - bound = _mm256_broadcastw_epi16(_mm_cvtsi32_si128(lower + width - 1)); - - // find in which of the 8 groups a maximum occurs to compute bits 4, 5, 6 of message - // find lowest value by searching backwards skip first check to save time - message = 0x70; - for (size_t i = 0; i < 8; i++) { - bitmap = _mm256_cmpgt_epi16(abs_rows[7 - i], bound); - mask = (uint32_t) _mm256_testz_si256(bitmap, bitmap); - mask = ~(uint32_t) ((-(int64_t) mask) >> 63); - message ^= mask & (message ^ ((7 - i) << 4)); - } - // we decided which row of the matrix contains the lowest match - // select proper row - index = message >> 4; - - tmp = _mm256_setzero_si256(); - for (size_t i = 0; i < 8; i++) { - abs_value = (int8_t)(index - i); - mask1 = abs_value >> 7; - abs_value ^= mask1; - abs_value -= mask1; - mask2 = ((uint8_t) - abs_value >> 7); - mask = (-1ULL) + mask2; - vect_mask = _mm256_set1_epi32(mask); - res = _mm256_and_si256(abs_rows[i], vect_mask); - tmp = _mm256_or_si256(tmp, res); - } - - active_row = tmp; - - // get the column number of the vector element - // by setting the bits corresponding to the columns - // and then adding elements within two groups of 8 - vect_mask = _mm256_cmpgt_epi16(active_row, bound); - vect_mask &= _mm256_set_epi16(-32768, 16384, 8192, 4096, 2048, 1024, 512, 256, 128, 64, 32, 16, 8, 4, 2, 1); - for (size_t i = 0; i < 3; i++) { - vect_mask = 
_mm256_hadd_epi16(vect_mask, vect_mask); - } - // add low 4 bits of message - message |= __tzcnt_u16(_mm256_extract_epi16(vect_mask, 0) + _mm256_extract_epi16(vect_mask, 8)); - - // set bit 7 if sign of biggest value is positive - // make sure a jump isn't generated by the compiler - tmp = _mm256_setzero_si256(); - for (size_t i = 0; i < 8; i++) { - mask = ~(uint32_t) ((-(int64_t)(i ^ message / 16)) >> 63); - vect_mask = _mm256_set1_epi32(mask); - tmp = _mm256_or_si256(tmp, _mm256_and_si256(vect_mask, transform[i])); - } - result = 0; - for (size_t i = 0; i < 16; i++) { - mask = ~(uint32_t) ((-(int64_t)(i ^ message % 16)) >> 63); - result |= mask & ((uint16_t *)&tmp)[i]; - } - message |= (0x8000 & ~result) >> 8; - return message; -} - - - -/** - * @brief Encodes the received word - * - * The message consists of N1 bytes each byte is encoded into PARAM_N2 bits, - * or MULTIPLICITY repeats of 128 bits - * - * @param[out] cdw Array of size VEC_N1N2_SIZE_64 receiving the encoded message - * @param[in] msg Array of size VEC_N1_SIZE_64 storing the message - */ -void PQCLEAN_HQCRMRS192_AVX2_reed_muller_encode(uint8_t *cdw, const uint8_t *msg) { - for (size_t i = 0; i < VEC_N1_SIZE_BYTES; i++) { - // encode first word - encode(&cdw[16 * i * MULTIPLICITY], msg[i]); - // copy to other identical codewords - for (size_t copy = 1; copy < MULTIPLICITY; copy++) { - memcpy(&cdw[16 * i * MULTIPLICITY + 16 * copy], &cdw[16 * i * MULTIPLICITY], 16); - } - } -} - - - -/** - * @brief Decodes the received word - * - * Decoding uses fast hadamard transform, for a more complete picture on Reed-Muller decoding, see MacWilliams, Florence Jessie, and Neil James Alexander Sloane. 
- * The theory of error-correcting codes codes @cite macwilliams1977theory
- *
- * @param[out] msg Array of size VEC_N1_SIZE_64 receiving the decoded message
- * @param[in] cdw Array of size VEC_N1N2_SIZE_64 storing the received word
- */
-void PQCLEAN_HQCRMRS192_AVX2_reed_muller_decode(uint8_t *msg, const uint8_t *cdw) {
- __m256i expanded[8];
- __m256i transform[8];
- for (size_t i = 0; i < VEC_N1_SIZE_BYTES; i++) {
- // collect the codewords
- expand_and_sum(expanded, (uint64_t *)&cdw[16 * i * MULTIPLICITY]);
- // apply hadamard transform
- hadamard(expanded, transform);
- // fix the first entry to get the half Hadamard transform
- transform[0] -= _mm256_set_epi16(0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 64 * MULTIPLICITY);
- // finish the decoding
- msg[i] = find_peaks(transform);
- }
-}
diff --git a/crypto_kem/hqc-rmrs-192/avx2/reed_muller.h b/crypto_kem/hqc-rmrs-192/avx2/reed_muller.h
deleted file mode 100644
index 28960b77..00000000
--- a/crypto_kem/hqc-rmrs-192/avx2/reed_muller.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef REED_MULLER_H
-#define REED_MULLER_H
-
-
-/**
- * @file reed_muller.h
- * Header file of reed_muller.c
- */
-#include "parameters.h"
-#include
-#include
-
-void PQCLEAN_HQCRMRS192_AVX2_reed_muller_encode(uint8_t *cdw, const uint8_t *msg);
-
-void PQCLEAN_HQCRMRS192_AVX2_reed_muller_decode(uint8_t *msg, const uint8_t *cdw);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-192/avx2/reed_solomon.c b/crypto_kem/hqc-rmrs-192/avx2/reed_solomon.c
deleted file mode 100644
index 41bb74fd..00000000
--- a/crypto_kem/hqc-rmrs-192/avx2/reed_solomon.c
+++ /dev/null
@@ -1,476 +0,0 @@ -#include "fft.h" -#include "gf.h" -#include "parameters.h" -#include "parsing.h" -#include "reed_solomon.h" -#include -#include -#include -/** - * @file reed_solomon.c - * Constant time implementation of Reed-Solomon codes - */ - - -static void compute_syndromes(uint16_t *syndromes, uint8_t *cdw); -static uint16_t compute_elp(uint16_t *sigma, const uint16_t *syndromes); -static void compute_roots(uint8_t *error, uint16_t *sigma); -static void compute_z_poly(uint16_t *z, const uint16_t *sigma, uint16_t degree, const uint16_t *syndromes); -static void compute_error_values(uint16_t *error_values, const uint16_t *z, const uint8_t *error); -static void correct_errors(uint8_t *cdw, const uint16_t *error_values); - -static const __m256i alpha_ij256_1[55] = { - {0x0010000800040002, 0x001d008000400020, 0x00cd00e80074003a, 0x004c002600130087}, - {0x001d004000100004, 0x004c001300cd0074, 0x008f00ea00b4002d, 0x009d006000180006}, - {0x00cd003a00400008, 0x008f0075002d0026, 0x002500270060000c, 0x004600c100b50035}, - {0x004c00cd001d0010, 0x009d0018008f00b4, 0x004600ee006a0025, 0x005f00b9005d0014}, - {0x00b4002600740020, 0x006a009c00600003, 0x00b900a0000500c1, 0x00fd000f005e00be}, - {0x008f002d00cd0040, 0x004600b500250060, 0x0065006100b90050, 0x00d900df006b0078}, - {0x0018007500130080, 0x005d008c00b5009c, 0x006b003c005e00a1, 0x0081001a004300a3}, - {0x009d008f004c001d, 0x005f005d0046006a, 0x00d900fe00fd0065, 0x0085003b0081000d}, - {0x0025000c002d003a, 0x006500a1005000c1, 0x00d0008600df00e7, 0x00a800a9006600ed}, - {0x006a006000b40074, 0x00fd005e00b90005, 0x003b0067001100df, 0x00e600550084002e}, - {0x00ee002700ea00e8, 0x00fe003c006100a0, 0x00b8007600670086, 0x00e3009100390054}, - {0x00460025008f00cd, 0x00d9006b006500b9, 0x00a800b8003b00d0, 0x0082009600fc00e4}, - {0x0014003500060087, 0x000d00a3007800be, 0x00e40054002e00ed, 0x00510064006200e5}, - {0x005d00b500180013, 0x00810043006b005e, 0x00fc003900840066, 0x0012005900c80062}, - {0x00b900c100600026, 0x003b001a00df000f, 
0x00960091005500a9, 0x002c002400590064}, - {0x005f0046009d004c, 0x0085008100d900fd, 0x008200e300e600a8, 0x0002002c00120051}, - {0x0099000a004e0098, 0x004f0093004400d6, 0x00dd00dc00d70092, 0x00980001000b0045}, - {0x006500500025002d, 0x00a8006600d000df, 0x00c30007009600bf, 0x0027002600ad00fb}, - {0x001e00ba0094005a, 0x0049006d003e00e2, 0x003d00a200ae00b3, 0x008c006000e80083}, - {0x00fd00b9006a00b4, 0x00e60084003b0011, 0x002c00ac001c0096, 0x00be00c100030020}, - {0x006b00a100b50075, 0x00fc00290066001a, 0x00ad00f500590057, 0x00e700b90035002d}, - {0x00fe006100ee00ea, 0x00e3003900b80067, 0x003a00b000ac0007, 0x00af000f002800c0}, - {0x005b002f009f00c9, 0x009500d10021007c, 0x0075004700f400a6, 0x001f00df00c200ee}, - {0x00d900650046008f, 0x008200fc00a8003b, 0x0027003a002c00c3, 0x0017001a00e700ba}, - {0x0011000f00050003, 0x001c00ff00550033, 0x00c100b4006c0024, 0x004d003b00e2005e}, - {0x000d007800140006, 0x0051006200e4002e, 0x00ba00c0002000fb, 0x00d100a900bd00bb}, - {0x00d000e70050000c, 0x00c3005700bf00a9, 0x002f00b50026007d, 0x00db005500c500d9}, - {0x0081006b005d0018, 0x001200c800fc0084, 0x00e70028000300ad, 0x00190091009e00bd}, - {0x00f8007f00690030, 0x00f700e000f1004d, 0x00b6005f009c0040, 0x00a2009600aa00ec}, - {0x003b00df00b90060, 0x002c005900960055, 0x001a000f00c10026, 0x00240064009100a9}, - {0x009700b600de00c0, 0x001b009b006e0072, 0x00ed00b100a0008f, 0x00580059004b0052}, - {0x008500d9005f009d, 0x00020012008200e6, 0x001700af00be0027, 0x00040024001900d1}, - {0x00b8008600610027, 0x003a00f500070091, 0x001500d0000f00b5, 0x002d002c00a600f1}, - {0x004f00440099004e, 0x0098000b00dd00d7, 0x0092009300d6000a, 0x004e0001004500dc}, - {0x0084001a005e009c, 0x000300e9005900ff, 0x0091002e00e200b9, 0x0005002600eb001c}, - {0x00a800d000650025, 0x002700ad00c30096, 0x00db0015001a002f, 0x00610060003600f2}, - {0x005200ce0089004a, 0x00d40010008a0037, 0x00570049007c0078, 0x00d300c1001d0048}, - {0x0049003e001e0094, 0x008c00e8003d00ae, 0x003800630033007f, 0x004300b900ea0016}, - {0x00e400ed00780035, 
0x00ba002d00fb0064, 0x00f200f100a900d9, 0x003e000f002500ad}, - {0x00e6003b00fd006a, 0x00be0003002c001c, 0x00240037004d001a, 0x002e00df00050074}, - {0x00c600c500d300d4, 0x00ca009d00cf00a7, 0x008b00c80072003e, 0x009a001a005f00c9}, - {0x00fc0066006b00b5, 0x00e7003500ad0059, 0x003600a6009100c5, 0x00bf003b00780025}, - {0x007b001700b10077, 0x00e1009f000800ef, 0x0040002b00ff00b8, 0x00ab00a9005b008c}, - {0x00e300b800fe00ee, 0x00af0028003a00ac, 0x002d007a00370015, 0x00320055003400de}, - {0x009600a900df00c1, 0x001a00b900260024, 0x0060002c00640055, 0x00590091003b000f}, - {0x00950021005b009f, 0x001f00c2007500f4, 0x00b500d800a70073, 0x0048009600da00fe}, - {0x00a5001500710023, 0x00760089000c00eb, 0x0050008000ef00fc, 0x00b0006400520022}, - {0x008200a800d90046, 0x001700e70027002c, 0x0061002d002400db, 0x0008005900bf003e}, - {0x00c800290043008c, 0x009e00fe003500e9, 0x0078003000eb006e, 0x005a002400e300cc}, - {0x001c005500110005, 0x004d00e200c1006c, 0x00df006a00e90064, 0x009c002c00ae0084}, - {0x00dd00920044000a, 0x00920044000a0001, 0x0044000a000100dd, 0x000a000100dd0092}, - {0x005100e4000d0014, 0x00d100bd00ba0020, 0x003e00de007400f2, 0x00c20026002b003f}, - {0x0079007300340028, 0x00e500f800a10074, 0x006600ca00b4008a, 0x00bb006000f7004b}, - {0x00c300bf00d00050, 0x00db00c5002f0026, 0x0021006b006000f5, 0x008600c100cf0082}, - {0x00ac0091006700a0, 0x0037002e000f00b4, 0x005500e2006a002c, 0x007c00b9002000a7} -}; -static const __m256i alpha_ij256_2[55] = { - {0x00b4005a002d0098, 0x008f00c900ea0075, 0x0018000c00060003, 0x009d00c000600030}, - {0x006a00940025004e, 0x0046009f00ee00b5, 0x005d005000140005, 0x005f00de00b90069}, - {0x00b900ba0050000a, 0x0065002f006100a1, 0x006b00e70078000f, 0x00d900b600df007f}, - {0x00fd001e00650099, 0x00d9005b00fe006b, 0x008100d0000d0011, 0x00850097003b00f8}, - {0x001100e200df00d6, 0x003b007c0067001a, 0x008400a9002e0033, 0x00e600720055004d}, - {0x003b003e00d00044, 0x00a8002100b80066, 0x00fc00bf00e40055, 0x0082006e009600f1}, - {0x0084006d00660093, 0x00fc00d100390029, 
0x00c80057006200ff, 0x0012009b005900e0}, - {0x00e6004900a8004f, 0x0082009500e300fc, 0x001200c30051001c, 0x0002001b002c00f7}, - {0x009600b300bf0092, 0x00c300a600070057, 0x00ad007d00fb0024, 0x0027008f00260040}, - {0x001c00ae009600d7, 0x002c00f400ac0059, 0x000300260020006c, 0x00be00a000c1009c}, - {0x00ac00a2000700dc, 0x003a004700b000f5, 0x002800b500c000b4, 0x00af00b1000f005f}, - {0x002c003d00c300dd, 0x00270075003a00ad, 0x00e7002f00ba00c1, 0x001700ed001a00b6}, - {0x0020008300fb0045, 0x00ba00ee00c0002d, 0x00bd00d900bb005e, 0x00d1005200a900ec}, - {0x000300e800ad000b, 0x00e700c200280035, 0x009e00c500bd00e2, 0x0019004b009100aa}, - {0x00c1006000260001, 0x001a00df000f00b9, 0x0091005500a9003b, 0x0024005900640096}, - {0x00be008c00270098, 0x0017001f00af00e7, 0x001900db00d1004d, 0x00040058002400a2}, - {0x00d60099000a004e, 0x0092004f00930044, 0x004500dd00dc00d7, 0x004e00980001000b}, - {0x001a007f002f000a, 0x00db0073001500c5, 0x003600f500f20064, 0x00610046006000cd}, - {0x00330034007f0099, 0x00380062006300a8, 0x00ea0008001600ac, 0x004300f000b900d4}, - {0x004d0033001a00d6, 0x002400a700370091, 0x00050060007400e9, 0x002e006700df005e}, - {0x009100a800c50044, 0x0036003d00a6006e, 0x007800ba00250026, 0x00bf0015003b0086}, - {0x0037006300150093, 0x002d00d8007a00a6, 0x0034006b00de006a, 0x0032007b00550085}, - {0x00a700620073004f, 0x00b5005a00d8003d, 0x00da00ce00fe00be, 0x004800e0009600d5}, - {0x0024003800db0092, 0x006100b5002d0036, 0x00bf0021003e00df, 0x000800fb0059006e}, - {0x00e900ac006400d7, 0x00df00be006a0026, 0x00ae00910084007c, 0x009c0074002c00ef}, - {0x0074001600f200dc, 0x003e00fe00de0025, 0x002b0082003f0084, 0x00c200d4002600fa}, - {0x0060000800f500dd, 0x002100ce006b00ba, 0x00cf005600820091, 0x0086006500c1002d}, - {0x000500ea00360045, 0x00bf00da00340078, 0x005a00cf002b00ae, 0x005c0088000f0023}, - {0x005e00d400cd000b, 0x006e00d500850086, 0x0023002d00fa00ef, 0x006300da001a001e}, - {0x00df00b900600001, 0x005900960055003b, 0x000f00c10026002c, 0x0064009100a9001a}, - {0x006700f000460098, 
0x00fb00e0007b0015, 0x0088006500d40074, 0x009000c8009100da}, - {0x002e00430061004e, 0x00080048003200bf, 0x005c008600c2009c, 0x0010009000640063}, - {0x005500ed006b000a, 0x000c003600c300c4, 0x0073006600b600b9, 0x0025000800240082}, - {0x00d7004f00440099, 0x000a0098000b00dd, 0x00dc0092009300d6, 0x0099004e00010045}, - {0x00ae0072003b00d6, 0x000f006a00200024, 0x00ef0096004d0067, 0x001100be0060006c}, - {0x005900f100210044, 0x008600a1000c00cf, 0x007d00a600b300a9, 0x00b800d900b9008f}, - {0x00f4001900e40093, 0x00c500b1008c00cd, 0x004c00fb008d00e6, 0x00c600cc00df0028}, - {0x006c007900f1004f, 0x002900bd00bc0027, 0x00ee004000090037, 0x00c800b7003b00d3}, - {0x002600f500820092, 0x00b300b800b60050, 0x0065002700360059, 0x003d0057005500ce}, - {0x009c006c005900d7, 0x00640072007c000f, 0x001100b900b400eb, 0x002000ac00960084}, - {0x00a00013003d00dc, 0x005600ab009e00d9, 0x0085007f009f0020, 0x004a00d8005900e5}, - {0x000f002700cf00dd, 0x007d0038007300ed, 0x00e4003e00650060, 0x002f000c002c0007}, - {0x00e20014003a0045, 0x00cd001200310021, 0x00950015004300a0, 0x0022006900260090}, - {0x007c00bc000c000b, 0x0025008300e00073, 0x007900fc009700fd, 0x006d00e100c10002}, - {0x00a900df00c10001, 0x00b9002600240096, 0x002c00640055001a, 0x0091003b000f0060}, - {0x007200bd00a10098, 0x006b009400830038, 0x0087008a00e3002e, 0x008d00aa001a00d2}, - {0x00ff008500e7004e, 0x00d0006f0013008a, 0x00d4003600700072, 0x007a006200a900fe}, - {0x006400290086000a, 0x00b8006b0025007d, 0x002f0075003d0096, 0x004000f2009100ed}, - {0x00ef003f00ed0099, 0x00e400680069003a, 0x00af0046008e00a7, 0x009400fa0064009a}, - {0x00eb003700a900d6, 0x0096002e00fd0060, 0x0033000f000300f4, 0x005e00b4002400ff}, - {0x000100dd00920044, 0x00dd00920044000a, 0x00920044000a0001, 0x0044000a000100dd}, - {0x00b4000900b30093, 0x003d00e300970065, 0x00310017003c0003, 0x00da00d3006000f3}, - {0x006a00b00057004f, 0x00ad000e009a00b6, 0x00a200e400880005, 0x003f001f00b90080}, - {0x00b9004000a60092, 0x0075008a00fc003e, 0x008b00c40017000f, 0x000700a800df0025}, - 
{0x00fd0003002400d7, 0x00c100e900ae00a9, 0x0074005900720011, 0x00f400ff003b00be} -}; - -/** - * @brief Encodes a message message of PARAM_K bits to a Reed-Solomon codeword codeword of PARAM_N1 bytes - * - * Following @cite lin1983error (Chapter 4 - Cyclic Codes), - * We perform a systematic encoding using a linear (PARAM_N1 - PARAM_K)-stage shift register - * with feedback connections based on the generator polynomial PARAM_RS_POLY of the Reed-Solomon code. - * - * @param[out] cdw Array of size VEC_N1_SIZE_64 receiving the encoded message - * @param[in] msg Array of size VEC_K_SIZE_64 storing the message - */ -void PQCLEAN_HQCRMRS192_AVX2_reed_solomon_encode(uint8_t *cdw, const uint8_t *msg) { - size_t i, k; - uint8_t gate_value = 0; - uint8_t prev, x; - - union { - uint16_t arr16[16 * CEIL_DIVIDE(PARAM_G, 16)]; - __m256i dummy; - } tmp = {0}; - - union { - uint16_t arr16[16 * CEIL_DIVIDE(PARAM_G, 16)]; - __m256i dummy; - } PARAM_RS_POLY = {{ RS_POLY_COEFS }}; - - __m256i *tmp256 = (__m256i *)tmp.arr16; - __m256i *param256 = (__m256i *)PARAM_RS_POLY.arr16; - - for (i = 0; i < PARAM_K; ++i) { - gate_value = (uint8_t) (msg[PARAM_K - 1 - i] ^ cdw[PARAM_N1 - PARAM_K - 1]); - tmp256[0] = PQCLEAN_HQCRMRS192_AVX2_gf_mul_vect(_mm256_set1_epi16(gate_value), param256[0]); - tmp256[1] = PQCLEAN_HQCRMRS192_AVX2_gf_mul_vect(_mm256_set1_epi16(gate_value), param256[1]); - - for (size_t j = 32; j < PARAM_G; ++j) { - tmp.arr16[j] = PQCLEAN_HQCRMRS192_AVX2_gf_mul(gate_value, PARAM_RS_POLY.arr16[j]); - } - - prev = 0; - for (k = 0; k < PARAM_N1 - PARAM_K; k++) { - x = cdw[k]; - cdw[k] = (uint8_t) (prev ^ tmp.arr16[k]); - prev = x; - } - } - - memcpy(cdw + PARAM_N1 - PARAM_K, msg, PARAM_K); -} - - - -/** - * @brief Computes 2 * PARAM_DELTA syndromes - * - * @param[out] syndromes Array of size 2 * PARAM_DELTA receiving the computed syndromes - * @param[in] cdw Array of size PARAM_N1 storing the received vector - */ -void compute_syndromes(uint16_t *syndromes, uint8_t *cdw) { - __m256i 
*syndromes256 = (__m256i *) syndromes; - syndromes256[0] = _mm256_set1_epi16(cdw[0]); - - for (size_t i = 0; i < PARAM_N1 - 1; ++i) { - syndromes256[0] ^= PQCLEAN_HQCRMRS192_AVX2_gf_mul_vect(_mm256_set1_epi16(cdw[i + 1]), alpha_ij256_1[i]); - } - - for (size_t i = 0; i < PARAM_N1 - 1; ++i) { - syndromes256[1] ^= PQCLEAN_HQCRMRS192_AVX2_gf_mul_vect(_mm256_set1_epi16(cdw[i + 1]), alpha_ij256_2[i]); - } -} - - - -/** - * @brief Computes the error locator polynomial (ELP) sigma - * - * This is a constant time implementation of Berlekamp's simplified algorithm (see @cite lin1983error (Chapter 6 - BCH Codes).
- * We use the letter p for rho which is initialized at -1.
- * The array X_sigma_p represents the polynomial X^(mu-rho)*sigma_p(X).
- * Instead of maintaining a list of sigmas, we update in place both sigma and X_sigma_p.
- * sigma_copy serves as a temporary save of sigma in case X_sigma_p needs to be updated.
- * We can properly correct only if the degree of sigma does not exceed PARAM_DELTA. - * This means only the first PARAM_DELTA + 1 coefficients of sigma are of value - * and we only need to save its first PARAM_DELTA - 1 coefficients. - * - * @returns the degree of the ELP sigma - * @param[out] sigma Array of size (at least) PARAM_DELTA receiving the ELP - * @param[in] syndromes Array of size (at least) 2*PARAM_DELTA storing the syndromes - */ -static uint16_t compute_elp(uint16_t *sigma, const uint16_t *syndromes) { - uint16_t deg_sigma = 0; - uint16_t deg_sigma_p = 0; - uint16_t deg_sigma_copy = 0; - uint16_t sigma_copy[PARAM_DELTA + 1] = {0}; - uint16_t X_sigma_p[PARAM_DELTA + 1] = {0, 1}; - uint16_t pp = (uint16_t) -1; // 2*rho - uint16_t d_p = 1; - uint16_t d = syndromes[0]; - - uint16_t mask1, mask2, mask12; - uint16_t deg_X, deg_X_sigma_p; - uint16_t dd; - uint16_t mu; - - uint16_t i; - - sigma[0] = 1; - for (mu = 0; (mu < (2 * PARAM_DELTA)); ++mu) { - // Save sigma in case we need it to update X_sigma_p - memcpy(sigma_copy, sigma, 2 * (PARAM_DELTA)); - deg_sigma_copy = deg_sigma; - - dd = PQCLEAN_HQCRMRS192_AVX2_gf_mul(d, PQCLEAN_HQCRMRS192_AVX2_gf_inverse(d_p)); - - for (i = 1; (i <= mu + 1) && (i <= PARAM_DELTA); ++i) { - sigma[i] ^= PQCLEAN_HQCRMRS192_AVX2_gf_mul(dd, X_sigma_p[i]); - } - - deg_X = mu - pp; - deg_X_sigma_p = deg_X + deg_sigma_p; - - // mask1 = 0xffff if(d != 0) and 0 otherwise - mask1 = -((uint16_t) - d >> 15); - - // mask2 = 0xffff if(deg_X_sigma_p > deg_sigma) and 0 otherwise - mask2 = -((uint16_t) (deg_sigma - deg_X_sigma_p) >> 15); - - // mask12 = 0xffff if the deg_sigma increased and 0 otherwise - mask12 = mask1 & mask2; - deg_sigma ^= mask12 & (deg_X_sigma_p ^ deg_sigma); - - if (mu == (2 * PARAM_DELTA - 1)) { - break; - } - - pp ^= mask12 & (mu ^ pp); - d_p ^= mask12 & (d ^ d_p); - for (i = PARAM_DELTA; i; --i) { - X_sigma_p[i] = (mask12 & sigma_copy[i - 1]) ^ (~mask12 & X_sigma_p[i - 1]); - } - - deg_sigma_p ^= mask12 & 
(deg_sigma_copy ^ deg_sigma_p); - d = syndromes[mu + 1]; - - for (i = 1; (i <= mu + 1) && (i <= PARAM_DELTA); ++i) { - d ^= PQCLEAN_HQCRMRS192_AVX2_gf_mul(sigma[i], syndromes[mu + 1 - i]); - } - } - - return deg_sigma; -} - - - -/** - * @brief Computes the error polynomial error from the error locator polynomial sigma - * - * See function PQCLEAN_HQCRMRS192_AVX2_fft for more details. - * - * @param[out] error Array of 2^PARAM_M elements receiving the error polynomial - * @param[out] error_compact Array of PARAM_DELTA + PARAM_N1 elements receiving a compact representation of the vector error - * @param[in] sigma Array of 2^PARAM_FFT elements storing the error locator polynomial - */ -static void compute_roots(uint8_t *error, uint16_t *sigma) { - uint16_t w[1 << PARAM_M] = {0}; - - PQCLEAN_HQCRMRS192_AVX2_fft(w, sigma, PARAM_DELTA + 1); - PQCLEAN_HQCRMRS192_AVX2_fft_retrieve_error_poly(error, w); -} - - - -/** - * @brief Computes the polynomial z(x) - * - * See @cite lin1983error (Chapter 6 - BCH Codes) for more details. 
- * - * @param[out] z Array of PARAM_DELTA + 1 elements receiving the polynomial z(x) - * @param[in] sigma Array of 2^PARAM_FFT elements storing the error locator polynomial - * @param[in] degree Integer that is the degree of polynomial sigma - * @param[in] syndromes Array of 2 * PARAM_DELTA storing the syndromes - */ -static void compute_z_poly(uint16_t *z, const uint16_t *sigma, uint16_t degree, const uint16_t *syndromes) { - size_t i, j; - uint16_t mask; - - z[0] = 1; - - for (i = 1; i < PARAM_DELTA + 1; ++i) { - mask = -((uint16_t) (i - degree - 1) >> 15); - z[i] = mask & sigma[i]; - } - - z[1] ^= syndromes[0]; - - for (i = 2; i <= PARAM_DELTA; ++i) { - mask = -((uint16_t) (i - degree - 1) >> 15); - z[i] ^= mask & syndromes[i - 1]; - - for (j = 1; j < i; ++j) { - z[i] ^= mask & PQCLEAN_HQCRMRS192_AVX2_gf_mul(sigma[j], syndromes[i - j - 1]); - } - } -} - - - -/** - * @brief Computes the error values - * - * See @cite lin1983error (Chapter 6 - BCH Codes) for more details. - * - * @param[out] error_values Array of PARAM_DELTA elements receiving the error values - * @param[in] z Array of PARAM_DELTA + 1 elements storing the polynomial z(x) - * @param[in] z_degree Integer that is the degree of polynomial z(x) - * @param[in] error_compact Array of PARAM_DELTA + PARAM_N1 storing compact representation of the error - */ -static void compute_error_values(uint16_t *error_values, const uint16_t *z, const uint8_t *error) { - uint16_t beta_j[PARAM_DELTA] = {0}; - uint16_t e_j[PARAM_DELTA] = {0}; - - uint16_t delta_counter; - uint16_t delta_real_value; - uint16_t found; - uint16_t mask1; - uint16_t mask2; - uint16_t tmp1; - uint16_t tmp2; - uint16_t inverse; - uint16_t inverse_power_j; - - // Compute the beta_{j_i} page 31 of the documentation - delta_counter = 0; - for (size_t i = 0; i < PARAM_N1; i++) { - found = 0; - mask1 = (uint16_t) (-((int32_t)error[i]) >> 31); // error[i] != 0 - for (size_t j = 0; j < PARAM_DELTA; j++) { - mask2 = ~((uint16_t) (-((int32_t) j ^ 
delta_counter) >> 31)); // j == delta_counter - beta_j[j] += mask1 & mask2 & gf_exp[i]; - found += mask1 & mask2 & 1; - } - delta_counter += found; - } - delta_real_value = delta_counter; - - // Compute the e_{j_i} page 31 of the documentation - for (size_t i = 0; i < PARAM_DELTA; ++i) { - tmp1 = 1; - tmp2 = 1; - inverse = PQCLEAN_HQCRMRS192_AVX2_gf_inverse(beta_j[i]); - inverse_power_j = 1; - - for (size_t j = 1; j <= PARAM_DELTA; ++j) { - inverse_power_j = PQCLEAN_HQCRMRS192_AVX2_gf_mul(inverse_power_j, inverse); - tmp1 ^= PQCLEAN_HQCRMRS192_AVX2_gf_mul(inverse_power_j, z[j]); - } - for (size_t k = 1; k < PARAM_DELTA; ++k) { - tmp2 = PQCLEAN_HQCRMRS192_AVX2_gf_mul(tmp2, (1 ^ PQCLEAN_HQCRMRS192_AVX2_gf_mul(inverse, beta_j[(i + k) % PARAM_DELTA]))); - } - mask1 = (uint16_t) (((int16_t) i - delta_real_value) >> 15); // i < delta_real_value - e_j[i] = mask1 & PQCLEAN_HQCRMRS192_AVX2_gf_mul(tmp1, PQCLEAN_HQCRMRS192_AVX2_gf_inverse(tmp2)); - } - - // Place the delta e_{j_i} values at the right coordinates of the output vector - delta_counter = 0; - for (size_t i = 0; i < PARAM_N1; ++i) { - found = 0; - mask1 = (uint16_t) (-((int32_t)error[i]) >> 31); // error[i] != 0 - for (size_t j = 0; j < PARAM_DELTA; j++) { - mask2 = ~((uint16_t) (-((int32_t) j ^ delta_counter) >> 31)); // j == delta_counter - error_values[i] += mask1 & mask2 & e_j[j]; - found += mask1 & mask2 & 1; - } - delta_counter += found; - } -} - - - -/** - * @brief Correct the errors - * - * @param[out] cdw Array of PARAM_N1 elements receiving the corrected vector - * @param[in] error Array of the error vector - * @param[in] error_values Array of PARAM_DELTA elements storing the error values - */ -static void correct_errors(uint8_t *cdw, const uint16_t *error_values) { - for (size_t i = 0; i < PARAM_N1; ++i) { - cdw[i] ^= error_values[i]; - } -} - - - -/** - * @brief Decodes the received word - * - * This function relies on six steps: - *
    - *
  1. The first step, is the computation of the 2*PARAM_DELTA syndromes. - *
  2. The second step is the computation of the error-locator polynomial sigma. - *
  3. The third step, done by additive FFT, is finding the error-locator numbers by calculating the roots of the polynomial sigma and takings their inverses. - *
  4. The fourth step, is the polynomial z(x). - *
  5. The fifth step, is the computation of the error values. - *
  6. The sixth step is the correction of the errors in the received polynomial. - *
- * For a more complete picture on Reed-Solomon decoding, see Shu. Lin and Daniel J. Costello in Error Control Coding: Fundamentals and Applications @cite lin1983error - * - * @param[out] msg Array of size VEC_K_SIZE_64 receiving the decoded message - * @param[in] cdw Array of size VEC_N1_SIZE_64 storing the received word - */ -void PQCLEAN_HQCRMRS192_AVX2_reed_solomon_decode(uint8_t *msg, uint8_t *cdw) { - uint16_t syndromes[2 * PARAM_DELTA] = {0}; - uint16_t sigma[1 << PARAM_FFT] = {0}; - uint8_t error[1 << PARAM_M] = {0}; - uint16_t z[PARAM_N1] = {0}; - uint16_t error_values[PARAM_N1] = {0}; - uint16_t deg; - - // Calculate the 2*PARAM_DELTA syndromes - compute_syndromes(syndromes, cdw); - - // Compute the error locator polynomial sigma - // Sigma's degree is at most PARAM_DELTA but the FFT requires the extra room - deg = compute_elp(sigma, syndromes); - - // Compute the error polynomial error - compute_roots(error, sigma); - - // Compute the polynomial z(x) - compute_z_poly(z, sigma, deg, syndromes); - - // Compute the error values - compute_error_values(error_values, z, error); - - // Correct the errors - correct_errors(cdw, error_values); - - // Retrieve the message from the decoded codeword - memcpy(msg, cdw + (PARAM_G - 1), PARAM_K); - -} diff --git a/crypto_kem/hqc-rmrs-192/avx2/reed_solomon.h b/crypto_kem/hqc-rmrs-192/avx2/reed_solomon.h deleted file mode 100644 index 841a148c..00000000 --- a/crypto_kem/hqc-rmrs-192/avx2/reed_solomon.h +++ /dev/null 
@@ -1,20 +0,0 @@ -#ifndef REED_SOLOMON_H -#define REED_SOLOMON_H - - -/** - * @file reed_solomon.h - * Header file of reed_solomon.c - */ -#include "parameters.h" -#include -#include - -static const uint16_t alpha_ij_pow [44][75] = {{2, 4, 8, 16, 32, 64, 128, 29, 58, 116, 232, 205, 135, 19, 38, 76, 152, 45, 90, 180, 117, 234, 201, 143, 3, 6, 12, 24, 48, 96, 192, 157, 39, 78, 156, 37, 74, 148, 53, 106, 212, 181, 119, 238, 193, 159, 35, 70, 140, 5, 10, 20, 40, 80, 160, 93, 186, 105, 210, 185, 111, 222, 161, 95, 190, 97, 194, 153, 47, 94, 188, 101, 202, 137, 15}, {4, 16, 64, 29, 116, 205, 19, 76, 45, 180, 234, 143, 6, 24, 96, 157, 78, 37, 148, 106, 181, 238, 159, 70, 5, 20, 80, 93, 105, 185, 222, 95, 97, 153, 94, 101, 137, 30, 120, 253, 211, 107, 177, 254, 223, 91, 113, 217, 67, 17, 68, 13, 52, 208, 103, 129, 62, 248, 199, 59, 236, 151, 102, 133, 46, 184, 218, 79, 33, 132, 42, 168, 154, 82, 85}, {8, 64, 58, 205, 38, 45, 117, 143, 12, 96, 39, 37, 53, 181, 193, 70, 10, 80, 186, 185, 161, 97, 47, 101, 15, 120, 231, 107, 127, 223, 182, 217, 134, 68, 26, 208, 206, 62, 237, 59, 197, 102, 23, 184, 169, 33, 21, 168, 41, 85, 146, 228, 115, 191, 145, 252, 179, 241, 219, 150, 196, 110, 87, 130, 100, 7, 56, 221, 166, 89, 242, 195, 86, 138, 36}, {16, 29, 205, 76, 180, 143, 24, 157, 37, 106, 238, 70, 20, 93, 185, 95, 153, 101, 30, 253, 107, 254, 91, 217, 17, 13, 208, 129, 248, 59, 151, 133, 184, 79, 132, 168, 82, 73, 228, 230, 198, 252, 123, 227, 150, 149, 165, 130, 200, 28, 221, 81, 121, 195, 172, 18, 61, 247, 203, 44, 250, 27, 173, 2, 32, 58, 135, 152, 117, 3, 48, 39, 74, 212, 193}, {32, 116, 38, 180, 3, 96, 156, 106, 193, 5, 160, 185, 190, 94, 15, 253, 214, 223, 226, 17, 26, 103, 124, 59, 51, 46, 169, 132, 77, 85, 114, 230, 145, 215, 255, 150, 55, 174, 100, 28, 167, 89, 239, 172, 36, 244, 235, 44, 233, 108, 1, 32, 116, 38, 180, 3, 96, 156, 106, 193, 5, 160, 185, 190, 94, 15, 253, 214, 223, 226, 17, 26, 103, 124, 59}, {64, 205, 45, 143, 96, 37, 181, 70, 80, 185, 97, 101, 120, 
107, 223, 217, 68, 208, 62, 59, 102, 184, 33, 168, 85, 228, 191, 252, 241, 150, 110, 130, 7, 221, 89, 195, 138, 61, 251, 44, 207, 173, 8, 58, 38, 117, 12, 39, 53, 193, 10, 186, 161, 47, 15, 231, 127, 182, 134, 26, 206, 237, 197, 23, 169, 21, 41, 146, 115, 145, 179, 219, 196, 87, 100}, {128, 19, 117, 24, 156, 181, 140, 93, 161, 94, 60, 107, 163, 67, 26, 129, 147, 102, 109, 132, 41, 57, 209, 252, 255, 98, 87, 200, 224, 89, 155, 18, 245, 11, 233, 173, 16, 232, 45, 3, 157, 53, 159, 40, 185, 194, 137, 231, 254, 226, 68, 189, 248, 197, 46, 158, 168, 170, 183, 145, 123, 75, 110, 25, 28, 166, 249, 69, 61, 235, 176, 54, 2, 29, 38}, {29, 76, 143, 157, 106, 70, 93, 95, 101, 253, 254, 217, 13, 129, 59, 133, 79, 168, 73, 230, 252, 227, 149, 130, 28, 81, 195, 18, 247, 44, 27, 2, 58, 152, 3, 39, 212, 140, 186, 190, 202, 231, 225, 175, 26, 31, 118, 23, 158, 77, 146, 209, 229, 219, 55, 25, 56, 162, 155, 36, 243, 88, 54, 4, 116, 45, 6, 78, 181, 5, 105, 97, 137, 211, 223}, {58, 45, 12, 37, 193, 80, 161, 101, 231, 223, 134, 208, 237, 102, 169, 168, 146, 191, 179, 150, 87, 7, 166, 195, 36, 251, 125, 173, 64, 38, 143, 39, 181, 10, 185, 47, 120, 127, 217, 26, 62, 197, 184, 21, 85, 115, 252, 219, 110, 100, 221, 242, 138, 245, 44, 54, 8, 205, 117, 96, 53, 70, 186, 97, 15, 107, 182, 68, 206, 59, 23, 33, 41, 228, 145}, {116, 180, 96, 106, 5, 185, 94, 253, 223, 17, 103, 59, 46, 132, 85, 230, 215, 150, 174, 28, 89, 172, 244, 44, 108, 32, 38, 3, 156, 193, 160, 190, 15, 214, 226, 26, 124, 51, 169, 77, 114, 145, 255, 55, 100, 167, 239, 36, 235, 233, 1, 116, 180, 96, 106, 5, 185, 94, 253, 223, 17, 103, 59, 46, 132, 85, 230, 215, 150, 174, 28, 89, 172, 244, 44}, {232, 234, 39, 238, 160, 97, 60, 254, 134, 103, 118, 184, 84, 57, 145, 227, 220, 7, 162, 172, 245, 176, 71, 58, 180, 192, 181, 40, 95, 15, 177, 175, 208, 147, 46, 21, 73, 99, 241, 55, 200, 166, 43, 122, 44, 216, 128, 45, 48, 106, 10, 222, 202, 107, 226, 52, 237, 133, 66, 85, 209, 123, 196, 50, 167, 195, 144, 11, 54, 32, 76, 12, 148, 140, 
185}, {205, 143, 37, 70, 185, 101, 107, 217, 208, 59, 184, 168, 228, 252, 150, 130, 221, 195, 61, 44, 173, 58, 117, 39, 193, 186, 47, 231, 182, 26, 237, 23, 21, 146, 145, 219, 87, 56, 242, 36, 139, 54, 64, 45, 96, 181, 80, 97, 120, 223, 68, 62, 102, 33, 85, 191, 241, 110, 7, 89, 138, 251, 207, 8, 38, 12, 53, 10, 161, 15, 127, 134, 206, 197, 169}, {135, 6, 53, 20, 190, 120, 163, 13, 237, 46, 84, 228, 229, 98, 100, 81, 69, 251, 131, 32, 45, 192, 238, 186, 94, 187, 217, 189, 236, 169, 82, 209, 241, 220, 28, 242, 72, 22, 173, 116, 201, 37, 140, 222, 15, 254, 34, 62, 204, 132, 146, 63, 75, 130, 167, 43, 245, 250, 4, 38, 24, 212, 80, 194, 253, 182, 52, 147, 184, 77, 183, 179, 149, 141, 89}, {19, 24, 181, 93, 94, 107, 67, 129, 102, 132, 57, 252, 98, 200, 89, 18, 11, 173, 232, 3, 53, 40, 194, 231, 226, 189, 197, 158, 170, 145, 75, 25, 166, 69, 235, 54, 29, 234, 37, 5, 95, 120, 91, 52, 59, 218, 82, 191, 227, 174, 221, 43, 247, 207, 32, 90, 39, 35, 111, 15, 225, 136, 237, 92, 77, 115, 246, 220, 56, 239, 122, 125, 4, 76, 96}, {38, 96, 193, 185, 15, 223, 26, 59, 169, 85, 145, 150, 100, 89, 36, 44, 1, 38, 96, 193, 185, 15, 223, 26, 59, 169, 85, 145, 150, 100, 89, 36, 44, 1, 38, 96, 193, 185, 15, 223, 26, 59, 169, 85, 145, 150, 100, 89, 36, 44, 1, 38, 96, 193, 185, 15, 223, 26, 59, 169, 85, 145, 150, 100, 89, 36, 44, 1, 38, 96, 193, 185, 15, 223, 26}, {76, 157, 70, 95, 253, 217, 129, 133, 168, 230, 227, 130, 81, 18, 44, 2, 152, 39, 140, 190, 231, 175, 31, 23, 77, 209, 219, 25, 162, 36, 88, 4, 45, 78, 5, 97, 211, 67, 62, 46, 154, 191, 171, 50, 89, 72, 176, 8, 90, 156, 10, 194, 187, 134, 124, 92, 41, 99, 75, 100, 178, 144, 125, 16, 180, 37, 20, 153, 107, 17, 248, 184, 82, 198, 150}, {152, 78, 10, 153, 214, 68, 147, 79, 146, 215, 220, 221, 69, 11, 1, 152, 78, 10, 153, 214, 68, 147, 79, 146, 215, 220, 221, 69, 11, 1, 152, 78, 10, 153, 214, 68, 147, 79, 146, 215, 220, 221, 69, 11, 1, 152, 78, 10, 153, 214, 68, 147, 79, 146, 215, 220, 221, 69, 11, 1, 152, 78, 10, 153, 214, 68, 147, 
79, 146, 215, 220, 221, 69, 11, 1}, {45, 37, 80, 101, 223, 208, 102, 168, 191, 150, 7, 195, 251, 173, 38, 39, 10, 47, 127, 26, 197, 21, 115, 219, 100, 242, 245, 54, 205, 96, 70, 97, 107, 68, 59, 33, 228, 241, 130, 89, 61, 207, 58, 12, 193, 161, 231, 134, 237, 169, 146, 179, 87, 166, 36, 125, 64, 143, 181, 185, 120, 217, 62, 184, 85, 252, 110, 221, 138, 44, 8, 117, 53, 186, 15}, {90, 148, 186, 30, 226, 62, 109, 73, 179, 174, 162, 61, 131, 232, 96, 140, 153, 127, 52, 51, 168, 99, 98, 56, 172, 22, 8, 234, 212, 185, 240, 67, 237, 79, 114, 241, 25, 121, 245, 108, 19, 39, 20, 188, 223, 189, 133, 41, 63, 55, 221, 9, 176, 64, 3, 238, 161, 211, 34, 59, 66, 183, 219, 200, 239, 251, 71, 152, 37, 160, 137, 182, 129, 92, 85}, {180, 106, 185, 253, 17, 59, 132, 230, 150, 28, 172, 44, 32, 3, 193, 190, 214, 26, 51, 77, 145, 55, 167, 36, 233, 116, 96, 5, 94, 223, 103, 46, 85, 215, 174, 89, 244, 108, 38, 156, 160, 15, 226, 124, 169, 114, 255, 100, 239, 235, 1, 180, 106, 185, 253, 17, 59, 132, 230, 150, 28, 172, 44, 32, 3, 193, 190, 214, 26, 51, 77, 145, 55, 167, 36}, {117, 181, 161, 107, 26, 102, 41, 252, 87, 89, 245, 173, 45, 53, 185, 231, 68, 197, 168, 145, 110, 166, 61, 54, 38, 37, 186, 120, 134, 59, 21, 191, 196, 221, 36, 207, 205, 39, 80, 15, 217, 237, 33, 115, 150, 56, 138, 125, 58, 96, 10, 101, 182, 62, 169, 228, 219, 7, 86, 44, 64, 12, 70, 47, 223, 206, 184, 146, 241, 100, 195, 139, 8, 143, 193}, {234, 238, 97, 254, 103, 184, 57, 227, 7, 172, 176, 58, 192, 40, 15, 175, 147, 21, 99, 55, 166, 122, 216, 45, 106, 222, 107, 52, 133, 85, 123, 50, 195, 11, 32, 12, 140, 188, 182, 124, 158, 115, 49, 224, 36, 131, 19, 37, 105, 253, 68, 151, 154, 252, 174, 121, 251, 2, 201, 193, 194, 225, 206, 109, 114, 219, 14, 69, 125, 116, 157, 80, 30, 67, 59}, {201, 159, 47, 91, 124, 33, 209, 149, 166, 244, 71, 117, 238, 194, 223, 31, 79, 115, 98, 167, 61, 216, 90, 181, 190, 254, 206, 218, 213, 150, 224, 72, 54, 152, 106, 161, 177, 189, 184, 114, 171, 56, 18, 131, 38, 148, 111, 107, 104, 46, 146, 
227, 14, 138, 233, 135, 37, 210, 211, 26, 133, 170, 241, 141, 172, 125, 232, 78, 186, 253, 136, 102, 164, 123, 100}, {143, 70, 101, 217, 59, 168, 252, 130, 195, 44, 58, 39, 186, 231, 26, 23, 146, 219, 56, 36, 54, 45, 181, 97, 223, 62, 33, 191, 110, 89, 251, 8, 12, 10, 15, 134, 197, 41, 179, 100, 86, 125, 205, 37, 185, 107, 208, 184, 228, 150, 221, 61, 173, 117, 193, 47, 182, 237, 21, 145, 87, 242, 139, 64, 96, 80, 120, 68, 102, 85, 241, 7, 138, 207, 38}, {3, 5, 15, 17, 51, 85, 255, 28, 36, 108, 180, 193, 94, 226, 59, 77, 215, 100, 172, 233, 38, 106, 190, 223, 124, 132, 145, 174, 239, 44, 116, 156, 185, 214, 103, 169, 230, 55, 89, 235, 32, 96, 160, 253, 26, 46, 114, 150, 167, 244, 1, 3, 5, 15, 17, 51, 85, 255, 28, 36, 108, 180, 193, 94, 226, 59, 77, 215, 100, 172, 233, 38, 106, 190, 223}, {6, 20, 120, 13, 46, 228, 98, 81, 251, 32, 192, 186, 187, 189, 169, 209, 220, 242, 22, 116, 37, 222, 254, 62, 132, 63, 130, 43, 250, 38, 212, 194, 182, 147, 77, 179, 141, 9, 54, 180, 159, 101, 67, 151, 85, 227, 112, 61, 142, 3, 10, 60, 136, 23, 114, 49, 166, 243, 16, 96, 93, 211, 208, 218, 230, 110, 121, 11, 58, 156, 111, 127, 31, 66, 145}, {12, 80, 231, 208, 169, 191, 87, 195, 125, 38, 181, 47, 217, 197, 85, 219, 221, 245, 8, 96, 186, 107, 206, 33, 145, 130, 86, 207, 45, 193, 101, 134, 102, 146, 150, 166, 251, 64, 39, 185, 127, 62, 21, 252, 100, 138, 54, 117, 70, 15, 68, 23, 228, 196, 89, 139, 58, 37, 161, 223, 237, 168, 179, 7, 36, 173, 143, 10, 120, 26, 184, 115, 110, 242, 44}, {24, 93, 107, 129, 132, 252, 200, 18, 173, 3, 40, 231, 189, 158, 145, 25, 69, 54, 234, 5, 120, 52, 218, 191, 174, 43, 207, 90, 35, 15, 136, 92, 115, 220, 239, 125, 76, 238, 101, 17, 133, 228, 149, 121, 44, 135, 212, 47, 175, 51, 146, 49, 162, 139, 116, 148, 97, 113, 236, 85, 171, 83, 251, 128, 156, 161, 163, 147, 41, 255, 224, 245, 16, 157, 185}, {48, 105, 127, 248, 77, 241, 224, 247, 64, 156, 95, 182, 236, 170, 150, 162, 11, 205, 212, 94, 134, 133, 213, 110, 239, 250, 45, 35, 30, 26, 218, 99, 130, 69, 
108, 143, 40, 211, 206, 132, 229, 7, 144, 2, 96, 210, 254, 237, 154, 255, 221, 243, 128, 37, 190, 113, 197, 73, 49, 89, 22, 135, 181, 188, 17, 23, 183, 220, 195, 233, 90, 70, 60, 52, 169}, {96, 185, 223, 59, 85, 150, 89, 44, 38, 193, 15, 26, 169, 145, 100, 36, 1, 96, 185, 223, 59, 85, 150, 89, 44, 38, 193, 15, 26, 169, 145, 100, 36, 1, 96, 185, 223, 59, 85, 150, 89, 44, 38, 193, 15, 26, 169, 145, 100, 36, 1, 96, 185, 223, 59, 85, 150, 89, 44, 38, 193, 15, 26, 169, 145, 100, 36, 1, 96, 185, 223, 59, 85, 150, 89}, {192, 222, 182, 151, 114, 110, 155, 27, 143, 160, 177, 237, 82, 75, 89, 88, 152, 70, 240, 103, 21, 123, 224, 251, 116, 212, 101, 136, 218, 145, 200, 144, 8, 78, 190, 217, 204, 183, 87, 172, 216, 12, 105, 225, 59, 170, 98, 242, 250, 180, 10, 211, 31, 168, 255, 83, 139, 135, 238, 15, 52, 158, 252, 14, 244, 64, 74, 153, 134, 46, 209, 130, 9, 142, 96}, {157, 95, 217, 133, 230, 130, 18, 2, 39, 190, 175, 23, 209, 25, 36, 4, 78, 97, 67, 46, 191, 50, 72, 8, 156, 194, 134, 92, 99, 100, 144, 16, 37, 153, 17, 184, 198, 200, 61, 32, 74, 47, 34, 109, 145, 141, 122, 64, 148, 94, 68, 218, 63, 7, 244, 128, 53, 188, 136, 169, 126, 14, 245, 29, 106, 101, 13, 79, 252, 28, 247, 58, 212, 202, 26}, {39, 97, 134, 184, 145, 7, 245, 58, 181, 15, 208, 21, 241, 166, 44, 45, 10, 107, 237, 85, 196, 195, 54, 12, 185, 182, 102, 115, 130, 36, 8, 37, 47, 68, 169, 252, 56, 251, 205, 193, 120, 206, 168, 219, 89, 125, 117, 80, 127, 59, 146, 110, 86, 173, 96, 161, 217, 23, 191, 100, 61, 64, 53, 101, 26, 33, 179, 221, 139, 38, 70, 231, 62, 41, 150}, {78, 153, 68, 79, 215, 221, 11, 152, 10, 214, 147, 146, 220, 69, 1, 78, 153, 68, 79, 215, 221, 11, 152, 10, 214, 147, 146, 220, 69, 1, 78, 153, 68, 79, 215, 221, 11, 152, 10, 214, 147, 146, 220, 69, 1, 78, 153, 68, 79, 215, 221, 11, 152, 10, 214, 147, 146, 220, 69, 1, 78, 153, 68, 79, 215, 221, 11, 152, 10, 214, 147, 146, 220, 69, 1}, {156, 94, 26, 132, 255, 89, 233, 3, 185, 226, 46, 145, 28, 235, 38, 5, 214, 59, 114, 174, 36, 32, 106, 15, 103, 77, 
150, 239, 108, 96, 190, 17, 169, 215, 167, 44, 180, 160, 223, 51, 230, 100, 244, 116, 193, 253, 124, 85, 55, 172, 1, 156, 94, 26, 132, 255, 89, 233, 3, 185, 226, 46, 145, 28, 235, 38, 5, 214, 59, 114, 174, 36, 32, 106, 15}, {37, 101, 208, 168, 150, 195, 173, 39, 47, 26, 21, 219, 242, 54, 96, 97, 68, 33, 241, 89, 207, 12, 161, 134, 169, 179, 166, 125, 143, 185, 217, 184, 252, 221, 44, 117, 186, 182, 23, 145, 56, 139, 45, 80, 223, 102, 191, 7, 251, 38, 10, 127, 197, 115, 100, 245, 205, 70, 107, 59, 228, 130, 61, 58, 193, 231, 237, 146, 87, 36, 64, 181, 120, 62, 85}, {74, 137, 206, 82, 55, 138, 16, 212, 120, 124, 73, 87, 72, 29, 193, 211, 147, 228, 25, 244, 205, 140, 177, 197, 230, 141, 251, 76, 40, 223, 204, 198, 56, 11, 180, 186, 113, 92, 252, 167, 176, 143, 111, 67, 169, 123, 162, 207, 24, 190, 68, 66, 227, 242, 108, 157, 47, 52, 84, 150, 155, 142, 37, 202, 103, 41, 149, 69, 8, 106, 60, 62, 170, 165, 36}, {148, 30, 62, 73, 174, 61, 232, 140, 127, 51, 99, 56, 22, 234, 185, 67, 79, 241, 121, 108, 39, 188, 189, 41, 55, 9, 64, 238, 211, 59, 183, 200, 251, 152, 160, 182, 92, 229, 166, 233, 24, 97, 13, 42, 150, 43, 2, 53, 60, 124, 146, 65, 122, 205, 5, 254, 102, 198, 112, 44, 201, 111, 134, 158, 255, 242, 216, 78, 101, 103, 82, 110, 18, 128, 193}, {53, 120, 237, 228, 100, 251, 45, 186, 217, 169, 241, 242, 173, 37, 15, 62, 146, 130, 245, 38, 80, 182, 184, 179, 89, 54, 39, 101, 206, 85, 87, 61, 205, 10, 223, 23, 252, 166, 207, 96, 47, 208, 41, 110, 36, 58, 70, 127, 102, 145, 221, 125, 12, 97, 26, 168, 196, 138, 64, 193, 107, 197, 191, 56, 44, 143, 161, 68, 21, 150, 86, 8, 181, 231, 59}, {106, 253, 59, 230, 28, 44, 3, 190, 26, 77, 55, 36, 116, 5, 223, 46, 215, 89, 108, 156, 15, 124, 114, 100, 235, 180, 185, 17, 132, 150, 172, 32, 193, 214, 51, 145, 167, 233, 96, 94, 103, 85, 174, 244, 38, 160, 226, 169, 255, 239, 1, 106, 253, 59, 230, 28, 44, 3, 190, 26, 77, 55, 36, 116, 5, 223, 46, 215, 89, 108, 156, 15, 124, 114, 100}, {212, 211, 197, 198, 167, 207, 157, 202, 62, 114, 
200, 139, 201, 95, 26, 154, 220, 61, 19, 160, 217, 158, 171, 86, 32, 159, 127, 133, 229, 89, 216, 74, 120, 147, 230, 56, 176, 24, 47, 103, 170, 130, 243, 90, 185, 34, 42, 196, 18, 116, 10, 91, 109, 241, 239, 2, 181, 187, 151, 145, 83, 131, 39, 137, 124, 228, 141, 11, 143, 190, 52, 41, 165, 122, 38}, {181, 107, 102, 252, 89, 173, 53, 231, 197, 145, 166, 54, 37, 120, 59, 191, 221, 207, 39, 15, 237, 115, 56, 125, 96, 101, 62, 228, 7, 44, 12, 47, 206, 146, 100, 139, 143, 97, 208, 85, 130, 251, 117, 161, 26, 41, 87, 245, 45, 185, 68, 168, 110, 61, 38, 186, 134, 21, 196, 36, 205, 80, 217, 33, 150, 138, 58, 10, 182, 169, 219, 86, 64, 70, 223}, {119, 177, 23, 123, 239, 8, 159, 225, 184, 255, 43, 64, 140, 91, 169, 171, 69, 58, 20, 226, 33, 49, 18, 205, 160, 67, 21, 149, 144, 38, 105, 34, 168, 220, 244, 45, 111, 13, 41, 174, 243, 117, 95, 104, 85, 25, 203, 143, 194, 103, 146, 200, 22, 12, 94, 31, 228, 14, 176, 96, 202, 248, 115, 112, 233, 39, 30, 147, 191, 167, 27, 37, 240, 236, 145}, {238, 254, 184, 227, 172, 58, 40, 175, 21, 55, 122, 45, 222, 52, 85, 50, 11, 12, 188, 124, 115, 224, 131, 37, 253, 151, 252, 121, 2, 193, 225, 109, 219, 69, 116, 80, 67, 42, 110, 244, 90, 161, 104, 170, 100, 22, 24, 101, 248, 230, 221, 27, 74, 231, 51, 229, 242, 4, 159, 223, 218, 171, 138, 232, 160, 134, 84, 220, 245, 180, 95, 208, 73, 200, 44}}; - -void PQCLEAN_HQCRMRS192_AVX2_reed_solomon_encode(uint8_t *cdw, const uint8_t *msg); - -void PQCLEAN_HQCRMRS192_AVX2_reed_solomon_decode(uint8_t *msg, uint8_t *cdw); - - -#endif diff --git a/crypto_kem/hqc-rmrs-192/avx2/vector.c b/crypto_kem/hqc-rmrs-192/avx2/vector.c deleted file mode 100644 index 3f58b19c..00000000 --- a/crypto_kem/hqc-rmrs-192/avx2/vector.c +++ /dev/null 
@@ -1,178 +0,0 @@ -#include "nistseedexpander.h" -#include "parameters.h" -#include "parsing.h" -#include "randombytes.h" -#include "vector.h" -#include -#include -#include -/** - * @file vector.c - * @brief Implementation of vectors sampling and some utilities for the HQC scheme - */ - - - -/** - * @brief Generates a vector of a given Hamming weight - * - * This function generates uniformly at random a binary vector of a Hamming weight equal to the parameter weight. - * To generate the vector we have to sample uniformly at random values in the interval [0, PARAM_N -1]. Suppose the PARAM_N is equal to \f$ 70853 \f$, to select a position \f$ r\f$ the function works as follow: - * 1. It makes a call to the seedexpander function to obtain a random number \f$ x\f$ in \f$ [0, 2^{24}[ \f$. - * 2. Let \f$ t = \lfloor {2^{24} \over 70853} \rfloor \times 70853\f$ - * 3. If \f$ x \geq t\f$, go to 1 - * 4. It return \f$ r = x \mod 70853\f$ - * - * The parameter \f$ t \f$ is precomputed and it's denoted by UTILS_REJECTION_THRESHOLD (see the file parameters.h). 
- * - * @param[in] v Pointer to an array - * @param[in] weight Integer that is the Hamming weight - * @param[in] ctx Pointer to the context of the seed expander - */ -void PQCLEAN_HQCRMRS192_AVX2_vect_set_random_fixed_weight(AES_XOF_struct *ctx, uint64_t *v, uint16_t weight) { - size_t random_bytes_size = 3 * weight; - uint8_t rand_bytes[3 * PARAM_OMEGA_R] = {0}; - uint32_t tmp[PARAM_OMEGA_R] = {0}; - __m256i bit256[PARAM_OMEGA_R]; - __m256i bloc256[PARAM_OMEGA_R]; - __m256i posCmp256 = _mm256_set_epi64x(3, 2, 1, 0); - __m256i pos256; - __m256i mask256; - __m256i aux; - __m256i i256; - uint64_t bloc, pos, bit64; - uint8_t inc; - size_t i, j, k; - - i = 0; - j = random_bytes_size; - while (i < weight) { - do { - if (j == random_bytes_size) { - seedexpander(ctx, rand_bytes, random_bytes_size); - j = 0; - } - - tmp[i] = ((uint32_t) rand_bytes[j++]) << 16; - tmp[i] |= ((uint32_t) rand_bytes[j++]) << 8; - tmp[i] |= rand_bytes[j++]; - - } while (tmp[i] >= UTILS_REJECTION_THRESHOLD); - - tmp[i] = tmp[i] % PARAM_N; - - inc = 1; - for (k = 0; k < i; k++) { - if (tmp[k] == tmp[i]) { - inc = 0; - } - } - i += inc; - } - - for (i = 0; i < weight; i++) { - // we store the bloc number and bit position of each vb[i] - bloc = tmp[i] >> 6; - bloc256[i] = _mm256_set1_epi64x(bloc >> 2); - pos = (bloc & 0x3UL); - pos256 = _mm256_set1_epi64x(pos); - mask256 = _mm256_cmpeq_epi64(pos256, posCmp256); - bit64 = 1ULL << (tmp[i] & 0x3f); - bit256[i] = _mm256_set1_epi64x(bit64)&mask256; - } - - for (i = 0; i < CEIL_DIVIDE(PARAM_N, 256); i++) { - aux = _mm256_loadu_si256(((__m256i *)v) + i); - i256 = _mm256_set1_epi64x(i); - - for (j = 0; j < weight; j++) { - mask256 = _mm256_cmpeq_epi64(bloc256[j], i256); - aux ^= bit256[j] & mask256; - } - _mm256_storeu_si256(((__m256i *)v) + i, aux); - } - -} - - - -/** - * @brief Generates a random vector of dimension PARAM_N - * - * This function generates a random binary vector of dimension PARAM_N. 
It generates a random - * array of bytes using the seedexpander function, and drop the extra bits using a mask. - * - * @param[in] v Pointer to an array - * @param[in] ctx Pointer to the context of the seed expander - */ -void PQCLEAN_HQCRMRS192_AVX2_vect_set_random(AES_XOF_struct *ctx, uint64_t *v) { - uint8_t rand_bytes[VEC_N_SIZE_BYTES] = {0}; - - seedexpander(ctx, rand_bytes, VEC_N_SIZE_BYTES); - - PQCLEAN_HQCRMRS192_AVX2_load8_arr(v, VEC_N_SIZE_64, rand_bytes, VEC_N_SIZE_BYTES); - v[VEC_N_SIZE_64 - 1] &= RED_MASK; -} - - - -/** - * @brief Adds two vectors - * - * @param[out] o Pointer to an array that is the result - * @param[in] v1 Pointer to an array that is the first vector - * @param[in] v2 Pointer to an array that is the second vector - * @param[in] size Integer that is the size of the vectors - */ -void PQCLEAN_HQCRMRS192_AVX2_vect_add(uint64_t *o, const uint64_t *v1, const uint64_t *v2, uint32_t size) { - for (uint32_t i = 0; i < size; ++i) { - o[i] = v1[i] ^ v2[i]; - } -} - - - -/** - * @brief Compares two vectors - * - * @param[in] v1 Pointer to an array that is first vector - * @param[in] v2 Pointer to an array that is second vector - * @param[in] size Integer that is the size of the vectors - * @returns 0 if the vectors are equals and a negative/psotive value otherwise - */ -uint8_t PQCLEAN_HQCRMRS192_AVX2_vect_compare(const uint8_t *v1, const uint8_t *v2, uint32_t size) { - uint64_t r = 0; - for (size_t i = 0; i < size; i++) { - r |= v1[i] ^ v2[i]; - } - r = (~r + 1) >> 63; - return (uint8_t) r; -} - - - -/** - * @brief Resize a vector so that it contains size_o bits - * - * @param[out] o Pointer to the output vector - * @param[in] size_o Integer that is the size of the output vector in bits - * @param[in] v Pointer to the input vector - * @param[in] size_v Integer that is the size of the input vector in bits - */ -void PQCLEAN_HQCRMRS192_AVX2_vect_resize(uint64_t *o, uint32_t size_o, const uint64_t *v, uint32_t size_v) { - uint64_t mask = 
0x7FFFFFFFFFFFFFFF; - int8_t val = 0; - if (size_o < size_v) { - if (size_o % 64) { - val = 64 - (size_o % 64); - } - - memcpy(o, v, VEC_N1N2_SIZE_BYTES); - - for (int8_t i = 0; i < val; ++i) { - o[VEC_N1N2_SIZE_64 - 1] &= (mask >> i); - } - } else { - memcpy(o, v, CEIL_DIVIDE(size_v, 8)); - } -} diff --git a/crypto_kem/hqc-rmrs-192/avx2/vector.h b/crypto_kem/hqc-rmrs-192/avx2/vector.h deleted file mode 100644 index 5ec58393..00000000 --- a/crypto_kem/hqc-rmrs-192/avx2/vector.h +++ /dev/null @@ -1,27 +0,0 @@ -#ifndef VECTOR_H -#define VECTOR_H - - -/** - * @file vector.h - * @brief Header file for vector.c - */ -#include "nistseedexpander.h" -#include "randombytes.h" -#include - -void PQCLEAN_HQCRMRS192_AVX2_vect_set_random_fixed_weight(AES_XOF_struct *ctx, uint64_t *v, uint16_t weight); - -void PQCLEAN_HQCRMRS192_AVX2_vect_set_random(AES_XOF_struct *ctx, uint64_t *v); - -void PQCLEAN_HQCRMRS192_AVX2_vect_set_random_from_randombytes(uint64_t *v); - - -void PQCLEAN_HQCRMRS192_AVX2_vect_add(uint64_t *o, const uint64_t *v1, const uint64_t *v2, uint32_t size); - -uint8_t PQCLEAN_HQCRMRS192_AVX2_vect_compare(const uint8_t *v1, const uint8_t *v2, uint32_t size); - -void PQCLEAN_HQCRMRS192_AVX2_vect_resize(uint64_t *o, uint32_t size_o, const uint64_t *v, uint32_t size_v); - - -#endif diff --git a/crypto_kem/hqc-rmrs-192/clean/LICENSE b/crypto_kem/hqc-rmrs-192/clean/LICENSE deleted file mode 100644 index d5d21fff..00000000 --- a/crypto_kem/hqc-rmrs-192/clean/LICENSE +++ /dev/null @@ -1 +0,0 @@ -Public Domain diff --git a/crypto_kem/hqc-rmrs-192/clean/Makefile.Microsoft_nmake b/crypto_kem/hqc-rmrs-192/clean/Makefile.Microsoft_nmake deleted file mode 100644 index 61cd6ffe..00000000 --- a/crypto_kem/hqc-rmrs-192/clean/Makefile.Microsoft_nmake +++ /dev/null 
@@ -1,19 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libhqc-rmrs-192_clean.lib
-OBJECTS=code.obj fft.obj gf2x.obj gf.obj hqc.obj kem.obj parsing.obj reed_muller.obj reed_solomon.obj vector.obj
-
-CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_kem/hqc-rmrs-192/clean/api.h b/crypto_kem/hqc-rmrs-192/clean/api.h
deleted file mode 100644
index f70271b2..00000000
--- a/crypto_kem/hqc-rmrs-192/clean/api.h
+++ /dev/null
@@ -1,25 +0,0 @@
-#ifndef PQCLEAN_HQCRMRS192_CLEAN_API_H
-#define PQCLEAN_HQCRMRS192_CLEAN_API_H
-/**
- * @file api.h
- * @brief NIST KEM API used by the HQC_KEM IND-CCA2 scheme
- */
-
-#define PQCLEAN_HQCRMRS192_CLEAN_CRYPTO_ALGNAME "HQC-RMRS-192"
-
-#define PQCLEAN_HQCRMRS192_CLEAN_CRYPTO_SECRETKEYBYTES 4562
-#define PQCLEAN_HQCRMRS192_CLEAN_CRYPTO_PUBLICKEYBYTES 4522
-#define PQCLEAN_HQCRMRS192_CLEAN_CRYPTO_BYTES 64
-#define PQCLEAN_HQCRMRS192_CLEAN_CRYPTO_CIPHERTEXTBYTES 9026
-
-// As a technicality, the public key is appended to the secret key in order to respect the NIST API.
-// Without this constraint, PQCLEAN_HQCRMRS192_CLEAN_CRYPTO_SECRETKEYBYTES would be defined as 32
-
-int PQCLEAN_HQCRMRS192_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk);
-
-int PQCLEAN_HQCRMRS192_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk);
-
-int PQCLEAN_HQCRMRS192_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-192/clean/code.c b/crypto_kem/hqc-rmrs-192/clean/code.c
deleted file mode 100644
index 31ec8047..00000000
--- a/crypto_kem/hqc-rmrs-192/clean/code.c
+++ /dev/null
@@ -1,46 +0,0 @@
-#include "code.h"
-#include "parameters.h"
-#include "reed_muller.h"
-#include "reed_solomon.h"
-#include
-#include
-/**
- * @file code.c
- * @brief Implementation of concatenated code
- */
-
-
-
-/**
- *
- * @brief Encoding the message m to a code word em using the concatenated code
- *
- * First we encode the message using the Reed-Solomon code, then with the duplicated Reed-Muller code we obtain
- * a concatenated code word.
- *
- * @param[out] em Pointer to an array that is the tensor code word
- * @param[in] m Pointer to an array that is the message
- */
-void PQCLEAN_HQCRMRS192_CLEAN_code_encode(uint8_t *em, const uint8_t *m) {
- uint8_t tmp[VEC_N1_SIZE_BYTES] = {0};
-
- PQCLEAN_HQCRMRS192_CLEAN_reed_solomon_encode(tmp, m);
- PQCLEAN_HQCRMRS192_CLEAN_reed_muller_encode(em, tmp);
-
-}
-
-
-
-/**
- * @brief Decoding the code word em to a message m using the concatenated code
- *
- * @param[out] m Pointer to an array that is the message
- * @param[in] em Pointer to an array that is the code word
- */
-void PQCLEAN_HQCRMRS192_CLEAN_code_decode(uint8_t *m, const uint8_t *em) {
- uint8_t tmp[VEC_N1_SIZE_BYTES] = {0};
-
- PQCLEAN_HQCRMRS192_CLEAN_reed_muller_decode(tmp, em);
- PQCLEAN_HQCRMRS192_CLEAN_reed_solomon_decode(m, tmp);
-
-}
diff --git a/crypto_kem/hqc-rmrs-192/clean/code.h b/crypto_kem/hqc-rmrs-192/clean/code.h
deleted file mode 100644
index 53bad7bd..00000000
--- a/crypto_kem/hqc-rmrs-192/clean/code.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef CODE_H
-#define CODE_H
-
-
-/**
- * @file code.h
- * Header file of code.c
- */
-#include "parameters.h"
-#include
-#include
-
-void PQCLEAN_HQCRMRS192_CLEAN_code_encode(uint8_t *em, const uint8_t *message);
-
-void PQCLEAN_HQCRMRS192_CLEAN_code_decode(uint8_t *m, const uint8_t *em);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-192/clean/fft.c b/crypto_kem/hqc-rmrs-192/clean/fft.c
deleted file mode 100644
index 62b1c8ba..00000000
--- a/crypto_kem/hqc-rmrs-192/clean/fft.c
+++ /dev/null
@@ -1,351 +0,0 @@
-#include "fft.h"
-#include "gf.h"
-#include "parameters.h"
-#include
-#include
-/**
- * @file fft.c
- * Implementation of the additive FFT and its transpose.
- * This implementation is based on the paper from Gao and Mateer:
- * Shuhong Gao and Todd Mateer, Additive Fast Fourier Transforms over Finite Fields,
- * IEEE Transactions on Information Theory 56 (2010), 6265--6272.
- * http://www.math.clemson.edu/~sgao/papers/GM10.pdf
- * and includes improvements proposed by Bernstein, Chou and Schwabe here: - * https://binary.cr.yp.to/mcbits-20130616.pdf - */ - - -static void compute_fft_betas(uint16_t *betas); -static void compute_subset_sums(uint16_t *subset_sums, const uint16_t *set, uint16_t set_size); -static void radix(uint16_t *f0, uint16_t *f1, const uint16_t *f, uint32_t m_f); -static void radix_big(uint16_t *f0, uint16_t *f1, const uint16_t *f, uint32_t m_f); -static void fft_rec(uint16_t *w, uint16_t *f, size_t f_coeffs, uint8_t m, uint32_t m_f, const uint16_t *betas); - - -/** - * @brief Computes the basis of betas (omitting 1) used in the additive FFT and its transpose - * - * @param[out] betas Array of size PARAM_M-1 - */ -static void compute_fft_betas(uint16_t *betas) { - size_t i; - for (i = 0; i < PARAM_M - 1; ++i) { - betas[i] = 1 << (PARAM_M - 1 - i); - } -} - - - -/** - * @brief Computes the subset sums of the given set - * - * The array subset_sums is such that its ith element is - * the subset sum of the set elements given by the binary form of i. 
- * - * @param[out] subset_sums Array of size 2^set_size receiving the subset sums - * @param[in] set Array of set_size elements - * @param[in] set_size Size of the array set - */ -static void compute_subset_sums(uint16_t *subset_sums, const uint16_t *set, uint16_t set_size) { - uint16_t i, j; - subset_sums[0] = 0; - - for (i = 0; i < set_size; ++i) { - for (j = 0; j < (1 << i); ++j) { - subset_sums[(1 << i) + j] = set[i] ^ subset_sums[j]; - } - } -} - - - -/** - * @brief Computes the radix conversion of a polynomial f in GF(2^m)[x] - * - * Computes f0 and f1 such that f(x) = f0(x^2-x) + x.f1(x^2-x) - * as proposed by Bernstein, Chou and Schwabe: - * https://binary.cr.yp.to/mcbits-20130616.pdf - * - * @param[out] f0 Array half the size of f - * @param[out] f1 Array half the size of f - * @param[in] f Array of size a power of 2 - * @param[in] m_f 2^{m_f} is the smallest power of 2 greater or equal to the number of coefficients of f - */ -static void radix(uint16_t *f0, uint16_t *f1, const uint16_t *f, uint32_t m_f) { - switch (m_f) { - case 4: - f0[4] = f[8] ^ f[12]; - f0[6] = f[12] ^ f[14]; - f0[7] = f[14] ^ f[15]; - f1[5] = f[11] ^ f[13]; - f1[6] = f[13] ^ f[14]; - f1[7] = f[15]; - f0[5] = f[10] ^ f[12] ^ f1[5]; - f1[4] = f[9] ^ f[13] ^ f0[5]; - - f0[0] = f[0]; - f1[3] = f[7] ^ f[11] ^ f[15]; - f0[3] = f[6] ^ f[10] ^ f[14] ^ f1[3]; - f0[2] = f[4] ^ f0[4] ^ f0[3] ^ f1[3]; - f1[1] = f[3] ^ f[5] ^ f[9] ^ f[13] ^ f1[3]; - f1[2] = f[3] ^ f1[1] ^ f0[3]; - f0[1] = f[2] ^ f0[2] ^ f1[1]; - f1[0] = f[1] ^ f0[1]; - break; - - case 3: - f0[0] = f[0]; - f0[2] = f[4] ^ f[6]; - f0[3] = f[6] ^ f[7]; - f1[1] = f[3] ^ f[5] ^ f[7]; - f1[2] = f[5] ^ f[6]; - f1[3] = f[7]; - f0[1] = f[2] ^ f0[2] ^ f1[1]; - f1[0] = f[1] ^ f0[1]; - break; - - case 2: - f0[0] = f[0]; - f0[1] = f[2] ^ f[3]; - f1[0] = f[1] ^ f0[1]; - f1[1] = f[3]; - break; - - case 1: - f0[0] = f[0]; - f1[0] = f[1]; - break; - - default: - radix_big(f0, f1, f, m_f); - break; - } -} - -static void radix_big(uint16_t *f0, 
uint16_t *f1, const uint16_t *f, uint32_t m_f) { - uint16_t Q[2 * (1 << (PARAM_FFT - 2))] = {0}; - uint16_t R[2 * (1 << (PARAM_FFT - 2))] = {0}; - - uint16_t Q0[1 << (PARAM_FFT - 2)] = {0}; - uint16_t Q1[1 << (PARAM_FFT - 2)] = {0}; - uint16_t R0[1 << (PARAM_FFT - 2)] = {0}; - uint16_t R1[1 << (PARAM_FFT - 2)] = {0}; - - size_t i, n; - - n = 1; - n <<= (m_f - 2); - memcpy(Q, f + 3 * n, 2 * n); - memcpy(Q + n, f + 3 * n, 2 * n); - memcpy(R, f, 4 * n); - - for (i = 0; i < n; ++i) { - Q[i] ^= f[2 * n + i]; - R[n + i] ^= Q[i]; - } - - radix(Q0, Q1, Q, m_f - 1); - radix(R0, R1, R, m_f - 1); - - memcpy(f0, R0, 2 * n); - memcpy(f0 + n, Q0, 2 * n); - memcpy(f1, R1, 2 * n); - memcpy(f1 + n, Q1, 2 * n); -} - - - -/** - * @brief Evaluates f at all subset sums of a given set - * - * This function is a subroutine of the function PQCLEAN_HQCRMRS192_CLEAN_fft. - * - * @param[out] w Array - * @param[in] f Array - * @param[in] f_coeffs Number of coefficients of f - * @param[in] m Number of betas - * @param[in] m_f Number of coefficients of f (one more than its degree) - * @param[in] betas FFT constants - */ -static void fft_rec(uint16_t *w, uint16_t *f, size_t f_coeffs, uint8_t m, uint32_t m_f, const uint16_t *betas) { - uint16_t f0[1 << (PARAM_FFT - 2)] = {0}; - uint16_t f1[1 << (PARAM_FFT - 2)] = {0}; - uint16_t gammas[PARAM_M - 2] = {0}; - uint16_t deltas[PARAM_M - 2] = {0}; - uint16_t gammas_sums[1 << (PARAM_M - 2)] = {0}; - uint16_t u[1 << (PARAM_M - 2)] = {0}; - uint16_t v[1 << (PARAM_M - 2)] = {0}; - uint16_t tmp[PARAM_M - (PARAM_FFT - 1)] = {0}; - - uint16_t beta_m_pow; - size_t i, j, k; - size_t x; - - // Step 1 - if (m_f == 1) { - for (i = 0; i < m; ++i) { - tmp[i] = PQCLEAN_HQCRMRS192_CLEAN_gf_mul(betas[i], f[1]); - } - - w[0] = f[0]; - x = 1; - for (j = 0; j < m; ++j) { - for (k = 0; k < x; ++k) { - w[x + k] = w[k] ^ tmp[j]; - } - x <<= 1; - } - - return; - } - - // Step 2: compute g - if (betas[m - 1] != 1) { - beta_m_pow = 1; - x = 1; - x <<= m_f; - for (i = 1; i < x; 
++i) { - beta_m_pow = PQCLEAN_HQCRMRS192_CLEAN_gf_mul(beta_m_pow, betas[m - 1]); - f[i] = PQCLEAN_HQCRMRS192_CLEAN_gf_mul(beta_m_pow, f[i]); - } - } - - // Step 3 - radix(f0, f1, f, m_f); - - // Step 4: compute gammas and deltas - for (i = 0; i + 1 < m; ++i) { - gammas[i] = PQCLEAN_HQCRMRS192_CLEAN_gf_mul(betas[i], PQCLEAN_HQCRMRS192_CLEAN_gf_inverse(betas[m - 1])); - deltas[i] = PQCLEAN_HQCRMRS192_CLEAN_gf_square(gammas[i]) ^ gammas[i]; - } - - // Compute gammas sums - compute_subset_sums(gammas_sums, gammas, m - 1); - - // Step 5 - fft_rec(u, f0, (f_coeffs + 1) / 2, m - 1, m_f - 1, deltas); - - k = 1; - k <<= ((m - 1) & 0xf); // &0xf is to let the compiler know that m-1 is small. - if (f_coeffs <= 3) { // 3-coefficient polynomial f case: f1 is constant - w[0] = u[0]; - w[k] = u[0] ^ f1[0]; - for (i = 1; i < k; ++i) { - w[i] = u[i] ^ PQCLEAN_HQCRMRS192_CLEAN_gf_mul(gammas_sums[i], f1[0]); - w[k + i] = w[i] ^ f1[0]; - } - } else { - fft_rec(v, f1, f_coeffs / 2, m - 1, m_f - 1, deltas); - - // Step 6 - memcpy(w + k, v, 2 * k); - w[0] = u[0]; - w[k] ^= u[0]; - for (i = 1; i < k; ++i) { - w[i] = u[i] ^ PQCLEAN_HQCRMRS192_CLEAN_gf_mul(gammas_sums[i], v[i]); - w[k + i] ^= w[i]; - } - } -} - - - -/** - * @brief Evaluates f on all fields elements using an additive FFT algorithm - * - * f_coeffs is the number of coefficients of f (one less than its degree).
- * The FFT proceeds recursively to evaluate f at all subset sums of a basis B.
- * This implementation is based on the paper from Gao and Mateer:
- * Shuhong Gao and Todd Mateer, Additive Fast Fourier Transforms over Finite Fields,
- * IEEE Transactions on Information Theory 56 (2010), 6265--6272.
- * http://www.math.clemson.edu/~sgao/papers/GM10.pdf
- * and includes improvements proposed by Bernstein, Chou and Schwabe here:
- * https://binary.cr.yp.to/mcbits-20130616.pdf
- * Note that on this first call (as opposed to the recursive calls to fft_rec), gammas are equal to betas,
- * meaning the first gammas subset sums are actually the subset sums of betas (except 1).
- * Also note that f is altered during computation (twisted at each level). - * - * @param[out] w Array - * @param[in] f Array of 2^PARAM_FFT elements - * @param[in] f_coeffs Number coefficients of f (i.e. deg(f)+1) - */ -void PQCLEAN_HQCRMRS192_CLEAN_fft(uint16_t *w, const uint16_t *f, size_t f_coeffs) { - uint16_t betas[PARAM_M - 1] = {0}; - uint16_t betas_sums[1 << (PARAM_M - 1)] = {0}; - uint16_t f0[1 << (PARAM_FFT - 1)] = {0}; - uint16_t f1[1 << (PARAM_FFT - 1)] = {0}; - uint16_t deltas[PARAM_M - 1] = {0}; - uint16_t u[1 << (PARAM_M - 1)] = {0}; - uint16_t v[1 << (PARAM_M - 1)] = {0}; - - size_t i, k; - - // Follows Gao and Mateer algorithm - compute_fft_betas(betas); - - // Step 1: PARAM_FFT > 1, nothing to do - - // Compute gammas sums - compute_subset_sums(betas_sums, betas, PARAM_M - 1); - - // Step 2: beta_m = 1, nothing to do - - // Step 3 - radix(f0, f1, f, PARAM_FFT); - - // Step 4: Compute deltas - for (i = 0; i < PARAM_M - 1; ++i) { - deltas[i] = PQCLEAN_HQCRMRS192_CLEAN_gf_square(betas[i]) ^ betas[i]; - } - - // Step 5 - fft_rec(u, f0, (f_coeffs + 1) / 2, PARAM_M - 1, PARAM_FFT - 1, deltas); - fft_rec(v, f1, f_coeffs / 2, PARAM_M - 1, PARAM_FFT - 1, deltas); - - k = 1 << (PARAM_M - 1); - // Step 6, 7 and error polynomial computation - memcpy(w + k, v, 2 * k); - - // Check if 0 is root - w[0] = u[0]; - - // Check if 1 is root - w[k] ^= u[0]; - - // Find other roots - for (i = 1; i < k; ++i) { - w[i] = u[i] ^ PQCLEAN_HQCRMRS192_CLEAN_gf_mul(betas_sums[i], v[i]); - w[k + i] ^= w[i]; - } -} - - - -/** - * @brief Retrieves the error polynomial error from the evaluations w of the ELP (Error Locator Polynomial) on all field elements. 
- * - * @param[out] error Array with the error - * @param[out] error_compact Array with the error in a compact form - * @param[in] w Array of size 2^PARAM_M - */ -void PQCLEAN_HQCRMRS192_CLEAN_fft_retrieve_error_poly(uint8_t *error, const uint16_t *w) { - uint16_t gammas[PARAM_M - 1] = {0}; - uint16_t gammas_sums[1 << (PARAM_M - 1)] = {0}; - uint16_t k; - size_t i, index; - - compute_fft_betas(gammas); - compute_subset_sums(gammas_sums, gammas, PARAM_M - 1); - - k = 1 << (PARAM_M - 1); - error[0] ^= 1 ^ ((uint16_t) - w[0] >> 15); - error[0] ^= 1 ^ ((uint16_t) - w[k] >> 15); - - for (i = 1; i < k; ++i) { - index = PARAM_GF_MUL_ORDER - gf_log[gammas_sums[i]]; - error[index] ^= 1 ^ ((uint16_t) - w[i] >> 15); - - index = PARAM_GF_MUL_ORDER - gf_log[gammas_sums[i] ^ 1]; - error[index] ^= 1 ^ ((uint16_t) - w[k + i] >> 15); - } -} diff --git a/crypto_kem/hqc-rmrs-192/clean/fft.h b/crypto_kem/hqc-rmrs-192/clean/fft.h deleted file mode 100644 index 7e8f8bc1..00000000 --- a/crypto_kem/hqc-rmrs-192/clean/fft.h +++ /dev/null @@ -1,18 +0,0 @@ -#ifndef FFT_H -#define FFT_H - - -/** - * @file fft.h - * Header file of fft.c - */ - -#include -#include - -void PQCLEAN_HQCRMRS192_CLEAN_fft(uint16_t *w, const uint16_t *f, size_t f_coeffs); - -void PQCLEAN_HQCRMRS192_CLEAN_fft_retrieve_error_poly(uint8_t *error, const uint16_t *w); - - -#endif diff --git a/crypto_kem/hqc-rmrs-192/clean/gf.c b/crypto_kem/hqc-rmrs-192/clean/gf.c deleted file mode 100644 index b209032e..00000000 --- a/crypto_kem/hqc-rmrs-192/clean/gf.c +++ /dev/null 
@@ -1,63 +0,0 @@
-#include "gf.h"
-#include "parameters.h"
-#include
-/**
- * @file gf.c
- * Galois field implementation with multiplication using lookup tables
- */
-
-
-/**
- * @brief Multiplies nonzero element a by element b
- * @returns the product a*b
- * @param[in] a First element of GF(2^PARAM_M) to multiply (cannot be zero)
- * @param[in] b Second element of GF(2^PARAM_M) to multiply (cannot be zero)
- */
-uint16_t PQCLEAN_HQCRMRS192_CLEAN_gf_mul(uint16_t a, uint16_t b) {
- uint16_t mask;
- mask = (uint16_t) (-((int32_t) a) >> 31); // a != 0
- mask &= (uint16_t) (-((int32_t) b) >> 31); // b != 0
- return mask & gf_exp[PQCLEAN_HQCRMRS192_CLEAN_gf_mod(gf_log[a] + gf_log[b])];
-}
-
-
-
-/**
- * @brief Squares an element of GF(2^PARAM_M)
- * @returns a^2
- * @param[in] a Element of GF(2^PARAM_M)
- */
-uint16_t PQCLEAN_HQCRMRS192_CLEAN_gf_square(uint16_t a) {
- int16_t mask = (uint16_t) (-((int32_t) a) >> 31); // a != 0
- return mask & gf_exp[PQCLEAN_HQCRMRS192_CLEAN_gf_mod(2 * gf_log[a])];
-}
-
-
-
-/**
- * @brief Computes the inverse of an element of GF(2^PARAM_M)
- * @returns the inverse of a
- * @param[in] a Element of GF(2^PARAM_M)
- */
-uint16_t PQCLEAN_HQCRMRS192_CLEAN_gf_inverse(uint16_t a) {
- int16_t mask = (uint16_t) (-((int32_t) a) >> 31); // a != 0
- return mask & gf_exp[PARAM_GF_MUL_ORDER - gf_log[a]];
-}
-
-
-
-/**
- * @brief Returns i modulo 2^PARAM_M-1
- * i must be less than 2*(2^PARAM_M-1).
- * Therefore, the return value is either i or i-2^PARAM_M+1.
- * @returns i mod (2^PARAM_M-1)
- * @param[in] i The integer whose modulo is taken
- */
-uint16_t PQCLEAN_HQCRMRS192_CLEAN_gf_mod(uint16_t i) {
- uint16_t tmp = (uint16_t) (i - PARAM_GF_MUL_ORDER);
-
- // mask = 0xffff if(i < PARAM_GF_MUL_ORDER)
- uint16_t mask = -(tmp >> 15);
-
- return tmp + (mask & PARAM_GF_MUL_ORDER);
-}
diff --git a/crypto_kem/hqc-rmrs-192/clean/gf.h b/crypto_kem/hqc-rmrs-192/clean/gf.h
deleted file mode 100644
index 427198db..00000000
--- a/crypto_kem/hqc-rmrs-192/clean/gf.h
+++ /dev/null
@@ -1,39 +0,0 @@ -#ifndef GF_H -#define GF_H - - -/** - * @file gf.h - * Header file of gf.c - */ - -#include -#include - - -/** - * Powers of the root alpha of 1 + x^2 + x^3 + x^4 + x^8. - * The last two elements are needed by the PQCLEAN_HQCRMRS192_CLEAN_gf_mul function - * (for example if both elements to multiply are zero). - */ -static const uint16_t gf_exp[258] = { 1, 2, 4, 8, 16, 32, 64, 128, 29, 58, 116, 232, 205, 135, 19, 38, 76, 152, 45, 90, 180, 117, 234, 201, 143, 3, 6, 12, 24, 48, 96, 192, 157, 39, 78, 156, 37, 74, 148, 53, 106, 212, 181, 119, 238, 193, 159, 35, 70, 140, 5, 10, 20, 40, 80, 160, 93, 186, 105, 210, 185, 111, 222, 161, 95, 190, 97, 194, 153, 47, 94, 188, 101, 202, 137, 15, 30, 60, 120, 240, 253, 231, 211, 187, 107, 214, 177, 127, 254, 225, 223, 163, 91, 182, 113, 226, 217, 175, 67, 134, 17, 34, 68, 136, 13, 26, 52, 104, 208, 189, 103, 206, 129, 31, 62, 124, 248, 237, 199, 147, 59, 118, 236, 197, 151, 51, 102, 204, 133, 23, 46, 92, 184, 109, 218, 169, 79, 158, 33, 66, 132, 21, 42, 84, 168, 77, 154, 41, 82, 164, 85, 170, 73, 146, 57, 114, 228, 213, 183, 115, 230, 209, 191, 99, 198, 145, 63, 126, 252, 229, 215, 179, 123, 246, 241, 255, 227, 219, 171, 75, 150, 49, 98, 196, 149, 55, 110, 220, 165, 87, 174, 65, 130, 25, 50, 100, 200, 141, 7, 14, 28, 56, 112, 224, 221, 167, 83, 166, 81, 162, 89, 178, 121, 242, 249, 239, 195, 155, 43, 86, 172, 69, 138, 9, 18, 36, 72, 144, 61, 122, 244, 245, 247, 243, 251, 235, 203, 139, 11, 22, 44, 88, 176, 125, 250, 233, 207, 131, 27, 54, 108, 216, 173, 71, 142, 1, 2, 4 }; - - - -/** - * Logarithm of elements of GF(2^8) to the base alpha (root of 1 + x^2 + x^3 + x^4 + x^8). - * The logarithm of 0 is set to 0 by convention. 
- */ -static const uint16_t gf_log[256] = { 0, 0, 1, 25, 2, 50, 26, 198, 3, 223, 51, 238, 27, 104, 199, 75, 4, 100, 224, 14, 52, 141, 239, 129, 28, 193, 105, 248, 200, 8, 76, 113, 5, 138, 101, 47, 225, 36, 15, 33, 53, 147, 142, 218, 240, 18, 130, 69, 29, 181, 194, 125, 106, 39, 249, 185, 201, 154, 9, 120, 77, 228, 114, 166, 6, 191, 139, 98, 102, 221, 48, 253, 226, 152, 37, 179, 16, 145, 34, 136, 54, 208, 148, 206, 143, 150, 219, 189, 241, 210, 19, 92, 131, 56, 70, 64, 30, 66, 182, 163, 195, 72, 126, 110, 107, 58, 40, 84, 250, 133, 186, 61, 202, 94, 155, 159, 10, 21, 121, 43, 78, 212, 229, 172, 115, 243, 167, 87, 7, 112, 192, 247, 140, 128, 99, 13, 103, 74, 222, 237, 49, 197, 254, 24, 227, 165, 153, 119, 38, 184, 180, 124, 17, 68, 146, 217, 35, 32, 137, 46, 55, 63, 209, 91, 149, 188, 207, 205, 144, 135, 151, 178, 220, 252, 190, 97, 242, 86, 211, 171, 20, 42, 93, 158, 132, 60, 57, 83, 71, 109, 65, 162, 31, 45, 67, 216, 183, 123, 164, 118, 196, 23, 73, 236, 127, 12, 111, 246, 108, 161, 59, 82, 41, 157, 85, 170, 251, 96, 134, 177, 187, 204, 62, 90, 203, 89, 95, 176, 156, 169, 160, 81, 11, 245, 22, 235, 122, 117, 44, 215, 79, 174, 213, 233, 230, 231, 173, 232, 116, 214, 244, 234, 168, 80, 88, 175 }; - - -uint16_t PQCLEAN_HQCRMRS192_CLEAN_gf_mul(uint16_t a, uint16_t b); - -uint16_t PQCLEAN_HQCRMRS192_CLEAN_gf_square(uint16_t a); - -uint16_t PQCLEAN_HQCRMRS192_CLEAN_gf_inverse(uint16_t a); - -uint16_t PQCLEAN_HQCRMRS192_CLEAN_gf_mod(uint16_t i); - - -#endif diff --git a/crypto_kem/hqc-rmrs-192/clean/gf2x.c b/crypto_kem/hqc-rmrs-192/clean/gf2x.c deleted file mode 100644 index 89374761..00000000 --- a/crypto_kem/hqc-rmrs-192/clean/gf2x.c +++ /dev/null 
@@ -1,154 +0,0 @@
-#include "gf2x.h"
-#include "nistseedexpander.h"
-#include "parameters.h"
-#include "parsing.h"
-#include "randombytes.h"
-#include
-/**
- * \file gf2x.c
- * \brief Implementation of multiplication of two polynomials
- */
-
-
-static inline void swap(uint16_t *tab, uint16_t elt1, uint16_t elt2);
-static void reduce(uint64_t *o, const uint64_t *a);
-static void fast_convolution_mult(uint8_t *o, const uint32_t *a1, const uint64_t *a2, uint16_t weight, AES_XOF_struct *ctx);
-
-/**
- * @brief swap two elements in a table
- *
- * This function exchanges tab[elt1] with tab[elt2]
- *
- * @param[in] tab Pointer to the table
- * @param[in] elt1 Index of the first element
- * @param[in] elt2 Index of the second element
- */
-static inline void swap(uint16_t *tab, uint16_t elt1, uint16_t elt2) {
- uint16_t tmp = tab[elt1];
-
- tab[elt1] = tab[elt2];
- tab[elt2] = tmp;
-}
-
-
-
-/**
- * @brief Compute o(x) = a(x) mod \f$ X^n - 1\f$
- *
- * This function computes the modular reduction of the polynomial a(x)
- *
- * @param[in] a Pointer to the polynomial a(x)
- * @param[out] o Pointer to the result
- */
-static void reduce(uint64_t *o, const uint64_t *a) {
- size_t i;
- uint64_t r;
- uint64_t carry;
-
- for (i = 0; i < VEC_N_SIZE_64; i++) {
- r = a[i + VEC_N_SIZE_64 - 1] >> (PARAM_N & 63);
- carry = (uint64_t) (a[i + VEC_N_SIZE_64] << (64 - (PARAM_N & 63)));
- o[i] = a[i] ^ r ^ carry;
- }
-
- o[VEC_N_SIZE_64 - 1] &= RED_MASK;
-}
-
-
-
-/**
- * @brief computes product of the polynomial a1(x) with the sparse polynomial a2
- *
- * o(x) = a1(x)a2(x)
- *
- * @param[out] o Pointer to the result
- * @param[in] a1 Pointer to the sparse polynomial a2 (list of degrees of the monomials which appear in a2)
- * @param[in] a2 Pointer to the polynomial a1(x)
- * @param[in] weight Hamming wifht of the sparse polynomial a2
- * @param[in] ctx Pointer to a seed expander used to randomize the multiplication process
- */
-static void fast_convolution_mult(uint8_t *o, const uint32_t *a1, const uint64_t *a2, uint16_t weight, AES_XOF_struct *ctx) {
-//static uint32_t fast_convolution_mult(const uint64_t *A, const uint32_t *vB, uint64_t *C, const uint16_t w, AES_XOF_struct *ctx)
- uint64_t carry;
- uint32_t dec, s;
- uint64_t table[16 * (VEC_N_SIZE_64 + 1)];
- uint16_t permuted_table[16];
- uint16_t permutation_table[16];
- uint16_t permuted_sparse_vect[PARAM_OMEGA_E];
- uint16_t permutation_sparse_vect[PARAM_OMEGA_E];
- uint64_t tmp;
- uint64_t *pt;
- uint8_t *res;
- size_t i, j;
-
- for (i = 0; i < 16; i++) {
- permuted_table[i] = (uint16_t) i;
- }
-
- seedexpander(ctx, (uint8_t *) permutation_table, 16 * sizeof(uint16_t));
-
- for (i = 0; i < 15; i++) {
- swap(permuted_table + i, 0, permutation_table[i] % (16 - i));
- }
-
- pt = table + (permuted_table[0] * (VEC_N_SIZE_64 + 1));
- for (j = 0; j < VEC_N_SIZE_64; j++) {
- pt[j] = a2[j];
- }
- pt[VEC_N_SIZE_64] = 0x0;
-
- for (i = 1; i < 16; i++) {
- carry = 0;
- pt = table + (permuted_table[i] * (VEC_N_SIZE_64 + 1));
- for (j = 0; j < VEC_N_SIZE_64; j++) {
- pt[j] = (a2[j] << i) ^ carry;
- carry = (a2[j] >> ((64 - i)));
- }
- pt[VEC_N_SIZE_64] = carry;
- }
-
- for (i = 0; i < weight; i++) {
- permuted_sparse_vect[i] = (uint16_t) i;
- }
-
- seedexpander(ctx, (uint8_t *) permutation_sparse_vect, weight * sizeof(uint16_t));
-
- for (i = 0; i + 1 < weight; i++) {
- swap(permuted_sparse_vect + i, 0, (uint16_t) (permutation_sparse_vect[i] % (weight - i)));
- }
-
- for (i = 0; i < weight; i++) {
- dec = a1[permuted_sparse_vect[i]] & 0xf;
- s = a1[permuted_sparse_vect[i]] >> 4;
- res = o + 2 * s;
- pt = table + (permuted_table[dec] * (VEC_N_SIZE_64 + 1));
-
- for (j = 0; j < VEC_N_SIZE_64 + 1; j++) {
- tmp = PQCLEAN_HQCRMRS192_CLEAN_load8(res);
- PQCLEAN_HQCRMRS192_CLEAN_store8(res, tmp ^ pt[j]);
- res += 8;
- }
- }
-}
-
-
-
-/**
- * @brief Multiply two polynomials modulo \f$ X^n - 1\f$.
- *
- * This functions multiplies a sparse polynomial a1 (of Hamming weight equal to weight)
- * and a dense polynomial a2. The multiplication is done modulo \f$ X^n - 1\f$.
- *
- * @param[out] o Pointer to the result
- * @param[in] a1 Pointer to the sparse polynomial
- * @param[in] a2 Pointer to the dense polynomial
- * @param[in] weight Integer that is the weigt of the sparse polynomial
- * @param[in] ctx Pointer to the randomness context
- */
-void PQCLEAN_HQCRMRS192_CLEAN_vect_mul(uint64_t *o, const uint32_t *a1, const uint64_t *a2, uint16_t weight, AES_XOF_struct *ctx) {
- uint64_t tmp[2 * VEC_N_SIZE_64 + 1] = {0};
-
- fast_convolution_mult((uint8_t *) tmp, a1, a2, weight, ctx);
- PQCLEAN_HQCRMRS192_CLEAN_load8_arr(tmp, 2 * VEC_N_SIZE_64 + 1, (uint8_t *) tmp, sizeof(tmp));
- reduce(o, tmp);
-}
diff --git a/crypto_kem/hqc-rmrs-192/clean/gf2x.h b/crypto_kem/hqc-rmrs-192/clean/gf2x.h
deleted file mode 100644
index fc4fdd4b..00000000
--- a/crypto_kem/hqc-rmrs-192/clean/gf2x.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef GF2X_H
-#define GF2X_H
-
-
-/**
- * @file gf2x.h
- * @brief Header file for gf2x.c
- */
-#include "nistseedexpander.h"
-#include "randombytes.h"
-#include
-
-void PQCLEAN_HQCRMRS192_CLEAN_vect_mul(uint64_t *o, const uint32_t *a1, const uint64_t *a2, uint16_t weight, AES_XOF_struct *ctx);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-192/clean/hqc.c b/crypto_kem/hqc-rmrs-192/clean/hqc.c
deleted file mode 100644
index 183cd378..00000000
--- a/crypto_kem/hqc-rmrs-192/clean/hqc.c
+++ /dev/null
@@ -1,144 +0,0 @@
-#include "code.h"
-#include "gf2x.h"
-#include "hqc.h"
-#include "nistseedexpander.h"
-#include "parameters.h"
-#include "parsing.h"
-#include "randombytes.h"
-#include "vector.h"
-#include
-/**
- * @file hqc.c
- * @brief Implementation of hqc.h
- */
-
-
-
-/**
- * @brief Keygen of the HQC_PKE IND_CPA scheme
- *
- * The public key is composed of the syndrome s as well as the seed used to generate the vector h.
- *
- * The secret key is composed of the seed used to generate vectors x and y.
- * As a technicality, the public key is appended to the secret key in order to respect NIST API.
- *
- * @param[out] pk String containing the public key
- * @param[out] sk String containing the secret key
- */
-void PQCLEAN_HQCRMRS192_CLEAN_hqc_pke_keygen(unsigned char *pk, unsigned char *sk) {
- AES_XOF_struct sk_seedexpander;
- AES_XOF_struct pk_seedexpander;
- uint8_t sk_seed[SEED_BYTES] = {0};
- uint8_t pk_seed[SEED_BYTES] = {0};
- uint64_t x[VEC_N_SIZE_64] = {0};
- uint32_t y[PARAM_OMEGA] = {0};
- uint64_t h[VEC_N_SIZE_64] = {0};
- uint64_t s[VEC_N_SIZE_64] = {0};
-
- // Create seed_expanders for public key and secret key
- randombytes(sk_seed, SEED_BYTES);
- seedexpander_init(&sk_seedexpander, sk_seed, sk_seed + 32, SEEDEXPANDER_MAX_LENGTH);
-
- randombytes(pk_seed, SEED_BYTES);
- seedexpander_init(&pk_seedexpander, pk_seed, pk_seed + 32, SEEDEXPANDER_MAX_LENGTH);
-
- // Compute secret key
- PQCLEAN_HQCRMRS192_CLEAN_vect_set_random_fixed_weight(&sk_seedexpander, x, PARAM_OMEGA);
- PQCLEAN_HQCRMRS192_CLEAN_vect_set_random_fixed_weight_by_coordinates(&sk_seedexpander, y, PARAM_OMEGA);
-
- // Compute public key
- PQCLEAN_HQCRMRS192_CLEAN_vect_set_random(&pk_seedexpander, h);
- PQCLEAN_HQCRMRS192_CLEAN_vect_mul(s, y, h, PARAM_OMEGA, &sk_seedexpander);
- PQCLEAN_HQCRMRS192_CLEAN_vect_add(s, x, s, VEC_N_SIZE_64);
-
- // Parse keys to string
- PQCLEAN_HQCRMRS192_CLEAN_hqc_public_key_to_string(pk, pk_seed, s);
- PQCLEAN_HQCRMRS192_CLEAN_hqc_secret_key_to_string(sk, sk_seed, pk);
-
-}
-
-
-
-/**
- * @brief Encryption of the HQC_PKE IND_CPA scheme
- *
- * The cihertext is composed of vectors u and v.
- *
- * @param[out] u Vector u (first part of the ciphertext)
- * @param[out] v Vector v (second part of the ciphertext)
- * @param[in] m Vector representing the message to encrypt
- * @param[in] theta Seed used to derive randomness required for encryption
- * @param[in] pk String containing the public key
- */
-void PQCLEAN_HQCRMRS192_CLEAN_hqc_pke_encrypt(uint64_t *u, uint64_t *v, uint8_t *m, unsigned char *theta, const unsigned char *pk) {
- AES_XOF_struct seedexpander;
- uint64_t h[VEC_N_SIZE_64] = {0};
- uint64_t s[VEC_N_SIZE_64] = {0};
- uint64_t r1[VEC_N_SIZE_64] = {0};
- uint32_t r2[PARAM_OMEGA_R] = {0};
- uint64_t e[VEC_N_SIZE_64] = {0};
- uint64_t tmp1[VEC_N_SIZE_64] = {0};
- uint64_t tmp2[VEC_N_SIZE_64] = {0};
-
- // Create seed_expander from theta
- seedexpander_init(&seedexpander, theta, theta + 32, SEEDEXPANDER_MAX_LENGTH);
-
- // Retrieve h and s from public key
- PQCLEAN_HQCRMRS192_CLEAN_hqc_public_key_from_string(h, s, pk);
-
- // Generate r1, r2 and e
- PQCLEAN_HQCRMRS192_CLEAN_vect_set_random_fixed_weight(&seedexpander, r1, PARAM_OMEGA_R);
- PQCLEAN_HQCRMRS192_CLEAN_vect_set_random_fixed_weight_by_coordinates(&seedexpander, r2, PARAM_OMEGA_R);
- PQCLEAN_HQCRMRS192_CLEAN_vect_set_random_fixed_weight(&seedexpander, e, PARAM_OMEGA_E);
-
- // Compute u = r1 + r2.h
- PQCLEAN_HQCRMRS192_CLEAN_vect_mul(u, r2, h, PARAM_OMEGA_R, &seedexpander);
- PQCLEAN_HQCRMRS192_CLEAN_vect_add(u, r1, u, VEC_N_SIZE_64);
-
- // Compute v = m.G by encoding the message
- PQCLEAN_HQCRMRS192_CLEAN_code_encode((uint8_t *)v, m);
- PQCLEAN_HQCRMRS192_CLEAN_load8_arr(v, VEC_N1N2_SIZE_64, (uint8_t *)v, VEC_N1N2_SIZE_BYTES);
- PQCLEAN_HQCRMRS192_CLEAN_vect_resize(tmp1, PARAM_N, v, PARAM_N1N2);
-
- // Compute v = m.G + s.r2 + e
- PQCLEAN_HQCRMRS192_CLEAN_vect_mul(tmp2, r2, s, PARAM_OMEGA_R, &seedexpander);
- PQCLEAN_HQCRMRS192_CLEAN_vect_add(tmp2, e, tmp2, VEC_N_SIZE_64);
- PQCLEAN_HQCRMRS192_CLEAN_vect_add(tmp2, tmp1, tmp2, VEC_N_SIZE_64);
- PQCLEAN_HQCRMRS192_CLEAN_vect_resize(v, PARAM_N1N2, tmp2, PARAM_N);
-
-}
-
-
-
-/**
- * @brief Decryption of the HQC_PKE IND_CPA scheme
- *
- * @param[out] m Vector representing the decrypted message
- * @param[in] u Vector u (first part of the ciphertext)
- * @param[in] v Vector v (second part of the ciphertext)
- * @param[in] sk String containing the secret key
- */
-void PQCLEAN_HQCRMRS192_CLEAN_hqc_pke_decrypt(uint8_t *m, const uint64_t *u, const uint64_t *v, const unsigned char *sk) {
- uint8_t pk[PUBLIC_KEY_BYTES] = {0};
- uint64_t tmp1[VEC_N_SIZE_64] = {0};
- uint64_t tmp2[VEC_N_SIZE_64] = {0};
- uint32_t y[PARAM_OMEGA] = {0};
- AES_XOF_struct perm_seedexpander;
- uint8_t perm_seed[SEED_BYTES] = {0};
-
- // Retrieve x, y, pk from secret key
- PQCLEAN_HQCRMRS192_CLEAN_hqc_secret_key_from_string(tmp1, y, pk, sk);
-
- randombytes(perm_seed, SEED_BYTES);
- seedexpander_init(&perm_seedexpander, perm_seed, perm_seed + 32, SEEDEXPANDER_MAX_LENGTH);
-
- // Compute v - u.y
- PQCLEAN_HQCRMRS192_CLEAN_vect_resize(tmp1, PARAM_N, v, PARAM_N1N2);
- PQCLEAN_HQCRMRS192_CLEAN_vect_mul(tmp2, y, u, PARAM_OMEGA, &perm_seedexpander);
- PQCLEAN_HQCRMRS192_CLEAN_vect_add(tmp2, tmp1, tmp2, VEC_N_SIZE_64);
-
-
- // Compute m by decoding v - u.y
- PQCLEAN_HQCRMRS192_CLEAN_store8_arr((uint8_t *)tmp1, VEC_N_SIZE_BYTES, tmp2, VEC_N_SIZE_64);
- PQCLEAN_HQCRMRS192_CLEAN_code_decode(m, (uint8_t *)tmp1);
-}
diff --git a/crypto_kem/hqc-rmrs-192/clean/hqc.h b/crypto_kem/hqc-rmrs-192/clean/hqc.h
deleted file mode 100644
index 4aa01aae..00000000
--- a/crypto_kem/hqc-rmrs-192/clean/hqc.h
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef HQC_H
-#define HQC_H
-
-
-/**
- * @file hqc.h
- * @brief Functions of the HQC_PKE IND_CPA scheme
- */
-
-#include
-
-void PQCLEAN_HQCRMRS192_CLEAN_hqc_pke_keygen(unsigned char *pk, unsigned char *sk);
-
-void PQCLEAN_HQCRMRS192_CLEAN_hqc_pke_encrypt(uint64_t *u, uint64_t *v, uint8_t *m, unsigned char *theta, const unsigned char *pk);
-
-void PQCLEAN_HQCRMRS192_CLEAN_hqc_pke_decrypt(uint8_t *m, const uint64_t *u, const uint64_t *v, const unsigned char *sk);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-192/clean/kem.c b/crypto_kem/hqc-rmrs-192/clean/kem.c
deleted file mode 100644
index 10f2f9a0..00000000
--- a/crypto_kem/hqc-rmrs-192/clean/kem.c
+++ /dev/null
@@ -1,140 +0,0 @@
-#include "api.h"
-#include "fips202.h"
-#include "hqc.h"
-#include "nistseedexpander.h"
-#include "parameters.h"
-#include "parsing.h"
-#include "randombytes.h"
-#include "sha2.h"
-#include "vector.h"
-#include
-#include
-/**
- * @file kem.c
- * @brief Implementation of api.h
- */
-
-
-
-/**
- * @brief Keygen of the HQC_KEM IND_CAA2 scheme
- *
- * The public key is composed of the syndrome s as well as the seed used to generate the vector h.
- *
- * The secret key is composed of the seed used to generate vectors x and y.
- * As a technicality, the public key is appended to the secret key in order to respect NIST API.
- *
- * @param[out] pk String containing the public key
- * @param[out] sk String containing the secret key
- * @returns 0 if keygen is successful
- */
-int PQCLEAN_HQCRMRS192_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) {
-
- PQCLEAN_HQCRMRS192_CLEAN_hqc_pke_keygen(pk, sk);
- return 0;
-}
-
-
-
-/**
- * @brief Encapsulation of the HQC_KEM IND_CAA2 scheme
- *
- * @param[out] ct String containing the ciphertext
- * @param[out] ss String containing the shared secret
- * @param[in] pk String containing the public key
- * @returns 0 if encapsulation is successful
- */
-int PQCLEAN_HQCRMRS192_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) {
-
- uint8_t theta[SHA512_BYTES] = {0};
- uint8_t m[VEC_K_SIZE_BYTES] = {0};
- uint64_t u[VEC_N_SIZE_64] = {0};
- uint64_t v[VEC_N1N2_SIZE_64] = {0};
- unsigned char d[SHA512_BYTES] = {0};
- unsigned char mc[VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES] = {0};
-
- // Computing m
- randombytes(m, VEC_K_SIZE_BYTES);
-
- // Computing theta
- sha3_512(theta, m, VEC_K_SIZE_BYTES);
-
- // Encrypting m
- PQCLEAN_HQCRMRS192_CLEAN_hqc_pke_encrypt(u, v, m, theta, pk);
-
- // Computing d
- sha512(d, m, VEC_K_SIZE_BYTES);
-
- // Computing shared secret
- memcpy(mc, m, VEC_K_SIZE_BYTES);
- PQCLEAN_HQCRMRS192_CLEAN_store8_arr(mc + VEC_K_SIZE_BYTES, VEC_N_SIZE_BYTES, u, VEC_N_SIZE_64);
- PQCLEAN_HQCRMRS192_CLEAN_store8_arr(mc + VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES, VEC_N1N2_SIZE_BYTES, v, VEC_N1N2_SIZE_64);
- sha512(ss, mc, VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES);
-
- // Computing ciphertext
- PQCLEAN_HQCRMRS192_CLEAN_hqc_ciphertext_to_string(ct, u, v, d);
-
-
- return 0;
-}
-
-
-
-/**
- * @brief Decapsulation of the HQC_KEM IND_CAA2 scheme
- *
- * @param[out] ss String containing the shared secret
- * @param[in] ct String containing the cipĥertext
- * @param[in] sk String containing the secret key
- * @returns 0 if decapsulation is successful, -1 otherwise
- */
-int PQCLEAN_HQCRMRS192_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) {
-
- uint8_t result;
- uint64_t u[VEC_N_SIZE_64] = {0};
- uint64_t v[VEC_N1N2_SIZE_64] = {0};
- unsigned char d[SHA512_BYTES] = {0};
- unsigned char pk[PUBLIC_KEY_BYTES] = {0};
- uint8_t m[VEC_K_SIZE_BYTES] = {0};
- uint8_t theta[SHA512_BYTES] = {0};
- uint64_t u2[VEC_N_SIZE_64] = {0};
- uint64_t v2[VEC_N1N2_SIZE_64] = {0};
- unsigned char d2[SHA512_BYTES] = {0};
- unsigned char mc[VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES] = {0};
-
- // Retrieving u, v and d from ciphertext
- PQCLEAN_HQCRMRS192_CLEAN_hqc_ciphertext_from_string(u, v, d, ct);
-
- // Retrieving pk from sk
- memcpy(pk, sk + SEED_BYTES, PUBLIC_KEY_BYTES);
-
- // Decryting
- PQCLEAN_HQCRMRS192_CLEAN_hqc_pke_decrypt(m, u, v, sk);
-
- // Computing theta
- sha3_512(theta, m, VEC_K_SIZE_BYTES);
-
- // Encrypting m'
- PQCLEAN_HQCRMRS192_CLEAN_hqc_pke_encrypt(u2, v2, m, theta, pk);
-
- // Computing d'
- sha512(d2, m, VEC_K_SIZE_BYTES);
-
- // Computing shared secret
- memcpy(mc, m, VEC_K_SIZE_BYTES);
- PQCLEAN_HQCRMRS192_CLEAN_store8_arr(mc + VEC_K_SIZE_BYTES, VEC_N_SIZE_BYTES, u, VEC_N_SIZE_64);
- PQCLEAN_HQCRMRS192_CLEAN_store8_arr(mc + VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES, VEC_N1N2_SIZE_BYTES, v, VEC_N1N2_SIZE_64);
- sha512(ss, mc, VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES);
-
- // Abort if c != c' or d != d'
- result = PQCLEAN_HQCRMRS192_CLEAN_vect_compare((uint8_t *)u, (uint8_t *)u2, VEC_N_SIZE_BYTES);
- result |= PQCLEAN_HQCRMRS192_CLEAN_vect_compare((uint8_t *)v, (uint8_t *)v2, VEC_N1N2_SIZE_BYTES);
- result |= PQCLEAN_HQCRMRS192_CLEAN_vect_compare(d, d2, SHA512_BYTES);
- result = (uint8_t) (-((int16_t) result) >> 15);
- for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) {
- ss[i] &= ~result;
- }
-
-
- return -(result & 1);
-}
diff --git a/crypto_kem/hqc-rmrs-192/clean/parameters.h b/crypto_kem/hqc-rmrs-192/clean/parameters.h
deleted file mode 100644
index e47f86eb..00000000
--- a/crypto_kem/hqc-rmrs-192/clean/parameters.h
+++ /dev/null
@@ -1,98 +0,0 @@
-#ifndef HQC_PARAMETERS_H
-#define HQC_PARAMETERS_H
-
-
-/**
- * @file parameters.h
- * @brief Parameters of the HQC_KEM IND-CCA2 scheme
- */
-#include "api.h"
-
-
-#define CEIL_DIVIDE(a, b) (((a)+(b)-1)/(b)) /*!< Divide a by b and ceil the result*/
-
-/*
- #define PARAM_N Define the parameter n of the scheme
- #define PARAM_N1 Define the parameter n1 of the scheme (length of Reed-Solomon code)
- #define PARAM_N2 Define the parameter n2 of the scheme (length of Duplicated Reed-Muller code)
- #define PARAM_N1N2 Define the length in bits of the Concatenated code
- #define PARAM_OMEGA Define the parameter omega of the scheme
- #define PARAM_OMEGA_E Define the parameter omega_e of the scheme
- #define PARAM_OMEGA_R Define the parameter omega_r of the scheme
- #define PARAM_SECURITY Define the security level corresponding to the chosen parameters
- #define PARAM_DFR_EXP Define the decryption failure rate corresponding to the chosen parameters
-
- #define SECRET_KEY_BYTES Define the size of the secret key in bytes
- #define PUBLIC_KEY_BYTES Define the size of the public key in bytes
- #define SHARED_SECRET_BYTES Define the size of the shared secret in bytes
- #define CIPHERTEXT_BYTES Define the size of the ciphertext in bytes
-
- #define UTILS_REJECTION_THRESHOLD Define the rejection threshold used to generate given weight vectors (see vector_set_random_fixed_weight function)
- #define VEC_N_SIZE_BYTES Define the size of the array used to store a PARAM_N sized vector in bytes
- #define VEC_K_SIZE_BYTES Define the size of the array used to store a PARAM_K sized vector in bytes
- #define VEC_N1Y_SIZE_BYTES Define the size of the array used to store a PARAM_N1 sized vector in bytes
- #define VEC_N1N2_SIZE_BYTES Define the size of the array used to store a PARAM_N1N2 sized vector in bytes
-
- #define VEC_N_SIZE_64 Define the size of the array used to store a PARAM_N sized vector in 64 bits
- #define VEC_K_SIZE_64 Define the size of the array used to store a PARAM_K sized vector in 64 bits
- #define VEC_N1_SIZE_64 Define the size of the array used to store a PARAM_N1 sized vector in 64 bits
- #define VEC_N1N2_SIZE_64 Define the size of the array used to store a PARAM_N1N2 sized vector in 64 bits
-
- #define PARAM_DELTA Define the parameter delta of the scheme (correcting capacity of the Reed-Solomon code)
- #define PARAM_M Define a positive integer
- #define PARAM_GF_POLY Generator polynomial of galois field GF(2^PARAM_M), represented in hexadecimial form
- #define PARAM_GF_MUL_ORDER Define the size of the multiplicative group of GF(2^PARAM_M), i.e 2^PARAM_M -1
- #define PARAM_K Define the size of the information bits of the Reed-Solomon code
- #define PARAM_G Define the size of the generator polynomial of Reed-Solomon code
- #define PARAM_FFT The additive FFT takes a 2^PARAM_FFT polynomial as input
- We use the FFT to compute the roots of sigma, whose degree if PARAM_DELTA=24
- The smallest power of 2 greater than 24+1 is 32=2^5
- #define RS_POLY_COEFS Coefficients of the generator polynomial of the Reed-Solomon code
-
- #define RED_MASK A mask fot the higher bits of a vector
- #define SHA512_BYTES Define the size of SHA512 output in bytes
- #define SEED_BYTES Define the size of the seed in bytes
- #define SEEDEXPANDER_MAX_LENGTH Define the seed expander max length
-*/
-
-#define PARAM_N 35851
-#define PARAM_N1 56
-#define PARAM_N2 640
-#define PARAM_N1N2 35840
-#define PARAM_OMEGA 100
-#define PARAM_OMEGA_E 114
-#define PARAM_OMEGA_R 114
-#define PARAM_SECURITY 192
-#define PARAM_DFR_EXP 192
-
-#define SECRET_KEY_BYTES PQCLEAN_HQCRMRS192_CLEAN_CRYPTO_SECRETKEYBYTES
-#define PUBLIC_KEY_BYTES PQCLEAN_HQCRMRS192_CLEAN_CRYPTO_PUBLICKEYBYTES
-#define SHARED_SECRET_BYTES PQCLEAN_HQCRMRS192_CLEAN_CRYPTO_BYTES
-#define CIPHERTEXT_BYTES PQCLEAN_HQCRMRS192_CLEAN_CRYPTO_CIPHERTEXTBYTES
-
-#define UTILS_REJECTION_THRESHOLD 16742417
-#define VEC_N_SIZE_BYTES CEIL_DIVIDE(PARAM_N, 8)
-#define VEC_K_SIZE_BYTES PARAM_K
-#define VEC_N1_SIZE_BYTES PARAM_N1
-#define VEC_N1N2_SIZE_BYTES CEIL_DIVIDE(PARAM_N1N2, 8)
-
-#define VEC_N_SIZE_64 CEIL_DIVIDE(PARAM_N, 64)
-#define VEC_K_SIZE_64 CEIL_DIVIDE(PARAM_K, 8)
-#define VEC_N1_SIZE_64 CEIL_DIVIDE(PARAM_N1, 8)
-#define VEC_N1N2_SIZE_64 CEIL_DIVIDE(PARAM_N1N2, 64)
-
-#define PARAM_DELTA 16
-#define PARAM_M 8
-#define PARAM_GF_POLY 0x11D
-#define PARAM_GF_MUL_ORDER 255
-#define PARAM_K 24
-#define PARAM_G 33
-#define PARAM_FFT 5
-#define RS_POLY_COEFS 45,216,239,24,253,104,27,40,107,50,163,210,227,134,224,158,119,13,158,1,238,164,82,43,15,232,246,142,50,189,29,232,1
-
-#define RED_MASK 0x7ff
-#define SHA512_BYTES 64
-#define SEED_BYTES 40
-#define SEEDEXPANDER_MAX_LENGTH 4294967295
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-192/clean/parsing.c b/crypto_kem/hqc-rmrs-192/clean/parsing.c
deleted file mode 100644
index 4677511c..00000000
--- a/crypto_kem/hqc-rmrs-192/clean/parsing.c
+++ /dev/null
@@ -1,186 +0,0 @@
-#include "nistseedexpander.h"
-#include "parameters.h"
-#include "parsing.h"
-#include "randombytes.h"
-#include "vector.h"
-#include
-#include
-/**
- * @file parsing.c
- * @brief Functions to parse secret key, public key and ciphertext of the HQC scheme
- */
-
-
-void PQCLEAN_HQCRMRS192_CLEAN_store8(unsigned char *out, uint64_t in) {
- out[0] = (in >> 0x00) & 0xFF;
- out[1] = (in >> 0x08) & 0xFF;
- out[2] = (in >> 0x10) & 0xFF;
- out[3] = (in >> 0x18) & 0xFF;
- out[4] = (in >> 0x20) & 0xFF;
- out[5] = (in >> 0x28) & 0xFF;
- out[6] = (in >> 0x30) & 0xFF;
- out[7] = (in >> 0x38) & 0xFF;
-}
-
-
-uint64_t PQCLEAN_HQCRMRS192_CLEAN_load8(const unsigned char *in) {
- uint64_t ret = in[7];
-
- for (int8_t i = 6; i >= 0; i--) {
- ret <<= 8;
- ret |= in[i];
- }
-
- return ret;
-}
-
-void PQCLEAN_HQCRMRS192_CLEAN_load8_arr(uint64_t *out64, size_t outlen, const uint8_t *in8, size_t inlen) {
- size_t index_in = 0;
- size_t index_out = 0;
-
- // first copy by 8 bytes
- if (inlen >= 8 && outlen >= 1) {
- while (index_out < outlen && index_in + 8 <= inlen) {
- out64[index_out] = PQCLEAN_HQCRMRS192_CLEAN_load8(in8 + index_in);
-
- index_in += 8;
- index_out += 1;
- }
- }
-
- // we now need to do the last 7 bytes if necessary
- if (index_in >= inlen || index_out >= outlen) {
- return;
- }
- out64[index_out] = in8[inlen - 1];
- for (int8_t i = (int8_t)(inlen - index_in) - 2; i >= 0; i--) {
- out64[index_out] <<= 8;
- out64[index_out] |= in8[index_in + i];
- }
-}
-
-void PQCLEAN_HQCRMRS192_CLEAN_store8_arr(uint8_t *out8, size_t outlen, const uint64_t *in64, size_t inlen) {
- for (size_t index_out = 0, index_in = 0; index_out < outlen && index_in < inlen;) {
- out8[index_out] = (in64[index_in] >> ((index_out % 8) * 8)) & 0xFF;
- index_out++;
- if (index_out % 8 == 0) {
- index_in++;
- }
- }
-}
-
-
-/**
- * @brief Parse a secret key into a string
- *
- * The secret key is composed of the seed used to generate vectors x and y.
- * As technicality, the public key is appended to the secret key in order to respect NIST API.
- *
- * @param[out] sk String containing the secret key
- * @param[in] sk_seed Seed used to generate the secret key
- * @param[in] pk String containing the public key
- */
-void PQCLEAN_HQCRMRS192_CLEAN_hqc_secret_key_to_string(uint8_t *sk, const uint8_t *sk_seed, const uint8_t *pk) {
- memcpy(sk, sk_seed, SEED_BYTES);
- sk += SEED_BYTES;
- memcpy(sk, pk, PUBLIC_KEY_BYTES);
-}
-
-/**
- * @brief Parse a secret key from a string
- *
- * The secret key is composed of the seed used to generate vectors x and y.
- * As technicality, the public key is appended to the secret key in order to respect NIST API.
- *
- * @param[out] x uint64_t representation of vector x
- * @param[out] y uint32_t representation of vector y
- * @param[out] pk String containing the public key
- * @param[in] sk String containing the secret key
- */
-void PQCLEAN_HQCRMRS192_CLEAN_hqc_secret_key_from_string(uint64_t *x, uint32_t *y, uint8_t *pk, const uint8_t *sk) {
- AES_XOF_struct sk_seedexpander;
- uint8_t sk_seed[SEED_BYTES] = {0};
-
- memcpy(sk_seed, sk, SEED_BYTES);
- sk += SEED_BYTES;
- memcpy(pk, sk, PUBLIC_KEY_BYTES);
-
- seedexpander_init(&sk_seedexpander, sk_seed, sk_seed + 32, SEEDEXPANDER_MAX_LENGTH);
- PQCLEAN_HQCRMRS192_CLEAN_vect_set_random_fixed_weight(&sk_seedexpander, x, PARAM_OMEGA);
- PQCLEAN_HQCRMRS192_CLEAN_vect_set_random_fixed_weight_by_coordinates(&sk_seedexpander, y, PARAM_OMEGA);
-}
-
-/**
- * @brief Parse a public key into a string
- *
- * The public key is composed of the syndrome s as well as the seed used to generate the vector h
- *
- * @param[out] pk String containing the public key
- * @param[in] pk_seed Seed used to generate the public key
- * @param[in] s uint8_t representation of vector s
- */
-void PQCLEAN_HQCRMRS192_CLEAN_hqc_public_key_to_string(uint8_t *pk, const uint8_t *pk_seed, const uint64_t *s) {
- memcpy(pk, pk_seed, SEED_BYTES);
- PQCLEAN_HQCRMRS192_CLEAN_store8_arr(pk + SEED_BYTES, VEC_N_SIZE_BYTES, s, VEC_N_SIZE_64);
-}
-
-
-
-/**
- * @brief Parse a public key from a string
- *
- * The public key is composed of the syndrome s as well as the seed used to generate the vector h
- *
- * @param[out] h uint8_t representation of vector h
- * @param[out] s uint8_t representation of vector s
- * @param[in] pk String containing the public key
- */
-void PQCLEAN_HQCRMRS192_CLEAN_hqc_public_key_from_string(uint64_t *h, uint64_t *s, const uint8_t *pk) {
- AES_XOF_struct pk_seedexpander;
- uint8_t pk_seed[SEED_BYTES] = {0};
-
- memcpy(pk_seed, pk, SEED_BYTES);
- pk += SEED_BYTES;
- PQCLEAN_HQCRMRS192_CLEAN_load8_arr(s, VEC_N_SIZE_64, pk, VEC_N_SIZE_BYTES);
-
- seedexpander_init(&pk_seedexpander, pk_seed, pk_seed + 32, SEEDEXPANDER_MAX_LENGTH);
- PQCLEAN_HQCRMRS192_CLEAN_vect_set_random(&pk_seedexpander, h);
-}
-
-
-/**
- * @brief Parse a ciphertext into a string
- *
- * The ciphertext is composed of vectors u, v and hash d.
- *
- * @param[out] ct String containing the ciphertext
- * @param[in] u uint8_t representation of vector u
- * @param[in] v uint8_t representation of vector v
- * @param[in] d String containing the hash d
- */
-void PQCLEAN_HQCRMRS192_CLEAN_hqc_ciphertext_to_string(uint8_t *ct, const uint64_t *u, const uint64_t *v, const uint8_t *d) {
- PQCLEAN_HQCRMRS192_CLEAN_store8_arr(ct, VEC_N_SIZE_BYTES, u, VEC_N_SIZE_64);
- ct += VEC_N_SIZE_BYTES;
- PQCLEAN_HQCRMRS192_CLEAN_store8_arr(ct, VEC_N1N2_SIZE_BYTES, v, VEC_N1N2_SIZE_64);
- ct += VEC_N1N2_SIZE_BYTES;
- memcpy(ct, d, SHA512_BYTES);
-}
-
-
-/**
- * @brief Parse a ciphertext from a string
- *
- * The ciphertext is composed of vectors u, v and hash d.
- *
- * @param[out] u uint8_t representation of vector u
- * @param[out] v uint8_t representation of vector v
- * @param[out] d String containing the hash d
- * @param[in] ct String containing the ciphertext
- */
-void PQCLEAN_HQCRMRS192_CLEAN_hqc_ciphertext_from_string(uint64_t *u, uint64_t *v, uint8_t *d, const uint8_t *ct) {
- PQCLEAN_HQCRMRS192_CLEAN_load8_arr(u, VEC_N_SIZE_64, ct, VEC_N_SIZE_BYTES);
- ct += VEC_N_SIZE_BYTES;
- PQCLEAN_HQCRMRS192_CLEAN_load8_arr(v, VEC_N1N2_SIZE_64, ct, VEC_N1N2_SIZE_BYTES);
- ct += VEC_N1N2_SIZE_BYTES;
- memcpy(d, ct, SHA512_BYTES);
-}
diff --git a/crypto_kem/hqc-rmrs-192/clean/parsing.h b/crypto_kem/hqc-rmrs-192/clean/parsing.h
deleted file mode 100644
index c8044ab8..00000000
--- a/crypto_kem/hqc-rmrs-192/clean/parsing.h
+++ /dev/null
@@ -1,36 +0,0 @@
-#ifndef PARSING_H
-#define PARSING_H
-
-
-/**
- * @file parsing.h
- * @brief Header file for parsing.c
- */
-
-#include
-
-void PQCLEAN_HQCRMRS192_CLEAN_store8(unsigned char *out, uint64_t in);
-
-uint64_t PQCLEAN_HQCRMRS192_CLEAN_load8(const unsigned char *in);
-
-void PQCLEAN_HQCRMRS192_CLEAN_load8_arr(uint64_t *out64, size_t outlen, const uint8_t *in8, size_t inlen);
-
-void PQCLEAN_HQCRMRS192_CLEAN_store8_arr(uint8_t *out8, size_t outlen, const uint64_t *in64, size_t inlen);
-
-
-void PQCLEAN_HQCRMRS192_CLEAN_hqc_secret_key_to_string(uint8_t *sk, const uint8_t *sk_seed, const uint8_t *pk);
-
-void PQCLEAN_HQCRMRS192_CLEAN_hqc_secret_key_from_string(uint64_t *x, uint32_t *y, uint8_t *pk, const uint8_t *sk);
-
-
-void PQCLEAN_HQCRMRS192_CLEAN_hqc_public_key_to_string(uint8_t *pk, const uint8_t *pk_seed, const uint64_t *s);
-
-void PQCLEAN_HQCRMRS192_CLEAN_hqc_public_key_from_string(uint64_t *h, uint64_t *s, const uint8_t *pk);
-
-
-void PQCLEAN_HQCRMRS192_CLEAN_hqc_ciphertext_to_string(uint8_t *ct, const uint64_t *u, const uint64_t *v, const uint8_t *d);
-
-void PQCLEAN_HQCRMRS192_CLEAN_hqc_ciphertext_from_string(uint64_t *u, uint64_t *v, uint8_t *d, const uint8_t *ct);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-192/clean/reed_muller.c b/crypto_kem/hqc-rmrs-192/clean/reed_muller.c
deleted file mode 100644
index 05762a0b..00000000
--- a/crypto_kem/hqc-rmrs-192/clean/reed_muller.c
+++ /dev/null
@@ -1,237 +0,0 @@
-#include "parameters.h"
-#include "reed_muller.h"
-#include
-#include
-/**
- * @file reed_muller.c
- * Constant time implementation of Reed-Muller code RM(1,7)
- */
-
-
-
-// number of repeated code words
-#define MULTIPLICITY CEIL_DIVIDE(PARAM_N2, 128)
-
-// copy bit 0 into all bits of a 32 bit value
-#define BIT0MASK(x) (-((x) & 1))
-
-
-static void encode(uint8_t *word, uint8_t message);
-static void hadamard(uint16_t src[128], uint16_t dst[128]);
-static void expand_and_sum(uint16_t dest[128], const uint8_t src[16 * MULTIPLICITY]);
-static uint8_t find_peaks(const uint16_t transform[128]);
-
-
-
-/**
- * @brief Encode a single byte into a single codeword using RM(1,7)
- *
- * Encoding matrix of this code:
- * bit pattern (note that bits are numbered big endian)
- * 0 aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa
- * 1 cccccccc cccccccc cccccccc cccccccc
- * 2 f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0
- * 3 ff00ff00 ff00ff00 ff00ff00 ff00ff00
- * 4 ffff0000 ffff0000 ffff0000 ffff0000
- * 5 ffffffff 00000000 ffffffff 00000000
- * 6 ffffffff ffffffff 00000000 00000000
- * 7 ffffffff ffffffff ffffffff ffffffff
- *
- * @param[out] word An RM(1,7) codeword
- * @param[in] message A message
- */
-static void encode(uint8_t *word, uint8_t message) {
- uint32_t e;
- // bit 7 flips all the bits, do that first to save work
- e = BIT0MASK(message >> 7);
- // bits 0, 1, 2, 3, 4 are the same for all four longs
- // (Warning: in the bit matrix above, low bits are at the left!)
- e ^= BIT0MASK(message >> 0) & 0xaaaaaaaa;
- e ^= BIT0MASK(message >> 1) & 0xcccccccc;
- e ^= BIT0MASK(message >> 2) & 0xf0f0f0f0;
- e ^= BIT0MASK(message >> 3) & 0xff00ff00;
- e ^= BIT0MASK(message >> 4) & 0xffff0000;
- // we can store this in the first quarter
- word[0 + 0] = (e >> 0x00) & 0xff;
- word[0 + 1] = (e >> 0x08) & 0xff;
- word[0 + 2] = (e >> 0x10) & 0xff;
- word[0 + 3] = (e >> 0x18) & 0xff;
- // bit 5 flips entries 1 and 3; bit 6 flips 2 and 3
- e ^= BIT0MASK(message >> 5);
- word[4 + 0] = (e >> 0x00) & 0xff;
- word[4 + 1] = (e >> 0x08) & 0xff;
- word[4 + 2] = (e >> 0x10) & 0xff;
- word[4 + 3] = (e >> 0x18) & 0xff;
- e ^= BIT0MASK(message >> 6);
- word[12 + 0] = (e >> 0x00) & 0xff;
- word[12 + 1] = (e >> 0x08) & 0xff;
- word[12 + 2] = (e >> 0x10) & 0xff;
- word[12 + 3] = (e >> 0x18) & 0xff;
- e ^= BIT0MASK(message >> 5);
- word[8 + 0] = (e >> 0x00) & 0xff;
- word[8 + 1] = (e >> 0x08) & 0xff;
- word[8 + 2] = (e >> 0x10) & 0xff;
- word[8 + 3] = (e >> 0x18) & 0xff;
-}
-
-
-
-/**
- * @brief Hadamard transform
- *
- * Perform hadamard transform of src and store result in dst
- * src is overwritten: it is also used as intermediate buffer
- * Method is best explained if we use H(3) instead of H(7):
- *
- * The routine multiplies by the matrix H(3):
- * [1 1 1 1 1 1 1 1]
- * [1 -1 1 -1 1 -1 1 -1]
- * [1 1 -1 -1 1 1 -1 -1]
- * [a b c d e f g h] * [1 -1 -1 1 1 -1 -1 1] = result of routine
- * [1 1 1 1 -1 -1 -1 -1]
- * [1 -1 1 -1 -1 1 -1 1]
- * [1 1 -1 -1 -1 -1 1 1]
- * [1 -1 -1 1 -1 1 1 -1]
- * You can do this in three passes, where each pass does this:
- * set lower half of buffer to pairwise sums,
- * and upper half to differences
- * index 0 1 2 3 4 5 6 7
- * input: a, b, c, d, e, f, g, h
- * pass 1: a+b, c+d, e+f, g+h, a-b, c-d, e-f, g-h
- * pass 2: a+b+c+d, e+f+g+h, a-b+c-d, e-f+g-h, a+b-c-d, e+f-g-h, a-b-c+d, e-f-g+h
- * pass 3: a+b+c+d+e+f+g+h a+b-c-d+e+f-g-h a+b+c+d-e-f-g-h a+b-c-d-e+-f+g+h
- * a-b+c-d+e-f+g-h a-b-c+d+e-f-g+h a-b+c-d-e+f-g+h a-b-c+d-e+f+g-h
- * This order of computation is chosen because it vectorises well.
- * Likewise, this routine multiplies by H(7) in seven passes.
- *
- * @param[out] src Structure that contain the expanded codeword
- * @param[out] dst Structure that contain the expanded codeword
- */
-static void hadamard(uint16_t src[128], uint16_t dst[128]) {
- // the passes move data:
- // src -> dst -> src -> dst -> src -> dst -> src -> dst
- // using p1 and p2 alternately
- uint16_t *p1 = src;
- uint16_t *p2 = dst;
- uint16_t *p3;
- for (uint32_t pass = 0; pass < 7; pass++) {
- for (uint32_t i = 0; i < 64; i++) {
- p2[i] = p1[2 * i] + p1[2 * i + 1];
- p2[i + 64] = p1[2 * i] - p1[2 * i + 1];
- }
- // swap p1, p2 for next round
- p3 = p1;
- p1 = p2;
- p2 = p3;
- }
-}
-
-
-
-/**
- * @brief Add multiple codewords into expanded codeword
- *
- * Accesses memory in order
- * Note: this does not write the codewords as -1 or +1 as the green machine does
- * instead, just 0 and 1 is used.
- * The resulting hadamard transform has:
- * all values are halved
- * the first entry is 64 too high
- *
- * @param[out] dest Structure that contain the expanded codeword
- * @param[in] src Structure that contain the codeword
- */
-static void expand_and_sum(uint16_t dest[128], const uint8_t src[16 * MULTIPLICITY]) {
- size_t part, bit, copy;
- // start with the first copy
- for (part = 0; part < 16; part++) {
- for (bit = 0; bit < 8; bit++) {
- dest[part * 8 + bit] = (uint16_t) ((src[part] >> bit) & 1);
- }
- }
- // sum the rest of the copies
- for (copy = 1; copy < MULTIPLICITY; copy++) {
- for (part = 0; part < 16; part++) {
- for (bit = 0; bit < 8; bit++) {
- dest[part * 8 + bit] += (uint16_t) ((src[16 * copy + part] >> bit) & 1);
- }
- }
- }
-}
-
-
-
-/**
- * @brief Finding the location of the highest value
- *
- * This is the final step of the green machine: find the location of the highest value,
- * and add 128 if the peak is positive
- * if there are two identical peaks, the peak with smallest value
- * in the lowest 7 bits it taken
- * @param[in] transform Structure that contain the expanded codeword
- */
-static uint8_t find_peaks(const uint16_t transform[128]) {
- uint16_t peak_abs = 0;
- uint16_t peak = 0;
- uint16_t pos = 0;
- uint16_t t, abs, mask;
- for (uint16_t i = 0; i < 128; i++) {
- t = transform[i];
- abs = t ^ ((-(t >> 15)) & (t ^ -t)); // t = abs(t)
- mask = -(((uint16_t)(peak_abs - abs)) >> 15);
- peak ^= mask & (peak ^ t);
- pos ^= mask & (pos ^ i);
- peak_abs ^= mask & (peak_abs ^ abs);
- }
- pos |= 128 & ((peak >> 15) - 1);
- return (uint8_t) pos;
-}
-
-
-
-
-/**
- * @brief Encodes the received word
- *
- * The message consists of N1 bytes each byte is encoded into PARAM_N2 bits,
- * or MULTIPLICITY repeats of 128 bits
- *
- * @param[out] cdw Array of size VEC_N1N2_SIZE_64 receiving the encoded message
- * @param[in] msg Array of size VEC_N1_SIZE_64 storing the message
- */
-void PQCLEAN_HQCRMRS192_CLEAN_reed_muller_encode(uint8_t *cdw, const uint8_t *msg) {
- for (size_t i = 0; i < VEC_N1_SIZE_BYTES; i++) {
- // encode first word
- encode(&cdw[16 * i * MULTIPLICITY], msg[i]);
- // copy to other identical codewords
- for (size_t copy = 1; copy < MULTIPLICITY; copy++) {
- memcpy(&cdw[16 * i * MULTIPLICITY + 16 * copy], &cdw[16 * i * MULTIPLICITY], 16);
- }
- }
-}
-
-
-
-/**
- * @brief Decodes the received word
- *
- * Decoding uses fast hadamard transform, for a more complete picture on Reed-Muller decoding, see MacWilliams, Florence Jessie, and Neil James Alexander Sloane.
- * The theory of error-correcting codes codes @cite macwilliams1977theory
- *
- * @param[out] msg Array of size VEC_N1_SIZE_64 receiving the decoded message
- * @param[in] cdw Array of size VEC_N1N2_SIZE_64 storing the received word
- */
-void PQCLEAN_HQCRMRS192_CLEAN_reed_muller_decode(uint8_t *msg, const uint8_t *cdw) {
- uint16_t expanded[128];
- uint16_t transform[128];
- for (size_t i = 0; i < VEC_N1_SIZE_BYTES; i++) {
- // collect the codewords
- expand_and_sum(expanded, &cdw[16 * i * MULTIPLICITY]);
- // apply hadamard transform
- hadamard(expanded, transform);
- // fix the first entry to get the half Hadamard transform
- transform[0] -= 64 * MULTIPLICITY;
- // finish the decoding
- msg[i] = find_peaks(transform);
- }
-}
diff --git a/crypto_kem/hqc-rmrs-192/clean/reed_muller.h b/crypto_kem/hqc-rmrs-192/clean/reed_muller.h
deleted file mode 100644
index 46d2fb53..00000000
--- a/crypto_kem/hqc-rmrs-192/clean/reed_muller.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef REED_MULLER_H
-#define REED_MULLER_H
-
-
-/**
- * @file reed_muller.h
- * Header file of reed_muller.c
- */
-#include "parameters.h"
-#include
-#include
-
-void PQCLEAN_HQCRMRS192_CLEAN_reed_muller_encode(uint8_t *cdw, const uint8_t *msg);
-
-void PQCLEAN_HQCRMRS192_CLEAN_reed_muller_decode(uint8_t *msg, const uint8_t *cdw);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-192/clean/reed_solomon.c b/crypto_kem/hqc-rmrs-192/clean/reed_solomon.c
deleted file mode 100644
index 6f30c1de..00000000
--- a/crypto_kem/hqc-rmrs-192/clean/reed_solomon.c
+++ /dev/null
@@ -1,349 +0,0 @@ -#include "fft.h" -#include "gf.h" -#include "parameters.h" -#include "parsing.h" -#include "reed_solomon.h" -#include -#include -#include -/** - * @file reed_solomon.c - * Constant time implementation of Reed-Solomon codes - */ - - -static void compute_syndromes(uint16_t *syndromes, uint8_t *cdw); -static uint16_t compute_elp(uint16_t *sigma, const uint16_t *syndromes); -static void compute_roots(uint8_t *error, uint16_t *sigma); -static void compute_z_poly(uint16_t *z, const uint16_t *sigma, uint16_t degree, const uint16_t *syndromes); -static void compute_error_values(uint16_t *error_values, const uint16_t *z, const uint8_t *error); -static void correct_errors(uint8_t *cdw, const uint16_t *error_values); - -/** - * @brief Encodes a message message of PARAM_K bits to a Reed-Solomon codeword codeword of PARAM_N1 bytes - * - * Following @cite lin1983error (Chapter 4 - Cyclic Codes), - * We perform a systematic encoding using a linear (PARAM_N1 - PARAM_K)-stage shift register - * with feedback connections based on the generator polynomial PARAM_RS_POLY of the Reed-Solomon code. 
- * - * @param[out] cdw Array of size VEC_N1_SIZE_64 receiving the encoded message - * @param[in] msg Array of size VEC_K_SIZE_64 storing the message - */ -void PQCLEAN_HQCRMRS192_CLEAN_reed_solomon_encode(uint8_t *cdw, const uint8_t *msg) { - size_t i, j, k; - uint8_t gate_value = 0; - - uint16_t tmp[PARAM_G] = {0}; - uint16_t PARAM_RS_POLY [] = {RS_POLY_COEFS}; - uint8_t prev, x; - - for (i = 0; i < PARAM_N1; ++i) { - cdw[i] = 0; - } - - for (i = 0; i < PARAM_K; ++i) { - gate_value = (uint8_t) (msg[PARAM_K - 1 - i] ^ cdw[PARAM_N1 - PARAM_K - 1]); - - for (j = 0; j < PARAM_G; ++j) { - tmp[j] = PQCLEAN_HQCRMRS192_CLEAN_gf_mul(gate_value, PARAM_RS_POLY[j]); - } - - prev = 0; - for (k = 0; k < PARAM_N1 - PARAM_K; k++) { - x = cdw[k]; - cdw[k] = (uint8_t) (prev ^ tmp[k]); - prev = x; - } - } - - memcpy(cdw + PARAM_N1 - PARAM_K, msg, PARAM_K); -} - - - -/** - * @brief Computes 2 * PARAM_DELTA syndromes - * - * @param[out] syndromes Array of size 2 * PARAM_DELTA receiving the computed syndromes - * @param[in] cdw Array of size PARAM_N1 storing the received vector - */ -void compute_syndromes(uint16_t *syndromes, uint8_t *cdw) { - for (size_t i = 0; i < 2 * PARAM_DELTA; ++i) { - for (size_t j = 1; j < PARAM_N1; ++j) { - syndromes[i] ^= PQCLEAN_HQCRMRS192_CLEAN_gf_mul(cdw[j], alpha_ij_pow[i][j - 1]); - } - syndromes[i] ^= cdw[0]; - } -} - - - -/** - * @brief Computes the error locator polynomial (ELP) sigma - * - * This is a constant time implementation of Berlekamp's simplified algorithm (see @cite lin1983error (Chapter 6 - BCH Codes).
- * We use the letter p for rho which is initialized at -1.
- * The array X_sigma_p represents the polynomial X^(mu-rho)*sigma_p(X).
- * Instead of maintaining a list of sigmas, we update in place both sigma and X_sigma_p.
- * sigma_copy serves as a temporary save of sigma in case X_sigma_p needs to be updated.
- * We can properly correct only if the degree of sigma does not exceed PARAM_DELTA. - * This means only the first PARAM_DELTA + 1 coefficients of sigma are of value - * and we only need to save its first PARAM_DELTA - 1 coefficients. - * - * @returns the degree of the ELP sigma - * @param[out] sigma Array of size (at least) PARAM_DELTA receiving the ELP - * @param[in] syndromes Array of size (at least) 2*PARAM_DELTA storing the syndromes - */ -static uint16_t compute_elp(uint16_t *sigma, const uint16_t *syndromes) { - uint16_t deg_sigma = 0; - uint16_t deg_sigma_p = 0; - uint16_t deg_sigma_copy = 0; - uint16_t sigma_copy[PARAM_DELTA + 1] = {0}; - uint16_t X_sigma_p[PARAM_DELTA + 1] = {0, 1}; - uint16_t pp = (uint16_t) -1; // 2*rho - uint16_t d_p = 1; - uint16_t d = syndromes[0]; - - uint16_t mask1, mask2, mask12; - uint16_t deg_X, deg_X_sigma_p; - uint16_t dd; - uint16_t mu; - - uint16_t i; - - sigma[0] = 1; - for (mu = 0; (mu < (2 * PARAM_DELTA)); ++mu) { - // Save sigma in case we need it to update X_sigma_p - memcpy(sigma_copy, sigma, 2 * (PARAM_DELTA)); - deg_sigma_copy = deg_sigma; - - dd = PQCLEAN_HQCRMRS192_CLEAN_gf_mul(d, PQCLEAN_HQCRMRS192_CLEAN_gf_inverse(d_p)); - - for (i = 1; (i <= mu + 1) && (i <= PARAM_DELTA); ++i) { - sigma[i] ^= PQCLEAN_HQCRMRS192_CLEAN_gf_mul(dd, X_sigma_p[i]); - } - - deg_X = mu - pp; - deg_X_sigma_p = deg_X + deg_sigma_p; - - // mask1 = 0xffff if(d != 0) and 0 otherwise - mask1 = -((uint16_t) - d >> 15); - - // mask2 = 0xffff if(deg_X_sigma_p > deg_sigma) and 0 otherwise - mask2 = -((uint16_t) (deg_sigma - deg_X_sigma_p) >> 15); - - // mask12 = 0xffff if the deg_sigma increased and 0 otherwise - mask12 = mask1 & mask2; - deg_sigma ^= mask12 & (deg_X_sigma_p ^ deg_sigma); - - if (mu == (2 * PARAM_DELTA - 1)) { - break; - } - - pp ^= mask12 & (mu ^ pp); - d_p ^= mask12 & (d ^ d_p); - for (i = PARAM_DELTA; i; --i) { - X_sigma_p[i] = (mask12 & sigma_copy[i - 1]) ^ (~mask12 & X_sigma_p[i - 1]); - } - - deg_sigma_p ^= mask12 & 
(deg_sigma_copy ^ deg_sigma_p); - d = syndromes[mu + 1]; - - for (i = 1; (i <= mu + 1) && (i <= PARAM_DELTA); ++i) { - d ^= PQCLEAN_HQCRMRS192_CLEAN_gf_mul(sigma[i], syndromes[mu + 1 - i]); - } - } - - return deg_sigma; -} - - - -/** - * @brief Computes the error polynomial error from the error locator polynomial sigma - * - * See function PQCLEAN_HQCRMRS192_CLEAN_fft for more details. - * - * @param[out] error Array of 2^PARAM_M elements receiving the error polynomial - * @param[out] error_compact Array of PARAM_DELTA + PARAM_N1 elements receiving a compact representation of the vector error - * @param[in] sigma Array of 2^PARAM_FFT elements storing the error locator polynomial - */ -static void compute_roots(uint8_t *error, uint16_t *sigma) { - uint16_t w[1 << PARAM_M] = {0}; - - PQCLEAN_HQCRMRS192_CLEAN_fft(w, sigma, PARAM_DELTA + 1); - PQCLEAN_HQCRMRS192_CLEAN_fft_retrieve_error_poly(error, w); -} - - - -/** - * @brief Computes the polynomial z(x) - * - * See @cite lin1983error (Chapter 6 - BCH Codes) for more details. 
- * - * @param[out] z Array of PARAM_DELTA + 1 elements receiving the polynomial z(x) - * @param[in] sigma Array of 2^PARAM_FFT elements storing the error locator polynomial - * @param[in] degree Integer that is the degree of polynomial sigma - * @param[in] syndromes Array of 2 * PARAM_DELTA storing the syndromes - */ -static void compute_z_poly(uint16_t *z, const uint16_t *sigma, uint16_t degree, const uint16_t *syndromes) { - size_t i, j; - uint16_t mask; - - z[0] = 1; - - for (i = 1; i < PARAM_DELTA + 1; ++i) { - mask = -((uint16_t) (i - degree - 1) >> 15); - z[i] = mask & sigma[i]; - } - - z[1] ^= syndromes[0]; - - for (i = 2; i <= PARAM_DELTA; ++i) { - mask = -((uint16_t) (i - degree - 1) >> 15); - z[i] ^= mask & syndromes[i - 1]; - - for (j = 1; j < i; ++j) { - z[i] ^= mask & PQCLEAN_HQCRMRS192_CLEAN_gf_mul(sigma[j], syndromes[i - j - 1]); - } - } -} - - - -/** - * @brief Computes the error values - * - * See @cite lin1983error (Chapter 6 - BCH Codes) for more details. - * - * @param[out] error_values Array of PARAM_DELTA elements receiving the error values - * @param[in] z Array of PARAM_DELTA + 1 elements storing the polynomial z(x) - * @param[in] z_degree Integer that is the degree of polynomial z(x) - * @param[in] error_compact Array of PARAM_DELTA + PARAM_N1 storing compact representation of the error - */ -static void compute_error_values(uint16_t *error_values, const uint16_t *z, const uint8_t *error) { - uint16_t beta_j[PARAM_DELTA] = {0}; - uint16_t e_j[PARAM_DELTA] = {0}; - - uint16_t delta_counter; - uint16_t delta_real_value; - uint16_t found; - uint16_t mask1; - uint16_t mask2; - uint16_t tmp1; - uint16_t tmp2; - uint16_t inverse; - uint16_t inverse_power_j; - - // Compute the beta_{j_i} page 31 of the documentation - delta_counter = 0; - for (size_t i = 0; i < PARAM_N1; i++) { - found = 0; - mask1 = (uint16_t) (-((int32_t)error[i]) >> 31); // error[i] != 0 - for (size_t j = 0; j < PARAM_DELTA; j++) { - mask2 = ~((uint16_t) (-((int32_t) j ^ 
delta_counter) >> 31)); // j == delta_counter - beta_j[j] += mask1 & mask2 & gf_exp[i]; - found += mask1 & mask2 & 1; - } - delta_counter += found; - } - delta_real_value = delta_counter; - - // Compute the e_{j_i} page 31 of the documentation - for (size_t i = 0; i < PARAM_DELTA; ++i) { - tmp1 = 1; - tmp2 = 1; - inverse = PQCLEAN_HQCRMRS192_CLEAN_gf_inverse(beta_j[i]); - inverse_power_j = 1; - - for (size_t j = 1; j <= PARAM_DELTA; ++j) { - inverse_power_j = PQCLEAN_HQCRMRS192_CLEAN_gf_mul(inverse_power_j, inverse); - tmp1 ^= PQCLEAN_HQCRMRS192_CLEAN_gf_mul(inverse_power_j, z[j]); - } - for (size_t k = 1; k < PARAM_DELTA; ++k) { - tmp2 = PQCLEAN_HQCRMRS192_CLEAN_gf_mul(tmp2, (1 ^ PQCLEAN_HQCRMRS192_CLEAN_gf_mul(inverse, beta_j[(i + k) % PARAM_DELTA]))); - } - mask1 = (uint16_t) (((int16_t) i - delta_real_value) >> 15); // i < delta_real_value - e_j[i] = mask1 & PQCLEAN_HQCRMRS192_CLEAN_gf_mul(tmp1, PQCLEAN_HQCRMRS192_CLEAN_gf_inverse(tmp2)); - } - - // Place the delta e_{j_i} values at the right coordinates of the output vector - delta_counter = 0; - for (size_t i = 0; i < PARAM_N1; ++i) { - found = 0; - mask1 = (uint16_t) (-((int32_t)error[i]) >> 31); // error[i] != 0 - for (size_t j = 0; j < PARAM_DELTA; j++) { - mask2 = ~((uint16_t) (-((int32_t) j ^ delta_counter) >> 31)); // j == delta_counter - error_values[i] += mask1 & mask2 & e_j[j]; - found += mask1 & mask2 & 1; - } - delta_counter += found; - } -} - - - -/** - * @brief Correct the errors - * - * @param[out] cdw Array of PARAM_N1 elements receiving the corrected vector - * @param[in] error Array of the error vector - * @param[in] error_values Array of PARAM_DELTA elements storing the error values - */ -static void correct_errors(uint8_t *cdw, const uint16_t *error_values) { - for (size_t i = 0; i < PARAM_N1; ++i) { - cdw[i] ^= error_values[i]; - } -} - - - -/** - * @brief Decodes the received word - * - * This function relies on six steps: - *
    - *
  1. The first step, is the computation of the 2*PARAM_DELTA syndromes. - *
  2. The second step is the computation of the error-locator polynomial sigma. - *
  3. The third step, done by additive FFT, is finding the error-locator numbers by calculating the roots of the polynomial sigma and takings their inverses. - *
  4. The fourth step, is the polynomial z(x). - *
  5. The fifth step, is the computation of the error values. - *
  6. The sixth step is the correction of the errors in the received polynomial. - *
- * For a more complete picture on Reed-Solomon decoding, see Shu. Lin and Daniel J. Costello in Error Control Coding: Fundamentals and Applications @cite lin1983error - * - * @param[out] msg Array of size VEC_K_SIZE_64 receiving the decoded message - * @param[in] cdw Array of size VEC_N1_SIZE_64 storing the received word - */ -void PQCLEAN_HQCRMRS192_CLEAN_reed_solomon_decode(uint8_t *msg, uint8_t *cdw) { - uint16_t syndromes[2 * PARAM_DELTA] = {0}; - uint16_t sigma[1 << PARAM_FFT] = {0}; - uint8_t error[1 << PARAM_M] = {0}; - uint16_t z[PARAM_N1] = {0}; - uint16_t error_values[PARAM_N1] = {0}; - uint16_t deg; - - // Calculate the 2*PARAM_DELTA syndromes - compute_syndromes(syndromes, cdw); - - // Compute the error locator polynomial sigma - // Sigma's degree is at most PARAM_DELTA but the FFT requires the extra room - deg = compute_elp(sigma, syndromes); - - // Compute the error polynomial error - compute_roots(error, sigma); - - // Compute the polynomial z(x) - compute_z_poly(z, sigma, deg, syndromes); - - // Compute the error values - compute_error_values(error_values, z, error); - - // Correct the errors - correct_errors(cdw, error_values); - - // Retrieve the message from the decoded codeword - memcpy(msg, cdw + (PARAM_G - 1), PARAM_K); - -} diff --git a/crypto_kem/hqc-rmrs-192/clean/reed_solomon.h b/crypto_kem/hqc-rmrs-192/clean/reed_solomon.h deleted file mode 100644 index 069c599f..00000000 --- a/crypto_kem/hqc-rmrs-192/clean/reed_solomon.h +++ /dev/null 
@@ -1,20 +0,0 @@ -#ifndef REED_SOLOMON_H -#define REED_SOLOMON_H - - -/** - * @file reed_solomon.h - * Header file of reed_solomon.c - */ -#include "parameters.h" -#include -#include - -static const uint16_t alpha_ij_pow [32][55] = {{2, 4, 8, 16, 32, 64, 128, 29, 58, 116, 232, 205, 135, 19, 38, 76, 152, 45, 90, 180, 117, 234, 201, 143, 3, 6, 12, 24, 48, 96, 192, 157, 39, 78, 156, 37, 74, 148, 53, 106, 212, 181, 119, 238, 193, 159, 35, 70, 140, 5, 10, 20, 40, 80, 160}, {4, 16, 64, 29, 116, 205, 19, 76, 45, 180, 234, 143, 6, 24, 96, 157, 78, 37, 148, 106, 181, 238, 159, 70, 5, 20, 80, 93, 105, 185, 222, 95, 97, 153, 94, 101, 137, 30, 120, 253, 211, 107, 177, 254, 223, 91, 113, 217, 67, 17, 68, 13, 52, 208, 103}, {8, 64, 58, 205, 38, 45, 117, 143, 12, 96, 39, 37, 53, 181, 193, 70, 10, 80, 186, 185, 161, 97, 47, 101, 15, 120, 231, 107, 127, 223, 182, 217, 134, 68, 26, 208, 206, 62, 237, 59, 197, 102, 23, 184, 169, 33, 21, 168, 41, 85, 146, 228, 115, 191, 145}, {16, 29, 205, 76, 180, 143, 24, 157, 37, 106, 238, 70, 20, 93, 185, 95, 153, 101, 30, 253, 107, 254, 91, 217, 17, 13, 208, 129, 248, 59, 151, 133, 184, 79, 132, 168, 82, 73, 228, 230, 198, 252, 123, 227, 150, 149, 165, 130, 200, 28, 221, 81, 121, 195, 172}, {32, 116, 38, 180, 3, 96, 156, 106, 193, 5, 160, 185, 190, 94, 15, 253, 214, 223, 226, 17, 26, 103, 124, 59, 51, 46, 169, 132, 77, 85, 114, 230, 145, 215, 255, 150, 55, 174, 100, 28, 167, 89, 239, 172, 36, 244, 235, 44, 233, 108, 1, 32, 116, 38, 180}, {64, 205, 45, 143, 96, 37, 181, 70, 80, 185, 97, 101, 120, 107, 223, 217, 68, 208, 62, 59, 102, 184, 33, 168, 85, 228, 191, 252, 241, 150, 110, 130, 7, 221, 89, 195, 138, 61, 251, 44, 207, 173, 8, 58, 38, 117, 12, 39, 53, 193, 10, 186, 161, 47, 15}, {128, 19, 117, 24, 156, 181, 140, 93, 161, 94, 60, 107, 163, 67, 26, 129, 147, 102, 109, 132, 41, 57, 209, 252, 255, 98, 87, 200, 224, 89, 155, 18, 245, 11, 233, 173, 16, 232, 45, 3, 157, 53, 159, 40, 185, 194, 137, 231, 254, 226, 68, 189, 248, 197, 46}, {29, 76, 143, 
157, 106, 70, 93, 95, 101, 253, 254, 217, 13, 129, 59, 133, 79, 168, 73, 230, 252, 227, 149, 130, 28, 81, 195, 18, 247, 44, 27, 2, 58, 152, 3, 39, 212, 140, 186, 190, 202, 231, 225, 175, 26, 31, 118, 23, 158, 77, 146, 209, 229, 219, 55}, {58, 45, 12, 37, 193, 80, 161, 101, 231, 223, 134, 208, 237, 102, 169, 168, 146, 191, 179, 150, 87, 7, 166, 195, 36, 251, 125, 173, 64, 38, 143, 39, 181, 10, 185, 47, 120, 127, 217, 26, 62, 197, 184, 21, 85, 115, 252, 219, 110, 100, 221, 242, 138, 245, 44}, {116, 180, 96, 106, 5, 185, 94, 253, 223, 17, 103, 59, 46, 132, 85, 230, 215, 150, 174, 28, 89, 172, 244, 44, 108, 32, 38, 3, 156, 193, 160, 190, 15, 214, 226, 26, 124, 51, 169, 77, 114, 145, 255, 55, 100, 167, 239, 36, 235, 233, 1, 116, 180, 96, 106}, {232, 234, 39, 238, 160, 97, 60, 254, 134, 103, 118, 184, 84, 57, 145, 227, 220, 7, 162, 172, 245, 176, 71, 58, 180, 192, 181, 40, 95, 15, 177, 175, 208, 147, 46, 21, 73, 99, 241, 55, 200, 166, 43, 122, 44, 216, 128, 45, 48, 106, 10, 222, 202, 107, 226}, {205, 143, 37, 70, 185, 101, 107, 217, 208, 59, 184, 168, 228, 252, 150, 130, 221, 195, 61, 44, 173, 58, 117, 39, 193, 186, 47, 231, 182, 26, 237, 23, 21, 146, 145, 219, 87, 56, 242, 36, 139, 54, 64, 45, 96, 181, 80, 97, 120, 223, 68, 62, 102, 33, 85}, {135, 6, 53, 20, 190, 120, 163, 13, 237, 46, 84, 228, 229, 98, 100, 81, 69, 251, 131, 32, 45, 192, 238, 186, 94, 187, 217, 189, 236, 169, 82, 209, 241, 220, 28, 242, 72, 22, 173, 116, 201, 37, 140, 222, 15, 254, 34, 62, 204, 132, 146, 63, 75, 130, 167}, {19, 24, 181, 93, 94, 107, 67, 129, 102, 132, 57, 252, 98, 200, 89, 18, 11, 173, 232, 3, 53, 40, 194, 231, 226, 189, 197, 158, 170, 145, 75, 25, 166, 69, 235, 54, 29, 234, 37, 5, 95, 120, 91, 52, 59, 218, 82, 191, 227, 174, 221, 43, 247, 207, 32}, {38, 96, 193, 185, 15, 223, 26, 59, 169, 85, 145, 150, 100, 89, 36, 44, 1, 38, 96, 193, 185, 15, 223, 26, 59, 169, 85, 145, 150, 100, 89, 36, 44, 1, 38, 96, 193, 185, 15, 223, 26, 59, 169, 85, 145, 150, 100, 89, 36, 44, 1, 38, 96, 193, 
185}, {76, 157, 70, 95, 253, 217, 129, 133, 168, 230, 227, 130, 81, 18, 44, 2, 152, 39, 140, 190, 231, 175, 31, 23, 77, 209, 219, 25, 162, 36, 88, 4, 45, 78, 5, 97, 211, 67, 62, 46, 154, 191, 171, 50, 89, 72, 176, 8, 90, 156, 10, 194, 187, 134, 124}, {152, 78, 10, 153, 214, 68, 147, 79, 146, 215, 220, 221, 69, 11, 1, 152, 78, 10, 153, 214, 68, 147, 79, 146, 215, 220, 221, 69, 11, 1, 152, 78, 10, 153, 214, 68, 147, 79, 146, 215, 220, 221, 69, 11, 1, 152, 78, 10, 153, 214, 68, 147, 79, 146, 215}, {45, 37, 80, 101, 223, 208, 102, 168, 191, 150, 7, 195, 251, 173, 38, 39, 10, 47, 127, 26, 197, 21, 115, 219, 100, 242, 245, 54, 205, 96, 70, 97, 107, 68, 59, 33, 228, 241, 130, 89, 61, 207, 58, 12, 193, 161, 231, 134, 237, 169, 146, 179, 87, 166, 36}, {90, 148, 186, 30, 226, 62, 109, 73, 179, 174, 162, 61, 131, 232, 96, 140, 153, 127, 52, 51, 168, 99, 98, 56, 172, 22, 8, 234, 212, 185, 240, 67, 237, 79, 114, 241, 25, 121, 245, 108, 19, 39, 20, 188, 223, 189, 133, 41, 63, 55, 221, 9, 176, 64, 3}, {180, 106, 185, 253, 17, 59, 132, 230, 150, 28, 172, 44, 32, 3, 193, 190, 214, 26, 51, 77, 145, 55, 167, 36, 233, 116, 96, 5, 94, 223, 103, 46, 85, 215, 174, 89, 244, 108, 38, 156, 160, 15, 226, 124, 169, 114, 255, 100, 239, 235, 1, 180, 106, 185, 253}, {117, 181, 161, 107, 26, 102, 41, 252, 87, 89, 245, 173, 45, 53, 185, 231, 68, 197, 168, 145, 110, 166, 61, 54, 38, 37, 186, 120, 134, 59, 21, 191, 196, 221, 36, 207, 205, 39, 80, 15, 217, 237, 33, 115, 150, 56, 138, 125, 58, 96, 10, 101, 182, 62, 169}, {234, 238, 97, 254, 103, 184, 57, 227, 7, 172, 176, 58, 192, 40, 15, 175, 147, 21, 99, 55, 166, 122, 216, 45, 106, 222, 107, 52, 133, 85, 123, 50, 195, 11, 32, 12, 140, 188, 182, 124, 158, 115, 49, 224, 36, 131, 19, 37, 105, 253, 68, 151, 154, 252, 174}, {201, 159, 47, 91, 124, 33, 209, 149, 166, 244, 71, 117, 238, 194, 223, 31, 79, 115, 98, 167, 61, 216, 90, 181, 190, 254, 206, 218, 213, 150, 224, 72, 54, 152, 106, 161, 177, 189, 184, 114, 171, 56, 18, 131, 38, 148, 111, 107, 104, 
46, 146, 227, 14, 138, 233}, {143, 70, 101, 217, 59, 168, 252, 130, 195, 44, 58, 39, 186, 231, 26, 23, 146, 219, 56, 36, 54, 45, 181, 97, 223, 62, 33, 191, 110, 89, 251, 8, 12, 10, 15, 134, 197, 41, 179, 100, 86, 125, 205, 37, 185, 107, 208, 184, 228, 150, 221, 61, 173, 117, 193}, {3, 5, 15, 17, 51, 85, 255, 28, 36, 108, 180, 193, 94, 226, 59, 77, 215, 100, 172, 233, 38, 106, 190, 223, 124, 132, 145, 174, 239, 44, 116, 156, 185, 214, 103, 169, 230, 55, 89, 235, 32, 96, 160, 253, 26, 46, 114, 150, 167, 244, 1, 3, 5, 15, 17}, {6, 20, 120, 13, 46, 228, 98, 81, 251, 32, 192, 186, 187, 189, 169, 209, 220, 242, 22, 116, 37, 222, 254, 62, 132, 63, 130, 43, 250, 38, 212, 194, 182, 147, 77, 179, 141, 9, 54, 180, 159, 101, 67, 151, 85, 227, 112, 61, 142, 3, 10, 60, 136, 23, 114}, {12, 80, 231, 208, 169, 191, 87, 195, 125, 38, 181, 47, 217, 197, 85, 219, 221, 245, 8, 96, 186, 107, 206, 33, 145, 130, 86, 207, 45, 193, 101, 134, 102, 146, 150, 166, 251, 64, 39, 185, 127, 62, 21, 252, 100, 138, 54, 117, 70, 15, 68, 23, 228, 196, 89}, {24, 93, 107, 129, 132, 252, 200, 18, 173, 3, 40, 231, 189, 158, 145, 25, 69, 54, 234, 5, 120, 52, 218, 191, 174, 43, 207, 90, 35, 15, 136, 92, 115, 220, 239, 125, 76, 238, 101, 17, 133, 228, 149, 121, 44, 135, 212, 47, 175, 51, 146, 49, 162, 139, 116}, {48, 105, 127, 248, 77, 241, 224, 247, 64, 156, 95, 182, 236, 170, 150, 162, 11, 205, 212, 94, 134, 133, 213, 110, 239, 250, 45, 35, 30, 26, 218, 99, 130, 69, 108, 143, 40, 211, 206, 132, 229, 7, 144, 2, 96, 210, 254, 237, 154, 255, 221, 243, 128, 37, 190}, {96, 185, 223, 59, 85, 150, 89, 44, 38, 193, 15, 26, 169, 145, 100, 36, 1, 96, 185, 223, 59, 85, 150, 89, 44, 38, 193, 15, 26, 169, 145, 100, 36, 1, 96, 185, 223, 59, 85, 150, 89, 44, 38, 193, 15, 26, 169, 145, 100, 36, 1, 96, 185, 223, 59}, {192, 222, 182, 151, 114, 110, 155, 27, 143, 160, 177, 237, 82, 75, 89, 88, 152, 70, 240, 103, 21, 123, 224, 251, 116, 212, 101, 136, 218, 145, 200, 144, 8, 78, 190, 217, 204, 183, 87, 172, 216, 12, 105, 225, 
59, 170, 98, 242, 250, 180, 10, 211, 31, 168, 255}, {157, 95, 217, 133, 230, 130, 18, 2, 39, 190, 175, 23, 209, 25, 36, 4, 78, 97, 67, 46, 191, 50, 72, 8, 156, 194, 134, 92, 99, 100, 144, 16, 37, 153, 17, 184, 198, 200, 61, 32, 74, 47, 34, 109, 145, 141, 122, 64, 148, 94, 68, 218, 63, 7, 244}}; - -void PQCLEAN_HQCRMRS192_CLEAN_reed_solomon_encode(uint8_t *cdw, const uint8_t *msg); - -void PQCLEAN_HQCRMRS192_CLEAN_reed_solomon_decode(uint8_t *msg, uint8_t *cdw); - - -#endif diff --git a/crypto_kem/hqc-rmrs-192/clean/vector.c b/crypto_kem/hqc-rmrs-192/clean/vector.c deleted file mode 100644 index 6f9949c7..00000000 --- a/crypto_kem/hqc-rmrs-192/clean/vector.c +++ /dev/null 
@@ -1,176 +0,0 @@
-#include "nistseedexpander.h"
-#include "parameters.h"
-#include "parsing.h"
-#include "randombytes.h"
-#include "vector.h"
-#include
-#include
-/**
- * @file vector.c
- * @brief Implementation of vectors sampling and some utilities for the HQC scheme
- */
-
-
-/**
- * @brief Generates a vector of a given Hamming weight
- *
- * This function generates uniformly at random a binary vector of a Hamming weight equal to the parameter weight. The vector
- * is stored by position.
- * To generate the vector we have to sample uniformly at random values in the interval [0, PARAM_N -1]. Suppose the PARAM_N is equal to \f$ 70853 \f$, to select a position \f$ r\f$ the function works as follow:
- * 1. It makes a call to the seedexpander function to obtain a random number \f$ x\f$ in \f$ [0, 2^{24}[ \f$.
- * 2. Let \f$ t = \lfloor {2^{24} \over 70853} \rfloor \times 70853\f$
- * 3. If \f$ x \geq t\f$, go to 1
- * 4. It return \f$ r = x \mod 70853\f$
- *
- * The parameter \f$ t \f$ is precomputed and it's denoted by UTILS_REJECTION_THRESHOLD (see the file parameters.h).
- *
- * @param[in] v Pointer to an array
- * @param[in] weight Integer that is the Hamming weight
- * @param[in] ctx Pointer to the context of the seed expander
- */
-void PQCLEAN_HQCRMRS192_CLEAN_vect_set_random_fixed_weight_by_coordinates(AES_XOF_struct *ctx, uint32_t *v, uint16_t weight) {
- size_t random_bytes_size = 3 * weight;
- uint8_t rand_bytes[3 * PARAM_OMEGA_R] = {0}; // weight is expected to be <= PARAM_OMEGA_R
- uint8_t inc;
- size_t i, j;
-
- i = 0;
- j = random_bytes_size;
- while (i < weight) {
- do {
- if (j == random_bytes_size) {
- seedexpander(ctx, rand_bytes, random_bytes_size);
- j = 0;
- }
-
- v[i] = ((uint32_t) rand_bytes[j++]) << 16;
- v[i] |= ((uint32_t) rand_bytes[j++]) << 8;
- v[i] |= rand_bytes[j++];
-
- } while (v[i] >= UTILS_REJECTION_THRESHOLD);
-
- v[i] = v[i] % PARAM_N;
-
- inc = 1;
- for (size_t k = 0; k < i; k++) {
- if (v[k] == v[i]) {
- inc = 0;
- }
- }
- i += inc;
- }
-}
-
-
-
-/**
- * @brief Generates a vector of a given Hamming weight
- *
- * This function generates uniformly at random a binary vector of a Hamming weight equal to the parameter weight.
- * To generate the vector we have to sample uniformly at random values in the interval [0, PARAM_N -1]. Suppose the PARAM_N is equal to \f$ 70853 \f$, to select a position \f$ r\f$ the function works as follow:
- * 1. It makes a call to the seedexpander function to obtain a random number \f$ x\f$ in \f$ [0, 2^{24}[ \f$.
- * 2. Let \f$ t = \lfloor {2^{24} \over 70853} \rfloor \times 70853\f$
- * 3. If \f$ x \geq t\f$, go to 1
- * 4. It return \f$ r = x \mod 70853\f$
- *
- * The parameter \f$ t \f$ is precomputed and it's denoted by UTILS_REJECTION_THRESHOLD (see the file parameters.h).
- *
- * @param[in] v Pointer to an array
- * @param[in] weight Integer that is the Hamming weight
- * @param[in] ctx Pointer to the context of the seed expander
- */
-void PQCLEAN_HQCRMRS192_CLEAN_vect_set_random_fixed_weight(AES_XOF_struct *ctx, uint64_t *v, uint16_t weight) {
- uint32_t tmp[PARAM_OMEGA_R] = {0};
-
- PQCLEAN_HQCRMRS192_CLEAN_vect_set_random_fixed_weight_by_coordinates(ctx, tmp, weight);
-
- for (size_t i = 0; i < weight; ++i) {
- int32_t index = tmp[i] / 64;
- int32_t pos = tmp[i] % 64;
- v[index] |= ((uint64_t) 1) << pos;
- }
-}
-
-
-
-/**
- * @brief Generates a random vector of dimension PARAM_N
- *
- * This function generates a random binary vector of dimension PARAM_N. It generates a random
- * array of bytes using the seedexpander function, and drop the extra bits using a mask.
- *
- * @param[in] v Pointer to an array
- * @param[in] ctx Pointer to the context of the seed expander
- */
-void PQCLEAN_HQCRMRS192_CLEAN_vect_set_random(AES_XOF_struct *ctx, uint64_t *v) {
- uint8_t rand_bytes[VEC_N_SIZE_BYTES] = {0};
-
- seedexpander(ctx, rand_bytes, VEC_N_SIZE_BYTES);
-
- PQCLEAN_HQCRMRS192_CLEAN_load8_arr(v, VEC_N_SIZE_64, rand_bytes, VEC_N_SIZE_BYTES);
- v[VEC_N_SIZE_64 - 1] &= RED_MASK;
-}
-
-
-
-/**
- * @brief Adds two vectors
- *
- * @param[out] o Pointer to an array that is the result
- * @param[in] v1 Pointer to an array that is the first vector
- * @param[in] v2 Pointer to an array that is the second vector
- * @param[in] size Integer that is the size of the vectors
- */
-void PQCLEAN_HQCRMRS192_CLEAN_vect_add(uint64_t *o, const uint64_t *v1, const uint64_t *v2, uint32_t size) {
- for (uint32_t i = 0; i < size; ++i) {
- o[i] = v1[i] ^ v2[i];
- }
-}
-
-
-
-/**
- * @brief Compares two vectors
- *
- * @param[in] v1 Pointer to an array that is first vector
- * @param[in] v2 Pointer to an array that is second vector
- * @param[in] size Integer that is the size of the vectors
- * @returns 0 if the vectors are equals and a negative/psotive value otherwise
- */
-uint8_t PQCLEAN_HQCRMRS192_CLEAN_vect_compare(const uint8_t *v1, const uint8_t *v2, uint32_t size) {
- uint64_t r = 0;
- for (size_t i = 0; i < size; i++) {
- r |= v1[i] ^ v2[i];
- }
- r = (~r + 1) >> 63;
- return (uint8_t) r;
-}
-
-
-
-/**
- * @brief Resize a vector so that it contains size_o bits
- *
- * @param[out] o Pointer to the output vector
- * @param[in] size_o Integer that is the size of the output vector in bits
- * @param[in] v Pointer to the input vector
- * @param[in] size_v Integer that is the size of the input vector in bits
- */
-void PQCLEAN_HQCRMRS192_CLEAN_vect_resize(uint64_t *o, uint32_t size_o, const uint64_t *v, uint32_t size_v) {
- if (size_o < size_v) {
- uint64_t mask = 0x7FFFFFFFFFFFFFFF;
- int8_t val = 0;
-
- if (size_o % 64) {
- val = 64 - (size_o % 64);
- }
-
- memcpy(o, v, 8 * VEC_N1N2_SIZE_64);
-
- for (int8_t i = 0; i < val; ++i) {
- o[VEC_N1N2_SIZE_64 - 1] &= (mask >> i);
- }
- } else {
- memcpy(o, v, 8 * CEIL_DIVIDE(size_v, 64));
- }
-}
diff --git a/crypto_kem/hqc-rmrs-192/clean/vector.h b/crypto_kem/hqc-rmrs-192/clean/vector.h
deleted file mode 100644
index 1b06a68b..00000000
--- a/crypto_kem/hqc-rmrs-192/clean/vector.h
+++ /dev/null
@@ -1,27 +0,0 @@
-#ifndef VECTOR_H
-#define VECTOR_H
-
-
-/**
- * @file vector.h
- * @brief Header file for vector.c
- */
-#include "nistseedexpander.h"
-#include "randombytes.h"
-#include
-
-void PQCLEAN_HQCRMRS192_CLEAN_vect_set_random_fixed_weight_by_coordinates(AES_XOF_struct *ctx, uint32_t *v, uint16_t weight);
-
-void PQCLEAN_HQCRMRS192_CLEAN_vect_set_random_fixed_weight(AES_XOF_struct *ctx, uint64_t *v, uint16_t weight);
-
-void PQCLEAN_HQCRMRS192_CLEAN_vect_set_random(AES_XOF_struct *ctx, uint64_t *v);
-
-
-void PQCLEAN_HQCRMRS192_CLEAN_vect_add(uint64_t *o, const uint64_t *v1, const uint64_t *v2, uint32_t size);
-
-uint8_t PQCLEAN_HQCRMRS192_CLEAN_vect_compare(const uint8_t *v1, const uint8_t *v2, uint32_t size);
-
-void PQCLEAN_HQCRMRS192_CLEAN_vect_resize(uint64_t *o, uint32_t size_o, const uint64_t *v, uint32_t size_v);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-256/META.yml b/crypto_kem/hqc-rmrs-256/META.yml
deleted file mode 100644
index ec41d040..00000000
--- a/crypto_kem/hqc-rmrs-256/META.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-name: HQC-RMRS-256
-type: kem
-claimed-nist-level: 5
-claimed-security: IND-CCA2
-length-ciphertext: 14469
-length-public-key: 7245
-length-secret-key: 7285
-length-shared-secret: 64
-nistkat-sha256: 4a5bc02661794464576dc2742636bd6123a3c0fde9dd0b52d9703866beae2f32
-principal-submitters:
- - Carlos Aguilar Melchor
- - Nicolas Aragon
- - Slim Bettaieb
- - Olivier Blazy
- - Jurjen Bos
- - Jean-Christophe Deneuville
- - Philippe Gaborit
- - Edoardo Persichetti
- - Jean-Marc Robert
- - Pascal Véron
- - Gilles Zémor
- - Loïc Bidoux
-implementations:
- - name: clean
- version: hqc-submission_2020-10-01 via https://github.com/jschanck/package-pqclean/tree/c9181076/hqc
- name: avx2
- version: hqc-submission_2020-10-01 via https://github.com/jschanck/package-pqclean/tree/c9181076/hqc
- supported_platforms:
- - architecture: x86_64
- operating_systems:
- - Linux
- - Darwin
- required_flags:
- - avx2
- - bmi1
- - pclmulqdq
diff --git a/crypto_kem/hqc-rmrs-256/avx2/LICENSE b/crypto_kem/hqc-rmrs-256/avx2/LICENSE
deleted file mode 100644
index d5d21fff..00000000
--- a/crypto_kem/hqc-rmrs-256/avx2/LICENSE
+++ /dev/null
@@ -1 +0,0 @@
-Public Domain
diff --git a/crypto_kem/hqc-rmrs-256/avx2/api.h b/crypto_kem/hqc-rmrs-256/avx2/api.h
deleted file mode 100644
index 6b5c9188..00000000
--- a/crypto_kem/hqc-rmrs-256/avx2/api.h
+++ /dev/null
@@ -1,25 +0,0 @@
-#ifndef PQCLEAN_HQCRMRS256_AVX2_API_H
-#define PQCLEAN_HQCRMRS256_AVX2_API_H
-/**
- * @file api.h
- * @brief NIST KEM API used by the HQC_KEM IND-CCA2 scheme
- */
-
-#define PQCLEAN_HQCRMRS256_AVX2_CRYPTO_ALGNAME "HQC-RMRS-256"
-
-#define PQCLEAN_HQCRMRS256_AVX2_CRYPTO_SECRETKEYBYTES 7285
-#define PQCLEAN_HQCRMRS256_AVX2_CRYPTO_PUBLICKEYBYTES 7245
-#define PQCLEAN_HQCRMRS256_AVX2_CRYPTO_BYTES 64
-#define PQCLEAN_HQCRMRS256_AVX2_CRYPTO_CIPHERTEXTBYTES 14469
-
-// As a technicality, the public key is appended to the secret key in order to respect the NIST API.
-// Without this constraint, PQCLEAN_HQCRMRS256_AVX2_CRYPTO_SECRETKEYBYTES would be defined as 32
-
-int PQCLEAN_HQCRMRS256_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk);
-
-int PQCLEAN_HQCRMRS256_AVX2_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk);
-
-int PQCLEAN_HQCRMRS256_AVX2_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-256/avx2/code.c b/crypto_kem/hqc-rmrs-256/avx2/code.c
deleted file mode 100644
index c1af29d2..00000000
--- a/crypto_kem/hqc-rmrs-256/avx2/code.c
+++ /dev/null
@@ -1,47 +0,0 @@
-#include "code.h"
-#include "parameters.h"
-#include "reed_muller.h"
-#include "reed_solomon.h"
-#include
-#include
-/**
- * @file code.c
- * @brief Implementation of concatenated code
- */
-
-
-
-/**
- *
- * @brief Encoding the message m to a code word em using the concatenated code
- *
- * First we encode the message using the Reed-Solomon code, then with the duplicated Reed-Muller code we obtain
- * a concatenated code word.
- *
- * @param[out] em Pointer to an array that is the tensor code word
- * @param[in] m Pointer to an array that is the message
- */
-void PQCLEAN_HQCRMRS256_AVX2_code_encode(uint8_t *em, const uint8_t *m) {
- uint8_t tmp[8 * VEC_N1_SIZE_64] = {0};
-
- PQCLEAN_HQCRMRS256_AVX2_reed_solomon_encode(tmp, m);
- PQCLEAN_HQCRMRS256_AVX2_reed_muller_encode(em, tmp);
-
-}
-
-
-
-/**
- * @brief Decoding the code word em to a message m using the concatenated code
- *
- * @param[out] m Pointer to an array that is the message
- * @param[in] em Pointer to an array that is the code word
- */
-void PQCLEAN_HQCRMRS256_AVX2_code_decode(uint8_t *m, const uint8_t *em) {
- uint8_t tmp[8 * VEC_N1_SIZE_64] = {0};
-
- PQCLEAN_HQCRMRS256_AVX2_reed_muller_decode(tmp, em);
- PQCLEAN_HQCRMRS256_AVX2_reed_solomon_decode(m, tmp);
-
-
-}
diff --git a/crypto_kem/hqc-rmrs-256/avx2/code.h b/crypto_kem/hqc-rmrs-256/avx2/code.h
deleted file mode 100644
index cacce116..00000000
--- a/crypto_kem/hqc-rmrs-256/avx2/code.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef CODE_H
-#define CODE_H
-
-
-/**
- * @file code.h
- * Header file of code.c
- */
-#include "parameters.h"
-#include
-#include
-
-void PQCLEAN_HQCRMRS256_AVX2_code_encode(uint8_t *em, const uint8_t *message);
-
-void PQCLEAN_HQCRMRS256_AVX2_code_decode(uint8_t *m, const uint8_t *em);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-256/avx2/fft.c b/crypto_kem/hqc-rmrs-256/avx2/fft.c
deleted file mode 100644
index d49a05f7..00000000
--- a/crypto_kem/hqc-rmrs-256/avx2/fft.c
+++ /dev/null
@@ -1,351 +0,0 @@
-#include "fft.h"
-#include "gf.h"
-#include "parameters.h"
-#include
-#include
-/**
- * @file fft.c
- * Implementation of the additive FFT and its transpose.
- * This implementation is based on the paper from Gao and Mateer:
- * Shuhong Gao and Todd Mateer, Additive Fast Fourier Transforms over Finite Fields,
- * IEEE Transactions on Information Theory 56 (2010), 6265--6272.
- * http://www.math.clemson.edu/~sgao/papers/GM10.pdf
- * and includes improvements proposed by Bernstein, Chou and Schwabe here:
- * https://binary.cr.yp.to/mcbits-20130616.pdf
- */
-
-
-static void compute_fft_betas(uint16_t *betas);
-static void compute_subset_sums(uint16_t *subset_sums, const uint16_t *set, uint16_t set_size);
-static void radix(uint16_t *f0, uint16_t *f1, const uint16_t *f, uint32_t m_f);
-static void radix_big(uint16_t *f0, uint16_t *f1, const uint16_t *f, uint32_t m_f);
-static void fft_rec(uint16_t *w, uint16_t *f, size_t f_coeffs, uint8_t m, uint32_t m_f, const uint16_t *betas);
-
-
-/**
- * @brief Computes the basis of betas (omitting 1) used in the additive FFT and its transpose
- *
- * @param[out] betas Array of size PARAM_M-1
- */
-static void compute_fft_betas(uint16_t *betas) {
- size_t i;
- for (i = 0; i < PARAM_M - 1; ++i) {
- betas[i] = 1 << (PARAM_M - 1 - i);
- }
-}
-
-
-
-/**
- * @brief Computes the subset sums of the given set
- *
- * The array subset_sums is such that its ith element is
- * the subset sum of the set elements given by the binary form of i.
- *
- * @param[out] subset_sums Array of size 2^set_size receiving the subset sums
- * @param[in] set Array of set_size elements
- * @param[in] set_size Size of the array set
- */
-static void compute_subset_sums(uint16_t *subset_sums, const uint16_t *set, uint16_t set_size) {
- uint16_t i, j;
- subset_sums[0] = 0;
-
- for (i = 0; i < set_size; ++i) {
- for (j = 0; j < (1 << i); ++j) {
- subset_sums[(1 << i) + j] = set[i] ^ subset_sums[j];
- }
- }
-}
-
-
-
-/**
- * @brief Computes the radix conversion of a polynomial f in GF(2^m)[x]
- *
- * Computes f0 and f1 such that f(x) = f0(x^2-x) + x.f1(x^2-x)
- * as proposed by Bernstein, Chou and Schwabe:
- * https://binary.cr.yp.to/mcbits-20130616.pdf
- *
- * @param[out] f0 Array half the size of f
- * @param[out] f1 Array half the size of f
- * @param[in] f Array of size a power of 2
- * @param[in] m_f 2^{m_f} is the smallest power of 2 greater or equal to the number of coefficients of f
- */
-static void radix(uint16_t *f0, uint16_t *f1, const uint16_t *f, uint32_t m_f) {
- switch (m_f) {
- case 4:
- f0[4] = f[8] ^ f[12];
- f0[6] = f[12] ^ f[14];
- f0[7] = f[14] ^ f[15];
- f1[5] = f[11] ^ f[13];
- f1[6] = f[13] ^ f[14];
- f1[7] = f[15];
- f0[5] = f[10] ^ f[12] ^ f1[5];
- f1[4] = f[9] ^ f[13] ^ f0[5];
-
- f0[0] = f[0];
- f1[3] = f[7] ^ f[11] ^ f[15];
- f0[3] = f[6] ^ f[10] ^ f[14] ^ f1[3];
- f0[2] = f[4] ^ f0[4] ^ f0[3] ^ f1[3];
- f1[1] = f[3] ^ f[5] ^ f[9] ^ f[13] ^ f1[3];
- f1[2] = f[3] ^ f1[1] ^ f0[3];
- f0[1] = f[2] ^ f0[2] ^ f1[1];
- f1[0] = f[1] ^ f0[1];
- break;
-
- case 3:
- f0[0] = f[0];
- f0[2] = f[4] ^ f[6];
- f0[3] = f[6] ^ f[7];
- f1[1] = f[3] ^ f[5] ^ f[7];
- f1[2] = f[5] ^ f[6];
- f1[3] = f[7];
- f0[1] = f[2] ^ f0[2] ^ f1[1];
- f1[0] = f[1] ^ f0[1];
- break;
-
- case 2:
- f0[0] = f[0];
- f0[1] = f[2] ^ f[3];
- f1[0] = f[1] ^ f0[1];
- f1[1] = f[3];
- break;
-
- case 1:
- f0[0] = f[0];
- f1[0] = f[1];
- break;
-
- default:
- radix_big(f0, f1, f, m_f);
- break;
- }
-}
-
-static void radix_big(uint16_t *f0, uint16_t *f1, const uint16_t *f, uint32_t m_f) {
- uint16_t Q[2 * (1 << (PARAM_FFT - 2))] = {0};
- uint16_t R[2 * (1 << (PARAM_FFT - 2))] = {0};
-
- uint16_t Q0[1 << (PARAM_FFT - 2)] = {0};
- uint16_t Q1[1 << (PARAM_FFT - 2)] = {0};
- uint16_t R0[1 << (PARAM_FFT - 2)] = {0};
- uint16_t R1[1 << (PARAM_FFT - 2)] = {0};
-
- size_t i, n;
-
- n = 1;
- n <<= (m_f - 2);
- memcpy(Q, f + 3 * n, 2 * n);
- memcpy(Q + n, f + 3 * n, 2 * n);
- memcpy(R, f, 4 * n);
-
- for (i = 0; i < n; ++i) {
- Q[i] ^= f[2 * n + i];
- R[n + i] ^= Q[i];
- }
-
- radix(Q0, Q1, Q, m_f - 1);
- radix(R0, R1, R, m_f - 1);
-
- memcpy(f0, R0, 2 * n);
- memcpy(f0 + n, Q0, 2 * n);
- memcpy(f1, R1, 2 * n);
- memcpy(f1 + n, Q1, 2 * n);
-}
-
-
-
-/**
- * @brief Evaluates f at all subset sums of a given set
- *
- * This function is a subroutine of the function PQCLEAN_HQCRMRS256_AVX2_fft.
- *
- * @param[out] w Array
- * @param[in] f Array
- * @param[in] f_coeffs Number of coefficients of f
- * @param[in] m Number of betas
- * @param[in] m_f Number of coefficients of f (one more than its degree)
- * @param[in] betas FFT constants
- */
-static void fft_rec(uint16_t *w, uint16_t *f, size_t f_coeffs, uint8_t m, uint32_t m_f, const uint16_t *betas) {
- uint16_t f0[1 << (PARAM_FFT - 2)] = {0};
- uint16_t f1[1 << (PARAM_FFT - 2)] = {0};
- uint16_t gammas[PARAM_M - 2] = {0};
- uint16_t deltas[PARAM_M - 2] = {0};
- uint16_t gammas_sums[1 << (PARAM_M - 2)] = {0};
- uint16_t u[1 << (PARAM_M - 2)] = {0};
- uint16_t v[1 << (PARAM_M - 2)] = {0};
- uint16_t tmp[PARAM_M - (PARAM_FFT - 1)] = {0};
-
- uint16_t beta_m_pow;
- size_t i, j, k;
- size_t x;
-
- // Step 1
- if (m_f == 1) {
- for (i = 0; i < m; ++i) {
- tmp[i] = PQCLEAN_HQCRMRS256_AVX2_gf_mul(betas[i], f[1]);
- }
-
- w[0] = f[0];
- x = 1;
- for (j = 0; j < m; ++j) {
- for (k = 0; k < x; ++k) {
- w[x + k] = w[k] ^ tmp[j];
- }
- x <<= 1;
- }
-
- return;
- }
-
- // Step 2: compute g
- if (betas[m - 1] != 1) {
- beta_m_pow = 1;
- x = 1;
- x <<= m_f;
- for (i = 1; i < x; ++i) {
- beta_m_pow = PQCLEAN_HQCRMRS256_AVX2_gf_mul(beta_m_pow, betas[m - 1]);
- f[i] = PQCLEAN_HQCRMRS256_AVX2_gf_mul(beta_m_pow, f[i]);
- }
- }
-
- // Step 3
- radix(f0, f1, f, m_f);
-
- // Step 4: compute gammas and deltas
- for (i = 0; i + 1 < m; ++i) {
- gammas[i] = PQCLEAN_HQCRMRS256_AVX2_gf_mul(betas[i], PQCLEAN_HQCRMRS256_AVX2_gf_inverse(betas[m - 1]));
- deltas[i] = PQCLEAN_HQCRMRS256_AVX2_gf_square(gammas[i]) ^ gammas[i];
- }
-
- // Compute gammas sums
- compute_subset_sums(gammas_sums, gammas, m - 1);
-
- // Step 5
- fft_rec(u, f0, (f_coeffs + 1) / 2, m - 1, m_f - 1, deltas);
-
- k = 1;
- k <<= ((m - 1) & 0xf); // &0xf is to let the compiler know that m-1 is small.
- if (f_coeffs <= 3) { // 3-coefficient polynomial f case: f1 is constant
- w[0] = u[0];
- w[k] = u[0] ^ f1[0];
- for (i = 1; i < k; ++i) {
- w[i] = u[i] ^ PQCLEAN_HQCRMRS256_AVX2_gf_mul(gammas_sums[i], f1[0]);
- w[k + i] = w[i] ^ f1[0];
- }
- } else {
- fft_rec(v, f1, f_coeffs / 2, m - 1, m_f - 1, deltas);
-
- // Step 6
- memcpy(w + k, v, 2 * k);
- w[0] = u[0];
- w[k] ^= u[0];
- for (i = 1; i < k; ++i) {
- w[i] = u[i] ^ PQCLEAN_HQCRMRS256_AVX2_gf_mul(gammas_sums[i], v[i]);
- w[k + i] ^= w[i];
- }
- }
-}
-
-
-
-/**
- * @brief Evaluates f on all fields elements using an additive FFT algorithm
- *
- * f_coeffs is the number of coefficients of f (one less than its degree).
- * The FFT proceeds recursively to evaluate f at all subset sums of a basis B.
- * This implementation is based on the paper from Gao and Mateer:
- * Shuhong Gao and Todd Mateer, Additive Fast Fourier Transforms over Finite Fields,
- * IEEE Transactions on Information Theory 56 (2010), 6265--6272.
- * http://www.math.clemson.edu/~sgao/papers/GM10.pdf
- * and includes improvements proposed by Bernstein, Chou and Schwabe here:
- * https://binary.cr.yp.to/mcbits-20130616.pdf
- * Note that on this first call (as opposed to the recursive calls to fft_rec), gammas are equal to betas,
- * meaning the first gammas subset sums are actually the subset sums of betas (except 1).
- * Also note that f is altered during computation (twisted at each level).
- *
- * @param[out] w Array
- * @param[in] f Array of 2^PARAM_FFT elements
- * @param[in] f_coeffs Number coefficients of f (i.e. deg(f)+1)
- */
-void PQCLEAN_HQCRMRS256_AVX2_fft(uint16_t *w, const uint16_t *f, size_t f_coeffs) {
- uint16_t betas[PARAM_M - 1] = {0};
- uint16_t betas_sums[1 << (PARAM_M - 1)] = {0};
- uint16_t f0[1 << (PARAM_FFT - 1)] = {0};
- uint16_t f1[1 << (PARAM_FFT - 1)] = {0};
- uint16_t deltas[PARAM_M - 1] = {0};
- uint16_t u[1 << (PARAM_M - 1)] = {0};
- uint16_t v[1 << (PARAM_M - 1)] = {0};
-
- size_t i, k;
-
- // Follows Gao and Mateer algorithm
- compute_fft_betas(betas);
-
- // Step 1: PARAM_FFT > 1, nothing to do
-
- // Compute gammas sums
- compute_subset_sums(betas_sums, betas, PARAM_M - 1);
-
- // Step 2: beta_m = 1, nothing to do
-
- // Step 3
- radix(f0, f1, f, PARAM_FFT);
-
- // Step 4: Compute deltas
- for (i = 0; i < PARAM_M - 1; ++i) {
- deltas[i] = PQCLEAN_HQCRMRS256_AVX2_gf_square(betas[i]) ^ betas[i];
- }
-
- // Step 5
- fft_rec(u, f0, (f_coeffs + 1) / 2, PARAM_M - 1, PARAM_FFT - 1, deltas);
- fft_rec(v, f1, f_coeffs / 2, PARAM_M - 1, PARAM_FFT - 1, deltas);
-
- k = 1 << (PARAM_M - 1);
- // Step 6, 7 and error polynomial computation
- memcpy(w + k, v, 2 * k);
-
- // Check if 0 is root
- w[0] = u[0];
-
- // Check if 1 is root
- w[k] ^= u[0];
-
- // Find other roots
- for (i = 1; i < k; ++i) {
- w[i] = u[i] ^ PQCLEAN_HQCRMRS256_AVX2_gf_mul(betas_sums[i], v[i]);
- w[k + i] ^= w[i];
- }
-}
-
-
-
-/**
- * @brief Retrieves the error polynomial error from the evaluations w of the ELP (Error Locator Polynomial) on all field elements.
- *
- * @param[out] error Array with the error
- * @param[out] error_compact Array with the error in a compact form
- * @param[in] w Array of size 2^PARAM_M
- */
-void PQCLEAN_HQCRMRS256_AVX2_fft_retrieve_error_poly(uint8_t *error, const uint16_t *w) {
- uint16_t gammas[PARAM_M - 1] = {0};
- uint16_t gammas_sums[1 << (PARAM_M - 1)] = {0};
- uint16_t k;
- size_t i, index;
-
- compute_fft_betas(gammas);
- compute_subset_sums(gammas_sums, gammas, PARAM_M - 1);
-
- k = 1 << (PARAM_M - 1);
- error[0] ^= 1 ^ ((uint16_t) - w[0] >> 15);
- error[0] ^= 1 ^ ((uint16_t) - w[k] >> 15);
-
- for (i = 1; i < k; ++i) {
- index = PARAM_GF_MUL_ORDER - gf_log[gammas_sums[i]];
- error[index] ^= 1 ^ ((uint16_t) - w[i] >> 15);
-
- index = PARAM_GF_MUL_ORDER - gf_log[gammas_sums[i] ^ 1];
- error[index] ^= 1 ^ ((uint16_t) - w[k + i] >> 15);
- }
-}
diff --git a/crypto_kem/hqc-rmrs-256/avx2/fft.h b/crypto_kem/hqc-rmrs-256/avx2/fft.h
deleted file mode 100644
index 2428b88c..00000000
--- a/crypto_kem/hqc-rmrs-256/avx2/fft.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef FFT_H
-#define FFT_H
-
-
-/**
- * @file fft.h
- * Header file of fft.c
- */
-
-#include
-#include
-
-void PQCLEAN_HQCRMRS256_AVX2_fft(uint16_t *w, const uint16_t *f, size_t f_coeffs);
-
-void PQCLEAN_HQCRMRS256_AVX2_fft_retrieve_error_poly(uint8_t *error, const uint16_t *w);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-256/avx2/gf.c b/crypto_kem/hqc-rmrs-256/avx2/gf.c
deleted file mode 100644
index 3b5dcdc9..00000000
--- a/crypto_kem/hqc-rmrs-256/avx2/gf.c
+++ /dev/null
@@ -1,176 +0,0 @@
-#include "gf.h"
-#include "parameters.h"
-#include
-/**
- * @file gf.c
- * Galois field implementation with multiplication using the pclmulqdq instruction
- */
-
-
-static uint16_t gf_reduce(uint64_t x, size_t deg_x);
-
-
-
-/**
- * Reduces polynomial x modulo primitive polynomial GF_POLY.
- * @returns x mod GF_POLY
- * @param[in] x Polynomial of degree less than 64
- * @param[in] deg_x The degree of polynomial x
- */
-static uint16_t gf_reduce(uint64_t x, size_t deg_x) {
- uint16_t z1, z2, rmdr, dist;
- uint64_t mod;
- size_t steps, i, j;
-
- // Deduce the number of steps of reduction
- steps = CEIL_DIVIDE(deg_x - (PARAM_M - 1), PARAM_GF_POLY_M2);
-
- // Reduce
- for (i = 0; i < steps; ++i) {
- mod = x >> PARAM_M;
- x &= (1 << PARAM_M) - 1;
- x ^= mod;
-
- z1 = 0;
- rmdr = PARAM_GF_POLY ^ 1;
- for (j = PARAM_GF_POLY_WT - 2; j; --j) {
- z2 = __tzcnt_u16(rmdr);
- dist = (uint16_t) (z2 - z1);
- mod <<= dist;
- x ^= mod;
- rmdr ^= 1 << z2;
- z1 = z2;
- }
- }
-
- return x;
-}
-
-
-
-/**
- * Multiplies two elements of GF(2^GF_M).
- * @returns the product a*b
- * @param[in] a Element of GF(2^GF_M)
- * @param[in] b Element of GF(2^GF_M)
- */
-uint16_t PQCLEAN_HQCRMRS256_AVX2_gf_mul(uint16_t a, uint16_t b) {
- __m128i va = _mm_cvtsi32_si128(a);
- __m128i vb = _mm_cvtsi32_si128(b);
- __m128i vab = _mm_clmulepi64_si128(va, vb, 0);
- uint32_t ab = _mm_cvtsi128_si32(vab);
-
- return gf_reduce(ab, 2 * (PARAM_M - 1));
-}
-
-
-
-/**
- * Compute 16 products in GF(2^GF_M).
- * @returns the product (a0b0,a1b1,...,a15b15) , ai,bi in GF(2^GF_M)
- * @param[in] a 256-bit register where a0,..,a15 are stored as 16 bit integers
- * @param[in] b 256-bit register where b0,..,b15 are stored as 16 bit integer
- *
- */
-__m256i PQCLEAN_HQCRMRS256_AVX2_gf_mul_vect(__m256i a, __m256i b) {
- __m128i al = _mm256_extractf128_si256(a, 0);
- __m128i ah = _mm256_extractf128_si256(a, 1);
- __m128i bl = _mm256_extractf128_si256(b, 0);
- __m128i bh = _mm256_extractf128_si256(b, 1);
-
- __m128i abl0 = _mm_clmulepi64_si128(al & CONST128_MASKL, bl & CONST128_MASKL, 0x0);
- abl0 &= CONST128_MIDDLEMASKL;
- abl0 ^= (_mm_clmulepi64_si128(al & CONST128_MASKH, bl & CONST128_MASKH, 0x0) & CONST128_MIDDLEMASKH);
-
- __m128i abh0 = _mm_clmulepi64_si128(al & CONST128_MASKL, bl & CONST128_MASKL, 0x11);
- abh0 &= CONST128_MIDDLEMASKL;
- abh0 ^= (_mm_clmulepi64_si128(al & CONST128_MASKH, bl & CONST128_MASKH, 0x11) & CONST128_MIDDLEMASKH);
-
- abl0 = _mm_shuffle_epi8(abl0, CONST128_INDEXL);
- abl0 ^= _mm_shuffle_epi8(abh0, CONST128_INDEXH);
-
- __m128i abl1 = _mm_clmulepi64_si128(ah & CONST128_MASKL, bh & CONST128_MASKL, 0x0);
- abl1 &= CONST128_MIDDLEMASKL;
- abl1 ^= (_mm_clmulepi64_si128(ah & CONST128_MASKH, bh & CONST128_MASKH, 0x0) & CONST128_MIDDLEMASKH);
-
- __m128i abh1 = _mm_clmulepi64_si128(ah & CONST128_MASKL, bh & CONST128_MASKL, 0x11);
- abh1 &= CONST128_MIDDLEMASKL;
- abh1 ^= (_mm_clmulepi64_si128(ah & CONST128_MASKH, bh & CONST128_MASKH, 0x11) & CONST128_MIDDLEMASKH);
-
- abl1 = _mm_shuffle_epi8(abl1, CONST128_INDEXL);
- abl1 ^= _mm_shuffle_epi8(abh1, CONST128_INDEXH);
-
- __m256i ret = _mm256_set_m128i(abl1, abl0);
-
- __m256i aux = CONST256_MR0;
-
- for (int32_t i = 0; i < 7; i++) {
- ret ^= red[i] & _mm256_cmpeq_epi16((ret & aux), aux);
- aux = aux << 1;
- }
-
- ret &= CONST256_LASTMASK;
- return ret;
-}
-
-
-
-/**
- * Squares an element of GF(2^GF_M).
- * @returns a^2
- * @param[in] a Element of GF(2^GF_M)
- */
-uint16_t PQCLEAN_HQCRMRS256_AVX2_gf_square(uint16_t a) {
- uint32_t b = a;
- uint32_t s = b & 1;
- for (size_t i = 1; i < PARAM_M; ++i) {
- b <<= 1;
- s ^= b & (1 << 2 * i);
- }
-
- return gf_reduce(s, 2 * (PARAM_M - 1));
-}
-
-
-
-/**
- * Computes the inverse of an element of GF(2^8),
- * using the addition chain 1 2 3 4 7 11 15 30 60 120 127 254
- * @returns the inverse of a
- * @param[in] a Element of GF(2^GF_M)
- */
-uint16_t PQCLEAN_HQCRMRS256_AVX2_gf_inverse(uint16_t a) {
- uint16_t inv = a;
- uint16_t tmp1, tmp2;
-
- inv = PQCLEAN_HQCRMRS256_AVX2_gf_square(a); /* a^2 */
- tmp1 = PQCLEAN_HQCRMRS256_AVX2_gf_mul(inv, a); /* a^3 */
- inv = PQCLEAN_HQCRMRS256_AVX2_gf_square(inv); /* a^4 */
- tmp2 = PQCLEAN_HQCRMRS256_AVX2_gf_mul(inv, tmp1); /* a^7 */
- tmp1 = PQCLEAN_HQCRMRS256_AVX2_gf_mul(inv, tmp2); /* a^11 */
- inv = PQCLEAN_HQCRMRS256_AVX2_gf_mul(tmp1, inv); /* a^15 */
- inv = PQCLEAN_HQCRMRS256_AVX2_gf_square(inv); /* a^30 */
- inv = PQCLEAN_HQCRMRS256_AVX2_gf_square(inv); /* a^60 */
- inv = PQCLEAN_HQCRMRS256_AVX2_gf_square(inv); /* a^120 */
- inv = PQCLEAN_HQCRMRS256_AVX2_gf_mul(inv, tmp2); /* a^127 */
- inv = PQCLEAN_HQCRMRS256_AVX2_gf_square(inv); /* a^254 */
- return inv;
-}
-
-
-
-/**
- * Returns i modulo 2^GF_M-1.
- * i must be less than 2*(2^GF_M-1).
- * Therefore, the return value is either i or i-2^GF_M+1.
- * @returns i mod (2^GF_M-1)
- * @param[in] i The integer whose modulo is taken
- */
-uint16_t PQCLEAN_HQCRMRS256_AVX2_gf_mod(uint16_t i) {
- uint16_t tmp = (uint16_t) (i - PARAM_GF_MUL_ORDER);
-
- // mask = 0xffff if (i < GF_MUL_ORDER)
- uint16_t mask = -(tmp >> 15);
-
- return tmp + (mask & PARAM_GF_MUL_ORDER);
-}
diff --git a/crypto_kem/hqc-rmrs-256/avx2/gf.h b/crypto_kem/hqc-rmrs-256/avx2/gf.h
deleted file mode 100644
index 5086900e..00000000
--- a/crypto_kem/hqc-rmrs-256/avx2/gf.h
+++ /dev/null
@@ -1,69 +0,0 @@
-#ifndef GF_H
-#define GF_H
-
-
-/**
- * @file gf.h
- * Header file of gf.c
- */
-
-#include
-#include
-#include
-
-#define _mm256_set_m128i(v0, v1) _mm256_insertf128_si256(_mm256_castsi128_si256(v1), (v0), 1)
-
-/**
- * Powers of the root alpha of 1 + x^2 + x^3 + x^4 + x^8.
- * The last two elements are needed by the PQCLEAN_HQCRMRS256_AVX2_gf_mul function
- * (for example if both elements to multiply are zero).
- */
-static const uint16_t gf_exp[258] = { 1, 2, 4, 8, 16, 32, 64, 128, 29, 58, 116, 232, 205, 135, 19, 38, 76, 152, 45, 90, 180, 117, 234, 201, 143, 3, 6, 12, 24, 48, 96, 192, 157, 39, 78, 156, 37, 74, 148, 53, 106, 212, 181, 119, 238, 193, 159, 35, 70, 140, 5, 10, 20, 40, 80, 160, 93, 186, 105, 210, 185, 111, 222, 161, 95, 190, 97, 194, 153, 47, 94, 188, 101, 202, 137, 15, 30, 60, 120, 240, 253, 231, 211, 187, 107, 214, 177, 127, 254, 225, 223, 163, 91, 182, 113, 226, 217, 175, 67, 134, 17, 34, 68, 136, 13, 26, 52, 104, 208, 189, 103, 206, 129, 31, 62, 124, 248, 237, 199, 147, 59, 118, 236, 197, 151, 51, 102, 204, 133, 23, 46, 92, 184, 109, 218, 169, 79, 158, 33, 66, 132, 21, 42, 84, 168, 77, 154, 41, 82, 164, 85, 170, 73, 146, 57, 114, 228, 213, 183, 115, 230, 209, 191, 99, 198, 145, 63, 126, 252, 229, 215, 179, 123, 246, 241, 255, 227, 219, 171, 75, 150, 49, 98, 196, 149, 55, 110, 220, 165, 87, 174, 65, 130, 25, 50, 100, 200, 141, 7, 14, 28, 56, 112, 224, 221, 167, 83, 166, 81, 162, 89, 178, 121, 242, 249, 239, 195, 155, 43, 86, 172, 69, 138, 9, 18, 36, 72, 144, 61, 122, 244, 245, 247, 243, 251, 235, 203, 139, 11, 22, 44, 88, 176, 125, 250, 233, 207, 131, 27, 54, 108, 216, 173, 71, 142, 1, 2, 4 };
-
-
-
-/**
- * Logarithm of elements of GF(2^8) to the base alpha (root of 1 + x^2 + x^3 + x^4 + x^8).
- * The logarithm of 0 is set to 0 by convention.
- */
-static const uint16_t gf_log[256] = { 0, 0, 1, 25, 2, 50, 26, 198, 3, 223, 51, 238, 27, 104, 199, 75, 4, 100, 224, 14, 52, 141, 239, 129, 28, 193, 105, 248, 200, 8, 76, 113, 5, 138, 101, 47, 225, 36, 15, 33, 53, 147, 142, 218, 240, 18, 130, 69, 29, 181, 194, 125, 106, 39, 249, 185, 201, 154, 9, 120, 77, 228, 114, 166, 6, 191, 139, 98, 102, 221, 48, 253, 226, 152, 37, 179, 16, 145, 34, 136, 54, 208, 148, 206, 143, 150, 219, 189, 241, 210, 19, 92, 131, 56, 70, 64, 30, 66, 182, 163, 195, 72, 126, 110, 107, 58, 40, 84, 250, 133, 186, 61, 202, 94, 155, 159, 10, 21, 121, 43, 78, 212, 229, 172, 115, 243, 167, 87, 7, 112, 192, 247, 140, 128, 99, 13, 103, 74, 222, 237, 49, 197, 254, 24, 227, 165, 153, 119, 38, 184, 180, 124, 17, 68, 146, 217, 35, 32, 137, 46, 55, 63, 209, 91, 149, 188, 207, 205, 144, 135, 151, 178, 220, 252, 190, 97, 242, 86, 211, 171, 20, 42, 93, 158, 132, 60, 57, 83, 71, 109, 65, 162, 31, 45, 67, 216, 183, 123, 164, 118, 196, 23, 73, 236, 127, 12, 111, 246, 108, 161, 59, 82, 41, 157, 85, 170, 251, 96, 134, 177, 187, 204, 62, 90, 203, 89, 95, 176, 156, 169, 160, 81, 11, 245, 22, 235, 122, 117, 44, 215, 79, 174, 213, 233, 230, 231, 173, 232, 116, 214, 244, 234, 168, 80, 88, 175 };
-
-/**
- * Masks needed for the computation of 16 mult in GF(2^M)
- */
-#define CONST256_MR0 _mm256_set1_epi64x((long long) 0x0100010001000100)
-#define CONST256_LASTMASK _mm256_set1_epi64x((long long) 0x00ff00ff00ff00ff)
-#define CONST128_MASKL _mm_set1_epi64x((long long) 0x0000ffff0000ffff)
-#define CONST128_MASKH _mm_set1_epi64x((long long) 0xffff0000ffff0000)
-#define CONST128_MIDDLEMASKL _mm_set1_epi64x((long long) 0x000000000000ffff)
-#define CONST128_MIDDLEMASKH _mm_set1_epi64x((long long) 0x0000ffff00000000)
-#define CONST128_INDEXH _mm_set_epi64x((long long) 0x0d0c090805040100, (long long) 0xffffffffffffffff)
-#define CONST128_INDEXL _mm_set_epi64x((long long) 0xffffffffffffffff, (long long) 0x0d0c090805040100)
-
-/**
- * x^i modulo x^8+x^4+x^3+x^2+1 duplicate 4 times to fit a 256-bit register
- */
-static const __m256i red[7] = {
- {0x001d001d001d001dUL, 0x001d001d001d001dUL, 0x001d001d001d001dUL, 0x001d001d001d001dUL},
- {0x003a003a003a003aUL, 0x003a003a003a003aUL, 0x003a003a003a003aUL, 0x003a003a003a003aUL},
- {0x0074007400740074UL, 0x0074007400740074UL, 0x0074007400740074UL, 0x0074007400740074UL},
- {0x00e800e800e800e8UL, 0x00e800e800e800e8UL, 0x00e800e800e800e8UL, 0x00e800e800e800e8UL},
- {0x00cd00cd00cd00cdUL, 0x00cd00cd00cd00cdUL, 0x00cd00cd00cd00cdUL, 0x00cd00cd00cd00cdUL},
- {0x0087008700870087UL, 0x0087008700870087UL, 0x0087008700870087UL, 0x0087008700870087UL},
- {0x0013001300130013UL, 0x0013001300130013UL, 0x0013001300130013UL, 0x0013001300130013UL},
-
-};
-
-
-uint16_t PQCLEAN_HQCRMRS256_AVX2_gf_mul(uint16_t a, uint16_t b);
-
-__m256i PQCLEAN_HQCRMRS256_AVX2_gf_mul_vect(__m256i a, __m256i b);
-
-uint16_t PQCLEAN_HQCRMRS256_AVX2_gf_square(uint16_t a);
-
-uint16_t PQCLEAN_HQCRMRS256_AVX2_gf_inverse(uint16_t a);
-
-uint16_t PQCLEAN_HQCRMRS256_AVX2_gf_mod(uint16_t i);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-256/avx2/gf2x.c b/crypto_kem/hqc-rmrs-256/avx2/gf2x.c
deleted file mode 100644
index 2d3ac6d6..00000000
--- a/crypto_kem/hqc-rmrs-256/avx2/gf2x.c
+++ /dev/null
@@ -1,603 +0,0 @@ -#include "gf2x.h" -#include "parameters.h" -#include -#include -#include -/** - * \file gf2x.c - * \brief AVX2 implementation of multiplication of two polynomials - */ - - - -//Parameters for Toom-Cook and UB_Karatsuba -#define T_TM3R_3W (PARAM_N_MULT / 3) -#define T_TM3R (PARAM_N_MULT + 384) -#define tTM3R ((T_TM3R) / 64) -#define T_TM3R_3W_256 ((T_TM3R_3W + 128) / (256)) -#define T_TM3R_3W_64 (T_TM3R_3W_256 << 2) - -#define T_5W 4096 -#define T_5W_256 (T_5W >> 8) - -#define T2_5W_256 (2 * T_5W_256) -#define t5 (5 * T_5W / 64) - -static inline void reduce(uint64_t *o, const __m256i *a); -static inline void karat_mult_1(__m128i *C, const __m128i *A, const __m128i *B); -static inline void karat_mult_2(__m256i *C, const __m256i *A, const __m256i *B); -static inline void karat_mult_4(__m256i *C, const __m256i *A, const __m256i *B); -static inline void karat_mult_8(__m256i *C, const __m256i *A, const __m256i *B); -static inline void karat_mult_16(__m256i *C, const __m256i *A, const __m256i *B); -static inline void karat_mult5(__m256i *C, const __m256i *A, const __m256i *B); -static inline void divide_by_x_plus_one_256(__m256i *in, __m256i *out, int32_t size); -static void toom_3_mult(uint64_t *Out, const aligned_vec_t *A, const aligned_vec_t *B); - - -/** - * @brief Compute o(x) = a(x) mod \f$ X^n - 1\f$ - * - * This function computes the modular reduction of the polynomial a(x) - * - * @param[out] o Pointer to the result - * @param[in] a Pointer to the polynomial a(x) - */ -static inline void reduce(uint64_t *o, const __m256i *a256) { - size_t i, i2; - __m256i r256, carry256; - __m256i *o256 = (__m256i *)o; - const uint64_t *a64 = (const uint64_t *)a256; - uint64_t r, carry; - - i2 = 0; - for (i = (PARAM_N >> 6); i < (PARAM_N >> 5) - 4; i += 4) { - r256 = _mm256_lddqu_si256((const __m256i *) (& a64[i])); - r256 = _mm256_srli_epi64(r256, PARAM_N & 63); - carry256 = _mm256_lddqu_si256((const __m256i *) (& a64[i + 1])); - carry256 = 
_mm256_slli_epi64(carry256, (-PARAM_N) & 63); - r256 ^= carry256; - _mm256_storeu_si256(&o256[i2], a256[i2] ^ r256); - i2 += 1; - } - - i = i - (PARAM_N >> 6); - for (; i < (PARAM_N >> 6) + 1; i++) { - r = a64[i + (PARAM_N >> 6)] >> (PARAM_N & 63); - carry = a64[i + (PARAM_N >> 6) + 1] << ((-PARAM_N) & 63); - r ^= carry; - o[i] = a64[i] ^ r; - } - - o[PARAM_N >> 6] &= RED_MASK; -} - - - -/** - * @brief Compute C(x) = A(x)*B(x) - * A(x) and B(x) are stored in 128-bit registers - * This function computes A(x)*B(x) using Karatsuba - * - * @param[out] C Pointer to the result - * @param[in] A Pointer to the polynomial A(x) - * @param[in] B Pointer to the polynomial B(x) - */ -static inline void karat_mult_1(__m128i *C, const __m128i *A, const __m128i *B) { - __m128i D1[2]; - __m128i D0[2], D2[2]; - __m128i Al = _mm_loadu_si128(A); - __m128i Ah = _mm_loadu_si128(A + 1); - __m128i Bl = _mm_loadu_si128(B); - __m128i Bh = _mm_loadu_si128(B + 1); - - // Compute Al.Bl=D0 - __m128i DD0 = _mm_clmulepi64_si128(Al, Bl, 0); - __m128i DD2 = _mm_clmulepi64_si128(Al, Bl, 0x11); - __m128i AAlpAAh = _mm_xor_si128(Al, _mm_shuffle_epi32(Al, 0x4e)); - __m128i BBlpBBh = _mm_xor_si128(Bl, _mm_shuffle_epi32(Bl, 0x4e)); - __m128i DD1 = _mm_xor_si128(_mm_xor_si128(DD0, DD2), _mm_clmulepi64_si128(AAlpAAh, BBlpBBh, 0)); - D0[0] = _mm_xor_si128(DD0, _mm_unpacklo_epi64(_mm_setzero_si128(), DD1)); - D0[1] = _mm_xor_si128(DD2, _mm_unpackhi_epi64(DD1, _mm_setzero_si128())); - - // Compute Ah.Bh=D2 - DD0 = _mm_clmulepi64_si128(Ah, Bh, 0); - DD2 = _mm_clmulepi64_si128(Ah, Bh, 0x11); - AAlpAAh = _mm_xor_si128(Ah, _mm_shuffle_epi32(Ah, 0x4e)); - BBlpBBh = _mm_xor_si128(Bh, _mm_shuffle_epi32(Bh, 0x4e)); - DD1 = _mm_xor_si128(_mm_xor_si128(DD0, DD2), _mm_clmulepi64_si128(AAlpAAh, BBlpBBh, 0)); - D2[0] = _mm_xor_si128(DD0, _mm_unpacklo_epi64(_mm_setzero_si128(), DD1)); - D2[1] = _mm_xor_si128(DD2, _mm_unpackhi_epi64(DD1, _mm_setzero_si128())); - - // Compute AlpAh.BlpBh=D1 - // Initialisation of AlpAh and 
BlpBh - __m128i AlpAh = _mm_xor_si128(Al, Ah); - __m128i BlpBh = _mm_xor_si128(Bl, Bh); - DD0 = _mm_clmulepi64_si128(AlpAh, BlpBh, 0); - DD2 = _mm_clmulepi64_si128(AlpAh, BlpBh, 0x11); - AAlpAAh = _mm_xor_si128(AlpAh, _mm_shuffle_epi32(AlpAh, 0x4e)); - BBlpBBh = _mm_xor_si128(BlpBh, _mm_shuffle_epi32(BlpBh, 0x4e)); - DD1 = _mm_xor_si128(_mm_xor_si128(DD0, DD2), _mm_clmulepi64_si128(AAlpAAh, BBlpBBh, 0)); - D1[0] = _mm_xor_si128(DD0, _mm_unpacklo_epi64(_mm_setzero_si128(), DD1)); - D1[1] = _mm_xor_si128(DD2, _mm_unpackhi_epi64(DD1, _mm_setzero_si128())); - - // Final comutation of C - __m128i middle = _mm_xor_si128(D0[1], D2[0]); - C[0] = D0[0]; - C[1] = middle ^ D0[0] ^ D1[0]; - C[2] = middle ^ D1[1] ^ D2[1]; - C[3] = D2[1]; -} - - - -/** - * @brief Compute C(x) = A(x)*B(x) - * - * This function computes A(x)*B(x) using Karatsuba - * A(x) and B(x) are stored in 256-bit registers - * @param[out] C Pointer to the result - * @param[in] A Pointer to the polynomial A(x) - * @param[in] B Pointer to the polynomial B(x) - */ -static inline void karat_mult_2(__m256i *C, const __m256i *A, const __m256i *B) { - __m256i D0[2], D1[2], D2[2], SAA, SBB; - const __m128i *A128 = (const __m128i *)A; - const __m128i *B128 = (const __m128i *)B; - __m256i middle; - - karat_mult_1((__m128i *) D0, A128, B128); - karat_mult_1((__m128i *) D2, A128 + 2, B128 + 2); - - SAA = A[0] ^ A[1]; - SBB = B[0] ^ B[1]; - karat_mult_1((__m128i *) D1, (__m128i *) &SAA, (__m128i *) &SBB); - middle = _mm256_xor_si256(D0[1], D2[0]); - - C[0] = D0[0]; - C[1] = middle ^ D0[0] ^ D1[0]; - C[2] = middle ^ D1[1] ^ D2[1]; - C[3] = D2[1]; -} - - -/** - * @brief Compute C(x) = A(x)*B(x) - * - * This function computes A(x)*B(x) using Karatsuba - * A(x) and B(x) are stored in 256-bit registers - * @param[out] C Pointer to the result - * @param[in] A Pointer to the polynomial A(x) - * @param[in] B Pointer to the polynomial B(x) - */ -static inline void karat_mult_4(__m256i *C, const __m256i *A, const __m256i *B) { - 
__m256i D0[4], D1[4], D2[4], SAA[2], SBB[2]; - __m256i middle0; - __m256i middle1; - - karat_mult_2(D0, A, B); - karat_mult_2(D2, A + 2, B + 2); - - SAA[0] = A[0] ^ A[2]; - SBB[0] = B[0] ^ B[2]; - SAA[1] = A[1] ^ A[3]; - SBB[1] = B[1] ^ B[3]; - - karat_mult_2(D1, SAA, SBB); - - middle0 = _mm256_xor_si256(D0[2], D2[0]); - middle1 = _mm256_xor_si256(D0[3], D2[1]); - - C[0] = D0[0]; - C[1] = D0[1]; - C[2] = middle0 ^ D0[0] ^ D1[0]; - C[3] = middle1 ^ D0[1] ^ D1[1]; - C[4] = middle0 ^ D1[2] ^ D2[2]; - C[5] = middle1 ^ D1[3] ^ D2[3]; - C[6] = D2[2]; - C[7] = D2[3]; -} - - - -/** - * @brief Compute C(x) = A(x)*B(x) - * - * This function computes A(x)*B(x) using Karatsuba - * A(x) and B(x) are stored in 256-bit registers - * @param[out] C Pointer to the result - * @param[in] A Pointer to the polynomial A(x) - * @param[in] B Pointer to the polynomial B(x) - */ -static inline void karat_mult_8(__m256i *C, const __m256i *A, const __m256i *B) { - size_t i, is, is2, is3; - __m256i D0[8], D1[8], D2[8], SAA[4], SBB[4]; - __m256i middle; - - karat_mult_4(D0, A, B); - karat_mult_4(D2, A + 4, B + 4); - - for (i = 0; i < 4; i++) { - is = i + 4; - SAA[i] = A[i] ^ A[is]; - SBB[i] = B[i] ^ B[is]; - } - - karat_mult_4(D1, SAA, SBB); - - for (i = 0; i < 4; i++) { - is = i + 4; - is2 = is + 4; - is3 = is2 + 4; - - middle = _mm256_xor_si256(D0[is], D2[i]); - - C[i] = D0[i]; - C[is] = middle ^ D0[i] ^ D1[i]; - C[is2] = middle ^ D1[is] ^ D2[is]; - C[is3] = D2[is]; - } -} - - - -/** - * @brief Compute C(x) = A(x)*B(x) - * - * This function computes A(x)*B(x) using Karatsuba - * A(x) and B(x) are stored in 256-bit registers - * @param[out] C Pointer to the result - * @param[in] A Pointer to the polynomial A(x) - * @param[in] B Pointer to the polynomial B(x) - */ -inline static void karat_mult_16(__m256i *C, const __m256i *A, const __m256i *B) { - size_t i, is, is2, is3; - __m256i middle; - __m256i D0[16], D1[16], D2[16], SAA[8], SBB[8]; - - karat_mult_8(D0, A, B); - karat_mult_8(D2, A + 8, B + 
8); - - for (i = 0; i < 8; i++) { - is = i + 8; - SAA[i] = A[i] ^ A[is]; - SBB[i] = B[i] ^ B[is]; - } - - karat_mult_8(D1, SAA, SBB); - - for (i = 0; i < 8; i++) { - is = i + 8; - is2 = is + 8; - is3 = is2 + 8; - - middle = D0[is] ^ D2[i]; - - C[i] = D0[i]; - C[is] = middle ^ D0[i] ^ D1[i]; - C[is2] = middle ^ D1[is] ^ D2[is]; - C[is3] = D2[is]; - } -} - - -/** - * @brief Compute C(x) = A(x)*B(x) - * - * This function computes A(x)*B(x) using Karatsuba - * A(x) and B(x) are stored in 256-bit registers - * @param[out] C Pointer to the result - * @param[in] A Pointer to the polynomial A(x) - * @param[in] B Pointer to the polynomial B(x) - */ -static inline void karat_mult5(__m256i *C, const __m256i *A, const __m256i *B) { - const __m256i *a0, *b0, *a1, *b1, *a2, *b2, * a3, * b3, *a4, *b4; - - __m256i aa01[T_5W_256], bb01[T_5W_256], aa02[T_5W_256], bb02[T_5W_256], aa03[T_5W_256], bb03[T_5W_256], aa04[T_5W_256], bb04[T_5W_256], - aa12[T_5W_256], bb12[T_5W_256], aa13[T_5W_256], bb13[T_5W_256], aa14[T_5W_256], bb14[T_5W_256], - aa23[T_5W_256], bb23[T_5W_256], aa24[T_5W_256], bb24[T_5W_256], - aa34[T_5W_256], bb34[T_5W_256]; - - __m256i D0[T2_5W_256], D1[T2_5W_256], D2[T2_5W_256], D3[T2_5W_256], D4[T2_5W_256], - D01[T2_5W_256], D02[T2_5W_256], D03[T2_5W_256], D04[T2_5W_256], - D12[T2_5W_256], D13[T2_5W_256], D14[T2_5W_256], - D23[T2_5W_256], D24[T2_5W_256], - D34[T2_5W_256]; - - __m256i ro256[t5 >> 1]; - - a0 = A; - a1 = a0 + T_5W_256; - a2 = a1 + T_5W_256; - a3 = a2 + T_5W_256; - a4 = a3 + T_5W_256; - b0 = B; - b1 = b0 + T_5W_256; - b2 = b1 + T_5W_256; - b3 = b2 + T_5W_256; - b4 = b3 + T_5W_256; - - for (int32_t i = 0; i < T_5W_256; i++) { - aa01[i] = a0[i] ^ a1[i]; - bb01[i] = b0[i] ^ b1[i]; - - aa02[i] = a0[i] ^ a2[i]; - bb02[i] = b0[i] ^ b2[i]; - - aa03[i] = a0[i] ^ a3[i]; - bb03[i] = b0[i] ^ b3[i]; - - aa04[i] = a0[i] ^ a4[i]; - bb04[i] = b0[i] ^ b4[i]; - - aa12[i] = a2[i] ^ a1[i]; - bb12[i] = b2[i] ^ b1[i]; - - aa13[i] = a3[i] ^ a1[i]; - bb13[i] = b3[i] ^ b1[i]; - - 
aa14[i] = a4[i] ^ a1[i]; - bb14[i] = b4[i] ^ b1[i]; - - aa23[i] = a2[i] ^ a3[i]; - bb23[i] = b2[i] ^ b3[i]; - - aa24[i] = a2[i] ^ a4[i]; - bb24[i] = b2[i] ^ b4[i]; - - aa34[i] = a3[i] ^ a4[i]; - bb34[i] = b3[i] ^ b4[i]; - } - - karat_mult_16(D0, a0, b0); - karat_mult_16(D1, a1, b1); - karat_mult_16(D2, a2, b2); - karat_mult_16(D3, a3, b3); - karat_mult_16(D4, a4, b4); - - karat_mult_16(D01, aa01, bb01); - karat_mult_16(D02, aa02, bb02); - karat_mult_16(D03, aa03, bb03); - karat_mult_16(D04, aa04, bb04); - - karat_mult_16(D12, aa12, bb12); - karat_mult_16(D13, aa13, bb13); - karat_mult_16(D14, aa14, bb14); - - karat_mult_16(D23, aa23, bb23); - karat_mult_16(D24, aa24, bb24); - - karat_mult_16(D34, aa34, bb34); - - for (int32_t i = 0; i < T_5W_256; i++) { - ro256[i] = D0[i]; - ro256[i + T_5W_256] = D0[i + T_5W_256] ^ D01[i] ^ D0[i] ^ D1[i]; - ro256[i + 2 * T_5W_256] = D1[i] ^ D02[i] ^ D0[i] ^ D2[i] ^ D01[i + T_5W_256] ^ D0[i + T_5W_256] ^ D1[i + T_5W_256]; - ro256[i + 3 * T_5W_256] = D1[i + T_5W_256] ^ D03[i] ^ D0[i] ^ D3[i] ^ D12[i] ^ D1[i] ^ D2[i] ^ D02[i + T_5W_256] ^ D0[i + T_5W_256] ^ D2[i + T_5W_256]; - ro256[i + 4 * T_5W_256] = D2[i] ^ D04[i] ^ D0[i] ^ D4[i] ^ D13[i] ^ D1[i] ^ D3[i] ^ D03[i + T_5W_256] ^ D0[i + T_5W_256] ^ D3[i + T_5W_256] ^ D12[i + T_5W_256] ^ D1[i + T_5W_256] ^ D2[i + T_5W_256]; - ro256[i + 5 * T_5W_256] = D2[i + T_5W_256] ^ D14[i] ^ D1[i] ^ D4[i] ^ D23[i] ^ D2[i] ^ D3[i] ^ D04[i + T_5W_256] ^ D0[i + T_5W_256] ^ D4[i + T_5W_256] ^ D13[i + T_5W_256] ^ D1[i + T_5W_256] ^ D3[i + T_5W_256]; - ro256[i + 6 * T_5W_256] = D3[i] ^ D24[i] ^ D2[i] ^ D4[i] ^ D14[i + T_5W_256] ^ D1[i + T_5W_256] ^ D4[i + T_5W_256] ^ D23[i + T_5W_256] ^ D2[i + T_5W_256] ^ D3[i + T_5W_256]; - ro256[i + 7 * T_5W_256] = D3[i + T_5W_256] ^ D34[i] ^ D3[i] ^ D4[i] ^ D24[i + T_5W_256] ^ D2[i + T_5W_256] ^ D4[i + T_5W_256]; - ro256[i + 8 * T_5W_256] = D4[i] ^ D34[i + T_5W_256] ^ D3[i + T_5W_256] ^ D4[i + T_5W_256]; - ro256[i + 9 * T_5W_256] = D4[i + T_5W_256]; - } - - for 
(int32_t i = 0; i < T_5W_256 * 10; i++) { - C[i] = ro256[i]; - } -} - - - -/** - * @brief Compute B(x) = A(x)/(x+1) - * - * This function computes A(x)/(x+1) using a Quercia like algorithm - * @param[out] out Pointer to the result - * @param[in] in Pointer to the polynomial A(x) - * @param[in] size used to define the number of coeeficients of A - */ -inline static void divide_by_x_plus_one_256(__m256i *in, __m256i *out, int32_t size) { - out[0] = in[0]; - for (int32_t i = 1; i < 2 * (size + 2); i++) { - out[i] = out[i - 1] ^ in[i]; - } -} - - - -/** - * @brief Compute C(x) = A(x)*B(x) using TOOM3Mult with recursive call - * - * This function computes A(x)*B(x) using recursive TOOM-COOK3 Multiplication - * @param[out] Out Pointer to the result - * @param[in] A Pointer to the polynomial A(x) - * @param[in] B Pointer to the polynomial B(x) - */ -static void toom_3_mult(uint64_t *Out, const aligned_vec_t *A, const aligned_vec_t *B) { - __m256i U0[T_TM3R_3W_256 + 2], V0[T_TM3R_3W_256 + 2], U1[T_TM3R_3W_256 + 2], V1[T_TM3R_3W_256 + 2], U2[T_TM3R_3W_256 + 2], V2[T_TM3R_3W_256 + 2]; - __m256i W0[2 * (T_TM3R_3W_256 + 2)], W1[2 * (T_TM3R_3W_256 + 2)], W2[2 * (T_TM3R_3W_256 + 2)], W3[2 * (T_TM3R_3W_256 + 2)], W4[2 * (T_TM3R_3W_256 + 2)]; - __m256i tmp[2 * (T_TM3R_3W_256 + 2) + 3]; - __m256i ro256[tTM3R / 2]; - const __m256i zero = {0ul, 0ul, 0ul, 0ul}; - int32_t T2 = T_TM3R_3W_64 << 1; - - for (int32_t i = 0; i < T_TM3R_3W_256; i++) { - int32_t i4 = i << 2; - U0[i] = _mm256_lddqu_si256((__m256i const *)(&A->arr64[i4])); - V0[i] = _mm256_lddqu_si256((__m256i const *)(&B->arr64[i4])); - U1[i] = _mm256_lddqu_si256((__m256i const *)(&A->arr64[i4 + T_TM3R_3W_64])); - V1[i] = _mm256_lddqu_si256((__m256i const *)(&B->arr64[i4 + T_TM3R_3W_64])); - U2[i] = _mm256_lddqu_si256((__m256i const *)(&A->arr64[i4 + T2])); - V2[i] = _mm256_lddqu_si256((__m256i const *)(&B->arr64[i4 + T2])); - } - - for (int32_t i = T_TM3R_3W_256; i < T_TM3R_3W_256 + 2; i++) { - U0[i] = zero; - V0[i] = zero; - 
U1[i] = zero; - V1[i] = zero; - U2[i] = zero; - V2[i] = zero; - } - - // EVALUATION PHASE : x= X^256 - // P(X): P0=(0); P1=(1); P2=(x); P3=(1+x); P4=(\infty) - // Evaluation: 5*2 add, 2*2 shift; 5 mul (n) - //W3 = U2 + U1 + U0; W2 = V2 + V1 + V0 - - for (int32_t i = 0; i < T_TM3R_3W_256; i++) { - W3[i] = U0[i] ^ U1[i] ^ U2[i]; - W2[i] = V0[i] ^ V1[i] ^ V2[i]; - } - - for (int32_t i = T_TM3R_3W_256; i < T_TM3R_3W_256 + 2; i++) { - W2[i] = zero; - W3[i] = zero; - } - - //W1 = W2 * W3 - karat_mult5(W1, W2, W3); - - //W0 =(U1 + U2*x)*x; W4 =(V1 + V2*x)*x (SIZE = T_TM3_3W_256 + 2 !) - W0[0] = zero; - W4[0] = zero; - - W0[1] = U1[0]; - W4[1] = V1[0]; - - for (int32_t i = 1; i < T_TM3R_3W_256 + 1; i++) { - W0[i + 1] = U1[i] ^ U2[i - 1]; - W4[i + 1] = V1[i] ^ V2[i - 1]; - } - - W0[T_TM3R_3W_256 + 1] = U2[T_TM3R_3W_256 - 1]; - W4[T_TM3R_3W_256 + 1] = V2[T_TM3R_3W_256 - 1]; - - //W3 = W3 + W0 ; W2 = W2 + W4 - for (int32_t i = 0; i < T_TM3R_3W_256 + 2; i++) { - W3[i] ^= W0[i]; - W2[i] ^= W4[i]; - } - - //W0 = W0 + U0 ; W4 = W4 + V0 - for (int32_t i = 0; i < T_TM3R_3W_256 + 2; i++) { - W0[i] ^= U0[i]; - W4[i] ^= V0[i]; - } - - //W3 = W3 * W2 ; W2 = W0 * W4 - karat_mult5(tmp, W3, W2); - for (int32_t i = 0; i < 2 * (T_TM3R_3W_256 + 2); i++) { - W3[i] = tmp[i]; - } - - karat_mult5(W2, W0, W4); - - //W4 = U2 * V2 ; W0 = U0 * V0 - karat_mult5(W4, U2, V2); - karat_mult5(W0, U0, V0); - - //INTERPOLATION PHASE - //9 add, 1 shift, 1 Smul, 2 Sdiv (2n) - //W3 = W3 + W2 - for (int32_t i = 0; i < 2 * (T_TM3R_3W_256 + 2); i++) { - W3[i] ^= W2[i]; - } - - //W1 = W1 + W0 - for (int32_t i = 0; i < 2 * (T_TM3R_3W_256); i++) { - W1[i] ^= W0[i]; - } - - //W2 =(W2 + W0)/x - for (int32_t i = 0; i < 2 * (T_TM3R_3W_256 + 2) - 1; i++) { - int32_t i1 = i + 1; - W2[i] = W2[i1] ^ W0[i1]; - } - - W2[2 * (T_TM3R_3W_256 + 2) - 1] = zero; - - //W2 =(W2 + W3 + W4*(x^3+1))/(x+1) - for (int32_t i = 0; i < 2 * (T_TM3R_3W_256 + 2); i++) { - tmp[i] = W2[i] ^ W3[i] ^ W4[i]; - } - - tmp[2 * (T_TM3R_3W_256 + 2)] = 
zero; - tmp[2 * (T_TM3R_3W_256 + 2) + 1] = zero; - tmp[2 * (T_TM3R_3W_256 + 2) + 2] = zero; - - for (int32_t i = 0; i < 2 * (T_TM3R_3W_256); i++) { - tmp[i + 3] ^= W4[i]; - } - - divide_by_x_plus_one_256(tmp, W2, T_TM3R_3W_256); - - //W3 =(W3 + W1)/(x*(x+1)) - for (int32_t i = 0; i < 2 * (T_TM3R_3W_256 + 2) - 1; i++) { - int32_t i1 = i + 1; - tmp[i] = W3[i1] ^ W1[i1]; - } - - tmp[2 * (T_TM3R_3W_256 + 2) - 1] = (__m256i) { - 0ul, 0ul, 0ul, 0ul - }; - - divide_by_x_plus_one_256(tmp, W3, T_TM3R_3W_256); - - //W1 = W1 + W4 + W2 - for (int32_t i = 0; i < 2 * (T_TM3R_3W_256 + 2); i++) { - W1[i] ^= W2[i] ^ W4[i]; - } - - //W2 = W2 + W3 - for (int32_t i = 0; i < 2 * (T_TM3R_3W_256 + 2); i++) { - W2[i] ^= W3[i]; - } - - //Recomposition - //W = W0+ W1*x+ W2*x^2+ W3*x^3 + W4*x^4 - //Note that : W0, W1, W4 of size 2*T_TM3_3W_256, W2 and W3 of size 2*(T_TM3_3W_256+2) - for (int32_t i = 0; i < T_TM3R_3W_256; i++) { - ro256[i] = W0[i]; - ro256[i + T_TM3R_3W_256] = W0[i + T_TM3R_3W_256] ^ W1[i]; - ro256[i + 2 * T_TM3R_3W_256] = W1[i + T_TM3R_3W_256] ^ W2[i]; - ro256[i + 3 * T_TM3R_3W_256] = W2[i + T_TM3R_3W_256] ^ W3[i]; - ro256[i + 4 * T_TM3R_3W_256] = W3[i + T_TM3R_3W_256] ^ W4[i]; - ro256[i + 5 * T_TM3R_3W_256] = W4[i + T_TM3R_3W_256]; - } - - ro256[4 * T_TM3R_3W_256] ^= W2[2 * T_TM3R_3W_256]; - ro256[5 * T_TM3R_3W_256] ^= W3[2 * T_TM3R_3W_256]; - - ro256[1 + 4 * T_TM3R_3W_256] ^= W2[1 + 2 * T_TM3R_3W_256]; - ro256[1 + 5 * T_TM3R_3W_256] ^= W3[1 + 2 * T_TM3R_3W_256]; - - ro256[2 + 4 * T_TM3R_3W_256] ^= W2[2 + 2 * T_TM3R_3W_256]; - ro256[2 + 5 * T_TM3R_3W_256] ^= W3[2 + 2 * T_TM3R_3W_256]; - - ro256[3 + 4 * T_TM3R_3W_256] ^= W2[3 + 2 * T_TM3R_3W_256]; - ro256[3 + 5 * T_TM3R_3W_256] ^= W3[3 + 2 * T_TM3R_3W_256]; - - uint64_t *ro64 = (uint64_t *) ro256; - for (int32_t i = 0; i < VEC_N_256_SIZE_64 << 1; i++) { - Out[i] = ro64[i]; - } -} - - - -/** - * @brief Multiply two polynomials modulo \f$ X^n - 1\f$. 
- * - * This functions multiplies a dense polynomial a1 (of Hamming weight equal to weight) - * and a dense polynomial a2. The multiplication is done modulo \f$ X^n - 1\f$. - * - * @param[out] o Pointer to the result - * @param[in] a1 Pointer to a polynomial - * @param[in] a2 Pointer to a polynomial - */ -void PQCLEAN_HQCRMRS256_AVX2_vect_mul(uint64_t *o, const aligned_vec_t *a1, const aligned_vec_t *a2) { - __m256i a1_times_a2[VEC_N_256_SIZE_64 << 1] = {0}; - toom_3_mult((uint64_t *)a1_times_a2, a1, a2); - reduce(o, a1_times_a2); -} diff --git a/crypto_kem/hqc-rmrs-256/avx2/gf2x.h b/crypto_kem/hqc-rmrs-256/avx2/gf2x.h deleted file mode 100644 index 646f0778..00000000 --- a/crypto_kem/hqc-rmrs-256/avx2/gf2x.h +++ /dev/null @@ -1,21 +0,0 @@ -#ifndef GF2X_H -#define GF2X_H - - -/** - * @file gf2x.h - * @brief Header file for gf2x.c - */ -#include "parameters.h" -#include -#include - -typedef union { - uint64_t arr64[VEC_N_256_SIZE_64]; - __m256i dummy; -} aligned_vec_t; - -void PQCLEAN_HQCRMRS256_AVX2_vect_mul(uint64_t *o, const aligned_vec_t *a1, const aligned_vec_t *a2); - - -#endif diff --git a/crypto_kem/hqc-rmrs-256/avx2/hqc.c b/crypto_kem/hqc-rmrs-256/avx2/hqc.c deleted file mode 100644 index f096841c..00000000 --- a/crypto_kem/hqc-rmrs-256/avx2/hqc.c +++ /dev/null 
@@ -1,168 +0,0 @@ -#include "code.h" -#include "gf2x.h" -#include "hqc.h" -#include "nistseedexpander.h" -#include "parameters.h" -#include "parsing.h" -#include "randombytes.h" -#include "vector.h" -#include -#include -#include -/** - * @file hqc.c - * @brief Implementation of hqc.h - */ - - - -/** - * @brief Keygen of the HQC_PKE IND_CPA scheme - * - * The public key is composed of the syndrome s as well as the seed used to generate the vector h. - * - * The secret key is composed of the seed used to generate vectors x and y. - * As a technicality, the public key is appended to the secret key in order to respect NIST API. - * - * @param[out] pk String containing the public key - * @param[out] sk String containing the secret key - */ -void PQCLEAN_HQCRMRS256_AVX2_hqc_pke_keygen(unsigned char *pk, unsigned char *sk) { - AES_XOF_struct sk_seedexpander; - AES_XOF_struct pk_seedexpander; - uint8_t sk_seed[SEED_BYTES] = {0}; - uint8_t pk_seed[SEED_BYTES] = {0}; - aligned_vec_t vx = {0}; - uint64_t *x = vx.arr64; - aligned_vec_t vy = {0}; - uint64_t *y = vy.arr64; - aligned_vec_t vh = {0}; - uint64_t *h = vh.arr64; - aligned_vec_t vs = {0}; - uint64_t *s = vs.arr64; - aligned_vec_t vtmp = {0}; - uint64_t *tmp = vtmp.arr64; - - // Create seed_expanders for public key and secret key - randombytes(sk_seed, SEED_BYTES); - seedexpander_init(&sk_seedexpander, sk_seed, sk_seed + 32, SEEDEXPANDER_MAX_LENGTH); - - randombytes(pk_seed, SEED_BYTES); - seedexpander_init(&pk_seedexpander, pk_seed, pk_seed + 32, SEEDEXPANDER_MAX_LENGTH); - - // Compute secret key - PQCLEAN_HQCRMRS256_AVX2_vect_set_random_fixed_weight(&sk_seedexpander, x, PARAM_OMEGA); - PQCLEAN_HQCRMRS256_AVX2_vect_set_random_fixed_weight(&sk_seedexpander, y, PARAM_OMEGA); - - // Compute public key - PQCLEAN_HQCRMRS256_AVX2_vect_set_random(&pk_seedexpander, h); - PQCLEAN_HQCRMRS256_AVX2_vect_mul(tmp, &vy, &vh); - PQCLEAN_HQCRMRS256_AVX2_vect_add(s, x, tmp, VEC_N_256_SIZE_64); - - // Parse keys to string - 
PQCLEAN_HQCRMRS256_AVX2_hqc_public_key_to_string(pk, pk_seed, s); - PQCLEAN_HQCRMRS256_AVX2_hqc_secret_key_to_string(sk, sk_seed, pk); - -} - - - -/** - * @brief Encryption of the HQC_PKE IND_CPA scheme - * - * The cihertext is composed of vectors u and v. - * - * @param[out] u Vector u (first part of the ciphertext) - * @param[out] v Vector v (second part of the ciphertext) - * @param[in] m Vector representing the message to encrypt - * @param[in] theta Seed used to derive randomness required for encryption - * @param[in] pk String containing the public key - */ -void PQCLEAN_HQCRMRS256_AVX2_hqc_pke_encrypt(uint64_t *u, uint64_t *v, uint8_t *m, unsigned char *theta, const unsigned char *pk) { - AES_XOF_struct seedexpander; - aligned_vec_t vh = {0}; - uint64_t *h = vh.arr64; - aligned_vec_t vs = {0}; - uint64_t *s = vs.arr64; - aligned_vec_t vr1 = {0}; - uint64_t *r1 = vr1.arr64; - aligned_vec_t vr2 = {0}; - uint64_t *r2 = vr2.arr64; - aligned_vec_t ve = {0}; - uint64_t *e = ve.arr64; - aligned_vec_t vtmp1 = {0}; - uint64_t *tmp1 = vtmp1.arr64; - aligned_vec_t vtmp2 = {0}; - uint64_t *tmp2 = vtmp2.arr64; - aligned_vec_t vtmp3 = {0}; - uint64_t *tmp3 = vtmp3.arr64; - - // Create seed_expander from theta - seedexpander_init(&seedexpander, theta, theta + 32, SEEDEXPANDER_MAX_LENGTH); - - // Retrieve h and s from public key - PQCLEAN_HQCRMRS256_AVX2_hqc_public_key_from_string(h, s, pk); - - // Generate r1, r2 and e - PQCLEAN_HQCRMRS256_AVX2_vect_set_random_fixed_weight(&seedexpander, r1, PARAM_OMEGA_R); - PQCLEAN_HQCRMRS256_AVX2_vect_set_random_fixed_weight(&seedexpander, r2, PARAM_OMEGA_R); - PQCLEAN_HQCRMRS256_AVX2_vect_set_random_fixed_weight(&seedexpander, e, PARAM_OMEGA_E); - - - - // Compute u = r1 + r2.h - PQCLEAN_HQCRMRS256_AVX2_vect_mul(tmp1, &vr2, &vh); - PQCLEAN_HQCRMRS256_AVX2_vect_add(u, r1, tmp1, VEC_N_256_SIZE_64); - - // Compute v = m.G by encoding the message - PQCLEAN_HQCRMRS256_AVX2_code_encode((uint8_t *)v, m); - PQCLEAN_HQCRMRS256_AVX2_load8_arr(v, 
VEC_N1N2_256_SIZE_64, (uint8_t *)v, VEC_N1N2_SIZE_BYTES); - PQCLEAN_HQCRMRS256_AVX2_vect_resize(tmp1, PARAM_N, v, PARAM_N1N2); - - // Compute v = m.G + s.r2 + e - PQCLEAN_HQCRMRS256_AVX2_vect_mul(tmp2, &vr2, &vs); - PQCLEAN_HQCRMRS256_AVX2_vect_add(tmp3, e, tmp2, VEC_N_256_SIZE_64); - PQCLEAN_HQCRMRS256_AVX2_vect_add(tmp2, tmp1, tmp3, VEC_N_256_SIZE_64); - PQCLEAN_HQCRMRS256_AVX2_vect_resize(v, PARAM_N1N2, tmp2, PARAM_N); - -} - - - -/** - * @brief Decryption of the HQC_PKE IND_CPA scheme - * - * @param[out] m Vector representing the decrypted message - * @param[in] u Vector u (first part of the ciphertext) - * @param[in] v Vector v (second part of the ciphertext) - * @param[in] sk String containing the secret key - */ -void PQCLEAN_HQCRMRS256_AVX2_hqc_pke_decrypt(uint8_t *m, const uint64_t *u, const uint64_t *v, const unsigned char *sk) { - uint8_t pk[PUBLIC_KEY_BYTES] = {0}; - aligned_vec_t vx = {0}; - uint64_t *x = vx.arr64; - aligned_vec_t vy = {0}; - uint64_t *y = vy.arr64; - aligned_vec_t vtmp1 = {0}; - uint64_t *tmp1 = vtmp1.arr64; - aligned_vec_t vtmp2 = {0}; - uint64_t *tmp2 = vtmp2.arr64; - aligned_vec_t vtmp3 = {0}; - uint64_t *tmp3 = vtmp3.arr64; - - // Retrieve x, y, pk from secret key - PQCLEAN_HQCRMRS256_AVX2_hqc_secret_key_from_string(x, y, pk, sk); - - // Compute v - u.y - PQCLEAN_HQCRMRS256_AVX2_vect_resize(tmp1, PARAM_N, v, PARAM_N1N2); - for (size_t i = 0; i < VEC_N_256_SIZE_64; i++) { - tmp2[i] = u[i]; - } - PQCLEAN_HQCRMRS256_AVX2_vect_mul(tmp3, &vy, &vtmp2); - PQCLEAN_HQCRMRS256_AVX2_vect_add(tmp2, tmp1, tmp3, VEC_N_256_SIZE_64); - - - // Compute m by decoding v - u.y - PQCLEAN_HQCRMRS256_AVX2_store8_arr((uint8_t *)tmp1, VEC_N_SIZE_BYTES, tmp2, VEC_N_256_SIZE_64); - PQCLEAN_HQCRMRS256_AVX2_code_decode(m, (uint8_t *)tmp1); -} diff --git a/crypto_kem/hqc-rmrs-256/avx2/hqc.h b/crypto_kem/hqc-rmrs-256/avx2/hqc.h deleted file mode 100644 index e6466a37..00000000 --- a/crypto_kem/hqc-rmrs-256/avx2/hqc.h +++ /dev/null 
@@ -1,19 +0,0 @@ -#ifndef HQC_H -#define HQC_H - - -/** - * @file hqc.h - * @brief Functions of the HQC_PKE IND_CPA scheme - */ - -#include - -void PQCLEAN_HQCRMRS256_AVX2_hqc_pke_keygen(unsigned char *pk, unsigned char *sk); - -void PQCLEAN_HQCRMRS256_AVX2_hqc_pke_encrypt(uint64_t *u, uint64_t *v, uint8_t *m, unsigned char *theta, const unsigned char *pk); - -void PQCLEAN_HQCRMRS256_AVX2_hqc_pke_decrypt(uint8_t *m, const uint64_t *u, const uint64_t *v, const unsigned char *sk); - - -#endif diff --git a/crypto_kem/hqc-rmrs-256/avx2/kem.c b/crypto_kem/hqc-rmrs-256/avx2/kem.c deleted file mode 100644 index 459a7374..00000000 --- a/crypto_kem/hqc-rmrs-256/avx2/kem.c +++ /dev/null 
@@ -1,140 +0,0 @@ -#include "api.h" -#include "fips202.h" -#include "hqc.h" -#include "nistseedexpander.h" -#include "parameters.h" -#include "parsing.h" -#include "randombytes.h" -#include "sha2.h" -#include "vector.h" -#include -#include -/** - * @file kem.c - * @brief Implementation of api.h - */ - - - -/** - * @brief Keygen of the HQC_KEM IND_CAA2 scheme - * - * The public key is composed of the syndrome s as well as the seed used to generate the vector h. - * - * The secret key is composed of the seed used to generate vectors x and y. - * As a technicality, the public key is appended to the secret key in order to respect NIST API. - * - * @param[out] pk String containing the public key - * @param[out] sk String containing the secret key - * @returns 0 if keygen is successful - */ -int PQCLEAN_HQCRMRS256_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { - - PQCLEAN_HQCRMRS256_AVX2_hqc_pke_keygen(pk, sk); - return 0; -} - - - -/** - * @brief Encapsulation of the HQC_KEM IND_CAA2 scheme - * - * @param[out] ct String containing the ciphertext - * @param[out] ss String containing the shared secret - * @param[in] pk String containing the public key - * @returns 0 if encapsulation is successful - */ -int PQCLEAN_HQCRMRS256_AVX2_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) { - - uint8_t theta[SHA512_BYTES] = {0}; - uint8_t m[VEC_K_SIZE_BYTES] = {0}; - static uint64_t u[VEC_N_256_SIZE_64] = {0}; - uint64_t v[VEC_N1N2_256_SIZE_64] = {0}; - unsigned char d[SHA512_BYTES] = {0}; - unsigned char mc[VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES] = {0}; - - // Computing m - randombytes(m, VEC_K_SIZE_BYTES); - - // Computing theta - sha3_512(theta, m, VEC_K_SIZE_BYTES); - - // Encrypting m - PQCLEAN_HQCRMRS256_AVX2_hqc_pke_encrypt(u, v, m, theta, pk); - - // Computing d - sha512(d, m, VEC_K_SIZE_BYTES); - - // Computing shared secret - memcpy(mc, m, VEC_K_SIZE_BYTES); - PQCLEAN_HQCRMRS256_AVX2_store8_arr(mc + 
VEC_K_SIZE_BYTES, VEC_N_SIZE_BYTES, u, VEC_N_SIZE_64); - PQCLEAN_HQCRMRS256_AVX2_store8_arr(mc + VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES, VEC_N1N2_SIZE_BYTES, v, VEC_N1N2_SIZE_64); - sha512(ss, mc, VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES); - - // Computing ciphertext - PQCLEAN_HQCRMRS256_AVX2_hqc_ciphertext_to_string(ct, u, v, d); - - - return 0; -} - - - -/** - * @brief Decapsulation of the HQC_KEM IND_CAA2 scheme - * - * @param[out] ss String containing the shared secret - * @param[in] ct String containing the cipĥertext - * @param[in] sk String containing the secret key - * @returns 0 if decapsulation is successful, -1 otherwise - */ -int PQCLEAN_HQCRMRS256_AVX2_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) { - - uint8_t result; - uint64_t u[VEC_N_256_SIZE_64] = {0}; - uint64_t v[VEC_N1N2_256_SIZE_64] = {0}; - unsigned char d[SHA512_BYTES] = {0}; - unsigned char pk[PUBLIC_KEY_BYTES] = {0}; - uint8_t m[VEC_K_SIZE_BYTES] = {0}; - uint8_t theta[SHA512_BYTES] = {0}; - uint64_t u2[VEC_N_256_SIZE_64] = {0}; - uint64_t v2[VEC_N1N2_256_SIZE_64] = {0}; - unsigned char d2[SHA512_BYTES] = {0}; - unsigned char mc[VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES] = {0}; - - // Retrieving u, v and d from ciphertext - PQCLEAN_HQCRMRS256_AVX2_hqc_ciphertext_from_string(u, v, d, ct); - - // Retrieving pk from sk - memcpy(pk, sk + SEED_BYTES, PUBLIC_KEY_BYTES); - - // Decryting - PQCLEAN_HQCRMRS256_AVX2_hqc_pke_decrypt(m, u, v, sk); - - // Computing theta - sha3_512(theta, m, VEC_K_SIZE_BYTES); - - // Encrypting m' - PQCLEAN_HQCRMRS256_AVX2_hqc_pke_encrypt(u2, v2, m, theta, pk); - - // Computing d' - sha512(d2, m, VEC_K_SIZE_BYTES); - - // Computing shared secret - memcpy(mc, m, VEC_K_SIZE_BYTES); - PQCLEAN_HQCRMRS256_AVX2_store8_arr(mc + VEC_K_SIZE_BYTES, VEC_N_SIZE_BYTES, u, VEC_N_256_SIZE_64); - PQCLEAN_HQCRMRS256_AVX2_store8_arr(mc + VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES, VEC_N1N2_SIZE_BYTES, v, VEC_N1N2_SIZE_64); - 
sha512(ss, mc, VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES); - - // Abort if c != c' or d != d' - result = PQCLEAN_HQCRMRS256_AVX2_vect_compare((uint8_t *)u, (uint8_t *)u2, VEC_N_SIZE_BYTES); - result |= PQCLEAN_HQCRMRS256_AVX2_vect_compare((uint8_t *)v, (uint8_t *)v2, VEC_N1N2_SIZE_BYTES); - result |= PQCLEAN_HQCRMRS256_AVX2_vect_compare(d, d2, SHA512_BYTES); - result = (uint8_t) (-((int16_t) result) >> 15); - for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) { - ss[i] &= ~result; - } - - - return -(result & 1); -} diff --git a/crypto_kem/hqc-rmrs-256/avx2/parameters.h b/crypto_kem/hqc-rmrs-256/avx2/parameters.h deleted file mode 100644 index 5c61888b..00000000 --- a/crypto_kem/hqc-rmrs-256/avx2/parameters.h +++ /dev/null 
@@ -1,109 +0,0 @@
-#ifndef HQC_PARAMETERS_H
-#define HQC_PARAMETERS_H
-
-
-/**
- * @file parameters.h
- * @brief Parameters of the HQC_KEM IND-CCA2 scheme
- */
-#include "api.h"
-
-
-#define CEIL_DIVIDE(a, b) (((a)+(b)-1)/(b)) /*!< Divide a by b and ceil the result*/
-
-/*
- #define PARAM_N Define the parameter n of the scheme
- #define PARAM_N1 Define the parameter n1 of the scheme (length of Reed-Solomon code)
- #define PARAM_N2 Define the parameter n2 of the scheme (length of Duplicated Reed-Muller code)
- #define PARAM_N1N2 Define the length in bits of the Concatenated code
- #define PARAM_OMEGA Define the parameter omega of the scheme
- #define PARAM_OMEGA_E Define the parameter omega_e of the scheme
- #define PARAM_OMEGA_R Define the parameter omega_r of the scheme
- #define PARAM_SECURITY Define the security level corresponding to the chosen parameters
- #define PARAM_DFR_EXP Define the decryption failure rate corresponding to the chosen parameters
-
- #define SECRET_KEY_BYTES Define the size of the secret key in bytes
- #define PUBLIC_KEY_BYTES Define the size of the public key in bytes
- #define SHARED_SECRET_BYTES Define the size of the shared secret in bytes
- #define CIPHERTEXT_BYTES Define the size of the ciphertext in bytes
-
- #define UTILS_REJECTION_THRESHOLD Define the rejection threshold used to generate given weight vectors (see vector_set_random_fixed_weight function)
- #define VEC_N_SIZE_BYTES Define the size of the array used to store a PARAM_N sized vector in bytes
- #define VEC_K_SIZE_BYTES Define the size of the array used to store a PARAM_K sized vector in bytes
- #define VEC_N1Y_SIZE_BYTES Define the size of the array used to store a PARAM_N1 sized vector in bytes
- #define VEC_N1N2_SIZE_BYTES Define the size of the array used to store a PARAM_N1N2 sized vector in bytes
-
- #define VEC_N_SIZE_64 Define the size of the array used to store a PARAM_N sized vector in 64 bits
- #define VEC_K_SIZE_64 Define the size of the array used to store a PARAM_K sized vector in 64 bits
- #define VEC_N1_SIZE_64 Define the size of the array used to store a PARAM_N1 sized vector in 64 bits
- #define VEC_N1N2_SIZE_64 Define the size of the array used to store a PARAM_N1N2 sized vector in 64 bits
-
- #define VEC_N_256_SIZE_64 Define the size of the array of 64 bits elements used to store an array of size PARAM_N considered as elements of 256 bits
- #define VEC_N1N2_256_SIZE_64 Define the size of the array of 64 bits elements used to store an array of size PARAM_N1N2 considered as elements of 256 bits
-
- #define PARAM_DELTA Define the parameter delta of the scheme (correcting capacity of the Reed-Solomon code)
- #define PARAM_M Define a positive integer
- #define PARAM_GF_POLY Generator polynomial of galois field GF(2^PARAM_M), represented in hexadecimial form
- #define PARAM_GF_POLY_WT Hamming weight of PARAM_GF_POLY
- #define PARAM_GF_POLY_M2 Distance between the primitive polynomial first two set bits
- #define PARAM_GF_MUL_ORDER Define the size of the multiplicative group of GF(2^PARAM_M), i.e 2^PARAM_M -1
- #define PARAM_K Define the size of the information bits of the Reed-Solomon code
- #define PARAM_G Define the size of the generator polynomial of Reed-Solomon code
- #define PARAM_FFT The additive FFT takes a 2^PARAM_FFT polynomial as input
- We use the FFT to compute the roots of sigma, whose degree if PARAM_DELTA=24
- The smallest power of 2 greater than 24+1 is 32=2^5
- #define RS_POLY_COEFS Coefficients of the generator polynomial of the Reed-Solomon code
-
- #define RED_MASK A mask fot the higher bits of a vector
- #define SHA512_BYTES Define the size of SHA512 output in bytes
- #define SEED_BYTES Define the size of the seed in bytes
- #define SEEDEXPANDER_MAX_LENGTH Define the seed expander max length
-*/
-
-#define PARAM_N 57637
-#define PARAM_N1 90
-#define PARAM_N2 640
-#define PARAM_N1N2 57600
-#define PARAM_OMEGA 131
-#define PARAM_OMEGA_E 149
-#define PARAM_OMEGA_R 149
-#define PARAM_SECURITY 256
-#define PARAM_DFR_EXP 256
-
-#define SECRET_KEY_BYTES PQCLEAN_HQCRMRS256_AVX2_CRYPTO_SECRETKEYBYTES
-#define PUBLIC_KEY_BYTES PQCLEAN_HQCRMRS256_AVX2_CRYPTO_PUBLICKEYBYTES
-#define SHARED_SECRET_BYTES PQCLEAN_HQCRMRS256_AVX2_CRYPTO_BYTES
-#define CIPHERTEXT_BYTES PQCLEAN_HQCRMRS256_AVX2_CRYPTO_CIPHERTEXTBYTES
-
-#define UTILS_REJECTION_THRESHOLD 16772367
-#define VEC_N_SIZE_BYTES CEIL_DIVIDE(PARAM_N, 8)
-#define VEC_K_SIZE_BYTES PARAM_K
-#define VEC_N1_SIZE_BYTES PARAM_N1
-#define VEC_N1N2_SIZE_BYTES CEIL_DIVIDE(PARAM_N1N2, 8)
-
-#define VEC_N_SIZE_64 CEIL_DIVIDE(PARAM_N, 64)
-#define VEC_K_SIZE_64 CEIL_DIVIDE(PARAM_K, 8)
-#define VEC_N1_SIZE_64 CEIL_DIVIDE(PARAM_N1, 8)
-#define VEC_N1N2_SIZE_64 CEIL_DIVIDE(PARAM_N1N2, 64)
-
-#define PARAM_N_MULT (9*256*CEIL_DIVIDE(CEIL_DIVIDE(PARAM_N, 9), 256))
-#define VEC_N_256_SIZE_64 (PARAM_N_MULT / 64)
-#define VEC_N1N2_256_SIZE_64 (CEIL_DIVIDE(PARAM_N1N2, 256) << 2)
-
-#define PARAM_DELTA 29
-#define PARAM_M 8
-#define PARAM_GF_POLY 0x11D
-#define PARAM_GF_POLY_WT 5
-#define PARAM_GF_POLY_M2 4
-#define PARAM_GF_MUL_ORDER 255
-#define PARAM_K 32
-#define PARAM_G 59
-#define PARAM_FFT 5
-#define RS_POLY_COEFS 49,167,49,39,200,121,124,91,240,63,148,71,150,123,87,101,32,215,159,71,201,115,97,210,186,183,141,217,123,12,31,243,180,219,152,239,99,141,4,246,191,144,8,232,47,27,141,178,130,64,124,47,39,188,216,48,199,187,1
-
-#define RED_MASK 0x1fffffffff
-#define SHA512_BYTES 64
-#define SEED_BYTES 40
-#define SEEDEXPANDER_MAX_LENGTH 4294967295
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-256/avx2/parsing.c b/crypto_kem/hqc-rmrs-256/avx2/parsing.c
deleted file mode 100644
index cf786d2a..00000000
--- a/crypto_kem/hqc-rmrs-256/avx2/parsing.c
+++ /dev/null
@@ -1,186 +0,0 @@ -#include "nistseedexpander.h" -#include "parameters.h" -#include "parsing.h" -#include "randombytes.h" -#include "vector.h" -#include -#include -/** - * @file parsing.c - * @brief Functions to parse secret key, public key and ciphertext of the HQC scheme - */ - - -void PQCLEAN_HQCRMRS256_AVX2_store8(unsigned char *out, uint64_t in) { - out[0] = (in >> 0x00) & 0xFF; - out[1] = (in >> 0x08) & 0xFF; - out[2] = (in >> 0x10) & 0xFF; - out[3] = (in >> 0x18) & 0xFF; - out[4] = (in >> 0x20) & 0xFF; - out[5] = (in >> 0x28) & 0xFF; - out[6] = (in >> 0x30) & 0xFF; - out[7] = (in >> 0x38) & 0xFF; -} - - -uint64_t PQCLEAN_HQCRMRS256_AVX2_load8(const unsigned char *in) { - uint64_t ret = in[7]; - - for (int8_t i = 6; i >= 0; i--) { - ret <<= 8; - ret |= in[i]; - } - - return ret; -} - -void PQCLEAN_HQCRMRS256_AVX2_load8_arr(uint64_t *out64, size_t outlen, const uint8_t *in8, size_t inlen) { - size_t index_in = 0; - size_t index_out = 0; - - // first copy by 8 bytes - if (inlen >= 8 && outlen >= 1) { - while (index_out < outlen && index_in + 8 <= inlen) { - out64[index_out] = PQCLEAN_HQCRMRS256_AVX2_load8(in8 + index_in); - - index_in += 8; - index_out += 1; - } - } - - // we now need to do the last 7 bytes if necessary - if (index_in >= inlen || index_out >= outlen) { - return; - } - out64[index_out] = in8[inlen - 1]; - for (int8_t i = (int8_t)(inlen - index_in) - 2; i >= 0; i--) { - out64[index_out] <<= 8; - out64[index_out] |= in8[index_in + i]; - } -} - -void PQCLEAN_HQCRMRS256_AVX2_store8_arr(uint8_t *out8, size_t outlen, const uint64_t *in64, size_t inlen) { - for (size_t index_out = 0, index_in = 0; index_out < outlen && index_in < inlen;) { - out8[index_out] = (in64[index_in] >> ((index_out % 8) * 8)) & 0xFF; - index_out++; - if (index_out % 8 == 0) { - index_in++; - } - } -} - - -/** - * @brief Parse a secret key into a string - * - * The secret key is composed of the seed used to generate vectors x and y. 
- * As technicality, the public key is appended to the secret key in order to respect NIST API. - * - * @param[out] sk String containing the secret key - * @param[in] sk_seed Seed used to generate the secret key - * @param[in] pk String containing the public key - */ -void PQCLEAN_HQCRMRS256_AVX2_hqc_secret_key_to_string(uint8_t *sk, const uint8_t *sk_seed, const uint8_t *pk) { - memcpy(sk, sk_seed, SEED_BYTES); - sk += SEED_BYTES; - memcpy(sk, pk, PUBLIC_KEY_BYTES); -} - -/** - * @brief Parse a secret key from a string - * - * The secret key is composed of the seed used to generate vectors x and y. - * As technicality, the public key is appended to the secret key in order to respect NIST API. - * - * @param[out] x uint64_t representation of vector x - * @param[out] y uint64_t representation of vector y - * @param[out] pk String containing the public key - * @param[in] sk String containing the secret key - */ -void PQCLEAN_HQCRMRS256_AVX2_hqc_secret_key_from_string(uint64_t *x, uint64_t *y, uint8_t *pk, const uint8_t *sk) { - AES_XOF_struct sk_seedexpander; - uint8_t sk_seed[SEED_BYTES] = {0}; - - memcpy(sk_seed, sk, SEED_BYTES); - sk += SEED_BYTES; - memcpy(pk, sk, PUBLIC_KEY_BYTES); - - seedexpander_init(&sk_seedexpander, sk_seed, sk_seed + 32, SEEDEXPANDER_MAX_LENGTH); - PQCLEAN_HQCRMRS256_AVX2_vect_set_random_fixed_weight(&sk_seedexpander, x, PARAM_OMEGA); - PQCLEAN_HQCRMRS256_AVX2_vect_set_random_fixed_weight(&sk_seedexpander, y, PARAM_OMEGA); -} - -/** - * @brief Parse a public key into a string - * - * The public key is composed of the syndrome s as well as the seed used to generate the vector h - * - * @param[out] pk String containing the public key - * @param[in] pk_seed Seed used to generate the public key - * @param[in] s uint8_t representation of vector s - */ -void PQCLEAN_HQCRMRS256_AVX2_hqc_public_key_to_string(uint8_t *pk, const uint8_t *pk_seed, const uint64_t *s) { - memcpy(pk, pk_seed, SEED_BYTES); - PQCLEAN_HQCRMRS256_AVX2_store8_arr(pk + 
SEED_BYTES, VEC_N_SIZE_BYTES, s, VEC_N_SIZE_64); -} - - - -/** - * @brief Parse a public key from a string - * - * The public key is composed of the syndrome s as well as the seed used to generate the vector h - * - * @param[out] h uint8_t representation of vector h - * @param[out] s uint8_t representation of vector s - * @param[in] pk String containing the public key - */ -void PQCLEAN_HQCRMRS256_AVX2_hqc_public_key_from_string(uint64_t *h, uint64_t *s, const uint8_t *pk) { - AES_XOF_struct pk_seedexpander; - uint8_t pk_seed[SEED_BYTES] = {0}; - - memcpy(pk_seed, pk, SEED_BYTES); - pk += SEED_BYTES; - PQCLEAN_HQCRMRS256_AVX2_load8_arr(s, VEC_N_SIZE_64, pk, VEC_N_SIZE_BYTES); - - seedexpander_init(&pk_seedexpander, pk_seed, pk_seed + 32, SEEDEXPANDER_MAX_LENGTH); - PQCLEAN_HQCRMRS256_AVX2_vect_set_random(&pk_seedexpander, h); -} - - -/** - * @brief Parse a ciphertext into a string - * - * The ciphertext is composed of vectors u, v and hash d. - * - * @param[out] ct String containing the ciphertext - * @param[in] u uint8_t representation of vector u - * @param[in] v uint8_t representation of vector v - * @param[in] d String containing the hash d - */ -void PQCLEAN_HQCRMRS256_AVX2_hqc_ciphertext_to_string(uint8_t *ct, const uint64_t *u, const uint64_t *v, const uint8_t *d) { - PQCLEAN_HQCRMRS256_AVX2_store8_arr(ct, VEC_N_SIZE_BYTES, u, VEC_N_SIZE_64); - ct += VEC_N_SIZE_BYTES; - PQCLEAN_HQCRMRS256_AVX2_store8_arr(ct, VEC_N1N2_SIZE_BYTES, v, VEC_N1N2_SIZE_64); - ct += VEC_N1N2_SIZE_BYTES; - memcpy(ct, d, SHA512_BYTES); -} - - -/** - * @brief Parse a ciphertext from a string - * - * The ciphertext is composed of vectors u, v and hash d. 
- * - * @param[out] u uint8_t representation of vector u - * @param[out] v uint8_t representation of vector v - * @param[out] d String containing the hash d - * @param[in] ct String containing the ciphertext - */ -void PQCLEAN_HQCRMRS256_AVX2_hqc_ciphertext_from_string(uint64_t *u, uint64_t *v, uint8_t *d, const uint8_t *ct) { - PQCLEAN_HQCRMRS256_AVX2_load8_arr(u, VEC_N_SIZE_64, ct, VEC_N_SIZE_BYTES); - ct += VEC_N_SIZE_BYTES; - PQCLEAN_HQCRMRS256_AVX2_load8_arr(v, VEC_N1N2_SIZE_64, ct, VEC_N1N2_SIZE_BYTES); - ct += VEC_N1N2_SIZE_BYTES; - memcpy(d, ct, SHA512_BYTES); -} diff --git a/crypto_kem/hqc-rmrs-256/avx2/parsing.h b/crypto_kem/hqc-rmrs-256/avx2/parsing.h deleted file mode 100644 index b854fc80..00000000 --- a/crypto_kem/hqc-rmrs-256/avx2/parsing.h +++ /dev/null @@ -1,36 +0,0 @@ -#ifndef PARSING_H -#define PARSING_H - - -/** - * @file parsing.h - * @brief Header file for parsing.c - */ - -#include - -void PQCLEAN_HQCRMRS256_AVX2_store8(unsigned char *out, uint64_t in); - -uint64_t PQCLEAN_HQCRMRS256_AVX2_load8(const unsigned char *in); - -void PQCLEAN_HQCRMRS256_AVX2_load8_arr(uint64_t *out64, size_t outlen, const uint8_t *in8, size_t inlen); - -void PQCLEAN_HQCRMRS256_AVX2_store8_arr(uint8_t *out8, size_t outlen, const uint64_t *in64, size_t inlen); - - -void PQCLEAN_HQCRMRS256_AVX2_hqc_secret_key_to_string(uint8_t *sk, const uint8_t *sk_seed, const uint8_t *pk); - -void PQCLEAN_HQCRMRS256_AVX2_hqc_secret_key_from_string(uint64_t *x, uint64_t *y, uint8_t *pk, const uint8_t *sk); - - -void PQCLEAN_HQCRMRS256_AVX2_hqc_public_key_to_string(uint8_t *pk, const uint8_t *pk_seed, const uint64_t *s); - -void PQCLEAN_HQCRMRS256_AVX2_hqc_public_key_from_string(uint64_t *h, uint64_t *s, const uint8_t *pk); - - -void PQCLEAN_HQCRMRS256_AVX2_hqc_ciphertext_to_string(uint8_t *ct, const uint64_t *u, const uint64_t *v, const uint8_t *d); - -void PQCLEAN_HQCRMRS256_AVX2_hqc_ciphertext_from_string(uint64_t *u, uint64_t *v, uint8_t *d, const uint8_t *ct); - - -#endif 
diff --git a/crypto_kem/hqc-rmrs-256/avx2/reed_muller.c b/crypto_kem/hqc-rmrs-256/avx2/reed_muller.c
deleted file mode 100644
index 22527b8a..00000000
--- a/crypto_kem/hqc-rmrs-256/avx2/reed_muller.c
+++ /dev/null
@@ -1,389 +0,0 @@ -#include "parameters.h" -#include "reed_muller.h" -#include -#include -#include -/** - * @file reed_muller.c - * Constant time implementation of Reed-Muller code RM(1,7) - */ - - -// number of repeated code words -#define MULTIPLICITY CEIL_DIVIDE(PARAM_N2, 128) - -// copy bit 0 into all bits of a 64 bit value -#define BIT0MASK(x) (int64_t)(-((x) & 1)) - -static void encode(uint8_t *word, uint8_t message); -static void expand_and_sum(__m256i *dst, const uint64_t *src); -static void hadamard(__m256i *src, __m256i *dst); -static uint32_t find_peaks(__m256i *transform); - - - -/** - * @brief Encode a single byte into a single codeword using RM(1,7) - * - * Encoding matrix of this code: - * bit pattern (note that bits are numbered big endian) - * 0 aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa - * 1 cccccccc cccccccc cccccccc cccccccc - * 2 f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0 - * 3 ff00ff00 ff00ff00 ff00ff00 ff00ff00 - * 4 ffff0000 ffff0000 ffff0000 ffff0000 - * 5 00000000 ffffffff 00000000 ffffffff - * 6 00000000 00000000 ffffffff ffffffff - * 7 ffffffff ffffffff ffffffff ffffffff - * - * @param[out] word An RM(1,7) codeword - * @param[in] message A message to encode - */ -static void encode(uint8_t *word, uint8_t message) { - uint32_t e; - // bit 7 flips all the bits, do that first to save work - e = BIT0MASK(message >> 7); - // bits 0, 1, 2, 3, 4 are the same for all four longs - // (Warning: in the bit matrix above, low bits are at the left!) 
- e ^= BIT0MASK(message >> 0) & 0xaaaaaaaa; - e ^= BIT0MASK(message >> 1) & 0xcccccccc; - e ^= BIT0MASK(message >> 2) & 0xf0f0f0f0; - e ^= BIT0MASK(message >> 3) & 0xff00ff00; - e ^= BIT0MASK(message >> 4) & 0xffff0000; - // we can store this in the first quarter - word[0 + 0] = (e >> 0x00) & 0xff; - word[0 + 1] = (e >> 0x08) & 0xff; - word[0 + 2] = (e >> 0x10) & 0xff; - word[0 + 3] = (e >> 0x18) & 0xff; - // bit 5 flips entries 1 and 3; bit 6 flips 2 and 3 - e ^= BIT0MASK(message >> 5); - word[4 + 0] = (e >> 0x00) & 0xff; - word[4 + 1] = (e >> 0x08) & 0xff; - word[4 + 2] = (e >> 0x10) & 0xff; - word[4 + 3] = (e >> 0x18) & 0xff; - e ^= BIT0MASK(message >> 6); - word[12 + 0] = (e >> 0x00) & 0xff; - word[12 + 1] = (e >> 0x08) & 0xff; - word[12 + 2] = (e >> 0x10) & 0xff; - word[12 + 3] = (e >> 0x18) & 0xff; - e ^= BIT0MASK(message >> 5); - word[8 + 0] = (e >> 0x00) & 0xff; - word[8 + 1] = (e >> 0x08) & 0xff; - word[8 + 2] = (e >> 0x10) & 0xff; - word[8 + 3] = (e >> 0x18) & 0xff; -} - - - -/** - * @brief Add multiple codewords into expanded codeword - * - * Note: this does not write the codewords as -1 or +1 as the green machine does - * instead, just 0 and 1 is used. 
- * The resulting hadamard transform has: - * all values are halved - * the first entry is 64 too high - * - * @param[out] dst Structure that contain the expanded codeword - * @param[in] src Structure that contain the codeword - */ -inline void expand_and_sum(__m256i *dst, const uint64_t *src) { - uint16_t v[16]; - for (size_t part = 0; part < 8; part++) { - dst[part] = _mm256_setzero_si256(); - } - for (size_t copy = 0; copy < MULTIPLICITY; copy++) { - for (size_t part = 0; part < 8; part++) { - for (size_t bit = 0; bit < 16; bit++) { - v[bit] = (((uint16_t *)(&src[2 * copy]))[part] >> bit) & 1; - } - dst[part] += _mm256_set_epi16(v[15], v[14], v[13], v[12], v[11], v[10], v[9], v[8], - v[7], v[6], v[5], v[4], v[3], v[2], v[1], v[0]); - } - } -} - - - -/** - * @brief Hadamard transform - * - * Perform hadamard transform of src and store result in dst - * src is overwritten: it is also used as intermediate buffer - * Method is best explained if we use H(3) instead of H(7): - * - * The routine multiplies by the matrix H(3): - * [1 1 1 1 1 1 1 1] - * [1 -1 1 -1 1 -1 1 -1] - * [1 1 -1 -1 1 1 -1 -1] - * [a b c d e f g h] * [1 -1 -1 1 1 -1 -1 1] = result of routine - * [1 1 1 1 -1 -1 -1 -1] - * [1 -1 1 -1 -1 1 -1 1] - * [1 1 -1 -1 -1 -1 1 1] - * [1 -1 -1 1 -1 1 1 -1] - * You can do this in three passes, where each pass does this: - * set lower half of buffer to pairwise sums, - * and upper half to differences - * index 0 1 2 3 4 5 6 7 - * input: a, b, c, d, e, f, g, h - * pass 1: a+b, c+d, e+f, g+h, a-b, c-d, e-f, g-h - * pass 2: a+b+c+d, e+f+g+h, a-b+c-d, e-f+g-h, a+b-c-d, e+f-g-h, a-b-c+d, e-f-g+h - * pass 3: a+b+c+d+e+f+g+h a+b-c-d+e+f-g-h a+b+c+d-e-f-g-h a+b-c-d-e+-f+g+h - * a-b+c-d+e-f+g-h a-b-c+d+e-f-g+h a-b+c-d-e+f-g+h a-b-c+d-e+f+g-h - * This order of computation is chosen because it vectorises well. - * Likewise, this routine multiplies by H(7) in seven passes. 
- * - * @param[out] src Structure that contain the expanded codeword - * @param[out] dst Structure that contain the expanded codeword - */ -inline void hadamard(__m256i *src, __m256i *dst) { - // the passes move data: - // src -> dst -> src -> dst -> src -> dst -> src -> dst - // using p1 and p2 alternately - __m256i *p1 = src; - __m256i *p2 = dst; - __m256i *p3; - for (size_t pass = 0; pass < 7; pass++) { - // warning: hadd works "within lanes" as Intel call it - // so you have to swap the middle 64 bit blocks of the result - for (size_t part = 0; part < 4; part++) { - p2[part] = _mm256_permute4x64_epi64(_mm256_hadd_epi16(p1[2 * part], p1[2 * part + 1]), 0xd8); - p2[part + 4] = _mm256_permute4x64_epi64(_mm256_hsub_epi16(p1[2 * part], p1[2 * part + 1]), 0xd8); - } - // swap p1, p2 for next round - p3 = p1; - p1 = p2; - p2 = p3; - } -} - - - -/** - * @brief Finding the location of the highest value - * - * This is the final step of the green machine: find the location of the highest value, - * and add 128 if the peak is positive - * Notes on decoding - * The standard "Green machine" decoder words as follows: - * if the received codeword is W, compute (2 * W - 1) * H7 - * The entries of the resulting vector are always even and vary from - * -128 (= the complement is a code word, add bit 7 to decode) - * via 0 (this is a different codeword) - * to 128 (this is the code word). - * - * Our decoding differs in two ways: - * - We take W instead of 2 * W - 1 (so the entries are 0,1 instead of -1,1) - * - We take the sum of the repititions (so the entries are 0..MULTIPLICITY) - * This implies that we have to subtract 64M (M=MULTIPLICITY) - * from the first entry to make sure the first codewords is handled properly - * and that the entries vary from -64M to 64M. - * -64M or 64M stands for a perfect codeword. 
- * If there are fewer than 32M errors, there is always a unique codeword - * which an entry with absolute value > 32M; - * this is because an error changes an entry by 1. - * The highest number that seem to be decodable is 50 errors, so that the - * highest entries in the hadamard transform can be as low as 12. - * But this is different for the repeated code. - * Because multiple codewords are added, this changes: the lowest value of the - * hadamard transform of the sum of six words is seen to be as low as 43 (!), - * which is way less than 12*6. - * - * It is possible that there are more errors, but the word is still uniquely - * decodable: we found a word with distance of 50 from the nearest codeword. - * That means that the highest entry can be as low as 14M. - * Since we have to do binary search, we search for the range 1-64M - * which can be done in 6+l2g(M) steps. - * The binary search is based on (values>32M are unique): - * M 32M min> max> firstStep #steps - * 2 64 1 64 33 +- 16 6 - * 4 128 1 128 65 +- 32 7 - * 6 192 1 192 129 +- 64 8 - * - * As a check, we run a sample for M=6 to see the peak value; it ranged - * from 43 to 147, so my analysis looks right. Also, it shows that decoding - * far beyond the bound of 32M is needed. - * - * For the vectors, it would be tempting to use 8 bit ints, - * because the values "almost" fit in there. - * We could use some trickery to fit it in 8 bits, like saturated add or - * division by 2 in a late step. - * Unfortunately, these instructions do not exist. - * the adds _mm512_adds_epi8 is available only on the latest processors, - * and division, shift, mulhi are not available at all for 8 bits. - * So, we use 16 bit ints. - * - * For the search of the optimal comparison value, - * remember the transform contains 64M-d, - * where d are the distances to the codewords. - * The highest value gives the most likely codeword. 
- * There is not fast vectorized way to find this value, so we search for the - * maximum value itself. - * In each pass, we collect a bit map of the transform values that are, - * say >bound. There are three cases: - * bit map = 0: all code words are further away than 64M-bound (decrease bound) - * bit map has one bit: one unique code word has distance < 64M-bound - * bit map has multiple bits: multiple words (increase bound) - * We will search for the lowest value of bound that gives a nonzero bit map. - * - * @param[in] transform Structure that contain the expanded codeword - */ -inline uint32_t find_peaks(__m256i *transform) { - // a whole lot of vector variables - __m256i bitmap, abs_rows[8], bound, active_row, max_abs_rows; - __m256i tmp = _mm256_setzero_si256(); - __m256i vect_mask; - __m256i res; - int32_t lower; - int32_t width; - uint32_t message; - uint32_t mask; - int8_t index; - int8_t abs_value; - int8_t mask1; - int8_t mask2; - uint16_t result; - - // compute absolute value of transform - for (size_t i = 0; i < 8; i++) { - abs_rows[i] = _mm256_abs_epi16(transform[i]); - } - // compute a vector of 16 elements which contains the maximum somewhere - // (later used to compute bits 0 through 3 of message) - max_abs_rows = abs_rows[0]; - for (size_t i = 1; i < 8; i++) { - max_abs_rows = _mm256_max_epi16(max_abs_rows, abs_rows[i]); - } - - // do binary search for the highest value that is lower than the maximum - // loop invariant: lower gives bit map = 0, lower + width gives bit map > 0 - lower = 1; - // this gives 64, 128 or 256 for MULTIPLICITY = 2, 4, 6 - width = 1 << (5 + MULTIPLICITY / 2); - // if you don't unroll this loop, it fits in the loop cache - // uncomment the line below to speeding up the program by a few percent - // #pragma GCC unroll 0 - while (width > 1) { - width >>= 1; - // compare with lower + width; put result in bitmap - // make vector from value of new bound - bound = _mm256_broadcastw_epi16(_mm_cvtsi32_si128(lower + width)); - 
bitmap = _mm256_cmpgt_epi16(max_abs_rows, bound); - // step up if there are any matches - // rely on compiler to use conditional move here - mask = (uint32_t) _mm256_testz_si256(bitmap, bitmap); - mask = ~(uint32_t) ((-(int64_t) mask) >> 63); - lower += mask & width; - } - // lower+width contains the maximum value of the vector - // or less, if the maximum is very high (which is OK) - // normally, there is one maximum, but sometimes there are more - // find where the maxima occur in the maximum vector - // (each determines lower 4 bits of peak position) - // construct vector filled with bound-1 - bound = _mm256_broadcastw_epi16(_mm_cvtsi32_si128(lower + width - 1)); - - // find in which of the 8 groups a maximum occurs to compute bits 4, 5, 6 of message - // find lowest value by searching backwards skip first check to save time - message = 0x70; - for (size_t i = 0; i < 8; i++) { - bitmap = _mm256_cmpgt_epi16(abs_rows[7 - i], bound); - mask = (uint32_t) _mm256_testz_si256(bitmap, bitmap); - mask = ~(uint32_t) ((-(int64_t) mask) >> 63); - message ^= mask & (message ^ ((7 - i) << 4)); - } - // we decided which row of the matrix contains the lowest match - // select proper row - index = message >> 4; - - tmp = _mm256_setzero_si256(); - for (size_t i = 0; i < 8; i++) { - abs_value = (int8_t)(index - i); - mask1 = abs_value >> 7; - abs_value ^= mask1; - abs_value -= mask1; - mask2 = ((uint8_t) - abs_value >> 7); - mask = (-1ULL) + mask2; - vect_mask = _mm256_set1_epi32(mask); - res = _mm256_and_si256(abs_rows[i], vect_mask); - tmp = _mm256_or_si256(tmp, res); - } - - active_row = tmp; - - // get the column number of the vector element - // by setting the bits corresponding to the columns - // and then adding elements within two groups of 8 - vect_mask = _mm256_cmpgt_epi16(active_row, bound); - vect_mask &= _mm256_set_epi16(-32768, 16384, 8192, 4096, 2048, 1024, 512, 256, 128, 64, 32, 16, 8, 4, 2, 1); - for (size_t i = 0; i < 3; i++) { - vect_mask = 
_mm256_hadd_epi16(vect_mask, vect_mask); - } - // add low 4 bits of message - message |= __tzcnt_u16(_mm256_extract_epi16(vect_mask, 0) + _mm256_extract_epi16(vect_mask, 8)); - - // set bit 7 if sign of biggest value is positive - // make sure a jump isn't generated by the compiler - tmp = _mm256_setzero_si256(); - for (size_t i = 0; i < 8; i++) { - mask = ~(uint32_t) ((-(int64_t)(i ^ message / 16)) >> 63); - vect_mask = _mm256_set1_epi32(mask); - tmp = _mm256_or_si256(tmp, _mm256_and_si256(vect_mask, transform[i])); - } - result = 0; - for (size_t i = 0; i < 16; i++) { - mask = ~(uint32_t) ((-(int64_t)(i ^ message % 16)) >> 63); - result |= mask & ((uint16_t *)&tmp)[i]; - } - message |= (0x8000 & ~result) >> 8; - return message; -} - - - -/** - * @brief Encodes the received word - * - * The message consists of N1 bytes each byte is encoded into PARAM_N2 bits, - * or MULTIPLICITY repeats of 128 bits - * - * @param[out] cdw Array of size VEC_N1N2_SIZE_64 receiving the encoded message - * @param[in] msg Array of size VEC_N1_SIZE_64 storing the message - */ -void PQCLEAN_HQCRMRS256_AVX2_reed_muller_encode(uint8_t *cdw, const uint8_t *msg) { - for (size_t i = 0; i < VEC_N1_SIZE_BYTES; i++) { - // encode first word - encode(&cdw[16 * i * MULTIPLICITY], msg[i]); - // copy to other identical codewords - for (size_t copy = 1; copy < MULTIPLICITY; copy++) { - memcpy(&cdw[16 * i * MULTIPLICITY + 16 * copy], &cdw[16 * i * MULTIPLICITY], 16); - } - } -} - - - -/** - * @brief Decodes the received word - * - * Decoding uses fast hadamard transform, for a more complete picture on Reed-Muller decoding, see MacWilliams, Florence Jessie, and Neil James Alexander Sloane. 
- * The theory of error-correcting codes codes @cite macwilliams1977theory - * - * @param[out] msg Array of size VEC_N1_SIZE_64 receiving the decoded message - * @param[in] cdw Array of size VEC_N1N2_SIZE_64 storing the received word - */ -void PQCLEAN_HQCRMRS256_AVX2_reed_muller_decode(uint8_t *msg, const uint8_t *cdw) { - __m256i expanded[8]; - __m256i transform[8]; - for (size_t i = 0; i < VEC_N1_SIZE_BYTES; i++) { - // collect the codewords - expand_and_sum(expanded, (uint64_t *)&cdw[16 * i * MULTIPLICITY]); - // apply hadamard transform - hadamard(expanded, transform); - // fix the first entry to get the half Hadamard transform - transform[0] -= _mm256_set_epi16(0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 64 * MULTIPLICITY); - // finish the decoding - msg[i] = find_peaks(transform); - } -} diff --git a/crypto_kem/hqc-rmrs-256/avx2/reed_muller.h b/crypto_kem/hqc-rmrs-256/avx2/reed_muller.h deleted file mode 100644 index bcfbfa56..00000000 --- a/crypto_kem/hqc-rmrs-256/avx2/reed_muller.h +++ /dev/null @@ -1,18 +0,0 @@ -#ifndef REED_MULLER_H -#define REED_MULLER_H - - -/** - * @file reed_muller.h - * Header file of reed_muller.c - */ -#include "parameters.h" -#include -#include - -void PQCLEAN_HQCRMRS256_AVX2_reed_muller_encode(uint8_t *cdw, const uint8_t *msg); - -void PQCLEAN_HQCRMRS256_AVX2_reed_muller_decode(uint8_t *msg, const uint8_t *cdw); - - -#endif diff --git a/crypto_kem/hqc-rmrs-256/avx2/reed_solomon.c b/crypto_kem/hqc-rmrs-256/avx2/reed_solomon.c deleted file mode 100644 index 2412c140..00000000 --- a/crypto_kem/hqc-rmrs-256/avx2/reed_solomon.c +++ /dev/null 
@@ -1,744 +0,0 @@
-#include "fft.h"
-#include "gf.h"
-#include "parameters.h"
-#include "parsing.h"
-#include "reed_solomon.h"
-#include
-#include
-#include
-/**
- * @file reed_solomon.c
- * Constant time implementation of Reed-Solomon codes
- */
-
-
-static void compute_syndromes(uint16_t *syndromes, uint8_t *cdw);
-static uint16_t compute_elp(uint16_t *sigma, const uint16_t *syndromes);
-static void compute_roots(uint8_t *error, uint16_t *sigma);
-static void compute_z_poly(uint16_t *z, const uint16_t *sigma, uint16_t degree, const uint16_t *syndromes);
-static void compute_error_values(uint16_t *error_values, const uint16_t *z, const uint8_t *error);
-static void correct_errors(uint8_t *cdw, const uint16_t *error_values);
-
-static const __m256i alpha_ij256_1[89] = {
- {0x0010000800040002, 0x001d008000400020, 0x00cd00e80074003a, 0x004c002600130087},
- {0x001d004000100004, 0x004c001300cd0074, 0x008f00ea00b4002d, 0x009d006000180006},
- {0x00cd003a00400008, 0x008f0075002d0026, 0x002500270060000c, 0x004600c100b50035},
- {0x004c00cd001d0010, 0x009d0018008f00b4, 0x004600ee006a0025, 0x005f00b9005d0014},
- {0x00b4002600740020, 0x006a009c00600003, 0x00b900a0000500c1, 0x00fd000f005e00be},
- {0x008f002d00cd0040, 0x004600b500250060, 0x0065006100b90050, 0x00d900df006b0078},
- {0x0018007500130080, 0x005d008c00b5009c, 0x006b003c005e00a1, 0x0081001a004300a3},
- {0x009d008f004c001d, 0x005f005d0046006a, 0x00d900fe00fd0065, 0x0085003b0081000d},
- {0x0025000c002d003a, 0x006500a1005000c1, 0x00d0008600df00e7, 0x00a800a9006600ed},
- {0x006a006000b40074, 0x00fd005e00b90005, 0x003b0067001100df, 0x00e600550084002e},
- {0x00ee002700ea00e8, 0x00fe003c006100a0, 0x00b8007600670086, 0x00e3009100390054},
- {0x00460025008f00cd, 0x00d9006b006500b9, 0x00a800b8003b00d0, 0x0082009600fc00e4},
- {0x0014003500060087, 0x000d00a3007800be, 0x00e40054002e00ed, 0x00510064006200e5},
- {0x005d00b500180013, 0x00810043006b005e, 0x00fc003900840066, 0x0012005900c80062},
- {0x00b900c100600026, 0x003b001a00df000f,
0x00960091005500a9, 0x002c002400590064}, - {0x005f0046009d004c, 0x0085008100d900fd, 0x008200e300e600a8, 0x0002002c00120051}, - {0x0099000a004e0098, 0x004f0093004400d6, 0x00dd00dc00d70092, 0x00980001000b0045}, - {0x006500500025002d, 0x00a8006600d000df, 0x00c30007009600bf, 0x0027002600ad00fb}, - {0x001e00ba0094005a, 0x0049006d003e00e2, 0x003d00a200ae00b3, 0x008c006000e80083}, - {0x00fd00b9006a00b4, 0x00e60084003b0011, 0x002c00ac001c0096, 0x00be00c100030020}, - {0x006b00a100b50075, 0x00fc00290066001a, 0x00ad00f500590057, 0x00e700b90035002d}, - {0x00fe006100ee00ea, 0x00e3003900b80067, 0x003a00b000ac0007, 0x00af000f002800c0}, - {0x005b002f009f00c9, 0x009500d10021007c, 0x0075004700f400a6, 0x001f00df00c200ee}, - {0x00d900650046008f, 0x008200fc00a8003b, 0x0027003a002c00c3, 0x0017001a00e700ba}, - {0x0011000f00050003, 0x001c00ff00550033, 0x00c100b4006c0024, 0x004d003b00e2005e}, - {0x000d007800140006, 0x0051006200e4002e, 0x00ba00c0002000fb, 0x00d100a900bd00bb}, - {0x00d000e70050000c, 0x00c3005700bf00a9, 0x002f00b50026007d, 0x00db005500c500d9}, - {0x0081006b005d0018, 0x001200c800fc0084, 0x00e70028000300ad, 0x00190091009e00bd}, - {0x00f8007f00690030, 0x00f700e000f1004d, 0x00b6005f009c0040, 0x00a2009600aa00ec}, - {0x003b00df00b90060, 0x002c005900960055, 0x001a000f00c10026, 0x00240064009100a9}, - {0x009700b600de00c0, 0x001b009b006e0072, 0x00ed00b100a0008f, 0x00580059004b0052}, - {0x008500d9005f009d, 0x00020012008200e6, 0x001700af00be0027, 0x00040024001900d1}, - {0x00b8008600610027, 0x003a00f500070091, 0x001500d0000f00b5, 0x002d002c00a600f1}, - {0x004f00440099004e, 0x0098000b00dd00d7, 0x0092009300d6000a, 0x004e0001004500dc}, - {0x0084001a005e009c, 0x000300e9005900ff, 0x0091002e00e200b9, 0x0005002600eb001c}, - {0x00a800d000650025, 0x002700ad00c30096, 0x00db0015001a002f, 0x00610060003600f2}, - {0x005200ce0089004a, 0x00d40010008a0037, 0x00570049007c0078, 0x00d300c1001d0048}, - {0x0049003e001e0094, 0x008c00e8003d00ae, 0x003800630033007f, 0x004300b900ea0016}, - {0x00e400ed00780035, 
0x00ba002d00fb0064, 0x00f200f100a900d9, 0x003e000f002500ad}, - {0x00e6003b00fd006a, 0x00be0003002c001c, 0x00240037004d001a, 0x002e00df00050074}, - {0x00c600c500d300d4, 0x00ca009d00cf00a7, 0x008b00c80072003e, 0x009a001a005f00c9}, - {0x00fc0066006b00b5, 0x00e7003500ad0059, 0x003600a6009100c5, 0x00bf003b00780025}, - {0x007b001700b10077, 0x00e1009f000800ef, 0x0040002b00ff00b8, 0x00ab00a9005b008c}, - {0x00e300b800fe00ee, 0x00af0028003a00ac, 0x002d007a00370015, 0x00320055003400de}, - {0x009600a900df00c1, 0x001a00b900260024, 0x0060002c00640055, 0x00590091003b000f}, - {0x00950021005b009f, 0x001f00c2007500f4, 0x00b500d800a70073, 0x0048009600da00fe}, - {0x00a5001500710023, 0x00760089000c00eb, 0x0050008000ef00fc, 0x00b0006400520022}, - {0x008200a800d90046, 0x001700e70027002c, 0x0061002d002400db, 0x0008005900bf003e}, - {0x00c800290043008c, 0x009e00fe003500e9, 0x0078003000eb006e, 0x005a002400e300cc}, - {0x001c005500110005, 0x004d00e200c1006c, 0x00df006a00e90064, 0x009c002c00ae0084}, - {0x00dd00920044000a, 0x00920044000a0001, 0x0044000a000100dd, 0x000a000100dd0092}, - {0x005100e4000d0014, 0x00d100bd00ba0020, 0x003e00de007400f2, 0x00c20026002b003f}, - {0x0079007300340028, 0x00e500f800a10074, 0x006600ca00b4008a, 0x00bb006000f7004b}, - {0x00c300bf00d00050, 0x00db00c5002f0026, 0x0021006b006000f5, 0x008600c100cf0082}, - {0x00ac0091006700a0, 0x0037002e000f00b4, 0x005500e2006a002c, 0x007c00b9002000a7}, - {0x001200fc0081005d, 0x0019009e00e70003, 0x00bf003400050036, 0x005c000f005a002b}, - {0x003d00b3003e00ba, 0x003800a8007f0060, 0x00f100ed00b90008, 0x002900df002700f5}, - {0x00f700f100f80069, 0x00a200aa00b6009c, 0x006e0085005e00cd, 0x0063001a002300fa}, - {0x00cb00db00c700d2, 0x009b00b70086006a, 0x0007004200fd0075, 0x004b003b006f0004}, - {0x002c0096003b00b9, 0x00240091001a00c1, 0x0059005500df0060, 0x006400a9000f0026}, - {0x00fa00c400ec006f, 0x00f3007b00ce0005, 0x008a00d100110035, 0x00b2005500e10018}, - {0x001b006e009700de, 0x0058004b00ed00a0, 0x00fb007b00670046, 0x00900091008800d4}, - 
{0x00ad0057006600a1, 0x0036006e00c500b9, 0x00cf00c4003b00ba, 0x007d009600ed0050}, - {0x000200820085005f, 0x00040019001700be, 0x00080032002e0061, 0x00100064005c00c2}, - {0x00200064002e00be, 0x0074001c00a9005e, 0x002600a70084000f, 0x00b40059004d00fd}, - {0x003a000700b80061, 0x002d00a60015000f, 0x000c00c30055006b, 0x00250024007300b6}, - {0x0087003800da00c2, 0x000600f9002900fd, 0x0035009000e600b6, 0x0014002c00f60034}, - {0x009800dd004f0099, 0x004e0045009200d6, 0x000a000b00d70044, 0x0099000100dc0093}, - {0x007500a60021002f, 0x00b5003d007300df, 0x00a10036009600ce, 0x006b0026003800b8}, - {0x000300590084005e, 0x000500eb009100e2, 0x000f002000ae003b, 0x0011006000ef004d}, - {0x003000f2002a00bc, 0x006900b000b30011, 0x007f004c001c0017, 0x00f800c1007a00b7}, - {0x002700c300a80065, 0x0061003600db001a, 0x0086000c00590021, 0x00b800b9007d00b3}, - {0x004a0056009a00ca, 0x0089000200c40067, 0x00ce009400ac0029, 0x0052000f00040095}, - {0x00d4008a00520089, 0x00d3001d0057007c, 0x00c5008c00f400e4, 0x00c600df004c008d}, - {0x00c100240055000f, 0x00df00260064003b, 0x00a900b9002c0091, 0x0096001a00600059}, - {0x008c003d0049001e, 0x004300ea00380033, 0x002900bc006c00f1, 0x00c8003b00ee0009}, - {0x002800f50039003c, 0x0034003000a6002e, 0x007300d3002000c4, 0x007900a9006900cb}, - {0x00ba00fb00e40078, 0x003e002500f200a9, 0x00b300b600260082, 0x003d005500650036}, - {0x006f008b00b700f0, 0x00ec007700560084, 0x00c4000d00030038, 0x00fa009100b10080}, - {0x00be002c00e600fd, 0x002e00050024004d, 0x0064007c009c0059, 0x00200096001100b4}, - {0x002f007d00bf00e7, 0x002100ba00f50055, 0x00a6006600c10056, 0x00750064003e0027}, - {0x00ca00cf00c600d3, 0x009a005f008b0072, 0x0056009e00a0003d, 0x004a00590085009f}, - {0x003c0036003f00bb, 0x003900bc007d00e6, 0x00f5005200be008b, 0x00280024002a00d2}, - {0x00e700ad00fc006b, 0x00bf007800360091, 0x007d0073000f00cf, 0x002f002c00e40065}, - {0x00d6000100d700d6, 0x00d700d6000100d7, 0x000100d700d60001, 0x00d6000100d700d6}, - {0x00e10008007b00b1, 0x00ab005b004000ff, 0x00cd003100e2003a, 
0x0022002600950043}, - {0x00b6004000f1007f, 0x006e008600cd0096, 0x008f0082001a002d, 0x00ed0060000700ce}, - {0x00af003a00e300fe, 0x00320034002d0037, 0x002500e0007c000c, 0x006d00c100790097}, - {0x002200cd00ab00e1, 0x0070001f008f00ae, 0x004600f900330025, 0x00a400b90048009e} -}; -static const __m256i alpha_ij256_2[89] = { - {0x00b4005a002d0098, 0x008f00c900ea0075, 0x0018000c00060003, 0x009d00c000600030}, - {0x006a00940025004e, 0x0046009f00ee00b5, 0x005d005000140005, 0x005f00de00b90069}, - {0x00b900ba0050000a, 0x0065002f006100a1, 0x006b00e70078000f, 0x00d900b600df007f}, - {0x00fd001e00650099, 0x00d9005b00fe006b, 0x008100d0000d0011, 0x00850097003b00f8}, - {0x001100e200df00d6, 0x003b007c0067001a, 0x008400a9002e0033, 0x00e600720055004d}, - {0x003b003e00d00044, 0x00a8002100b80066, 0x00fc00bf00e40055, 0x0082006e009600f1}, - {0x0084006d00660093, 0x00fc00d100390029, 0x00c80057006200ff, 0x0012009b005900e0}, - {0x00e6004900a8004f, 0x0082009500e300fc, 0x001200c30051001c, 0x0002001b002c00f7}, - {0x009600b300bf0092, 0x00c300a600070057, 0x00ad007d00fb0024, 0x0027008f00260040}, - {0x001c00ae009600d7, 0x002c00f400ac0059, 0x000300260020006c, 0x00be00a000c1009c}, - {0x00ac00a2000700dc, 0x003a004700b000f5, 0x002800b500c000b4, 0x00af00b1000f005f}, - {0x002c003d00c300dd, 0x00270075003a00ad, 0x00e7002f00ba00c1, 0x001700ed001a00b6}, - {0x0020008300fb0045, 0x00ba00ee00c0002d, 0x00bd00d900bb005e, 0x00d1005200a900ec}, - {0x000300e800ad000b, 0x00e700c200280035, 0x009e00c500bd00e2, 0x0019004b009100aa}, - {0x00c1006000260001, 0x001a00df000f00b9, 0x0091005500a9003b, 0x0024005900640096}, - {0x00be008c00270098, 0x0017001f00af00e7, 0x001900db00d1004d, 0x00040058002400a2}, - {0x00d60099000a004e, 0x0092004f00930044, 0x004500dd00dc00d7, 0x004e00980001000b}, - {0x001a007f002f000a, 0x00db0073001500c5, 0x003600f500f20064, 0x00610046006000cd}, - {0x00330034007f0099, 0x00380062006300a8, 0x00ea0008001600ac, 0x004300f000b900d4}, - {0x004d0033001a00d6, 0x002400a700370091, 0x00050060007400e9, 0x002e006700df005e}, 
- {0x009100a800c50044, 0x0036003d00a6006e, 0x007800ba00250026, 0x00bf0015003b0086}, - {0x0037006300150093, 0x002d00d8007a00a6, 0x0034006b00de006a, 0x0032007b00550085}, - {0x00a700620073004f, 0x00b5005a00d8003d, 0x00da00ce00fe00be, 0x004800e0009600d5}, - {0x0024003800db0092, 0x006100b5002d0036, 0x00bf0021003e00df, 0x000800fb0059006e}, - {0x00e900ac006400d7, 0x00df00be006a0026, 0x00ae00910084007c, 0x009c0074002c00ef}, - {0x0074001600f200dc, 0x003e00fe00de0025, 0x002b0082003f0084, 0x00c200d4002600fa}, - {0x0060000800f500dd, 0x002100ce006b00ba, 0x00cf005600820091, 0x0086006500c1002d}, - {0x000500ea00360045, 0x00bf00da00340078, 0x005a00cf002b00ae, 0x005c0088000f0023}, - {0x005e00d400cd000b, 0x006e00d500850086, 0x0023002d00fa00ef, 0x006300da001a001e}, - {0x00df00b900600001, 0x005900960055003b, 0x000f00c10026002c, 0x0064009100a9001a}, - {0x006700f000460098, 0x00fb00e0007b0015, 0x0088006500d40074, 0x009000c8009100da}, - {0x002e00430061004e, 0x00080048003200bf, 0x005c008600c2009c, 0x0010009000640063}, - {0x005500ed006b000a, 0x000c003600c300c4, 0x0073006600b600b9, 0x0025000800240082}, - {0x00d7004f00440099, 0x000a0098000b00dd, 0x00dc0092009300d6, 0x0099004e00010045}, - {0x00ae0072003b00d6, 0x000f006a00200024, 0x00ef0096004d0067, 0x001100be0060006c}, - {0x005900f100210044, 0x008600a1000c00cf, 0x007d00a600b300a9, 0x00b800d900b9008f}, - {0x00f4001900e40093, 0x00c500b1008c00cd, 0x004c00fb008d00e6, 0x00c600cc00df0028}, - {0x006c007900f1004f, 0x002900bd00bc0027, 0x00ee004000090037, 0x00c800b7003b00d3}, - {0x002600f500820092, 0x00b300b800b60050, 0x0065002700360059, 0x003d0057005500ce}, - {0x009c006c005900d7, 0x00640072007c000f, 0x001100b900b400eb, 0x002000ac00960084}, - {0x00a00013003d00dc, 0x005600ab009e00d9, 0x0085007f009f0020, 0x004a00d8005900e5}, - {0x000f002700cf00dd, 0x007d0038007300ed, 0x00e4003e00650060, 0x002f000c002c0007}, - {0x00e20014003a0045, 0x00cd001200310021, 0x00950015004300a0, 0x0022006900260090}, - {0x007c00bc000c000b, 0x0025008300e00073, 0x007900fc009700fd, 
0x006d00e100c10002}, - {0x00a900df00c10001, 0x00b9002600240096, 0x002c00640055001a, 0x0091003b000f0060}, - {0x007200bd00a10098, 0x006b009400830038, 0x0087008a00e3002e, 0x008d00aa001a00d2}, - {0x00ff008500e7004e, 0x00d0006f0013008a, 0x00d4003600700072, 0x007a006200a900fe}, - {0x006400290086000a, 0x00b8006b0025007d, 0x002f0075003d0096, 0x004000f2009100ed}, - {0x00ef003f00ed0099, 0x00e400680069003a, 0x00af0046008e00a7, 0x009400fa0064009a}, - {0x00eb003700a900d6, 0x0096002e00fd0060, 0x0033000f000300f4, 0x005e00b4002400ff}, - {0x000100dd00920044, 0x00dd00920044000a, 0x00920044000a0001, 0x0044000a000100dd}, - {0x00b4000900b30093, 0x003d00e300970065, 0x00310017003c0003, 0x00da00d3006000f3}, - {0x006a00b00057004f, 0x00ad000e009a00b6, 0x00a200e400880005, 0x003f001f00b90080}, - {0x00b9004000a60092, 0x0075008a00fc003e, 0x008b00c40017000f, 0x000700a800df0025}, - {0x00fd0003002400d7, 0x00c100e900ae00a9, 0x0074005900720011, 0x00f400ff003b00be}, - {0x001100ee007d00dc, 0x002f0087007900e4, 0x0094008b00310033, 0x0080005300550071}, - {0x003b00a1004000dd, 0x00b6002500fb00db, 0x0061003a00a60055, 0x0035008b009600c5}, - {0x008400d3008f0045, 0x00ed00d200020007, 0x0071002500f300ff, 0x00bc008700590049}, - {0x00e6002200b5000b, 0x001500d300c90056, 0x00ec00a10010001c, 0x008800ee002c0031}, - {0x0096003b00b90001, 0x0091001a00c1002c, 0x005500df00600024, 0x00a9000f00260059}, - {0x001c004200780098, 0x0057008500c20040, 0x00ab00ed005d006c, 0x007e003400c10016}, - {0x00ac00b700d9004e, 0x00f200aa00e1000c, 0x005300a800d300b4, 0x000e009e000f0087}, - {0x002c00db003e000a, 0x008b00f100ce0046, 0x00fb00b300d000c1, 0x00f500fc001a00b5}, - {0x002000c800b80099, 0x0040008d006d002f, 0x0080000700da005e, 0x001d000e00a900bc}, - {0x000300ef005500d6, 0x006000ac007200df, 0x009c002400e600e2, 0x006a00f400910011}, - {0x00c100fb00fc0044, 0x0050007d00db00ce, 0x00a100ad006e003b, 0x0065004000640017}, - {0x00be0047006e0093, 0x007800e8000e00b8, 0x00a3008f0079004d, 0x000d004a002400b7}, - {0x00d6009800dd004f, 0x0044004e00450092, 
0x0093000a000b00d7, 0x004f0099000100dc}, - {0x001a0025008a0092, 0x006600ba007d00f1, 0x00290078003a0064, 0x00fc0086006000c3}, - {0x003300a0002c00d7, 0x005500fd00740064, 0x00ff001a009c00ac, 0x001c002e00b900e9}, - {0x004d0089000800dc, 0x00f10088009d00c3, 0x00e000b8006f00e9, 0x00f700d100df005a}, - {0x009100b6007500dd, 0x000700660050008b, 0x00f50073007f0026, 0x003a0082003b0046}, - {0x0037008100350045, 0x008a00a4001e0008, 0x0010006e001f006a, 0x00d400090055003c}, - {0x00a7005c00ba000b, 0x00cf007b0043008f, 0x009d00f2004200be, 0x00ca008e00960034}, - {0x00240055000f0001, 0x00260064003b00c1, 0x00b9002c009100df, 0x001a0060005900a9}, - {0x00e900e500b60098, 0x0035002b002a0061, 0x00fe00cd0041007c, 0x009e006f002c00c6}, - {0x007400a500ce004e, 0x00a1005800c6007f, 0x00f80035009b0084, 0x00e5005b00260019}, - {0x006000a60017000a, 0x007f003a006e00d0, 0x00a80061007d0091, 0x003800c500c1008a}, - {0x0005004800290099, 0x00ce009d00510017, 0x007b00b6001300ae, 0x00f30039000f00d8}, - {0x005e00e9009100d6, 0x00a900a000f40055, 0x001c003b006a00ef, 0x00740037001a0003}, - {0x00df003a00c40044, 0x0073007800ad00b3, 0x003d00290061002c, 0x00b500c300a90050}, - {0x0067001800380093, 0x00c40022005a0082, 0x000200f1005b0074, 0x00890083009100bb}, - {0x002e00230056004f, 0x00a6009700d400f2, 0x0030003800c7009c, 0x003400c900640081}, - {0x00550061008b0092, 0x00f5002900a100fb, 0x00ba003d00a800b9, 0x0021005000240015}, - {0x00d700d6000100d7, 0x000100d700d60001, 0x00d6000100d700d6, 0x00d700d6000100d7}, - {0x00ae000d002d00dc, 0x008f001900680075, 0x001f000c00c80067, 0x007000f80060000e}, - {0x005900c5002500dd, 0x004600c3001700b5, 0x00150050008a00a9, 0x00fb002900b9003d}, - {0x00f4002a00500045, 0x0065001600aa00a1, 0x00e500e7001b00e6, 0x00e800ab00df0004}, - {0x006c00d10065000b, 0x00d9008000f6006b, 0x008d00d0005a0037, 0x007700a2003b00c0} -}; -static const __m256i alpha_ij256_3[89] = { - {0x0025009c004e0027, 0x006a00350094004a, 0x00ee007700b500d4, 0x00460023009f00c1}, - {0x0065005e00990061, 0x00fd0078001e0089, 0x00fe00b1006b00d3, 
0x00d90071005b00df}, - {0x00d0001a00440086, 0x003b00ed003e00ce, 0x00b80017006600c5, 0x00a80015002100a9}, - {0x00a80084004f00b8, 0x00e600e400490052, 0x00e3007b00fc00c6, 0x008200a500950096}, - {0x009600ff00d70091, 0x001c006400ae0037, 0x00ac00ef005900a7, 0x002c00eb00f40024}, - {0x00c3005900dd0007, 0x002c00fb003d008a, 0x003a000800ad00cf, 0x0027000c00750026}, - {0x00ad00e9000b00f5, 0x0003002d00e80010, 0x0028009f0035009d, 0x00e7008900c200b9}, - {0x002700030098003a, 0x00be00ba008c00d4, 0x00af00e100e700ca, 0x00170076001f001a}, - {0x002f00b9000a00b5, 0x001a00d9007f0078, 0x001500b800c5003e, 0x00db00fc00730055}, - {0x001a00e200d6000f, 0x004d00a90033007c, 0x003700ff00910072, 0x002400ef00a70064}, - {0x0015002e009300d0, 0x003700f100630049, 0x007a002b00a600c8, 0x002d008000d8002c}, - {0x00db009100920015, 0x002400f200380057, 0x002d00400036008b, 0x0061005000b50060}, - {0x00f2001c00dc00f1, 0x007400ad00160048, 0x00de008c002500c9, 0x003e002200fe000f}, - {0x003600eb004500a6, 0x0005002500ea001d, 0x0034005b0078005f, 0x00bf005200da003b}, - {0x006000260001002c, 0x00df000f00b900c1, 0x005500a9003b001a, 0x0059006400960091}, - {0x00610005004e002d, 0x002e003e004300d3, 0x003200ab00bf009a, 0x000800b000480059}, - {0x004400d60099000a, 0x00d70092004f0093, 0x000b004500dd00dc, 0x000a004e00980001}, - {0x0021003b0044006b, 0x0059008200f100e4, 0x000c003a00cf003d, 0x008600e700a100c1}, - {0x00f10072004f00ed, 0x006c00f500790019, 0x00bc001400270013, 0x0029008500bd00df}, - {0x005900ae00d70055, 0x009c0026006c00f4, 0x007c00e2000f00a0, 0x006400ff007200a9}, - {0x00cf002400dd00c4, 0x000f0050002700cd, 0x0073002100ed00d9, 0x007d008a00380096}, - {0x000c0020000b00c3, 0x007c00b600bc008c, 0x00e000310073009e, 0x0025001300830024}, - {0x00a1006a00980036, 0x007200b800bd00b1, 0x00830012003800ab, 0x006b006f00940026}, - {0x0086000f000a000c, 0x006400b3002900c5, 0x002500cd007d0056, 0x00b800d0006b00b9}, - {0x00a9006700d600b9, 0x00eb0059003700e6, 0x00fd00a000600020, 0x00960072002e001a}, - {0x00b3004d009300b6, 0x00b400360009008d, 
0x009700430065009f, 0x003d007000e30055}, - {0x00a6009600920066, 0x00b90027004000fb, 0x00fc0015003e007f, 0x00750036008a0064}, - {0x007d00ef00dc0073, 0x0011006500ee004c, 0x0079009500e40085, 0x002f00d40087002c}, - {0x008f006c00450082, 0x008400ce00d30028, 0x00020090000700e5, 0x00ed00fe00d20060}, - {0x00b9006000010024, 0x00960055003b00df, 0x00c10026002c0059, 0x009100a9001a000f}, - {0x00d900be004e0008, 0x00ac005700b700cc, 0x00e10069000c00d8, 0x00f2006200aa003b}, - {0x00b8001100990025, 0x0020003d00c800c6, 0x006d0022002f004a, 0x0040007a008d0091}, - {0x00fc00a90044002f, 0x00c100cd00fb0038, 0x00db00a800ce0078, 0x00500075007d0059}, - {0x00dd00d7004f0044, 0x00d6000a0098000b, 0x004500dc00920093, 0x00440099004e0001}, - {0x002c00a700d700a9, 0x003300df00a000b4, 0x007400f4006400e6, 0x0055007c00fd00c1}, - {0x0075002c00dd00fc, 0x0091001700b600ba, 0x0050002d008b0038, 0x000700bf006600df}, - {0x00ba00b4000b0038, 0x00a700fc005c0071, 0x0043006f008f00b0, 0x00cf00a2007b00a9}, - {0x00b600a0009800fb, 0x00e900a600e5005c, 0x002a000d00610018, 0x00350002002b0096}, - {0x001700df000a00cd, 0x006000cf00a600fc, 0x006e002900d0002f, 0x007f0046003a0024}, - {0x0091003300d600c1, 0x005e006000e900a7, 0x00f400ae00550067, 0x00a900e200a00026}, - {0x003800e600930078, 0x0067002f001800b0, 0x005a00f3008200aa, 0x00c4002a002200b9}, - {0x008b0064009200ce, 0x005500d00061008f, 0x00a1007500fb0082, 0x00f500570029001a}, - {0x002d00f400dc00a8, 0x00ae0029000d006f, 0x0068005f007500f3, 0x008f00cb00190055}, - {0x00500074004500db, 0x00f4006e002a0043, 0x00aa006800a1005a, 0x0065001800160064}, - {0x00df00c100010059, 0x00260024009600a9, 0x00640055001a00b9, 0x003b000f0060002c}, - {0x006600fd004e007d, 0x00a0003a002b007b, 0x0016001900290022, 0x00fc00ec001e0060}, - {0x00bf007c00990075, 0x00e20046000200a2, 0x001800cb0057002a, 0x00c300e500ec000f}, - {0x0007005500440050, 0x00a9007f003500cf, 0x0065008f00f500c4, 0x003a00c300fc003b}, - {0x00fb0037004f007f, 0x00ff0066003c0018, 0x00f800c2002d0012, 0x00ba001d00f90091}, - {0x002600ac00d7003b, 
0x00ef0091007c00be, 0x00e6006700b90074, 0x001a00a000200059}, - {0x000a000100dd0092, 0x000100dd00920044, 0x00dd00920044000a, 0x00920044000a0001}, - {0x007f009c000b006e, 0x006a007d00410042, 0x001b00c800a8005b, 0x003800a400af00c1}, - {0x00c5005e00980056, 0x00fd000c007a00e3, 0x004a0016006e006d, 0x003600c8005400df}, - {0x0073001a000a00ad, 0x003b006100cd00f2, 0x00e7000c003d00f1, 0x00b5007d005700a9}, - {0x0064008400d60060, 0x00e6001a0005006c, 0x0033005e002600ef, 0x00df009c00eb0096}, - {0x00f500ff009300a1, 0x001c00a800fe009d, 0x00e5001f00ba0002, 0x002100d300060024}, - {0x00cd0059009200d9, 0x002c00c40066002f, 0x00f200e4008600b5, 0x006e001700650026}, - {0x004600e900dc0017, 0x0003008a00c60034, 0x0004000e001500bb, 0x00fb00e300c700b9}, - {0x006b0003004500bf, 0x00be004000700054, 0x009f00b000c40097, 0x000c000900c6001a}, - {0x003b00b900010064, 0x001a00c1002c0096, 0x00df006000240091, 0x000f002600590055}, - {0x00e400e2004e003d, 0x004d006b00c9009b, 0x00da00ca00cd0053, 0x00c500de00020064}, - {0x0082002e00990040, 0x003700c5006f008e, 0x00ab00f800500083, 0x00b300bd0023002c}, - {0x003d009100440035, 0x002400bf00860025, 0x008a007300d90027, 0x005600e400b60060}, - {0x003a001c004f0065, 0x00740038009e00ca, 0x00e8007000210089, 0x00cd00e00042000f}, - {0x00c100eb00d7001a, 0x0005002c00ff0067, 0x00a000e90096007c, 0x00b9006c0037003b}, - {0x00e7002600dd0021, 0x00df008f00f20029, 0x00860027008a00e4, 0x00d000b500f50091}, - {0x00ed0005000b00b3, 0x002e00a100d80095, 0x0054001e003a008d, 0x00e400e100ea0059}, - {0x009200d6009800dd, 0x00d70044004e0045, 0x00dc0093000a000b, 0x00dd004f00990001}, - {0x0057003b000a008b, 0x0059001500650008, 0x00f500bf00b6008f, 0x00ad00c4003e00c1}, - {0x0024007200d60026, 0x006c00960067006a, 0x00b400a700a900be, 0x00c100f400e600df}, - {0x004000ae00930046, 0x009c00560052003c, 0x005f001b00db0034, 0x00b600ea005300a9}, - {0x00b50024009200e7, 0x000f0008006e003e, 0x00d0002500560029, 0x0015002f00ad0096}, - {0x0078002000dc003e, 0x007c00b5001200aa, 0x004900f0004000a5, 0x005700f800770024}, - 
{0x003e006a00450029, 0x007200e7008000a5, 0x00c800ec0046007a, 0x008b006300e10026}, - {0x0055000f00010096, 0x0064003b00c10024, 0x002c009100df0026, 0x0060005900a900b9}, - {0x006e0067004e00f2, 0x00eb007300bb0080, 0x0030005100b8005d, 0x007800040031001a}, - {0x008a004d009900cf, 0x00b40007007600ee, 0x00ca00d800f100af, 0x0066008c00900055}, - {0x000800960044008f, 0x00b9008b007300e7, 0x00ed003500c30021, 0x00f100d9002d0064}, - {0x003500ef004f00ba, 0x00110075008d00c7, 0x00d100d30008004b, 0x008a0054005f002c}, - {0x000f006c00d700df, 0x008400b900eb0072, 0x00a7003300c100ac, 0x002600ae00670060}, - {0x00ce006000dd00c5, 0x00960086002d0082, 0x003600fc007f0040, 0x00a1008b00e4000f}, - {0x002900be000b00e4, 0x00ac0021005d007a, 0x009400b200170023, 0x00ce00300070003b}, - {0x00c4001100980057, 0x002000db007100e8, 0x00d3008e00b300fe, 0x0073001e001b0091}, - {0x005600a9000a008a, 0x00c100c300b80046, 0x006600b500f20017, 0x00a600c500350059}, - {0x000100d700d60001, 0x00d6000100d700d6, 0x00d700d6000100d7, 0x000100d700d60001}, - {0x002500a700930027, 0x00330035005100ec, 0x00f9008500b500b2, 0x0046009b005c00c1}, - {0x0065002c00920061, 0x0091007800cf0073, 0x000800b3006b00ad, 0x00d9003a00db00df}, - {0x00d000b400dc0086, 0x00a700ed003000c8, 0x002300f900660094, 0x00a8005d000900a9}, - {0x00a800a0004500b8, 0x00e900e400c200f3, 0x00a3000400fc00f0, 0x0082008800130096} -}; -static const __m256i alpha_ij256_4[89] = { - {0x0014000a0005008c, 0x005d00a000500028, 0x00000000006900ba, 0x0000000000000000}, - {0x000d004400110043, 0x0081006700d00034, 0x0000000000f8003e, 0x0000000000000000}, - {0x00e4009200550029, 0x00fc009100bf0073, 0x0000000000f100b3, 0x0000000000000000}, - {0x005100dd001c00c8, 0x001200ac00c30079, 0x0000000000f7003d, 0x0000000000000000}, - {0x00200001006c00e9, 0x000300b400260074, 0x00000000009c0060, 0x0000000000000000}, - {0x00ba000a00c10035, 0x00e7000f002f00a1, 0x0000000000b6007f, 0x0000000000000000}, - {0x00bd004400e200fe, 0x009e002e00c500f8, 0x0000000000aa00a8, 0x0000000000000000}, - {0x00d10092004d009e, 
0x0019003700db00e5, 0x0000000000a20038, 0x0000000000000000}, - {0x00f200dd0064006e, 0x0036002c00f5008a, 0x0000000000cd0008, 0x0000000000000000}, - {0x0074000100e900eb, 0x0005006a006000b4, 0x00000000005e00b9, 0x0000000000000000}, - {0x00de000a006a0030, 0x003400e2006b00ca, 0x00000000008500ed, 0x0000000000000000}, - {0x003e004400df0078, 0x00bf005500210066, 0x00000000006e00f1, 0x0000000000000000}, - {0x003f0092008400cc, 0x002b00a70082004b, 0x0000000000fa00f5, 0x0000000000000000}, - {0x002b00dd00ae00e3, 0x005a002000cf00f7, 0x0000000000230027, 0x0000000000000000}, - {0x00260001002c0024, 0x000f00b900c10060, 0x00000000001a00df, 0x0000000000000000}, - {0x00c2000a009c005a, 0x005c007c008600bb, 0x0000000000630029, 0x0000000000000000}, - {0x0093004400d60099, 0x00dc00d70092004f, 0x00000000004500dd, 0x0000000000000000}, - {0x00b3009200a900ed, 0x007d002400a60057, 0x00000000008f0040, 0x0000000000000000}, - {0x000900dd0037003f, 0x00ee0003004000b0, 0x0000000000d300a1, 0x0000000000000000}, - {0x00b4000100eb00ef, 0x001100fd00b9006a, 0x000000000084003b, 0x0000000000000000}, - {0x0065000a0060003a, 0x00e400a9003e00b6, 0x00000000000700db, 0x0000000000000000}, - {0x0097004400fd0069, 0x007900ae00fc009a, 0x00000000000200fb, 0x0000000000000000}, - {0x00e30092002e0068, 0x008700e9008a000e, 0x0000000000d20025, 0x0000000000000000}, - {0x003d00dd009600e4, 0x002f00c1007500ad, 0x0000000000ed00b6, 0x0000000000000000}, - {0x0003000100f400a7, 0x00330011000f0005, 0x0000000000ff0055, 0x0000000000000000}, - {0x003c000a0003008e, 0x0031007200170088, 0x0000000000f300a6, 0x0000000000000000}, - {0x00170044000f0046, 0x008b005900c400e4, 0x000000000025003a, 0x0000000000000000}, - {0x00310092003300af, 0x00940074008b00a2, 0x0000000000710061, 0x0000000000000000}, - {0x00f300dd00ff009a, 0x007100be00250080, 0x00000000004900c5, 0x0000000000000000}, - {0x0060000100240064, 0x0055003b00df00b9, 0x0000000000590096, 0x0000000000000000}, - {0x00d3000a00b400fa, 0x005300ff00a8001f, 0x000000000087008b, 0x0000000000000000}, - 
{0x00da0044005e0094, 0x008000f40007003f, 0x0000000000bc0035, 0x0000000000000000}, - {0x006e0092003b007f, 0x00a1006000ad0056, 0x00000000001700d9, 0x0000000000000000}, - {0x000b00dd00d7004f, 0x009300d6000a0098, 0x0000000000dc0092, 0x0000000000000000}, - {0x009c000100ac0037, 0x00ff0084001a005e, 0x0000000000e90059, 0x0000000000000000}, - {0x007f000a002600fb, 0x00f50064007300c5, 0x00000000004600cd, 0x0000000000000000}, - {0x0042004400be0018, 0x009d006c00f200e3, 0x000000000034002f, 0x0000000000000000}, - {0x00410092007c003c, 0x00fe000500cd007a, 0x0000000000c60066, 0x0000000000000000}, - {0x007d00dd00910066, 0x00a8001a0061000c, 0x00000000008a00c4, 0x0000000000000000}, - {0x006a000100ef00ff, 0x001c00e6003b00fd, 0x000000000003002c, 0x0000000000000000}, - {0x005b000a00740012, 0x000200ef00f1006d, 0x0000000000bb00b5, 0x0000000000000000}, - {0x00a8004400b9002d, 0x00ba0026003d006e, 0x0000000000150086, 0x0000000000000000}, - {0x00c80092006700c2, 0x001f005e000c0016, 0x00000000000e00e4, 0x0000000000000000}, - {0x001b00dd00e600f8, 0x00e5003300e7004a, 0x00000000000400f2, 0x0000000000000000}, - {0x00c1000100590091, 0x0024009600a900df, 0x0000000000b90026, 0x0000000000000000}, - {0x00af000a002000f9, 0x000600eb00570054, 0x0000000000c70065, 0x0000000000000000}, - {0x00a4004400a0001d, 0x00d3009c007d00c8, 0x0000000000e30017, 0x0000000000000000}, - {0x00380092001a00ba, 0x002100df00b50036, 0x0000000000fb006e, 0x0000000000000000}, - {0x004700dd00720034, 0x0032004d00d90023, 0x00000000004a007d, 0x0000000000000000}, - {0x0005000100a70072, 0x006c001c00550011, 0x0000000000e200c1, 0x0000000000000000}, - {0x0044000a000100dd, 0x000a000100dd0092, 0x0000000000920044, 0x0000000000000000}, - {0x0039004400050047, 0x006800a000080053, 0x0000000000b20073, 0x0000000000000000}, - {0x0053009200110023, 0x0063006700ba0010, 0x00000000001300c3, 0x0000000000000000}, - {0x000800dd005500d9, 0x0056009100ce00ba, 0x000000000065002d, 0x0000000000000000}, - {0x00a00001001c004d, 0x00b400ac00910067, 0x00000000002e000f, 
0x0000000000000000}, - {0x0068000a006c0032, 0x001e00b400560063, 0x0000000000a500b8, 0x0000000000000000}, - {0x0073004400c1007d, 0x00b8000f002d00c3, 0x0000000000cf0057, 0x0000000000000000}, - {0x00b2009200e2004a, 0x00a5002e00650013, 0x00000000008c00cf, 0x0000000000000000}, - {0x001d00dd004d00b1, 0x00fa0037006600c2, 0x0000000000680046, 0x0000000000000000}, - {0x00b90001006400a9, 0x00c1002c0096003b, 0x000000000091001a, 0x0000000000000000}, - {0x0081000a00e90095, 0x0022006a00fb00f6, 0x00000000000900bf, 0x0000000000000000}, - {0x00c60044006a00f3, 0x00d500e200270048, 0x0000000000060056, 0x0000000000000000}, - {0x00c3009200df000c, 0x00f20055007f008f, 0x00000000006b0075, 0x0000000000000000}, - {0x008700dd0084001e, 0x001300a70015003c, 0x00000000002a0078, 0x0000000000000000}, - {0x00be000100ae0033, 0x005e00200064002e, 0x00000000001c00a9, 0x0000000000000000}, - {0x00ed000a002c00f1, 0x006600b9003600c4, 0x0000000000080082, 0x0000000000000000}, - {0x00e50044009c0009, 0x0062007c004600cb, 0x00000000006f0036, 0x0000000000000000}, - {0x0045009200d60098, 0x000b00d70044004e, 0x000000000093000a, 0x0000000000000000}, - {0x002d00dd00a90061, 0x0035002400e4007f, 0x0000000000db00d0, 0x0000000000000000}, - {0x005e00010037007c, 0x00e2000300590084, 0x0000000000eb0091, 0x0000000000000000}, - {0x00ec000a00eb00c6, 0x00aa00fd003a0019, 0x000000000094008a, 0x0000000000000000}, - {0x00f10044006000f2, 0x00a600a900a100cf, 0x0000000000d9008f, 0x0000000000000000}, - {0x0048009200fd0080, 0x001d00ae00ed00ee, 0x00000000003900e7, 0x0000000000000000}, - {0x00c900dd002e005d, 0x005f00e900b300af, 0x0000000000790021, 0x0000000000000000}, - {0x000f00010096001a, 0x003b00c100240055, 0x0000000000260064, 0x0000000000000000}, - {0x00cc000a00f40039, 0x00e30011008f00e0, 0x0000000000ca00ad, 0x0000000000000000}, - {0x004b0044000300e0, 0x00f7007200780002, 0x00000000005c0050, 0x0000000000000000}, - {0x00f50092000f00ad, 0x0027005900b80050, 0x00000000005700ce, 0x0000000000000000}, - {0x001800dd0033009f, 0x00e10074006e0068, 
0x00000000008300fc, 0x0000000000000000},
- {0x00fd000100ff00e2, 0x004d00be002c00e6, 0x0000000000050024, 0x0000000000000000},
- {0x00b8000a002400a8, 0x0038003b003500f2, 0x0000000000d0000c, 0x0000000000000000},
- {0x0095004400b40019, 0x000400ff00b600e8, 0x00000000003f006b, 0x0000000000000000},
- {0x00cb0092005e00b0, 0x006900f40029005f, 0x0000000000120015, 0x0000000000000000},
- {0x002700dd003b0025, 0x003e0060003800ed, 0x00000000000c0007, 0x0000000000000000},
- {0x00d6000100d700d6, 0x00d700d6000100d7, 0x0000000000d60001, 0x0000000000000000},
- {0x009e000a00ac00da, 0x0048008400500009, 0x00000000005400ba, 0x0000000000000000},
- {0x00570044002600c4, 0x000c006400d00075, 0x000000000038003e, 0x0000000000000000},
- {0x0058009200be00f7, 0x00bb006c00bf0089, 0x00000000001000b3, 0x0000000000000000},
- {0x009400dd007c0006, 0x0042000500c300cc, 0x0000000000de003d, 0x0000000000000000}
-};
-
-
-/**
- * @brief Encodes a message message of PARAM_K bits to a Reed-Solomon codeword codeword of PARAM_N1 bytes
- *
- * Following @cite lin1983error (Chapter 4 - Cyclic Codes),
- * We perform a systematic encoding using a linear (PARAM_N1 - PARAM_K)-stage shift register
- * with feedback connections based on the generator polynomial PARAM_RS_POLY of the Reed-Solomon code.
- *
- * @param[out] cdw Array of size VEC_N1_SIZE_64 receiving the encoded message
- * @param[in] msg Array of size VEC_K_SIZE_64 storing the message
- */
-void PQCLEAN_HQCRMRS256_AVX2_reed_solomon_encode(uint8_t *cdw, const uint8_t *msg) {
- size_t i, k;
- uint8_t gate_value = 0;
- uint8_t prev, x;
-
- union {
- uint16_t arr16[16 * CEIL_DIVIDE(PARAM_G, 16)];
- __m256i dummy;
- } tmp = {0};
-
- union {
- uint16_t arr16[16 * CEIL_DIVIDE(PARAM_G, 16)];
- __m256i dummy;
- } PARAM_RS_POLY = {{ RS_POLY_COEFS }};
-
- __m256i *tmp256 = (__m256i *)tmp.arr16;
- __m256i *param256 = (__m256i *)PARAM_RS_POLY.arr16;
-
- for (i = 0; i < PARAM_K; ++i) {
- gate_value = (uint8_t) (msg[PARAM_K - 1 - i] ^ cdw[PARAM_N1 - PARAM_K - 1]);
- _mm256_storeu_si256(&tmp256[0], PQCLEAN_HQCRMRS256_AVX2_gf_mul_vect(_mm256_set1_epi16(gate_value), param256[0]));
- _mm256_storeu_si256(&tmp256[1], PQCLEAN_HQCRMRS256_AVX2_gf_mul_vect(_mm256_set1_epi16(gate_value), param256[1]));
- _mm256_storeu_si256(&tmp256[2], PQCLEAN_HQCRMRS256_AVX2_gf_mul_vect(_mm256_set1_epi16(gate_value), param256[2]));
- _mm256_storeu_si256(&tmp256[3], PQCLEAN_HQCRMRS256_AVX2_gf_mul_vect(_mm256_set1_epi16(gate_value), param256[3]));
-
- prev = 0;
- for (k = 0; k < PARAM_N1 - PARAM_K; k++) {
- x = cdw[k];
- cdw[k] = (uint8_t) (prev ^ tmp.arr16[k]);
- prev = x;
- }
- }
-
- memcpy(cdw + PARAM_N1 - PARAM_K, msg, PARAM_K);
-}
-
-
-
-/**
- * @brief Computes 2 * PARAM_DELTA syndromes
- *
- * @param[out] syndromes Array of size 2 * PARAM_DELTA receiving the computed syndromes
- * @param[in] cdw Array of size PARAM_N1 storing the received vector
- */
-void compute_syndromes(uint16_t *syndromes, uint8_t *cdw) {
- __m256i *syndromes256 = (__m256i *) syndromes;
- __m256i last_syndromes256;
- syndromes256[0] = _mm256_set1_epi16(cdw[0]);
-
- for (size_t i = 0; i < PARAM_N1 - 1; ++i) {
- syndromes256[0] ^= PQCLEAN_HQCRMRS256_AVX2_gf_mul_vect(_mm256_set1_epi16(cdw[i + 1]), alpha_ij256_1[i]);
- }
-
- syndromes256[1] =
_mm256_set1_epi16(cdw[0]); - for (size_t i = 0; i < PARAM_N1 - 1; ++i) { - syndromes256[1] ^= PQCLEAN_HQCRMRS256_AVX2_gf_mul_vect(_mm256_set1_epi16(cdw[i + 1]), alpha_ij256_2[i]); - } - - syndromes256[2] = _mm256_set1_epi16(cdw[0]); - for (size_t i = 0; i < PARAM_N1 - 1; ++i) { - syndromes256[2] ^= PQCLEAN_HQCRMRS256_AVX2_gf_mul_vect(_mm256_set1_epi16(cdw[i + 1]), alpha_ij256_3[i]); - } - - last_syndromes256 = _mm256_set1_epi16(cdw[0]); - for (size_t i = 0; i < PARAM_N1 - 1; ++i) { - last_syndromes256 ^= PQCLEAN_HQCRMRS256_AVX2_gf_mul_vect(_mm256_set1_epi16(cdw[i + 1]), alpha_ij256_4[i]); - } - - __m128i *s128 = (__m128i *) &last_syndromes256; - _mm_store_si128((__m128i *) (syndromes + 48), *s128); - - uint32_t *s12 = (uint32_t *) (syndromes + 56); - uint32_t *s32 = ((uint32_t *) &last_syndromes256) + 4; - s12[0] = *s32; -} - - - -/** - * @brief Computes the error locator polynomial (ELP) sigma - * - * This is a constant time implementation of Berlekamp's simplified algorithm (see @cite lin1983error (Chapter 6 - BCH Codes).
- * We use the letter p for rho which is initialized at -1.
- * The array X_sigma_p represents the polynomial X^(mu-rho)*sigma_p(X).
- * Instead of maintaining a list of sigmas, we update in place both sigma and X_sigma_p.
- * sigma_copy serves as a temporary save of sigma in case X_sigma_p needs to be updated.
- * We can properly correct only if the degree of sigma does not exceed PARAM_DELTA. - * This means only the first PARAM_DELTA + 1 coefficients of sigma are of value - * and we only need to save its first PARAM_DELTA - 1 coefficients. - * - * @returns the degree of the ELP sigma - * @param[out] sigma Array of size (at least) PARAM_DELTA receiving the ELP - * @param[in] syndromes Array of size (at least) 2*PARAM_DELTA storing the syndromes - */ -static uint16_t compute_elp(uint16_t *sigma, const uint16_t *syndromes) { - uint16_t deg_sigma = 0; - uint16_t deg_sigma_p = 0; - uint16_t deg_sigma_copy = 0; - uint16_t sigma_copy[PARAM_DELTA + 1] = {0}; - uint16_t X_sigma_p[PARAM_DELTA + 1] = {0, 1}; - uint16_t pp = (uint16_t) -1; // 2*rho - uint16_t d_p = 1; - uint16_t d = syndromes[0]; - - uint16_t mask1, mask2, mask12; - uint16_t deg_X, deg_X_sigma_p; - uint16_t dd; - uint16_t mu; - - uint16_t i; - - sigma[0] = 1; - for (mu = 0; (mu < (2 * PARAM_DELTA)); ++mu) { - // Save sigma in case we need it to update X_sigma_p - memcpy(sigma_copy, sigma, 2 * (PARAM_DELTA)); - deg_sigma_copy = deg_sigma; - - dd = PQCLEAN_HQCRMRS256_AVX2_gf_mul(d, PQCLEAN_HQCRMRS256_AVX2_gf_inverse(d_p)); - - for (i = 1; (i <= mu + 1) && (i <= PARAM_DELTA); ++i) { - sigma[i] ^= PQCLEAN_HQCRMRS256_AVX2_gf_mul(dd, X_sigma_p[i]); - } - - deg_X = mu - pp; - deg_X_sigma_p = deg_X + deg_sigma_p; - - // mask1 = 0xffff if(d != 0) and 0 otherwise - mask1 = -((uint16_t) - d >> 15); - - // mask2 = 0xffff if(deg_X_sigma_p > deg_sigma) and 0 otherwise - mask2 = -((uint16_t) (deg_sigma - deg_X_sigma_p) >> 15); - - // mask12 = 0xffff if the deg_sigma increased and 0 otherwise - mask12 = mask1 & mask2; - deg_sigma ^= mask12 & (deg_X_sigma_p ^ deg_sigma); - - if (mu == (2 * PARAM_DELTA - 1)) { - break; - } - - pp ^= mask12 & (mu ^ pp); - d_p ^= mask12 & (d ^ d_p); - for (i = PARAM_DELTA; i; --i) { - X_sigma_p[i] = (mask12 & sigma_copy[i - 1]) ^ (~mask12 & X_sigma_p[i - 1]); - } - - deg_sigma_p ^= mask12 & 
(deg_sigma_copy ^ deg_sigma_p); - d = syndromes[mu + 1]; - - for (i = 1; (i <= mu + 1) && (i <= PARAM_DELTA); ++i) { - d ^= PQCLEAN_HQCRMRS256_AVX2_gf_mul(sigma[i], syndromes[mu + 1 - i]); - } - } - - return deg_sigma; -} - - - -/** - * @brief Computes the error polynomial error from the error locator polynomial sigma - * - * See function PQCLEAN_HQCRMRS256_AVX2_fft for more details. - * - * @param[out] error Array of 2^PARAM_M elements receiving the error polynomial - * @param[out] error_compact Array of PARAM_DELTA + PARAM_N1 elements receiving a compact representation of the vector error - * @param[in] sigma Array of 2^PARAM_FFT elements storing the error locator polynomial - */ -static void compute_roots(uint8_t *error, uint16_t *sigma) { - uint16_t w[1 << PARAM_M] = {0}; - - PQCLEAN_HQCRMRS256_AVX2_fft(w, sigma, PARAM_DELTA + 1); - PQCLEAN_HQCRMRS256_AVX2_fft_retrieve_error_poly(error, w); -} - - - -/** - * @brief Computes the polynomial z(x) - * - * See @cite lin1983error (Chapter 6 - BCH Codes) for more details. 
- * - * @param[out] z Array of PARAM_DELTA + 1 elements receiving the polynomial z(x) - * @param[in] sigma Array of 2^PARAM_FFT elements storing the error locator polynomial - * @param[in] degree Integer that is the degree of polynomial sigma - * @param[in] syndromes Array of 2 * PARAM_DELTA storing the syndromes - */ -static void compute_z_poly(uint16_t *z, const uint16_t *sigma, uint16_t degree, const uint16_t *syndromes) { - size_t i, j; - uint16_t mask; - - z[0] = 1; - - for (i = 1; i < PARAM_DELTA + 1; ++i) { - mask = -((uint16_t) (i - degree - 1) >> 15); - z[i] = mask & sigma[i]; - } - - z[1] ^= syndromes[0]; - - for (i = 2; i <= PARAM_DELTA; ++i) { - mask = -((uint16_t) (i - degree - 1) >> 15); - z[i] ^= mask & syndromes[i - 1]; - - for (j = 1; j < i; ++j) { - z[i] ^= mask & PQCLEAN_HQCRMRS256_AVX2_gf_mul(sigma[j], syndromes[i - j - 1]); - } - } -} - - - -/** - * @brief Computes the error values - * - * See @cite lin1983error (Chapter 6 - BCH Codes) for more details. - * - * @param[out] error_values Array of PARAM_DELTA elements receiving the error values - * @param[in] z Array of PARAM_DELTA + 1 elements storing the polynomial z(x) - * @param[in] z_degree Integer that is the degree of polynomial z(x) - * @param[in] error_compact Array of PARAM_DELTA + PARAM_N1 storing compact representation of the error - */ -static void compute_error_values(uint16_t *error_values, const uint16_t *z, const uint8_t *error) { - uint16_t beta_j[PARAM_DELTA] = {0}; - uint16_t e_j[PARAM_DELTA] = {0}; - - uint16_t delta_counter; - uint16_t delta_real_value; - uint16_t found; - uint16_t mask1; - uint16_t mask2; - uint16_t tmp1; - uint16_t tmp2; - uint16_t inverse; - uint16_t inverse_power_j; - - // Compute the beta_{j_i} page 31 of the documentation - delta_counter = 0; - for (size_t i = 0; i < PARAM_N1; i++) { - found = 0; - mask1 = (uint16_t) (-((int32_t)error[i]) >> 31); // error[i] != 0 - for (size_t j = 0; j < PARAM_DELTA; j++) { - mask2 = ~((uint16_t) (-((int32_t) j ^ 
delta_counter) >> 31)); // j == delta_counter - beta_j[j] += mask1 & mask2 & gf_exp[i]; - found += mask1 & mask2 & 1; - } - delta_counter += found; - } - delta_real_value = delta_counter; - - // Compute the e_{j_i} page 31 of the documentation - for (size_t i = 0; i < PARAM_DELTA; ++i) { - tmp1 = 1; - tmp2 = 1; - inverse = PQCLEAN_HQCRMRS256_AVX2_gf_inverse(beta_j[i]); - inverse_power_j = 1; - - for (size_t j = 1; j <= PARAM_DELTA; ++j) { - inverse_power_j = PQCLEAN_HQCRMRS256_AVX2_gf_mul(inverse_power_j, inverse); - tmp1 ^= PQCLEAN_HQCRMRS256_AVX2_gf_mul(inverse_power_j, z[j]); - } - for (size_t k = 1; k < PARAM_DELTA; ++k) { - tmp2 = PQCLEAN_HQCRMRS256_AVX2_gf_mul(tmp2, (1 ^ PQCLEAN_HQCRMRS256_AVX2_gf_mul(inverse, beta_j[(i + k) % PARAM_DELTA]))); - } - mask1 = (uint16_t) (((int16_t) i - delta_real_value) >> 15); // i < delta_real_value - e_j[i] = mask1 & PQCLEAN_HQCRMRS256_AVX2_gf_mul(tmp1, PQCLEAN_HQCRMRS256_AVX2_gf_inverse(tmp2)); - } - - // Place the delta e_{j_i} values at the right coordinates of the output vector - delta_counter = 0; - for (size_t i = 0; i < PARAM_N1; ++i) { - found = 0; - mask1 = (uint16_t) (-((int32_t)error[i]) >> 31); // error[i] != 0 - for (size_t j = 0; j < PARAM_DELTA; j++) { - mask2 = ~((uint16_t) (-((int32_t) j ^ delta_counter) >> 31)); // j == delta_counter - error_values[i] += mask1 & mask2 & e_j[j]; - found += mask1 & mask2 & 1; - } - delta_counter += found; - } -} - - - -/** - * @brief Correct the errors - * - * @param[out] cdw Array of PARAM_N1 elements receiving the corrected vector - * @param[in] error Array of the error vector - * @param[in] error_values Array of PARAM_DELTA elements storing the error values - */ -static void correct_errors(uint8_t *cdw, const uint16_t *error_values) { - for (size_t i = 0; i < PARAM_N1; ++i) { - cdw[i] ^= error_values[i]; - } -} - - - -/** - * @brief Decodes the received word - * - * This function relies on six steps: - *
    - *
  1. The first step, is the computation of the 2*PARAM_DELTA syndromes. - *
  2. The second step is the computation of the error-locator polynomial sigma. - *
  3. The third step, done by additive FFT, is finding the error-locator numbers by calculating the roots of the polynomial sigma and takings their inverses. - *
  4. The fourth step, is the polynomial z(x). - *
  5. The fifth step, is the computation of the error values. - *
  6. The sixth step is the correction of the errors in the received polynomial. - *
- * For a more complete picture on Reed-Solomon decoding, see Shu. Lin and Daniel J. Costello in Error Control Coding: Fundamentals and Applications @cite lin1983error - * - * @param[out] msg Array of size VEC_K_SIZE_64 receiving the decoded message - * @param[in] cdw Array of size VEC_N1_SIZE_64 storing the received word - */ -void PQCLEAN_HQCRMRS256_AVX2_reed_solomon_decode(uint8_t *msg, uint8_t *cdw) { - uint16_t syndromes[2 * PARAM_DELTA] = {0}; - uint16_t sigma[1 << PARAM_FFT] = {0}; - uint8_t error[1 << PARAM_M] = {0}; - uint16_t z[PARAM_N1] = {0}; - uint16_t error_values[PARAM_N1] = {0}; - uint16_t deg; - - // Calculate the 2*PARAM_DELTA syndromes - compute_syndromes(syndromes, cdw); - - // Compute the error locator polynomial sigma - // Sigma's degree is at most PARAM_DELTA but the FFT requires the extra room - deg = compute_elp(sigma, syndromes); - - // Compute the error polynomial error - compute_roots(error, sigma); - - // Compute the polynomial z(x) - compute_z_poly(z, sigma, deg, syndromes); - - // Compute the error values - compute_error_values(error_values, z, error); - - // Correct the errors - correct_errors(cdw, error_values); - - // Retrieve the message from the decoded codeword - memcpy(msg, cdw + (PARAM_G - 1), PARAM_K); - -} diff --git a/crypto_kem/hqc-rmrs-256/avx2/reed_solomon.h b/crypto_kem/hqc-rmrs-256/avx2/reed_solomon.h deleted file mode 100644 index bf9994d5..00000000 --- a/crypto_kem/hqc-rmrs-256/avx2/reed_solomon.h +++ /dev/null 
@@ -1,20 +0,0 @@ -#ifndef REED_SOLOMON_H -#define REED_SOLOMON_H - - -/** - * @file reed_solomon.h - * Header file of reed_solomon.c - */ -#include "parameters.h" -#include -#include - -static const uint16_t alpha_ij_pow [46][77] = {{2, 4, 8, 16, 32, 64, 128, 29, 58, 116, 232, 205, 135, 19, 38, 76, 152, 45, 90, 180, 117, 234, 201, 143, 3, 6, 12, 24, 48, 96, 192, 157, 39, 78, 156, 37, 74, 148, 53, 106, 212, 181, 119, 238, 193, 159, 35, 70, 140, 5, 10, 20, 40, 80, 160, 93, 186, 105, 210, 185, 111, 222, 161, 95, 190, 97, 194, 153, 47, 94, 188, 101, 202, 137, 15, 30, 60}, {4, 16, 64, 29, 116, 205, 19, 76, 45, 180, 234, 143, 6, 24, 96, 157, 78, 37, 148, 106, 181, 238, 159, 70, 5, 20, 80, 93, 105, 185, 222, 95, 97, 153, 94, 101, 137, 30, 120, 253, 211, 107, 177, 254, 223, 91, 113, 217, 67, 17, 68, 13, 52, 208, 103, 129, 62, 248, 199, 59, 236, 151, 102, 133, 46, 184, 218, 79, 33, 132, 42, 168, 154, 82, 85, 73, 57}, {8, 64, 58, 205, 38, 45, 117, 143, 12, 96, 39, 37, 53, 181, 193, 70, 10, 80, 186, 185, 161, 97, 47, 101, 15, 120, 231, 107, 127, 223, 182, 217, 134, 68, 26, 208, 206, 62, 237, 59, 197, 102, 23, 184, 169, 33, 21, 168, 41, 85, 146, 228, 115, 191, 145, 252, 179, 241, 219, 150, 196, 110, 87, 130, 100, 7, 56, 221, 166, 89, 242, 195, 86, 138, 36, 61, 245}, {16, 29, 205, 76, 180, 143, 24, 157, 37, 106, 238, 70, 20, 93, 185, 95, 153, 101, 30, 253, 107, 254, 91, 217, 17, 13, 208, 129, 248, 59, 151, 133, 184, 79, 132, 168, 82, 73, 228, 230, 198, 252, 123, 227, 150, 149, 165, 130, 200, 28, 221, 81, 121, 195, 172, 18, 61, 247, 203, 44, 250, 27, 173, 2, 32, 58, 135, 152, 117, 3, 48, 39, 74, 212, 193, 140, 40}, {32, 116, 38, 180, 3, 96, 156, 106, 193, 5, 160, 185, 190, 94, 15, 253, 214, 223, 226, 17, 26, 103, 124, 59, 51, 46, 169, 132, 77, 85, 114, 230, 145, 215, 255, 150, 55, 174, 100, 28, 167, 89, 239, 172, 36, 244, 235, 44, 233, 108, 1, 32, 116, 38, 180, 3, 96, 156, 106, 193, 5, 160, 185, 190, 94, 15, 253, 214, 223, 226, 17, 26, 103, 124, 59, 51, 46}, {64, 205, 45, 143, 
96, 37, 181, 70, 80, 185, 97, 101, 120, 107, 223, 217, 68, 208, 62, 59, 102, 184, 33, 168, 85, 228, 191, 252, 241, 150, 110, 130, 7, 221, 89, 195, 138, 61, 251, 44, 207, 173, 8, 58, 38, 117, 12, 39, 53, 193, 10, 186, 161, 47, 15, 231, 127, 182, 134, 26, 206, 237, 197, 23, 169, 21, 41, 146, 115, 145, 179, 219, 196, 87, 100, 56, 166}, {128, 19, 117, 24, 156, 181, 140, 93, 161, 94, 60, 107, 163, 67, 26, 129, 147, 102, 109, 132, 41, 57, 209, 252, 255, 98, 87, 200, 224, 89, 155, 18, 245, 11, 233, 173, 16, 232, 45, 3, 157, 53, 159, 40, 185, 194, 137, 231, 254, 226, 68, 189, 248, 197, 46, 158, 168, 170, 183, 145, 123, 75, 110, 25, 28, 166, 249, 69, 61, 235, 176, 54, 2, 29, 38, 234, 48}, {29, 76, 143, 157, 106, 70, 93, 95, 101, 253, 254, 217, 13, 129, 59, 133, 79, 168, 73, 230, 252, 227, 149, 130, 28, 81, 195, 18, 247, 44, 27, 2, 58, 152, 3, 39, 212, 140, 186, 190, 202, 231, 225, 175, 26, 31, 118, 23, 158, 77, 146, 209, 229, 219, 55, 25, 56, 162, 155, 36, 243, 88, 54, 4, 116, 45, 6, 78, 181, 5, 105, 97, 137, 211, 223, 67, 52}, {58, 45, 12, 37, 193, 80, 161, 101, 231, 223, 134, 208, 237, 102, 169, 168, 146, 191, 179, 150, 87, 7, 166, 195, 36, 251, 125, 173, 64, 38, 143, 39, 181, 10, 185, 47, 120, 127, 217, 26, 62, 197, 184, 21, 85, 115, 252, 219, 110, 100, 221, 242, 138, 245, 44, 54, 8, 205, 117, 96, 53, 70, 186, 97, 15, 107, 182, 68, 206, 59, 23, 33, 41, 228, 145, 241, 196}, {116, 180, 96, 106, 5, 185, 94, 253, 223, 17, 103, 59, 46, 132, 85, 230, 215, 150, 174, 28, 89, 172, 244, 44, 108, 32, 38, 3, 156, 193, 160, 190, 15, 214, 226, 26, 124, 51, 169, 77, 114, 145, 255, 55, 100, 167, 239, 36, 235, 233, 1, 116, 180, 96, 106, 5, 185, 94, 253, 223, 17, 103, 59, 46, 132, 85, 230, 215, 150, 174, 28, 89, 172, 244, 44, 108, 32}, {232, 234, 39, 238, 160, 97, 60, 254, 134, 103, 118, 184, 84, 57, 145, 227, 220, 7, 162, 172, 245, 176, 71, 58, 180, 192, 181, 40, 95, 15, 177, 175, 208, 147, 46, 21, 73, 99, 241, 55, 200, 166, 43, 122, 44, 216, 128, 45, 48, 106, 10, 222, 202, 107, 226, 52, 
237, 133, 66, 85, 209, 123, 196, 50, 167, 195, 144, 11, 54, 32, 76, 12, 148, 140, 185, 188, 211}, {205, 143, 37, 70, 185, 101, 107, 217, 208, 59, 184, 168, 228, 252, 150, 130, 221, 195, 61, 44, 173, 58, 117, 39, 193, 186, 47, 231, 182, 26, 237, 23, 21, 146, 145, 219, 87, 56, 242, 36, 139, 54, 64, 45, 96, 181, 80, 97, 120, 223, 68, 62, 102, 33, 85, 191, 241, 110, 7, 89, 138, 251, 207, 8, 38, 12, 53, 10, 161, 15, 127, 134, 206, 197, 169, 41, 115}, {135, 6, 53, 20, 190, 120, 163, 13, 237, 46, 84, 228, 229, 98, 100, 81, 69, 251, 131, 32, 45, 192, 238, 186, 94, 187, 217, 189, 236, 169, 82, 209, 241, 220, 28, 242, 72, 22, 173, 116, 201, 37, 140, 222, 15, 254, 34, 62, 204, 132, 146, 63, 75, 130, 167, 43, 245, 250, 4, 38, 24, 212, 80, 194, 253, 182, 52, 147, 184, 77, 183, 179, 149, 141, 89, 9, 203}, {19, 24, 181, 93, 94, 107, 67, 129, 102, 132, 57, 252, 98, 200, 89, 18, 11, 173, 232, 3, 53, 40, 194, 231, 226, 189, 197, 158, 170, 145, 75, 25, 166, 69, 235, 54, 29, 234, 37, 5, 95, 120, 91, 52, 59, 218, 82, 191, 227, 174, 221, 43, 247, 207, 32, 90, 39, 35, 111, 15, 225, 136, 237, 92, 77, 115, 246, 220, 56, 239, 122, 125, 4, 76, 96, 238, 105}, {38, 96, 193, 185, 15, 223, 26, 59, 169, 85, 145, 150, 100, 89, 36, 44, 1, 38, 96, 193, 185, 15, 223, 26, 59, 169, 85, 145, 150, 100, 89, 36, 44, 1, 38, 96, 193, 185, 15, 223, 26, 59, 169, 85, 145, 150, 100, 89, 36, 44, 1, 38, 96, 193, 185, 15, 223, 26, 59, 169, 85, 145, 150, 100, 89, 36, 44, 1, 38, 96, 193, 185, 15, 223, 26, 59, 169}, {76, 157, 70, 95, 253, 217, 129, 133, 168, 230, 227, 130, 81, 18, 44, 2, 152, 39, 140, 190, 231, 175, 31, 23, 77, 209, 219, 25, 162, 36, 88, 4, 45, 78, 5, 97, 211, 67, 62, 46, 154, 191, 171, 50, 89, 72, 176, 8, 90, 156, 10, 194, 187, 134, 124, 92, 41, 99, 75, 100, 178, 144, 125, 16, 180, 37, 20, 153, 107, 17, 248, 184, 82, 198, 150, 200, 121}, {152, 78, 10, 153, 214, 68, 147, 79, 146, 215, 220, 221, 69, 11, 1, 152, 78, 10, 153, 214, 68, 147, 79, 146, 215, 220, 221, 69, 11, 1, 152, 78, 10, 153, 214, 68, 
147, 79, 146, 215, 220, 221, 69, 11, 1, 152, 78, 10, 153, 214, 68, 147, 79, 146, 215, 220, 221, 69, 11, 1, 152, 78, 10, 153, 214, 68, 147, 79, 146, 215, 220, 221, 69, 11, 1, 152, 78}, {45, 37, 80, 101, 223, 208, 102, 168, 191, 150, 7, 195, 251, 173, 38, 39, 10, 47, 127, 26, 197, 21, 115, 219, 100, 242, 245, 54, 205, 96, 70, 97, 107, 68, 59, 33, 228, 241, 130, 89, 61, 207, 58, 12, 193, 161, 231, 134, 237, 169, 146, 179, 87, 166, 36, 125, 64, 143, 181, 185, 120, 217, 62, 184, 85, 252, 110, 221, 138, 44, 8, 117, 53, 186, 15, 182, 206}, {90, 148, 186, 30, 226, 62, 109, 73, 179, 174, 162, 61, 131, 232, 96, 140, 153, 127, 52, 51, 168, 99, 98, 56, 172, 22, 8, 234, 212, 185, 240, 67, 237, 79, 114, 241, 25, 121, 245, 108, 19, 39, 20, 188, 223, 189, 133, 41, 63, 55, 221, 9, 176, 64, 3, 238, 161, 211, 34, 59, 66, 183, 219, 200, 239, 251, 71, 152, 37, 160, 137, 182, 129, 92, 85, 229, 165}, {180, 106, 185, 253, 17, 59, 132, 230, 150, 28, 172, 44, 32, 3, 193, 190, 214, 26, 51, 77, 145, 55, 167, 36, 233, 116, 96, 5, 94, 223, 103, 46, 85, 215, 174, 89, 244, 108, 38, 156, 160, 15, 226, 124, 169, 114, 255, 100, 239, 235, 1, 180, 106, 185, 253, 17, 59, 132, 230, 150, 28, 172, 44, 32, 3, 193, 190, 214, 26, 51, 77, 145, 55, 167, 36, 233, 116}, {117, 181, 161, 107, 26, 102, 41, 252, 87, 89, 245, 173, 45, 53, 185, 231, 68, 197, 168, 145, 110, 166, 61, 54, 38, 37, 186, 120, 134, 59, 21, 191, 196, 221, 36, 207, 205, 39, 80, 15, 217, 237, 33, 115, 150, 56, 138, 125, 58, 96, 10, 101, 182, 62, 169, 228, 219, 7, 86, 44, 64, 12, 70, 47, 223, 206, 184, 146, 241, 100, 195, 139, 8, 143, 193, 97, 127}, {234, 238, 97, 254, 103, 184, 57, 227, 7, 172, 176, 58, 192, 40, 15, 175, 147, 21, 99, 55, 166, 122, 216, 45, 106, 222, 107, 52, 133, 85, 123, 50, 195, 11, 32, 12, 140, 188, 182, 124, 158, 115, 49, 224, 36, 131, 19, 37, 105, 253, 68, 151, 154, 252, 174, 121, 251, 2, 201, 193, 194, 225, 206, 109, 114, 219, 14, 69, 125, 116, 157, 80, 30, 67, 59, 42, 198}, {201, 159, 47, 91, 124, 33, 209, 149, 166, 244, 
71, 117, 238, 194, 223, 31, 79, 115, 98, 167, 61, 216, 90, 181, 190, 254, 206, 218, 213, 150, 224, 72, 54, 152, 106, 161, 177, 189, 184, 114, 171, 56, 18, 131, 38, 148, 111, 107, 104, 46, 146, 227, 14, 138, 233, 135, 37, 210, 211, 26, 133, 170, 241, 141, 172, 125, 232, 78, 186, 253, 136, 102, 164, 123, 100, 43, 88}, {143, 70, 101, 217, 59, 168, 252, 130, 195, 44, 58, 39, 186, 231, 26, 23, 146, 219, 56, 36, 54, 45, 181, 97, 223, 62, 33, 191, 110, 89, 251, 8, 12, 10, 15, 134, 197, 41, 179, 100, 86, 125, 205, 37, 185, 107, 208, 184, 228, 150, 221, 61, 173, 117, 193, 47, 182, 237, 21, 145, 87, 242, 139, 64, 96, 80, 120, 68, 102, 85, 241, 7, 138, 207, 38, 53, 161}, {3, 5, 15, 17, 51, 85, 255, 28, 36, 108, 180, 193, 94, 226, 59, 77, 215, 100, 172, 233, 38, 106, 190, 223, 124, 132, 145, 174, 239, 44, 116, 156, 185, 214, 103, 169, 230, 55, 89, 235, 32, 96, 160, 253, 26, 46, 114, 150, 167, 244, 1, 3, 5, 15, 17, 51, 85, 255, 28, 36, 108, 180, 193, 94, 226, 59, 77, 215, 100, 172, 233, 38, 106, 190, 223, 124, 132}, {6, 20, 120, 13, 46, 228, 98, 81, 251, 32, 192, 186, 187, 189, 169, 209, 220, 242, 22, 116, 37, 222, 254, 62, 132, 63, 130, 43, 250, 38, 212, 194, 182, 147, 77, 179, 141, 9, 54, 180, 159, 101, 67, 151, 85, 227, 112, 61, 142, 3, 10, 60, 136, 23, 114, 49, 166, 243, 16, 96, 93, 211, 208, 218, 230, 110, 121, 11, 58, 156, 111, 127, 31, 66, 145, 65, 155}, {12, 80, 231, 208, 169, 191, 87, 195, 125, 38, 181, 47, 217, 197, 85, 219, 221, 245, 8, 96, 186, 107, 206, 33, 145, 130, 86, 207, 45, 193, 101, 134, 102, 146, 150, 166, 251, 64, 39, 185, 127, 62, 21, 252, 100, 138, 54, 117, 70, 15, 68, 23, 228, 196, 89, 139, 58, 37, 161, 223, 237, 168, 179, 7, 36, 173, 143, 10, 120, 26, 184, 115, 110, 242, 44, 205, 53}, {24, 93, 107, 129, 132, 252, 200, 18, 173, 3, 40, 231, 189, 158, 145, 25, 69, 54, 234, 5, 120, 52, 218, 191, 174, 43, 207, 90, 35, 15, 136, 92, 115, 220, 239, 125, 76, 238, 101, 17, 133, 228, 149, 121, 44, 135, 212, 47, 175, 51, 146, 49, 162, 139, 116, 148, 97, 113, 236, 
85, 171, 83, 251, 128, 156, 161, 163, 147, 41, 255, 224, 245, 16, 157, 185, 254, 248}, {48, 105, 127, 248, 77, 241, 224, 247, 64, 156, 95, 182, 236, 170, 150, 162, 11, 205, 212, 94, 134, 133, 213, 110, 239, 250, 45, 35, 30, 26, 218, 99, 130, 69, 108, 143, 40, 211, 206, 132, 229, 7, 144, 2, 96, 210, 254, 237, 154, 255, 221, 243, 128, 37, 190, 113, 197, 73, 49, 89, 22, 135, 181, 188, 17, 23, 183, 220, 195, 233, 90, 70, 60, 52, 169, 198, 25}, {96, 185, 223, 59, 85, 150, 89, 44, 38, 193, 15, 26, 169, 145, 100, 36, 1, 96, 185, 223, 59, 85, 150, 89, 44, 38, 193, 15, 26, 169, 145, 100, 36, 1, 96, 185, 223, 59, 85, 150, 89, 44, 38, 193, 15, 26, 169, 145, 100, 36, 1, 96, 185, 223, 59, 85, 150, 89, 44, 38, 193, 15, 26, 169, 145, 100, 36, 1, 96, 185, 223, 59, 85, 150, 89, 44, 38}, {192, 222, 182, 151, 114, 110, 155, 27, 143, 160, 177, 237, 82, 75, 89, 88, 152, 70, 240, 103, 21, 123, 224, 251, 116, 212, 101, 136, 218, 145, 200, 144, 8, 78, 190, 217, 204, 183, 87, 172, 216, 12, 105, 225, 59, 170, 98, 242, 250, 180, 10, 211, 31, 168, 255, 83, 139, 135, 238, 15, 52, 158, 252, 14, 244, 64, 74, 153, 134, 46, 209, 130, 9, 142, 96, 111, 91}, {157, 95, 217, 133, 230, 130, 18, 2, 39, 190, 175, 23, 209, 25, 36, 4, 78, 97, 67, 46, 191, 50, 72, 8, 156, 194, 134, 92, 99, 100, 144, 16, 37, 153, 17, 184, 198, 200, 61, 32, 74, 47, 34, 109, 145, 141, 122, 64, 148, 94, 68, 218, 63, 7, 244, 128, 53, 188, 136, 169, 126, 14, 245, 29, 106, 101, 13, 79, 252, 28, 247, 58, 212, 202, 26, 158, 229}, {39, 97, 134, 184, 145, 7, 245, 58, 181, 15, 208, 21, 241, 166, 44, 45, 10, 107, 237, 85, 196, 195, 54, 12, 185, 182, 102, 115, 130, 36, 8, 37, 47, 68, 169, 252, 56, 251, 205, 193, 120, 206, 168, 219, 89, 125, 117, 80, 127, 59, 146, 110, 86, 173, 96, 161, 217, 23, 191, 100, 61, 64, 53, 101, 26, 33, 179, 221, 139, 38, 70, 231, 62, 41, 150, 242, 207}, {78, 153, 68, 79, 215, 221, 11, 152, 10, 214, 147, 146, 220, 69, 1, 78, 153, 68, 79, 215, 221, 11, 152, 10, 214, 147, 146, 220, 69, 1, 78, 153, 68, 79, 215, 221, 
11, 152, 10, 214, 147, 146, 220, 69, 1, 78, 153, 68, 79, 215, 221, 11, 152, 10, 214, 147, 146, 220, 69, 1, 78, 153, 68, 79, 215, 221, 11, 152, 10, 214, 147, 146, 220, 69, 1, 78, 153}, {156, 94, 26, 132, 255, 89, 233, 3, 185, 226, 46, 145, 28, 235, 38, 5, 214, 59, 114, 174, 36, 32, 106, 15, 103, 77, 150, 239, 108, 96, 190, 17, 169, 215, 167, 44, 180, 160, 223, 51, 230, 100, 244, 116, 193, 253, 124, 85, 55, 172, 1, 156, 94, 26, 132, 255, 89, 233, 3, 185, 226, 46, 145, 28, 235, 38, 5, 214, 59, 114, 174, 36, 32, 106, 15, 103, 77}, {37, 101, 208, 168, 150, 195, 173, 39, 47, 26, 21, 219, 242, 54, 96, 97, 68, 33, 241, 89, 207, 12, 161, 134, 169, 179, 166, 125, 143, 185, 217, 184, 252, 221, 44, 117, 186, 182, 23, 145, 56, 139, 45, 80, 223, 102, 191, 7, 251, 38, 10, 127, 197, 115, 100, 245, 205, 70, 107, 59, 228, 130, 61, 58, 193, 231, 237, 146, 87, 36, 64, 181, 120, 62, 85, 110, 138}, {74, 137, 206, 82, 55, 138, 16, 212, 120, 124, 73, 87, 72, 29, 193, 211, 147, 228, 25, 244, 205, 140, 177, 197, 230, 141, 251, 76, 40, 223, 204, 198, 56, 11, 180, 186, 113, 92, 252, 167, 176, 143, 111, 67, 169, 123, 162, 207, 24, 190, 68, 66, 227, 242, 108, 157, 47, 52, 84, 150, 155, 142, 37, 202, 103, 41, 149, 69, 8, 106, 60, 62, 170, 165, 36, 128, 238}, {148, 30, 62, 73, 174, 61, 232, 140, 127, 51, 99, 56, 22, 234, 185, 67, 79, 241, 121, 108, 39, 188, 189, 41, 55, 9, 64, 238, 211, 59, 183, 200, 251, 152, 160, 182, 92, 229, 166, 233, 24, 97, 13, 42, 150, 43, 2, 53, 60, 124, 146, 65, 122, 205, 5, 254, 102, 198, 112, 44, 201, 111, 134, 158, 255, 242, 216, 78, 101, 103, 82, 110, 18, 128, 193, 187, 118}, {53, 120, 237, 228, 100, 251, 45, 186, 217, 169, 241, 242, 173, 37, 15, 62, 146, 130, 245, 38, 80, 182, 184, 179, 89, 54, 39, 101, 206, 85, 87, 61, 205, 10, 223, 23, 252, 166, 207, 96, 47, 208, 41, 110, 36, 58, 70, 127, 102, 145, 221, 125, 12, 97, 26, 168, 196, 138, 64, 193, 107, 197, 191, 56, 44, 143, 161, 68, 21, 150, 86, 8, 181, 231, 59, 115, 7}, {106, 253, 59, 230, 28, 44, 3, 190, 26, 77, 
55, 36, 116, 5, 223, 46, 215, 89, 108, 156, 15, 124, 114, 100, 235, 180, 185, 17, 132, 150, 172, 32, 193, 214, 51, 145, 167, 233, 96, 94, 103, 85, 174, 244, 38, 160, 226, 169, 255, 239, 1, 106, 253, 59, 230, 28, 44, 3, 190, 26, 77, 55, 36, 116, 5, 223, 46, 215, 89, 108, 156, 15, 124, 114, 100, 235, 180}, {212, 211, 197, 198, 167, 207, 157, 202, 62, 114, 200, 139, 201, 95, 26, 154, 220, 61, 19, 160, 217, 158, 171, 86, 32, 159, 127, 133, 229, 89, 216, 74, 120, 147, 230, 56, 176, 24, 47, 103, 170, 130, 243, 90, 185, 34, 42, 196, 18, 116, 10, 91, 109, 241, 239, 2, 181, 187, 151, 145, 83, 131, 39, 137, 124, 228, 141, 11, 143, 190, 52, 41, 165, 122, 38, 93, 175}, {181, 107, 102, 252, 89, 173, 53, 231, 197, 145, 166, 54, 37, 120, 59, 191, 221, 207, 39, 15, 237, 115, 56, 125, 96, 101, 62, 228, 7, 44, 12, 47, 206, 146, 100, 139, 143, 97, 208, 85, 130, 251, 117, 161, 26, 41, 87, 245, 45, 185, 68, 168, 110, 61, 38, 186, 134, 21, 196, 36, 205, 80, 217, 33, 150, 138, 58, 10, 182, 169, 219, 86, 64, 70, 223, 184, 241}, {119, 177, 23, 123, 239, 8, 159, 225, 184, 255, 43, 64, 140, 91, 169, 171, 69, 58, 20, 226, 33, 49, 18, 205, 160, 67, 21, 149, 144, 38, 105, 34, 168, 220, 244, 45, 111, 13, 41, 174, 243, 117, 95, 104, 85, 25, 203, 143, 194, 103, 146, 200, 22, 12, 94, 31, 228, 14, 176, 96, 202, 248, 115, 112, 233, 39, 30, 147, 191, 167, 27, 37, 240, 236, 145, 81, 216}, {238, 254, 184, 227, 172, 58, 40, 175, 21, 55, 122, 45, 222, 52, 85, 50, 11, 12, 188, 124, 115, 224, 131, 37, 253, 151, 252, 121, 2, 193, 225, 109, 219, 69, 116, 80, 67, 42, 110, 244, 90, 161, 104, 170, 100, 22, 24, 101, 248, 230, 221, 27, 74, 231, 51, 229, 242, 4, 159, 223, 218, 171, 138, 232, 160, 134, 84, 220, 245, 180, 95, 208, 73, 200, 44, 48, 202}, {193, 223, 169, 150, 36, 38, 185, 26, 85, 100, 44, 96, 15, 59, 145, 89, 1, 193, 223, 169, 150, 36, 38, 185, 26, 85, 100, 44, 96, 15, 59, 145, 89, 1, 193, 223, 169, 150, 36, 38, 185, 26, 85, 100, 44, 96, 15, 59, 145, 89, 1, 193, 223, 169, 150, 36, 38, 185, 26, 85, 100, 
44, 96, 15, 59, 145, 89, 1, 193, 223, 169, 150, 36, 38, 185, 26, 85}, {159, 91, 33, 149, 244, 117, 194, 31, 115, 167, 216, 181, 254, 218, 150, 72, 152, 161, 189, 114, 56, 131, 148, 107, 46, 227, 138, 135, 210, 26, 170, 141, 125, 78, 253, 102, 123, 43, 58, 160, 34, 41, 25, 22, 96, 30, 236, 252, 249, 32, 10, 175, 84, 87, 235, 6, 101, 199, 198, 89, 2, 35, 182, 66, 55, 245, 234, 153, 62, 230, 83, 173, 119, 225, 169, 49, 144}}; - -void PQCLEAN_HQCRMRS256_AVX2_reed_solomon_encode(uint8_t *cdw, const uint8_t *msg); - -void PQCLEAN_HQCRMRS256_AVX2_reed_solomon_decode(uint8_t *msg, uint8_t *cdw); - - -#endif diff --git a/crypto_kem/hqc-rmrs-256/avx2/vector.c b/crypto_kem/hqc-rmrs-256/avx2/vector.c deleted file mode 100644 index 83f0e06b..00000000 --- a/crypto_kem/hqc-rmrs-256/avx2/vector.c +++ /dev/null 
@@ -1,178 +0,0 @@
-#include "nistseedexpander.h"
-#include "parameters.h"
-#include "parsing.h"
-#include "randombytes.h"
-#include "vector.h"
-#include
-#include
-#include
-/**
- * @file vector.c
- * @brief Implementation of vectors sampling and some utilities for the HQC scheme
- */
-
-
-
-/**
- * @brief Generates a vector of a given Hamming weight
- *
- * This function generates uniformly at random a binary vector of a Hamming weight equal to the parameter weight.
- * To generate the vector we have to sample uniformly at random values in the interval [0, PARAM_N -1]. Suppose the PARAM_N is equal to \f$ 70853 \f$, to select a position \f$ r\f$ the function works as follow:
- * 1. It makes a call to the seedexpander function to obtain a random number \f$ x\f$ in \f$ [0, 2^{24}[ \f$.
- * 2. Let \f$ t = \lfloor {2^{24} \over 70853} \rfloor \times 70853\f$
- * 3. If \f$ x \geq t\f$, go to 1
- * 4. It return \f$ r = x \mod 70853\f$
- *
- * The parameter \f$ t \f$ is precomputed and it's denoted by UTILS_REJECTION_THRESHOLD (see the file parameters.h).
- *
- * @param[in] v Pointer to an array
- * @param[in] weight Integer that is the Hamming weight
- * @param[in] ctx Pointer to the context of the seed expander
- */
-void PQCLEAN_HQCRMRS256_AVX2_vect_set_random_fixed_weight(AES_XOF_struct *ctx, uint64_t *v, uint16_t weight) {
- size_t random_bytes_size = 3 * weight;
- uint8_t rand_bytes[3 * PARAM_OMEGA_R] = {0};
- uint32_t tmp[PARAM_OMEGA_R] = {0};
- __m256i bit256[PARAM_OMEGA_R];
- __m256i bloc256[PARAM_OMEGA_R];
- __m256i posCmp256 = _mm256_set_epi64x(3, 2, 1, 0);
- __m256i pos256;
- __m256i mask256;
- __m256i aux;
- __m256i i256;
- uint64_t bloc, pos, bit64;
- uint8_t inc;
- size_t i, j, k;
-
- i = 0;
- j = random_bytes_size;
- while (i < weight) {
- do {
- if (j == random_bytes_size) {
- seedexpander(ctx, rand_bytes, random_bytes_size);
- j = 0;
- }
-
- tmp[i] = ((uint32_t) rand_bytes[j++]) << 16;
- tmp[i] |= ((uint32_t) rand_bytes[j++]) << 8;
- tmp[i] |= rand_bytes[j++];
-
- } while (tmp[i] >= UTILS_REJECTION_THRESHOLD);
-
- tmp[i] = tmp[i] % PARAM_N;
-
- inc = 1;
- for (k = 0; k < i; k++) {
- if (tmp[k] == tmp[i]) {
- inc = 0;
- }
- }
- i += inc;
- }
-
- for (i = 0; i < weight; i++) {
- // we store the bloc number and bit position of each vb[i]
- bloc = tmp[i] >> 6;
- bloc256[i] = _mm256_set1_epi64x(bloc >> 2);
- pos = (bloc & 0x3UL);
- pos256 = _mm256_set1_epi64x(pos);
- mask256 = _mm256_cmpeq_epi64(pos256, posCmp256);
- bit64 = 1ULL << (tmp[i] & 0x3f);
- bit256[i] = _mm256_set1_epi64x(bit64)&mask256;
- }
-
- for (i = 0; i < CEIL_DIVIDE(PARAM_N, 256); i++) {
- aux = _mm256_loadu_si256(((__m256i *)v) + i);
- i256 = _mm256_set1_epi64x(i);
-
- for (j = 0; j < weight; j++) {
- mask256 = _mm256_cmpeq_epi64(bloc256[j], i256);
- aux ^= bit256[j] & mask256;
- }
- _mm256_storeu_si256(((__m256i *)v) + i, aux);
- }
-
-}
-
-
-
-/**
- * @brief Generates a random vector of dimension PARAM_N
- *
- * This function generates a random binary vector of dimension PARAM_N. It generates a random
- * array of bytes using the seedexpander function, and drop the extra bits using a mask.
- *
- * @param[in] v Pointer to an array
- * @param[in] ctx Pointer to the context of the seed expander
- */
-void PQCLEAN_HQCRMRS256_AVX2_vect_set_random(AES_XOF_struct *ctx, uint64_t *v) {
- uint8_t rand_bytes[VEC_N_SIZE_BYTES] = {0};
-
- seedexpander(ctx, rand_bytes, VEC_N_SIZE_BYTES);
-
- PQCLEAN_HQCRMRS256_AVX2_load8_arr(v, VEC_N_SIZE_64, rand_bytes, VEC_N_SIZE_BYTES);
- v[VEC_N_SIZE_64 - 1] &= RED_MASK;
-}
-
-
-
-/**
- * @brief Adds two vectors
- *
- * @param[out] o Pointer to an array that is the result
- * @param[in] v1 Pointer to an array that is the first vector
- * @param[in] v2 Pointer to an array that is the second vector
- * @param[in] size Integer that is the size of the vectors
- */
-void PQCLEAN_HQCRMRS256_AVX2_vect_add(uint64_t *o, const uint64_t *v1, const uint64_t *v2, uint32_t size) {
- for (uint32_t i = 0; i < size; ++i) {
- o[i] = v1[i] ^ v2[i];
- }
-}
-
-
-
-/**
- * @brief Compares two vectors
- *
- * @param[in] v1 Pointer to an array that is first vector
- * @param[in] v2 Pointer to an array that is second vector
- * @param[in] size Integer that is the size of the vectors
- * @returns 0 if the vectors are equals and a negative/psotive value otherwise
- */
-uint8_t PQCLEAN_HQCRMRS256_AVX2_vect_compare(const uint8_t *v1, const uint8_t *v2, uint32_t size) {
- uint64_t r = 0;
- for (size_t i = 0; i < size; i++) {
- r |= v1[i] ^ v2[i];
- }
- r = (~r + 1) >> 63;
- return (uint8_t) r;
-}
-
-
-
-/**
- * @brief Resize a vector so that it contains size_o bits
- *
- * @param[out] o Pointer to the output vector
- * @param[in] size_o Integer that is the size of the output vector in bits
- * @param[in] v Pointer to the input vector
- * @param[in] size_v Integer that is the size of the input vector in bits
- */
-void PQCLEAN_HQCRMRS256_AVX2_vect_resize(uint64_t *o, uint32_t size_o, const uint64_t *v, uint32_t size_v) {
- uint64_t mask = 0x7FFFFFFFFFFFFFFF;
- int8_t val = 0;
- if (size_o < size_v) {
- if (size_o % 64) {
- val = 64 - (size_o % 64);
- }
-
- memcpy(o, v, VEC_N1N2_SIZE_BYTES);
-
- for (int8_t i = 0; i < val; ++i) {
- o[VEC_N1N2_SIZE_64 - 1] &= (mask >> i);
- }
- } else {
- memcpy(o, v, CEIL_DIVIDE(size_v, 8));
- }
-}
diff --git a/crypto_kem/hqc-rmrs-256/avx2/vector.h b/crypto_kem/hqc-rmrs-256/avx2/vector.h
deleted file mode 100644
index 1508d0b7..00000000
--- a/crypto_kem/hqc-rmrs-256/avx2/vector.h
+++ /dev/null
@@ -1,27 +0,0 @@
-#ifndef VECTOR_H
-#define VECTOR_H
-
-
-/**
- * @file vector.h
- * @brief Header file for vector.c
- */
-#include "nistseedexpander.h"
-#include "randombytes.h"
-#include
-
-void PQCLEAN_HQCRMRS256_AVX2_vect_set_random_fixed_weight(AES_XOF_struct *ctx, uint64_t *v, uint16_t weight);
-
-void PQCLEAN_HQCRMRS256_AVX2_vect_set_random(AES_XOF_struct *ctx, uint64_t *v);
-
-void PQCLEAN_HQCRMRS256_AVX2_vect_set_random_from_randombytes(uint64_t *v);
-
-
-void PQCLEAN_HQCRMRS256_AVX2_vect_add(uint64_t *o, const uint64_t *v1, const uint64_t *v2, uint32_t size);
-
-uint8_t PQCLEAN_HQCRMRS256_AVX2_vect_compare(const uint8_t *v1, const uint8_t *v2, uint32_t size);
-
-void PQCLEAN_HQCRMRS256_AVX2_vect_resize(uint64_t *o, uint32_t size_o, const uint64_t *v, uint32_t size_v);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-256/clean/LICENSE b/crypto_kem/hqc-rmrs-256/clean/LICENSE
deleted file mode 100644
index d5d21fff..00000000
--- a/crypto_kem/hqc-rmrs-256/clean/LICENSE
+++ /dev/null
@@ -1 +0,0 @@
-Public Domain
diff --git a/crypto_kem/hqc-rmrs-256/clean/Makefile.Microsoft_nmake b/crypto_kem/hqc-rmrs-256/clean/Makefile.Microsoft_nmake
deleted file mode 100644
index 2378a4f6..00000000
--- a/crypto_kem/hqc-rmrs-256/clean/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libhqc-rmrs-256_clean.lib
-OBJECTS=code.obj fft.obj gf2x.obj gf.obj hqc.obj kem.obj parsing.obj reed_muller.obj reed_solomon.obj vector.obj
-
-CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_kem/hqc-rmrs-256/clean/api.h b/crypto_kem/hqc-rmrs-256/clean/api.h
deleted file mode 100644
index d8bd7d2e..00000000
--- a/crypto_kem/hqc-rmrs-256/clean/api.h
+++ /dev/null
@@ -1,25 +0,0 @@
-#ifndef PQCLEAN_HQCRMRS256_CLEAN_API_H
-#define PQCLEAN_HQCRMRS256_CLEAN_API_H
-/**
- * @file api.h
- * @brief NIST KEM API used by the HQC_KEM IND-CCA2 scheme
- */
-
-#define PQCLEAN_HQCRMRS256_CLEAN_CRYPTO_ALGNAME "HQC-RMRS-256"
-
-#define PQCLEAN_HQCRMRS256_CLEAN_CRYPTO_SECRETKEYBYTES 7285
-#define PQCLEAN_HQCRMRS256_CLEAN_CRYPTO_PUBLICKEYBYTES 7245
-#define PQCLEAN_HQCRMRS256_CLEAN_CRYPTO_BYTES 64
-#define PQCLEAN_HQCRMRS256_CLEAN_CRYPTO_CIPHERTEXTBYTES 14469
-
-// As a technicality, the public key is appended to the secret key in order to respect the NIST API.
-// Without this constraint, PQCLEAN_HQCRMRS256_CLEAN_CRYPTO_SECRETKEYBYTES would be defined as 32
-
-int PQCLEAN_HQCRMRS256_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk);
-
-int PQCLEAN_HQCRMRS256_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk);
-
-int PQCLEAN_HQCRMRS256_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-256/clean/code.c b/crypto_kem/hqc-rmrs-256/clean/code.c
deleted file mode 100644
index 1178b56e..00000000
--- a/crypto_kem/hqc-rmrs-256/clean/code.c
+++ /dev/null
@@ -1,46 +0,0 @@
-#include "code.h"
-#include "parameters.h"
-#include "reed_muller.h"
-#include "reed_solomon.h"
-#include
-#include
-/**
- * @file code.c
- * @brief Implementation of concatenated code
- */
-
-
-
-/**
- *
- * @brief Encoding the message m to a code word em using the concatenated code
- *
- * First we encode the message using the Reed-Solomon code, then with the duplicated Reed-Muller code we obtain
- * a concatenated code word.
- *
- * @param[out] em Pointer to an array that is the tensor code word
- * @param[in] m Pointer to an array that is the message
- */
-void PQCLEAN_HQCRMRS256_CLEAN_code_encode(uint8_t *em, const uint8_t *m) {
- uint8_t tmp[VEC_N1_SIZE_BYTES] = {0};
-
- PQCLEAN_HQCRMRS256_CLEAN_reed_solomon_encode(tmp, m);
- PQCLEAN_HQCRMRS256_CLEAN_reed_muller_encode(em, tmp);
-
-}
-
-
-
-/**
- * @brief Decoding the code word em to a message m using the concatenated code
- *
- * @param[out] m Pointer to an array that is the message
- * @param[in] em Pointer to an array that is the code word
- */
-void PQCLEAN_HQCRMRS256_CLEAN_code_decode(uint8_t *m, const uint8_t *em) {
- uint8_t tmp[VEC_N1_SIZE_BYTES] = {0};
-
- PQCLEAN_HQCRMRS256_CLEAN_reed_muller_decode(tmp, em);
- PQCLEAN_HQCRMRS256_CLEAN_reed_solomon_decode(m, tmp);
-
-}
diff --git a/crypto_kem/hqc-rmrs-256/clean/code.h b/crypto_kem/hqc-rmrs-256/clean/code.h
deleted file mode 100644
index 6de64ab9..00000000
--- a/crypto_kem/hqc-rmrs-256/clean/code.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef CODE_H
-#define CODE_H
-
-
-/**
- * @file code.h
- * Header file of code.c
- */
-#include "parameters.h"
-#include
-#include
-
-void PQCLEAN_HQCRMRS256_CLEAN_code_encode(uint8_t *em, const uint8_t *message);
-
-void PQCLEAN_HQCRMRS256_CLEAN_code_decode(uint8_t *m, const uint8_t *em);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-256/clean/fft.c b/crypto_kem/hqc-rmrs-256/clean/fft.c
deleted file mode 100644
index 6a680972..00000000
--- a/crypto_kem/hqc-rmrs-256/clean/fft.c
+++ /dev/null
@@ -1,351 +0,0 @@ -#include "fft.h" -#include "gf.h" -#include "parameters.h" -#include -#include -/** - * @file fft.c - * Implementation of the additive FFT and its transpose. - * This implementation is based on the paper from Gao and Mateer:
- * Shuhong Gao and Todd Mateer, Additive Fast Fourier Transforms over Finite Fields,
- * IEEE Transactions on Information Theory 56 (2010), 6265--6272.
- * http://www.math.clemson.edu/~sgao/papers/GM10.pdf
- * and includes improvements proposed by Bernstein, Chou and Schwabe here: - * https://binary.cr.yp.to/mcbits-20130616.pdf - */ - - -static void compute_fft_betas(uint16_t *betas); -static void compute_subset_sums(uint16_t *subset_sums, const uint16_t *set, uint16_t set_size); -static void radix(uint16_t *f0, uint16_t *f1, const uint16_t *f, uint32_t m_f); -static void radix_big(uint16_t *f0, uint16_t *f1, const uint16_t *f, uint32_t m_f); -static void fft_rec(uint16_t *w, uint16_t *f, size_t f_coeffs, uint8_t m, uint32_t m_f, const uint16_t *betas); - - -/** - * @brief Computes the basis of betas (omitting 1) used in the additive FFT and its transpose - * - * @param[out] betas Array of size PARAM_M-1 - */ -static void compute_fft_betas(uint16_t *betas) { - size_t i; - for (i = 0; i < PARAM_M - 1; ++i) { - betas[i] = 1 << (PARAM_M - 1 - i); - } -} - - - -/** - * @brief Computes the subset sums of the given set - * - * The array subset_sums is such that its ith element is - * the subset sum of the set elements given by the binary form of i. 
- * - * @param[out] subset_sums Array of size 2^set_size receiving the subset sums - * @param[in] set Array of set_size elements - * @param[in] set_size Size of the array set - */ -static void compute_subset_sums(uint16_t *subset_sums, const uint16_t *set, uint16_t set_size) { - uint16_t i, j; - subset_sums[0] = 0; - - for (i = 0; i < set_size; ++i) { - for (j = 0; j < (1 << i); ++j) { - subset_sums[(1 << i) + j] = set[i] ^ subset_sums[j]; - } - } -} - - - -/** - * @brief Computes the radix conversion of a polynomial f in GF(2^m)[x] - * - * Computes f0 and f1 such that f(x) = f0(x^2-x) + x.f1(x^2-x) - * as proposed by Bernstein, Chou and Schwabe: - * https://binary.cr.yp.to/mcbits-20130616.pdf - * - * @param[out] f0 Array half the size of f - * @param[out] f1 Array half the size of f - * @param[in] f Array of size a power of 2 - * @param[in] m_f 2^{m_f} is the smallest power of 2 greater or equal to the number of coefficients of f - */ -static void radix(uint16_t *f0, uint16_t *f1, const uint16_t *f, uint32_t m_f) { - switch (m_f) { - case 4: - f0[4] = f[8] ^ f[12]; - f0[6] = f[12] ^ f[14]; - f0[7] = f[14] ^ f[15]; - f1[5] = f[11] ^ f[13]; - f1[6] = f[13] ^ f[14]; - f1[7] = f[15]; - f0[5] = f[10] ^ f[12] ^ f1[5]; - f1[4] = f[9] ^ f[13] ^ f0[5]; - - f0[0] = f[0]; - f1[3] = f[7] ^ f[11] ^ f[15]; - f0[3] = f[6] ^ f[10] ^ f[14] ^ f1[3]; - f0[2] = f[4] ^ f0[4] ^ f0[3] ^ f1[3]; - f1[1] = f[3] ^ f[5] ^ f[9] ^ f[13] ^ f1[3]; - f1[2] = f[3] ^ f1[1] ^ f0[3]; - f0[1] = f[2] ^ f0[2] ^ f1[1]; - f1[0] = f[1] ^ f0[1]; - break; - - case 3: - f0[0] = f[0]; - f0[2] = f[4] ^ f[6]; - f0[3] = f[6] ^ f[7]; - f1[1] = f[3] ^ f[5] ^ f[7]; - f1[2] = f[5] ^ f[6]; - f1[3] = f[7]; - f0[1] = f[2] ^ f0[2] ^ f1[1]; - f1[0] = f[1] ^ f0[1]; - break; - - case 2: - f0[0] = f[0]; - f0[1] = f[2] ^ f[3]; - f1[0] = f[1] ^ f0[1]; - f1[1] = f[3]; - break; - - case 1: - f0[0] = f[0]; - f1[0] = f[1]; - break; - - default: - radix_big(f0, f1, f, m_f); - break; - } -} - -static void radix_big(uint16_t *f0, 
uint16_t *f1, const uint16_t *f, uint32_t m_f) { - uint16_t Q[2 * (1 << (PARAM_FFT - 2))] = {0}; - uint16_t R[2 * (1 << (PARAM_FFT - 2))] = {0}; - - uint16_t Q0[1 << (PARAM_FFT - 2)] = {0}; - uint16_t Q1[1 << (PARAM_FFT - 2)] = {0}; - uint16_t R0[1 << (PARAM_FFT - 2)] = {0}; - uint16_t R1[1 << (PARAM_FFT - 2)] = {0}; - - size_t i, n; - - n = 1; - n <<= (m_f - 2); - memcpy(Q, f + 3 * n, 2 * n); - memcpy(Q + n, f + 3 * n, 2 * n); - memcpy(R, f, 4 * n); - - for (i = 0; i < n; ++i) { - Q[i] ^= f[2 * n + i]; - R[n + i] ^= Q[i]; - } - - radix(Q0, Q1, Q, m_f - 1); - radix(R0, R1, R, m_f - 1); - - memcpy(f0, R0, 2 * n); - memcpy(f0 + n, Q0, 2 * n); - memcpy(f1, R1, 2 * n); - memcpy(f1 + n, Q1, 2 * n); -} - - - -/** - * @brief Evaluates f at all subset sums of a given set - * - * This function is a subroutine of the function PQCLEAN_HQCRMRS256_CLEAN_fft. - * - * @param[out] w Array - * @param[in] f Array - * @param[in] f_coeffs Number of coefficients of f - * @param[in] m Number of betas - * @param[in] m_f Number of coefficients of f (one more than its degree) - * @param[in] betas FFT constants - */ -static void fft_rec(uint16_t *w, uint16_t *f, size_t f_coeffs, uint8_t m, uint32_t m_f, const uint16_t *betas) { - uint16_t f0[1 << (PARAM_FFT - 2)] = {0}; - uint16_t f1[1 << (PARAM_FFT - 2)] = {0}; - uint16_t gammas[PARAM_M - 2] = {0}; - uint16_t deltas[PARAM_M - 2] = {0}; - uint16_t gammas_sums[1 << (PARAM_M - 2)] = {0}; - uint16_t u[1 << (PARAM_M - 2)] = {0}; - uint16_t v[1 << (PARAM_M - 2)] = {0}; - uint16_t tmp[PARAM_M - (PARAM_FFT - 1)] = {0}; - - uint16_t beta_m_pow; - size_t i, j, k; - size_t x; - - // Step 1 - if (m_f == 1) { - for (i = 0; i < m; ++i) { - tmp[i] = PQCLEAN_HQCRMRS256_CLEAN_gf_mul(betas[i], f[1]); - } - - w[0] = f[0]; - x = 1; - for (j = 0; j < m; ++j) { - for (k = 0; k < x; ++k) { - w[x + k] = w[k] ^ tmp[j]; - } - x <<= 1; - } - - return; - } - - // Step 2: compute g - if (betas[m - 1] != 1) { - beta_m_pow = 1; - x = 1; - x <<= m_f; - for (i = 1; i < x; 
++i) { - beta_m_pow = PQCLEAN_HQCRMRS256_CLEAN_gf_mul(beta_m_pow, betas[m - 1]); - f[i] = PQCLEAN_HQCRMRS256_CLEAN_gf_mul(beta_m_pow, f[i]); - } - } - - // Step 3 - radix(f0, f1, f, m_f); - - // Step 4: compute gammas and deltas - for (i = 0; i + 1 < m; ++i) { - gammas[i] = PQCLEAN_HQCRMRS256_CLEAN_gf_mul(betas[i], PQCLEAN_HQCRMRS256_CLEAN_gf_inverse(betas[m - 1])); - deltas[i] = PQCLEAN_HQCRMRS256_CLEAN_gf_square(gammas[i]) ^ gammas[i]; - } - - // Compute gammas sums - compute_subset_sums(gammas_sums, gammas, m - 1); - - // Step 5 - fft_rec(u, f0, (f_coeffs + 1) / 2, m - 1, m_f - 1, deltas); - - k = 1; - k <<= ((m - 1) & 0xf); // &0xf is to let the compiler know that m-1 is small. - if (f_coeffs <= 3) { // 3-coefficient polynomial f case: f1 is constant - w[0] = u[0]; - w[k] = u[0] ^ f1[0]; - for (i = 1; i < k; ++i) { - w[i] = u[i] ^ PQCLEAN_HQCRMRS256_CLEAN_gf_mul(gammas_sums[i], f1[0]); - w[k + i] = w[i] ^ f1[0]; - } - } else { - fft_rec(v, f1, f_coeffs / 2, m - 1, m_f - 1, deltas); - - // Step 6 - memcpy(w + k, v, 2 * k); - w[0] = u[0]; - w[k] ^= u[0]; - for (i = 1; i < k; ++i) { - w[i] = u[i] ^ PQCLEAN_HQCRMRS256_CLEAN_gf_mul(gammas_sums[i], v[i]); - w[k + i] ^= w[i]; - } - } -} - - - -/** - * @brief Evaluates f on all fields elements using an additive FFT algorithm - * - * f_coeffs is the number of coefficients of f (one less than its degree).
- * The FFT proceeds recursively to evaluate f at all subset sums of a basis B.
- * This implementation is based on the paper from Gao and Mateer:
- * Shuhong Gao and Todd Mateer, Additive Fast Fourier Transforms over Finite Fields,
- * IEEE Transactions on Information Theory 56 (2010), 6265--6272.
- * http://www.math.clemson.edu/~sgao/papers/GM10.pdf
- * and includes improvements proposed by Bernstein, Chou and Schwabe here:
- * https://binary.cr.yp.to/mcbits-20130616.pdf
- * Note that on this first call (as opposed to the recursive calls to fft_rec), gammas are equal to betas,
- * meaning the first gammas subset sums are actually the subset sums of betas (except 1).
- * Also note that f is altered during computation (twisted at each level). - * - * @param[out] w Array - * @param[in] f Array of 2^PARAM_FFT elements - * @param[in] f_coeffs Number coefficients of f (i.e. deg(f)+1) - */ -void PQCLEAN_HQCRMRS256_CLEAN_fft(uint16_t *w, const uint16_t *f, size_t f_coeffs) { - uint16_t betas[PARAM_M - 1] = {0}; - uint16_t betas_sums[1 << (PARAM_M - 1)] = {0}; - uint16_t f0[1 << (PARAM_FFT - 1)] = {0}; - uint16_t f1[1 << (PARAM_FFT - 1)] = {0}; - uint16_t deltas[PARAM_M - 1] = {0}; - uint16_t u[1 << (PARAM_M - 1)] = {0}; - uint16_t v[1 << (PARAM_M - 1)] = {0}; - - size_t i, k; - - // Follows Gao and Mateer algorithm - compute_fft_betas(betas); - - // Step 1: PARAM_FFT > 1, nothing to do - - // Compute gammas sums - compute_subset_sums(betas_sums, betas, PARAM_M - 1); - - // Step 2: beta_m = 1, nothing to do - - // Step 3 - radix(f0, f1, f, PARAM_FFT); - - // Step 4: Compute deltas - for (i = 0; i < PARAM_M - 1; ++i) { - deltas[i] = PQCLEAN_HQCRMRS256_CLEAN_gf_square(betas[i]) ^ betas[i]; - } - - // Step 5 - fft_rec(u, f0, (f_coeffs + 1) / 2, PARAM_M - 1, PARAM_FFT - 1, deltas); - fft_rec(v, f1, f_coeffs / 2, PARAM_M - 1, PARAM_FFT - 1, deltas); - - k = 1 << (PARAM_M - 1); - // Step 6, 7 and error polynomial computation - memcpy(w + k, v, 2 * k); - - // Check if 0 is root - w[0] = u[0]; - - // Check if 1 is root - w[k] ^= u[0]; - - // Find other roots - for (i = 1; i < k; ++i) { - w[i] = u[i] ^ PQCLEAN_HQCRMRS256_CLEAN_gf_mul(betas_sums[i], v[i]); - w[k + i] ^= w[i]; - } -} - - - -/** - * @brief Retrieves the error polynomial error from the evaluations w of the ELP (Error Locator Polynomial) on all field elements. 
- * - * @param[out] error Array with the error - * @param[out] error_compact Array with the error in a compact form - * @param[in] w Array of size 2^PARAM_M - */ -void PQCLEAN_HQCRMRS256_CLEAN_fft_retrieve_error_poly(uint8_t *error, const uint16_t *w) { - uint16_t gammas[PARAM_M - 1] = {0}; - uint16_t gammas_sums[1 << (PARAM_M - 1)] = {0}; - uint16_t k; - size_t i, index; - - compute_fft_betas(gammas); - compute_subset_sums(gammas_sums, gammas, PARAM_M - 1); - - k = 1 << (PARAM_M - 1); - error[0] ^= 1 ^ ((uint16_t) - w[0] >> 15); - error[0] ^= 1 ^ ((uint16_t) - w[k] >> 15); - - for (i = 1; i < k; ++i) { - index = PARAM_GF_MUL_ORDER - gf_log[gammas_sums[i]]; - error[index] ^= 1 ^ ((uint16_t) - w[i] >> 15); - - index = PARAM_GF_MUL_ORDER - gf_log[gammas_sums[i] ^ 1]; - error[index] ^= 1 ^ ((uint16_t) - w[k + i] >> 15); - } -} diff --git a/crypto_kem/hqc-rmrs-256/clean/fft.h b/crypto_kem/hqc-rmrs-256/clean/fft.h deleted file mode 100644 index e53d9daa..00000000 --- a/crypto_kem/hqc-rmrs-256/clean/fft.h +++ /dev/null @@ -1,18 +0,0 @@ -#ifndef FFT_H -#define FFT_H - - -/** - * @file fft.h - * Header file of fft.c - */ - -#include -#include - -void PQCLEAN_HQCRMRS256_CLEAN_fft(uint16_t *w, const uint16_t *f, size_t f_coeffs); - -void PQCLEAN_HQCRMRS256_CLEAN_fft_retrieve_error_poly(uint8_t *error, const uint16_t *w); - - -#endif diff --git a/crypto_kem/hqc-rmrs-256/clean/gf.c b/crypto_kem/hqc-rmrs-256/clean/gf.c deleted file mode 100644 index 1f10ccdf..00000000 --- a/crypto_kem/hqc-rmrs-256/clean/gf.c +++ /dev/null 
@@ -1,63 +0,0 @@ -#include "gf.h" -#include "parameters.h" -#include -/** - * @file gf.c - * Galois field implementation with multiplication using lookup tables - */ - - -/** - * @brief Multiplies nonzero element a by element b - * @returns the product a*b - * @param[in] a First element of GF(2^PARAM_M) to multiply (cannot be zero) - * @param[in] b Second element of GF(2^PARAM_M) to multiply (cannot be zero) - */ -uint16_t PQCLEAN_HQCRMRS256_CLEAN_gf_mul(uint16_t a, uint16_t b) { - uint16_t mask; - mask = (uint16_t) (-((int32_t) a) >> 31); // a != 0 - mask &= (uint16_t) (-((int32_t) b) >> 31); // b != 0 - return mask & gf_exp[PQCLEAN_HQCRMRS256_CLEAN_gf_mod(gf_log[a] + gf_log[b])]; -} - - - -/** - * @brief Squares an element of GF(2^PARAM_M) - * @returns a^2 - * @param[in] a Element of GF(2^PARAM_M) - */ -uint16_t PQCLEAN_HQCRMRS256_CLEAN_gf_square(uint16_t a) { - int16_t mask = (uint16_t) (-((int32_t) a) >> 31); // a != 0 - return mask & gf_exp[PQCLEAN_HQCRMRS256_CLEAN_gf_mod(2 * gf_log[a])]; -} - - - -/** - * @brief Computes the inverse of an element of GF(2^PARAM_M) - * @returns the inverse of a - * @param[in] a Element of GF(2^PARAM_M) - */ -uint16_t PQCLEAN_HQCRMRS256_CLEAN_gf_inverse(uint16_t a) { - int16_t mask = (uint16_t) (-((int32_t) a) >> 31); // a != 0 - return mask & gf_exp[PARAM_GF_MUL_ORDER - gf_log[a]]; -} - - - -/** - * @brief Returns i modulo 2^PARAM_M-1 - * i must be less than 2*(2^PARAM_M-1). - * Therefore, the return value is either i or i-2^PARAM_M+1. - * @returns i mod (2^PARAM_M-1) - * @param[in] i The integer whose modulo is taken - */ -uint16_t PQCLEAN_HQCRMRS256_CLEAN_gf_mod(uint16_t i) { - uint16_t tmp = (uint16_t) (i - PARAM_GF_MUL_ORDER); - - // mask = 0xffff if(i < PARAM_GF_MUL_ORDER) - uint16_t mask = -(tmp >> 15); - - return tmp + (mask & PARAM_GF_MUL_ORDER); -} diff --git a/crypto_kem/hqc-rmrs-256/clean/gf.h b/crypto_kem/hqc-rmrs-256/clean/gf.h deleted file mode 100644 index 0d94dd8d..00000000 
--- a/crypto_kem/hqc-rmrs-256/clean/gf.h
+++ /dev/null
@@ -1,39 +0,0 @@ -#ifndef GF_H -#define GF_H - - -/** - * @file gf.h - * Header file of gf.c - */ - -#include -#include - - -/** - * Powers of the root alpha of 1 + x^2 + x^3 + x^4 + x^8. - * The last two elements are needed by the PQCLEAN_HQCRMRS256_CLEAN_gf_mul function - * (for example if both elements to multiply are zero). - */ -static const uint16_t gf_exp[258] = { 1, 2, 4, 8, 16, 32, 64, 128, 29, 58, 116, 232, 205, 135, 19, 38, 76, 152, 45, 90, 180, 117, 234, 201, 143, 3, 6, 12, 24, 48, 96, 192, 157, 39, 78, 156, 37, 74, 148, 53, 106, 212, 181, 119, 238, 193, 159, 35, 70, 140, 5, 10, 20, 40, 80, 160, 93, 186, 105, 210, 185, 111, 222, 161, 95, 190, 97, 194, 153, 47, 94, 188, 101, 202, 137, 15, 30, 60, 120, 240, 253, 231, 211, 187, 107, 214, 177, 127, 254, 225, 223, 163, 91, 182, 113, 226, 217, 175, 67, 134, 17, 34, 68, 136, 13, 26, 52, 104, 208, 189, 103, 206, 129, 31, 62, 124, 248, 237, 199, 147, 59, 118, 236, 197, 151, 51, 102, 204, 133, 23, 46, 92, 184, 109, 218, 169, 79, 158, 33, 66, 132, 21, 42, 84, 168, 77, 154, 41, 82, 164, 85, 170, 73, 146, 57, 114, 228, 213, 183, 115, 230, 209, 191, 99, 198, 145, 63, 126, 252, 229, 215, 179, 123, 246, 241, 255, 227, 219, 171, 75, 150, 49, 98, 196, 149, 55, 110, 220, 165, 87, 174, 65, 130, 25, 50, 100, 200, 141, 7, 14, 28, 56, 112, 224, 221, 167, 83, 166, 81, 162, 89, 178, 121, 242, 249, 239, 195, 155, 43, 86, 172, 69, 138, 9, 18, 36, 72, 144, 61, 122, 244, 245, 247, 243, 251, 235, 203, 139, 11, 22, 44, 88, 176, 125, 250, 233, 207, 131, 27, 54, 108, 216, 173, 71, 142, 1, 2, 4 }; - - - -/** - * Logarithm of elements of GF(2^8) to the base alpha (root of 1 + x^2 + x^3 + x^4 + x^8). - * The logarithm of 0 is set to 0 by convention. 
- */ -static const uint16_t gf_log[256] = { 0, 0, 1, 25, 2, 50, 26, 198, 3, 223, 51, 238, 27, 104, 199, 75, 4, 100, 224, 14, 52, 141, 239, 129, 28, 193, 105, 248, 200, 8, 76, 113, 5, 138, 101, 47, 225, 36, 15, 33, 53, 147, 142, 218, 240, 18, 130, 69, 29, 181, 194, 125, 106, 39, 249, 185, 201, 154, 9, 120, 77, 228, 114, 166, 6, 191, 139, 98, 102, 221, 48, 253, 226, 152, 37, 179, 16, 145, 34, 136, 54, 208, 148, 206, 143, 150, 219, 189, 241, 210, 19, 92, 131, 56, 70, 64, 30, 66, 182, 163, 195, 72, 126, 110, 107, 58, 40, 84, 250, 133, 186, 61, 202, 94, 155, 159, 10, 21, 121, 43, 78, 212, 229, 172, 115, 243, 167, 87, 7, 112, 192, 247, 140, 128, 99, 13, 103, 74, 222, 237, 49, 197, 254, 24, 227, 165, 153, 119, 38, 184, 180, 124, 17, 68, 146, 217, 35, 32, 137, 46, 55, 63, 209, 91, 149, 188, 207, 205, 144, 135, 151, 178, 220, 252, 190, 97, 242, 86, 211, 171, 20, 42, 93, 158, 132, 60, 57, 83, 71, 109, 65, 162, 31, 45, 67, 216, 183, 123, 164, 118, 196, 23, 73, 236, 127, 12, 111, 246, 108, 161, 59, 82, 41, 157, 85, 170, 251, 96, 134, 177, 187, 204, 62, 90, 203, 89, 95, 176, 156, 169, 160, 81, 11, 245, 22, 235, 122, 117, 44, 215, 79, 174, 213, 233, 230, 231, 173, 232, 116, 214, 244, 234, 168, 80, 88, 175 }; - - -uint16_t PQCLEAN_HQCRMRS256_CLEAN_gf_mul(uint16_t a, uint16_t b); - -uint16_t PQCLEAN_HQCRMRS256_CLEAN_gf_square(uint16_t a); - -uint16_t PQCLEAN_HQCRMRS256_CLEAN_gf_inverse(uint16_t a); - -uint16_t PQCLEAN_HQCRMRS256_CLEAN_gf_mod(uint16_t i); - - -#endif diff --git a/crypto_kem/hqc-rmrs-256/clean/gf2x.c b/crypto_kem/hqc-rmrs-256/clean/gf2x.c deleted file mode 100644 index bcd1f985..00000000 --- a/crypto_kem/hqc-rmrs-256/clean/gf2x.c +++ /dev/null 
@@ -1,154 +0,0 @@ -#include "gf2x.h" -#include "nistseedexpander.h" -#include "parameters.h" -#include "parsing.h" -#include "randombytes.h" -#include -/** - * \file gf2x.c - * \brief Implementation of multiplication of two polynomials - */ - - -static inline void swap(uint16_t *tab, uint16_t elt1, uint16_t elt2); -static void reduce(uint64_t *o, const uint64_t *a); -static void fast_convolution_mult(uint8_t *o, const uint32_t *a1, const uint64_t *a2, uint16_t weight, AES_XOF_struct *ctx); - -/** - * @brief swap two elements in a table - * - * This function exchanges tab[elt1] with tab[elt2] - * - * @param[in] tab Pointer to the table - * @param[in] elt1 Index of the first element - * @param[in] elt2 Index of the second element - */ -static inline void swap(uint16_t *tab, uint16_t elt1, uint16_t elt2) { - uint16_t tmp = tab[elt1]; - - tab[elt1] = tab[elt2]; - tab[elt2] = tmp; -} - - - -/** - * @brief Compute o(x) = a(x) mod \f$ X^n - 1\f$ - * - * This function computes the modular reduction of the polynomial a(x) - * - * @param[in] a Pointer to the polynomial a(x) - * @param[out] o Pointer to the result - */ -static void reduce(uint64_t *o, const uint64_t *a) { - size_t i; - uint64_t r; - uint64_t carry; - - for (i = 0; i < VEC_N_SIZE_64; i++) { - r = a[i + VEC_N_SIZE_64 - 1] >> (PARAM_N & 63); - carry = (uint64_t) (a[i + VEC_N_SIZE_64] << (64 - (PARAM_N & 63))); - o[i] = a[i] ^ r ^ carry; - } - - o[VEC_N_SIZE_64 - 1] &= RED_MASK; -} - - - -/** - * @brief computes product of the polynomial a1(x) with the sparse polynomial a2 - * - * o(x) = a1(x)a2(x) - * - * @param[out] o Pointer to the result - * @param[in] a1 Pointer to the sparse polynomial a2 (list of degrees of the monomials which appear in a2) - * @param[in] a2 Pointer to the polynomial a1(x) - * @param[in] weight Hamming wifht of the sparse polynomial a2 - * @param[in] ctx Pointer to a seed expander used to randomize the multiplication process - */ -static void fast_convolution_mult(uint8_t *o, const 
uint32_t *a1, const uint64_t *a2, uint16_t weight, AES_XOF_struct *ctx) { -//static uint32_t fast_convolution_mult(const uint64_t *A, const uint32_t *vB, uint64_t *C, const uint16_t w, AES_XOF_struct *ctx) - uint64_t carry; - uint32_t dec, s; - uint64_t table[16 * (VEC_N_SIZE_64 + 1)]; - uint16_t permuted_table[16]; - uint16_t permutation_table[16]; - uint16_t permuted_sparse_vect[PARAM_OMEGA_E]; - uint16_t permutation_sparse_vect[PARAM_OMEGA_E]; - uint64_t tmp; - uint64_t *pt; - uint8_t *res; - size_t i, j; - - for (i = 0; i < 16; i++) { - permuted_table[i] = (uint16_t) i; - } - - seedexpander(ctx, (uint8_t *) permutation_table, 16 * sizeof(uint16_t)); - - for (i = 0; i < 15; i++) { - swap(permuted_table + i, 0, permutation_table[i] % (16 - i)); - } - - pt = table + (permuted_table[0] * (VEC_N_SIZE_64 + 1)); - for (j = 0; j < VEC_N_SIZE_64; j++) { - pt[j] = a2[j]; - } - pt[VEC_N_SIZE_64] = 0x0; - - for (i = 1; i < 16; i++) { - carry = 0; - pt = table + (permuted_table[i] * (VEC_N_SIZE_64 + 1)); - for (j = 0; j < VEC_N_SIZE_64; j++) { - pt[j] = (a2[j] << i) ^ carry; - carry = (a2[j] >> ((64 - i))); - } - pt[VEC_N_SIZE_64] = carry; - } - - for (i = 0; i < weight; i++) { - permuted_sparse_vect[i] = (uint16_t) i; - } - - seedexpander(ctx, (uint8_t *) permutation_sparse_vect, weight * sizeof(uint16_t)); - - for (i = 0; i + 1 < weight; i++) { - swap(permuted_sparse_vect + i, 0, (uint16_t) (permutation_sparse_vect[i] % (weight - i))); - } - - for (i = 0; i < weight; i++) { - dec = a1[permuted_sparse_vect[i]] & 0xf; - s = a1[permuted_sparse_vect[i]] >> 4; - res = o + 2 * s; - pt = table + (permuted_table[dec] * (VEC_N_SIZE_64 + 1)); - - for (j = 0; j < VEC_N_SIZE_64 + 1; j++) { - tmp = PQCLEAN_HQCRMRS256_CLEAN_load8(res); - PQCLEAN_HQCRMRS256_CLEAN_store8(res, tmp ^ pt[j]); - res += 8; - } - } -} - - - -/** - * @brief Multiply two polynomials modulo \f$ X^n - 1\f$. 
- * - * This functions multiplies a sparse polynomial a1 (of Hamming weight equal to weight) - * and a dense polynomial a2. The multiplication is done modulo \f$ X^n - 1\f$. - * - * @param[out] o Pointer to the result - * @param[in] a1 Pointer to the sparse polynomial - * @param[in] a2 Pointer to the dense polynomial - * @param[in] weight Integer that is the weigt of the sparse polynomial - * @param[in] ctx Pointer to the randomness context - */ -void PQCLEAN_HQCRMRS256_CLEAN_vect_mul(uint64_t *o, const uint32_t *a1, const uint64_t *a2, uint16_t weight, AES_XOF_struct *ctx) { - uint64_t tmp[2 * VEC_N_SIZE_64 + 1] = {0}; - - fast_convolution_mult((uint8_t *) tmp, a1, a2, weight, ctx); - PQCLEAN_HQCRMRS256_CLEAN_load8_arr(tmp, 2 * VEC_N_SIZE_64 + 1, (uint8_t *) tmp, sizeof(tmp)); - reduce(o, tmp); -} diff --git a/crypto_kem/hqc-rmrs-256/clean/gf2x.h b/crypto_kem/hqc-rmrs-256/clean/gf2x.h deleted file mode 100644 index 0aa8cf5f..00000000 --- a/crypto_kem/hqc-rmrs-256/clean/gf2x.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef GF2X_H -#define GF2X_H - - -/** - * @file gf2x.h - * @brief Header file for gf2x.c - */ -#include "nistseedexpander.h" -#include "randombytes.h" -#include - -void PQCLEAN_HQCRMRS256_CLEAN_vect_mul(uint64_t *o, const uint32_t *a1, const uint64_t *a2, uint16_t weight, AES_XOF_struct *ctx); - - -#endif diff --git a/crypto_kem/hqc-rmrs-256/clean/hqc.c b/crypto_kem/hqc-rmrs-256/clean/hqc.c deleted file mode 100644 index fdf908c2..00000000 --- a/crypto_kem/hqc-rmrs-256/clean/hqc.c +++ /dev/null 
@@ -1,144 +0,0 @@ -#include "code.h" -#include "gf2x.h" -#include "hqc.h" -#include "nistseedexpander.h" -#include "parameters.h" -#include "parsing.h" -#include "randombytes.h" -#include "vector.h" -#include -/** - * @file hqc.c - * @brief Implementation of hqc.h - */ - - - -/** - * @brief Keygen of the HQC_PKE IND_CPA scheme - * - * The public key is composed of the syndrome s as well as the seed used to generate the vector h. - * - * The secret key is composed of the seed used to generate vectors x and y. - * As a technicality, the public key is appended to the secret key in order to respect NIST API. - * - * @param[out] pk String containing the public key - * @param[out] sk String containing the secret key - */ -void PQCLEAN_HQCRMRS256_CLEAN_hqc_pke_keygen(unsigned char *pk, unsigned char *sk) { - AES_XOF_struct sk_seedexpander; - AES_XOF_struct pk_seedexpander; - uint8_t sk_seed[SEED_BYTES] = {0}; - uint8_t pk_seed[SEED_BYTES] = {0}; - uint64_t x[VEC_N_SIZE_64] = {0}; - uint32_t y[PARAM_OMEGA] = {0}; - uint64_t h[VEC_N_SIZE_64] = {0}; - uint64_t s[VEC_N_SIZE_64] = {0}; - - // Create seed_expanders for public key and secret key - randombytes(sk_seed, SEED_BYTES); - seedexpander_init(&sk_seedexpander, sk_seed, sk_seed + 32, SEEDEXPANDER_MAX_LENGTH); - - randombytes(pk_seed, SEED_BYTES); - seedexpander_init(&pk_seedexpander, pk_seed, pk_seed + 32, SEEDEXPANDER_MAX_LENGTH); - - // Compute secret key - PQCLEAN_HQCRMRS256_CLEAN_vect_set_random_fixed_weight(&sk_seedexpander, x, PARAM_OMEGA); - PQCLEAN_HQCRMRS256_CLEAN_vect_set_random_fixed_weight_by_coordinates(&sk_seedexpander, y, PARAM_OMEGA); - - // Compute public key - PQCLEAN_HQCRMRS256_CLEAN_vect_set_random(&pk_seedexpander, h); - PQCLEAN_HQCRMRS256_CLEAN_vect_mul(s, y, h, PARAM_OMEGA, &sk_seedexpander); - PQCLEAN_HQCRMRS256_CLEAN_vect_add(s, x, s, VEC_N_SIZE_64); - - // Parse keys to string - PQCLEAN_HQCRMRS256_CLEAN_hqc_public_key_to_string(pk, pk_seed, s); - 
PQCLEAN_HQCRMRS256_CLEAN_hqc_secret_key_to_string(sk, sk_seed, pk); - -} - - - -/** - * @brief Encryption of the HQC_PKE IND_CPA scheme - * - * The cihertext is composed of vectors u and v. - * - * @param[out] u Vector u (first part of the ciphertext) - * @param[out] v Vector v (second part of the ciphertext) - * @param[in] m Vector representing the message to encrypt - * @param[in] theta Seed used to derive randomness required for encryption - * @param[in] pk String containing the public key - */ -void PQCLEAN_HQCRMRS256_CLEAN_hqc_pke_encrypt(uint64_t *u, uint64_t *v, uint8_t *m, unsigned char *theta, const unsigned char *pk) { - AES_XOF_struct seedexpander; - uint64_t h[VEC_N_SIZE_64] = {0}; - uint64_t s[VEC_N_SIZE_64] = {0}; - uint64_t r1[VEC_N_SIZE_64] = {0}; - uint32_t r2[PARAM_OMEGA_R] = {0}; - uint64_t e[VEC_N_SIZE_64] = {0}; - uint64_t tmp1[VEC_N_SIZE_64] = {0}; - uint64_t tmp2[VEC_N_SIZE_64] = {0}; - - // Create seed_expander from theta - seedexpander_init(&seedexpander, theta, theta + 32, SEEDEXPANDER_MAX_LENGTH); - - // Retrieve h and s from public key - PQCLEAN_HQCRMRS256_CLEAN_hqc_public_key_from_string(h, s, pk); - - // Generate r1, r2 and e - PQCLEAN_HQCRMRS256_CLEAN_vect_set_random_fixed_weight(&seedexpander, r1, PARAM_OMEGA_R); - PQCLEAN_HQCRMRS256_CLEAN_vect_set_random_fixed_weight_by_coordinates(&seedexpander, r2, PARAM_OMEGA_R); - PQCLEAN_HQCRMRS256_CLEAN_vect_set_random_fixed_weight(&seedexpander, e, PARAM_OMEGA_E); - - // Compute u = r1 + r2.h - PQCLEAN_HQCRMRS256_CLEAN_vect_mul(u, r2, h, PARAM_OMEGA_R, &seedexpander); - PQCLEAN_HQCRMRS256_CLEAN_vect_add(u, r1, u, VEC_N_SIZE_64); - - // Compute v = m.G by encoding the message - PQCLEAN_HQCRMRS256_CLEAN_code_encode((uint8_t *)v, m); - PQCLEAN_HQCRMRS256_CLEAN_load8_arr(v, VEC_N1N2_SIZE_64, (uint8_t *)v, VEC_N1N2_SIZE_BYTES); - PQCLEAN_HQCRMRS256_CLEAN_vect_resize(tmp1, PARAM_N, v, PARAM_N1N2); - - // Compute v = m.G + s.r2 + e - PQCLEAN_HQCRMRS256_CLEAN_vect_mul(tmp2, r2, s, PARAM_OMEGA_R, 
&seedexpander); - PQCLEAN_HQCRMRS256_CLEAN_vect_add(tmp2, e, tmp2, VEC_N_SIZE_64); - PQCLEAN_HQCRMRS256_CLEAN_vect_add(tmp2, tmp1, tmp2, VEC_N_SIZE_64); - PQCLEAN_HQCRMRS256_CLEAN_vect_resize(v, PARAM_N1N2, tmp2, PARAM_N); - -} - - - -/** - * @brief Decryption of the HQC_PKE IND_CPA scheme - * - * @param[out] m Vector representing the decrypted message - * @param[in] u Vector u (first part of the ciphertext) - * @param[in] v Vector v (second part of the ciphertext) - * @param[in] sk String containing the secret key - */ -void PQCLEAN_HQCRMRS256_CLEAN_hqc_pke_decrypt(uint8_t *m, const uint64_t *u, const uint64_t *v, const unsigned char *sk) { - uint8_t pk[PUBLIC_KEY_BYTES] = {0}; - uint64_t tmp1[VEC_N_SIZE_64] = {0}; - uint64_t tmp2[VEC_N_SIZE_64] = {0}; - uint32_t y[PARAM_OMEGA] = {0}; - AES_XOF_struct perm_seedexpander; - uint8_t perm_seed[SEED_BYTES] = {0}; - - // Retrieve x, y, pk from secret key - PQCLEAN_HQCRMRS256_CLEAN_hqc_secret_key_from_string(tmp1, y, pk, sk); - - randombytes(perm_seed, SEED_BYTES); - seedexpander_init(&perm_seedexpander, perm_seed, perm_seed + 32, SEEDEXPANDER_MAX_LENGTH); - - // Compute v - u.y - PQCLEAN_HQCRMRS256_CLEAN_vect_resize(tmp1, PARAM_N, v, PARAM_N1N2); - PQCLEAN_HQCRMRS256_CLEAN_vect_mul(tmp2, y, u, PARAM_OMEGA, &perm_seedexpander); - PQCLEAN_HQCRMRS256_CLEAN_vect_add(tmp2, tmp1, tmp2, VEC_N_SIZE_64); - - - // Compute m by decoding v - u.y - PQCLEAN_HQCRMRS256_CLEAN_store8_arr((uint8_t *)tmp1, VEC_N_SIZE_BYTES, tmp2, VEC_N_SIZE_64); - PQCLEAN_HQCRMRS256_CLEAN_code_decode(m, (uint8_t *)tmp1); -} diff --git a/crypto_kem/hqc-rmrs-256/clean/hqc.h b/crypto_kem/hqc-rmrs-256/clean/hqc.h deleted file mode 100644 index ade5dfc9..00000000 --- a/crypto_kem/hqc-rmrs-256/clean/hqc.h +++ /dev/null 
@@ -1,19 +0,0 @@ -#ifndef HQC_H -#define HQC_H - - -/** - * @file hqc.h - * @brief Functions of the HQC_PKE IND_CPA scheme - */ - -#include - -void PQCLEAN_HQCRMRS256_CLEAN_hqc_pke_keygen(unsigned char *pk, unsigned char *sk); - -void PQCLEAN_HQCRMRS256_CLEAN_hqc_pke_encrypt(uint64_t *u, uint64_t *v, uint8_t *m, unsigned char *theta, const unsigned char *pk); - -void PQCLEAN_HQCRMRS256_CLEAN_hqc_pke_decrypt(uint8_t *m, const uint64_t *u, const uint64_t *v, const unsigned char *sk); - - -#endif diff --git a/crypto_kem/hqc-rmrs-256/clean/kem.c b/crypto_kem/hqc-rmrs-256/clean/kem.c deleted file mode 100644 index 3320be82..00000000 --- a/crypto_kem/hqc-rmrs-256/clean/kem.c +++ /dev/null 
@@ -1,140 +0,0 @@
-#include "api.h"
-#include "fips202.h"
-#include "hqc.h"
-#include "nistseedexpander.h"
-#include "parameters.h"
-#include "parsing.h"
-#include "randombytes.h"
-#include "sha2.h"
-#include "vector.h"
-#include
-#include
-/**
- * @file kem.c
- * @brief Implementation of api.h
- */
-
-
-
-/**
- * @brief Keygen of the HQC_KEM IND_CAA2 scheme
- *
- * The public key is composed of the syndrome s as well as the seed used to generate the vector h.
- *
- * The secret key is composed of the seed used to generate vectors x and y.
- * As a technicality, the public key is appended to the secret key in order to respect NIST API.
- *
- * @param[out] pk String containing the public key
- * @param[out] sk String containing the secret key
- * @returns 0 if keygen is successful
- */
-int PQCLEAN_HQCRMRS256_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) {
-
- PQCLEAN_HQCRMRS256_CLEAN_hqc_pke_keygen(pk, sk);
- return 0;
-}
-
-
-
-/**
- * @brief Encapsulation of the HQC_KEM IND_CAA2 scheme
- *
- * @param[out] ct String containing the ciphertext
- * @param[out] ss String containing the shared secret
- * @param[in] pk String containing the public key
- * @returns 0 if encapsulation is successful
- */
-int PQCLEAN_HQCRMRS256_CLEAN_crypto_kem_enc(unsigned char *ct, unsigned char *ss, const unsigned char *pk) {
-
- uint8_t theta[SHA512_BYTES] = {0};
- uint8_t m[VEC_K_SIZE_BYTES] = {0};
- uint64_t u[VEC_N_SIZE_64] = {0};
- uint64_t v[VEC_N1N2_SIZE_64] = {0};
- unsigned char d[SHA512_BYTES] = {0};
- unsigned char mc[VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES] = {0};
-
- // Computing m
- randombytes(m, VEC_K_SIZE_BYTES);
-
- // Computing theta
- sha3_512(theta, m, VEC_K_SIZE_BYTES);
-
- // Encrypting m
- PQCLEAN_HQCRMRS256_CLEAN_hqc_pke_encrypt(u, v, m, theta, pk);
-
- // Computing d
- sha512(d, m, VEC_K_SIZE_BYTES);
-
- // Computing shared secret
- memcpy(mc, m, VEC_K_SIZE_BYTES);
- PQCLEAN_HQCRMRS256_CLEAN_store8_arr(mc + VEC_K_SIZE_BYTES,
VEC_N_SIZE_BYTES, u, VEC_N_SIZE_64);
- PQCLEAN_HQCRMRS256_CLEAN_store8_arr(mc + VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES, VEC_N1N2_SIZE_BYTES, v, VEC_N1N2_SIZE_64);
- sha512(ss, mc, VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES);
-
- // Computing ciphertext
- PQCLEAN_HQCRMRS256_CLEAN_hqc_ciphertext_to_string(ct, u, v, d);
-
-
- return 0;
-}
-
-
-
-/**
- * @brief Decapsulation of the HQC_KEM IND_CAA2 scheme
- *
- * @param[out] ss String containing the shared secret
- * @param[in] ct String containing the cipĥertext
- * @param[in] sk String containing the secret key
- * @returns 0 if decapsulation is successful, -1 otherwise
- */
-int PQCLEAN_HQCRMRS256_CLEAN_crypto_kem_dec(unsigned char *ss, const unsigned char *ct, const unsigned char *sk) {
-
- uint8_t result;
- uint64_t u[VEC_N_SIZE_64] = {0};
- uint64_t v[VEC_N1N2_SIZE_64] = {0};
- unsigned char d[SHA512_BYTES] = {0};
- unsigned char pk[PUBLIC_KEY_BYTES] = {0};
- uint8_t m[VEC_K_SIZE_BYTES] = {0};
- uint8_t theta[SHA512_BYTES] = {0};
- uint64_t u2[VEC_N_SIZE_64] = {0};
- uint64_t v2[VEC_N1N2_SIZE_64] = {0};
- unsigned char d2[SHA512_BYTES] = {0};
- unsigned char mc[VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES] = {0};
-
- // Retrieving u, v and d from ciphertext
- PQCLEAN_HQCRMRS256_CLEAN_hqc_ciphertext_from_string(u, v, d, ct);
-
- // Retrieving pk from sk
- memcpy(pk, sk + SEED_BYTES, PUBLIC_KEY_BYTES);
-
- // Decryting
- PQCLEAN_HQCRMRS256_CLEAN_hqc_pke_decrypt(m, u, v, sk);
-
- // Computing theta
- sha3_512(theta, m, VEC_K_SIZE_BYTES);
-
- // Encrypting m'
- PQCLEAN_HQCRMRS256_CLEAN_hqc_pke_encrypt(u2, v2, m, theta, pk);
-
- // Computing d'
- sha512(d2, m, VEC_K_SIZE_BYTES);
-
- // Computing shared secret
- memcpy(mc, m, VEC_K_SIZE_BYTES);
- PQCLEAN_HQCRMRS256_CLEAN_store8_arr(mc + VEC_K_SIZE_BYTES, VEC_N_SIZE_BYTES, u, VEC_N_SIZE_64);
- PQCLEAN_HQCRMRS256_CLEAN_store8_arr(mc + VEC_K_SIZE_BYTES + VEC_N_SIZE_BYTES, VEC_N1N2_SIZE_BYTES, v, VEC_N1N2_SIZE_64);
- sha512(ss, mc, VEC_K_SIZE_BYTES
+ VEC_N_SIZE_BYTES + VEC_N1N2_SIZE_BYTES);
-
- // Abort if c != c' or d != d'
- result = PQCLEAN_HQCRMRS256_CLEAN_vect_compare((uint8_t *)u, (uint8_t *)u2, VEC_N_SIZE_BYTES);
- result |= PQCLEAN_HQCRMRS256_CLEAN_vect_compare((uint8_t *)v, (uint8_t *)v2, VEC_N1N2_SIZE_BYTES);
- result |= PQCLEAN_HQCRMRS256_CLEAN_vect_compare(d, d2, SHA512_BYTES);
- result = (uint8_t) (-((int16_t) result) >> 15);
- for (size_t i = 0; i < SHARED_SECRET_BYTES; i++) {
- ss[i] &= ~result;
- }
-
-
- return -(result & 1);
-}
diff --git a/crypto_kem/hqc-rmrs-256/clean/parameters.h b/crypto_kem/hqc-rmrs-256/clean/parameters.h
deleted file mode 100644
index 69d0f17c..00000000
--- a/crypto_kem/hqc-rmrs-256/clean/parameters.h
+++ /dev/null
@@ -1,98 +0,0 @@
-#ifndef HQC_PARAMETERS_H
-#define HQC_PARAMETERS_H
-
-
-/**
- * @file parameters.h
- * @brief Parameters of the HQC_KEM IND-CCA2 scheme
- */
-#include "api.h"
-
-
-#define CEIL_DIVIDE(a, b) (((a)+(b)-1)/(b)) /*!< Divide a by b and ceil the result*/
-
-/*
- #define PARAM_N Define the parameter n of the scheme
- #define PARAM_N1 Define the parameter n1 of the scheme (length of Reed-Solomon code)
- #define PARAM_N2 Define the parameter n2 of the scheme (length of Duplicated Reed-Muller code)
- #define PARAM_N1N2 Define the length in bits of the Concatenated code
- #define PARAM_OMEGA Define the parameter omega of the scheme
- #define PARAM_OMEGA_E Define the parameter omega_e of the scheme
- #define PARAM_OMEGA_R Define the parameter omega_r of the scheme
- #define PARAM_SECURITY Define the security level corresponding to the chosen parameters
- #define PARAM_DFR_EXP Define the decryption failure rate corresponding to the chosen parameters
-
- #define SECRET_KEY_BYTES Define the size of the secret key in bytes
- #define PUBLIC_KEY_BYTES Define the size of the public key in bytes
- #define SHARED_SECRET_BYTES Define the size of the shared secret in bytes
- #define CIPHERTEXT_BYTES Define the size of the ciphertext in bytes
-
- #define UTILS_REJECTION_THRESHOLD Define the rejection threshold used to generate given weight vectors (see vector_set_random_fixed_weight function)
- #define VEC_N_SIZE_BYTES Define the size of the array used to store a PARAM_N sized vector in bytes
- #define VEC_K_SIZE_BYTES Define the size of the array used to store a PARAM_K sized vector in bytes
- #define VEC_N1Y_SIZE_BYTES Define the size of the array used to store a PARAM_N1 sized vector in bytes
- #define VEC_N1N2_SIZE_BYTES Define the size of the array used to store a PARAM_N1N2 sized vector in bytes
-
- #define VEC_N_SIZE_64 Define the size of the array used to store a PARAM_N sized vector in 64 bits
- #define VEC_K_SIZE_64 Define the size of the array used to store a
PARAM_K sized vector in 64 bits - #define VEC_N1_SIZE_64 Define the size of the array used to store a PARAM_N1 sized vector in 64 bits - #define VEC_N1N2_SIZE_64 Define the size of the array used to store a PARAM_N1N2 sized vector in 64 bits - - #define PARAM_DELTA Define the parameter delta of the scheme (correcting capacity of the Reed-Solomon code) - #define PARAM_M Define a positive integer - #define PARAM_GF_POLY Generator polynomial of galois field GF(2^PARAM_M), represented in hexadecimial form - #define PARAM_GF_MUL_ORDER Define the size of the multiplicative group of GF(2^PARAM_M), i.e 2^PARAM_M -1 - #define PARAM_K Define the size of the information bits of the Reed-Solomon code - #define PARAM_G Define the size of the generator polynomial of Reed-Solomon code - #define PARAM_FFT The additive FFT takes a 2^PARAM_FFT polynomial as input - We use the FFT to compute the roots of sigma, whose degree if PARAM_DELTA=24 - The smallest power of 2 greater than 24+1 is 32=2^5 - #define RS_POLY_COEFS Coefficients of the generator polynomial of the Reed-Solomon code - - #define RED_MASK A mask fot the higher bits of a vector - #define SHA512_BYTES Define the size of SHA512 output in bytes - #define SEED_BYTES Define the size of the seed in bytes - #define SEEDEXPANDER_MAX_LENGTH Define the seed expander max length -*/ - -#define PARAM_N 57637 -#define PARAM_N1 90 -#define PARAM_N2 640 -#define PARAM_N1N2 57600 -#define PARAM_OMEGA 131 -#define PARAM_OMEGA_E 149 -#define PARAM_OMEGA_R 149 -#define PARAM_SECURITY 256 -#define PARAM_DFR_EXP 256 - -#define SECRET_KEY_BYTES PQCLEAN_HQCRMRS256_CLEAN_CRYPTO_SECRETKEYBYTES -#define PUBLIC_KEY_BYTES PQCLEAN_HQCRMRS256_CLEAN_CRYPTO_PUBLICKEYBYTES -#define SHARED_SECRET_BYTES PQCLEAN_HQCRMRS256_CLEAN_CRYPTO_BYTES -#define CIPHERTEXT_BYTES PQCLEAN_HQCRMRS256_CLEAN_CRYPTO_CIPHERTEXTBYTES - -#define UTILS_REJECTION_THRESHOLD 16772367 -#define VEC_N_SIZE_BYTES CEIL_DIVIDE(PARAM_N, 8) -#define VEC_K_SIZE_BYTES PARAM_K -#define 
VEC_N1_SIZE_BYTES PARAM_N1
-#define VEC_N1N2_SIZE_BYTES CEIL_DIVIDE(PARAM_N1N2, 8)
-
-#define VEC_N_SIZE_64 CEIL_DIVIDE(PARAM_N, 64)
-#define VEC_K_SIZE_64 CEIL_DIVIDE(PARAM_K, 8)
-#define VEC_N1_SIZE_64 CEIL_DIVIDE(PARAM_N1, 8)
-#define VEC_N1N2_SIZE_64 CEIL_DIVIDE(PARAM_N1N2, 64)
-
-#define PARAM_DELTA 29
-#define PARAM_M 8
-#define PARAM_GF_POLY 0x11D
-#define PARAM_GF_MUL_ORDER 255
-#define PARAM_K 32
-#define PARAM_G 59
-#define PARAM_FFT 5
-#define RS_POLY_COEFS 49,167,49,39,200,121,124,91,240,63,148,71,150,123,87,101,32,215,159,71,201,115,97,210,186,183,141,217,123,12,31,243,180,219,152,239,99,141,4,246,191,144,8,232,47,27,141,178,130,64,124,47,39,188,216,48,199,187,1
-
-#define RED_MASK 0x1fffffffff
-#define SHA512_BYTES 64
-#define SEED_BYTES 40
-#define SEEDEXPANDER_MAX_LENGTH 4294967295
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-256/clean/parsing.c b/crypto_kem/hqc-rmrs-256/clean/parsing.c
deleted file mode 100644
index 0178147a..00000000
--- a/crypto_kem/hqc-rmrs-256/clean/parsing.c
+++ /dev/null
@@ -1,186 +0,0 @@ -#include "nistseedexpander.h" -#include "parameters.h" -#include "parsing.h" -#include "randombytes.h" -#include "vector.h" -#include -#include -/** - * @file parsing.c - * @brief Functions to parse secret key, public key and ciphertext of the HQC scheme - */ - - -void PQCLEAN_HQCRMRS256_CLEAN_store8(unsigned char *out, uint64_t in) { - out[0] = (in >> 0x00) & 0xFF; - out[1] = (in >> 0x08) & 0xFF; - out[2] = (in >> 0x10) & 0xFF; - out[3] = (in >> 0x18) & 0xFF; - out[4] = (in >> 0x20) & 0xFF; - out[5] = (in >> 0x28) & 0xFF; - out[6] = (in >> 0x30) & 0xFF; - out[7] = (in >> 0x38) & 0xFF; -} - - -uint64_t PQCLEAN_HQCRMRS256_CLEAN_load8(const unsigned char *in) { - uint64_t ret = in[7]; - - for (int8_t i = 6; i >= 0; i--) { - ret <<= 8; - ret |= in[i]; - } - - return ret; -} - -void PQCLEAN_HQCRMRS256_CLEAN_load8_arr(uint64_t *out64, size_t outlen, const uint8_t *in8, size_t inlen) { - size_t index_in = 0; - size_t index_out = 0; - - // first copy by 8 bytes - if (inlen >= 8 && outlen >= 1) { - while (index_out < outlen && index_in + 8 <= inlen) { - out64[index_out] = PQCLEAN_HQCRMRS256_CLEAN_load8(in8 + index_in); - - index_in += 8; - index_out += 1; - } - } - - // we now need to do the last 7 bytes if necessary - if (index_in >= inlen || index_out >= outlen) { - return; - } - out64[index_out] = in8[inlen - 1]; - for (int8_t i = (int8_t)(inlen - index_in) - 2; i >= 0; i--) { - out64[index_out] <<= 8; - out64[index_out] |= in8[index_in + i]; - } -} - -void PQCLEAN_HQCRMRS256_CLEAN_store8_arr(uint8_t *out8, size_t outlen, const uint64_t *in64, size_t inlen) { - for (size_t index_out = 0, index_in = 0; index_out < outlen && index_in < inlen;) { - out8[index_out] = (in64[index_in] >> ((index_out % 8) * 8)) & 0xFF; - index_out++; - if (index_out % 8 == 0) { - index_in++; - } - } -} - - -/** - * @brief Parse a secret key into a string - * - * The secret key is composed of the seed used to generate vectors x and y. 
- * As technicality, the public key is appended to the secret key in order to respect NIST API. - * - * @param[out] sk String containing the secret key - * @param[in] sk_seed Seed used to generate the secret key - * @param[in] pk String containing the public key - */ -void PQCLEAN_HQCRMRS256_CLEAN_hqc_secret_key_to_string(uint8_t *sk, const uint8_t *sk_seed, const uint8_t *pk) { - memcpy(sk, sk_seed, SEED_BYTES); - sk += SEED_BYTES; - memcpy(sk, pk, PUBLIC_KEY_BYTES); -} - -/** - * @brief Parse a secret key from a string - * - * The secret key is composed of the seed used to generate vectors x and y. - * As technicality, the public key is appended to the secret key in order to respect NIST API. - * - * @param[out] x uint64_t representation of vector x - * @param[out] y uint32_t representation of vector y - * @param[out] pk String containing the public key - * @param[in] sk String containing the secret key - */ -void PQCLEAN_HQCRMRS256_CLEAN_hqc_secret_key_from_string(uint64_t *x, uint32_t *y, uint8_t *pk, const uint8_t *sk) { - AES_XOF_struct sk_seedexpander; - uint8_t sk_seed[SEED_BYTES] = {0}; - - memcpy(sk_seed, sk, SEED_BYTES); - sk += SEED_BYTES; - memcpy(pk, sk, PUBLIC_KEY_BYTES); - - seedexpander_init(&sk_seedexpander, sk_seed, sk_seed + 32, SEEDEXPANDER_MAX_LENGTH); - PQCLEAN_HQCRMRS256_CLEAN_vect_set_random_fixed_weight(&sk_seedexpander, x, PARAM_OMEGA); - PQCLEAN_HQCRMRS256_CLEAN_vect_set_random_fixed_weight_by_coordinates(&sk_seedexpander, y, PARAM_OMEGA); -} - -/** - * @brief Parse a public key into a string - * - * The public key is composed of the syndrome s as well as the seed used to generate the vector h - * - * @param[out] pk String containing the public key - * @param[in] pk_seed Seed used to generate the public key - * @param[in] s uint8_t representation of vector s - */ -void PQCLEAN_HQCRMRS256_CLEAN_hqc_public_key_to_string(uint8_t *pk, const uint8_t *pk_seed, const uint64_t *s) { - memcpy(pk, pk_seed, SEED_BYTES); - 
PQCLEAN_HQCRMRS256_CLEAN_store8_arr(pk + SEED_BYTES, VEC_N_SIZE_BYTES, s, VEC_N_SIZE_64); -} - - - -/** - * @brief Parse a public key from a string - * - * The public key is composed of the syndrome s as well as the seed used to generate the vector h - * - * @param[out] h uint8_t representation of vector h - * @param[out] s uint8_t representation of vector s - * @param[in] pk String containing the public key - */ -void PQCLEAN_HQCRMRS256_CLEAN_hqc_public_key_from_string(uint64_t *h, uint64_t *s, const uint8_t *pk) { - AES_XOF_struct pk_seedexpander; - uint8_t pk_seed[SEED_BYTES] = {0}; - - memcpy(pk_seed, pk, SEED_BYTES); - pk += SEED_BYTES; - PQCLEAN_HQCRMRS256_CLEAN_load8_arr(s, VEC_N_SIZE_64, pk, VEC_N_SIZE_BYTES); - - seedexpander_init(&pk_seedexpander, pk_seed, pk_seed + 32, SEEDEXPANDER_MAX_LENGTH); - PQCLEAN_HQCRMRS256_CLEAN_vect_set_random(&pk_seedexpander, h); -} - - -/** - * @brief Parse a ciphertext into a string - * - * The ciphertext is composed of vectors u, v and hash d. - * - * @param[out] ct String containing the ciphertext - * @param[in] u uint8_t representation of vector u - * @param[in] v uint8_t representation of vector v - * @param[in] d String containing the hash d - */ -void PQCLEAN_HQCRMRS256_CLEAN_hqc_ciphertext_to_string(uint8_t *ct, const uint64_t *u, const uint64_t *v, const uint8_t *d) { - PQCLEAN_HQCRMRS256_CLEAN_store8_arr(ct, VEC_N_SIZE_BYTES, u, VEC_N_SIZE_64); - ct += VEC_N_SIZE_BYTES; - PQCLEAN_HQCRMRS256_CLEAN_store8_arr(ct, VEC_N1N2_SIZE_BYTES, v, VEC_N1N2_SIZE_64); - ct += VEC_N1N2_SIZE_BYTES; - memcpy(ct, d, SHA512_BYTES); -} - - -/** - * @brief Parse a ciphertext from a string - * - * The ciphertext is composed of vectors u, v and hash d. 
- *
- * @param[out] u uint8_t representation of vector u
- * @param[out] v uint8_t representation of vector v
- * @param[out] d String containing the hash d
- * @param[in] ct String containing the ciphertext
- */
-void PQCLEAN_HQCRMRS256_CLEAN_hqc_ciphertext_from_string(uint64_t *u, uint64_t *v, uint8_t *d, const uint8_t *ct) {
- PQCLEAN_HQCRMRS256_CLEAN_load8_arr(u, VEC_N_SIZE_64, ct, VEC_N_SIZE_BYTES);
- ct += VEC_N_SIZE_BYTES;
- PQCLEAN_HQCRMRS256_CLEAN_load8_arr(v, VEC_N1N2_SIZE_64, ct, VEC_N1N2_SIZE_BYTES);
- ct += VEC_N1N2_SIZE_BYTES;
- memcpy(d, ct, SHA512_BYTES);
-}
diff --git a/crypto_kem/hqc-rmrs-256/clean/parsing.h b/crypto_kem/hqc-rmrs-256/clean/parsing.h
deleted file mode 100644
index 26eb332b..00000000
--- a/crypto_kem/hqc-rmrs-256/clean/parsing.h
+++ /dev/null
@@ -1,36 +0,0 @@
-#ifndef PARSING_H
-#define PARSING_H
-
-
-/**
- * @file parsing.h
- * @brief Header file for parsing.c
- */
-
-#include
-
-void PQCLEAN_HQCRMRS256_CLEAN_store8(unsigned char *out, uint64_t in);
-
-uint64_t PQCLEAN_HQCRMRS256_CLEAN_load8(const unsigned char *in);
-
-void PQCLEAN_HQCRMRS256_CLEAN_load8_arr(uint64_t *out64, size_t outlen, const uint8_t *in8, size_t inlen);
-
-void PQCLEAN_HQCRMRS256_CLEAN_store8_arr(uint8_t *out8, size_t outlen, const uint64_t *in64, size_t inlen);
-
-
-void PQCLEAN_HQCRMRS256_CLEAN_hqc_secret_key_to_string(uint8_t *sk, const uint8_t *sk_seed, const uint8_t *pk);
-
-void PQCLEAN_HQCRMRS256_CLEAN_hqc_secret_key_from_string(uint64_t *x, uint32_t *y, uint8_t *pk, const uint8_t *sk);
-
-
-void PQCLEAN_HQCRMRS256_CLEAN_hqc_public_key_to_string(uint8_t *pk, const uint8_t *pk_seed, const uint64_t *s);
-
-void PQCLEAN_HQCRMRS256_CLEAN_hqc_public_key_from_string(uint64_t *h, uint64_t *s, const uint8_t *pk);
-
-
-void PQCLEAN_HQCRMRS256_CLEAN_hqc_ciphertext_to_string(uint8_t *ct, const uint64_t *u, const uint64_t *v, const uint8_t *d);
-
-void PQCLEAN_HQCRMRS256_CLEAN_hqc_ciphertext_from_string(uint64_t *u, uint64_t *v, uint8_t *d, const uint8_t *ct);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-256/clean/reed_muller.c b/crypto_kem/hqc-rmrs-256/clean/reed_muller.c
deleted file mode 100644
index cf24481e..00000000
--- a/crypto_kem/hqc-rmrs-256/clean/reed_muller.c
+++ /dev/null
@@ -1,237 +0,0 @@ -#include "parameters.h" -#include "reed_muller.h" -#include -#include -/** - * @file reed_muller.c - * Constant time implementation of Reed-Muller code RM(1,7) - */ - - - -// number of repeated code words -#define MULTIPLICITY CEIL_DIVIDE(PARAM_N2, 128) - -// copy bit 0 into all bits of a 32 bit value -#define BIT0MASK(x) (-((x) & 1)) - - -static void encode(uint8_t *word, uint8_t message); -static void hadamard(uint16_t src[128], uint16_t dst[128]); -static void expand_and_sum(uint16_t dest[128], const uint8_t src[16 * MULTIPLICITY]); -static uint8_t find_peaks(const uint16_t transform[128]); - - - -/** - * @brief Encode a single byte into a single codeword using RM(1,7) - * - * Encoding matrix of this code: - * bit pattern (note that bits are numbered big endian) - * 0 aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa - * 1 cccccccc cccccccc cccccccc cccccccc - * 2 f0f0f0f0 f0f0f0f0 f0f0f0f0 f0f0f0f0 - * 3 ff00ff00 ff00ff00 ff00ff00 ff00ff00 - * 4 ffff0000 ffff0000 ffff0000 ffff0000 - * 5 ffffffff 00000000 ffffffff 00000000 - * 6 ffffffff ffffffff 00000000 00000000 - * 7 ffffffff ffffffff ffffffff ffffffff - * - * @param[out] word An RM(1,7) codeword - * @param[in] message A message - */ -static void encode(uint8_t *word, uint8_t message) { - uint32_t e; - // bit 7 flips all the bits, do that first to save work - e = BIT0MASK(message >> 7); - // bits 0, 1, 2, 3, 4 are the same for all four longs - // (Warning: in the bit matrix above, low bits are at the left!) 
- e ^= BIT0MASK(message >> 0) & 0xaaaaaaaa; - e ^= BIT0MASK(message >> 1) & 0xcccccccc; - e ^= BIT0MASK(message >> 2) & 0xf0f0f0f0; - e ^= BIT0MASK(message >> 3) & 0xff00ff00; - e ^= BIT0MASK(message >> 4) & 0xffff0000; - // we can store this in the first quarter - word[0 + 0] = (e >> 0x00) & 0xff; - word[0 + 1] = (e >> 0x08) & 0xff; - word[0 + 2] = (e >> 0x10) & 0xff; - word[0 + 3] = (e >> 0x18) & 0xff; - // bit 5 flips entries 1 and 3; bit 6 flips 2 and 3 - e ^= BIT0MASK(message >> 5); - word[4 + 0] = (e >> 0x00) & 0xff; - word[4 + 1] = (e >> 0x08) & 0xff; - word[4 + 2] = (e >> 0x10) & 0xff; - word[4 + 3] = (e >> 0x18) & 0xff; - e ^= BIT0MASK(message >> 6); - word[12 + 0] = (e >> 0x00) & 0xff; - word[12 + 1] = (e >> 0x08) & 0xff; - word[12 + 2] = (e >> 0x10) & 0xff; - word[12 + 3] = (e >> 0x18) & 0xff; - e ^= BIT0MASK(message >> 5); - word[8 + 0] = (e >> 0x00) & 0xff; - word[8 + 1] = (e >> 0x08) & 0xff; - word[8 + 2] = (e >> 0x10) & 0xff; - word[8 + 3] = (e >> 0x18) & 0xff; -} - - - -/** - * @brief Hadamard transform - * - * Perform hadamard transform of src and store result in dst - * src is overwritten: it is also used as intermediate buffer - * Method is best explained if we use H(3) instead of H(7): - * - * The routine multiplies by the matrix H(3): - * [1 1 1 1 1 1 1 1] - * [1 -1 1 -1 1 -1 1 -1] - * [1 1 -1 -1 1 1 -1 -1] - * [a b c d e f g h] * [1 -1 -1 1 1 -1 -1 1] = result of routine - * [1 1 1 1 -1 -1 -1 -1] - * [1 -1 1 -1 -1 1 -1 1] - * [1 1 -1 -1 -1 -1 1 1] - * [1 -1 -1 1 -1 1 1 -1] - * You can do this in three passes, where each pass does this: - * set lower half of buffer to pairwise sums, - * and upper half to differences - * index 0 1 2 3 4 5 6 7 - * input: a, b, c, d, e, f, g, h - * pass 1: a+b, c+d, e+f, g+h, a-b, c-d, e-f, g-h - * pass 2: a+b+c+d, e+f+g+h, a-b+c-d, e-f+g-h, a+b-c-d, e+f-g-h, a-b-c+d, e-f-g+h - * pass 3: a+b+c+d+e+f+g+h a+b-c-d+e+f-g-h a+b+c+d-e-f-g-h a+b-c-d-e+-f+g+h - * a-b+c-d+e-f+g-h a-b-c+d+e-f-g+h a-b+c-d-e+f-g+h 
a-b-c+d-e+f+g-h - * This order of computation is chosen because it vectorises well. - * Likewise, this routine multiplies by H(7) in seven passes. - * - * @param[out] src Structure that contain the expanded codeword - * @param[out] dst Structure that contain the expanded codeword - */ -static void hadamard(uint16_t src[128], uint16_t dst[128]) { - // the passes move data: - // src -> dst -> src -> dst -> src -> dst -> src -> dst - // using p1 and p2 alternately - uint16_t *p1 = src; - uint16_t *p2 = dst; - uint16_t *p3; - for (uint32_t pass = 0; pass < 7; pass++) { - for (uint32_t i = 0; i < 64; i++) { - p2[i] = p1[2 * i] + p1[2 * i + 1]; - p2[i + 64] = p1[2 * i] - p1[2 * i + 1]; - } - // swap p1, p2 for next round - p3 = p1; - p1 = p2; - p2 = p3; - } -} - - - -/** - * @brief Add multiple codewords into expanded codeword - * - * Accesses memory in order - * Note: this does not write the codewords as -1 or +1 as the green machine does - * instead, just 0 and 1 is used. - * The resulting hadamard transform has: - * all values are halved - * the first entry is 64 too high - * - * @param[out] dest Structure that contain the expanded codeword - * @param[in] src Structure that contain the codeword - */ -static void expand_and_sum(uint16_t dest[128], const uint8_t src[16 * MULTIPLICITY]) { - size_t part, bit, copy; - // start with the first copy - for (part = 0; part < 16; part++) { - for (bit = 0; bit < 8; bit++) { - dest[part * 8 + bit] = (uint16_t) ((src[part] >> bit) & 1); - } - } - // sum the rest of the copies - for (copy = 1; copy < MULTIPLICITY; copy++) { - for (part = 0; part < 16; part++) { - for (bit = 0; bit < 8; bit++) { - dest[part * 8 + bit] += (uint16_t) ((src[16 * copy + part] >> bit) & 1); - } - } - } -} - - - -/** - * @brief Finding the location of the highest value - * - * This is the final step of the green machine: find the location of the highest value, - * and add 128 if the peak is positive - * if there are two identical peaks, the peak with 
smallest value - * in the lowest 7 bits it taken - * @param[in] transform Structure that contain the expanded codeword - */ -static uint8_t find_peaks(const uint16_t transform[128]) { - uint16_t peak_abs = 0; - uint16_t peak = 0; - uint16_t pos = 0; - uint16_t t, abs, mask; - for (uint16_t i = 0; i < 128; i++) { - t = transform[i]; - abs = t ^ ((-(t >> 15)) & (t ^ -t)); // t = abs(t) - mask = -(((uint16_t)(peak_abs - abs)) >> 15); - peak ^= mask & (peak ^ t); - pos ^= mask & (pos ^ i); - peak_abs ^= mask & (peak_abs ^ abs); - } - pos |= 128 & ((peak >> 15) - 1); - return (uint8_t) pos; -} - - - - -/** - * @brief Encodes the received word - * - * The message consists of N1 bytes each byte is encoded into PARAM_N2 bits, - * or MULTIPLICITY repeats of 128 bits - * - * @param[out] cdw Array of size VEC_N1N2_SIZE_64 receiving the encoded message - * @param[in] msg Array of size VEC_N1_SIZE_64 storing the message - */ -void PQCLEAN_HQCRMRS256_CLEAN_reed_muller_encode(uint8_t *cdw, const uint8_t *msg) { - for (size_t i = 0; i < VEC_N1_SIZE_BYTES; i++) { - // encode first word - encode(&cdw[16 * i * MULTIPLICITY], msg[i]); - // copy to other identical codewords - for (size_t copy = 1; copy < MULTIPLICITY; copy++) { - memcpy(&cdw[16 * i * MULTIPLICITY + 16 * copy], &cdw[16 * i * MULTIPLICITY], 16); - } - } -} - - - -/** - * @brief Decodes the received word - * - * Decoding uses fast hadamard transform, for a more complete picture on Reed-Muller decoding, see MacWilliams, Florence Jessie, and Neil James Alexander Sloane. 
- * The theory of error-correcting codes codes @cite macwilliams1977theory
- *
- * @param[out] msg Array of size VEC_N1_SIZE_64 receiving the decoded message
- * @param[in] cdw Array of size VEC_N1N2_SIZE_64 storing the received word
- */
-void PQCLEAN_HQCRMRS256_CLEAN_reed_muller_decode(uint8_t *msg, const uint8_t *cdw) {
- uint16_t expanded[128];
- uint16_t transform[128];
- for (size_t i = 0; i < VEC_N1_SIZE_BYTES; i++) {
- // collect the codewords
- expand_and_sum(expanded, &cdw[16 * i * MULTIPLICITY]);
- // apply hadamard transform
- hadamard(expanded, transform);
- // fix the first entry to get the half Hadamard transform
- transform[0] -= 64 * MULTIPLICITY;
- // finish the decoding
- msg[i] = find_peaks(transform);
- }
-}
diff --git a/crypto_kem/hqc-rmrs-256/clean/reed_muller.h b/crypto_kem/hqc-rmrs-256/clean/reed_muller.h
deleted file mode 100644
index c221705c..00000000
--- a/crypto_kem/hqc-rmrs-256/clean/reed_muller.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef REED_MULLER_H
-#define REED_MULLER_H
-
-
-/**
- * @file reed_muller.h
- * Header file of reed_muller.c
- */
-#include "parameters.h"
-#include
-#include
-
-void PQCLEAN_HQCRMRS256_CLEAN_reed_muller_encode(uint8_t *cdw, const uint8_t *msg);
-
-void PQCLEAN_HQCRMRS256_CLEAN_reed_muller_decode(uint8_t *msg, const uint8_t *cdw);
-
-
-#endif
diff --git a/crypto_kem/hqc-rmrs-256/clean/reed_solomon.c b/crypto_kem/hqc-rmrs-256/clean/reed_solomon.c
deleted file mode 100644
index 9a8b393b..00000000
--- a/crypto_kem/hqc-rmrs-256/clean/reed_solomon.c
+++ /dev/null
@@ -1,349 +0,0 @@
-#include "fft.h"
-#include "gf.h"
-#include "parameters.h"
-#include "parsing.h"
-#include "reed_solomon.h"
-#include
-#include
-#include
-/**
- * @file reed_solomon.c
- * Constant time implementation of Reed-Solomon codes
- */
-
-
-static void compute_syndromes(uint16_t *syndromes, uint8_t *cdw);
-static uint16_t compute_elp(uint16_t *sigma, const uint16_t *syndromes);
-static void compute_roots(uint8_t *error, uint16_t *sigma);
-static void compute_z_poly(uint16_t *z, const uint16_t *sigma, uint16_t degree, const uint16_t *syndromes);
-static void compute_error_values(uint16_t *error_values, const uint16_t *z, const uint8_t *error);
-static void correct_errors(uint8_t *cdw, const uint16_t *error_values);
-
-/**
- * @brief Encodes a message message of PARAM_K bits to a Reed-Solomon codeword codeword of PARAM_N1 bytes
- *
- * Following @cite lin1983error (Chapter 4 - Cyclic Codes),
- * We perform a systematic encoding using a linear (PARAM_N1 - PARAM_K)-stage shift register
- * with feedback connections based on the generator polynomial PARAM_RS_POLY of the Reed-Solomon code.
- * - * @param[out] cdw Array of size VEC_N1_SIZE_64 receiving the encoded message - * @param[in] msg Array of size VEC_K_SIZE_64 storing the message - */ -void PQCLEAN_HQCRMRS256_CLEAN_reed_solomon_encode(uint8_t *cdw, const uint8_t *msg) { - size_t i, j, k; - uint8_t gate_value = 0; - - uint16_t tmp[PARAM_G] = {0}; - uint16_t PARAM_RS_POLY [] = {RS_POLY_COEFS}; - uint8_t prev, x; - - for (i = 0; i < PARAM_N1; ++i) { - cdw[i] = 0; - } - - for (i = 0; i < PARAM_K; ++i) { - gate_value = (uint8_t) (msg[PARAM_K - 1 - i] ^ cdw[PARAM_N1 - PARAM_K - 1]); - - for (j = 0; j < PARAM_G; ++j) { - tmp[j] = PQCLEAN_HQCRMRS256_CLEAN_gf_mul(gate_value, PARAM_RS_POLY[j]); - } - - prev = 0; - for (k = 0; k < PARAM_N1 - PARAM_K; k++) { - x = cdw[k]; - cdw[k] = (uint8_t) (prev ^ tmp[k]); - prev = x; - } - } - - memcpy(cdw + PARAM_N1 - PARAM_K, msg, PARAM_K); -} - - - -/** - * @brief Computes 2 * PARAM_DELTA syndromes - * - * @param[out] syndromes Array of size 2 * PARAM_DELTA receiving the computed syndromes - * @param[in] cdw Array of size PARAM_N1 storing the received vector - */ -void compute_syndromes(uint16_t *syndromes, uint8_t *cdw) { - for (size_t i = 0; i < 2 * PARAM_DELTA; ++i) { - for (size_t j = 1; j < PARAM_N1; ++j) { - syndromes[i] ^= PQCLEAN_HQCRMRS256_CLEAN_gf_mul(cdw[j], alpha_ij_pow[i][j - 1]); - } - syndromes[i] ^= cdw[0]; - } -} - - - -/** - * @brief Computes the error locator polynomial (ELP) sigma - * - * This is a constant time implementation of Berlekamp's simplified algorithm (see @cite lin1983error (Chapter 6 - BCH Codes).
- * We use the letter p for rho which is initialized at -1.
- * The array X_sigma_p represents the polynomial X^(mu-rho)*sigma_p(X).
- * Instead of maintaining a list of sigmas, we update in place both sigma and X_sigma_p.
- * sigma_copy serves as a temporary save of sigma in case X_sigma_p needs to be updated.
- * We can properly correct only if the degree of sigma does not exceed PARAM_DELTA. - * This means only the first PARAM_DELTA + 1 coefficients of sigma are of value - * and we only need to save its first PARAM_DELTA - 1 coefficients. - * - * @returns the degree of the ELP sigma - * @param[out] sigma Array of size (at least) PARAM_DELTA receiving the ELP - * @param[in] syndromes Array of size (at least) 2*PARAM_DELTA storing the syndromes - */ -static uint16_t compute_elp(uint16_t *sigma, const uint16_t *syndromes) { - uint16_t deg_sigma = 0; - uint16_t deg_sigma_p = 0; - uint16_t deg_sigma_copy = 0; - uint16_t sigma_copy[PARAM_DELTA + 1] = {0}; - uint16_t X_sigma_p[PARAM_DELTA + 1] = {0, 1}; - uint16_t pp = (uint16_t) -1; // 2*rho - uint16_t d_p = 1; - uint16_t d = syndromes[0]; - - uint16_t mask1, mask2, mask12; - uint16_t deg_X, deg_X_sigma_p; - uint16_t dd; - uint16_t mu; - - uint16_t i; - - sigma[0] = 1; - for (mu = 0; (mu < (2 * PARAM_DELTA)); ++mu) { - // Save sigma in case we need it to update X_sigma_p - memcpy(sigma_copy, sigma, 2 * (PARAM_DELTA)); - deg_sigma_copy = deg_sigma; - - dd = PQCLEAN_HQCRMRS256_CLEAN_gf_mul(d, PQCLEAN_HQCRMRS256_CLEAN_gf_inverse(d_p)); - - for (i = 1; (i <= mu + 1) && (i <= PARAM_DELTA); ++i) { - sigma[i] ^= PQCLEAN_HQCRMRS256_CLEAN_gf_mul(dd, X_sigma_p[i]); - } - - deg_X = mu - pp; - deg_X_sigma_p = deg_X + deg_sigma_p; - - // mask1 = 0xffff if(d != 0) and 0 otherwise - mask1 = -((uint16_t) - d >> 15); - - // mask2 = 0xffff if(deg_X_sigma_p > deg_sigma) and 0 otherwise - mask2 = -((uint16_t) (deg_sigma - deg_X_sigma_p) >> 15); - - // mask12 = 0xffff if the deg_sigma increased and 0 otherwise - mask12 = mask1 & mask2; - deg_sigma ^= mask12 & (deg_X_sigma_p ^ deg_sigma); - - if (mu == (2 * PARAM_DELTA - 1)) { - break; - } - - pp ^= mask12 & (mu ^ pp); - d_p ^= mask12 & (d ^ d_p); - for (i = PARAM_DELTA; i; --i) { - X_sigma_p[i] = (mask12 & sigma_copy[i - 1]) ^ (~mask12 & X_sigma_p[i - 1]); - } - - deg_sigma_p ^= mask12 & 
(deg_sigma_copy ^ deg_sigma_p); - d = syndromes[mu + 1]; - - for (i = 1; (i <= mu + 1) && (i <= PARAM_DELTA); ++i) { - d ^= PQCLEAN_HQCRMRS256_CLEAN_gf_mul(sigma[i], syndromes[mu + 1 - i]); - } - } - - return deg_sigma; -} - - - -/** - * @brief Computes the error polynomial error from the error locator polynomial sigma - * - * See function PQCLEAN_HQCRMRS256_CLEAN_fft for more details. - * - * @param[out] error Array of 2^PARAM_M elements receiving the error polynomial - * @param[out] error_compact Array of PARAM_DELTA + PARAM_N1 elements receiving a compact representation of the vector error - * @param[in] sigma Array of 2^PARAM_FFT elements storing the error locator polynomial - */ -static void compute_roots(uint8_t *error, uint16_t *sigma) { - uint16_t w[1 << PARAM_M] = {0}; - - PQCLEAN_HQCRMRS256_CLEAN_fft(w, sigma, PARAM_DELTA + 1); - PQCLEAN_HQCRMRS256_CLEAN_fft_retrieve_error_poly(error, w); -} - - - -/** - * @brief Computes the polynomial z(x) - * - * See @cite lin1983error (Chapter 6 - BCH Codes) for more details. 
- *
- * @param[out] z Array of PARAM_DELTA + 1 elements receiving the polynomial z(x)
- * @param[in] sigma Array of 2^PARAM_FFT elements storing the error locator polynomial
- * @param[in] degree Integer that is the degree of polynomial sigma
- * @param[in] syndromes Array of 2 * PARAM_DELTA storing the syndromes
- */
-static void compute_z_poly(uint16_t *z, const uint16_t *sigma, uint16_t degree, const uint16_t *syndromes) {
- size_t i, j;
- uint16_t mask;
-
- z[0] = 1;
-
- for (i = 1; i < PARAM_DELTA + 1; ++i) {
- mask = -((uint16_t) (i - degree - 1) >> 15);
- z[i] = mask & sigma[i];
- }
-
- z[1] ^= syndromes[0];
-
- for (i = 2; i <= PARAM_DELTA; ++i) {
- mask = -((uint16_t) (i - degree - 1) >> 15);
- z[i] ^= mask & syndromes[i - 1];
-
- for (j = 1; j < i; ++j) {
- z[i] ^= mask & PQCLEAN_HQCRMRS256_CLEAN_gf_mul(sigma[j], syndromes[i - j - 1]);
- }
- }
-}
-
-
-
-/**
- * @brief Computes the error values
- *
- * See @cite lin1983error (Chapter 6 - BCH Codes) for more details.
- *
- * @param[out] error_values Array of PARAM_DELTA elements receiving the error values
- * @param[in] z Array of PARAM_DELTA + 1 elements storing the polynomial z(x)
- * @param[in] z_degree Integer that is the degree of polynomial z(x)
- * @param[in] error_compact Array of PARAM_DELTA + PARAM_N1 storing compact representation of the error
- */
-static void compute_error_values(uint16_t *error_values, const uint16_t *z, const uint8_t *error) {
- uint16_t beta_j[PARAM_DELTA] = {0};
- uint16_t e_j[PARAM_DELTA] = {0};
-
- uint16_t delta_counter;
- uint16_t delta_real_value;
- uint16_t found;
- uint16_t mask1;
- uint16_t mask2;
- uint16_t tmp1;
- uint16_t tmp2;
- uint16_t inverse;
- uint16_t inverse_power_j;
-
- // Compute the beta_{j_i} page 31 of the documentation
- delta_counter = 0;
- for (size_t i = 0; i < PARAM_N1; i++) {
- found = 0;
- mask1 = (uint16_t) (-((int32_t)error[i]) >> 31); // error[i] != 0
- for (size_t j = 0; j < PARAM_DELTA; j++) {
- mask2 = ~((uint16_t) (-((int32_t) j ^
delta_counter) >> 31)); // j == delta_counter
- beta_j[j] += mask1 & mask2 & gf_exp[i];
- found += mask1 & mask2 & 1;
- }
- delta_counter += found;
- }
- delta_real_value = delta_counter;
-
- // Compute the e_{j_i} page 31 of the documentation
- for (size_t i = 0; i < PARAM_DELTA; ++i) {
- tmp1 = 1;
- tmp2 = 1;
- inverse = PQCLEAN_HQCRMRS256_CLEAN_gf_inverse(beta_j[i]);
- inverse_power_j = 1;
-
- for (size_t j = 1; j <= PARAM_DELTA; ++j) {
- inverse_power_j = PQCLEAN_HQCRMRS256_CLEAN_gf_mul(inverse_power_j, inverse);
- tmp1 ^= PQCLEAN_HQCRMRS256_CLEAN_gf_mul(inverse_power_j, z[j]);
- }
- for (size_t k = 1; k < PARAM_DELTA; ++k) {
- tmp2 = PQCLEAN_HQCRMRS256_CLEAN_gf_mul(tmp2, (1 ^ PQCLEAN_HQCRMRS256_CLEAN_gf_mul(inverse, beta_j[(i + k) % PARAM_DELTA])));
- }
- mask1 = (uint16_t) (((int16_t) i - delta_real_value) >> 15); // i < delta_real_value
- e_j[i] = mask1 & PQCLEAN_HQCRMRS256_CLEAN_gf_mul(tmp1, PQCLEAN_HQCRMRS256_CLEAN_gf_inverse(tmp2));
- }
-
- // Place the delta e_{j_i} values at the right coordinates of the output vector
- delta_counter = 0;
- for (size_t i = 0; i < PARAM_N1; ++i) {
- found = 0;
- mask1 = (uint16_t) (-((int32_t)error[i]) >> 31); // error[i] != 0
- for (size_t j = 0; j < PARAM_DELTA; j++) {
- mask2 = ~((uint16_t) (-((int32_t) j ^ delta_counter) >> 31)); // j == delta_counter
- error_values[i] += mask1 & mask2 & e_j[j];
- found += mask1 & mask2 & 1;
- }
- delta_counter += found;
- }
-}
-
-
-
-/**
- * @brief Correct the errors
- *
- * @param[out] cdw Array of PARAM_N1 elements receiving the corrected vector
- * @param[in] error Array of the error vector
- * @param[in] error_values Array of PARAM_DELTA elements storing the error values
- */
-static void correct_errors(uint8_t *cdw, const uint16_t *error_values) {
- for (size_t i = 0; i < PARAM_N1; ++i) {
- cdw[i] ^= error_values[i];
- }
-}
-
-
-
-/**
- * @brief Decodes the received word
- *
- * This function relies on six steps:
- *
    - *
  1. The first step, is the computation of the 2*PARAM_DELTA syndromes. - *
  2. The second step is the computation of the error-locator polynomial sigma. - *
  3. The third step, done by additive FFT, is finding the error-locator numbers by calculating the roots of the polynomial sigma and takings their inverses. - *
  4. The fourth step, is the polynomial z(x). - *
  5. The fifth step, is the computation of the error values. - *
  6. The sixth step is the correction of the errors in the received polynomial. - *
- * For a more complete picture on Reed-Solomon decoding, see Shu. Lin and Daniel J. Costello in Error Control Coding: Fundamentals and Applications @cite lin1983error
- *
- * @param[out] msg Array of size VEC_K_SIZE_64 receiving the decoded message
- * @param[in] cdw Array of size VEC_N1_SIZE_64 storing the received word
- */
-void PQCLEAN_HQCRMRS256_CLEAN_reed_solomon_decode(uint8_t *msg, uint8_t *cdw) {
- uint16_t syndromes[2 * PARAM_DELTA] = {0};
- uint16_t sigma[1 << PARAM_FFT] = {0};
- uint8_t error[1 << PARAM_M] = {0};
- uint16_t z[PARAM_N1] = {0};
- uint16_t error_values[PARAM_N1] = {0};
- uint16_t deg;
-
- // Calculate the 2*PARAM_DELTA syndromes
- compute_syndromes(syndromes, cdw);
-
- // Compute the error locator polynomial sigma
- // Sigma's degree is at most PARAM_DELTA but the FFT requires the extra room
- deg = compute_elp(sigma, syndromes);
-
- // Compute the error polynomial error
- compute_roots(error, sigma);
-
- // Compute the polynomial z(x)
- compute_z_poly(z, sigma, deg, syndromes);
-
- // Compute the error values
- compute_error_values(error_values, z, error);
-
- // Correct the errors
- correct_errors(cdw, error_values);
-
- // Retrieve the message from the decoded codeword
- memcpy(msg, cdw + (PARAM_G - 1), PARAM_K);
-
-}
diff --git a/crypto_kem/hqc-rmrs-256/clean/reed_solomon.h b/crypto_kem/hqc-rmrs-256/clean/reed_solomon.h
deleted file mode 100644
index dd46fde9..00000000
--- a/crypto_kem/hqc-rmrs-256/clean/reed_solomon.h
+++ /dev/null
@@ -1,20 +0,0 @@ -#ifndef REED_SOLOMON_H -#define REED_SOLOMON_H - - -/** - * @file reed_solomon.h - * Header file of reed_solomon.c - */ -#include "parameters.h" -#include -#include - -static const uint16_t alpha_ij_pow [58][89] = {{2, 4, 8, 16, 32, 64, 128, 29, 58, 116, 232, 205, 135, 19, 38, 76, 152, 45, 90, 180, 117, 234, 201, 143, 3, 6, 12, 24, 48, 96, 192, 157, 39, 78, 156, 37, 74, 148, 53, 106, 212, 181, 119, 238, 193, 159, 35, 70, 140, 5, 10, 20, 40, 80, 160, 93, 186, 105, 210, 185, 111, 222, 161, 95, 190, 97, 194, 153, 47, 94, 188, 101, 202, 137, 15, 30, 60, 120, 240, 253, 231, 211, 187, 107, 214, 177, 127, 254, 225}, {4, 16, 64, 29, 116, 205, 19, 76, 45, 180, 234, 143, 6, 24, 96, 157, 78, 37, 148, 106, 181, 238, 159, 70, 5, 20, 80, 93, 105, 185, 222, 95, 97, 153, 94, 101, 137, 30, 120, 253, 211, 107, 177, 254, 223, 91, 113, 217, 67, 17, 68, 13, 52, 208, 103, 129, 62, 248, 199, 59, 236, 151, 102, 133, 46, 184, 218, 79, 33, 132, 42, 168, 154, 82, 85, 73, 57, 228, 183, 230, 191, 198, 63, 252, 215, 123, 241, 227, 171}, {8, 64, 58, 205, 38, 45, 117, 143, 12, 96, 39, 37, 53, 181, 193, 70, 10, 80, 186, 185, 161, 97, 47, 101, 15, 120, 231, 107, 127, 223, 182, 217, 134, 68, 26, 208, 206, 62, 237, 59, 197, 102, 23, 184, 169, 33, 21, 168, 41, 85, 146, 228, 115, 191, 145, 252, 179, 241, 219, 150, 196, 110, 87, 130, 100, 7, 56, 221, 166, 89, 242, 195, 86, 138, 36, 61, 245, 251, 139, 44, 125, 207, 54, 173, 1, 8, 64, 58, 205}, {16, 29, 205, 76, 180, 143, 24, 157, 37, 106, 238, 70, 20, 93, 185, 95, 153, 101, 30, 253, 107, 254, 91, 217, 17, 13, 208, 129, 248, 59, 151, 133, 184, 79, 132, 168, 82, 73, 228, 230, 198, 252, 123, 227, 150, 149, 165, 130, 200, 28, 221, 81, 121, 195, 172, 18, 61, 247, 203, 44, 250, 27, 173, 2, 32, 58, 135, 152, 117, 3, 48, 39, 74, 212, 193, 140, 40, 186, 111, 190, 47, 202, 60, 231, 214, 225, 182, 175, 34}, {32, 116, 38, 180, 3, 96, 156, 106, 193, 5, 160, 185, 190, 94, 15, 253, 214, 223, 226, 17, 26, 103, 124, 59, 51, 46, 169, 132, 77, 85, 114, 
230, 145, 215, 255, 150, 55, 174, 100, 28, 167, 89, 239, 172, 36, 244, 235, 44, 233, 108, 1, 32, 116, 38, 180, 3, 96, 156, 106, 193, 5, 160, 185, 190, 94, 15, 253, 214, 223, 226, 17, 26, 103, 124, 59, 51, 46, 169, 132, 77, 85, 114, 230, 145, 215, 255, 150, 55, 174}, {64, 205, 45, 143, 96, 37, 181, 70, 80, 185, 97, 101, 120, 107, 223, 217, 68, 208, 62, 59, 102, 184, 33, 168, 85, 228, 191, 252, 241, 150, 110, 130, 7, 221, 89, 195, 138, 61, 251, 44, 207, 173, 8, 58, 38, 117, 12, 39, 53, 193, 10, 186, 161, 47, 15, 231, 127, 182, 134, 26, 206, 237, 197, 23, 169, 21, 41, 146, 115, 145, 179, 219, 196, 87, 100, 56, 166, 242, 86, 36, 245, 139, 125, 54, 1, 64, 205, 45, 143}, {128, 19, 117, 24, 156, 181, 140, 93, 161, 94, 60, 107, 163, 67, 26, 129, 147, 102, 109, 132, 41, 57, 209, 252, 255, 98, 87, 200, 224, 89, 155, 18, 245, 11, 233, 173, 16, 232, 45, 3, 157, 53, 159, 40, 185, 194, 137, 231, 254, 226, 68, 189, 248, 197, 46, 158, 168, 170, 183, 145, 123, 75, 110, 25, 28, 166, 249, 69, 61, 235, 176, 54, 2, 29, 38, 234, 48, 37, 119, 5, 186, 95, 188, 120, 214, 91, 134, 52, 31}, {29, 76, 143, 157, 106, 70, 93, 95, 101, 253, 254, 217, 13, 129, 59, 133, 79, 168, 73, 230, 252, 227, 149, 130, 28, 81, 195, 18, 247, 44, 27, 2, 58, 152, 3, 39, 212, 140, 186, 190, 202, 231, 225, 175, 26, 31, 118, 23, 158, 77, 146, 209, 229, 219, 55, 25, 56, 162, 155, 36, 243, 88, 54, 4, 116, 45, 6, 78, 181, 5, 105, 97, 137, 211, 223, 67, 52, 62, 236, 46, 33, 154, 57, 191, 215, 171, 110, 50, 112}, {58, 45, 12, 37, 193, 80, 161, 101, 231, 223, 134, 208, 237, 102, 169, 168, 146, 191, 179, 150, 87, 7, 166, 195, 36, 251, 125, 173, 64, 38, 143, 39, 181, 10, 185, 47, 120, 127, 217, 26, 62, 197, 184, 21, 85, 115, 252, 219, 110, 100, 221, 242, 138, 245, 44, 54, 8, 205, 117, 96, 53, 70, 186, 97, 15, 107, 182, 68, 206, 59, 23, 33, 41, 228, 145, 241, 196, 130, 56, 89, 86, 61, 139, 207, 1, 58, 45, 12, 37}, {116, 180, 96, 106, 5, 185, 94, 253, 223, 17, 103, 59, 46, 132, 85, 230, 215, 150, 174, 28, 89, 172, 244, 44, 
108, 32, 38, 3, 156, 193, 160, 190, 15, 214, 226, 26, 124, 51, 169, 77, 114, 145, 255, 55, 100, 167, 239, 36, 235, 233, 1, 116, 180, 96, 106, 5, 185, 94, 253, 223, 17, 103, 59, 46, 132, 85, 230, 215, 150, 174, 28, 89, 172, 244, 44, 108, 32, 38, 3, 156, 193, 160, 190, 15, 214, 226, 26, 124, 51}, {232, 234, 39, 238, 160, 97, 60, 254, 134, 103, 118, 184, 84, 57, 145, 227, 220, 7, 162, 172, 245, 176, 71, 58, 180, 192, 181, 40, 95, 15, 177, 175, 208, 147, 46, 21, 73, 99, 241, 55, 200, 166, 43, 122, 44, 216, 128, 45, 48, 106, 10, 222, 202, 107, 226, 52, 237, 133, 66, 85, 209, 123, 196, 50, 167, 195, 144, 11, 54, 32, 76, 12, 148, 140, 185, 188, 211, 182, 13, 124, 102, 158, 82, 115, 215, 49, 130, 224, 249}, {205, 143, 37, 70, 185, 101, 107, 217, 208, 59, 184, 168, 228, 252, 150, 130, 221, 195, 61, 44, 173, 58, 117, 39, 193, 186, 47, 231, 182, 26, 237, 23, 21, 146, 145, 219, 87, 56, 242, 36, 139, 54, 64, 45, 96, 181, 80, 97, 120, 223, 68, 62, 102, 33, 85, 191, 241, 110, 7, 89, 138, 251, 207, 8, 38, 12, 53, 10, 161, 15, 127, 134, 206, 197, 169, 41, 115, 179, 196, 100, 166, 86, 245, 125, 1, 205, 143, 37, 70}, {135, 6, 53, 20, 190, 120, 163, 13, 237, 46, 84, 228, 229, 98, 100, 81, 69, 251, 131, 32, 45, 192, 238, 186, 94, 187, 217, 189, 236, 169, 82, 209, 241, 220, 28, 242, 72, 22, 173, 116, 201, 37, 140, 222, 15, 254, 34, 62, 204, 132, 146, 63, 75, 130, 167, 43, 245, 250, 4, 38, 24, 212, 80, 194, 253, 182, 52, 147, 184, 77, 183, 179, 149, 141, 89, 9, 203, 54, 128, 180, 39, 159, 210, 101, 214, 67, 206, 151, 158}, {19, 24, 181, 93, 94, 107, 67, 129, 102, 132, 57, 252, 98, 200, 89, 18, 11, 173, 232, 3, 53, 40, 194, 231, 226, 189, 197, 158, 170, 145, 75, 25, 166, 69, 235, 54, 29, 234, 37, 5, 95, 120, 91, 52, 59, 218, 82, 191, 227, 174, 221, 43, 247, 207, 32, 90, 39, 35, 111, 15, 225, 136, 237, 92, 77, 115, 246, 220, 56, 239, 122, 125, 4, 76, 96, 238, 105, 101, 177, 17, 62, 133, 42, 228, 215, 149, 7, 121, 72}, {38, 96, 193, 185, 15, 223, 26, 59, 169, 85, 145, 150, 100, 89, 36, 44, 
1, 38, 96, 193, 185, 15, 223, 26, 59, 169, 85, 145, 150, 100, 89, 36, 44, 1, 38, 96, 193, 185, 15, 223, 26, 59, 169, 85, 145, 150, 100, 89, 36, 44, 1, 38, 96, 193, 185, 15, 223, 26, 59, 169, 85, 145, 150, 100, 89, 36, 44, 1, 38, 96, 193, 185, 15, 223, 26, 59, 169, 85, 145, 150, 100, 89, 36, 44, 1, 38, 96, 193, 185}, {76, 157, 70, 95, 253, 217, 129, 133, 168, 230, 227, 130, 81, 18, 44, 2, 152, 39, 140, 190, 231, 175, 31, 23, 77, 209, 219, 25, 162, 36, 88, 4, 45, 78, 5, 97, 211, 67, 62, 46, 154, 191, 171, 50, 89, 72, 176, 8, 90, 156, 10, 194, 187, 134, 124, 92, 41, 99, 75, 100, 178, 144, 125, 16, 180, 37, 20, 153, 107, 17, 248, 184, 82, 198, 150, 200, 121, 61, 250, 32, 117, 74, 40, 47, 214, 34, 237, 109, 164}, {152, 78, 10, 153, 214, 68, 147, 79, 146, 215, 220, 221, 69, 11, 1, 152, 78, 10, 153, 214, 68, 147, 79, 146, 215, 220, 221, 69, 11, 1, 152, 78, 10, 153, 214, 68, 147, 79, 146, 215, 220, 221, 69, 11, 1, 152, 78, 10, 153, 214, 68, 147, 79, 146, 215, 220, 221, 69, 11, 1, 152, 78, 10, 153, 214, 68, 147, 79, 146, 215, 220, 221, 69, 11, 1, 152, 78, 10, 153, 214, 68, 147, 79, 146, 215, 220, 221, 69, 11}, {45, 37, 80, 101, 223, 208, 102, 168, 191, 150, 7, 195, 251, 173, 38, 39, 10, 47, 127, 26, 197, 21, 115, 219, 100, 242, 245, 54, 205, 96, 70, 97, 107, 68, 59, 33, 228, 241, 130, 89, 61, 207, 58, 12, 193, 161, 231, 134, 237, 169, 146, 179, 87, 166, 36, 125, 64, 143, 181, 185, 120, 217, 62, 184, 85, 252, 110, 221, 138, 44, 8, 117, 53, 186, 15, 182, 206, 23, 41, 145, 196, 56, 86, 139, 1, 45, 37, 80, 101}, {90, 148, 186, 30, 226, 62, 109, 73, 179, 174, 162, 61, 131, 232, 96, 140, 153, 127, 52, 51, 168, 99, 98, 56, 172, 22, 8, 234, 212, 185, 240, 67, 237, 79, 114, 241, 25, 121, 245, 108, 19, 39, 20, 188, 223, 189, 133, 41, 63, 55, 221, 9, 176, 64, 3, 238, 161, 211, 34, 59, 66, 183, 219, 200, 239, 251, 71, 152, 37, 160, 137, 182, 129, 92, 85, 229, 165, 166, 72, 233, 58, 24, 35, 97, 214, 13, 197, 42, 209}, {180, 106, 185, 253, 17, 59, 132, 230, 150, 28, 172, 44, 32, 3, 193, 
190, 214, 26, 51, 77, 145, 55, 167, 36, 233, 116, 96, 5, 94, 223, 103, 46, 85, 215, 174, 89, 244, 108, 38, 156, 160, 15, 226, 124, 169, 114, 255, 100, 239, 235, 1, 180, 106, 185, 253, 17, 59, 132, 230, 150, 28, 172, 44, 32, 3, 193, 190, 214, 26, 51, 77, 145, 55, 167, 36, 233, 116, 96, 5, 94, 223, 103, 46, 85, 215, 174, 89, 244, 108}, {117, 181, 161, 107, 26, 102, 41, 252, 87, 89, 245, 173, 45, 53, 185, 231, 68, 197, 168, 145, 110, 166, 61, 54, 38, 37, 186, 120, 134, 59, 21, 191, 196, 221, 36, 207, 205, 39, 80, 15, 217, 237, 33, 115, 150, 56, 138, 125, 58, 96, 10, 101, 182, 62, 169, 228, 219, 7, 86, 44, 64, 12, 70, 47, 223, 206, 184, 146, 241, 100, 195, 139, 8, 143, 193, 97, 127, 208, 23, 85, 179, 130, 242, 251, 1, 117, 181, 161, 107}, {234, 238, 97, 254, 103, 184, 57, 227, 7, 172, 176, 58, 192, 40, 15, 175, 147, 21, 99, 55, 166, 122, 216, 45, 106, 222, 107, 52, 133, 85, 123, 50, 195, 11, 32, 12, 140, 188, 182, 124, 158, 115, 49, 224, 36, 131, 19, 37, 105, 253, 68, 151, 154, 252, 174, 121, 251, 2, 201, 193, 194, 225, 206, 109, 114, 219, 14, 69, 125, 116, 157, 80, 30, 67, 59, 42, 198, 110, 81, 244, 173, 90, 212, 161, 214, 104, 23, 170, 246}, {201, 159, 47, 91, 124, 33, 209, 149, 166, 244, 71, 117, 238, 194, 223, 31, 79, 115, 98, 167, 61, 216, 90, 181, 190, 254, 206, 218, 213, 150, 224, 72, 54, 152, 106, 161, 177, 189, 184, 114, 171, 56, 18, 131, 38, 148, 111, 107, 104, 46, 146, 227, 14, 138, 233, 135, 37, 210, 211, 26, 133, 170, 241, 141, 172, 125, 232, 78, 186, 253, 136, 102, 164, 123, 100, 43, 88, 58, 157, 160, 120, 34, 151, 41, 215, 25, 195, 22, 128}, {143, 70, 101, 217, 59, 168, 252, 130, 195, 44, 58, 39, 186, 231, 26, 23, 146, 219, 56, 36, 54, 45, 181, 97, 223, 62, 33, 191, 110, 89, 251, 8, 12, 10, 15, 134, 197, 41, 179, 100, 86, 125, 205, 37, 185, 107, 208, 184, 228, 150, 221, 61, 173, 117, 193, 47, 182, 237, 21, 145, 87, 242, 139, 64, 96, 80, 120, 68, 102, 85, 241, 7, 138, 207, 38, 53, 161, 127, 206, 169, 115, 196, 166, 245, 1, 143, 70, 101, 217}, {3, 5, 15, 
17, 51, 85, 255, 28, 36, 108, 180, 193, 94, 226, 59, 77, 215, 100, 172, 233, 38, 106, 190, 223, 124, 132, 145, 174, 239, 44, 116, 156, 185, 214, 103, 169, 230, 55, 89, 235, 32, 96, 160, 253, 26, 46, 114, 150, 167, 244, 1, 3, 5, 15, 17, 51, 85, 255, 28, 36, 108, 180, 193, 94, 226, 59, 77, 215, 100, 172, 233, 38, 106, 190, 223, 124, 132, 145, 174, 239, 44, 116, 156, 185, 214, 103, 169, 230, 55}, {6, 20, 120, 13, 46, 228, 98, 81, 251, 32, 192, 186, 187, 189, 169, 209, 220, 242, 22, 116, 37, 222, 254, 62, 132, 63, 130, 43, 250, 38, 212, 194, 182, 147, 77, 179, 141, 9, 54, 180, 159, 101, 67, 151, 85, 227, 112, 61, 142, 3, 10, 60, 136, 23, 114, 49, 166, 243, 16, 96, 93, 211, 208, 218, 230, 110, 121, 11, 58, 156, 111, 127, 31, 66, 145, 65, 155, 125, 19, 106, 97, 91, 199, 168, 215, 200, 138, 27, 90}, {12, 80, 231, 208, 169, 191, 87, 195, 125, 38, 181, 47, 217, 197, 85, 219, 221, 245, 8, 96, 186, 107, 206, 33, 145, 130, 86, 207, 45, 193, 101, 134, 102, 146, 150, 166, 251, 64, 39, 185, 127, 62, 21, 252, 100, 138, 54, 117, 70, 15, 68, 23, 228, 196, 89, 139, 58, 37, 161, 223, 237, 168, 179, 7, 36, 173, 143, 10, 120, 26, 184, 115, 110, 242, 44, 205, 53, 97, 182, 59, 41, 241, 56, 61, 1, 12, 80, 231, 208}, {24, 93, 107, 129, 132, 252, 200, 18, 173, 3, 40, 231, 189, 158, 145, 25, 69, 54, 234, 5, 120, 52, 218, 191, 174, 43, 207, 90, 35, 15, 136, 92, 115, 220, 239, 125, 76, 238, 101, 17, 133, 228, 149, 121, 44, 135, 212, 47, 175, 51, 146, 49, 162, 139, 116, 148, 97, 113, 236, 85, 171, 83, 251, 128, 156, 161, 163, 147, 41, 255, 224, 245, 16, 157, 185, 254, 248, 168, 123, 28, 61, 2, 48, 186, 214, 31, 21, 229, 141}, {48, 105, 127, 248, 77, 241, 224, 247, 64, 156, 95, 182, 236, 170, 150, 162, 11, 205, 212, 94, 134, 133, 213, 110, 239, 250, 45, 35, 30, 26, 218, 99, 130, 69, 108, 143, 40, 211, 206, 132, 229, 7, 144, 2, 96, 210, 254, 237, 154, 255, 221, 243, 128, 37, 190, 113, 197, 73, 49, 89, 22, 135, 181, 188, 17, 23, 183, 220, 195, 233, 90, 70, 60, 52, 169, 198, 25, 138, 216, 3, 80, 
187, 129, 21, 215, 14, 61, 4, 192}, {96, 185, 223, 59, 85, 150, 89, 44, 38, 193, 15, 26, 169, 145, 100, 36, 1, 96, 185, 223, 59, 85, 150, 89, 44, 38, 193, 15, 26, 169, 145, 100, 36, 1, 96, 185, 223, 59, 85, 150, 89, 44, 38, 193, 15, 26, 169, 145, 100, 36, 1, 96, 185, 223, 59, 85, 150, 89, 44, 38, 193, 15, 26, 169, 145, 100, 36, 1, 96, 185, 223, 59, 85, 150, 89, 44, 38, 193, 15, 26, 169, 145, 100, 36, 1, 96, 185, 223, 59}, {192, 222, 182, 151, 114, 110, 155, 27, 143, 160, 177, 237, 82, 75, 89, 88, 152, 70, 240, 103, 21, 123, 224, 251, 116, 212, 101, 136, 218, 145, 200, 144, 8, 78, 190, 217, 204, 183, 87, 172, 216, 12, 105, 225, 59, 170, 98, 242, 250, 180, 10, 211, 31, 168, 255, 83, 139, 135, 238, 15, 52, 158, 252, 14, 244, 64, 74, 153, 134, 46, 209, 130, 9, 142, 96, 111, 91, 197, 57, 55, 195, 131, 201, 80, 214, 248, 41, 171, 162}, {157, 95, 217, 133, 230, 130, 18, 2, 39, 190, 175, 23, 209, 25, 36, 4, 78, 97, 67, 46, 191, 50, 72, 8, 156, 194, 134, 92, 99, 100, 144, 16, 37, 153, 17, 184, 198, 200, 61, 32, 74, 47, 34, 109, 145, 141, 122, 64, 148, 94, 68, 218, 63, 7, 244, 128, 53, 188, 136, 169, 126, 14, 245, 29, 106, 101, 13, 79, 252, 28, 247, 58, 212, 202, 26, 158, 229, 56, 243, 116, 181, 137, 52, 33, 215, 112, 251, 232, 119}, {39, 97, 134, 184, 145, 7, 245, 58, 181, 15, 208, 21, 241, 166, 44, 45, 10, 107, 237, 85, 196, 195, 54, 12, 185, 182, 102, 115, 130, 36, 8, 37, 47, 68, 169, 252, 56, 251, 205, 193, 120, 206, 168, 219, 89, 125, 117, 80, 127, 59, 146, 110, 86, 173, 96, 161, 217, 23, 191, 100, 61, 64, 53, 101, 26, 33, 179, 221, 139, 38, 70, 231, 62, 41, 150, 242, 207, 143, 186, 223, 197, 228, 87, 138, 1, 39, 97, 134, 184}, {78, 153, 68, 79, 215, 221, 11, 152, 10, 214, 147, 146, 220, 69, 1, 78, 153, 68, 79, 215, 221, 11, 152, 10, 214, 147, 146, 220, 69, 1, 78, 153, 68, 79, 215, 221, 11, 152, 10, 214, 147, 146, 220, 69, 1, 78, 153, 68, 79, 215, 221, 11, 152, 10, 214, 147, 146, 220, 69, 1, 78, 153, 68, 79, 215, 221, 11, 152, 10, 214, 147, 146, 220, 69, 1, 78, 153, 68, 
79, 215, 221, 11, 152, 10, 214, 147, 146, 220, 69}, {156, 94, 26, 132, 255, 89, 233, 3, 185, 226, 46, 145, 28, 235, 38, 5, 214, 59, 114, 174, 36, 32, 106, 15, 103, 77, 150, 239, 108, 96, 190, 17, 169, 215, 167, 44, 180, 160, 223, 51, 230, 100, 244, 116, 193, 253, 124, 85, 55, 172, 1, 156, 94, 26, 132, 255, 89, 233, 3, 185, 226, 46, 145, 28, 235, 38, 5, 214, 59, 114, 174, 36, 32, 106, 15, 103, 77, 150, 239, 108, 96, 190, 17, 169, 215, 167, 44, 180, 160}, {37, 101, 208, 168, 150, 195, 173, 39, 47, 26, 21, 219, 242, 54, 96, 97, 68, 33, 241, 89, 207, 12, 161, 134, 169, 179, 166, 125, 143, 185, 217, 184, 252, 221, 44, 117, 186, 182, 23, 145, 56, 139, 45, 80, 223, 102, 191, 7, 251, 38, 10, 127, 197, 115, 100, 245, 205, 70, 107, 59, 228, 130, 61, 58, 193, 231, 237, 146, 87, 36, 64, 181, 120, 62, 85, 110, 138, 8, 53, 15, 206, 41, 196, 86, 1, 37, 101, 208, 168}, {74, 137, 206, 82, 55, 138, 16, 212, 120, 124, 73, 87, 72, 29, 193, 211, 147, 228, 25, 244, 205, 140, 177, 197, 230, 141, 251, 76, 40, 223, 204, 198, 56, 11, 180, 186, 113, 92, 252, 167, 176, 143, 111, 67, 169, 123, 162, 207, 24, 190, 68, 66, 227, 242, 108, 157, 47, 52, 84, 150, 155, 142, 37, 202, 103, 41, 149, 69, 8, 106, 60, 62, 170, 165, 36, 128, 238, 231, 199, 114, 130, 122, 232, 70, 214, 236, 115, 200, 243}, {148, 30, 62, 73, 174, 61, 232, 140, 127, 51, 99, 56, 22, 234, 185, 67, 79, 241, 121, 108, 39, 188, 189, 41, 55, 9, 64, 238, 211, 59, 183, 200, 251, 152, 160, 182, 92, 229, 166, 233, 24, 97, 13, 42, 150, 43, 2, 53, 60, 124, 146, 65, 122, 205, 5, 254, 102, 198, 112, 44, 201, 111, 134, 158, 255, 242, 216, 78, 101, 103, 82, 110, 18, 128, 193, 187, 118, 115, 141, 235, 45, 93, 113, 184, 215, 81, 207, 48, 194}, {53, 120, 237, 228, 100, 251, 45, 186, 217, 169, 241, 242, 173, 37, 15, 62, 146, 130, 245, 38, 80, 182, 184, 179, 89, 54, 39, 101, 206, 85, 87, 61, 205, 10, 223, 23, 252, 166, 207, 96, 47, 208, 41, 110, 36, 58, 70, 127, 102, 145, 221, 125, 12, 97, 26, 168, 196, 138, 64, 193, 107, 197, 191, 56, 44, 143, 
161, 68, 21, 150, 86, 8, 181, 231, 59, 115, 7, 139, 117, 185, 134, 33, 219, 195, 1, 53, 120, 237, 228}, {106, 253, 59, 230, 28, 44, 3, 190, 26, 77, 55, 36, 116, 5, 223, 46, 215, 89, 108, 156, 15, 124, 114, 100, 235, 180, 185, 17, 132, 150, 172, 32, 193, 214, 51, 145, 167, 233, 96, 94, 103, 85, 174, 244, 38, 160, 226, 169, 255, 239, 1, 106, 253, 59, 230, 28, 44, 3, 190, 26, 77, 55, 36, 116, 5, 223, 46, 215, 89, 108, 156, 15, 124, 114, 100, 235, 180, 185, 17, 132, 150, 172, 32, 193, 214, 51, 145, 167, 233}, {212, 211, 197, 198, 167, 207, 157, 202, 62, 114, 200, 139, 201, 95, 26, 154, 220, 61, 19, 160, 217, 158, 171, 86, 32, 159, 127, 133, 229, 89, 216, 74, 120, 147, 230, 56, 176, 24, 47, 103, 170, 130, 243, 90, 185, 34, 42, 196, 18, 116, 10, 91, 109, 241, 239, 2, 181, 187, 151, 145, 83, 131, 39, 137, 124, 228, 141, 11, 143, 190, 52, 41, 165, 122, 38, 93, 175, 33, 75, 172, 64, 35, 254, 23, 215, 178, 173, 148, 240}, {181, 107, 102, 252, 89, 173, 53, 231, 197, 145, 166, 54, 37, 120, 59, 191, 221, 207, 39, 15, 237, 115, 56, 125, 96, 101, 62, 228, 7, 44, 12, 47, 206, 146, 100, 139, 143, 97, 208, 85, 130, 251, 117, 161, 26, 41, 87, 245, 45, 185, 68, 168, 110, 61, 38, 186, 134, 21, 196, 36, 205, 80, 217, 33, 150, 138, 58, 10, 182, 169, 219, 86, 64, 70, 223, 184, 241, 195, 8, 193, 127, 23, 179, 242, 1, 181, 107, 102, 252}, {119, 177, 23, 123, 239, 8, 159, 225, 184, 255, 43, 64, 140, 91, 169, 171, 69, 58, 20, 226, 33, 49, 18, 205, 160, 67, 21, 149, 144, 38, 105, 34, 168, 220, 244, 45, 111, 13, 41, 174, 243, 117, 95, 104, 85, 25, 203, 143, 194, 103, 146, 200, 22, 12, 94, 31, 228, 14, 176, 96, 202, 248, 115, 112, 233, 39, 30, 147, 191, 167, 27, 37, 240, 236, 145, 81, 216, 53, 211, 51, 252, 178, 142, 181, 214, 133, 179, 249, 4}, {238, 254, 184, 227, 172, 58, 40, 175, 21, 55, 122, 45, 222, 52, 85, 50, 11, 12, 188, 124, 115, 224, 131, 37, 253, 151, 252, 121, 2, 193, 225, 109, 219, 69, 116, 80, 67, 42, 110, 244, 90, 161, 104, 170, 100, 22, 24, 101, 248, 230, 221, 27, 74, 231, 51, 
229, 242, 4, 159, 223, 218, 171, 138, 232, 160, 134, 84, 220, 245, 180, 95, 208, 73, 200, 44, 48, 202, 237, 209, 167, 54, 148, 211, 102, 215, 249, 8, 35, 163}, {193, 223, 169, 150, 36, 38, 185, 26, 85, 100, 44, 96, 15, 59, 145, 89, 1, 193, 223, 169, 150, 36, 38, 185, 26, 85, 100, 44, 96, 15, 59, 145, 89, 1, 193, 223, 169, 150, 36, 38, 185, 26, 85, 100, 44, 96, 15, 59, 145, 89, 1, 193, 223, 169, 150, 36, 38, 185, 26, 85, 100, 44, 96, 15, 59, 145, 89, 1, 193, 223, 169, 150, 36, 38, 185, 26, 85, 100, 44, 96, 15, 59, 145, 89, 1, 193, 223, 169, 150}, {159, 91, 33, 149, 244, 117, 194, 31, 115, 167, 216, 181, 254, 218, 150, 72, 152, 161, 189, 114, 56, 131, 148, 107, 46, 227, 138, 135, 210, 26, 170, 141, 125, 78, 253, 102, 123, 43, 58, 160, 34, 41, 25, 22, 96, 30, 236, 252, 249, 32, 10, 175, 84, 87, 235, 6, 101, 199, 198, 89, 2, 35, 182, 66, 55, 245, 234, 153, 62, 230, 83, 173, 119, 225, 169, 49, 144, 45, 95, 103, 228, 112, 27, 53, 214, 92, 219, 9, 19}, {35, 113, 21, 165, 235, 12, 137, 118, 252, 239, 128, 80, 34, 82, 100, 176, 78, 231, 133, 255, 138, 19, 111, 208, 114, 112, 54, 212, 254, 169, 98, 122, 117, 153, 124, 191, 162, 2, 70, 226, 42, 87, 203, 24, 15, 236, 229, 195, 29, 160, 68, 164, 200, 125, 156, 211, 23, 227, 9, 38, 222, 189, 228, 224, 108, 181, 225, 79, 196, 244, 234, 47, 248, 99, 89, 4, 140, 217, 84, 174, 139, 48, 30, 197, 215, 155, 58, 93, 136}, {70, 217, 168, 130, 44, 39, 231, 23, 219, 36, 45, 97, 62, 191, 89, 8, 10, 134, 41, 100, 125, 37, 107, 184, 150, 61, 117, 47, 237, 145, 242, 64, 80, 68, 85, 7, 207, 53, 127, 169, 196, 245, 143, 101, 59, 252, 195, 58, 186, 26, 146, 56, 54, 181, 223, 33, 110, 251, 12, 15, 197, 179, 86, 205, 185, 208, 228, 221, 173, 193, 182, 21, 87, 139, 96, 120, 102, 241, 138, 38, 161, 206, 115, 166, 1, 70, 217, 168, 130}, {140, 67, 41, 200, 233, 53, 254, 158, 110, 235, 48, 120, 204, 227, 36, 90, 153, 237, 63, 239, 58, 105, 104, 228, 167, 142, 70, 175, 154, 100, 250, 148, 127, 79, 55, 251, 24, 60, 102, 255, 18, 45, 194, 248, 145, 249, 
29, 186, 52, 114, 221, 71, 35, 217, 77, 50, 125, 74, 177, 169, 149, 243, 12, 30, 51, 241, 9, 152, 97, 124, 198, 242, 128, 93, 26, 57, 224, 173, 159, 226, 168, 25, 176, 37, 214, 218, 196, 247, 6}, {5, 17, 85, 28, 108, 193, 226, 77, 100, 233, 106, 223, 132, 174, 44, 156, 214, 169, 55, 235, 96, 253, 46, 150, 244, 3, 15, 51, 255, 36, 180, 94, 59, 215, 172, 38, 190, 124, 145, 239, 116, 185, 103, 230, 89, 32, 160, 26, 114, 167, 1, 5, 17, 85, 28, 108, 193, 226, 77, 100, 233, 106, 223, 132, 174, 44, 156, 214, 169, 55, 235, 96, 253, 46, 150, 244, 3, 15, 51, 255, 36, 180, 94, 59, 215, 172, 38, 190, 124}, {10, 68, 146, 221, 1, 10, 68, 146, 221, 1, 10, 68, 146, 221, 1, 10, 68, 146, 221, 1, 10, 68, 146, 221, 1, 10, 68, 146, 221, 1, 10, 68, 146, 221, 1, 10, 68, 146, 221, 1, 10, 68, 146, 221, 1, 10, 68, 146, 221, 1, 10, 68, 146, 221, 1, 10, 68, 146, 221, 1, 10, 68, 146, 221, 1, 10, 68, 146, 221, 1, 10, 68, 146, 221, 1, 10, 68, 146, 221, 1, 10, 68, 146, 221, 1, 10, 68, 146, 221}, {20, 13, 228, 81, 32, 186, 189, 209, 242, 116, 222, 62, 63, 43, 38, 194, 147, 179, 9, 180, 101, 151, 227, 61, 3, 60, 23, 49, 243, 96, 211, 218, 110, 11, 156, 127, 66, 65, 125, 106, 91, 168, 200, 27, 193, 175, 164, 56, 71, 5, 68, 57, 83, 8, 160, 104, 115, 178, 29, 185, 129, 198, 195, 135, 190, 237, 229, 69, 45, 94, 236, 241, 72, 201, 15, 204, 75, 245, 24, 253, 184, 149, 203, 39, 214, 158, 87, 88, 148}, {40, 52, 115, 121, 116, 161, 248, 229, 138, 180, 202, 102, 75, 247, 96, 187, 79, 87, 176, 106, 182, 154, 14, 173, 5, 136, 228, 162, 128, 185, 31, 63, 86, 152, 94, 197, 227, 122, 12, 253, 109, 110, 22, 74, 223, 84, 200, 54, 35, 17, 146, 83, 16, 186, 103, 99, 195, 19, 194, 59, 246, 72, 143, 60, 46, 196, 203, 78, 127, 132, 25, 207, 238, 175, 85, 224, 2, 80, 104, 230, 242, 232, 95, 237, 215, 9, 117, 137, 204}, {80, 208, 191, 195, 38, 47, 197, 219, 245, 96, 107, 33, 130, 207, 193, 134, 146, 166, 64, 185, 62, 252, 138, 117, 15, 23, 196, 139, 37, 223, 168, 7, 173, 10, 26, 115, 242, 205, 97, 59, 241, 61, 12, 231, 
169, 87, 125, 181, 217, 85, 221, 8, 186, 206, 145, 86, 45, 101, 102, 150, 251, 39, 127, 21, 100, 54, 70, 68, 228, 89, 58, 161, 237, 179, 36, 143, 120, 184, 110, 44, 53, 182, 41, 56, 1, 80, 208, 191, 195}, {160, 103, 145, 172, 180, 15, 46, 55, 44, 106, 226, 85, 167, 32, 185, 124, 215, 36, 3, 253, 169, 174, 233, 193, 17, 114, 89, 116, 190, 59, 255, 244, 96, 214, 132, 100, 108, 5, 26, 230, 239, 38, 94, 51, 150, 235, 156, 223, 77, 28, 1, 160, 103, 145, 172, 180, 15, 46, 55, 44, 106, 226, 85, 167, 32, 185, 124, 215, 36, 3, 253, 169, 174, 233, 193, 17, 114, 89, 116, 190, 59, 255, 244, 96, 214, 132, 100, 108, 5}, {93, 129, 252, 18, 3, 231, 158, 25, 54, 5, 52, 191, 43, 90, 15, 92, 220, 125, 238, 17, 228, 121, 135, 47, 51, 49, 139, 148, 113, 85, 83, 128, 161, 147, 255, 245, 157, 254, 168, 28, 2, 186, 31, 229, 36, 6, 211, 33, 50, 108, 10, 104, 99, 86, 180, 30, 184, 165, 250, 193, 34, 213, 242, 19, 94, 102, 98, 11, 53, 226, 170, 166, 29, 95, 59, 227, 247, 39, 225, 77, 56, 4, 105, 62, 215, 72, 12, 187, 66}, {186, 62, 179, 61, 96, 127, 168, 56, 8, 185, 237, 241, 245, 39, 223, 41, 221, 64, 161, 59, 219, 251, 37, 182, 85, 166, 58, 97, 197, 150, 139, 53, 217, 146, 89, 205, 47, 102, 196, 44, 181, 134, 228, 242, 38, 101, 23, 110, 125, 193, 68, 115, 195, 45, 15, 184, 87, 207, 70, 26, 191, 86, 117, 120, 169, 130, 54, 10, 208, 145, 138, 143, 231, 33, 100, 173, 80, 206, 252, 36, 12, 107, 21, 7, 1, 186, 62, 179, 61}, {105, 248, 241, 247, 156, 182, 170, 162, 205, 94, 133, 110, 250, 35, 26, 99, 69, 143, 211, 132, 7, 2, 210, 237, 255, 243, 37, 113, 73, 89, 135, 188, 23, 220, 233, 70, 52, 198, 138, 3, 187, 21, 14, 4, 185, 199, 227, 251, 74, 226, 146, 178, 19, 101, 46, 165, 207, 140, 104, 145, 9, 6, 107, 42, 28, 8, 111, 147, 219, 235, 148, 217, 57, 121, 38, 202, 92, 87, 131, 5, 208, 63, 18, 12, 214, 84, 56, 16, 222}}; - -void PQCLEAN_HQCRMRS256_CLEAN_reed_solomon_encode(uint8_t *cdw, const uint8_t *msg); - -void PQCLEAN_HQCRMRS256_CLEAN_reed_solomon_decode(uint8_t *msg, uint8_t *cdw); - - 
-#endif
diff --git a/crypto_kem/hqc-rmrs-256/clean/vector.c b/crypto_kem/hqc-rmrs-256/clean/vector.c
deleted file mode 100644
index 139e5bc3..00000000
--- a/crypto_kem/hqc-rmrs-256/clean/vector.c
+++ /dev/null
@@ -1,176 +0,0 @@ -#include "nistseedexpander.h" -#include "parameters.h" -#include "parsing.h" -#include "randombytes.h" -#include "vector.h" -#include -#include -/** - * @file vector.c - * @brief Implementation of vectors sampling and some utilities for the HQC scheme - */ - - -/** - * @brief Generates a vector of a given Hamming weight - * - * This function generates uniformly at random a binary vector of a Hamming weight equal to the parameter weight. The vector - * is stored by position. - * To generate the vector we have to sample uniformly at random values in the interval [0, PARAM_N -1]. Suppose the PARAM_N is equal to \f$ 70853 \f$, to select a position \f$ r\f$ the function works as follow: - * 1. It makes a call to the seedexpander function to obtain a random number \f$ x\f$ in \f$ [0, 2^{24}[ \f$. - * 2. Let \f$ t = \lfloor {2^{24} \over 70853} \rfloor \times 70853\f$ - * 3. If \f$ x \geq t\f$, go to 1 - * 4. It return \f$ r = x \mod 70853\f$ - * - * The parameter \f$ t \f$ is precomputed and it's denoted by UTILS_REJECTION_THRESHOLD (see the file parameters.h). 
- * - * @param[in] v Pointer to an array - * @param[in] weight Integer that is the Hamming weight - * @param[in] ctx Pointer to the context of the seed expander - */ -void PQCLEAN_HQCRMRS256_CLEAN_vect_set_random_fixed_weight_by_coordinates(AES_XOF_struct *ctx, uint32_t *v, uint16_t weight) { - size_t random_bytes_size = 3 * weight; - uint8_t rand_bytes[3 * PARAM_OMEGA_R] = {0}; // weight is expected to be <= PARAM_OMEGA_R - uint8_t inc; - size_t i, j; - - i = 0; - j = random_bytes_size; - while (i < weight) { - do { - if (j == random_bytes_size) { - seedexpander(ctx, rand_bytes, random_bytes_size); - j = 0; - } - - v[i] = ((uint32_t) rand_bytes[j++]) << 16; - v[i] |= ((uint32_t) rand_bytes[j++]) << 8; - v[i] |= rand_bytes[j++]; - - } while (v[i] >= UTILS_REJECTION_THRESHOLD); - - v[i] = v[i] % PARAM_N; - - inc = 1; - for (size_t k = 0; k < i; k++) { - if (v[k] == v[i]) { - inc = 0; - } - } - i += inc; - } -} - - - -/** - * @brief Generates a vector of a given Hamming weight - * - * This function generates uniformly at random a binary vector of a Hamming weight equal to the parameter weight. - * To generate the vector we have to sample uniformly at random values in the interval [0, PARAM_N -1]. Suppose the PARAM_N is equal to \f$ 70853 \f$, to select a position \f$ r\f$ the function works as follow: - * 1. It makes a call to the seedexpander function to obtain a random number \f$ x\f$ in \f$ [0, 2^{24}[ \f$. - * 2. Let \f$ t = \lfloor {2^{24} \over 70853} \rfloor \times 70853\f$ - * 3. If \f$ x \geq t\f$, go to 1 - * 4. It return \f$ r = x \mod 70853\f$ - * - * The parameter \f$ t \f$ is precomputed and it's denoted by UTILS_REJECTION_THRESHOLD (see the file parameters.h). 
- * - * @param[in] v Pointer to an array - * @param[in] weight Integer that is the Hamming weight - * @param[in] ctx Pointer to the context of the seed expander - */ -void PQCLEAN_HQCRMRS256_CLEAN_vect_set_random_fixed_weight(AES_XOF_struct *ctx, uint64_t *v, uint16_t weight) { - uint32_t tmp[PARAM_OMEGA_R] = {0}; - - PQCLEAN_HQCRMRS256_CLEAN_vect_set_random_fixed_weight_by_coordinates(ctx, tmp, weight); - - for (size_t i = 0; i < weight; ++i) { - int32_t index = tmp[i] / 64; - int32_t pos = tmp[i] % 64; - v[index] |= ((uint64_t) 1) << pos; - } -} - - - -/** - * @brief Generates a random vector of dimension PARAM_N - * - * This function generates a random binary vector of dimension PARAM_N. It generates a random - * array of bytes using the seedexpander function, and drop the extra bits using a mask. - * - * @param[in] v Pointer to an array - * @param[in] ctx Pointer to the context of the seed expander - */ -void PQCLEAN_HQCRMRS256_CLEAN_vect_set_random(AES_XOF_struct *ctx, uint64_t *v) { - uint8_t rand_bytes[VEC_N_SIZE_BYTES] = {0}; - - seedexpander(ctx, rand_bytes, VEC_N_SIZE_BYTES); - - PQCLEAN_HQCRMRS256_CLEAN_load8_arr(v, VEC_N_SIZE_64, rand_bytes, VEC_N_SIZE_BYTES); - v[VEC_N_SIZE_64 - 1] &= RED_MASK; -} - - - -/** - * @brief Adds two vectors - * - * @param[out] o Pointer to an array that is the result - * @param[in] v1 Pointer to an array that is the first vector - * @param[in] v2 Pointer to an array that is the second vector - * @param[in] size Integer that is the size of the vectors - */ -void PQCLEAN_HQCRMRS256_CLEAN_vect_add(uint64_t *o, const uint64_t *v1, const uint64_t *v2, uint32_t size) { - for (uint32_t i = 0; i < size; ++i) { - o[i] = v1[i] ^ v2[i]; - } -} - - - -/** - * @brief Compares two vectors - * - * @param[in] v1 Pointer to an array that is first vector - * @param[in] v2 Pointer to an array that is second vector - * @param[in] size Integer that is the size of the vectors - * @returns 0 if the vectors are equals and a negative/psotive value 
otherwise - */ -uint8_t PQCLEAN_HQCRMRS256_CLEAN_vect_compare(const uint8_t *v1, const uint8_t *v2, uint32_t size) { - uint64_t r = 0; - for (size_t i = 0; i < size; i++) { - r |= v1[i] ^ v2[i]; - } - r = (~r + 1) >> 63; - return (uint8_t) r; -} - - - -/** - * @brief Resize a vector so that it contains size_o bits - * - * @param[out] o Pointer to the output vector - * @param[in] size_o Integer that is the size of the output vector in bits - * @param[in] v Pointer to the input vector - * @param[in] size_v Integer that is the size of the input vector in bits - */ -void PQCLEAN_HQCRMRS256_CLEAN_vect_resize(uint64_t *o, uint32_t size_o, const uint64_t *v, uint32_t size_v) { - if (size_o < size_v) { - uint64_t mask = 0x7FFFFFFFFFFFFFFF; - int8_t val = 0; - - if (size_o % 64) { - val = 64 - (size_o % 64); - } - - memcpy(o, v, 8 * VEC_N1N2_SIZE_64); - - for (int8_t i = 0; i < val; ++i) { - o[VEC_N1N2_SIZE_64 - 1] &= (mask >> i); - } - } else { - memcpy(o, v, 8 * CEIL_DIVIDE(size_v, 64)); - } -} diff --git a/crypto_kem/hqc-rmrs-256/clean/vector.h b/crypto_kem/hqc-rmrs-256/clean/vector.h deleted file mode 100644 index 439cfd67..00000000 --- a/crypto_kem/hqc-rmrs-256/clean/vector.h +++ /dev/null 
@@ -1,27 +0,0 @@
-#ifndef VECTOR_H
-#define VECTOR_H
-
-
-/**
- * @file vector.h
- * @brief Header file for vector.c
- */
-#include "nistseedexpander.h"
-#include "randombytes.h"
-#include
-
-void PQCLEAN_HQCRMRS256_CLEAN_vect_set_random_fixed_weight_by_coordinates(AES_XOF_struct *ctx, uint32_t *v, uint16_t weight);
-
-void PQCLEAN_HQCRMRS256_CLEAN_vect_set_random_fixed_weight(AES_XOF_struct *ctx, uint64_t *v, uint16_t weight);
-
-void PQCLEAN_HQCRMRS256_CLEAN_vect_set_random(AES_XOF_struct *ctx, uint64_t *v);
-
-
-void PQCLEAN_HQCRMRS256_CLEAN_vect_add(uint64_t *o, const uint64_t *v1, const uint64_t *v2, uint32_t size);
-
-uint8_t PQCLEAN_HQCRMRS256_CLEAN_vect_compare(const uint8_t *v1, const uint8_t *v2, uint32_t size);
-
-void PQCLEAN_HQCRMRS256_CLEAN_vect_resize(uint64_t *o, uint32_t size_o, const uint64_t *v, uint32_t size_v);
-
-
-#endif
diff --git a/crypto_kem/kyber1024-90s/META.yml b/crypto_kem/kyber1024-90s/META.yml
deleted file mode 100644
index c8dd1982..00000000
--- a/crypto_kem/kyber1024-90s/META.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-name: Kyber1024-90s
-type: kem
-claimed-nist-level: 5
-claimed-security: IND-CCA2
-length-public-key: 1568
-length-ciphertext: 1568
-length-secret-key: 3168
-length-shared-secret: 32
-nistkat-sha256: a1b564348a126a118fbc49a6aeaebcb74896753fd99f30eeb0f75f0b2d25115f
-principal-submitters:
- - Peter Schwabe
-auxiliary-submitters:
- - Roberto Avanzi
- - Joppe Bos
- - Léo Ducas
- - Eike Kiltz
- - Tancrède Lepoint
- - Vadim Lyubashevsky
- - John M. Schanck
- - Gregor Seiler
- - Damien Stehlé
-implementations:
- - name: clean
- version: https://github.com/pq-crystals/kyber/commit/e7faae9f662f5b92fee4e966f09b2f23e1e91c65 via https://github.com/jschanck/package-pqclean/tree/231c9bec/kyber
- - name: avx2
- version: https://github.com/pq-crystals/kyber/commit/e7faae9f662f5b92fee4e966f09b2f23e1e91c65 via https://github.com/jschanck/package-pqclean/tree/231c9bec/kyber
- supported_platforms:
- - architecture: x86_64
- operating_systems:
- - Linux
- - Darwin
- required_flags:
- - aes
- - avx2
- - bmi2
- - popcnt
diff --git a/crypto_kem/kyber1024-90s/avx2/LICENSE b/crypto_kem/kyber1024-90s/avx2/LICENSE
deleted file mode 100644
index 08473af7..00000000
--- a/crypto_kem/kyber1024-90s/avx2/LICENSE
+++ /dev/null
@@ -1,5 +0,0 @@
-Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/)
-
-For Keccak and AES we are using public-domain
-code from sources and by authors listed in
-comments on top of the respective files.
diff --git a/crypto_kem/kyber1024-90s/avx2/aes256ctr.c b/crypto_kem/kyber1024-90s/avx2/aes256ctr.c
deleted file mode 100644
index 158a9a54..00000000
--- a/crypto_kem/kyber1024-90s/avx2/aes256ctr.c
+++ /dev/null
@@ -1,142 +0,0 @@ -#include "aes256ctr.h" -#include -#include -#include -/* Based heavily on public-domain code by Romain Dolbeau - * Different handling of nonce+counter than original version using - * separated 64-bit nonce and internal 64-bit counter, starting from zero - * Public Domain */ - - -static inline void aesni_encrypt4(uint8_t out[64], __m128i *n, const __m128i rkeys[16]) { - __m128i f, f0, f1, f2, f3; - const __m128i idx = _mm_set_epi8(8, 9, 10, 11, 12, 13, 14, 15, 7, 6, 5, 4, 3, 2, 1, 0); - - /* Load current counter value */ - f = _mm_load_si128(n); - - /* Increase counter in 4 consecutive blocks */ - f0 = _mm_shuffle_epi8(_mm_add_epi64(f, _mm_set_epi64x(0, 0)), idx); - f1 = _mm_shuffle_epi8(_mm_add_epi64(f, _mm_set_epi64x(1, 0)), idx); - f2 = _mm_shuffle_epi8(_mm_add_epi64(f, _mm_set_epi64x(2, 0)), idx); - f3 = _mm_shuffle_epi8(_mm_add_epi64(f, _mm_set_epi64x(3, 0)), idx); - - /* Write counter for next iteration, increased by 4 */ - _mm_store_si128(n, _mm_add_epi64(f, _mm_set_epi64x(4, 0))); - - /* Actual AES encryption, 4x interleaved */ - f = _mm_load_si128(&rkeys[0]); - f0 = _mm_xor_si128(f0, f); - f1 = _mm_xor_si128(f1, f); - f2 = _mm_xor_si128(f2, f); - f3 = _mm_xor_si128(f3, f); - - for (int i = 1; i < 14; i++) { - f = _mm_load_si128(&rkeys[i]); - f0 = _mm_aesenc_si128(f0, f); - f1 = _mm_aesenc_si128(f1, f); - f2 = _mm_aesenc_si128(f2, f); - f3 = _mm_aesenc_si128(f3, f); - } - - f = _mm_load_si128(&rkeys[14]); - f0 = _mm_aesenclast_si128(f0, f); - f1 = _mm_aesenclast_si128(f1, f); - f2 = _mm_aesenclast_si128(f2, f); - f3 = _mm_aesenclast_si128(f3, f); - - /* Write results */ - _mm_storeu_si128((__m128i *)(out + 0), f0); - _mm_storeu_si128((__m128i *)(out + 16), f1); - _mm_storeu_si128((__m128i *)(out + 32), f2); - _mm_storeu_si128((__m128i *)(out + 48), f3); -} - -void PQCLEAN_KYBER102490S_AVX2_aes256ctr_init(aes256ctr_ctx *state, const uint8_t key[32], uint64_t nonce) { - __m128i key0, key1, temp0, temp1, temp2, temp4; - int idx = 0; - - key0 
= _mm_loadu_si128((__m128i *)(key + 0)); - key1 = _mm_loadu_si128((__m128i *)(key + 16)); - state->n = _mm_loadl_epi64((__m128i *)&nonce); - - state->rkeys[idx++] = key0; - temp0 = key0; - temp2 = key1; - temp4 = _mm_setzero_si128(); - -#define BLOCK1(IMM) \ - temp1 = _mm_aeskeygenassist_si128(temp2, IMM); \ - state->rkeys[idx++] = temp2; \ - temp4 = (__m128i)_mm_shuffle_ps((__m128)temp4, (__m128)temp0, 0x10); \ - temp0 = _mm_xor_si128(temp0, temp4); \ - temp4 = (__m128i)_mm_shuffle_ps((__m128)temp4, (__m128)temp0, 0x8c); \ - temp0 = _mm_xor_si128(temp0, temp4); \ - temp1 = (__m128i)_mm_shuffle_ps((__m128)temp1, (__m128)temp1, 0xff); \ - temp0 = _mm_xor_si128(temp0, temp1) - -#define BLOCK2(IMM) \ - temp1 = _mm_aeskeygenassist_si128(temp0, IMM); \ - state->rkeys[idx++] = temp0; \ - temp4 = (__m128i)_mm_shuffle_ps((__m128)temp4, (__m128)temp2, 0x10); \ - temp2 = _mm_xor_si128(temp2, temp4); \ - temp4 = (__m128i)_mm_shuffle_ps((__m128)temp4, (__m128)temp2, 0x8c); \ - temp2 = _mm_xor_si128(temp2, temp4); \ - temp1 = (__m128i)_mm_shuffle_ps((__m128)temp1, (__m128)temp1, 0xaa); \ - temp2 = _mm_xor_si128(temp2, temp1) - - BLOCK1(0x01); - BLOCK2(0x01); - - BLOCK1(0x02); - BLOCK2(0x02); - - BLOCK1(0x04); - BLOCK2(0x04); - - BLOCK1(0x08); - BLOCK2(0x08); - - BLOCK1(0x10); - BLOCK2(0x10); - - BLOCK1(0x20); - BLOCK2(0x20); - - BLOCK1(0x40); - state->rkeys[idx++] = temp0; -} - -void PQCLEAN_KYBER102490S_AVX2_aes256ctr_squeezeblocks(uint8_t *out, - size_t nblocks, - aes256ctr_ctx *state) { - size_t i; - for (i = 0; i < nblocks; i++) { - aesni_encrypt4(out, &state->n, state->rkeys); - out += 64; - } -} - -void PQCLEAN_KYBER102490S_AVX2_aes256ctr_prf(uint8_t *out, - size_t outlen, - const uint8_t key[32], - uint64_t nonce) { - unsigned int i; - uint8_t buf[64]; - aes256ctr_ctx state; - - PQCLEAN_KYBER102490S_AVX2_aes256ctr_init(&state, key, nonce); - - while (outlen >= 64) { - aesni_encrypt4(out, &state.n, state.rkeys); - outlen -= 64; - out += 64; - } - - if (outlen) { - 
aesni_encrypt4(buf, &state.n, state.rkeys); - for (i = 0; i < outlen; i++) { - out[i] = buf[i]; - } - } -} diff --git a/crypto_kem/kyber1024-90s/avx2/aes256ctr.h b/crypto_kem/kyber1024-90s/avx2/aes256ctr.h deleted file mode 100644 index 3f3c08e1..00000000 --- a/crypto_kem/kyber1024-90s/avx2/aes256ctr.h +++ /dev/null @@ -1,29 +0,0 @@ -#ifndef PQCLEAN_KYBER102490S_AVX2_AES256CTR_H -#define PQCLEAN_KYBER102490S_AVX2_AES256CTR_H - -#include -#include -#include - - -#define AES256CTR_BLOCKBYTES 64 - -typedef struct { - __m128i rkeys[16]; - __m128i n; -} aes256ctr_ctx; - -void PQCLEAN_KYBER102490S_AVX2_aes256ctr_init(aes256ctr_ctx *state, - const uint8_t key[32], - uint64_t nonce); - -void PQCLEAN_KYBER102490S_AVX2_aes256ctr_squeezeblocks(uint8_t *out, - size_t nblocks, - aes256ctr_ctx *state); - -void PQCLEAN_KYBER102490S_AVX2_aes256ctr_prf(uint8_t *out, - size_t outlen, - const uint8_t key[32], - uint64_t nonce); - -#endif diff --git a/crypto_kem/kyber1024-90s/avx2/align.h b/crypto_kem/kyber1024-90s/avx2/align.h deleted file mode 100644 index 12300d15..00000000 --- a/crypto_kem/kyber1024-90s/avx2/align.h +++ /dev/null @@ -1,19 +0,0 @@ -#ifndef PQCLEAN_KYBER102490S_AVX2_ALIGN_H -#define PQCLEAN_KYBER102490S_AVX2_ALIGN_H - -#include -#include - -#define ALIGNED_UINT8(N) \ - union { \ - uint8_t coeffs[(N)]; \ - __m256i vec[((N)+31)/32]; \ - } - -#define ALIGNED_INT16(N) \ - union { \ - int16_t coeffs[(N)]; \ - __m256i vec[((N)+15)/16]; \ - } - -#endif diff --git a/crypto_kem/kyber1024-90s/avx2/api.h b/crypto_kem/kyber1024-90s/avx2/api.h deleted file mode 100644 index f1fab310..00000000 --- a/crypto_kem/kyber1024-90s/avx2/api.h +++ /dev/null 
@@ -1,18 +0,0 @@
-#ifndef PQCLEAN_KYBER102490S_AVX2_API_H
-#define PQCLEAN_KYBER102490S_AVX2_API_H
-
-#include
-
-#define PQCLEAN_KYBER102490S_AVX2_CRYPTO_SECRETKEYBYTES 3168
-#define PQCLEAN_KYBER102490S_AVX2_CRYPTO_PUBLICKEYBYTES 1568
-#define PQCLEAN_KYBER102490S_AVX2_CRYPTO_CIPHERTEXTBYTES 1568
-#define PQCLEAN_KYBER102490S_AVX2_CRYPTO_BYTES 32
-#define PQCLEAN_KYBER102490S_AVX2_CRYPTO_ALGNAME "Kyber1024-90s"
-
-int PQCLEAN_KYBER102490S_AVX2_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
-
-int PQCLEAN_KYBER102490S_AVX2_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-
-int PQCLEAN_KYBER102490S_AVX2_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
-#endif
diff --git a/crypto_kem/kyber1024-90s/avx2/basemul.S b/crypto_kem/kyber1024-90s/avx2/basemul.S
deleted file mode 100644
index ead7d7b2..00000000
--- a/crypto_kem/kyber1024-90s/avx2/basemul.S
+++ /dev/null
@@ -1,107 +0,0 @@ -#include "cdecl.h" - -.macro schoolbook off -vmovdqa _16XQINV*2(%rcx),%ymm0 -vmovdqa (64*\off+ 0)*2(%rsi),%ymm1 # a0 -vmovdqa (64*\off+16)*2(%rsi),%ymm2 # b0 -vmovdqa (64*\off+32)*2(%rsi),%ymm3 # a1 -vmovdqa (64*\off+48)*2(%rsi),%ymm4 # b1 - -vpmullw %ymm0,%ymm1,%ymm9 # a0.lo -vpmullw %ymm0,%ymm2,%ymm10 # b0.lo -vpmullw %ymm0,%ymm3,%ymm11 # a1.lo -vpmullw %ymm0,%ymm4,%ymm12 # b1.lo - -vmovdqa (64*\off+ 0)*2(%rdx),%ymm5 # c0 -vmovdqa (64*\off+16)*2(%rdx),%ymm6 # d0 - -vpmulhw %ymm5,%ymm1,%ymm13 # a0c0.hi -vpmulhw %ymm6,%ymm1,%ymm1 # a0d0.hi -vpmulhw %ymm5,%ymm2,%ymm14 # b0c0.hi -vpmulhw %ymm6,%ymm2,%ymm2 # b0d0.hi - -vmovdqa (64*\off+32)*2(%rdx),%ymm7 # c1 -vmovdqa (64*\off+48)*2(%rdx),%ymm8 # d1 - -vpmulhw %ymm7,%ymm3,%ymm15 # a1c1.hi -vpmulhw %ymm8,%ymm3,%ymm3 # a1d1.hi -vpmulhw %ymm7,%ymm4,%ymm0 # b1c1.hi -vpmulhw %ymm8,%ymm4,%ymm4 # b1d1.hi - -vmovdqa %ymm13,(%rsp) - -vpmullw %ymm5,%ymm9,%ymm13 # a0c0.lo -vpmullw %ymm6,%ymm9,%ymm9 # a0d0.lo -vpmullw %ymm5,%ymm10,%ymm5 # b0c0.lo -vpmullw %ymm6,%ymm10,%ymm10 # b0d0.lo - -vpmullw %ymm7,%ymm11,%ymm6 # a1c1.lo -vpmullw %ymm8,%ymm11,%ymm11 # a1d1.lo -vpmullw %ymm7,%ymm12,%ymm7 # b1c1.lo -vpmullw %ymm8,%ymm12,%ymm12 # b1d1.lo - -vmovdqa _16XQ*2(%rcx),%ymm8 -vpmulhw %ymm8,%ymm13,%ymm13 -vpmulhw %ymm8,%ymm9,%ymm9 -vpmulhw %ymm8,%ymm5,%ymm5 -vpmulhw %ymm8,%ymm10,%ymm10 -vpmulhw %ymm8,%ymm6,%ymm6 -vpmulhw %ymm8,%ymm11,%ymm11 -vpmulhw %ymm8,%ymm7,%ymm7 -vpmulhw %ymm8,%ymm12,%ymm12 - -vpsubw (%rsp),%ymm13,%ymm13 # -a0c0 -vpsubw %ymm9,%ymm1,%ymm9 # a0d0 -vpsubw %ymm5,%ymm14,%ymm5 # b0c0 -vpsubw %ymm10,%ymm2,%ymm10 # b0d0 - -vpsubw %ymm6,%ymm15,%ymm6 # a1c1 -vpsubw %ymm11,%ymm3,%ymm11 # a1d1 -vpsubw %ymm7,%ymm0,%ymm7 # b1c1 -vpsubw %ymm12,%ymm4,%ymm12 # b1d1 - -vmovdqa (%r9),%ymm0 -vmovdqa 32(%r9),%ymm1 -vpmullw %ymm0,%ymm10,%ymm2 -vpmullw %ymm0,%ymm12,%ymm3 -vpmulhw %ymm1,%ymm10,%ymm10 -vpmulhw %ymm1,%ymm12,%ymm12 -vpmulhw %ymm8,%ymm2,%ymm2 -vpmulhw %ymm8,%ymm3,%ymm3 -vpsubw %ymm2,%ymm10,%ymm10 # rb0d0 
-vpsubw %ymm3,%ymm12,%ymm12 # rb1d1 - -vpaddw %ymm5,%ymm9,%ymm9 -vpaddw %ymm7,%ymm11,%ymm11 -vpsubw %ymm13,%ymm10,%ymm13 -vpsubw %ymm12,%ymm6,%ymm6 - -vmovdqa %ymm13,(64*\off+ 0)*2(%rdi) -vmovdqa %ymm9,(64*\off+16)*2(%rdi) -vmovdqa %ymm6,(64*\off+32)*2(%rdi) -vmovdqa %ymm11,(64*\off+48)*2(%rdi) -.endm - -.text -.global cdecl(PQCLEAN_KYBER102490S_AVX2_basemul_avx) -.global _cdecl(PQCLEAN_KYBER102490S_AVX2_basemul_avx) -cdecl(PQCLEAN_KYBER102490S_AVX2_basemul_avx): -_cdecl(PQCLEAN_KYBER102490S_AVX2_basemul_avx): -mov %rsp,%r8 -and $-32,%rsp -sub $32,%rsp - -lea (_ZETAS_EXP+176)*2(%rcx),%r9 -schoolbook 0 - -add $32*2,%r9 -schoolbook 1 - -add $192*2,%r9 -schoolbook 2 - -add $32*2,%r9 -schoolbook 3 - -mov %r8,%rsp -ret diff --git a/crypto_kem/kyber1024-90s/avx2/cbd.c b/crypto_kem/kyber1024-90s/avx2/cbd.c deleted file mode 100644 index 39d2ffde..00000000 --- a/crypto_kem/kyber1024-90s/avx2/cbd.c +++ /dev/null 
@@ -1,67 +0,0 @@ -#include "cbd.h" -#include "params.h" -#include -#include - -/************************************************* -* Name: cbd2 -* -* Description: Given an array of uniformly random bytes, compute -* polynomial with coefficients distributed according to -* a centered binomial distribution with parameter eta=2 -* -* Arguments: - poly *r: pointer to output polynomial -* - const __m256i *buf: pointer to aligned input byte array -**************************************************/ -static void cbd2(poly *restrict r, const __m256i buf[2 * KYBER_N / 128]) { - unsigned int i; - __m256i f0, f1, f2, f3; - const __m256i mask55 = _mm256_set1_epi32(0x55555555); - const __m256i mask33 = _mm256_set1_epi32(0x33333333); - const __m256i mask03 = _mm256_set1_epi32(0x03030303); - const __m256i mask0F = _mm256_set1_epi32(0x0F0F0F0F); - - for (i = 0; i < KYBER_N / 64; i++) { - f0 = _mm256_load_si256(&buf[i]); - - f1 = _mm256_srli_epi16(f0, 1); - f0 = _mm256_and_si256(mask55, f0); - f1 = _mm256_and_si256(mask55, f1); - f0 = _mm256_add_epi8(f0, f1); - - f1 = _mm256_srli_epi16(f0, 2); - f0 = _mm256_and_si256(mask33, f0); - f1 = _mm256_and_si256(mask33, f1); - f0 = _mm256_add_epi8(f0, mask33); - f0 = _mm256_sub_epi8(f0, f1); - - f1 = _mm256_srli_epi16(f0, 4); - f0 = _mm256_and_si256(mask0F, f0); - f1 = _mm256_and_si256(mask0F, f1); - f0 = _mm256_sub_epi8(f0, mask03); - f1 = _mm256_sub_epi8(f1, mask03); - - f2 = _mm256_unpacklo_epi8(f0, f1); - f3 = _mm256_unpackhi_epi8(f0, f1); - - f0 = _mm256_cvtepi8_epi16(_mm256_castsi256_si128(f2)); - f1 = _mm256_cvtepi8_epi16(_mm256_extracti128_si256(f2, 1)); - f2 = _mm256_cvtepi8_epi16(_mm256_castsi256_si128(f3)); - f3 = _mm256_cvtepi8_epi16(_mm256_extracti128_si256(f3, 1)); - - _mm256_store_si256(&r->vec[4 * i + 0], f0); - _mm256_store_si256(&r->vec[4 * i + 1], f2); - _mm256_store_si256(&r->vec[4 * i + 2], f1); - _mm256_store_si256(&r->vec[4 * i + 3], f3); - } -} - - -/* buf 32 bytes longer for cbd3 */ -void 
PQCLEAN_KYBER102490S_AVX2_poly_cbd_eta1(poly *r, const __m256i buf[KYBER_ETA1 * KYBER_N / 128 + 1]) { - cbd2(r, buf); -} - -void PQCLEAN_KYBER102490S_AVX2_poly_cbd_eta2(poly *r, const __m256i buf[KYBER_ETA2 * KYBER_N / 128]) { - cbd2(r, buf); -} diff --git a/crypto_kem/kyber1024-90s/avx2/cbd.h b/crypto_kem/kyber1024-90s/avx2/cbd.h deleted file mode 100644 index 2c9d77a5..00000000 --- a/crypto_kem/kyber1024-90s/avx2/cbd.h +++ /dev/null @@ -1,12 +0,0 @@ -#ifndef PQCLEAN_KYBER102490S_AVX2_CBD_H -#define PQCLEAN_KYBER102490S_AVX2_CBD_H -#include "params.h" -#include "poly.h" -#include -#include - -void PQCLEAN_KYBER102490S_AVX2_poly_cbd_eta1(poly *r, const __m256i buf[KYBER_ETA1 * KYBER_N / 128 + 1]); - -void PQCLEAN_KYBER102490S_AVX2_poly_cbd_eta2(poly *r, const __m256i buf[KYBER_ETA2 * KYBER_N / 128]); - -#endif diff --git a/crypto_kem/kyber1024-90s/avx2/cdecl.h b/crypto_kem/kyber1024-90s/avx2/cdecl.h deleted file mode 100644 index 4c262f61..00000000 --- a/crypto_kem/kyber1024-90s/avx2/cdecl.h +++ /dev/null @@ -1,30 +0,0 @@ -#ifndef PQCLEAN_KYBER102490S_AVX2_CDECL_H -#define PQCLEAN_KYBER102490S_AVX2_CDECL_H - - - -#define _16XQ 0 -#define _16XQINV 16 -#define _16XV 32 -#define _16XFLO 48 -#define _16XFHI 64 -#define _16XMONTSQLO 80 -#define _16XMONTSQHI 96 -#define _16XMASK 112 -#define _REVIDXB 128 -#define _REVIDXD 144 -#define _ZETAS_EXP 160 -#define _16XSHIFT 624 - -/* The C ABI on MacOS exports all symbols with a leading - * underscore. This means that any symbols we refer to from - * C files (functions) can't be found, and all symbols we - * refer to from ASM also can't be found (nttconsts.c). - * - * This define helps us get around this - */ - -#define _cdecl(s) _##s -#define cdecl(s) s - -#endif diff --git a/crypto_kem/kyber1024-90s/avx2/consts.c b/crypto_kem/kyber1024-90s/avx2/consts.c deleted file mode 100644 index db1ae9a6..00000000 --- a/crypto_kem/kyber1024-90s/avx2/consts.c +++ /dev/null 
@@ -1,123 +0,0 @@ -#include "align.h" -#include "consts.h" -#include "params.h" - - -#define Q KYBER_Q -#define MONT (-1044) // 2^16 mod q -#define QINV (-3327) // q^-1 mod 2^16 -#define V 20159 // floor(2^26/q + 0.5) -#define FHI 1441 // mont^2/128 -#define FLO (-10079) // qinv*FHI -#define MONTSQHI 1353 // mont^2 -#define MONTSQLO 20553 // qinv*MONTSQHI -#define MASK 4095 -#define SHIFT 32 - -const qdata_t PQCLEAN_KYBER102490S_AVX2_qdata = {.coeffs = { -//#define _16XQ 0 - Q, Q, Q, Q, Q, Q, Q, Q, Q, Q, Q, Q, Q, Q, Q, Q, - -//#define _16XQINV 16 - QINV, QINV, QINV, QINV, QINV, QINV, QINV, QINV, - QINV, QINV, QINV, QINV, QINV, QINV, QINV, QINV, - -//#define _16XV 32 - V, V, V, V, V, V, V, V, V, V, V, V, V, V, V, V, - -//#define _16XFLO 48 - FLO, FLO, FLO, FLO, FLO, FLO, FLO, FLO, - FLO, FLO, FLO, FLO, FLO, FLO, FLO, FLO, - -//#define _16XFHI 64 - FHI, FHI, FHI, FHI, FHI, FHI, FHI, FHI, - FHI, FHI, FHI, FHI, FHI, FHI, FHI, FHI, - -//#define _16XMONTSQLO 80 - MONTSQLO, MONTSQLO, MONTSQLO, MONTSQLO, - MONTSQLO, MONTSQLO, MONTSQLO, MONTSQLO, - MONTSQLO, MONTSQLO, MONTSQLO, MONTSQLO, - MONTSQLO, MONTSQLO, MONTSQLO, MONTSQLO, - -//#define _16XMONTSQHI 96 - MONTSQHI, MONTSQHI, MONTSQHI, MONTSQHI, - MONTSQHI, MONTSQHI, MONTSQHI, MONTSQHI, - MONTSQHI, MONTSQHI, MONTSQHI, MONTSQHI, - MONTSQHI, MONTSQHI, MONTSQHI, MONTSQHI, - -//#define _16XMASK 112 - MASK, MASK, MASK, MASK, MASK, MASK, MASK, MASK, - MASK, MASK, MASK, MASK, MASK, MASK, MASK, MASK, - -//#define _REVIDXB 128 - 3854, 3340, 2826, 2312, 1798, 1284, 770, 256, - 3854, 3340, 2826, 2312, 1798, 1284, 770, 256, - -//#define _REVIDXD 144 - 7, 0, 6, 0, 5, 0, 4, 0, 3, 0, 2, 0, 1, 0, 0, 0, - -//#define _ZETAS_EXP 160 - 31498, 31498, 31498, 31498, -758, -758, -758, -758, - 5237, 5237, 5237, 5237, 1397, 1397, 1397, 1397, - 14745, 14745, 14745, 14745, 14745, 14745, 14745, 14745, - 14745, 14745, 14745, 14745, 14745, 14745, 14745, 14745, - -359, -359, -359, -359, -359, -359, -359, -359, - -359, -359, -359, -359, -359, -359, 
-359, -359, - 13525, 13525, 13525, 13525, 13525, 13525, 13525, 13525, - -12402, -12402, -12402, -12402, -12402, -12402, -12402, -12402, - 1493, 1493, 1493, 1493, 1493, 1493, 1493, 1493, - 1422, 1422, 1422, 1422, 1422, 1422, 1422, 1422, - -20907, -20907, -20907, -20907, 27758, 27758, 27758, 27758, - -3799, -3799, -3799, -3799, -15690, -15690, -15690, -15690, - -171, -171, -171, -171, 622, 622, 622, 622, - 1577, 1577, 1577, 1577, 182, 182, 182, 182, - -5827, -5827, 17363, 17363, -26360, -26360, -29057, -29057, - 5571, 5571, -1102, -1102, 21438, 21438, -26242, -26242, - 573, 573, -1325, -1325, 264, 264, 383, 383, - -829, -829, 1458, 1458, -1602, -1602, -130, -130, - -5689, -6516, 1496, 30967, -23565, 20179, 20710, 25080, - -12796, 26616, 16064, -12442, 9134, -650, -25986, 27837, - 1223, 652, -552, 1015, -1293, 1491, -282, -1544, - 516, -8, -320, -666, -1618, -1162, 126, 1469, - -335, -11477, -32227, 20494, -27738, 945, -14883, 6182, - 32010, 10631, 29175, -28762, -18486, 17560, -14430, -5276, - -1103, 555, -1251, 1550, 422, 177, -291, 1574, - -246, 1159, -777, -602, -1590, -872, 418, -156, - 11182, 13387, -14233, -21655, 13131, -4587, 23092, 5493, - -32502, 30317, -18741, 12639, 20100, 18525, 19529, -12619, - 430, 843, 871, 105, 587, -235, -460, 1653, - 778, -147, 1483, 1119, 644, 349, 329, -75, - 787, 787, 787, 787, 787, 787, 787, 787, - 787, 787, 787, 787, 787, 787, 787, 787, - -1517, -1517, -1517, -1517, -1517, -1517, -1517, -1517, - -1517, -1517, -1517, -1517, -1517, -1517, -1517, -1517, - 28191, 28191, 28191, 28191, 28191, 28191, 28191, 28191, - -16694, -16694, -16694, -16694, -16694, -16694, -16694, -16694, - 287, 287, 287, 287, 287, 287, 287, 287, - 202, 202, 202, 202, 202, 202, 202, 202, - 10690, 10690, 10690, 10690, 1358, 1358, 1358, 1358, - -11202, -11202, -11202, -11202, 31164, 31164, 31164, 31164, - 962, 962, 962, 962, -1202, -1202, -1202, -1202, - -1474, -1474, -1474, -1474, 1468, 1468, 1468, 1468, - -28073, -28073, 24313, 24313, -10532, -10532, 8800, 
8800, - 18426, 18426, 8859, 8859, 26675, 26675, -16163, -16163, - -681, -681, 1017, 1017, 732, 732, 608, 608, - -1542, -1542, 411, 411, -205, -205, -1571, -1571, - 19883, -28250, -15887, -8898, -28309, 9075, -30199, 18249, - 13426, 14017, -29156, -12757, 16832, 4311, -24155, -17915, - -853, -90, -271, 830, 107, -1421, -247, -951, - -398, 961, -1508, -725, 448, -1065, 677, -1275, - -31183, 25435, -7382, 24391, -20927, 10946, 24214, 16989, - 10335, -7934, -22502, 10906, 31636, 28644, 23998, -17422, - 817, 603, 1322, -1465, -1215, 1218, -874, -1187, - -1185, -1278, -1510, -870, -108, 996, 958, 1522, - 20297, 2146, 15355, -32384, -6280, -14903, -11044, 14469, - -21498, -20198, 23210, -17442, -23860, -20257, 7756, 23132, - 1097, 610, -1285, 384, -136, -1335, 220, -1659, - -1530, 794, -854, 478, -308, 991, -1460, 1628, - -//#define _16XSHIFT 624 - SHIFT, SHIFT, SHIFT, SHIFT, SHIFT, SHIFT, SHIFT, SHIFT, - SHIFT, SHIFT, SHIFT, SHIFT, SHIFT, SHIFT, SHIFT, SHIFT - } -}; diff --git a/crypto_kem/kyber1024-90s/avx2/consts.h b/crypto_kem/kyber1024-90s/avx2/consts.h deleted file mode 100644 index 61371483..00000000 --- a/crypto_kem/kyber1024-90s/avx2/consts.h +++ /dev/null @@ -1,10 +0,0 @@ -#ifndef PQCLEAN_KYBER102490S_AVX2_CONSTS_H -#define PQCLEAN_KYBER102490S_AVX2_CONSTS_H -#include "align.h" -#include "cdecl.h" - - -typedef ALIGNED_INT16(640) qdata_t; -extern const qdata_t PQCLEAN_KYBER102490S_AVX2_qdata; - -#endif diff --git a/crypto_kem/kyber1024-90s/avx2/fq.S b/crypto_kem/kyber1024-90s/avx2/fq.S deleted file mode 100644 index 1374c5a5..00000000 --- a/crypto_kem/kyber1024-90s/avx2/fq.S +++ /dev/null 
@@ -1,92 +0,0 @@ -#include "cdecl.h" -.include "fq.inc" - -.text -reduce128_avx: -#load -vmovdqa (%rdi),%ymm2 -vmovdqa 32(%rdi),%ymm3 -vmovdqa 64(%rdi),%ymm4 -vmovdqa 96(%rdi),%ymm5 -vmovdqa 128(%rdi),%ymm6 -vmovdqa 160(%rdi),%ymm7 -vmovdqa 192(%rdi),%ymm8 -vmovdqa 224(%rdi),%ymm9 - -red16 2 -red16 3 -red16 4 -red16 5 -red16 6 -red16 7 -red16 8 -red16 9 - -#store -vmovdqa %ymm2,(%rdi) -vmovdqa %ymm3,32(%rdi) -vmovdqa %ymm4,64(%rdi) -vmovdqa %ymm5,96(%rdi) -vmovdqa %ymm6,128(%rdi) -vmovdqa %ymm7,160(%rdi) -vmovdqa %ymm8,192(%rdi) -vmovdqa %ymm9,224(%rdi) - -ret - -.global cdecl(PQCLEAN_KYBER102490S_AVX2_reduce_avx) -.global _cdecl(PQCLEAN_KYBER102490S_AVX2_reduce_avx) -cdecl(PQCLEAN_KYBER102490S_AVX2_reduce_avx): -_cdecl(PQCLEAN_KYBER102490S_AVX2_reduce_avx): -#consts -vmovdqa _16XQ*2(%rsi),%ymm0 -vmovdqa _16XV*2(%rsi),%ymm1 -call reduce128_avx -add $256,%rdi -call reduce128_avx -ret - -tomont128_avx: -#load -vmovdqa (%rdi),%ymm3 -vmovdqa 32(%rdi),%ymm4 -vmovdqa 64(%rdi),%ymm5 -vmovdqa 96(%rdi),%ymm6 -vmovdqa 128(%rdi),%ymm7 -vmovdqa 160(%rdi),%ymm8 -vmovdqa 192(%rdi),%ymm9 -vmovdqa 224(%rdi),%ymm10 - -fqmulprecomp 1,2,3,11 -fqmulprecomp 1,2,4,12 -fqmulprecomp 1,2,5,13 -fqmulprecomp 1,2,6,14 -fqmulprecomp 1,2,7,15 -fqmulprecomp 1,2,8,11 -fqmulprecomp 1,2,9,12 -fqmulprecomp 1,2,10,13 - -#store -vmovdqa %ymm3,(%rdi) -vmovdqa %ymm4,32(%rdi) -vmovdqa %ymm5,64(%rdi) -vmovdqa %ymm6,96(%rdi) -vmovdqa %ymm7,128(%rdi) -vmovdqa %ymm8,160(%rdi) -vmovdqa %ymm9,192(%rdi) -vmovdqa %ymm10,224(%rdi) - -ret - -.global cdecl(PQCLEAN_KYBER102490S_AVX2_tomont_avx) -.global _cdecl(PQCLEAN_KYBER102490S_AVX2_tomont_avx) -cdecl(PQCLEAN_KYBER102490S_AVX2_tomont_avx): -_cdecl(PQCLEAN_KYBER102490S_AVX2_tomont_avx): -#consts -vmovdqa _16XQ*2(%rsi),%ymm0 -vmovdqa _16XMONTSQLO*2(%rsi),%ymm1 -vmovdqa _16XMONTSQHI*2(%rsi),%ymm2 -call tomont128_avx -add $256,%rdi -call tomont128_avx -ret 
diff --git a/crypto_kem/kyber1024-90s/avx2/fq.inc b/crypto_kem/kyber1024-90s/avx2/fq.inc
deleted file mode 100644
index 4b7afc31..00000000
--- a/crypto_kem/kyber1024-90s/avx2/fq.inc
+++ /dev/null
@@ -1,30 +0,0 @@
-.macro red16 r,rs=0,x=12
-vpmulhw %ymm1,%ymm\r,%ymm\x
-.if \rs
-vpmulhrsw %ymm\rs,%ymm\x,%ymm\x
-.else
-vpsraw $10,%ymm\x,%ymm\x
-.endif
-vpmullw %ymm0,%ymm\x,%ymm\x
-vpsubw %ymm\x,%ymm\r,%ymm\r
-.endm
-
-.macro csubq r,x=12
-vpsubw %ymm0,%ymm\r,%ymm\r
-vpsraw $15,%ymm\r,%ymm\x
-vpand %ymm0,%ymm\x,%ymm\x
-vpaddw %ymm\x,%ymm\r,%ymm\r
-.endm
-
-.macro caddq r,x=12
-vpsraw $15,%ymm\r,%ymm\x
-vpand %ymm0,%ymm\x,%ymm\x
-vpaddw %ymm\x,%ymm\r,%ymm\r
-.endm
-
-.macro fqmulprecomp al,ah,b,x=12
-vpmullw %ymm\al,%ymm\b,%ymm\x
-vpmulhw %ymm\ah,%ymm\b,%ymm\b
-vpmulhw %ymm0,%ymm\x,%ymm\x
-vpsubw %ymm\x,%ymm\b,%ymm\b
-.endm
diff --git a/crypto_kem/kyber1024-90s/avx2/indcpa.c b/crypto_kem/kyber1024-90s/avx2/indcpa.c
deleted file mode 100644
index f1367a1d..00000000
--- a/crypto_kem/kyber1024-90s/avx2/indcpa.c
+++ /dev/null
@@ -1,370 +0,0 @@ -#include "align.h" -#include "cbd.h" -#include "indcpa.h" -#include "ntt.h" -#include "params.h" -#include "poly.h" -#include "polyvec.h" -#include "randombytes.h" -#include "rejsample.h" -#include "symmetric.h" -#include -#include -#include - -/************************************************* -* Name: pack_pk -* -* Description: Serialize the public key as concatenation of the -* serialized vector of polynomials pk and the -* public seed used to generate the matrix A. -* The polynomial coefficients in pk are assumed to -* lie in the invertal [0,q], i.e. pk must be reduced -* by PQCLEAN_KYBER102490S_AVX2_polyvec_reduce(). -* -* Arguments: uint8_t *r: pointer to the output serialized public key -* polyvec *pk: pointer to the input public-key polyvec -* const uint8_t *seed: pointer to the input public seed -**************************************************/ -static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], - polyvec *pk, - const uint8_t seed[KYBER_SYMBYTES]) { - size_t i; - PQCLEAN_KYBER102490S_AVX2_polyvec_tobytes(r, pk); - for (i = 0; i < KYBER_SYMBYTES; i++) { - r[i + KYBER_POLYVECBYTES] = seed[i]; - } -} - -/************************************************* -* Name: unpack_pk -* -* Description: De-serialize public key from a byte array; -* approximate inverse of pack_pk -* -* Arguments: - polyvec *pk: pointer to output public-key polynomial vector -* - uint8_t *seed: pointer to output seed to generate matrix A -* - const uint8_t *packedpk: pointer to input serialized public key -**************************************************/ -static void unpack_pk(polyvec *pk, - uint8_t seed[KYBER_SYMBYTES], - const uint8_t packedpk[KYBER_INDCPA_PUBLICKEYBYTES]) { - size_t i; - PQCLEAN_KYBER102490S_AVX2_polyvec_frombytes(pk, packedpk); - for (i = 0; i < KYBER_SYMBYTES; i++) { - seed[i] = packedpk[i + KYBER_POLYVECBYTES]; - } -} - -/************************************************* -* Name: pack_sk -* -* Description: Serialize the secret key. 
-* The polynomial coefficients in sk are assumed to -* lie in the invertal [0,q], i.e. sk must be reduced -* by PQCLEAN_KYBER102490S_AVX2_polyvec_reduce(). -* -* Arguments: - uint8_t *r: pointer to output serialized secret key -* - polyvec *sk: pointer to input vector of polynomials (secret key) -**************************************************/ -static void pack_sk(uint8_t r[KYBER_INDCPA_SECRETKEYBYTES], polyvec *sk) { - PQCLEAN_KYBER102490S_AVX2_polyvec_tobytes(r, sk); -} - -/************************************************* -* Name: unpack_sk -* -* Description: De-serialize the secret key; inverse of pack_sk -* -* Arguments: - polyvec *sk: pointer to output vector of polynomials (secret key) -* - const uint8_t *packedsk: pointer to input serialized secret key -**************************************************/ -static void unpack_sk(polyvec *sk, const uint8_t packedsk[KYBER_INDCPA_SECRETKEYBYTES]) { - PQCLEAN_KYBER102490S_AVX2_polyvec_frombytes(sk, packedsk); -} - -/************************************************* -* Name: pack_ciphertext -* -* Description: Serialize the ciphertext as concatenation of the -* compressed and serialized vector of polynomials b -* and the compressed and serialized polynomial v. -* The polynomial coefficients in b and v are assumed to -* lie in the invertal [0,q], i.e. b and v must be reduced -* by PQCLEAN_KYBER102490S_AVX2_polyvec_reduce() and PQCLEAN_KYBER102490S_AVX2_poly_reduce(), respectively. 
-* -* Arguments: uint8_t *r: pointer to the output serialized ciphertext -* poly *pk: pointer to the input vector of polynomials b -* poly *v: pointer to the input polynomial v -**************************************************/ -static void pack_ciphertext(uint8_t r[KYBER_INDCPA_BYTES], polyvec *b, poly *v) { - PQCLEAN_KYBER102490S_AVX2_polyvec_compress(r, b); - PQCLEAN_KYBER102490S_AVX2_poly_compress(r + KYBER_POLYVECCOMPRESSEDBYTES, v); -} - -/************************************************* -* Name: unpack_ciphertext -* -* Description: De-serialize and decompress ciphertext from a byte array; -* approximate inverse of pack_ciphertext -* -* Arguments: - polyvec *b: pointer to the output vector of polynomials b -* - poly *v: pointer to the output polynomial v -* - const uint8_t *c: pointer to the input serialized ciphertext -**************************************************/ -static void unpack_ciphertext(polyvec *b, poly *v, const uint8_t c[KYBER_INDCPA_BYTES]) { - PQCLEAN_KYBER102490S_AVX2_polyvec_decompress(b, c); - PQCLEAN_KYBER102490S_AVX2_poly_decompress(v, c + KYBER_POLYVECCOMPRESSEDBYTES); -} - -/************************************************* -* Name: rej_uniform -* -* Description: Run rejection sampling on uniform random bytes to generate -* uniform random integers mod q -* -* Arguments: - int16_t *r: pointer to output array -* - unsigned int len: requested number of 16-bit integers (uniform mod q) -* - const uint8_t *buf: pointer to input buffer (assumed to be uniformly random bytes) -* - unsigned int buflen: length of input buffer in bytes -* -* Returns number of sampled 16-bit integers (at most len) -**************************************************/ -static unsigned int rej_uniform(int16_t *r, - unsigned int len, - const uint8_t *buf, - unsigned int buflen) { - unsigned int ctr, pos; - uint16_t val0, val1; - - ctr = pos = 0; - while (ctr < len && pos + 3 <= buflen) { - val0 = ((buf[pos + 0] >> 0) | ((uint16_t)buf[pos + 1] << 8)) & 0xFFF; - 
val1 = ((buf[pos + 1] >> 4) | ((uint16_t)buf[pos + 2] << 4)) & 0xFFF; - pos += 3; - - if (val0 < KYBER_Q) { - r[ctr++] = val0; - } - if (ctr < len && val1 < KYBER_Q) { - r[ctr++] = val1; - } - } - - return ctr; -} - -#define gen_a(A,B) PQCLEAN_KYBER102490S_AVX2_gen_matrix(A,B,0) -#define gen_at(A,B) PQCLEAN_KYBER102490S_AVX2_gen_matrix(A,B,1) - -/************************************************* -* Name: PQCLEAN_KYBER102490S_AVX2_gen_matrix -* -* Description: Deterministically generate matrix A (or the transpose of A) -* from a seed. Entries of the matrix are polynomials that look -* uniformly random. Performs rejection sampling on output of -* a XOF -* -* Arguments: - polyvec *a: pointer to ouptput matrix A -* - const uint8_t *seed: pointer to input seed -* - int transposed: boolean deciding whether A or A^T is generated -**************************************************/ -void PQCLEAN_KYBER102490S_AVX2_gen_matrix(polyvec *a, const uint8_t seed[32], int transposed) { - unsigned int ctr, i, j, k; - unsigned int buflen, off; - uint64_t nonce = 0; - ALIGNED_UINT8(REJ_UNIFORM_AVX_NBLOCKS * AES256CTR_BLOCKBYTES) buf; - aes256ctr_ctx state; - - PQCLEAN_KYBER102490S_AVX2_aes256ctr_init(&state, seed, 0); - - for (i = 0; i < KYBER_K; i++) { - for (j = 0; j < KYBER_K; j++) { - if (transposed) { - nonce = (j << 8) | i; - } else { - nonce = (i << 8) | j; - } - - state.n = _mm_loadl_epi64((__m128i *)&nonce); - PQCLEAN_KYBER102490S_AVX2_aes256ctr_squeezeblocks(buf.coeffs, REJ_UNIFORM_AVX_NBLOCKS, &state); - buflen = REJ_UNIFORM_AVX_NBLOCKS * AES256CTR_BLOCKBYTES; - ctr = PQCLEAN_KYBER102490S_AVX2_rej_uniform_avx(a[i].vec[j].coeffs, buf.coeffs); - - while (ctr < KYBER_N) { - off = buflen % 3; - for (k = 0; k < off; k++) { - buf.coeffs[k] = buf.coeffs[buflen - off + k]; - } - PQCLEAN_KYBER102490S_AVX2_aes256ctr_squeezeblocks(buf.coeffs + off, 1, &state); - buflen = off + AES256CTR_BLOCKBYTES; - ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf.coeffs, buflen); - } 
- - PQCLEAN_KYBER102490S_AVX2_poly_nttunpack(&a[i].vec[j]); - } - } -} - -/************************************************* -* Name: PQCLEAN_KYBER102490S_AVX2_indcpa_keypair -* -* Description: Generates public and private key for the CPA-secure -* public-key encryption scheme underlying Kyber -* -* Arguments: - uint8_t *pk: pointer to output public key -* (of length KYBER_INDCPA_PUBLICKEYBYTES bytes) -* - uint8_t *sk: pointer to output private key - (of length KYBER_INDCPA_SECRETKEYBYTES bytes) -**************************************************/ -void PQCLEAN_KYBER102490S_AVX2_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], - uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) { - unsigned int i; - uint8_t buf[2 * KYBER_SYMBYTES]; - const uint8_t *publicseed = buf; - const uint8_t *noiseseed = buf + KYBER_SYMBYTES; - polyvec a[KYBER_K], e, pkpv, skpv; - - randombytes(buf, KYBER_SYMBYTES); - hash_g(buf, buf, KYBER_SYMBYTES); - - gen_a(a, publicseed); - -#define NOISE_NBLOCKS ((KYBER_ETA1*KYBER_N/4)/AES256CTR_BLOCKBYTES) /* Assumes divisibility */ - uint64_t nonce = 0; - ALIGNED_UINT8(NOISE_NBLOCKS * AES256CTR_BLOCKBYTES + 32) coins; // +32 bytes as required by PQCLEAN_KYBER102490S_AVX2_poly_cbd_eta1 - aes256ctr_ctx state; - PQCLEAN_KYBER102490S_AVX2_aes256ctr_init(&state, noiseseed, nonce++); - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER102490S_AVX2_aes256ctr_squeezeblocks(coins.coeffs, NOISE_NBLOCKS, &state); - state.n = _mm_loadl_epi64((__m128i *)&nonce); - nonce += 1; - PQCLEAN_KYBER102490S_AVX2_poly_cbd_eta1(&skpv.vec[i], coins.vec); - } - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER102490S_AVX2_aes256ctr_squeezeblocks(coins.coeffs, NOISE_NBLOCKS, &state); - state.n = _mm_loadl_epi64((__m128i *)&nonce); - nonce += 1; - PQCLEAN_KYBER102490S_AVX2_poly_cbd_eta1(&e.vec[i], coins.vec); - } - - PQCLEAN_KYBER102490S_AVX2_polyvec_ntt(&skpv); - PQCLEAN_KYBER102490S_AVX2_polyvec_reduce(&skpv); - PQCLEAN_KYBER102490S_AVX2_polyvec_ntt(&e); - - // matrix-vector 
multiplication - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER102490S_AVX2_polyvec_basemul_acc_montgomery(&pkpv.vec[i], &a[i], &skpv); - PQCLEAN_KYBER102490S_AVX2_poly_tomont(&pkpv.vec[i]); - } - - PQCLEAN_KYBER102490S_AVX2_polyvec_add(&pkpv, &pkpv, &e); - PQCLEAN_KYBER102490S_AVX2_polyvec_reduce(&pkpv); - - pack_sk(sk, &skpv); - pack_pk(pk, &pkpv, publicseed); -} - -/************************************************* -* Name: PQCLEAN_KYBER102490S_AVX2_indcpa_enc -* -* Description: Encryption function of the CPA-secure -* public-key encryption scheme underlying Kyber. -* -* Arguments: - uint8_t *c: pointer to output ciphertext -* (of length KYBER_INDCPA_BYTES bytes) -* - const uint8_t *m: pointer to input message -* (of length KYBER_INDCPA_MSGBYTES bytes) -* - const uint8_t *pk: pointer to input public key -* (of length KYBER_INDCPA_PUBLICKEYBYTES) -* - const uint8_t *coins: pointer to input random coins used as seed -* (of length KYBER_SYMBYTES) to deterministically -* generate all randomness -**************************************************/ -void PQCLEAN_KYBER102490S_AVX2_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], - const uint8_t m[KYBER_INDCPA_MSGBYTES], - const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], - const uint8_t coins[KYBER_SYMBYTES]) { - unsigned int i; - uint8_t seed[KYBER_SYMBYTES]; - polyvec sp, pkpv, ep, at[KYBER_K], b; - poly v, k, epp; - - unpack_pk(&pkpv, seed, pk); - PQCLEAN_KYBER102490S_AVX2_poly_frommsg(&k, m); - gen_at(at, seed); - -#define NOISE_NBLOCKS ((KYBER_ETA1*KYBER_N/4)/AES256CTR_BLOCKBYTES) /* Assumes divisibility */ -#define CIPHERTEXTNOISE_NBLOCKS ((KYBER_ETA2*KYBER_N/4)/AES256CTR_BLOCKBYTES) /* Assumes divisibility */ - uint64_t nonce = 0; - ALIGNED_UINT8(NOISE_NBLOCKS * AES256CTR_BLOCKBYTES + 32) buf; /* +32 bytes as required by PQCLEAN_KYBER102490S_AVX2_poly_cbd_eta1 */ - aes256ctr_ctx state; - PQCLEAN_KYBER102490S_AVX2_aes256ctr_init(&state, coins, nonce++); - for (i = 0; i < KYBER_K; i++) { - 
PQCLEAN_KYBER102490S_AVX2_aes256ctr_squeezeblocks(buf.coeffs, NOISE_NBLOCKS, &state); - state.n = _mm_loadl_epi64((__m128i *)&nonce); - nonce += 1; - PQCLEAN_KYBER102490S_AVX2_poly_cbd_eta1(&sp.vec[i], buf.vec); - } - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER102490S_AVX2_aes256ctr_squeezeblocks(buf.coeffs, CIPHERTEXTNOISE_NBLOCKS, &state); - state.n = _mm_loadl_epi64((__m128i *)&nonce); - nonce += 1; - PQCLEAN_KYBER102490S_AVX2_poly_cbd_eta2(&ep.vec[i], buf.vec); - } - PQCLEAN_KYBER102490S_AVX2_aes256ctr_squeezeblocks(buf.coeffs, CIPHERTEXTNOISE_NBLOCKS, &state); - state.n = _mm_loadl_epi64((__m128i *)&nonce); - nonce += 1; - PQCLEAN_KYBER102490S_AVX2_poly_cbd_eta2(&epp, buf.vec); - - PQCLEAN_KYBER102490S_AVX2_polyvec_ntt(&sp); - - // matrix-vector multiplication - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER102490S_AVX2_polyvec_basemul_acc_montgomery(&b.vec[i], &at[i], &sp); - } - PQCLEAN_KYBER102490S_AVX2_polyvec_basemul_acc_montgomery(&v, &pkpv, &sp); - - PQCLEAN_KYBER102490S_AVX2_polyvec_invntt_tomont(&b); - PQCLEAN_KYBER102490S_AVX2_poly_invntt_tomont(&v); - - PQCLEAN_KYBER102490S_AVX2_polyvec_add(&b, &b, &ep); - PQCLEAN_KYBER102490S_AVX2_poly_add(&v, &v, &epp); - PQCLEAN_KYBER102490S_AVX2_poly_add(&v, &v, &k); - PQCLEAN_KYBER102490S_AVX2_polyvec_reduce(&b); - PQCLEAN_KYBER102490S_AVX2_poly_reduce(&v); - - pack_ciphertext(c, &b, &v); -} - -/************************************************* -* Name: PQCLEAN_KYBER102490S_AVX2_indcpa_dec -* -* Description: Decryption function of the CPA-secure -* public-key encryption scheme underlying Kyber. 
-* -* Arguments: - uint8_t *m: pointer to output decrypted message -* (of length KYBER_INDCPA_MSGBYTES) -* - const uint8_t *c: pointer to input ciphertext -* (of length KYBER_INDCPA_BYTES) -* - const uint8_t *sk: pointer to input secret key -* (of length KYBER_INDCPA_SECRETKEYBYTES) -**************************************************/ -void PQCLEAN_KYBER102490S_AVX2_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], - const uint8_t c[KYBER_INDCPA_BYTES], - const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) { - polyvec b, skpv; - poly v, mp; - - unpack_ciphertext(&b, &v, c); - unpack_sk(&skpv, sk); - - PQCLEAN_KYBER102490S_AVX2_polyvec_ntt(&b); - PQCLEAN_KYBER102490S_AVX2_polyvec_basemul_acc_montgomery(&mp, &skpv, &b); - PQCLEAN_KYBER102490S_AVX2_poly_invntt_tomont(&mp); - - PQCLEAN_KYBER102490S_AVX2_poly_sub(&mp, &v, &mp); - PQCLEAN_KYBER102490S_AVX2_poly_reduce(&mp); - - PQCLEAN_KYBER102490S_AVX2_poly_tomsg(m, &mp); -} diff --git a/crypto_kem/kyber1024-90s/avx2/indcpa.h b/crypto_kem/kyber1024-90s/avx2/indcpa.h deleted file mode 100644 index dfdfd5ab..00000000 --- a/crypto_kem/kyber1024-90s/avx2/indcpa.h +++ /dev/null @@ -1,20 +0,0 @@ -#ifndef PQCLEAN_KYBER102490S_AVX2_INDCPA_H -#define PQCLEAN_KYBER102490S_AVX2_INDCPA_H -#include "params.h" -#include "polyvec.h" -#include - -void PQCLEAN_KYBER102490S_AVX2_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed); -void PQCLEAN_KYBER102490S_AVX2_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], - uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); - -void PQCLEAN_KYBER102490S_AVX2_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], - const uint8_t m[KYBER_INDCPA_MSGBYTES], - const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], - const uint8_t coins[KYBER_SYMBYTES]); - -void PQCLEAN_KYBER102490S_AVX2_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], - const uint8_t c[KYBER_INDCPA_BYTES], - const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); - -#endif 
diff --git a/crypto_kem/kyber1024-90s/avx2/invntt.S b/crypto_kem/kyber1024-90s/avx2/invntt.S
deleted file mode 100644
index ecd7ed63..00000000
--- a/crypto_kem/kyber1024-90s/avx2/invntt.S
+++ /dev/null
@@ -1,195 +0,0 @@
-#include "cdecl.h"
-.include "shuffle.inc"
-.include "fq.inc"
-
-.macro butterfly rl0,rl1,rl2,rl3,rh0,rh1,rh2,rh3,zl0=2,zl1=2,zh0=3,zh1=3
-vpsubw %ymm\rl0,%ymm\rh0,%ymm12
-vpaddw %ymm\rh0,%ymm\rl0,%ymm\rl0
-vpsubw %ymm\rl1,%ymm\rh1,%ymm13
-
-vpmullw %ymm\zl0,%ymm12,%ymm\rh0
-vpaddw %ymm\rh1,%ymm\rl1,%ymm\rl1
-vpsubw %ymm\rl2,%ymm\rh2,%ymm14
-
-vpmullw %ymm\zl0,%ymm13,%ymm\rh1
-vpaddw %ymm\rh2,%ymm\rl2,%ymm\rl2
-vpsubw %ymm\rl3,%ymm\rh3,%ymm15
-
-vpmullw %ymm\zl1,%ymm14,%ymm\rh2
-vpaddw %ymm\rh3,%ymm\rl3,%ymm\rl3
-vpmullw %ymm\zl1,%ymm15,%ymm\rh3
-
-vpmulhw %ymm\zh0,%ymm12,%ymm12
-vpmulhw %ymm\zh0,%ymm13,%ymm13
-
-vpmulhw %ymm\zh1,%ymm14,%ymm14
-vpmulhw %ymm\zh1,%ymm15,%ymm15
-
-vpmulhw %ymm0,%ymm\rh0,%ymm\rh0
-
-vpmulhw %ymm0,%ymm\rh1,%ymm\rh1
-
-vpmulhw %ymm0,%ymm\rh2,%ymm\rh2
-vpmulhw %ymm0,%ymm\rh3,%ymm\rh3
-
-#
-
-#
-
-vpsubw %ymm\rh0,%ymm12,%ymm\rh0
-
-vpsubw %ymm\rh1,%ymm13,%ymm\rh1
-
-vpsubw %ymm\rh2,%ymm14,%ymm\rh2
-vpsubw %ymm\rh3,%ymm15,%ymm\rh3
-.endm
-
-.macro intt_levels0t5 off
-/* level 0 */
-vmovdqa _16XFLO*2(%rsi),%ymm2
-vmovdqa _16XFHI*2(%rsi),%ymm3
-
-vmovdqa (128*\off+ 0)*2(%rdi),%ymm4
-vmovdqa (128*\off+ 32)*2(%rdi),%ymm6
-vmovdqa (128*\off+ 16)*2(%rdi),%ymm5
-vmovdqa (128*\off+ 48)*2(%rdi),%ymm7
-
-fqmulprecomp 2,3,4
-fqmulprecomp 2,3,6
-fqmulprecomp 2,3,5
-fqmulprecomp 2,3,7
-
-vmovdqa (128*\off+ 64)*2(%rdi),%ymm8
-vmovdqa (128*\off+ 96)*2(%rdi),%ymm10
-vmovdqa (128*\off+ 80)*2(%rdi),%ymm9
-vmovdqa (128*\off+112)*2(%rdi),%ymm11
-
-fqmulprecomp 2,3,8
-fqmulprecomp 2,3,10
-fqmulprecomp 2,3,9
-fqmulprecomp 2,3,11
-
-vpermq $0x4E,(_ZETAS_EXP+(1-\off)*224+208)*2(%rsi),%ymm15
-vpermq $0x4E,(_ZETAS_EXP+(1-\off)*224+176)*2(%rsi),%ymm1
-vpermq $0x4E,(_ZETAS_EXP+(1-\off)*224+224)*2(%rsi),%ymm2
-vpermq $0x4E,(_ZETAS_EXP+(1-\off)*224+192)*2(%rsi),%ymm3
-vmovdqa _REVIDXB*2(%rsi),%ymm12
-vpshufb %ymm12,%ymm15,%ymm15
-vpshufb %ymm12,%ymm1,%ymm1
-vpshufb %ymm12,%ymm2,%ymm2
-vpshufb %ymm12,%ymm3,%ymm3
-
-butterfly 4,5,8,9,6,7,10,11,15,1,2,3
-
-/* level 1 */
-vpermq $0x4E,(_ZETAS_EXP+(1-\off)*224+144)*2(%rsi),%ymm2
-vpermq $0x4E,(_ZETAS_EXP+(1-\off)*224+160)*2(%rsi),%ymm3
-vmovdqa _REVIDXB*2(%rsi),%ymm1
-vpshufb %ymm1,%ymm2,%ymm2
-vpshufb %ymm1,%ymm3,%ymm3
-
-butterfly 4,5,6,7,8,9,10,11,2,2,3,3
-
-shuffle1 4,5,3,5
-shuffle1 6,7,4,7
-shuffle1 8,9,6,9
-shuffle1 10,11,8,11
-
-/* level 2 */
-vmovdqa _REVIDXD*2(%rsi),%ymm12
-vpermd (_ZETAS_EXP+(1-\off)*224+112)*2(%rsi),%ymm12,%ymm2
-vpermd (_ZETAS_EXP+(1-\off)*224+128)*2(%rsi),%ymm12,%ymm10
-
-butterfly 3,4,6,8,5,7,9,11,2,2,10,10
-
-vmovdqa _16XV*2(%rsi),%ymm1
-red16 3
-
-shuffle2 3,4,10,4
-shuffle2 6,8,3,8
-shuffle2 5,7,6,7
-shuffle2 9,11,5,11
-
-/* level 3 */
-vpermq $0x1B,(_ZETAS_EXP+(1-\off)*224+80)*2(%rsi),%ymm2
-vpermq $0x1B,(_ZETAS_EXP+(1-\off)*224+96)*2(%rsi),%ymm9
-
-butterfly 10,3,6,5,4,8,7,11,2,2,9,9
-
-shuffle4 10,3,9,3
-shuffle4 6,5,10,5
-shuffle4 4,8,6,8
-shuffle4 7,11,4,11
-
-/* level 4 */
-vpermq $0x4E,(_ZETAS_EXP+(1-\off)*224+48)*2(%rsi),%ymm2
-vpermq $0x4E,(_ZETAS_EXP+(1-\off)*224+64)*2(%rsi),%ymm7
-
-butterfly 9,10,6,4,3,5,8,11,2,2,7,7
-
-red16 9
-
-shuffle8 9,10,7,10
-shuffle8 6,4,9,4
-shuffle8 3,5,6,5
-shuffle8 8,11,3,11
-
-/* level5 */
-vmovdqa (_ZETAS_EXP+(1-\off)*224+16)*2(%rsi),%ymm2
-vmovdqa (_ZETAS_EXP+(1-\off)*224+32)*2(%rsi),%ymm8
-
-butterfly 7,9,6,3,10,4,5,11,2,2,8,8
-
-vmovdqa %ymm7,(128*\off+ 0)*2(%rdi)
-vmovdqa %ymm9,(128*\off+ 16)*2(%rdi)
-vmovdqa %ymm6,(128*\off+ 32)*2(%rdi)
-vmovdqa %ymm3,(128*\off+ 48)*2(%rdi)
-vmovdqa %ymm10,(128*\off+ 64)*2(%rdi)
-vmovdqa %ymm4,(128*\off+ 80)*2(%rdi)
-vmovdqa %ymm5,(128*\off+ 96)*2(%rdi)
-vmovdqa %ymm11,(128*\off+112)*2(%rdi)
-.endm
-
-.macro intt_level6 off
-/* level 6 */
-vmovdqa (64*\off+ 0)*2(%rdi),%ymm4
-vmovdqa (64*\off+128)*2(%rdi),%ymm8
-vmovdqa (64*\off+ 16)*2(%rdi),%ymm5
-vmovdqa (64*\off+144)*2(%rdi),%ymm9
-vpbroadcastq (_ZETAS_EXP+0)*2(%rsi),%ymm2
-
-vmovdqa (64*\off+ 32)*2(%rdi),%ymm6
-vmovdqa (64*\off+160)*2(%rdi),%ymm10
-vmovdqa (64*\off+ 48)*2(%rdi),%ymm7
-vmovdqa
(64*\off+176)*2(%rdi),%ymm11
-vpbroadcastq (_ZETAS_EXP+4)*2(%rsi),%ymm3
-
-butterfly 4,5,6,7,8,9,10,11
-
-.if \off == 0
-red16 4
-.endif
-
-vmovdqa %ymm4,(64*\off+ 0)*2(%rdi)
-vmovdqa %ymm5,(64*\off+ 16)*2(%rdi)
-vmovdqa %ymm6,(64*\off+ 32)*2(%rdi)
-vmovdqa %ymm7,(64*\off+ 48)*2(%rdi)
-vmovdqa %ymm8,(64*\off+128)*2(%rdi)
-vmovdqa %ymm9,(64*\off+144)*2(%rdi)
-vmovdqa %ymm10,(64*\off+160)*2(%rdi)
-vmovdqa %ymm11,(64*\off+176)*2(%rdi)
-.endm
-
-.text
-.global cdecl(PQCLEAN_KYBER102490S_AVX2_invntt_avx)
-.global _cdecl(PQCLEAN_KYBER102490S_AVX2_invntt_avx)
-cdecl(PQCLEAN_KYBER102490S_AVX2_invntt_avx):
-_cdecl(PQCLEAN_KYBER102490S_AVX2_invntt_avx):
-vmovdqa _16XQ*2(%rsi),%ymm0
-
-intt_levels0t5 0
-intt_levels0t5 1
-
-intt_level6 0
-intt_level6 1
-ret
diff --git a/crypto_kem/kyber1024-90s/avx2/kem.c b/crypto_kem/kyber1024-90s/avx2/kem.c
deleted file mode 100644
index eaaf4878..00000000
--- a/crypto_kem/kyber1024-90s/avx2/kem.c
+++ /dev/null
@@ -1,126 +0,0 @@ -#include "indcpa.h" -#include "kem.h" -#include "params.h" -#include "randombytes.h" -#include "symmetric.h" -#include "verify.h" -#include -#include - -/************************************************* -* Name: PQCLEAN_KYBER102490S_AVX2_crypto_kem_keypair -* -* Description: Generates public and private key -* for CCA-secure Kyber key encapsulation mechanism -* -* Arguments: - unsigned char *pk: pointer to output public key -* (an already allocated array of KYBER_PUBLICKEYBYTES bytes) -* - unsigned char *sk: pointer to output private key -* (an already allocated array of KYBER_SECRETKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_KYBER102490S_AVX2_crypto_kem_keypair(unsigned char pk[KYBER_PUBLICKEYBYTES], - unsigned char sk[KYBER_SECRETKEYBYTES]) { - size_t i; - PQCLEAN_KYBER102490S_AVX2_indcpa_keypair(pk, sk); - for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) { - sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i]; - } - hash_h(sk + KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); - /* Value z for pseudo-random output on reject */ - randombytes(sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES); - return 0; -} - -/************************************************* -* Name: PQCLEAN_KYBER102490S_AVX2_crypto_kem_enc -* -* Description: Generates cipher text and shared -* secret for given public key -* -* Arguments: - unsigned char *ct: pointer to output cipher text -* (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) -* - unsigned char *ss: pointer to output shared secret -* (an already allocated array of KYBER_SSBYTES bytes) -* - const unsigned char *pk: pointer to input public key -* (an already allocated array of KYBER_PUBLICKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_KYBER102490S_AVX2_crypto_kem_enc(unsigned char ct[KYBER_CIPHERTEXTBYTES], - unsigned char ss[KYBER_SSBYTES], - const unsigned 
char pk[KYBER_PUBLICKEYBYTES]) { - uint8_t buf[2 * KYBER_SYMBYTES]; - /* Will contain key, coins */ - uint8_t kr[2 * KYBER_SYMBYTES]; - - randombytes(buf, KYBER_SYMBYTES); - /* Don't release system RNG output */ - hash_h(buf, buf, KYBER_SYMBYTES); - - /* Multitarget countermeasure for coins + contributory KEM */ - hash_h(buf + KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); - hash_g(kr, buf, 2 * KYBER_SYMBYTES); - - /* coins are in kr+KYBER_SYMBYTES */ - PQCLEAN_KYBER102490S_AVX2_indcpa_enc(ct, buf, pk, kr + KYBER_SYMBYTES); - - /* overwrite coins in kr with H(c) */ - hash_h(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); - /* hash concatenation of pre-k and H(c) to k */ - kdf(ss, kr, 2 * KYBER_SYMBYTES); - return 0; -} - -/************************************************* -* Name: PQCLEAN_KYBER102490S_AVX2_crypto_kem_dec -* -* Description: Generates shared secret for given -* cipher text and private key -* -* Arguments: - unsigned char *ss: pointer to output shared secret -* (an already allocated array of KYBER_SSBYTES bytes) -* - const unsigned char *ct: pointer to input cipher text -* (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) -* - const unsigned char *sk: pointer to input private key -* (an already allocated array of KYBER_SECRETKEYBYTES bytes) -* -* Returns 0. -* -* On failure, ss will contain a pseudo-random value. 
-**************************************************/ -int PQCLEAN_KYBER102490S_AVX2_crypto_kem_dec(unsigned char ss[KYBER_SSBYTES], - const unsigned char ct[KYBER_CIPHERTEXTBYTES], - const unsigned char sk[KYBER_SECRETKEYBYTES]) { - size_t i; - int fail; - uint8_t buf[2 * KYBER_SYMBYTES]; - /* Will contain key, coins */ - uint8_t kr[2 * KYBER_SYMBYTES]; - ALIGNED_UINT8(KYBER_CIPHERTEXTBYTES) cmp; - const uint8_t *pk = sk + KYBER_INDCPA_SECRETKEYBYTES; - - PQCLEAN_KYBER102490S_AVX2_indcpa_dec(buf, ct, sk); - - /* Multitarget countermeasure for coins + contributory KEM */ - for (i = 0; i < KYBER_SYMBYTES; i++) { - buf[KYBER_SYMBYTES + i] = sk[KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES + i]; - } - hash_g(kr, buf, 2 * KYBER_SYMBYTES); - - /* coins are in kr+KYBER_SYMBYTES */ - PQCLEAN_KYBER102490S_AVX2_indcpa_enc(cmp.coeffs, buf, pk, kr + KYBER_SYMBYTES); - - fail = PQCLEAN_KYBER102490S_AVX2_verify(ct, cmp.coeffs, KYBER_CIPHERTEXTBYTES); - - /* overwrite coins in kr with H(c) */ - hash_h(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); - - /* Overwrite pre-k with z on re-encryption failure */ - PQCLEAN_KYBER102490S_AVX2_cmov(kr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, fail); - - /* hash concatenation of pre-k and H(c) to k */ - kdf(ss, kr, 2 * KYBER_SYMBYTES); - return 0; -} diff --git a/crypto_kem/kyber1024-90s/avx2/kem.h b/crypto_kem/kyber1024-90s/avx2/kem.h deleted file mode 100644 index 89d200c5..00000000 --- a/crypto_kem/kyber1024-90s/avx2/kem.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef PQCLEAN_KYBER102490S_AVX2_KEM_H -#define PQCLEAN_KYBER102490S_AVX2_KEM_H -#include "params.h" - - -int PQCLEAN_KYBER102490S_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk); - -int PQCLEAN_KYBER102490S_AVX2_crypto_kem_enc(unsigned char *ct, - unsigned char *ss, - const unsigned char *pk); - -int PQCLEAN_KYBER102490S_AVX2_crypto_kem_dec(unsigned char *ss, - const unsigned char *ct, - const unsigned char *sk); - -#endif 
diff --git a/crypto_kem/kyber1024-90s/avx2/ntt.S b/crypto_kem/kyber1024-90s/avx2/ntt.S
deleted file mode 100644
index a7abc79d..00000000
--- a/crypto_kem/kyber1024-90s/avx2/ntt.S
+++ /dev/null
@@ -1,191 +0,0 @@
-#include "cdecl.h"
-.include "shuffle.inc"
-
-.macro mul rh0,rh1,rh2,rh3,zl0=15,zl1=15,zh0=2,zh1=2
-vpmullw %ymm\zl0,%ymm\rh0,%ymm12
-vpmullw %ymm\zl0,%ymm\rh1,%ymm13
-
-vpmullw %ymm\zl1,%ymm\rh2,%ymm14
-vpmullw %ymm\zl1,%ymm\rh3,%ymm15
-
-vpmulhw %ymm\zh0,%ymm\rh0,%ymm\rh0
-vpmulhw %ymm\zh0,%ymm\rh1,%ymm\rh1
-
-vpmulhw %ymm\zh1,%ymm\rh2,%ymm\rh2
-vpmulhw %ymm\zh1,%ymm\rh3,%ymm\rh3
-.endm
-
-.macro reduce
-vpmulhw %ymm0,%ymm12,%ymm12
-vpmulhw %ymm0,%ymm13,%ymm13
-
-vpmulhw %ymm0,%ymm14,%ymm14
-vpmulhw %ymm0,%ymm15,%ymm15
-.endm
-
-.macro update rln,rl0,rl1,rl2,rl3,rh0,rh1,rh2,rh3
-vpaddw %ymm\rh0,%ymm\rl0,%ymm\rln
-vpsubw %ymm\rh0,%ymm\rl0,%ymm\rh0
-vpaddw %ymm\rh1,%ymm\rl1,%ymm\rl0
-
-vpsubw %ymm\rh1,%ymm\rl1,%ymm\rh1
-vpaddw %ymm\rh2,%ymm\rl2,%ymm\rl1
-vpsubw %ymm\rh2,%ymm\rl2,%ymm\rh2
-
-vpaddw %ymm\rh3,%ymm\rl3,%ymm\rl2
-vpsubw %ymm\rh3,%ymm\rl3,%ymm\rh3
-
-vpsubw %ymm12,%ymm\rln,%ymm\rln
-vpaddw %ymm12,%ymm\rh0,%ymm\rh0
-vpsubw %ymm13,%ymm\rl0,%ymm\rl0
-
-vpaddw %ymm13,%ymm\rh1,%ymm\rh1
-vpsubw %ymm14,%ymm\rl1,%ymm\rl1
-vpaddw %ymm14,%ymm\rh2,%ymm\rh2
-
-vpsubw %ymm15,%ymm\rl2,%ymm\rl2
-vpaddw %ymm15,%ymm\rh3,%ymm\rh3
-.endm
-
-.macro level0 off
-vpbroadcastq (_ZETAS_EXP+0)*2(%rsi),%ymm15
-vmovdqa (64*\off+128)*2(%rdi),%ymm8
-vmovdqa (64*\off+144)*2(%rdi),%ymm9
-vmovdqa (64*\off+160)*2(%rdi),%ymm10
-vmovdqa (64*\off+176)*2(%rdi),%ymm11
-vpbroadcastq (_ZETAS_EXP+4)*2(%rsi),%ymm2
-
-mul 8,9,10,11
-
-vmovdqa (64*\off+ 0)*2(%rdi),%ymm4
-vmovdqa (64*\off+ 16)*2(%rdi),%ymm5
-vmovdqa (64*\off+ 32)*2(%rdi),%ymm6
-vmovdqa (64*\off+ 48)*2(%rdi),%ymm7
-
-reduce
-update 3,4,5,6,7,8,9,10,11
-
-vmovdqa %ymm3,(64*\off+ 0)*2(%rdi)
-vmovdqa %ymm4,(64*\off+ 16)*2(%rdi)
-vmovdqa %ymm5,(64*\off+ 32)*2(%rdi)
-vmovdqa %ymm6,(64*\off+ 48)*2(%rdi)
-vmovdqa %ymm8,(64*\off+128)*2(%rdi)
-vmovdqa %ymm9,(64*\off+144)*2(%rdi)
-vmovdqa %ymm10,(64*\off+160)*2(%rdi)
-vmovdqa %ymm11,(64*\off+176)*2(%rdi)
-.endm
-
-.macro levels1t6 off
-/* level 1 */
-vmovdqa
(_ZETAS_EXP+224*\off+16)*2(%rsi),%ymm15
-vmovdqa (128*\off+ 64)*2(%rdi),%ymm8
-vmovdqa (128*\off+ 80)*2(%rdi),%ymm9
-vmovdqa (128*\off+ 96)*2(%rdi),%ymm10
-vmovdqa (128*\off+112)*2(%rdi),%ymm11
-vmovdqa (_ZETAS_EXP+224*\off+32)*2(%rsi),%ymm2
-
-mul 8,9,10,11
-
-vmovdqa (128*\off+ 0)*2(%rdi),%ymm4
-vmovdqa (128*\off+ 16)*2(%rdi),%ymm5
-vmovdqa (128*\off+ 32)*2(%rdi),%ymm6
-vmovdqa (128*\off+ 48)*2(%rdi),%ymm7
-
-reduce
-update 3,4,5,6,7,8,9,10,11
-
-/* level 2 */
-shuffle8 5,10,7,10
-shuffle8 6,11,5,11
-
-vmovdqa (_ZETAS_EXP+224*\off+48)*2(%rsi),%ymm15
-vmovdqa (_ZETAS_EXP+224*\off+64)*2(%rsi),%ymm2
-
-mul 7,10,5,11
-
-shuffle8 3,8,6,8
-shuffle8 4,9,3,9
-
-reduce
-update 4,6,8,3,9,7,10,5,11
-
-/* level 3 */
-shuffle4 8,5,9,5
-shuffle4 3,11,8,11
-
-vmovdqa (_ZETAS_EXP+224*\off+80)*2(%rsi),%ymm15
-vmovdqa (_ZETAS_EXP+224*\off+96)*2(%rsi),%ymm2
-
-mul 9,5,8,11
-
-shuffle4 4,7,3,7
-shuffle4 6,10,4,10
-
-reduce
-update 6,3,7,4,10,9,5,8,11
-
-/* level 4 */
-shuffle2 7,8,10,8
-shuffle2 4,11,7,11
-
-vmovdqa (_ZETAS_EXP+224*\off+112)*2(%rsi),%ymm15
-vmovdqa (_ZETAS_EXP+224*\off+128)*2(%rsi),%ymm2
-
-mul 10,8,7,11
-
-shuffle2 6,9,4,9
-shuffle2 3,5,6,5
-
-reduce
-update 3,4,9,6,5,10,8,7,11
-
-/* level 5 */
-shuffle1 9,7,5,7
-shuffle1 6,11,9,11
-
-vmovdqa (_ZETAS_EXP+224*\off+144)*2(%rsi),%ymm15
-vmovdqa (_ZETAS_EXP+224*\off+160)*2(%rsi),%ymm2
-
-mul 5,7,9,11
-
-shuffle1 3,10,6,10
-shuffle1 4,8,3,8
-
-reduce
-update 4,6,10,3,8,5,7,9,11
-
-/* level 6 */
-vmovdqa (_ZETAS_EXP+224*\off+176)*2(%rsi),%ymm14
-vmovdqa (_ZETAS_EXP+224*\off+208)*2(%rsi),%ymm15
-vmovdqa (_ZETAS_EXP+224*\off+192)*2(%rsi),%ymm8
-vmovdqa (_ZETAS_EXP+224*\off+224)*2(%rsi),%ymm2
-
-mul 10,3,9,11,14,15,8,2
-
-reduce
-update 8,4,6,5,7,10,3,9,11
-
-vmovdqa %ymm8,(128*\off+ 0)*2(%rdi)
-vmovdqa %ymm4,(128*\off+ 16)*2(%rdi)
-vmovdqa %ymm10,(128*\off+ 32)*2(%rdi)
-vmovdqa %ymm3,(128*\off+ 48)*2(%rdi)
-vmovdqa %ymm6,(128*\off+ 64)*2(%rdi)
-vmovdqa %ymm5,(128*\off+ 80)*2(%rdi)
-vmovdqa %ymm9,(128*\off+ 96)*2(%rdi)
-vmovdqa %ymm11,(128*\off+112)*2(%rdi)
-.endm
-
-.text
-.global cdecl(PQCLEAN_KYBER102490S_AVX2_ntt_avx)
-.global _cdecl(PQCLEAN_KYBER102490S_AVX2_ntt_avx)
-cdecl(PQCLEAN_KYBER102490S_AVX2_ntt_avx):
-_cdecl(PQCLEAN_KYBER102490S_AVX2_ntt_avx):
-vmovdqa _16XQ*2(%rsi),%ymm0
-
-level0 0
-level0 1
-
-levels1t6 0
-levels1t6 1
-
-ret
diff --git a/crypto_kem/kyber1024-90s/avx2/ntt.h b/crypto_kem/kyber1024-90s/avx2/ntt.h
deleted file mode 100644
index e27fb481..00000000
--- a/crypto_kem/kyber1024-90s/avx2/ntt.h
+++ /dev/null
@@ -1,21 +0,0 @@
-#ifndef PQCLEAN_KYBER102490S_AVX2_NTT_H
-#define PQCLEAN_KYBER102490S_AVX2_NTT_H
-
-#include
-#include
-
-void PQCLEAN_KYBER102490S_AVX2_ntt_avx(__m256i *r, const __m256i *PQCLEAN_KYBER102490S_AVX2_qdata);
-void PQCLEAN_KYBER102490S_AVX2_invntt_avx(__m256i *r, const __m256i *PQCLEAN_KYBER102490S_AVX2_qdata);
-
-void PQCLEAN_KYBER102490S_AVX2_nttpack_avx(__m256i *r, const __m256i *PQCLEAN_KYBER102490S_AVX2_qdata);
-void PQCLEAN_KYBER102490S_AVX2_nttunpack_avx(__m256i *r, const __m256i *PQCLEAN_KYBER102490S_AVX2_qdata);
-
-void PQCLEAN_KYBER102490S_AVX2_basemul_avx(__m256i *r,
- const __m256i *a,
- const __m256i *b,
- const __m256i *PQCLEAN_KYBER102490S_AVX2_qdata);
-
-void PQCLEAN_KYBER102490S_AVX2_ntttobytes_avx(uint8_t *r, const __m256i *a, const __m256i *PQCLEAN_KYBER102490S_AVX2_qdata);
-void PQCLEAN_KYBER102490S_AVX2_nttfrombytes_avx(__m256i *r, const uint8_t *a, const __m256i *PQCLEAN_KYBER102490S_AVX2_qdata);
-
-#endif
diff --git a/crypto_kem/kyber1024-90s/avx2/params.h b/crypto_kem/kyber1024-90s/avx2/params.h
deleted file mode 100644
index 8de2c883..00000000
--- a/crypto_kem/kyber1024-90s/avx2/params.h
+++ /dev/null
@@ -1,36 +0,0 @@
-#ifndef PQCLEAN_KYBER102490S_AVX2_PARAMS_H
-#define PQCLEAN_KYBER102490S_AVX2_PARAMS_H
-
-
-
-
-#define KYBER_N 256
-#define KYBER_Q 3329
-
-#define KYBER_SYMBYTES 32 /* size in bytes of hashes, and seeds */
-#define KYBER_SSBYTES 32 /* size in bytes of shared key */
-
-#define KYBER_POLYBYTES 384
-#define KYBER_POLYVECBYTES (KYBER_K * KYBER_POLYBYTES)
-
-#define KYBER_K 4
-#define KYBER_ETA1 2
-#define KYBER_POLYCOMPRESSEDBYTES 160
-#define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 352)
-
-#define KYBER_ETA2 2
-
-#define KYBER_INDCPA_MSGBYTES KYBER_SYMBYTES
-#define KYBER_INDCPA_PUBLICKEYBYTES (KYBER_POLYVECBYTES + KYBER_SYMBYTES)
-#define KYBER_INDCPA_SECRETKEYBYTES (KYBER_POLYVECBYTES)
-#define KYBER_INDCPA_BYTES (KYBER_POLYVECCOMPRESSEDBYTES \
- + KYBER_POLYCOMPRESSEDBYTES)
-
-#define KYBER_PUBLICKEYBYTES (KYBER_INDCPA_PUBLICKEYBYTES)
-/* 32 bytes of additional space to save H(pk) */
-#define KYBER_SECRETKEYBYTES (KYBER_INDCPA_SECRETKEYBYTES \
- + KYBER_INDCPA_PUBLICKEYBYTES \
- + 2*KYBER_SYMBYTES)
-#define KYBER_CIPHERTEXTBYTES KYBER_INDCPA_BYTES
-
-#endif
diff --git a/crypto_kem/kyber1024-90s/avx2/poly.c b/crypto_kem/kyber1024-90s/avx2/poly.c
deleted file mode 100644
index af76d233..00000000
--- a/crypto_kem/kyber1024-90s/avx2/poly.c
+++ /dev/null
@@ -1,367 +0,0 @@
-#include "align.h"
-#include "cbd.h"
-#include "consts.h"
-#include "ntt.h"
-#include "params.h"
-#include "poly.h"
-#include "reduce.h"
-#include "symmetric.h"
-#include
-#include
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_AVX2_poly_compress
-*
-* Description: Compression and subsequent serialization of a polynomial.
-* The coefficients of the input polynomial are assumed to
-* lie in the invertal [0,q], i.e. the polynomial must be reduced
-* by PQCLEAN_KYBER102490S_AVX2_poly_reduce().
-*
-* Arguments: - uint8_t *r: pointer to output byte array
-* (of length KYBER_POLYCOMPRESSEDBYTES)
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void PQCLEAN_KYBER102490S_AVX2_poly_compress(uint8_t r[160], const poly *restrict a) {
- size_t i;
- uint32_t low;
- __m256i f0, f1;
- __m128i t0, t1;
- const __m256i v = _mm256_load_si256(&PQCLEAN_KYBER102490S_AVX2_qdata.vec[_16XV / 16]);
- const __m256i shift1 = _mm256_set1_epi16(1 << 10);
- const __m256i mask = _mm256_set1_epi16(31);
- const __m256i shift2 = _mm256_set1_epi16((32 << 8) + 1);
- const __m256i shift3 = _mm256_set1_epi32((1024 << 16) + 1);
- const __m256i sllvdidx = _mm256_set1_epi64x(12);
- const __m256i shufbidx = _mm256_set_epi8( 8, -1, -1, -1, -1, -1, 4, 3, 2, 1, 0, -1, 12, 11, 10, 9,
- -1, 12, 11, 10, 9, 8, -1, -1, -1, -1, -1, 4, 3, 2, 1, 0);
-
- for (i = 0; i < KYBER_N / 32; i++) {
- f0 = _mm256_load_si256(&a->vec[2 * i + 0]);
- f1 = _mm256_load_si256(&a->vec[2 * i + 1]);
- f0 = _mm256_mulhi_epi16(f0, v);
- f1 = _mm256_mulhi_epi16(f1, v);
- f0 = _mm256_mulhrs_epi16(f0, shift1);
- f1 = _mm256_mulhrs_epi16(f1, shift1);
- f0 = _mm256_and_si256(f0, mask);
- f1 = _mm256_and_si256(f1, mask);
- f0 = _mm256_packus_epi16(f0, f1);
- f0 = _mm256_maddubs_epi16(f0, shift2); // a0 a1 a2 a3 b0 b1 b2 b3 a4 a5 a6 a7 b4 b5 b6 b7
- f0 = _mm256_madd_epi16(f0, shift3); // a0 a1 b0 b1 a2 a3 b2 b3
- f0 = _mm256_sllv_epi32(f0,
sllvdidx);
- f0 = _mm256_srlv_epi64(f0, sllvdidx);
- f0 = _mm256_shuffle_epi8(f0, shufbidx);
- t0 = _mm256_castsi256_si128(f0);
- t1 = _mm256_extracti128_si256(f0, 1);
- t0 = _mm_blendv_epi8(t0, t1, _mm256_castsi256_si128(shufbidx));
- _mm_storeu_si128((__m128i *)&r[20 * i + 0], t0);
- _mm_store_ss((float *)&low, _mm_castsi128_ps(t1));
- r[20 * i + 16] = (uint8_t)low;
- r[20 * i + 17] = (uint8_t)(low >> 0x08);
- r[20 * i + 18] = (uint8_t)(low >> 0x10);
- r[20 * i + 19] = (uint8_t)(low >> 0x18);
- }
-}
-
-void PQCLEAN_KYBER102490S_AVX2_poly_decompress(poly *restrict r, const uint8_t a[160]) {
- unsigned int i;
- int16_t h;
- __m128i t;
- __m256i f;
- const __m256i q = _mm256_load_si256(&PQCLEAN_KYBER102490S_AVX2_qdata.vec[_16XQ / 16]);
- const __m256i shufbidx = _mm256_set_epi8(9, 9, 9, 8, 8, 8, 8, 7, 7, 6, 6, 6, 6, 5, 5, 5,
- 4, 4, 4, 3, 3, 3, 3, 2, 2, 1, 1, 1, 1, 0, 0, 0);
- const __m256i mask = _mm256_set_epi16(248, 1984, 62, 496, 3968, 124, 992, 31,
- 248, 1984, 62, 496, 3968, 124, 992, 31);
- const __m256i shift = _mm256_set_epi16(128, 16, 512, 64, 8, 256, 32, 1024,
- 128, 16, 512, 64, 8, 256, 32, 1024);
-
- for (i = 0; i < KYBER_N / 16; i++) {
- t = _mm_loadl_epi64((__m128i *)&a[10 * i + 0]);
- h = (a[10 * i + 9] << 8) + a[10 * i + 8];
- t = _mm_insert_epi16(t, h, 4);
- f = _mm256_broadcastsi128_si256(t);
- f = _mm256_shuffle_epi8(f, shufbidx);
- f = _mm256_and_si256(f, mask);
- f = _mm256_mullo_epi16(f, shift);
- f = _mm256_mulhrs_epi16(f, q);
- _mm256_store_si256(&r->vec[i], f);
- }
-}
-
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_AVX2_poly_tobytes
-*
-* Description: Serialization of a polynomial in NTT representation.
-* The coefficients of the input polynomial are assumed to
-* lie in the invertal [0,q], i.e. the polynomial must be reduced
-* by PQCLEAN_KYBER102490S_AVX2_poly_reduce().
The coefficients are orderd as output by
-* PQCLEAN_KYBER102490S_AVX2_poly_ntt(); the serialized output coefficients are in bitreversed
-* order.
-*
-* Arguments: - uint8_t *r: pointer to output byte array
-* (needs space for KYBER_POLYBYTES bytes)
-* - poly *a: pointer to input polynomial
-**************************************************/
-void PQCLEAN_KYBER102490S_AVX2_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a) {
- PQCLEAN_KYBER102490S_AVX2_ntttobytes_avx(r, a->vec, PQCLEAN_KYBER102490S_AVX2_qdata.vec);
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_AVX2_poly_frombytes
-*
-* Description: De-serialization of a polynomial;
-* inverse of PQCLEAN_KYBER102490S_AVX2_poly_tobytes
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: pointer to input byte array
-* (of KYBER_POLYBYTES bytes)
-**************************************************/
-void PQCLEAN_KYBER102490S_AVX2_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]) {
- PQCLEAN_KYBER102490S_AVX2_nttfrombytes_avx(r->vec, a, PQCLEAN_KYBER102490S_AVX2_qdata.vec);
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_AVX2_poly_frommsg
-*
-* Description: Convert 32-byte message to polynomial
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *msg: pointer to input message
-**************************************************/
-void PQCLEAN_KYBER102490S_AVX2_poly_frommsg(poly *restrict r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]) {
- __m256i f, g0, g1, g2, g3, h0, h1, h2, h3;
- const __m256i shift = _mm256_broadcastsi128_si256(_mm_set_epi32(0, 1, 2, 3));
- const __m256i idx = _mm256_broadcastsi128_si256(_mm_set_epi8(15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0));
- const __m256i hqs = _mm256_set1_epi16((KYBER_Q + 1) / 2);
-
-#define FROMMSG64(i) \
- g3 = _mm256_shuffle_epi32(f,0x55*(i)); \
- g3 = _mm256_sllv_epi32(g3,shift); \
- g3 = _mm256_shuffle_epi8(g3,idx); \
- g0 =
_mm256_slli_epi16(g3,12); \
- g1 = _mm256_slli_epi16(g3,8); \
- g2 = _mm256_slli_epi16(g3,4); \
- g0 = _mm256_srai_epi16(g0,15); \
- g1 = _mm256_srai_epi16(g1,15); \
- g2 = _mm256_srai_epi16(g2,15); \
- g3 = _mm256_srai_epi16(g3,15); \
- g0 = _mm256_and_si256(g0,hqs); /* 19 18 17 16 3 2 1 0 */ \
- g1 = _mm256_and_si256(g1,hqs); /* 23 22 21 20 7 6 5 4 */ \
- g2 = _mm256_and_si256(g2,hqs); /* 27 26 25 24 11 10 9 8 */ \
- g3 = _mm256_and_si256(g3,hqs); /* 31 30 29 28 15 14 13 12 */ \
- h0 = _mm256_unpacklo_epi64(g0,g1); \
- h2 = _mm256_unpackhi_epi64(g0,g1); \
- h1 = _mm256_unpacklo_epi64(g2,g3); \
- h3 = _mm256_unpackhi_epi64(g2,g3); \
- g0 = _mm256_permute2x128_si256(h0,h1,0x20); \
- g2 = _mm256_permute2x128_si256(h0,h1,0x31); \
- g1 = _mm256_permute2x128_si256(h2,h3,0x20); \
- g3 = _mm256_permute2x128_si256(h2,h3,0x31); \
- _mm256_store_si256(&r->vec[0+2*(i)+0],g0); \
- _mm256_store_si256(&r->vec[0+2*(i)+1],g1); \
- _mm256_store_si256(&r->vec[8+2*(i)+0],g2); \
- _mm256_store_si256(&r->vec[8+2*(i)+1],g3)
-
- f = _mm256_loadu_si256((__m256i *)msg);
- FROMMSG64(0);
- FROMMSG64(1);
- FROMMSG64(2);
- FROMMSG64(3);
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_AVX2_poly_tomsg
-*
-* Description: Convert polynomial to 32-byte message.
-* The coefficients of the input polynomial are assumed to
-* lie in the invertal [0,q], i.e. the polynomial must be reduced
-* by PQCLEAN_KYBER102490S_AVX2_poly_reduce().
-*
-* Arguments: - uint8_t *msg: pointer to output message
-* - poly *a: pointer to input polynomial
-**************************************************/
-void PQCLEAN_KYBER102490S_AVX2_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *restrict a) {
- unsigned int i;
- uint32_t small;
- __m256i f0, f1, g0, g1;
- const __m256i hq = _mm256_set1_epi16((KYBER_Q - 1) / 2);
- const __m256i hhq = _mm256_set1_epi16((KYBER_Q - 1) / 4);
-
- for (i = 0; i < KYBER_N / 32; i++) {
- f0 = _mm256_load_si256(&a->vec[2 * i + 0]);
- f1 = _mm256_load_si256(&a->vec[2 * i + 1]);
- f0 = _mm256_sub_epi16(hq, f0);
- f1 = _mm256_sub_epi16(hq, f1);
- g0 = _mm256_srai_epi16(f0, 15);
- g1 = _mm256_srai_epi16(f1, 15);
- f0 = _mm256_xor_si256(f0, g0);
- f1 = _mm256_xor_si256(f1, g1);
- f0 = _mm256_sub_epi16(f0, hhq);
- f1 = _mm256_sub_epi16(f1, hhq);
- f0 = _mm256_packs_epi16(f0, f1);
- small = _mm256_movemask_epi8(f0);
- msg[4 * i + 0] = small;
- msg[4 * i + 1] = small >> 16;
- msg[4 * i + 2] = small >> 8;
- msg[4 * i + 3] = small >> 24;
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_AVX2_poly_getnoise_eta1
-*
-* Description: Sample a polynomial deterministically from a seed and a nonce,
-* with output polynomial close to centered binomial distribution
-* with parameter KYBER_ETA1
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *seed: pointer to input seed
-* (of length KYBER_SYMBYTES bytes)
-* - uint8_t nonce: one-byte input nonce
-**************************************************/
-void PQCLEAN_KYBER102490S_AVX2_poly_getnoise_eta1(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce) {
- ALIGNED_UINT8(KYBER_ETA1 * KYBER_N / 4 + 32) buf; // +32 bytes as required by PQCLEAN_KYBER102490S_AVX2_poly_cbd_eta1
- prf(buf.coeffs, KYBER_ETA1 * KYBER_N / 4, seed, nonce);
- PQCLEAN_KYBER102490S_AVX2_poly_cbd_eta1(r, buf.vec);
-}
-
-/*************************************************
-* Name:
PQCLEAN_KYBER102490S_AVX2_poly_getnoise_eta2
-*
-* Description: Sample a polynomial deterministically from a seed and a nonce,
-* with output polynomial close to centered binomial distribution
-* with parameter KYBER_ETA2
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *seed: pointer to input seed
-* (of length KYBER_SYMBYTES bytes)
-* - uint8_t nonce: one-byte input nonce
-**************************************************/
-void PQCLEAN_KYBER102490S_AVX2_poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce) {
- ALIGNED_UINT8(KYBER_ETA2 * KYBER_N / 4) buf;
- prf(buf.coeffs, KYBER_ETA2 * KYBER_N / 4, seed, nonce);
- PQCLEAN_KYBER102490S_AVX2_poly_cbd_eta2(r, buf.vec);
-}
-
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_AVX2_poly_ntt
-*
-* Description: Computes negacyclic number-theoretic transform (NTT) of
-* a polynomial in place.
-* Input coefficients assumed to be in normal order,
-* output coefficients are in special order that is natural
-* for the vectorization. Input coefficients are assumed to be
-* bounded by q in absolute value, output coefficients are bounded
-* by 16118 in absolute value.
-*
-* Arguments: - poly *r: pointer to in/output polynomial
-**************************************************/
-void PQCLEAN_KYBER102490S_AVX2_poly_ntt(poly *r) {
- PQCLEAN_KYBER102490S_AVX2_ntt_avx(r->vec, PQCLEAN_KYBER102490S_AVX2_qdata.vec);
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_AVX2_poly_invntt_tomont
-*
-* Description: Computes inverse of negacyclic number-theoretic transform (NTT)
-* of a polynomial in place;
-* Input coefficients assumed to be in special order from vectorized
-* forward ntt, output in normal order. Input coefficients can be
-* arbitrary 16-bit integers, output coefficients are bounded by 14870
-* in absolute value.
-*
-* Arguments: - poly *a: pointer to in/output polynomial
-**************************************************/
-void PQCLEAN_KYBER102490S_AVX2_poly_invntt_tomont(poly *r) {
- PQCLEAN_KYBER102490S_AVX2_invntt_avx(r->vec, PQCLEAN_KYBER102490S_AVX2_qdata.vec);
-}
-
-void PQCLEAN_KYBER102490S_AVX2_poly_nttunpack(poly *r) {
- PQCLEAN_KYBER102490S_AVX2_nttunpack_avx(r->vec, PQCLEAN_KYBER102490S_AVX2_qdata.vec);
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_AVX2_poly_basemul_montgomery
-*
-* Description: Multiplication of two polynomials in NTT domain.
-* One of the input polynomials needs to have coefficients
-* bounded by q, the other polynomial can have arbitrary
-* coefficients. Output coefficients are bounded by 6656.
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial
-**************************************************/
-void PQCLEAN_KYBER102490S_AVX2_poly_basemul_montgomery(poly *r, const poly *a, const poly *b) {
- PQCLEAN_KYBER102490S_AVX2_basemul_avx(r->vec, a->vec, b->vec, PQCLEAN_KYBER102490S_AVX2_qdata.vec);
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_AVX2_poly_tomont
-*
-* Description: Inplace conversion of all coefficients of a polynomial
-* from normal domain to Montgomery domain
-*
-* Arguments: - poly *r: pointer to input/output polynomial
-**************************************************/
-void PQCLEAN_KYBER102490S_AVX2_poly_tomont(poly *r) {
- PQCLEAN_KYBER102490S_AVX2_tomont_avx(r->vec, PQCLEAN_KYBER102490S_AVX2_qdata.vec);
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_AVX2_poly_reduce
-*
-* Description: Applies Barrett reduction to all coefficients of a polynomial
-* for details of the Barrett reduction see comments in reduce.c
-*
-* Arguments: - poly *r: pointer to input/output polynomial
-**************************************************/
-void PQCLEAN_KYBER102490S_AVX2_poly_reduce(poly *r) {
- PQCLEAN_KYBER102490S_AVX2_reduce_avx(r->vec, PQCLEAN_KYBER102490S_AVX2_qdata.vec);
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_AVX2_poly_add
-*
-* Description: Add two polynomials. No modular reduction
-* is performed.
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial
-**************************************************/
-void PQCLEAN_KYBER102490S_AVX2_poly_add(poly *r, const poly *a, const poly *b) {
- unsigned int i;
- __m256i f0, f1;
-
- for (i = 0; i < KYBER_N / 16; i++) {
- f0 = _mm256_load_si256(&a->vec[i]);
- f1 = _mm256_load_si256(&b->vec[i]);
- f0 = _mm256_add_epi16(f0, f1);
- _mm256_store_si256(&r->vec[i], f0);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_AVX2_poly_sub
-*
-* Description: Subtract two polynomials. No modular reduction
-* is performed.
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial
-**************************************************/
-void PQCLEAN_KYBER102490S_AVX2_poly_sub(poly *r, const poly *a, const poly *b) {
- unsigned int i;
- __m256i f0, f1;
-
- for (i = 0; i < KYBER_N / 16; i++) {
- f0 = _mm256_load_si256(&a->vec[i]);
- f1 = _mm256_load_si256(&b->vec[i]);
- f0 = _mm256_sub_epi16(f0, f1);
- _mm256_store_si256(&r->vec[i], f0);
- }
-}
diff --git a/crypto_kem/kyber1024-90s/avx2/poly.h b/crypto_kem/kyber1024-90s/avx2/poly.h
deleted file mode 100644
index ed37fc21..00000000
--- a/crypto_kem/kyber1024-90s/avx2/poly.h
+++ /dev/null
@@ -1,36 +0,0 @@
-#ifndef PQCLEAN_KYBER102490S_AVX2_POLY_H
-#define PQCLEAN_KYBER102490S_AVX2_POLY_H
-#include "align.h"
-#include "params.h"
-#include
-#include
-
-typedef ALIGNED_INT16(KYBER_N) poly;
-
-void PQCLEAN_KYBER102490S_AVX2_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const poly *a);
-void PQCLEAN_KYBER102490S_AVX2_poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]);
-
-void PQCLEAN_KYBER102490S_AVX2_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a);
-void PQCLEAN_KYBER102490S_AVX2_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]);
-
-void PQCLEAN_KYBER102490S_AVX2_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]);
-void PQCLEAN_KYBER102490S_AVX2_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *a);
-
-void PQCLEAN_KYBER102490S_AVX2_poly_getnoise_eta1(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce);
-
-void PQCLEAN_KYBER102490S_AVX2_poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce);
-
-
-
-void PQCLEAN_KYBER102490S_AVX2_poly_ntt(poly *r);
-void PQCLEAN_KYBER102490S_AVX2_poly_invntt_tomont(poly *r);
-void PQCLEAN_KYBER102490S_AVX2_poly_nttunpack(poly *r);
-void PQCLEAN_KYBER102490S_AVX2_poly_basemul_montgomery(poly *r, const poly *a, const poly *b);
-void PQCLEAN_KYBER102490S_AVX2_poly_tomont(poly *r);
-
-void PQCLEAN_KYBER102490S_AVX2_poly_reduce(poly *r);
-
-void PQCLEAN_KYBER102490S_AVX2_poly_add(poly *r, const poly *a, const poly *b);
-void PQCLEAN_KYBER102490S_AVX2_poly_sub(poly *r, const poly *a, const poly *b);
-
-#endif
diff --git a/crypto_kem/kyber1024-90s/avx2/polyvec.c b/crypto_kem/kyber1024-90s/avx2/polyvec.c
deleted file mode 100644
index 1a1e2788..00000000
--- a/crypto_kem/kyber1024-90s/avx2/polyvec.c
+++ /dev/null
@@ -1,227 +0,0 @@
-#include "consts.h"
-#include "ntt.h"
-#include "params.h"
-#include "poly.h"
-#include "polyvec.h"
-#include
-#include
-
-static void poly_compress11(uint8_t r[352 + 2], const poly *restrict a) {
- unsigned int i;
- __m256i f0, f1, f2;
- __m128i t0, t1;
- const __m256i v = _mm256_load_si256(&PQCLEAN_KYBER102490S_AVX2_qdata.vec[_16XV / 16]);
- const __m256i v8 = _mm256_slli_epi16(v, 3);
- const __m256i off = _mm256_set1_epi16(36);
- const __m256i shift1 = _mm256_set1_epi16(1 << 13);
- const __m256i mask = _mm256_set1_epi16(2047);
- const __m256i shift2 = _mm256_set1_epi64x((2048LL << 48) + (1LL << 32) + (2048 << 16) + 1);
- const __m256i sllvdidx = _mm256_set1_epi64x(10);
- const __m256i srlvqidx = _mm256_set_epi64x(30, 10, 30, 10);
- const __m256i shufbidx = _mm256_set_epi8( 4, 3, 2, 1, 0, 0, -1, -1, -1, -1, 10, 9, 8, 7, 6, 5,
- -1, -1, -1, -1, -1, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0);
-
- for (i = 0; i < KYBER_N / 16; i++) {
- f0 = _mm256_load_si256(&a->vec[i]);
- f1 = _mm256_mullo_epi16(f0, v8);
- f2 = _mm256_add_epi16(f0, off);
- f0 = _mm256_slli_epi16(f0, 3);
- f0 = _mm256_mulhi_epi16(f0, v);
- f2 = _mm256_sub_epi16(f1, f2);
- f1 = _mm256_andnot_si256(f1, f2);
- f1 = _mm256_srli_epi16(f1, 15);
- f0 = _mm256_sub_epi16(f0, f1);
- f0 = _mm256_mulhrs_epi16(f0, shift1);
- f0 = _mm256_and_si256(f0, mask);
- f0 = _mm256_madd_epi16(f0, shift2);
- f0 = _mm256_sllv_epi32(f0, sllvdidx);
- f1 = _mm256_bsrli_epi128(f0, 8);
- f0 = _mm256_srlv_epi64(f0, srlvqidx);
- f1 = _mm256_slli_epi64(f1, 34);
- f0 = _mm256_add_epi64(f0, f1);
- f0 = _mm256_shuffle_epi8(f0, shufbidx);
- t0 = _mm256_castsi256_si128(f0);
- t1 = _mm256_extracti128_si256(f0, 1);
- t0 = _mm_blendv_epi8(t0, t1, _mm256_castsi256_si128(shufbidx));
- _mm_storeu_si128((__m128i *)&r[22 * i + 0], t0);
- _mm_storel_epi64((__m128i *)&r[22 * i + 16], t1);
- }
-}
-
-static void poly_decompress11(poly *restrict r, const uint8_t a[352 + 10]) {
- unsigned int i;
- __m256i f;
- const __m256i q =
_mm256_load_si256(&PQCLEAN_KYBER102490S_AVX2_qdata.vec[_16XQ / 16]);
- const __m256i shufbidx = _mm256_set_epi8(13, 12, 12, 11, 10, 9, 9, 8,
- 8, 7, 6, 5, 5, 4, 4, 3,
- 10, 9, 9, 8, 7, 6, 6, 5,
- 5, 4, 3, 2, 2, 1, 1, 0);
- const __m256i srlvdidx = _mm256_set_epi32(0, 0, 1, 0, 0, 0, 1, 0);
- const __m256i srlvqidx = _mm256_set_epi64x(2, 0, 2, 0);
- const __m256i shift = _mm256_set_epi16(4, 32, 1, 8, 32, 1, 4, 32, 4, 32, 1, 8, 32, 1, 4, 32);
- const __m256i mask = _mm256_set1_epi16(32752);
-
- for (i = 0; i < KYBER_N / 16; i++) {
- f = _mm256_loadu_si256((__m256i *)&a[22 * i]);
- f = _mm256_permute4x64_epi64(f, 0x94);
- f = _mm256_shuffle_epi8(f, shufbidx);
- f = _mm256_srlv_epi32(f, srlvdidx);
- f = _mm256_srlv_epi64(f, srlvqidx);
- f = _mm256_mullo_epi16(f, shift);
- f = _mm256_srli_epi16(f, 1);
- f = _mm256_and_si256(f, mask);
- f = _mm256_mulhrs_epi16(f, q);
- _mm256_store_si256(&r->vec[i], f);
- }
-}
-
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_AVX2_polyvec_compress
-*
-* Description: Compress and serialize vector of polynomials
-*
-* Arguments: - uint8_t *r: pointer to output byte array
-* (needs space for KYBER_POLYVECCOMPRESSEDBYTES)
-* - polyvec *a: pointer to input vector of polynomials
-**************************************************/
-void PQCLEAN_KYBER102490S_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES + 2], polyvec *a) {
- size_t i;
-
- for (i = 0; i < KYBER_K; i++) {
- poly_compress11(&r[352 * i], &a->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_AVX2_polyvec_decompress
-*
-* Description: De-serialize and decompress vector of polynomials;
-* approximate inverse of PQCLEAN_KYBER102490S_AVX2_polyvec_compress
-*
-* Arguments: - polyvec *r: pointer to output vector of polynomials
-* - const uint8_t *a: pointer to input byte array
-* (of length KYBER_POLYVECCOMPRESSEDBYTES)
-**************************************************/
-void
PQCLEAN_KYBER102490S_AVX2_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES + 12]) {
- size_t i;
-
- for (i = 0; i < KYBER_K; i++) {
- poly_decompress11(&r->vec[i], &a[352 * i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_AVX2_polyvec_tobytes
-*
-* Description: Serialize vector of polynomials
-*
-* Arguments: - uint8_t *r: pointer to output byte array
-* (needs space for KYBER_POLYVECBYTES)
-* - polyvec *a: pointer to input vector of polynomials
-**************************************************/
-void PQCLEAN_KYBER102490S_AVX2_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a) {
- size_t i;
- for (i = 0; i < KYBER_K; i++) {
- PQCLEAN_KYBER102490S_AVX2_poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_AVX2_polyvec_frombytes
-*
-* Description: De-serialize vector of polynomials;
-* inverse of PQCLEAN_KYBER102490S_AVX2_polyvec_tobytes
-*
-* Arguments: - uint8_t *r: pointer to output byte array
-* - const polyvec *a: pointer to input vector of polynomials
-* (of length KYBER_POLYVECBYTES)
-**************************************************/
-void PQCLEAN_KYBER102490S_AVX2_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]) {
- size_t i;
- for (i = 0; i < KYBER_K; i++) {
- PQCLEAN_KYBER102490S_AVX2_poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_AVX2_polyvec_ntt
-*
-* Description: Apply forward NTT to all elements of a vector of polynomials
-*
-* Arguments: - polyvec *r: pointer to in/output vector of polynomials
-**************************************************/
-void PQCLEAN_KYBER102490S_AVX2_polyvec_ntt(polyvec *r) {
- size_t i;
- for (i = 0; i < KYBER_K; i++) {
- PQCLEAN_KYBER102490S_AVX2_poly_ntt(&r->vec[i]);
- }
-}
-
-/*************************************************
-* Name:
PQCLEAN_KYBER102490S_AVX2_polyvec_invntt_tomont
-*
-* Description: Apply inverse NTT to all elements of a vector of polynomials
-* and multiply by Montgomery factor 2^16
-*
-* Arguments: - polyvec *r: pointer to in/output vector of polynomials
-**************************************************/
-void PQCLEAN_KYBER102490S_AVX2_polyvec_invntt_tomont(polyvec *r) {
- size_t i;
- for (i = 0; i < KYBER_K; i++) {
- PQCLEAN_KYBER102490S_AVX2_poly_invntt_tomont(&r->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_AVX2_polyvec_basemul_acc_montgomery
-*
-* Description: Multiply elements in a and b in NTT domain, accumulate into r,
-* and multiply by 2^-16.
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const polyvec *a: pointer to first input vector of polynomials
-* - const polyvec *b: pointer to second input vector of polynomials
-**************************************************/
-void PQCLEAN_KYBER102490S_AVX2_polyvec_basemul_acc_montgomery(poly *r, const polyvec *a, const polyvec *b) {
- size_t i;
- poly tmp;
-
- PQCLEAN_KYBER102490S_AVX2_poly_basemul_montgomery(r, &a->vec[0], &b->vec[0]);
- for (i = 1; i < KYBER_K; i++) {
- PQCLEAN_KYBER102490S_AVX2_poly_basemul_montgomery(&tmp, &a->vec[i], &b->vec[i]);
- PQCLEAN_KYBER102490S_AVX2_poly_add(r, r, &tmp);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_AVX2_polyvec_reduce
-*
-* Description: Applies Barrett reduction to each coefficient
-* of each element of a vector of polynomials;
-* for details of the Barrett reduction see comments in reduce.c
-*
-* Arguments: - polyvec *r: pointer to input/output polynomial
-**************************************************/
-void PQCLEAN_KYBER102490S_AVX2_polyvec_reduce(polyvec *r) {
- size_t i;
- for (i = 0; i < KYBER_K; i++) {
- PQCLEAN_KYBER102490S_AVX2_poly_reduce(&r->vec[i]);
- }
-}
-
-/*************************************************
-* Name:
PQCLEAN_KYBER102490S_AVX2_polyvec_add
-*
-* Description: Add vectors of polynomials
-*
-* Arguments: - polyvec *r: pointer to output vector of polynomials
-* - const polyvec *a: pointer to first input vector of polynomials
-* - const polyvec *b: pointer to second input vector of polynomials
-**************************************************/
-void PQCLEAN_KYBER102490S_AVX2_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) {
- size_t i;
- for (i = 0; i < KYBER_K; i++) {
- PQCLEAN_KYBER102490S_AVX2_poly_add(&r->vec[i], &a->vec[i], &b->vec[i]);
- }
-}
diff --git a/crypto_kem/kyber1024-90s/avx2/polyvec.h b/crypto_kem/kyber1024-90s/avx2/polyvec.h
deleted file mode 100644
index 050a0fde..00000000
--- a/crypto_kem/kyber1024-90s/avx2/polyvec.h
+++ /dev/null
@@ -1,26 +0,0 @@
-#ifndef PQCLEAN_KYBER102490S_AVX2_POLYVEC_H
-#define PQCLEAN_KYBER102490S_AVX2_POLYVEC_H
-#include "params.h"
-#include "poly.h"
-#include
-
-typedef struct {
- poly vec[KYBER_K];
-} polyvec;
-
-void PQCLEAN_KYBER102490S_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES + 2], polyvec *a);
-void PQCLEAN_KYBER102490S_AVX2_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES + 12]);
-
-void PQCLEAN_KYBER102490S_AVX2_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a);
-void PQCLEAN_KYBER102490S_AVX2_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]);
-
-void PQCLEAN_KYBER102490S_AVX2_polyvec_ntt(polyvec *r);
-void PQCLEAN_KYBER102490S_AVX2_polyvec_invntt_tomont(polyvec *r);
-
-void PQCLEAN_KYBER102490S_AVX2_polyvec_basemul_acc_montgomery(poly *r, const polyvec *a, const polyvec *b);
-
-void PQCLEAN_KYBER102490S_AVX2_polyvec_reduce(polyvec *r);
-
-void PQCLEAN_KYBER102490S_AVX2_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b);
-
-#endif
diff --git a/crypto_kem/kyber1024-90s/avx2/reduce.h b/crypto_kem/kyber1024-90s/avx2/reduce.h
deleted file mode 100644
index 9cb7f3a5..00000000
--- a/crypto_kem/kyber1024-90s/avx2/reduce.h
+++ /dev/null
@@ -1,9 +0,0 @@
-#ifndef PQCLEAN_KYBER102490S_AVX2_REDUCE_H
-#define PQCLEAN_KYBER102490S_AVX2_REDUCE_H
-#include "params.h"
-#include
-
-void PQCLEAN_KYBER102490S_AVX2_reduce_avx(__m256i *r, const __m256i *PQCLEAN_KYBER102490S_AVX2_qdata);
-void PQCLEAN_KYBER102490S_AVX2_tomont_avx(__m256i *r, const __m256i *PQCLEAN_KYBER102490S_AVX2_qdata);
-
-#endif
diff --git a/crypto_kem/kyber1024-90s/avx2/rejsample.c b/crypto_kem/kyber1024-90s/avx2/rejsample.c
deleted file mode 100644
index 473473f8..00000000
--- a/crypto_kem/kyber1024-90s/avx2/rejsample.c
+++ /dev/null
@@ -1,126 +0,0 @@
-#include "align.h"
-#include "consts.h"
-#include "params.h"
-#include "rejsample.h"
-#include
-#include
-#include
-
-//#define BMI
-
-
-#define _mm256_cmpge_epu16(a, b) _mm256_cmpeq_epi16(_mm256_max_epu16(a, b), a)
-#define _mm_cmpge_epu16(a, b) _mm_cmpeq_epi16(_mm_max_epu16(a, b), a)
-
-unsigned int PQCLEAN_KYBER102490S_AVX2_rej_uniform_avx(int16_t *restrict r, const uint8_t *buf) {
- unsigned int ctr, pos;
- uint16_t val0, val1;
- uint32_t good;
- uint64_t idx0, idx1, idx2, idx3;
- const __m256i bound = _mm256_load_si256(&PQCLEAN_KYBER102490S_AVX2_qdata.vec[_16XQ / 16]);
- const __m256i ones = _mm256_set1_epi8(1);
- const __m256i mask = _mm256_set1_epi16(0xFFF);
- const __m256i idx8 = _mm256_set_epi8(15, 14, 14, 13, 12, 11, 11, 10,
- 9, 8, 8, 7, 6, 5, 5, 4,
- 11, 10, 10, 9, 8, 7, 7, 6,
- 5, 4, 4, 3, 2, 1, 1, 0);
- __m256i f0, f1, g0, g1, g2, g3;
- __m128i f, t, pilo, pihi;
-
- ctr = pos = 0;
- while (ctr <= KYBER_N - 32 && pos <= REJ_UNIFORM_AVX_BUFLEN - 48) {
- f0 = _mm256_loadu_si256((__m256i *)&buf[pos]);
- f1 = _mm256_loadu_si256((__m256i *)&buf[pos + 24]);
- f0 = _mm256_permute4x64_epi64(f0, 0x94);
- f1 = _mm256_permute4x64_epi64(f1, 0x94);
- f0 = _mm256_shuffle_epi8(f0, idx8);
- f1 = _mm256_shuffle_epi8(f1, idx8);
- g0 = _mm256_srli_epi16(f0, 4);
- g1 = _mm256_srli_epi16(f1, 4);
- f0 = _mm256_blend_epi16(f0, g0, 0xAA);
- f1 = _mm256_blend_epi16(f1, g1, 0xAA);
- f0 = _mm256_and_si256(f0, mask);
- f1 = _mm256_and_si256(f1, mask);
- pos += 48;
-
- g0 = _mm256_cmpgt_epi16(bound, f0);
- g1 = _mm256_cmpgt_epi16(bound, f1);
-
- g0 = _mm256_packs_epi16(g0, g1);
- good = _mm256_movemask_epi8(g0);
-
- idx0 = _pdep_u64(good >> 0, 0x0101010101010101);
- idx1 = _pdep_u64(good >> 8, 0x0101010101010101);
- idx2 = _pdep_u64(good >> 16, 0x0101010101010101);
- idx3 = _pdep_u64(good >> 24, 0x0101010101010101);
- idx0 = (idx0 << 8) - idx0;
- idx0 = _pext_u64(0x0E0C0A0806040200, idx0);
- idx1 = (idx1 << 8) - idx1;
- idx1 = _pext_u64(0x0E0C0A0806040200,
idx1);
- idx2 = (idx2 << 8) - idx2;
- idx2 = _pext_u64(0x0E0C0A0806040200, idx2);
- idx3 = (idx3 << 8) - idx3;
- idx3 = _pext_u64(0x0E0C0A0806040200, idx3);
-
- g0 = _mm256_castsi128_si256(_mm_cvtsi64_si128(idx0));
- g1 = _mm256_castsi128_si256(_mm_cvtsi64_si128(idx1));
- g0 = _mm256_inserti128_si256(g0, _mm_cvtsi64_si128(idx2), 1);
- g1 = _mm256_inserti128_si256(g1, _mm_cvtsi64_si128(idx3), 1);
-
- g2 = _mm256_add_epi8(g0, ones);
- g3 = _mm256_add_epi8(g1, ones);
- g0 = _mm256_unpacklo_epi8(g0, g2);
- g1 = _mm256_unpacklo_epi8(g1, g3);
-
- f0 = _mm256_shuffle_epi8(f0, g0);
- f1 = _mm256_shuffle_epi8(f1, g1);
-
- _mm_storeu_si128((__m128i *)&r[ctr], _mm256_castsi256_si128(f0));
- ctr += _mm_popcnt_u32((good >> 0) & 0xFF);
- _mm_storeu_si128((__m128i *)&r[ctr], _mm256_extracti128_si256(f0, 1));
- ctr += _mm_popcnt_u32((good >> 16) & 0xFF);
- _mm_storeu_si128((__m128i *)&r[ctr], _mm256_castsi256_si128(f1));
- ctr += _mm_popcnt_u32((good >> 8) & 0xFF);
- _mm_storeu_si128((__m128i *)&r[ctr], _mm256_extracti128_si256(f1, 1));
- ctr += _mm_popcnt_u32((good >> 24) & 0xFF);
- }
-
- while (ctr <= KYBER_N - 8 && pos <= REJ_UNIFORM_AVX_BUFLEN - 12) {
- f = _mm_loadu_si128((__m128i *)&buf[pos]);
- f = _mm_shuffle_epi8(f, _mm256_castsi256_si128(idx8));
- t = _mm_srli_epi16(f, 4);
- f = _mm_blend_epi16(f, t, 0xAA);
- f = _mm_and_si128(f, _mm256_castsi256_si128(mask));
- pos += 12;
-
- t = _mm_cmpgt_epi16(_mm256_castsi256_si128(bound), f);
- good = _mm_movemask_epi8(t);
-
- good &= 0x5555;
- idx0 = _pdep_u64(good, 0x1111111111111111);
- idx0 = (idx0 << 8) - idx0;
- idx0 = _pext_u64(0x0E0C0A0806040200, idx0);
- pilo = _mm_cvtsi64_si128(idx0);
-
- pihi = _mm_add_epi8(pilo, _mm256_castsi256_si128(ones));
- pilo = _mm_unpacklo_epi8(pilo, pihi);
- f = _mm_shuffle_epi8(f, pilo);
- _mm_storeu_si128((__m128i *)&r[ctr], f);
- ctr += _mm_popcnt_u32(good);
- }
-
- while (ctr < KYBER_N && pos <= REJ_UNIFORM_AVX_BUFLEN - 3) {
- val0 = ((buf[pos + 0] >> 0) | ((uint16_t)buf[pos + 1] << 8)) &
0xFFF;
- val1 = ((buf[pos + 1] >> 4) | ((uint16_t)buf[pos + 2] << 4));
- pos += 3;
-
- if (val0 < KYBER_Q) {
- r[ctr++] = val0;
- }
- if (val1 < KYBER_Q && ctr < KYBER_N) {
- r[ctr++] = val1;
- }
- }
-
- return ctr;
-}
diff --git a/crypto_kem/kyber1024-90s/avx2/rejsample.h b/crypto_kem/kyber1024-90s/avx2/rejsample.h
deleted file mode 100644
index 3283fc1b..00000000
--- a/crypto_kem/kyber1024-90s/avx2/rejsample.h
+++ /dev/null
@@ -1,12 +0,0 @@
-#ifndef PQCLEAN_KYBER102490S_AVX2_REJSAMPLE_H
-#define PQCLEAN_KYBER102490S_AVX2_REJSAMPLE_H
-#include "params.h"
-#include "symmetric.h"
-#include
-
-#define REJ_UNIFORM_AVX_NBLOCKS ((12*KYBER_N/8*(1 << 12)/KYBER_Q + XOF_BLOCKBYTES)/XOF_BLOCKBYTES)
-#define REJ_UNIFORM_AVX_BUFLEN (REJ_UNIFORM_AVX_NBLOCKS*XOF_BLOCKBYTES)
-
-unsigned int PQCLEAN_KYBER102490S_AVX2_rej_uniform_avx(int16_t *r, const uint8_t *buf);
-
-#endif
diff --git a/crypto_kem/kyber1024-90s/avx2/shuffle.S b/crypto_kem/kyber1024-90s/avx2/shuffle.S
deleted file mode 100644
index 0667999f..00000000
--- a/crypto_kem/kyber1024-90s/avx2/shuffle.S
+++ /dev/null
@@ -1,261 +0,0 @@
-#include "cdecl.h"
-.include "fq.inc"
-.include "shuffle.inc"
-
-/*
-nttpack_avx:
-#load
-vmovdqa (%rdi),%ymm4
-vmovdqa 32(%rdi),%ymm5
-vmovdqa 64(%rdi),%ymm6
-vmovdqa 96(%rdi),%ymm7
-vmovdqa 128(%rdi),%ymm8
-vmovdqa 160(%rdi),%ymm9
-vmovdqa 192(%rdi),%ymm10
-vmovdqa 224(%rdi),%ymm11
-
-shuffle1 4,5,3,5
-shuffle1 6,7,4,7
-shuffle1 8,9,6,9
-shuffle1 10,11,8,11
-
-shuffle2 3,4,10,4
-shuffle2 6,8,3,8
-shuffle2 5,7,6,7
-shuffle2 9,11,5,11
-
-shuffle4 10,3,9,3
-shuffle4 6,5,10,5
-shuffle4 4,8,6,8
-shuffle4 7,11,4,11
-
-shuffle8 9,10,7,10
-shuffle8 6,4,9,4
-shuffle8 3,5,6,5
-shuffle8 8,11,3,11
-
-#store
-vmovdqa %ymm7,(%rdi)
-vmovdqa %ymm9,32(%rdi)
-vmovdqa %ymm6,64(%rdi)
-vmovdqa %ymm3,96(%rdi)
-vmovdqa %ymm10,128(%rdi)
-vmovdqa %ymm4,160(%rdi)
-vmovdqa %ymm5,192(%rdi)
-vmovdqa %ymm11,224(%rdi)
-
-ret
-*/
-
-.text
-nttunpack128_avx:
-#load
-vmovdqa (%rdi),%ymm4
-vmovdqa 32(%rdi),%ymm5
-vmovdqa 64(%rdi),%ymm6
-vmovdqa 96(%rdi),%ymm7
-vmovdqa 128(%rdi),%ymm8
-vmovdqa 160(%rdi),%ymm9
-vmovdqa 192(%rdi),%ymm10
-vmovdqa 224(%rdi),%ymm11
-
-shuffle8 4,8,3,8
-shuffle8 5,9,4,9
-shuffle8 6,10,5,10
-shuffle8 7,11,6,11
-
-shuffle4 3,5,7,5
-shuffle4 8,10,3,10
-shuffle4 4,6,8,6
-shuffle4 9,11,4,11
-
-shuffle2 7,8,9,8
-shuffle2 5,6,7,6
-shuffle2 3,4,5,4
-shuffle2 10,11,3,11
-
-shuffle1 9,5,10,5
-shuffle1 8,4,9,4
-shuffle1 7,3,8,3
-shuffle1 6,11,7,11
-
-#store
-vmovdqa %ymm10,(%rdi)
-vmovdqa %ymm5,32(%rdi)
-vmovdqa %ymm9,64(%rdi)
-vmovdqa %ymm4,96(%rdi)
-vmovdqa %ymm8,128(%rdi)
-vmovdqa %ymm3,160(%rdi)
-vmovdqa %ymm7,192(%rdi)
-vmovdqa %ymm11,224(%rdi)
-
-ret
-
-.global cdecl(PQCLEAN_KYBER102490S_AVX2_nttunpack_avx)
-.global _cdecl(PQCLEAN_KYBER102490S_AVX2_nttunpack_avx)
-cdecl(PQCLEAN_KYBER102490S_AVX2_nttunpack_avx):
-_cdecl(PQCLEAN_KYBER102490S_AVX2_nttunpack_avx):
-call nttunpack128_avx
-add $256,%rdi
-call nttunpack128_avx
-ret
-
-ntttobytes128_avx:
-#load
-vmovdqa (%rsi),%ymm5
-vmovdqa 32(%rsi),%ymm6
-vmovdqa 64(%rsi),%ymm7
-vmovdqa 96(%rsi),%ymm8
-vmovdqa
128(%rsi),%ymm9
-vmovdqa 160(%rsi),%ymm10
-vmovdqa 192(%rsi),%ymm11
-vmovdqa 224(%rsi),%ymm12
-
-#csubq
-csubq 5,13
-csubq 6,13
-csubq 7,13
-csubq 8,13
-csubq 9,13
-csubq 10,13
-csubq 11,13
-csubq 12,13
-
-#bitpack
-vpsllw $12,%ymm6,%ymm4
-vpor %ymm4,%ymm5,%ymm4
-
-vpsrlw $4,%ymm6,%ymm5
-vpsllw $8,%ymm7,%ymm6
-vpor %ymm5,%ymm6,%ymm5
-
-vpsrlw $8,%ymm7,%ymm6
-vpsllw $4,%ymm8,%ymm7
-vpor %ymm6,%ymm7,%ymm6
-
-vpsllw $12,%ymm10,%ymm7
-vpor %ymm7,%ymm9,%ymm7
-
-vpsrlw $4,%ymm10,%ymm8
-vpsllw $8,%ymm11,%ymm9
-vpor %ymm8,%ymm9,%ymm8
-
-vpsrlw $8,%ymm11,%ymm9
-vpsllw $4,%ymm12,%ymm10
-vpor %ymm9,%ymm10,%ymm9
-
-shuffle1 4,5,3,5
-shuffle1 6,7,4,7
-shuffle1 8,9,6,9
-
-shuffle2 3,4,8,4
-shuffle2 6,5,3,5
-shuffle2 7,9,6,9
-
-shuffle4 8,3,7,3
-shuffle4 6,4,8,4
-shuffle4 5,9,6,9
-
-shuffle8 7,8,5,8
-shuffle8 6,3,7,3
-shuffle8 4,9,6,9
-
-#store
-vmovdqu %ymm5,(%rdi)
-vmovdqu %ymm7,32(%rdi)
-vmovdqu %ymm6,64(%rdi)
-vmovdqu %ymm8,96(%rdi)
-vmovdqu %ymm3,128(%rdi)
-vmovdqu %ymm9,160(%rdi)
-
-ret
-
-.global cdecl(PQCLEAN_KYBER102490S_AVX2_ntttobytes_avx)
-.global _cdecl(PQCLEAN_KYBER102490S_AVX2_ntttobytes_avx)
-cdecl(PQCLEAN_KYBER102490S_AVX2_ntttobytes_avx):
-_cdecl(PQCLEAN_KYBER102490S_AVX2_ntttobytes_avx):
-#consts
-vmovdqa _16XQ*2(%rdx),%ymm0
-call ntttobytes128_avx
-add $256,%rsi
-add $192,%rdi
-call ntttobytes128_avx
-ret
-
-nttfrombytes128_avx:
-#load
-vmovdqu (%rsi),%ymm4
-vmovdqu 32(%rsi),%ymm5
-vmovdqu 64(%rsi),%ymm6
-vmovdqu 96(%rsi),%ymm7
-vmovdqu 128(%rsi),%ymm8
-vmovdqu 160(%rsi),%ymm9
-
-shuffle8 4,7,3,7
-shuffle8 5,8,4,8
-shuffle8 6,9,5,9
-
-shuffle4 3,8,6,8
-shuffle4 7,5,3,5
-shuffle4 4,9,7,9
-
-shuffle2 6,5,4,5
-shuffle2 8,7,6,7
-shuffle2 3,9,8,9
-
-shuffle1 4,7,10,7
-shuffle1 5,8,4,8
-shuffle1 6,9,5,9
-
-#bitunpack
-vpsrlw $12,%ymm10,%ymm11
-vpsllw $4,%ymm7,%ymm12
-vpor %ymm11,%ymm12,%ymm11
-vpand %ymm0,%ymm10,%ymm10
-vpand %ymm0,%ymm11,%ymm11
-
-vpsrlw $8,%ymm7,%ymm12
-vpsllw $8,%ymm4,%ymm13
-vpor %ymm12,%ymm13,%ymm12
-vpand %ymm0,%ymm12,%ymm12
-
-vpsrlw
$4,%ymm4,%ymm13
-vpand %ymm0,%ymm13,%ymm13
-
-vpsrlw $12,%ymm8,%ymm14
-vpsllw $4,%ymm5,%ymm15
-vpor %ymm14,%ymm15,%ymm14
-vpand %ymm0,%ymm8,%ymm8
-vpand %ymm0,%ymm14,%ymm14
-
-vpsrlw $8,%ymm5,%ymm15
-vpsllw $8,%ymm9,%ymm1
-vpor %ymm15,%ymm1,%ymm15
-vpand %ymm0,%ymm15,%ymm15
-
-vpsrlw $4,%ymm9,%ymm1
-vpand %ymm0,%ymm1,%ymm1
-
-#store
-vmovdqa %ymm10,(%rdi)
-vmovdqa %ymm11,32(%rdi)
-vmovdqa %ymm12,64(%rdi)
-vmovdqa %ymm13,96(%rdi)
-vmovdqa %ymm8,128(%rdi)
-vmovdqa %ymm14,160(%rdi)
-vmovdqa %ymm15,192(%rdi)
-vmovdqa %ymm1,224(%rdi)
-
-ret
-
-.global cdecl(PQCLEAN_KYBER102490S_AVX2_nttfrombytes_avx)
-.global _cdecl(PQCLEAN_KYBER102490S_AVX2_nttfrombytes_avx)
-cdecl(PQCLEAN_KYBER102490S_AVX2_nttfrombytes_avx):
-_cdecl(PQCLEAN_KYBER102490S_AVX2_nttfrombytes_avx):
-#consts
-vmovdqa _16XMASK*2(%rdx),%ymm0
-call nttfrombytes128_avx
-add $256,%rdi
-add $192,%rsi
-call nttfrombytes128_avx
-ret
diff --git a/crypto_kem/kyber1024-90s/avx2/shuffle.inc b/crypto_kem/kyber1024-90s/avx2/shuffle.inc
deleted file mode 100644
index 73e9ffe0..00000000
--- a/crypto_kem/kyber1024-90s/avx2/shuffle.inc
+++ /dev/null
@@ -1,25 +0,0 @@
-.macro shuffle8 r0,r1,r2,r3
-vperm2i128 $0x20,%ymm\r1,%ymm\r0,%ymm\r2
-vperm2i128 $0x31,%ymm\r1,%ymm\r0,%ymm\r3
-.endm
-
-.macro shuffle4 r0,r1,r2,r3
-vpunpcklqdq %ymm\r1,%ymm\r0,%ymm\r2
-vpunpckhqdq %ymm\r1,%ymm\r0,%ymm\r3
-.endm
-
-.macro shuffle2 r0,r1,r2,r3
-#vpsllq $32,%ymm\r1,%ymm\r2
-vmovsldup %ymm\r1,%ymm\r2
-vpblendd $0xAA,%ymm\r2,%ymm\r0,%ymm\r2
-vpsrlq $32,%ymm\r0,%ymm\r0
-#vmovshdup %ymm\r0,%ymm\r0
-vpblendd $0xAA,%ymm\r1,%ymm\r0,%ymm\r3
-.endm
-
-.macro shuffle1 r0,r1,r2,r3
-vpslld $16,%ymm\r1,%ymm\r2
-vpblendw $0xAA,%ymm\r2,%ymm\r0,%ymm\r2
-vpsrld $16,%ymm\r0,%ymm\r0
-vpblendw $0xAA,%ymm\r1,%ymm\r0,%ymm\r3
-.endm
diff --git a/crypto_kem/kyber1024-90s/avx2/symmetric.h b/crypto_kem/kyber1024-90s/avx2/symmetric.h
deleted file mode 100644
index e22e10b2..00000000
--- a/crypto_kem/kyber1024-90s/avx2/symmetric.h
+++ /dev/null
@@ -1,24 +0,0 @@
-#ifndef PQCLEAN_KYBER102490S_AVX2_SYMMETRIC_H
-#define PQCLEAN_KYBER102490S_AVX2_SYMMETRIC_H
-#include "aes256ctr.h"
-#include "params.h"
-#include "sha2.h"
-#include
-#include
-
-
-
-typedef aes256ctr_ctx xof_state;
-
-#define XOF_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define hash_h(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-#define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES)
-#define xof_absorb(STATE, SEED, X, Y) PQCLEAN_KYBER102490S_AVX2_aes256ctr_init(STATE, SEED, (X) | ((uint16_t)(Y) << 8))
-#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER102490S_AVX2_aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define xof_ctx_release(STATE)
-#define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER102490S_AVX2_aes256ctr_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-
-
-#endif /* SYMMETRIC_H */
diff --git a/crypto_kem/kyber1024-90s/avx2/verify.c b/crypto_kem/kyber1024-90s/avx2/verify.c
deleted file mode 100644
index 37b553f4..00000000
--- a/crypto_kem/kyber1024-90s/avx2/verify.c
+++ /dev/null
@@ -1,73 +0,0 @@
-#include "verify.h"
-#include
-#include
-#include
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_AVX2_verify
-*
-* Description: Compare two arrays for equality in constant time.
-*
-* Arguments: const uint8_t *a: pointer to first byte array
-* const uint8_t *b: pointer to second byte array
-* size_t len: length of the byte arrays
-*
-* Returns 0 if the byte arrays are equal, 1 otherwise
-**************************************************/
-int PQCLEAN_KYBER102490S_AVX2_verify(const uint8_t *a, const uint8_t *b, size_t len) {
- size_t i;
- uint64_t r;
- __m256i f, g, h;
-
- h = _mm256_setzero_si256();
- for (i = 0; i < len / 32; i++) {
- f = _mm256_loadu_si256((__m256i *)&a[32 * i]);
- g = _mm256_loadu_si256((__m256i *)&b[32 * i]);
- f = _mm256_xor_si256(f, g);
- h = _mm256_or_si256(h, f);
- }
- r = 1 - _mm256_testz_si256(h, h);
-
- a += 32 * i;
- b += 32 * i;
- len -= 32 * i;
- for (i = 0; i < len; i++) {
- r |= a[i] ^ b[i];
- }
-
- r = (-r) >> 63;
- return r;
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_AVX2_cmov
-*
-* Description: Copy len bytes from x to r if b is 1;
-* don't modify x if b is 0. Requires b to be in {0,1};
-* assumes two's complement representation of negative integers.
-* Runs in constant time.
-*
-* Arguments: unsigned char *r: pointer to output byte array
-* const unsigned char *x: pointer to input byte array
-* size_t len: Amount of bytes to be copied
-* unsigned char b: Condition bit; has to be in {0,1}
-**************************************************/
-void PQCLEAN_KYBER102490S_AVX2_cmov(uint8_t *restrict r, const uint8_t *x, size_t len, uint8_t b) {
- size_t i;
- __m256i xvec, rvec, bvec;
-
- bvec = _mm256_set1_epi64x(-(uint64_t)b);
- for (i = 0; i < len / 32; i++) {
- rvec = _mm256_loadu_si256((__m256i *)&r[32 * i]);
- xvec = _mm256_loadu_si256((__m256i *)&x[32 * i]);
- rvec = _mm256_blendv_epi8(rvec, xvec, bvec);
- _mm256_storeu_si256((__m256i *)&r[32 * i], rvec);
- }
-
- r += 32 * i;
- x += 32 * i;
- len -= 32 * i;
- for (i = 0; i < len; i++) {
- r[i] ^= -b & (x[i] ^ r[i]);
- }
-}
diff --git a/crypto_kem/kyber1024-90s/avx2/verify.h b/crypto_kem/kyber1024-90s/avx2/verify.h
deleted file mode 100644
index 70720cbc..00000000
--- a/crypto_kem/kyber1024-90s/avx2/verify.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_KYBER102490S_AVX2_VERIFY_H
-#define PQCLEAN_KYBER102490S_AVX2_VERIFY_H
-#include "params.h"
-#include
-#include
-
-int PQCLEAN_KYBER102490S_AVX2_verify(const uint8_t *a, const uint8_t *b, size_t len);
-
-void PQCLEAN_KYBER102490S_AVX2_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b);
-
-#endif
diff --git a/crypto_kem/kyber1024-90s/clean/LICENSE b/crypto_kem/kyber1024-90s/clean/LICENSE
deleted file mode 100644
index 08473af7..00000000
--- a/crypto_kem/kyber1024-90s/clean/LICENSE
+++ /dev/null
@@ -1,5 +0,0 @@
-Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/)
-
-For Keccak and AES we are using public-domain
-code from sources and by authors listed in
-comments on top of the respective files.
diff --git a/crypto_kem/kyber1024-90s/clean/Makefile.Microsoft_nmake b/crypto_kem/kyber1024-90s/clean/Makefile.Microsoft_nmake
deleted file mode 100644
index 24fc3849..00000000
--- a/crypto_kem/kyber1024-90s/clean/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,23 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libkyber1024-90s_clean.lib
-OBJECTS=cbd.obj indcpa.obj kem.obj ntt.obj poly.obj polyvec.obj reduce.obj symmetric-aes.obj verify.obj
-
-# Warning C4146 is raised when a unary minus operator is applied to an
-# unsigned type; this has nonetheless been standard and portable for as
-# long as there has been a C standard, and we need it for constant-time
-# computations. Thus, we disable that spurious warning.
-CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX /wd4146
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_kem/kyber1024-90s/clean/api.h b/crypto_kem/kyber1024-90s/clean/api.h
deleted file mode 100644
index 99545db9..00000000
--- a/crypto_kem/kyber1024-90s/clean/api.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef PQCLEAN_KYBER102490S_CLEAN_API_H
-#define PQCLEAN_KYBER102490S_CLEAN_API_H
-
-#include
-
-#define PQCLEAN_KYBER102490S_CLEAN_CRYPTO_SECRETKEYBYTES 3168
-#define PQCLEAN_KYBER102490S_CLEAN_CRYPTO_PUBLICKEYBYTES 1568
-#define PQCLEAN_KYBER102490S_CLEAN_CRYPTO_CIPHERTEXTBYTES 1568
-#define PQCLEAN_KYBER102490S_CLEAN_CRYPTO_BYTES 32
-#define PQCLEAN_KYBER102490S_CLEAN_CRYPTO_ALGNAME "Kyber1024-90s"
-
-int PQCLEAN_KYBER102490S_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
-
-int PQCLEAN_KYBER102490S_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-
-int PQCLEAN_KYBER102490S_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
-#endif
diff --git a/crypto_kem/kyber1024-90s/clean/cbd.c b/crypto_kem/kyber1024-90s/clean/cbd.c
deleted file mode 100644
index 74d9c81e..00000000
--- a/crypto_kem/kyber1024-90s/clean/cbd.c
+++ /dev/null
@@ -1,83 +0,0 @@
-#include "cbd.h"
-#include "params.h"
-#include
-
-/*************************************************
-* Name: load32_littleendian
-*
-* Description: load 4 bytes into a 32-bit integer
-* in little-endian order
-*
-* Arguments: - const uint8_t *x: pointer to input byte array
-*
-* Returns 32-bit unsigned integer loaded from x
-**************************************************/
-static uint32_t load32_littleendian(const uint8_t x[4]) {
- uint32_t r;
- r = (uint32_t)x[0];
- r |= (uint32_t)x[1] << 8;
- r |= (uint32_t)x[2] << 16;
- r |= (uint32_t)x[3] << 24;
- return r;
-}
-
-/*************************************************
-* Name: load24_littleendian
-*
-* Description: load 3 bytes into a 32-bit integer
-* in little-endian order.
-* This function is only needed for Kyber-512
-*
-* Arguments: - const uint8_t *x: pointer to input byte array
-*
-* Returns 32-bit unsigned integer loaded from x (most significant byte is zero)
-**************************************************/
-
-
-/*************************************************
-* Name: cbd2
-*
-* Description: Given an array of uniformly random bytes, compute
-* polynomial with coefficients distributed according to
-* a centered binomial distribution with parameter eta=2
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *buf: pointer to input byte array
-**************************************************/
-static void cbd2(poly *r, const uint8_t buf[2 * KYBER_N / 4]) {
- unsigned int i, j;
- uint32_t t, d;
- int16_t a, b;
-
- for (i = 0; i < KYBER_N / 8; i++) {
- t = load32_littleendian(buf + 4 * i);
- d = t & 0x55555555;
- d += (t >> 1) & 0x55555555;
-
- for (j = 0; j < 8; j++) {
- a = (d >> (4 * j + 0)) & 0x3;
- b = (d >> (4 * j + 2)) & 0x3;
- r->coeffs[8 * i + j] = a - b;
- }
- }
-}
-
-/*************************************************
-* Name: cbd3
-*
-* Description: Given an array of uniformly random bytes, compute
-* polynomial with coefficients distributed
according to
-* a centered binomial distribution with parameter eta=3.
-* This function is only needed for Kyber-512
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *buf: pointer to input byte array
-**************************************************/
-
-void PQCLEAN_KYBER102490S_CLEAN_poly_cbd_eta1(poly *r, const uint8_t buf[KYBER_ETA1 * KYBER_N / 4]) {
- cbd2(r, buf);
-}
-
-void PQCLEAN_KYBER102490S_CLEAN_poly_cbd_eta2(poly *r, const uint8_t buf[KYBER_ETA2 * KYBER_N / 4]) {
- cbd2(r, buf);
-}
diff --git a/crypto_kem/kyber1024-90s/clean/cbd.h b/crypto_kem/kyber1024-90s/clean/cbd.h
deleted file mode 100644
index bbd9ef9d..00000000
--- a/crypto_kem/kyber1024-90s/clean/cbd.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_KYBER102490S_CLEAN_CBD_H
-#define PQCLEAN_KYBER102490S_CLEAN_CBD_H
-#include "params.h"
-#include "poly.h"
-#include
-
-void PQCLEAN_KYBER102490S_CLEAN_poly_cbd_eta1(poly *r, const uint8_t buf[KYBER_ETA1 * KYBER_N / 4]);
-
-void PQCLEAN_KYBER102490S_CLEAN_poly_cbd_eta2(poly *r, const uint8_t buf[KYBER_ETA2 * KYBER_N / 4]);
-
-#endif
diff --git a/crypto_kem/kyber1024-90s/clean/indcpa.c b/crypto_kem/kyber1024-90s/clean/indcpa.c
deleted file mode 100644
index 607b6487..00000000
--- a/crypto_kem/kyber1024-90s/clean/indcpa.c
+++ /dev/null
@@ -1,330 +0,0 @@
-#include "indcpa.h"
-#include "ntt.h"
-#include "params.h"
-#include "poly.h"
-#include "polyvec.h"
-#include "randombytes.h"
-#include "symmetric.h"
-#include
-#include
-
-/*************************************************
-* Name: pack_pk
-*
-* Description: Serialize the public key as concatenation of the
-* serialized vector of polynomials pk
-* and the public seed used to generate the matrix A.
-*
-* Arguments: uint8_t *r: pointer to the output serialized public key
-* polyvec *pk: pointer to the input public-key polyvec
-* const uint8_t *seed: pointer to the input public seed
-**************************************************/
-static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES],
- polyvec *pk,
- const uint8_t seed[KYBER_SYMBYTES]) {
- size_t i;
- PQCLEAN_KYBER102490S_CLEAN_polyvec_tobytes(r, pk);
- for (i = 0; i < KYBER_SYMBYTES; i++) {
- r[i + KYBER_POLYVECBYTES] = seed[i];
- }
-}
-
-/*************************************************
-* Name: unpack_pk
-*
-* Description: De-serialize public key from a byte array;
-* approximate inverse of pack_pk
-*
-* Arguments: - polyvec *pk: pointer to output public-key polynomial vector
-* - uint8_t *seed: pointer to output seed to generate matrix A
-* - const uint8_t *packedpk: pointer to input serialized public key
-**************************************************/
-static void unpack_pk(polyvec *pk,
- uint8_t seed[KYBER_SYMBYTES],
- const uint8_t packedpk[KYBER_INDCPA_PUBLICKEYBYTES]) {
- size_t i;
- PQCLEAN_KYBER102490S_CLEAN_polyvec_frombytes(pk, packedpk);
- for (i = 0; i < KYBER_SYMBYTES; i++) {
- seed[i] = packedpk[i + KYBER_POLYVECBYTES];
- }
-}
-
-/*************************************************
-* Name: pack_sk
-*
-* Description: Serialize the secret key
-*
-* Arguments: - uint8_t *r: pointer to output serialized secret key
-* - polyvec *sk: pointer to input vector of polynomials (secret key)
-**************************************************/
-static void pack_sk(uint8_t
r[KYBER_INDCPA_SECRETKEYBYTES], polyvec *sk) {
- PQCLEAN_KYBER102490S_CLEAN_polyvec_tobytes(r, sk);
-}
-
-/*************************************************
-* Name: unpack_sk
-*
-* Description: De-serialize the secret key; inverse of pack_sk
-*
-* Arguments: - polyvec *sk: pointer to output vector of polynomials (secret key)
-* - const uint8_t *packedsk: pointer to input serialized secret key
-**************************************************/
-static void unpack_sk(polyvec *sk, const uint8_t packedsk[KYBER_INDCPA_SECRETKEYBYTES]) {
- PQCLEAN_KYBER102490S_CLEAN_polyvec_frombytes(sk, packedsk);
-}
-
-/*************************************************
-* Name: pack_ciphertext
-*
-* Description: Serialize the ciphertext as concatenation of the
-* compressed and serialized vector of polynomials b
-* and the compressed and serialized polynomial v
-*
-* Arguments: uint8_t *r: pointer to the output serialized ciphertext
-* poly *pk: pointer to the input vector of polynomials b
-* poly *v: pointer to the input polynomial v
-**************************************************/
-static void pack_ciphertext(uint8_t r[KYBER_INDCPA_BYTES], polyvec *b, poly *v) {
- PQCLEAN_KYBER102490S_CLEAN_polyvec_compress(r, b);
- PQCLEAN_KYBER102490S_CLEAN_poly_compress(r + KYBER_POLYVECCOMPRESSEDBYTES, v);
-}
-
-/*************************************************
-* Name: unpack_ciphertext
-*
-* Description: De-serialize and decompress ciphertext from a byte array;
-* approximate inverse of pack_ciphertext
-*
-* Arguments: - polyvec *b: pointer to the output vector of polynomials b
-* - poly *v: pointer to the output polynomial v
-* - const uint8_t *c: pointer to the input serialized ciphertext
-**************************************************/
-static void unpack_ciphertext(polyvec *b, poly *v, const uint8_t c[KYBER_INDCPA_BYTES]) {
- PQCLEAN_KYBER102490S_CLEAN_polyvec_decompress(b, c);
- PQCLEAN_KYBER102490S_CLEAN_poly_decompress(v, c + KYBER_POLYVECCOMPRESSEDBYTES);
-}
-
-/*************************************************
-* Name: rej_uniform
-*
-* Description: Run rejection sampling on uniform random bytes to generate
-* uniform random integers mod q
-*
-* Arguments: - int16_t *r: pointer to output buffer
-* - unsigned int len: requested number of 16-bit integers (uniform mod q)
-* - const uint8_t *buf: pointer to input buffer (assumed to be uniformly random bytes)
-* - unsigned int buflen: length of input buffer in bytes
-*
-* Returns number of sampled 16-bit integers (at most len)
-**************************************************/
-static unsigned int rej_uniform(int16_t *r,
- unsigned int len,
- const uint8_t *buf,
- unsigned int buflen) {
- unsigned int ctr, pos;
- uint16_t val0, val1;
-
- ctr = pos = 0;
- while (ctr < len && pos + 3 <= buflen) {
- val0 = ((buf[pos + 0] >> 0) | ((uint16_t)buf[pos + 1] << 8)) & 0xFFF;
- val1 = ((buf[pos + 1] >> 4) | ((uint16_t)buf[pos + 2] << 4)) & 0xFFF;
- pos += 3;
-
- if (val0 < KYBER_Q) {
- r[ctr++] = val0;
- }
- if (ctr < len && val1 < KYBER_Q) {
- r[ctr++] = val1;
- }
- }
-
- return ctr;
-}
-
-#define gen_a(A,B) PQCLEAN_KYBER102490S_CLEAN_gen_matrix(A,B,0)
-#define gen_at(A,B) PQCLEAN_KYBER102490S_CLEAN_gen_matrix(A,B,1)
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_CLEAN_gen_matrix
-*
-* Description: Deterministically generate matrix A (or the transpose of A)
-* from a seed. Entries of the matrix are polynomials that look
-* uniformly random.
Performs rejection sampling on output of
-* a XOF
-*
-* Arguments: - polyvec *a: pointer to ouptput matrix A
-* - const uint8_t *seed: pointer to input seed
-* - int transposed: boolean deciding whether A or A^T is generated
-**************************************************/
-#define GEN_MATRIX_NBLOCKS ((12*KYBER_N/8*(1 << 12)/KYBER_Q + XOF_BLOCKBYTES)/XOF_BLOCKBYTES)
-// Not static for benchmarking
-void PQCLEAN_KYBER102490S_CLEAN_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed) {
- unsigned int ctr, i, j, k;
- unsigned int buflen, off;
- uint8_t buf[GEN_MATRIX_NBLOCKS * XOF_BLOCKBYTES + 2];
- xof_state state;
-
- for (i = 0; i < KYBER_K; i++) {
- for (j = 0; j < KYBER_K; j++) {
- if (transposed) {
- xof_absorb(&state, seed, (uint8_t)i, (uint8_t)j);
- } else {
- xof_absorb(&state, seed, (uint8_t)j, (uint8_t)i);
- }
-
- xof_squeezeblocks(buf, GEN_MATRIX_NBLOCKS, &state);
- buflen = GEN_MATRIX_NBLOCKS * XOF_BLOCKBYTES;
- ctr = rej_uniform(a[i].vec[j].coeffs, KYBER_N, buf, buflen);
-
- while (ctr < KYBER_N) {
- off = buflen % 3;
- for (k = 0; k < off; k++) {
- buf[k] = buf[buflen - off + k];
- }
- xof_squeezeblocks(buf + off, 1, &state);
- buflen = off + XOF_BLOCKBYTES;
- ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf, buflen);
- }
- xof_ctx_release(&state);
- }
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_CLEAN_indcpa_keypair
-*
-* Description: Generates public and private key for the CPA-secure
-* public-key encryption scheme underlying Kyber
-*
-* Arguments: - uint8_t *pk: pointer to output public key
-* (of length KYBER_INDCPA_PUBLICKEYBYTES bytes)
-* - uint8_t *sk: pointer to output private key
- (of length KYBER_INDCPA_SECRETKEYBYTES bytes)
-**************************************************/
-void PQCLEAN_KYBER102490S_CLEAN_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
- uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) {
- unsigned int i;
- uint8_t buf[2 *
KYBER_SYMBYTES];
- const uint8_t *publicseed = buf;
- const uint8_t *noiseseed = buf + KYBER_SYMBYTES;
- uint8_t nonce = 0;
- polyvec a[KYBER_K], e, pkpv, skpv;
-
- randombytes(buf, KYBER_SYMBYTES);
- hash_g(buf, buf, KYBER_SYMBYTES);
-
- gen_a(a, publicseed);
-
- for (i = 0; i < KYBER_K; i++) {
- PQCLEAN_KYBER102490S_CLEAN_poly_getnoise_eta1(&skpv.vec[i], noiseseed, nonce++);
- }
- for (i = 0; i < KYBER_K; i++) {
- PQCLEAN_KYBER102490S_CLEAN_poly_getnoise_eta1(&e.vec[i], noiseseed, nonce++);
- }
-
- PQCLEAN_KYBER102490S_CLEAN_polyvec_ntt(&skpv);
- PQCLEAN_KYBER102490S_CLEAN_polyvec_ntt(&e);
-
- // matrix-vector multiplication
- for (i = 0; i < KYBER_K; i++) {
- PQCLEAN_KYBER102490S_CLEAN_polyvec_basemul_acc_montgomery(&pkpv.vec[i], &a[i], &skpv);
- PQCLEAN_KYBER102490S_CLEAN_poly_tomont(&pkpv.vec[i]);
- }
-
- PQCLEAN_KYBER102490S_CLEAN_polyvec_add(&pkpv, &pkpv, &e);
- PQCLEAN_KYBER102490S_CLEAN_polyvec_reduce(&pkpv);
-
- pack_sk(sk, &skpv);
- pack_pk(pk, &pkpv, publicseed);
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_CLEAN_indcpa_enc
-*
-* Description: Encryption function of the CPA-secure
-* public-key encryption scheme underlying Kyber.
-*
-* Arguments: - uint8_t *c: pointer to output ciphertext
-* (of length KYBER_INDCPA_BYTES bytes)
-* - const uint8_t *m: pointer to input message
-* (of length KYBER_INDCPA_MSGBYTES bytes)
-* - const uint8_t *pk: pointer to input public key
-* (of length KYBER_INDCPA_PUBLICKEYBYTES)
-* - const uint8_t *coins: pointer to input random coins used as seed
-* (of length KYBER_SYMBYTES) to deterministically
-* generate all randomness
-**************************************************/
-void PQCLEAN_KYBER102490S_CLEAN_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
- const uint8_t m[KYBER_INDCPA_MSGBYTES],
- const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
- const uint8_t coins[KYBER_SYMBYTES]) {
- unsigned int i;
- uint8_t seed[KYBER_SYMBYTES];
- uint8_t nonce = 0;
- polyvec sp, pkpv, ep, at[KYBER_K], b;
- poly v, k, epp;
-
- unpack_pk(&pkpv, seed, pk);
- PQCLEAN_KYBER102490S_CLEAN_poly_frommsg(&k, m);
- gen_at(at, seed);
-
- for (i = 0; i < KYBER_K; i++) {
- PQCLEAN_KYBER102490S_CLEAN_poly_getnoise_eta1(sp.vec + i, coins, nonce++);
- }
- for (i = 0; i < KYBER_K; i++) {
- PQCLEAN_KYBER102490S_CLEAN_poly_getnoise_eta2(ep.vec + i, coins, nonce++);
- }
- PQCLEAN_KYBER102490S_CLEAN_poly_getnoise_eta2(&epp, coins, nonce++);
-
- PQCLEAN_KYBER102490S_CLEAN_polyvec_ntt(&sp);
-
- // matrix-vector multiplication
- for (i = 0; i < KYBER_K; i++) {
- PQCLEAN_KYBER102490S_CLEAN_polyvec_basemul_acc_montgomery(&b.vec[i], &at[i], &sp);
- }
-
- PQCLEAN_KYBER102490S_CLEAN_polyvec_basemul_acc_montgomery(&v, &pkpv, &sp);
-
- PQCLEAN_KYBER102490S_CLEAN_polyvec_invntt_tomont(&b);
- PQCLEAN_KYBER102490S_CLEAN_poly_invntt_tomont(&v);
-
- PQCLEAN_KYBER102490S_CLEAN_polyvec_add(&b, &b, &ep);
- PQCLEAN_KYBER102490S_CLEAN_poly_add(&v, &v, &epp);
- PQCLEAN_KYBER102490S_CLEAN_poly_add(&v, &v, &k);
- PQCLEAN_KYBER102490S_CLEAN_polyvec_reduce(&b);
- PQCLEAN_KYBER102490S_CLEAN_poly_reduce(&v);
-
- pack_ciphertext(c, &b, &v);
-}
-
-/*************************************************
-* Name:
PQCLEAN_KYBER102490S_CLEAN_indcpa_dec
-*
-* Description: Decryption function of the CPA-secure
-* public-key encryption scheme underlying Kyber.
-*
-* Arguments: - uint8_t *m: pointer to output decrypted message
-* (of length KYBER_INDCPA_MSGBYTES)
-* - const uint8_t *c: pointer to input ciphertext
-* (of length KYBER_INDCPA_BYTES)
-* - const uint8_t *sk: pointer to input secret key
-* (of length KYBER_INDCPA_SECRETKEYBYTES)
-**************************************************/
-void PQCLEAN_KYBER102490S_CLEAN_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES],
- const uint8_t c[KYBER_INDCPA_BYTES],
- const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) {
- polyvec b, skpv;
- poly v, mp;
-
- unpack_ciphertext(&b, &v, c);
- unpack_sk(&skpv, sk);
-
- PQCLEAN_KYBER102490S_CLEAN_polyvec_ntt(&b);
- PQCLEAN_KYBER102490S_CLEAN_polyvec_basemul_acc_montgomery(&mp, &skpv, &b);
- PQCLEAN_KYBER102490S_CLEAN_poly_invntt_tomont(&mp);
-
- PQCLEAN_KYBER102490S_CLEAN_poly_sub(&mp, &v, &mp);
- PQCLEAN_KYBER102490S_CLEAN_poly_reduce(&mp);
-
- PQCLEAN_KYBER102490S_CLEAN_poly_tomsg(m, &mp);
-}
diff --git a/crypto_kem/kyber1024-90s/clean/indcpa.h b/crypto_kem/kyber1024-90s/clean/indcpa.h
deleted file mode 100644
index 1ecd5131..00000000
--- a/crypto_kem/kyber1024-90s/clean/indcpa.h
+++ /dev/null
@@ -1,20 +0,0 @@
-#ifndef PQCLEAN_KYBER102490S_CLEAN_INDCPA_H
-#define PQCLEAN_KYBER102490S_CLEAN_INDCPA_H
-#include "params.h"
-#include "polyvec.h"
-#include
-
-void PQCLEAN_KYBER102490S_CLEAN_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed);
-void PQCLEAN_KYBER102490S_CLEAN_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
- uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]);
-
-void PQCLEAN_KYBER102490S_CLEAN_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
- const uint8_t m[KYBER_INDCPA_MSGBYTES],
- const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
- const uint8_t coins[KYBER_SYMBYTES]);
-
-void PQCLEAN_KYBER102490S_CLEAN_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES],
- const uint8_t c[KYBER_INDCPA_BYTES],
- const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]);
-
-#endif
diff --git a/crypto_kem/kyber1024-90s/clean/kem.c b/crypto_kem/kyber1024-90s/clean/kem.c
deleted file mode 100644
index 693111d2..00000000
--- a/crypto_kem/kyber1024-90s/clean/kem.c
+++ /dev/null
@@ -1,126 +0,0 @@
-#include "indcpa.h"
-#include "kem.h"
-#include "params.h"
-#include "randombytes.h"
-#include "symmetric.h"
-#include "verify.h"
-#include
-#include
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_CLEAN_crypto_kem_keypair
-*
-* Description: Generates public and private key
-* for CCA-secure Kyber key encapsulation mechanism
-*
-* Arguments: - unsigned char *pk: pointer to output public key
-* (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
-* - unsigned char *sk: pointer to output private key
-* (an already allocated array of KYBER_SECRETKEYBYTES bytes)
-*
-* Returns 0 (success)
-**************************************************/
-int PQCLEAN_KYBER102490S_CLEAN_crypto_kem_keypair(unsigned char pk[KYBER_PUBLICKEYBYTES],
- unsigned char sk[KYBER_SECRETKEYBYTES]) {
- size_t i;
- PQCLEAN_KYBER102490S_CLEAN_indcpa_keypair(pk, sk);
- for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) {
- sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i];
- }
- hash_h(sk + KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
- /* Value z for pseudo-random output on reject */
- randombytes(sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES);
- return 0;
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_CLEAN_crypto_kem_enc
-*
-* Description: Generates cipher text and shared
-* secret for given public key
-*
-* Arguments: - unsigned char *ct: pointer to output cipher text
-* (an already allocated array of KYBER_CIPHERTEXTBYTES bytes)
-* - unsigned char *ss: pointer to output shared secret
-* (an already allocated array of KYBER_SSBYTES bytes)
-* - const unsigned char *pk: pointer to input public key
-* (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
-*
-* Returns 0 (success)
-**************************************************/
-int PQCLEAN_KYBER102490S_CLEAN_crypto_kem_enc(unsigned char ct[KYBER_CIPHERTEXTBYTES],
- unsigned char ss[KYBER_SSBYTES],
- const
unsigned char pk[KYBER_PUBLICKEYBYTES]) {
- uint8_t buf[2 * KYBER_SYMBYTES];
- /* Will contain key, coins */
- uint8_t kr[2 * KYBER_SYMBYTES];
-
- randombytes(buf, KYBER_SYMBYTES);
- /* Don't release system RNG output */
- hash_h(buf, buf, KYBER_SYMBYTES);
-
- /* Multitarget countermeasure for coins + contributory KEM */
- hash_h(buf + KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
- hash_g(kr, buf, 2 * KYBER_SYMBYTES);
-
- /* coins are in kr+KYBER_SYMBYTES */
- PQCLEAN_KYBER102490S_CLEAN_indcpa_enc(ct, buf, pk, kr + KYBER_SYMBYTES);
-
- /* overwrite coins in kr with H(c) */
- hash_h(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES);
- /* hash concatenation of pre-k and H(c) to k */
- kdf(ss, kr, 2 * KYBER_SYMBYTES);
- return 0;
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_CLEAN_crypto_kem_dec
-*
-* Description: Generates shared secret for given
-* cipher text and private key
-*
-* Arguments: - unsigned char *ss: pointer to output shared secret
-* (an already allocated array of KYBER_SSBYTES bytes)
-* - const unsigned char *ct: pointer to input cipher text
-* (an already allocated array of KYBER_CIPHERTEXTBYTES bytes)
-* - const unsigned char *sk: pointer to input private key
-* (an already allocated array of KYBER_SECRETKEYBYTES bytes)
-*
-* Returns 0.
-*
-* On failure, ss will contain a pseudo-random value.
-**************************************************/
-int PQCLEAN_KYBER102490S_CLEAN_crypto_kem_dec(unsigned char ss[KYBER_SSBYTES],
- const unsigned char ct[KYBER_CIPHERTEXTBYTES],
- const unsigned char sk[KYBER_SECRETKEYBYTES]) {
- size_t i;
- int fail;
- uint8_t buf[2 * KYBER_SYMBYTES];
- /* Will contain key, coins */
- uint8_t kr[2 * KYBER_SYMBYTES];
- uint8_t cmp[KYBER_CIPHERTEXTBYTES];
- const uint8_t *pk = sk + KYBER_INDCPA_SECRETKEYBYTES;
-
- PQCLEAN_KYBER102490S_CLEAN_indcpa_dec(buf, ct, sk);
-
- /* Multitarget countermeasure for coins + contributory KEM */
- for (i = 0; i < KYBER_SYMBYTES; i++) {
- buf[KYBER_SYMBYTES + i] = sk[KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES + i];
- }
- hash_g(kr, buf, 2 * KYBER_SYMBYTES);
-
- /* coins are in kr+KYBER_SYMBYTES */
- PQCLEAN_KYBER102490S_CLEAN_indcpa_enc(cmp, buf, pk, kr + KYBER_SYMBYTES);
-
- fail = PQCLEAN_KYBER102490S_CLEAN_verify(ct, cmp, KYBER_CIPHERTEXTBYTES);
-
- /* overwrite coins in kr with H(c) */
- hash_h(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES);
-
- /* Overwrite pre-k with z on re-encryption failure */
- PQCLEAN_KYBER102490S_CLEAN_cmov(kr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, (uint8_t)fail);
-
- /* hash concatenation of pre-k and H(c) to k */
- kdf(ss, kr, 2 * KYBER_SYMBYTES);
- return 0;
-}
diff --git a/crypto_kem/kyber1024-90s/clean/kem.h b/crypto_kem/kyber1024-90s/clean/kem.h
deleted file mode 100644
index 6e554661..00000000
--- a/crypto_kem/kyber1024-90s/clean/kem.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef PQCLEAN_KYBER102490S_CLEAN_KEM_H
-#define PQCLEAN_KYBER102490S_CLEAN_KEM_H
-#include "params.h"
-
-
-int PQCLEAN_KYBER102490S_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk);
-
-int PQCLEAN_KYBER102490S_CLEAN_crypto_kem_enc(unsigned char *ct,
- unsigned char *ss,
- const unsigned char *pk);
-
-int PQCLEAN_KYBER102490S_CLEAN_crypto_kem_dec(unsigned char *ss,
- const unsigned char *ct,
- const unsigned char *sk);
-
-#endif
diff --git a/crypto_kem/kyber1024-90s/clean/ntt.c b/crypto_kem/kyber1024-90s/clean/ntt.c
deleted file mode 100644
index f841f1ad..00000000
--- a/crypto_kem/kyber1024-90s/clean/ntt.c
+++ /dev/null
@@ -1,146 +0,0 @@ -#include "ntt.h" -#include "params.h" -#include "reduce.h" -#include - -/* Code to generate PQCLEAN_KYBER102490S_CLEAN_zetas and zetas_inv used in the number-theoretic transform: - -#define KYBER_ROOT_OF_UNITY 17 - -static const uint8_t tree[128] = { - 0, 64, 32, 96, 16, 80, 48, 112, 8, 72, 40, 104, 24, 88, 56, 120, - 4, 68, 36, 100, 20, 84, 52, 116, 12, 76, 44, 108, 28, 92, 60, 124, - 2, 66, 34, 98, 18, 82, 50, 114, 10, 74, 42, 106, 26, 90, 58, 122, - 6, 70, 38, 102, 22, 86, 54, 118, 14, 78, 46, 110, 30, 94, 62, 126, - 1, 65, 33, 97, 17, 81, 49, 113, 9, 73, 41, 105, 25, 89, 57, 121, - 5, 69, 37, 101, 21, 85, 53, 117, 13, 77, 45, 109, 29, 93, 61, 125, - 3, 67, 35, 99, 19, 83, 51, 115, 11, 75, 43, 107, 27, 91, 59, 123, - 7, 71, 39, 103, 23, 87, 55, 119, 15, 79, 47, 111, 31, 95, 63, 127 -}; - -void init_ntt() { - unsigned int i; - int16_t tmp[128]; - - tmp[0] = MONT; - for(i=1;i<128;i++) - tmp[i] = fqmul(tmp[i-1],MONT*KYBER_ROOT_OF_UNITY % KYBER_Q); - - for(i=0;i<128;i++) { - PQCLEAN_KYBER102490S_CLEAN_zetas[i] = tmp[tree[i]]; - if(PQCLEAN_KYBER102490S_CLEAN_zetas[i] > KYBER_Q/2) - PQCLEAN_KYBER102490S_CLEAN_zetas[i] -= KYBER_Q; - if(PQCLEAN_KYBER102490S_CLEAN_zetas[i] < -KYBER_Q/2) - PQCLEAN_KYBER102490S_CLEAN_zetas[i] += KYBER_Q; - } -} -*/ - -const int16_t PQCLEAN_KYBER102490S_CLEAN_zetas[128] = { - -1044, -758, -359, -1517, 1493, 1422, 287, 202, - -171, 622, 1577, 182, 962, -1202, -1474, 1468, - 573, -1325, 264, 383, -829, 1458, -1602, -130, - -681, 1017, 732, 608, -1542, 411, -205, -1571, - 1223, 652, -552, 1015, -1293, 1491, -282, -1544, - 516, -8, -320, -666, -1618, -1162, 126, 1469, - -853, -90, -271, 830, 107, -1421, -247, -951, - -398, 961, -1508, -725, 448, -1065, 677, -1275, - -1103, 430, 555, 843, -1251, 871, 1550, 105, - 422, 587, 177, -235, -291, -460, 1574, 1653, - -246, 778, 1159, -147, -777, 1483, -602, 1119, - -1590, 644, -872, 349, 418, 329, -156, -75, - 817, 1097, 603, 610, 1322, -1285, -1465, 384, - -1215, -136, 1218, -1335, 
-874, 220, -1187, -1659, - -1185, -1530, -1278, 794, -1510, -854, -870, 478, - -108, -308, 996, 991, 958, -1460, 1522, 1628 - }; - -/************************************************* -* Name: fqmul -* -* Description: Multiplication followed by Montgomery reduction -* -* Arguments: - int16_t a: first factor -* - int16_t b: second factor -* -* Returns 16-bit integer congruent to a*b*R^{-1} mod q -**************************************************/ -static int16_t fqmul(int16_t a, int16_t b) { - return PQCLEAN_KYBER102490S_CLEAN_montgomery_reduce((int32_t)a * b); -} - -/************************************************* -* Name: PQCLEAN_KYBER102490S_CLEAN_ntt -* -* Description: Inplace number-theoretic transform (NTT) in Rq. -* input is in standard order, output is in bitreversed order -* -* Arguments: - int16_t r[256]: pointer to input/output vector of elements of Zq -**************************************************/ -void PQCLEAN_KYBER102490S_CLEAN_ntt(int16_t r[256]) { - unsigned int len, start, j, k; - int16_t t, zeta; - - k = 1; - for (len = 128; len >= 2; len >>= 1) { - for (start = 0; start < 256; start = j + len) { - zeta = PQCLEAN_KYBER102490S_CLEAN_zetas[k++]; - for (j = start; j < start + len; j++) { - t = fqmul(zeta, r[j + len]); - r[j + len] = r[j] - t; - r[j] = r[j] + t; - } - } - } -} - -/************************************************* -* Name: invntt_tomont -* -* Description: Inplace inverse number-theoretic transform in Rq and -* multiplication by Montgomery factor 2^16. 
-* Input is in bitreversed order, output is in standard order -* -* Arguments: - int16_t r[256]: pointer to input/output vector of elements of Zq -**************************************************/ -void PQCLEAN_KYBER102490S_CLEAN_invntt(int16_t r[256]) { - unsigned int start, len, j, k; - int16_t t, zeta; - const int16_t f = 1441; // mont^2/128 - - k = 127; - for (len = 2; len <= 128; len <<= 1) { - for (start = 0; start < 256; start = j + len) { - zeta = PQCLEAN_KYBER102490S_CLEAN_zetas[k--]; - for (j = start; j < start + len; j++) { - t = r[j]; - r[j] = PQCLEAN_KYBER102490S_CLEAN_barrett_reduce(t + r[j + len]); - r[j + len] = r[j + len] - t; - r[j + len] = fqmul(zeta, r[j + len]); - } - } - } - - for (j = 0; j < 256; j++) { - r[j] = fqmul(r[j], f); - } -} - -/************************************************* -* Name: PQCLEAN_KYBER102490S_CLEAN_basemul -* -* Description: Multiplication of polynomials in Zq[X]/(X^2-zeta) -* used for multiplication of elements in Rq in NTT domain -* -* Arguments: - int16_t r[2]: pointer to the output polynomial -* - const int16_t a[2]: pointer to the first factor -* - const int16_t b[2]: pointer to the second factor -* - int16_t zeta: integer defining the reduction polynomial -**************************************************/ -void PQCLEAN_KYBER102490S_CLEAN_basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta) { - r[0] = fqmul(a[1], b[1]); - r[0] = fqmul(r[0], zeta); - r[0] += fqmul(a[0], b[0]); - r[1] = fqmul(a[0], b[1]); - r[1] += fqmul(a[1], b[0]); -} diff --git a/crypto_kem/kyber1024-90s/clean/ntt.h b/crypto_kem/kyber1024-90s/clean/ntt.h deleted file mode 100644 index 4acc9d65..00000000 --- a/crypto_kem/kyber1024-90s/clean/ntt.h +++ /dev/null 
@@ -1,14 +0,0 @@ -#ifndef PQCLEAN_KYBER102490S_CLEAN_NTT_H -#define PQCLEAN_KYBER102490S_CLEAN_NTT_H -#include "params.h" -#include - -extern const int16_t PQCLEAN_KYBER102490S_CLEAN_zetas[128]; - -void PQCLEAN_KYBER102490S_CLEAN_ntt(int16_t r[256]); - -void PQCLEAN_KYBER102490S_CLEAN_invntt(int16_t r[256]); - -void PQCLEAN_KYBER102490S_CLEAN_basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta); - -#endif diff --git a/crypto_kem/kyber1024-90s/clean/params.h b/crypto_kem/kyber1024-90s/clean/params.h deleted file mode 100644 index 3de69171..00000000 --- a/crypto_kem/kyber1024-90s/clean/params.h +++ /dev/null @@ -1,33 +0,0 @@ -#ifndef PQCLEAN_KYBER102490S_CLEAN_PARAMS_H -#define PQCLEAN_KYBER102490S_CLEAN_PARAMS_H - - - - -#define KYBER_N 256 -#define KYBER_Q 3329 - -#define KYBER_SYMBYTES 32 /* size in bytes of hashes, and seeds */ -#define KYBER_SSBYTES 32 /* size in bytes of shared key */ - -#define KYBER_POLYBYTES 384 -#define KYBER_POLYVECBYTES (KYBER_K * KYBER_POLYBYTES) - -#define KYBER_K 4 -#define KYBER_ETA1 2 -#define KYBER_POLYCOMPRESSEDBYTES 160 -#define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 352) - -#define KYBER_ETA2 2 - -#define KYBER_INDCPA_MSGBYTES (KYBER_SYMBYTES) -#define KYBER_INDCPA_PUBLICKEYBYTES (KYBER_POLYVECBYTES + KYBER_SYMBYTES) -#define KYBER_INDCPA_SECRETKEYBYTES (KYBER_POLYVECBYTES) -#define KYBER_INDCPA_BYTES (KYBER_POLYVECCOMPRESSEDBYTES + KYBER_POLYCOMPRESSEDBYTES) - -#define KYBER_PUBLICKEYBYTES (KYBER_INDCPA_PUBLICKEYBYTES) -/* 32 bytes of additional space to save H(pk) */ -#define KYBER_SECRETKEYBYTES (KYBER_INDCPA_SECRETKEYBYTES + KYBER_INDCPA_PUBLICKEYBYTES + 2*KYBER_SYMBYTES) -#define KYBER_CIPHERTEXTBYTES (KYBER_INDCPA_BYTES) - -#endif diff --git a/crypto_kem/kyber1024-90s/clean/poly.c b/crypto_kem/kyber1024-90s/clean/poly.c deleted file mode 100644 index 36b16249..00000000 --- a/crypto_kem/kyber1024-90s/clean/poly.c +++ /dev/null 
@@ -1,300 +0,0 @@ -#include "cbd.h" -#include "ntt.h" -#include "params.h" -#include "poly.h" -#include "reduce.h" -#include "symmetric.h" -#include - -/************************************************* -* Name: PQCLEAN_KYBER102490S_CLEAN_poly_compress -* -* Description: Compression and subsequent serialization of a polynomial -* -* Arguments: - uint8_t *r: pointer to output byte array -* (of length KYBER_POLYCOMPRESSEDBYTES) -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_KYBER102490S_CLEAN_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const poly *a) { - size_t i, j; - int16_t u; - uint8_t t[8]; - - for (i = 0; i < KYBER_N / 8; i++) { - for (j = 0; j < 8; j++) { - // map to positive standard representatives - u = a->coeffs[8 * i + j]; - u += (u >> 15) & KYBER_Q; - t[j] = ((((uint32_t)u << 5) + KYBER_Q / 2) / KYBER_Q) & 31; - } - - r[0] = (t[0] >> 0) | (t[1] << 5); - r[1] = (t[1] >> 3) | (t[2] << 2) | (t[3] << 7); - r[2] = (t[3] >> 1) | (t[4] << 4); - r[3] = (t[4] >> 4) | (t[5] << 1) | (t[6] << 6); - r[4] = (t[6] >> 2) | (t[7] << 3); - r += 5; - } -} - -/************************************************* -* Name: PQCLEAN_KYBER102490S_CLEAN_poly_decompress -* -* Description: De-serialization and subsequent decompression of a polynomial; -* approximate inverse of PQCLEAN_KYBER102490S_CLEAN_poly_compress -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: pointer to input byte array -* (of length KYBER_POLYCOMPRESSEDBYTES bytes) -**************************************************/ -void PQCLEAN_KYBER102490S_CLEAN_poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]) { - size_t i; - - size_t j; - uint8_t t[8]; - for (i = 0; i < KYBER_N / 8; i++) { - t[0] = (a[0] >> 0); - t[1] = (a[0] >> 5) | (a[1] << 3); - t[2] = (a[1] >> 2); - t[3] = (a[1] >> 7) | (a[2] << 1); - t[4] = (a[2] >> 4) | (a[3] << 4); - t[5] = (a[3] >> 1); - t[6] = (a[3] >> 6) | (a[4] << 2); - 
t[7] = (a[4] >> 3); - a += 5; - - for (j = 0; j < 8; j++) { - r->coeffs[8 * i + j] = ((uint32_t)(t[j] & 31) * KYBER_Q + 16) >> 5; - } - } -} - -/************************************************* -* Name: PQCLEAN_KYBER102490S_CLEAN_poly_tobytes -* -* Description: Serialization of a polynomial -* -* Arguments: - uint8_t *r: pointer to output byte array -* (needs space for KYBER_POLYBYTES bytes) -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_KYBER102490S_CLEAN_poly_tobytes(uint8_t r[KYBER_POLYBYTES], const poly *a) { - size_t i; - uint16_t t0, t1; - - for (i = 0; i < KYBER_N / 2; i++) { - // map to positive standard representatives - t0 = a->coeffs[2 * i]; - t0 += ((int16_t)t0 >> 15) & KYBER_Q; - t1 = a->coeffs[2 * i + 1]; - t1 += ((int16_t)t1 >> 15) & KYBER_Q; - r[3 * i + 0] = (uint8_t)(t0 >> 0); - r[3 * i + 1] = (uint8_t)((t0 >> 8) | (t1 << 4)); - r[3 * i + 2] = (uint8_t)(t1 >> 4); - } -} - -/************************************************* -* Name: PQCLEAN_KYBER102490S_CLEAN_poly_frombytes -* -* Description: De-serialization of a polynomial; -* inverse of PQCLEAN_KYBER102490S_CLEAN_poly_tobytes -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: pointer to input byte array -* (of KYBER_POLYBYTES bytes) -**************************************************/ -void PQCLEAN_KYBER102490S_CLEAN_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]) { - size_t i; - for (i = 0; i < KYBER_N / 2; i++) { - r->coeffs[2 * i] = ((a[3 * i + 0] >> 0) | ((uint16_t)a[3 * i + 1] << 8)) & 0xFFF; - r->coeffs[2 * i + 1] = ((a[3 * i + 1] >> 4) | ((uint16_t)a[3 * i + 2] << 4)) & 0xFFF; - } -} - -/************************************************* -* Name: PQCLEAN_KYBER102490S_CLEAN_poly_frommsg -* -* Description: Convert 32-byte message to polynomial -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *msg: pointer to input message 
-**************************************************/ -void PQCLEAN_KYBER102490S_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]) { - size_t i, j; - int16_t mask; - - for (i = 0; i < KYBER_N / 8; i++) { - for (j = 0; j < 8; j++) { - mask = -(int16_t)((msg[i] >> j) & 1); - r->coeffs[8 * i + j] = mask & ((KYBER_Q + 1) / 2); - } - } -} - -/************************************************* -* Name: PQCLEAN_KYBER102490S_CLEAN_poly_tomsg -* -* Description: Convert polynomial to 32-byte message -* -* Arguments: - uint8_t *msg: pointer to output message -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_KYBER102490S_CLEAN_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly *a) { - size_t i, j; - uint16_t t; - - for (i = 0; i < KYBER_N / 8; i++) { - msg[i] = 0; - for (j = 0; j < 8; j++) { - t = a->coeffs[8 * i + j]; - t += ((int16_t)t >> 15) & KYBER_Q; - t = (((t << 1) + KYBER_Q / 2) / KYBER_Q) & 1; - msg[i] |= t << j; - } - } -} - -/************************************************* -* Name: PQCLEAN_KYBER102490S_CLEAN_poly_getnoise_eta1 -* -* Description: Sample a polynomial deterministically from a seed and a nonce, -* with output polynomial close to centered binomial distribution -* with parameter KYBER_ETA1 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *seed: pointer to input seed -* (of length KYBER_SYMBYTES bytes) -* - uint8_t nonce: one-byte input nonce -**************************************************/ -void PQCLEAN_KYBER102490S_CLEAN_poly_getnoise_eta1(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce) { - uint8_t buf[KYBER_ETA1 * KYBER_N / 4]; - prf(buf, sizeof(buf), seed, nonce); - PQCLEAN_KYBER102490S_CLEAN_poly_cbd_eta1(r, buf); -} - -/************************************************* -* Name: PQCLEAN_KYBER102490S_CLEAN_poly_getnoise_eta2 -* -* Description: Sample a polynomial deterministically from a seed and a nonce, -* with output 
polynomial close to centered binomial distribution -* with parameter KYBER_ETA2 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *seed: pointer to input seed -* (of length KYBER_SYMBYTES bytes) -* - uint8_t nonce: one-byte input nonce -**************************************************/ -void PQCLEAN_KYBER102490S_CLEAN_poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce) { - uint8_t buf[KYBER_ETA2 * KYBER_N / 4]; - prf(buf, sizeof(buf), seed, nonce); - PQCLEAN_KYBER102490S_CLEAN_poly_cbd_eta2(r, buf); -} - - -/************************************************* -* Name: PQCLEAN_KYBER102490S_CLEAN_poly_ntt -* -* Description: Computes negacyclic number-theoretic transform (NTT) of -* a polynomial in place; -* inputs assumed to be in normal order, output in bitreversed order -* -* Arguments: - uint16_t *r: pointer to in/output polynomial -**************************************************/ -void PQCLEAN_KYBER102490S_CLEAN_poly_ntt(poly *r) { - PQCLEAN_KYBER102490S_CLEAN_ntt(r->coeffs); - PQCLEAN_KYBER102490S_CLEAN_poly_reduce(r); -} - -/************************************************* -* Name: PQCLEAN_KYBER102490S_CLEAN_poly_invntt_tomont -* -* Description: Computes inverse of negacyclic number-theoretic transform (NTT) -* of a polynomial in place; -* inputs assumed to be in bitreversed order, output in normal order -* -* Arguments: - uint16_t *a: pointer to in/output polynomial -**************************************************/ -void PQCLEAN_KYBER102490S_CLEAN_poly_invntt_tomont(poly *r) { - PQCLEAN_KYBER102490S_CLEAN_invntt(r->coeffs); -} - -/************************************************* -* Name: PQCLEAN_KYBER102490S_CLEAN_poly_basemul_montgomery -* -* Description: Multiplication of two polynomials in NTT domain -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial 
-**************************************************/ -void PQCLEAN_KYBER102490S_CLEAN_poly_basemul_montgomery(poly *r, const poly *a, const poly *b) { - size_t i; - for (i = 0; i < KYBER_N / 4; i++) { - PQCLEAN_KYBER102490S_CLEAN_basemul(&r->coeffs[4 * i], &a->coeffs[4 * i], &b->coeffs[4 * i], PQCLEAN_KYBER102490S_CLEAN_zetas[64 + i]); - PQCLEAN_KYBER102490S_CLEAN_basemul(&r->coeffs[4 * i + 2], &a->coeffs[4 * i + 2], &b->coeffs[4 * i + 2], -PQCLEAN_KYBER102490S_CLEAN_zetas[64 + i]); - } -} - -/************************************************* -* Name: PQCLEAN_KYBER102490S_CLEAN_poly_tomont -* -* Description: Inplace conversion of all coefficients of a polynomial -* from normal domain to Montgomery domain -* -* Arguments: - poly *r: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_KYBER102490S_CLEAN_poly_tomont(poly *r) { - size_t i; - const int16_t f = (1ULL << 32) % KYBER_Q; - for (i = 0; i < KYBER_N; i++) { - r->coeffs[i] = PQCLEAN_KYBER102490S_CLEAN_montgomery_reduce((int32_t)r->coeffs[i] * f); - } -} - -/************************************************* -* Name: PQCLEAN_KYBER102490S_CLEAN_poly_reduce -* -* Description: Applies Barrett reduction to all coefficients of a polynomial -* for details of the Barrett reduction see comments in reduce.c -* -* Arguments: - poly *r: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_KYBER102490S_CLEAN_poly_reduce(poly *r) { - size_t i; - for (i = 0; i < KYBER_N; i++) { - r->coeffs[i] = PQCLEAN_KYBER102490S_CLEAN_barrett_reduce(r->coeffs[i]); - } -} - -/************************************************* -* Name: PQCLEAN_KYBER102490S_CLEAN_poly_add -* -* Description: Add two polynomials; no modular reduction is performed -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial 
-**************************************************/ -void PQCLEAN_KYBER102490S_CLEAN_poly_add(poly *r, const poly *a, const poly *b) { - size_t i; - for (i = 0; i < KYBER_N; i++) { - r->coeffs[i] = a->coeffs[i] + b->coeffs[i]; - } -} - -/************************************************* -* Name: PQCLEAN_KYBER102490S_CLEAN_poly_sub -* -* Description: Subtract two polynomials; no modular reduction is performed -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void PQCLEAN_KYBER102490S_CLEAN_poly_sub(poly *r, const poly *a, const poly *b) { - size_t i; - for (i = 0; i < KYBER_N; i++) { - r->coeffs[i] = a->coeffs[i] - b->coeffs[i]; - } -} diff --git a/crypto_kem/kyber1024-90s/clean/poly.h b/crypto_kem/kyber1024-90s/clean/poly.h deleted file mode 100644 index aea1b57a..00000000 --- a/crypto_kem/kyber1024-90s/clean/poly.h +++ /dev/null 
@@ -1,37 +0,0 @@ -#ifndef PQCLEAN_KYBER102490S_CLEAN_POLY_H -#define PQCLEAN_KYBER102490S_CLEAN_POLY_H -#include "params.h" -#include - -/* - * Elements of R_q = Z_q[X]/(X^n + 1). Represents polynomial - * coeffs[0] + X*coeffs[1] + X^2*xoeffs[2] + ... + X^{n-1}*coeffs[n-1] - */ -typedef struct { - int16_t coeffs[KYBER_N]; -} poly; - -void PQCLEAN_KYBER102490S_CLEAN_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const poly *a); -void PQCLEAN_KYBER102490S_CLEAN_poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]); - -void PQCLEAN_KYBER102490S_CLEAN_poly_tobytes(uint8_t r[KYBER_POLYBYTES], const poly *a); -void PQCLEAN_KYBER102490S_CLEAN_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]); - -void PQCLEAN_KYBER102490S_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]); -void PQCLEAN_KYBER102490S_CLEAN_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly *a); - -void PQCLEAN_KYBER102490S_CLEAN_poly_getnoise_eta1(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); - -void PQCLEAN_KYBER102490S_CLEAN_poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); - -void PQCLEAN_KYBER102490S_CLEAN_poly_ntt(poly *r); -void PQCLEAN_KYBER102490S_CLEAN_poly_invntt_tomont(poly *r); -void PQCLEAN_KYBER102490S_CLEAN_poly_basemul_montgomery(poly *r, const poly *a, const poly *b); -void PQCLEAN_KYBER102490S_CLEAN_poly_tomont(poly *r); - -void PQCLEAN_KYBER102490S_CLEAN_poly_reduce(poly *r); - -void PQCLEAN_KYBER102490S_CLEAN_poly_add(poly *r, const poly *a, const poly *b); -void PQCLEAN_KYBER102490S_CLEAN_poly_sub(poly *r, const poly *a, const poly *b); - -#endif diff --git a/crypto_kem/kyber1024-90s/clean/polyvec.c b/crypto_kem/kyber1024-90s/clean/polyvec.c deleted file mode 100644 index c1589d39..00000000 --- a/crypto_kem/kyber1024-90s/clean/polyvec.c +++ /dev/null 
@@ -1,191 +0,0 @@ -#include "params.h" -#include "poly.h" -#include "polyvec.h" -#include - -/************************************************* -* Name: PQCLEAN_KYBER102490S_CLEAN_polyvec_compress -* -* Description: Compress and serialize vector of polynomials -* -* Arguments: - uint8_t *r: pointer to output byte array -* (needs space for KYBER_POLYVECCOMPRESSEDBYTES) -* - const polyvec *a: pointer to input vector of polynomials -**************************************************/ -void PQCLEAN_KYBER102490S_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], const polyvec *a) { - unsigned int i, j, k; - - uint16_t t[8]; - for (i = 0; i < KYBER_K; i++) { - for (j = 0; j < KYBER_N / 8; j++) { - for (k = 0; k < 8; k++) { - t[k] = a->vec[i].coeffs[8 * j + k]; - t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; - t[k] = ((((uint32_t)t[k] << 11) + KYBER_Q / 2) / KYBER_Q) & 0x7ff; - } - - r[ 0] = (uint8_t)(t[0] >> 0); - r[ 1] = (uint8_t)((t[0] >> 8) | (t[1] << 3)); - r[ 2] = (uint8_t)((t[1] >> 5) | (t[2] << 6)); - r[ 3] = (uint8_t)(t[2] >> 2); - r[ 4] = (uint8_t)((t[2] >> 10) | (t[3] << 1)); - r[ 5] = (uint8_t)((t[3] >> 7) | (t[4] << 4)); - r[ 6] = (uint8_t)((t[4] >> 4) | (t[5] << 7)); - r[ 7] = (uint8_t)(t[5] >> 1); - r[ 8] = (uint8_t)((t[5] >> 9) | (t[6] << 2)); - r[ 9] = (uint8_t)((t[6] >> 6) | (t[7] << 5)); - r[10] = (uint8_t)(t[7] >> 3); - r += 11; - } - } -} - -/************************************************* -* Name: PQCLEAN_KYBER102490S_CLEAN_polyvec_decompress -* -* Description: De-serialize and decompress vector of polynomials; -* approximate inverse of PQCLEAN_KYBER102490S_CLEAN_polyvec_compress -* -* Arguments: - polyvec *r: pointer to output vector of polynomials -* - const uint8_t *a: pointer to input byte array -* (of length KYBER_POLYVECCOMPRESSEDBYTES) -**************************************************/ -void PQCLEAN_KYBER102490S_CLEAN_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]) { - unsigned int i, j, k; - - 
uint16_t t[8]; - for (i = 0; i < KYBER_K; i++) { - for (j = 0; j < KYBER_N / 8; j++) { - t[0] = (a[0] >> 0) | ((uint16_t)a[ 1] << 8); - t[1] = (a[1] >> 3) | ((uint16_t)a[ 2] << 5); - t[2] = (a[2] >> 6) | ((uint16_t)a[ 3] << 2) | ((uint16_t)a[4] << 10); - t[3] = (a[4] >> 1) | ((uint16_t)a[ 5] << 7); - t[4] = (a[5] >> 4) | ((uint16_t)a[ 6] << 4); - t[5] = (a[6] >> 7) | ((uint16_t)a[ 7] << 1) | ((uint16_t)a[8] << 9); - t[6] = (a[8] >> 2) | ((uint16_t)a[ 9] << 6); - t[7] = (a[9] >> 5) | ((uint16_t)a[10] << 3); - a += 11; - - for (k = 0; k < 8; k++) { - r->vec[i].coeffs[8 * j + k] = ((uint32_t)(t[k] & 0x7FF) * KYBER_Q + 1024) >> 11; - } - } - } -} - -/************************************************* -* Name: PQCLEAN_KYBER102490S_CLEAN_polyvec_tobytes -* -* Description: Serialize vector of polynomials -* -* Arguments: - uint8_t *r: pointer to output byte array -* (needs space for KYBER_POLYVECBYTES) -* - const polyvec *a: pointer to input vector of polynomials -**************************************************/ -void PQCLEAN_KYBER102490S_CLEAN_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], const polyvec *a) { - unsigned int i; - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER102490S_CLEAN_poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_KYBER102490S_CLEAN_polyvec_frombytes -* -* Description: De-serialize vector of polynomials; -* inverse of PQCLEAN_KYBER102490S_CLEAN_polyvec_tobytes -* -* Arguments: - uint8_t *r: pointer to output byte array -* - const polyvec *a: pointer to input vector of polynomials -* (of length KYBER_POLYVECBYTES) -**************************************************/ -void PQCLEAN_KYBER102490S_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]) { - unsigned int i; - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER102490S_CLEAN_poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES); - } -} - -/************************************************* -* Name: 
PQCLEAN_KYBER102490S_CLEAN_polyvec_ntt -* -* Description: Apply forward NTT to all elements of a vector of polynomials -* -* Arguments: - polyvec *r: pointer to in/output vector of polynomials -**************************************************/ -void PQCLEAN_KYBER102490S_CLEAN_polyvec_ntt(polyvec *r) { - unsigned int i; - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER102490S_CLEAN_poly_ntt(&r->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_KYBER102490S_CLEAN_polyvec_invntt_tomont -* -* Description: Apply inverse NTT to all elements of a vector of polynomials -* and multiply by Montgomery factor 2^16 -* -* Arguments: - polyvec *r: pointer to in/output vector of polynomials -**************************************************/ -void PQCLEAN_KYBER102490S_CLEAN_polyvec_invntt_tomont(polyvec *r) { - unsigned int i; - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER102490S_CLEAN_poly_invntt_tomont(&r->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_KYBER102490S_CLEAN_polyvec_basemul_acc_montgomery -* -* Description: Multiply elements of a and b in NTT domain, accumulate into r, -* and multiply by 2^-16. 
-* -* Arguments: - poly *r: pointer to output polynomial -* - const polyvec *a: pointer to first input vector of polynomials -* - const polyvec *b: pointer to second input vector of polynomials -**************************************************/ -void PQCLEAN_KYBER102490S_CLEAN_polyvec_basemul_acc_montgomery(poly *r, const polyvec *a, const polyvec *b) { - unsigned int i; - poly t; - - PQCLEAN_KYBER102490S_CLEAN_poly_basemul_montgomery(r, &a->vec[0], &b->vec[0]); - for (i = 1; i < KYBER_K; i++) { - PQCLEAN_KYBER102490S_CLEAN_poly_basemul_montgomery(&t, &a->vec[i], &b->vec[i]); - PQCLEAN_KYBER102490S_CLEAN_poly_add(r, r, &t); - } - - PQCLEAN_KYBER102490S_CLEAN_poly_reduce(r); -} - -/************************************************* -* Name: PQCLEAN_KYBER102490S_CLEAN_polyvec_reduce -* -* Description: Applies Barrett reduction to each coefficient -* of each element of a vector of polynomials; -* for details of the Barrett reduction see comments in reduce.c -* -* Arguments: - polyvec *r: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_KYBER102490S_CLEAN_polyvec_reduce(polyvec *r) { - unsigned int i; - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER102490S_CLEAN_poly_reduce(&r->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_KYBER102490S_CLEAN_polyvec_add -* -* Description: Add vectors of polynomials -* -* Arguments: - polyvec *r: pointer to output vector of polynomials -* - const polyvec *a: pointer to first input vector of polynomials -* - const polyvec *b: pointer to second input vector of polynomials -**************************************************/ -void PQCLEAN_KYBER102490S_CLEAN_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) { - unsigned int i; - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER102490S_CLEAN_poly_add(&r->vec[i], &a->vec[i], &b->vec[i]); - } -} 
diff --git a/crypto_kem/kyber1024-90s/clean/polyvec.h b/crypto_kem/kyber1024-90s/clean/polyvec.h deleted file mode 100644 index aaccd7f7..00000000 --- a/crypto_kem/kyber1024-90s/clean/polyvec.h +++ /dev/null @@ -1,26 +0,0 @@ -#ifndef PQCLEAN_KYBER102490S_CLEAN_POLYVEC_H -#define PQCLEAN_KYBER102490S_CLEAN_POLYVEC_H -#include "params.h" -#include "poly.h" -#include - -typedef struct { - poly vec[KYBER_K]; -} polyvec; - -void PQCLEAN_KYBER102490S_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], const polyvec *a); -void PQCLEAN_KYBER102490S_CLEAN_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]); - -void PQCLEAN_KYBER102490S_CLEAN_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], const polyvec *a); -void PQCLEAN_KYBER102490S_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]); - -void PQCLEAN_KYBER102490S_CLEAN_polyvec_ntt(polyvec *r); -void PQCLEAN_KYBER102490S_CLEAN_polyvec_invntt_tomont(polyvec *r); - -void PQCLEAN_KYBER102490S_CLEAN_polyvec_basemul_acc_montgomery(poly *r, const polyvec *a, const polyvec *b); - -void PQCLEAN_KYBER102490S_CLEAN_polyvec_reduce(polyvec *r); - -void PQCLEAN_KYBER102490S_CLEAN_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b); - -#endif diff --git a/crypto_kem/kyber1024-90s/clean/reduce.c b/crypto_kem/kyber1024-90s/clean/reduce.c deleted file mode 100644 index 42211d90..00000000 --- a/crypto_kem/kyber1024-90s/clean/reduce.c +++ /dev/null 
@@ -1,44 +0,0 @@ -#include "params.h" -#include "reduce.h" -#include - -/************************************************* -* Name: PQCLEAN_KYBER102490S_CLEAN_montgomery_reduce -* -* Description: Montgomery reduction; given a 32-bit integer a, computes -* 16-bit integer congruent to a * R^-1 mod q, where R=2^16 -* -* Arguments: - int32_t a: input integer to be reduced; -* has to be in {-q2^15,...,q2^15-1} -* -* Returns: integer in {-q+1,...,q-1} congruent to a * R^-1 modulo q. -**************************************************/ -int16_t PQCLEAN_KYBER102490S_CLEAN_montgomery_reduce(int32_t a) { - int32_t t; - int16_t u; - - u = (int16_t)(a * (int64_t)QINV); - t = (int32_t)u * KYBER_Q; - t = a - t; - t >>= 16; - return (int16_t)t; -} - -/************************************************* -* Name: PQCLEAN_KYBER102490S_CLEAN_barrett_reduce -* -* Description: Barrett reduction; given a 16-bit integer a, computes -* centered representative congruent to a mod q in {-(q-1)/2,...,(q-1)/2} -* -* Arguments: - int16_t a: input integer to be reduced -* -* Returns: integer in {-(q-1)/2,...,(q-1)/2} congruent to a modulo q. -**************************************************/ -int16_t PQCLEAN_KYBER102490S_CLEAN_barrett_reduce(int16_t a) { - int16_t t; - const int16_t v = ((1U << 26) + KYBER_Q / 2) / KYBER_Q; - - t = ((int32_t)v * a + (1 << 25)) >> 26; - t *= KYBER_Q; - return a - t; -} diff --git a/crypto_kem/kyber1024-90s/clean/reduce.h b/crypto_kem/kyber1024-90s/clean/reduce.h deleted file mode 100644 index f17c04aa..00000000 --- a/crypto_kem/kyber1024-90s/clean/reduce.h +++ /dev/null @@ -1,13 +0,0 @@ -#ifndef PQCLEAN_KYBER102490S_CLEAN_REDUCE_H -#define PQCLEAN_KYBER102490S_CLEAN_REDUCE_H -#include "params.h" -#include - -#define MONT 2285 // 2^16 mod q -#define QINV 62209 // q^-1 mod 2^16 - -int16_t PQCLEAN_KYBER102490S_CLEAN_montgomery_reduce(int32_t a); - -int16_t PQCLEAN_KYBER102490S_CLEAN_barrett_reduce(int16_t a); - -#endif 
diff --git a/crypto_kem/kyber1024-90s/clean/symmetric-aes.c b/crypto_kem/kyber1024-90s/clean/symmetric-aes.c
deleted file mode 100644
index 3efdea09..00000000
--- a/crypto_kem/kyber1024-90s/clean/symmetric-aes.c
+++ /dev/null
@@ -1,100 +0,0 @@
-#include "symmetric-aes.h"
-#include "symmetric.h"
-#include 
-#include 
-#include 
-
-
-static inline void br_enc32be(unsigned char *dst, uint32_t x) {
- dst[3] = (unsigned char)x;
- dst[2] = (unsigned char)(x >> 8);
- dst[1] = (unsigned char)(x >> 16);
- dst[0] = (unsigned char)(x >> 24);
-}
-
-static void aes256_ctr_xof(unsigned char *out, size_t outlen, const unsigned char *iv, uint32_t ctr, const aes256ctx *ctx) {
- uint8_t ivw[16];
- uint8_t buf[AES_BLOCKBYTES];
- size_t i = 0;
-
- memcpy(ivw, iv, AESCTR_NONCEBYTES);
- br_enc32be(ivw + AESCTR_NONCEBYTES, ctr);
-
- while (outlen > AES_BLOCKBYTES) {
- aes256_ecb(out, ivw, 1, ctx);
- br_enc32be(ivw + AESCTR_NONCEBYTES, ++ctr);
- out += AES_BLOCKBYTES;
- outlen -= AES_BLOCKBYTES;
- }
- if (outlen > 0) {
- aes256_ecb(buf, ivw, 1, ctx);
- for (i = 0; i < outlen; i++) {
- out[i] = buf[i];
- }
- }
-}
-
-/*************************************************
-* Name: aes256_prf
-*
-* Description: AES256 stream generation in CTR mode using 32-bit counter,
-* nonce is zero-padded to 12 bytes, counter starts at zero
-*
-* Arguments: - uint8_t *output: pointer to output
-* - size_t outlen: length of requested output in bytes
-* - const uint8_t *key: pointer to 32-byte key
-* - uint8_t nonce: 1-byte nonce (will be zero-padded to 12 bytes)
-**************************************************/
-void PQCLEAN_KYBER102490S_CLEAN_aes256ctr_prf(uint8_t *output, size_t outlen, const uint8_t *key, uint8_t nonce) {
- uint8_t iv[12];
- for (int i = 1; i < 12; i++) {
- iv[i] = 0;
- }
- iv[0] = nonce;
-
- aes256ctx ctx;
- aes256_ctr_keyexp(&ctx, key);
- aes256_ctr(output, outlen, iv, &ctx);
- aes256_ctx_release(&ctx);
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_CLEAN_aes256xof_absorb
-*
-* Description: AES256 CTR used as a replacement for a XOF; this function
-* "absorbs" a 32-byte key and two additional bytes that are zero-padded
-* to a 12-byte nonce
-*
-* Arguments: - 
aes256xof_ctx *s: pointer to state to "absorb" key and IV into
-* - const uint8_t *key: pointer to 32-byte key
-* - uint8_t x: first additional byte to "absorb"
-* - uint8_t y: second additional byte to "absorb"
-**************************************************/
-void PQCLEAN_KYBER102490S_CLEAN_aes256xof_absorb(aes256xof_ctx *s, const uint8_t *key, uint8_t x, uint8_t y) {
- aes256_ecb_keyexp(&s->sk_exp, key);
- for (int i = 2; i < 12; i++) {
- s->iv[i] = 0;
- }
- s->iv[0] = x;
- s->iv[1] = y;
- s->ctr = 0;
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_CLEAN_aes256xof_squeezeblocks
-*
-* Description: AES256 CTR used as a replacement for a XOF; this function
-* generates 4 blocks out AES256-CTR output
-*
-* Arguments: - uint8_t *out: pointer to output
-* - size_t nblocks: number of reqested 64-byte output blocks
-* - aes256xof_ctx *s: AES "state", i.e. expanded key and IV
-**************************************************/
-void PQCLEAN_KYBER102490S_CLEAN_aes256xof_squeezeblocks(uint8_t *out, size_t nblocks, aes256xof_ctx *s) {
- aes256_ctr_xof(out, nblocks * 64, s->iv, s->ctr, &s->sk_exp);
- s->ctr += (uint32_t) (4 * nblocks);
-}
-
-void PQCLEAN_KYBER102490S_CLEAN_aes256xof_ctx_release(aes256xof_ctx *s) {
- aes256_ctx_release(&s->sk_exp);
-}
diff --git a/crypto_kem/kyber1024-90s/clean/symmetric-aes.h b/crypto_kem/kyber1024-90s/clean/symmetric-aes.h
deleted file mode 100644
index f06a2c38..00000000
--- a/crypto_kem/kyber1024-90s/clean/symmetric-aes.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef PQCLEAN_KYBER102490S_CLEAN_SYMMETRIC_AES_H
-#define PQCLEAN_KYBER102490S_CLEAN_SYMMETRIC_AES_H
-#include "aes.h"
-#include 
-#include 
-
-typedef struct {
- aes256ctx sk_exp;
- uint8_t iv[12];
- uint32_t ctr;
-} aes256xof_ctx;
-
-void PQCLEAN_KYBER102490S_CLEAN_aes256ctr_prf(uint8_t *output, size_t outlen, const uint8_t *key, uint8_t nonce);
-void PQCLEAN_KYBER102490S_CLEAN_aes256xof_absorb(aes256xof_ctx *s, const uint8_t *key, uint8_t x, uint8_t y);
-void PQCLEAN_KYBER102490S_CLEAN_aes256xof_squeezeblocks(uint8_t *out, size_t nblocks, aes256xof_ctx *s);
-void PQCLEAN_KYBER102490S_CLEAN_aes256xof_ctx_release(aes256xof_ctx *s);
-
-#endif
diff --git a/crypto_kem/kyber1024-90s/clean/symmetric.h b/crypto_kem/kyber1024-90s/clean/symmetric.h
deleted file mode 100644
index b7f27da6..00000000
--- a/crypto_kem/kyber1024-90s/clean/symmetric.h
+++ /dev/null
@@ -1,29 +0,0 @@
-#ifndef PQCLEAN_KYBER102490S_CLEAN_SYMMETRIC_H
-#define PQCLEAN_KYBER102490S_CLEAN_SYMMETRIC_H
-#include "params.h"
-#include "sha2.h"
-#include "symmetric-aes.h"
-#include 
-#include 
-
-
-
-
-typedef aes256xof_ctx xof_state;
-
-void PQCLEAN_KYBER102490S_CLEAN_kyber_aes256xof_absorb(aes256xof_ctx *state, const uint8_t seed[32], uint8_t x, uint8_t y);
-
-void PQCLEAN_KYBER102490S_CLEAN_kyber_aes256ctr_prf(uint8_t *out, size_t outlen, const uint8_t key[32], uint8_t nonce);
-
-#define XOF_BLOCKBYTES 64
-
-#define hash_h(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-#define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES)
-#define xof_absorb(STATE, SEED, X, Y) PQCLEAN_KYBER102490S_CLEAN_aes256xof_absorb(STATE, SEED, X, Y)
-#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER102490S_CLEAN_aes256xof_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define xof_ctx_release(STATE) PQCLEAN_KYBER102490S_CLEAN_aes256xof_ctx_release(STATE)
-#define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER102490S_CLEAN_aes256ctr_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-
-
-#endif /* SYMMETRIC_H */
diff --git a/crypto_kem/kyber1024-90s/clean/verify.c b/crypto_kem/kyber1024-90s/clean/verify.c
deleted file mode 100644
index 23911d39..00000000
--- a/crypto_kem/kyber1024-90s/clean/verify.c
+++ /dev/null
@@ -1,47 +0,0 @@
-#include "verify.h"
-#include 
-#include 
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_CLEAN_verify
-*
-* Description: Compare two arrays for equality in constant time.
-*
-* Arguments: const uint8_t *a: pointer to first byte array
-* const uint8_t *b: pointer to second byte array
-* size_t len: length of the byte arrays
-*
-* Returns 0 if the byte arrays are equal, 1 otherwise
-**************************************************/
-int PQCLEAN_KYBER102490S_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len) {
- size_t i;
- uint8_t r = 0;
-
- for (i = 0; i < len; i++) {
- r |= a[i] ^ b[i];
- }
-
- return (-(uint64_t)r) >> 63;
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER102490S_CLEAN_cmov
-*
-* Description: Copy len bytes from x to r if b is 1;
-* don't modify x if b is 0. Requires b to be in {0,1};
-* assumes two's complement representation of negative integers.
-* Runs in constant time.
-*
-* Arguments: uint8_t *r: pointer to output byte array
-* const uint8_t *x: pointer to input byte array
-* size_t len: Amount of bytes to be copied
-* uint8_t b: Condition bit; has to be in {0,1}
-**************************************************/
-void PQCLEAN_KYBER102490S_CLEAN_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b) {
- size_t i;
-
- b = -b;
- for (i = 0; i < len; i++) {
- r[i] ^= b & (r[i] ^ x[i]);
- }
-}
diff --git a/crypto_kem/kyber1024-90s/clean/verify.h b/crypto_kem/kyber1024-90s/clean/verify.h
deleted file mode 100644
index 1d48a111..00000000
--- a/crypto_kem/kyber1024-90s/clean/verify.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_KYBER102490S_CLEAN_VERIFY_H
-#define PQCLEAN_KYBER102490S_CLEAN_VERIFY_H
-#include "params.h"
-#include 
-#include 
-
-int PQCLEAN_KYBER102490S_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len);
-
-void PQCLEAN_KYBER102490S_CLEAN_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b);
-
-#endif
diff --git a/crypto_kem/kyber512-90s/META.yml b/crypto_kem/kyber512-90s/META.yml
deleted file mode 100644
index 14f1639f..00000000
--- a/crypto_kem/kyber512-90s/META.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-name: Kyber512-90s
-type: kem
-claimed-nist-level: 1
-claimed-security: IND-CCA2
-length-public-key: 800
-length-ciphertext: 768
-length-secret-key: 1632
-length-shared-secret: 32
-nistkat-sha256: 7bfe0653b63b3fac7ee300a6e4801046c1a3d8d445b271633b6c9d81ed125e5b
-principal-submitters:
- - Peter Schwabe
-auxiliary-submitters:
- - Roberto Avanzi
- - Joppe Bos
- - Léo Ducas
- - Eike Kiltz
- - Tancrède Lepoint
- - Vadim Lyubashevsky
- - John M. Schanck
- - Gregor Seiler
- - Damien Stehlé
-implementations:
- - name: clean
- version: https://github.com/pq-crystals/kyber/commit/e7faae9f662f5b92fee4e966f09b2f23e1e91c65 via https://github.com/jschanck/package-pqclean/tree/231c9bec/kyber
- - name: avx2
- version: https://github.com/pq-crystals/kyber/commit/e7faae9f662f5b92fee4e966f09b2f23e1e91c65 via https://github.com/jschanck/package-pqclean/tree/231c9bec/kyber
- supported_platforms:
- - architecture: x86_64
- operating_systems:
- - Linux
- - Darwin
- required_flags:
- - aes
- - avx2
- - bmi2
- - popcnt
diff --git a/crypto_kem/kyber512-90s/avx2/LICENSE b/crypto_kem/kyber512-90s/avx2/LICENSE
deleted file mode 100644
index 08473af7..00000000
--- a/crypto_kem/kyber512-90s/avx2/LICENSE
+++ /dev/null
@@ -1,5 +0,0 @@
-Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/)
-
-For Keccak and AES we are using public-domain
-code from sources and by authors listed in
-comments on top of the respective files.
diff --git a/crypto_kem/kyber512-90s/avx2/aes256ctr.c b/crypto_kem/kyber512-90s/avx2/aes256ctr.c
deleted file mode 100644
index c55c0eb3..00000000
--- a/crypto_kem/kyber512-90s/avx2/aes256ctr.c
+++ /dev/null
@@ -1,142 +0,0 @@ -#include "aes256ctr.h" -#include -#include -#include -/* Based heavily on public-domain code by Romain Dolbeau - * Different handling of nonce+counter than original version using - * separated 64-bit nonce and internal 64-bit counter, starting from zero - * Public Domain */ - - -static inline void aesni_encrypt4(uint8_t out[64], __m128i *n, const __m128i rkeys[16]) { - __m128i f, f0, f1, f2, f3; - const __m128i idx = _mm_set_epi8(8, 9, 10, 11, 12, 13, 14, 15, 7, 6, 5, 4, 3, 2, 1, 0); - - /* Load current counter value */ - f = _mm_load_si128(n); - - /* Increase counter in 4 consecutive blocks */ - f0 = _mm_shuffle_epi8(_mm_add_epi64(f, _mm_set_epi64x(0, 0)), idx); - f1 = _mm_shuffle_epi8(_mm_add_epi64(f, _mm_set_epi64x(1, 0)), idx); - f2 = _mm_shuffle_epi8(_mm_add_epi64(f, _mm_set_epi64x(2, 0)), idx); - f3 = _mm_shuffle_epi8(_mm_add_epi64(f, _mm_set_epi64x(3, 0)), idx); - - /* Write counter for next iteration, increased by 4 */ - _mm_store_si128(n, _mm_add_epi64(f, _mm_set_epi64x(4, 0))); - - /* Actual AES encryption, 4x interleaved */ - f = _mm_load_si128(&rkeys[0]); - f0 = _mm_xor_si128(f0, f); - f1 = _mm_xor_si128(f1, f); - f2 = _mm_xor_si128(f2, f); - f3 = _mm_xor_si128(f3, f); - - for (int i = 1; i < 14; i++) { - f = _mm_load_si128(&rkeys[i]); - f0 = _mm_aesenc_si128(f0, f); - f1 = _mm_aesenc_si128(f1, f); - f2 = _mm_aesenc_si128(f2, f); - f3 = _mm_aesenc_si128(f3, f); - } - - f = _mm_load_si128(&rkeys[14]); - f0 = _mm_aesenclast_si128(f0, f); - f1 = _mm_aesenclast_si128(f1, f); - f2 = _mm_aesenclast_si128(f2, f); - f3 = _mm_aesenclast_si128(f3, f); - - /* Write results */ - _mm_storeu_si128((__m128i *)(out + 0), f0); - _mm_storeu_si128((__m128i *)(out + 16), f1); - _mm_storeu_si128((__m128i *)(out + 32), f2); - _mm_storeu_si128((__m128i *)(out + 48), f3); -} - -void PQCLEAN_KYBER51290S_AVX2_aes256ctr_init(aes256ctr_ctx *state, const uint8_t key[32], uint64_t nonce) { - __m128i key0, key1, temp0, temp1, temp2, temp4; - int idx = 0; - - key0 = 
_mm_loadu_si128((__m128i *)(key + 0)); - key1 = _mm_loadu_si128((__m128i *)(key + 16)); - state->n = _mm_loadl_epi64((__m128i *)&nonce); - - state->rkeys[idx++] = key0; - temp0 = key0; - temp2 = key1; - temp4 = _mm_setzero_si128(); - -#define BLOCK1(IMM) \ - temp1 = _mm_aeskeygenassist_si128(temp2, IMM); \ - state->rkeys[idx++] = temp2; \ - temp4 = (__m128i)_mm_shuffle_ps((__m128)temp4, (__m128)temp0, 0x10); \ - temp0 = _mm_xor_si128(temp0, temp4); \ - temp4 = (__m128i)_mm_shuffle_ps((__m128)temp4, (__m128)temp0, 0x8c); \ - temp0 = _mm_xor_si128(temp0, temp4); \ - temp1 = (__m128i)_mm_shuffle_ps((__m128)temp1, (__m128)temp1, 0xff); \ - temp0 = _mm_xor_si128(temp0, temp1) - -#define BLOCK2(IMM) \ - temp1 = _mm_aeskeygenassist_si128(temp0, IMM); \ - state->rkeys[idx++] = temp0; \ - temp4 = (__m128i)_mm_shuffle_ps((__m128)temp4, (__m128)temp2, 0x10); \ - temp2 = _mm_xor_si128(temp2, temp4); \ - temp4 = (__m128i)_mm_shuffle_ps((__m128)temp4, (__m128)temp2, 0x8c); \ - temp2 = _mm_xor_si128(temp2, temp4); \ - temp1 = (__m128i)_mm_shuffle_ps((__m128)temp1, (__m128)temp1, 0xaa); \ - temp2 = _mm_xor_si128(temp2, temp1) - - BLOCK1(0x01); - BLOCK2(0x01); - - BLOCK1(0x02); - BLOCK2(0x02); - - BLOCK1(0x04); - BLOCK2(0x04); - - BLOCK1(0x08); - BLOCK2(0x08); - - BLOCK1(0x10); - BLOCK2(0x10); - - BLOCK1(0x20); - BLOCK2(0x20); - - BLOCK1(0x40); - state->rkeys[idx++] = temp0; -} - -void PQCLEAN_KYBER51290S_AVX2_aes256ctr_squeezeblocks(uint8_t *out, - size_t nblocks, - aes256ctr_ctx *state) { - size_t i; - for (i = 0; i < nblocks; i++) { - aesni_encrypt4(out, &state->n, state->rkeys); - out += 64; - } -} - -void PQCLEAN_KYBER51290S_AVX2_aes256ctr_prf(uint8_t *out, - size_t outlen, - const uint8_t key[32], - uint64_t nonce) { - unsigned int i; - uint8_t buf[64]; - aes256ctr_ctx state; - - PQCLEAN_KYBER51290S_AVX2_aes256ctr_init(&state, key, nonce); - - while (outlen >= 64) { - aesni_encrypt4(out, &state.n, state.rkeys); - outlen -= 64; - out += 64; - } - - if (outlen) { - 
aesni_encrypt4(buf, &state.n, state.rkeys);
- for (i = 0; i < outlen; i++) {
- out[i] = buf[i];
- }
- }
-}
diff --git a/crypto_kem/kyber512-90s/avx2/aes256ctr.h b/crypto_kem/kyber512-90s/avx2/aes256ctr.h
deleted file mode 100644
index 8e5b1b6c..00000000
--- a/crypto_kem/kyber512-90s/avx2/aes256ctr.h
+++ /dev/null
@@ -1,29 +0,0 @@
-#ifndef PQCLEAN_KYBER51290S_AVX2_AES256CTR_H
-#define PQCLEAN_KYBER51290S_AVX2_AES256CTR_H
-
-#include 
-#include 
-#include 
-
-
-#define AES256CTR_BLOCKBYTES 64
-
-typedef struct {
- __m128i rkeys[16];
- __m128i n;
-} aes256ctr_ctx;
-
-void PQCLEAN_KYBER51290S_AVX2_aes256ctr_init(aes256ctr_ctx *state,
- const uint8_t key[32],
- uint64_t nonce);
-
-void PQCLEAN_KYBER51290S_AVX2_aes256ctr_squeezeblocks(uint8_t *out,
- size_t nblocks,
- aes256ctr_ctx *state);
-
-void PQCLEAN_KYBER51290S_AVX2_aes256ctr_prf(uint8_t *out,
- size_t outlen,
- const uint8_t key[32],
- uint64_t nonce);
-
-#endif
diff --git a/crypto_kem/kyber512-90s/avx2/align.h b/crypto_kem/kyber512-90s/avx2/align.h
deleted file mode 100644
index 94413cc3..00000000
--- a/crypto_kem/kyber512-90s/avx2/align.h
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef PQCLEAN_KYBER51290S_AVX2_ALIGN_H
-#define PQCLEAN_KYBER51290S_AVX2_ALIGN_H
-
-#include 
-#include 
-
-#define ALIGNED_UINT8(N) \
- union { \
- uint8_t coeffs[(N)]; \
- __m256i vec[((N)+31)/32]; \
- }
-
-#define ALIGNED_INT16(N) \
- union { \
- int16_t coeffs[(N)]; \
- __m256i vec[((N)+15)/16]; \
- }
-
-#endif
diff --git a/crypto_kem/kyber512-90s/avx2/api.h b/crypto_kem/kyber512-90s/avx2/api.h
deleted file mode 100644
index 2e7ce509..00000000
--- a/crypto_kem/kyber512-90s/avx2/api.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef PQCLEAN_KYBER51290S_AVX2_API_H
-#define PQCLEAN_KYBER51290S_AVX2_API_H
-
-#include 
-
-#define PQCLEAN_KYBER51290S_AVX2_CRYPTO_SECRETKEYBYTES 1632
-#define PQCLEAN_KYBER51290S_AVX2_CRYPTO_PUBLICKEYBYTES 800
-#define PQCLEAN_KYBER51290S_AVX2_CRYPTO_CIPHERTEXTBYTES 768
-#define PQCLEAN_KYBER51290S_AVX2_CRYPTO_BYTES 32
-#define PQCLEAN_KYBER51290S_AVX2_CRYPTO_ALGNAME "Kyber512-90s"
-
-int PQCLEAN_KYBER51290S_AVX2_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
-
-int PQCLEAN_KYBER51290S_AVX2_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-
-int PQCLEAN_KYBER51290S_AVX2_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
-#endif
diff --git a/crypto_kem/kyber512-90s/avx2/basemul.S b/crypto_kem/kyber512-90s/avx2/basemul.S
deleted file mode 100644
index ffd8d413..00000000
--- a/crypto_kem/kyber512-90s/avx2/basemul.S
+++ /dev/null
@@ -1,107 +0,0 @@ -#include "cdecl.h" - -.macro schoolbook off -vmovdqa _16XQINV*2(%rcx),%ymm0 -vmovdqa (64*\off+ 0)*2(%rsi),%ymm1 # a0 -vmovdqa (64*\off+16)*2(%rsi),%ymm2 # b0 -vmovdqa (64*\off+32)*2(%rsi),%ymm3 # a1 -vmovdqa (64*\off+48)*2(%rsi),%ymm4 # b1 - -vpmullw %ymm0,%ymm1,%ymm9 # a0.lo -vpmullw %ymm0,%ymm2,%ymm10 # b0.lo -vpmullw %ymm0,%ymm3,%ymm11 # a1.lo -vpmullw %ymm0,%ymm4,%ymm12 # b1.lo - -vmovdqa (64*\off+ 0)*2(%rdx),%ymm5 # c0 -vmovdqa (64*\off+16)*2(%rdx),%ymm6 # d0 - -vpmulhw %ymm5,%ymm1,%ymm13 # a0c0.hi -vpmulhw %ymm6,%ymm1,%ymm1 # a0d0.hi -vpmulhw %ymm5,%ymm2,%ymm14 # b0c0.hi -vpmulhw %ymm6,%ymm2,%ymm2 # b0d0.hi - -vmovdqa (64*\off+32)*2(%rdx),%ymm7 # c1 -vmovdqa (64*\off+48)*2(%rdx),%ymm8 # d1 - -vpmulhw %ymm7,%ymm3,%ymm15 # a1c1.hi -vpmulhw %ymm8,%ymm3,%ymm3 # a1d1.hi -vpmulhw %ymm7,%ymm4,%ymm0 # b1c1.hi -vpmulhw %ymm8,%ymm4,%ymm4 # b1d1.hi - -vmovdqa %ymm13,(%rsp) - -vpmullw %ymm5,%ymm9,%ymm13 # a0c0.lo -vpmullw %ymm6,%ymm9,%ymm9 # a0d0.lo -vpmullw %ymm5,%ymm10,%ymm5 # b0c0.lo -vpmullw %ymm6,%ymm10,%ymm10 # b0d0.lo - -vpmullw %ymm7,%ymm11,%ymm6 # a1c1.lo -vpmullw %ymm8,%ymm11,%ymm11 # a1d1.lo -vpmullw %ymm7,%ymm12,%ymm7 # b1c1.lo -vpmullw %ymm8,%ymm12,%ymm12 # b1d1.lo - -vmovdqa _16XQ*2(%rcx),%ymm8 -vpmulhw %ymm8,%ymm13,%ymm13 -vpmulhw %ymm8,%ymm9,%ymm9 -vpmulhw %ymm8,%ymm5,%ymm5 -vpmulhw %ymm8,%ymm10,%ymm10 -vpmulhw %ymm8,%ymm6,%ymm6 -vpmulhw %ymm8,%ymm11,%ymm11 -vpmulhw %ymm8,%ymm7,%ymm7 -vpmulhw %ymm8,%ymm12,%ymm12 - -vpsubw (%rsp),%ymm13,%ymm13 # -a0c0 -vpsubw %ymm9,%ymm1,%ymm9 # a0d0 -vpsubw %ymm5,%ymm14,%ymm5 # b0c0 -vpsubw %ymm10,%ymm2,%ymm10 # b0d0 - -vpsubw %ymm6,%ymm15,%ymm6 # a1c1 -vpsubw %ymm11,%ymm3,%ymm11 # a1d1 -vpsubw %ymm7,%ymm0,%ymm7 # b1c1 -vpsubw %ymm12,%ymm4,%ymm12 # b1d1 - -vmovdqa (%r9),%ymm0 -vmovdqa 32(%r9),%ymm1 -vpmullw %ymm0,%ymm10,%ymm2 -vpmullw %ymm0,%ymm12,%ymm3 -vpmulhw %ymm1,%ymm10,%ymm10 -vpmulhw %ymm1,%ymm12,%ymm12 -vpmulhw %ymm8,%ymm2,%ymm2 -vpmulhw %ymm8,%ymm3,%ymm3 -vpsubw %ymm2,%ymm10,%ymm10 # rb0d0 
-vpsubw %ymm3,%ymm12,%ymm12 # rb1d1 - -vpaddw %ymm5,%ymm9,%ymm9 -vpaddw %ymm7,%ymm11,%ymm11 -vpsubw %ymm13,%ymm10,%ymm13 -vpsubw %ymm12,%ymm6,%ymm6 - -vmovdqa %ymm13,(64*\off+ 0)*2(%rdi) -vmovdqa %ymm9,(64*\off+16)*2(%rdi) -vmovdqa %ymm6,(64*\off+32)*2(%rdi) -vmovdqa %ymm11,(64*\off+48)*2(%rdi) -.endm - -.text -.global cdecl(PQCLEAN_KYBER51290S_AVX2_basemul_avx) -.global _cdecl(PQCLEAN_KYBER51290S_AVX2_basemul_avx) -cdecl(PQCLEAN_KYBER51290S_AVX2_basemul_avx): -_cdecl(PQCLEAN_KYBER51290S_AVX2_basemul_avx): -mov %rsp,%r8 -and $-32,%rsp -sub $32,%rsp - -lea (_ZETAS_EXP+176)*2(%rcx),%r9 -schoolbook 0 - -add $32*2,%r9 -schoolbook 1 - -add $192*2,%r9 -schoolbook 2 - -add $32*2,%r9 -schoolbook 3 - -mov %r8,%rsp -ret diff --git a/crypto_kem/kyber512-90s/avx2/cbd.c b/crypto_kem/kyber512-90s/avx2/cbd.c deleted file mode 100644 index 8898cbe2..00000000 --- a/crypto_kem/kyber512-90s/avx2/cbd.c +++ /dev/null 
@@ -1,128 +0,0 @@ -#include "cbd.h" -#include "params.h" -#include -#include - -/************************************************* -* Name: cbd2 -* -* Description: Given an array of uniformly random bytes, compute -* polynomial with coefficients distributed according to -* a centered binomial distribution with parameter eta=2 -* -* Arguments: - poly *r: pointer to output polynomial -* - const __m256i *buf: pointer to aligned input byte array -**************************************************/ -static void cbd2(poly *restrict r, const __m256i buf[2 * KYBER_N / 128]) { - unsigned int i; - __m256i f0, f1, f2, f3; - const __m256i mask55 = _mm256_set1_epi32(0x55555555); - const __m256i mask33 = _mm256_set1_epi32(0x33333333); - const __m256i mask03 = _mm256_set1_epi32(0x03030303); - const __m256i mask0F = _mm256_set1_epi32(0x0F0F0F0F); - - for (i = 0; i < KYBER_N / 64; i++) { - f0 = _mm256_load_si256(&buf[i]); - - f1 = _mm256_srli_epi16(f0, 1); - f0 = _mm256_and_si256(mask55, f0); - f1 = _mm256_and_si256(mask55, f1); - f0 = _mm256_add_epi8(f0, f1); - - f1 = _mm256_srli_epi16(f0, 2); - f0 = _mm256_and_si256(mask33, f0); - f1 = _mm256_and_si256(mask33, f1); - f0 = _mm256_add_epi8(f0, mask33); - f0 = _mm256_sub_epi8(f0, f1); - - f1 = _mm256_srli_epi16(f0, 4); - f0 = _mm256_and_si256(mask0F, f0); - f1 = _mm256_and_si256(mask0F, f1); - f0 = _mm256_sub_epi8(f0, mask03); - f1 = _mm256_sub_epi8(f1, mask03); - - f2 = _mm256_unpacklo_epi8(f0, f1); - f3 = _mm256_unpackhi_epi8(f0, f1); - - f0 = _mm256_cvtepi8_epi16(_mm256_castsi256_si128(f2)); - f1 = _mm256_cvtepi8_epi16(_mm256_extracti128_si256(f2, 1)); - f2 = _mm256_cvtepi8_epi16(_mm256_castsi256_si128(f3)); - f3 = _mm256_cvtepi8_epi16(_mm256_extracti128_si256(f3, 1)); - - _mm256_store_si256(&r->vec[4 * i + 0], f0); - _mm256_store_si256(&r->vec[4 * i + 1], f2); - _mm256_store_si256(&r->vec[4 * i + 2], f1); - _mm256_store_si256(&r->vec[4 * i + 3], f3); - } -} - -/************************************************* -* Name: cbd3 -* 
-* Description: Given an array of uniformly random bytes, compute -* polynomial with coefficients distributed according to -* a centered binomial distribution with parameter eta=3 -* This function is only needed for Kyber-512 -* -* Arguments: - poly *r: pointer to output polynomial -* - const __m256i *buf: pointer to aligned input byte array -**************************************************/ -static void cbd3(poly *restrict r, const uint8_t buf[3 * KYBER_N / 4 + 8]) { - unsigned int i; - __m256i f0, f1, f2, f3; - const __m256i mask249 = _mm256_set1_epi32(0x249249); - const __m256i mask6DB = _mm256_set1_epi32(0x6DB6DB); - const __m256i mask07 = _mm256_set1_epi32(7); - const __m256i mask70 = _mm256_set1_epi32(7 << 16); - const __m256i mask3 = _mm256_set1_epi16(3); - const __m256i shufbidx = _mm256_set_epi8(-1, 15, 14, 13, -1, 12, 11, 10, -1, 9, 8, 7, -1, 6, 5, 4, - -1, 11, 10, 9, -1, 8, 7, 6, -1, 5, 4, 3, -1, 2, 1, 0); - - for (i = 0; i < KYBER_N / 32; i++) { - f0 = _mm256_loadu_si256((__m256i *)&buf[24 * i]); - f0 = _mm256_permute4x64_epi64(f0, 0x94); - f0 = _mm256_shuffle_epi8(f0, shufbidx); - - f1 = _mm256_srli_epi32(f0, 1); - f2 = _mm256_srli_epi32(f0, 2); - f0 = _mm256_and_si256(mask249, f0); - f1 = _mm256_and_si256(mask249, f1); - f2 = _mm256_and_si256(mask249, f2); - f0 = _mm256_add_epi32(f0, f1); - f0 = _mm256_add_epi32(f0, f2); - - f1 = _mm256_srli_epi32(f0, 3); - f0 = _mm256_add_epi32(f0, mask6DB); - f0 = _mm256_sub_epi32(f0, f1); - - f1 = _mm256_slli_epi32(f0, 10); - f2 = _mm256_srli_epi32(f0, 12); - f3 = _mm256_srli_epi32(f0, 2); - f0 = _mm256_and_si256(f0, mask07); - f1 = _mm256_and_si256(f1, mask70); - f2 = _mm256_and_si256(f2, mask07); - f3 = _mm256_and_si256(f3, mask70); - f0 = _mm256_add_epi16(f0, f1); - f1 = _mm256_add_epi16(f2, f3); - f0 = _mm256_sub_epi16(f0, mask3); - f1 = _mm256_sub_epi16(f1, mask3); - - f2 = _mm256_unpacklo_epi32(f0, f1); - f3 = _mm256_unpackhi_epi32(f0, f1); - - f0 = _mm256_permute2x128_si256(f2, f3, 0x20); - f1 = 
_mm256_permute2x128_si256(f2, f3, 0x31);
-
- _mm256_store_si256(&r->vec[2 * i + 0], f0);
- _mm256_store_si256(&r->vec[2 * i + 1], f1);
- }
-}
-
-/* buf 32 bytes longer for cbd3 */
-void PQCLEAN_KYBER51290S_AVX2_poly_cbd_eta1(poly *r, const __m256i buf[KYBER_ETA1 * KYBER_N / 128 + 1]) {
- cbd3(r, (uint8_t *)buf);
-}
-
-void PQCLEAN_KYBER51290S_AVX2_poly_cbd_eta2(poly *r, const __m256i buf[KYBER_ETA2 * KYBER_N / 128]) {
- cbd2(r, buf);
-}
diff --git a/crypto_kem/kyber512-90s/avx2/cbd.h b/crypto_kem/kyber512-90s/avx2/cbd.h
deleted file mode 100644
index 72086475..00000000
--- a/crypto_kem/kyber512-90s/avx2/cbd.h
+++ /dev/null
@@ -1,12 +0,0 @@
-#ifndef PQCLEAN_KYBER51290S_AVX2_CBD_H
-#define PQCLEAN_KYBER51290S_AVX2_CBD_H
-#include "params.h"
-#include "poly.h"
-#include 
-#include 
-
-void PQCLEAN_KYBER51290S_AVX2_poly_cbd_eta1(poly *r, const __m256i buf[KYBER_ETA1 * KYBER_N / 128 + 1]);
-
-void PQCLEAN_KYBER51290S_AVX2_poly_cbd_eta2(poly *r, const __m256i buf[KYBER_ETA2 * KYBER_N / 128]);
-
-#endif
diff --git a/crypto_kem/kyber512-90s/avx2/cdecl.h b/crypto_kem/kyber512-90s/avx2/cdecl.h
deleted file mode 100644
index 4a2a0a54..00000000
--- a/crypto_kem/kyber512-90s/avx2/cdecl.h
+++ /dev/null
@@ -1,30 +0,0 @@
-#ifndef PQCLEAN_KYBER51290S_AVX2_CDECL_H
-#define PQCLEAN_KYBER51290S_AVX2_CDECL_H
-
-
-
-#define _16XQ 0
-#define _16XQINV 16
-#define _16XV 32
-#define _16XFLO 48
-#define _16XFHI 64
-#define _16XMONTSQLO 80
-#define _16XMONTSQHI 96
-#define _16XMASK 112
-#define _REVIDXB 128
-#define _REVIDXD 144
-#define _ZETAS_EXP 160
-#define _16XSHIFT 624
-
-/* The C ABI on MacOS exports all symbols with a leading
- * underscore. This means that any symbols we refer to from
- * C files (functions) can't be found, and all symbols we
- * refer to from ASM also can't be found (nttconsts.c).
- *
- * This define helps us get around this
- */
-
-#define _cdecl(s) _##s
-#define cdecl(s) s
-
-#endif
diff --git a/crypto_kem/kyber512-90s/avx2/consts.c b/crypto_kem/kyber512-90s/avx2/consts.c
deleted file mode 100644
index 77f7ed73..00000000
--- a/crypto_kem/kyber512-90s/avx2/consts.c
+++ /dev/null
@@ -1,123 +0,0 @@ -#include "align.h" -#include "consts.h" -#include "params.h" - - -#define Q KYBER_Q -#define MONT (-1044) // 2^16 mod q -#define QINV (-3327) // q^-1 mod 2^16 -#define V 20159 // floor(2^26/q + 0.5) -#define FHI 1441 // mont^2/128 -#define FLO (-10079) // qinv*FHI -#define MONTSQHI 1353 // mont^2 -#define MONTSQLO 20553 // qinv*MONTSQHI -#define MASK 4095 -#define SHIFT 32 - -const qdata_t PQCLEAN_KYBER51290S_AVX2_qdata = {.coeffs = { -//#define _16XQ 0 - Q, Q, Q, Q, Q, Q, Q, Q, Q, Q, Q, Q, Q, Q, Q, Q, - -//#define _16XQINV 16 - QINV, QINV, QINV, QINV, QINV, QINV, QINV, QINV, - QINV, QINV, QINV, QINV, QINV, QINV, QINV, QINV, - -//#define _16XV 32 - V, V, V, V, V, V, V, V, V, V, V, V, V, V, V, V, - -//#define _16XFLO 48 - FLO, FLO, FLO, FLO, FLO, FLO, FLO, FLO, - FLO, FLO, FLO, FLO, FLO, FLO, FLO, FLO, - -//#define _16XFHI 64 - FHI, FHI, FHI, FHI, FHI, FHI, FHI, FHI, - FHI, FHI, FHI, FHI, FHI, FHI, FHI, FHI, - -//#define _16XMONTSQLO 80 - MONTSQLO, MONTSQLO, MONTSQLO, MONTSQLO, - MONTSQLO, MONTSQLO, MONTSQLO, MONTSQLO, - MONTSQLO, MONTSQLO, MONTSQLO, MONTSQLO, - MONTSQLO, MONTSQLO, MONTSQLO, MONTSQLO, - -//#define _16XMONTSQHI 96 - MONTSQHI, MONTSQHI, MONTSQHI, MONTSQHI, - MONTSQHI, MONTSQHI, MONTSQHI, MONTSQHI, - MONTSQHI, MONTSQHI, MONTSQHI, MONTSQHI, - MONTSQHI, MONTSQHI, MONTSQHI, MONTSQHI, - -//#define _16XMASK 112 - MASK, MASK, MASK, MASK, MASK, MASK, MASK, MASK, - MASK, MASK, MASK, MASK, MASK, MASK, MASK, MASK, - -//#define _REVIDXB 128 - 3854, 3340, 2826, 2312, 1798, 1284, 770, 256, - 3854, 3340, 2826, 2312, 1798, 1284, 770, 256, - -//#define _REVIDXD 144 - 7, 0, 6, 0, 5, 0, 4, 0, 3, 0, 2, 0, 1, 0, 0, 0, - -//#define _ZETAS_EXP 160 - 31498, 31498, 31498, 31498, -758, -758, -758, -758, - 5237, 5237, 5237, 5237, 1397, 1397, 1397, 1397, - 14745, 14745, 14745, 14745, 14745, 14745, 14745, 14745, - 14745, 14745, 14745, 14745, 14745, 14745, 14745, 14745, - -359, -359, -359, -359, -359, -359, -359, -359, - -359, -359, -359, -359, -359, -359, -359, 
-359, - 13525, 13525, 13525, 13525, 13525, 13525, 13525, 13525, - -12402, -12402, -12402, -12402, -12402, -12402, -12402, -12402, - 1493, 1493, 1493, 1493, 1493, 1493, 1493, 1493, - 1422, 1422, 1422, 1422, 1422, 1422, 1422, 1422, - -20907, -20907, -20907, -20907, 27758, 27758, 27758, 27758, - -3799, -3799, -3799, -3799, -15690, -15690, -15690, -15690, - -171, -171, -171, -171, 622, 622, 622, 622, - 1577, 1577, 1577, 1577, 182, 182, 182, 182, - -5827, -5827, 17363, 17363, -26360, -26360, -29057, -29057, - 5571, 5571, -1102, -1102, 21438, 21438, -26242, -26242, - 573, 573, -1325, -1325, 264, 264, 383, 383, - -829, -829, 1458, 1458, -1602, -1602, -130, -130, - -5689, -6516, 1496, 30967, -23565, 20179, 20710, 25080, - -12796, 26616, 16064, -12442, 9134, -650, -25986, 27837, - 1223, 652, -552, 1015, -1293, 1491, -282, -1544, - 516, -8, -320, -666, -1618, -1162, 126, 1469, - -335, -11477, -32227, 20494, -27738, 945, -14883, 6182, - 32010, 10631, 29175, -28762, -18486, 17560, -14430, -5276, - -1103, 555, -1251, 1550, 422, 177, -291, 1574, - -246, 1159, -777, -602, -1590, -872, 418, -156, - 11182, 13387, -14233, -21655, 13131, -4587, 23092, 5493, - -32502, 30317, -18741, 12639, 20100, 18525, 19529, -12619, - 430, 843, 871, 105, 587, -235, -460, 1653, - 778, -147, 1483, 1119, 644, 349, 329, -75, - 787, 787, 787, 787, 787, 787, 787, 787, - 787, 787, 787, 787, 787, 787, 787, 787, - -1517, -1517, -1517, -1517, -1517, -1517, -1517, -1517, - -1517, -1517, -1517, -1517, -1517, -1517, -1517, -1517, - 28191, 28191, 28191, 28191, 28191, 28191, 28191, 28191, - -16694, -16694, -16694, -16694, -16694, -16694, -16694, -16694, - 287, 287, 287, 287, 287, 287, 287, 287, - 202, 202, 202, 202, 202, 202, 202, 202, - 10690, 10690, 10690, 10690, 1358, 1358, 1358, 1358, - -11202, -11202, -11202, -11202, 31164, 31164, 31164, 31164, - 962, 962, 962, 962, -1202, -1202, -1202, -1202, - -1474, -1474, -1474, -1474, 1468, 1468, 1468, 1468, - -28073, -28073, 24313, 24313, -10532, -10532, 8800, 8800, - 
18426, 18426, 8859, 8859, 26675, 26675, -16163, -16163, - -681, -681, 1017, 1017, 732, 732, 608, 608, - -1542, -1542, 411, 411, -205, -205, -1571, -1571, - 19883, -28250, -15887, -8898, -28309, 9075, -30199, 18249, - 13426, 14017, -29156, -12757, 16832, 4311, -24155, -17915, - -853, -90, -271, 830, 107, -1421, -247, -951, - -398, 961, -1508, -725, 448, -1065, 677, -1275, - -31183, 25435, -7382, 24391, -20927, 10946, 24214, 16989, - 10335, -7934, -22502, 10906, 31636, 28644, 23998, -17422, - 817, 603, 1322, -1465, -1215, 1218, -874, -1187, - -1185, -1278, -1510, -870, -108, 996, 958, 1522, - 20297, 2146, 15355, -32384, -6280, -14903, -11044, 14469, - -21498, -20198, 23210, -17442, -23860, -20257, 7756, 23132, - 1097, 610, -1285, 384, -136, -1335, 220, -1659, - -1530, 794, -854, 478, -308, 991, -1460, 1628, - -//#define _16XSHIFT 624 - SHIFT, SHIFT, SHIFT, SHIFT, SHIFT, SHIFT, SHIFT, SHIFT, - SHIFT, SHIFT, SHIFT, SHIFT, SHIFT, SHIFT, SHIFT, SHIFT - } -}; diff --git a/crypto_kem/kyber512-90s/avx2/consts.h b/crypto_kem/kyber512-90s/avx2/consts.h deleted file mode 100644 index c09524cd..00000000 --- a/crypto_kem/kyber512-90s/avx2/consts.h +++ /dev/null @@ -1,10 +0,0 @@ -#ifndef PQCLEAN_KYBER51290S_AVX2_CONSTS_H -#define PQCLEAN_KYBER51290S_AVX2_CONSTS_H -#include "align.h" -#include "cdecl.h" - - -typedef ALIGNED_INT16(640) qdata_t; -extern const qdata_t PQCLEAN_KYBER51290S_AVX2_qdata; - -#endif diff --git a/crypto_kem/kyber512-90s/avx2/fq.S b/crypto_kem/kyber512-90s/avx2/fq.S deleted file mode 100644 index 7d47f8b8..00000000 --- a/crypto_kem/kyber512-90s/avx2/fq.S +++ /dev/null 
@@ -1,92 +0,0 @@ -#include "cdecl.h" -.include "fq.inc" - -.text -reduce128_avx: -#load -vmovdqa (%rdi),%ymm2 -vmovdqa 32(%rdi),%ymm3 -vmovdqa 64(%rdi),%ymm4 -vmovdqa 96(%rdi),%ymm5 -vmovdqa 128(%rdi),%ymm6 -vmovdqa 160(%rdi),%ymm7 -vmovdqa 192(%rdi),%ymm8 -vmovdqa 224(%rdi),%ymm9 - -red16 2 -red16 3 -red16 4 -red16 5 -red16 6 -red16 7 -red16 8 -red16 9 - -#store -vmovdqa %ymm2,(%rdi) -vmovdqa %ymm3,32(%rdi) -vmovdqa %ymm4,64(%rdi) -vmovdqa %ymm5,96(%rdi) -vmovdqa %ymm6,128(%rdi) -vmovdqa %ymm7,160(%rdi) -vmovdqa %ymm8,192(%rdi) -vmovdqa %ymm9,224(%rdi) - -ret - -.global cdecl(PQCLEAN_KYBER51290S_AVX2_reduce_avx) -.global _cdecl(PQCLEAN_KYBER51290S_AVX2_reduce_avx) -cdecl(PQCLEAN_KYBER51290S_AVX2_reduce_avx): -_cdecl(PQCLEAN_KYBER51290S_AVX2_reduce_avx): -#consts -vmovdqa _16XQ*2(%rsi),%ymm0 -vmovdqa _16XV*2(%rsi),%ymm1 -call reduce128_avx -add $256,%rdi -call reduce128_avx -ret - -tomont128_avx: -#load -vmovdqa (%rdi),%ymm3 -vmovdqa 32(%rdi),%ymm4 -vmovdqa 64(%rdi),%ymm5 -vmovdqa 96(%rdi),%ymm6 -vmovdqa 128(%rdi),%ymm7 -vmovdqa 160(%rdi),%ymm8 -vmovdqa 192(%rdi),%ymm9 -vmovdqa 224(%rdi),%ymm10 - -fqmulprecomp 1,2,3,11 -fqmulprecomp 1,2,4,12 -fqmulprecomp 1,2,5,13 -fqmulprecomp 1,2,6,14 -fqmulprecomp 1,2,7,15 -fqmulprecomp 1,2,8,11 -fqmulprecomp 1,2,9,12 -fqmulprecomp 1,2,10,13 - -#store -vmovdqa %ymm3,(%rdi) -vmovdqa %ymm4,32(%rdi) -vmovdqa %ymm5,64(%rdi) -vmovdqa %ymm6,96(%rdi) -vmovdqa %ymm7,128(%rdi) -vmovdqa %ymm8,160(%rdi) -vmovdqa %ymm9,192(%rdi) -vmovdqa %ymm10,224(%rdi) - -ret - -.global cdecl(PQCLEAN_KYBER51290S_AVX2_tomont_avx) -.global _cdecl(PQCLEAN_KYBER51290S_AVX2_tomont_avx) -cdecl(PQCLEAN_KYBER51290S_AVX2_tomont_avx): -_cdecl(PQCLEAN_KYBER51290S_AVX2_tomont_avx): -#consts -vmovdqa _16XQ*2(%rsi),%ymm0 -vmovdqa _16XMONTSQLO*2(%rsi),%ymm1 -vmovdqa _16XMONTSQHI*2(%rsi),%ymm2 -call tomont128_avx -add $256,%rdi -call tomont128_avx -ret 
diff --git a/crypto_kem/kyber512-90s/avx2/fq.inc b/crypto_kem/kyber512-90s/avx2/fq.inc deleted file mode 100644 index 4b7afc31..00000000 --- a/crypto_kem/kyber512-90s/avx2/fq.inc +++ /dev/null @@ -1,30 +0,0 @@ -.macro red16 r,rs=0,x=12 -vpmulhw %ymm1,%ymm\r,%ymm\x -.if \rs -vpmulhrsw %ymm\rs,%ymm\x,%ymm\x -.else -vpsraw $10,%ymm\x,%ymm\x -.endif -vpmullw %ymm0,%ymm\x,%ymm\x -vpsubw %ymm\x,%ymm\r,%ymm\r -.endm - -.macro csubq r,x=12 -vpsubw %ymm0,%ymm\r,%ymm\r -vpsraw $15,%ymm\r,%ymm\x -vpand %ymm0,%ymm\x,%ymm\x -vpaddw %ymm\x,%ymm\r,%ymm\r -.endm - -.macro caddq r,x=12 -vpsraw $15,%ymm\r,%ymm\x -vpand %ymm0,%ymm\x,%ymm\x -vpaddw %ymm\x,%ymm\r,%ymm\r -.endm - -.macro fqmulprecomp al,ah,b,x=12 -vpmullw %ymm\al,%ymm\b,%ymm\x -vpmulhw %ymm\ah,%ymm\b,%ymm\b -vpmulhw %ymm0,%ymm\x,%ymm\x -vpsubw %ymm\x,%ymm\b,%ymm\b -.endm diff --git a/crypto_kem/kyber512-90s/avx2/indcpa.c b/crypto_kem/kyber512-90s/avx2/indcpa.c deleted file mode 100644 index 92490a97..00000000 --- a/crypto_kem/kyber512-90s/avx2/indcpa.c +++ /dev/null 
@@ -1,370 +0,0 @@ -#include "align.h" -#include "cbd.h" -#include "indcpa.h" -#include "ntt.h" -#include "params.h" -#include "poly.h" -#include "polyvec.h" -#include "randombytes.h" -#include "rejsample.h" -#include "symmetric.h" -#include -#include -#include - -/************************************************* -* Name: pack_pk -* -* Description: Serialize the public key as concatenation of the -* serialized vector of polynomials pk and the -* public seed used to generate the matrix A. -* The polynomial coefficients in pk are assumed to -* lie in the invertal [0,q], i.e. pk must be reduced -* by PQCLEAN_KYBER51290S_AVX2_polyvec_reduce(). -* -* Arguments: uint8_t *r: pointer to the output serialized public key -* polyvec *pk: pointer to the input public-key polyvec -* const uint8_t *seed: pointer to the input public seed -**************************************************/ -static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], - polyvec *pk, - const uint8_t seed[KYBER_SYMBYTES]) { - size_t i; - PQCLEAN_KYBER51290S_AVX2_polyvec_tobytes(r, pk); - for (i = 0; i < KYBER_SYMBYTES; i++) { - r[i + KYBER_POLYVECBYTES] = seed[i]; - } -} - -/************************************************* -* Name: unpack_pk -* -* Description: De-serialize public key from a byte array; -* approximate inverse of pack_pk -* -* Arguments: - polyvec *pk: pointer to output public-key polynomial vector -* - uint8_t *seed: pointer to output seed to generate matrix A -* - const uint8_t *packedpk: pointer to input serialized public key -**************************************************/ -static void unpack_pk(polyvec *pk, - uint8_t seed[KYBER_SYMBYTES], - const uint8_t packedpk[KYBER_INDCPA_PUBLICKEYBYTES]) { - size_t i; - PQCLEAN_KYBER51290S_AVX2_polyvec_frombytes(pk, packedpk); - for (i = 0; i < KYBER_SYMBYTES; i++) { - seed[i] = packedpk[i + KYBER_POLYVECBYTES]; - } -} - -/************************************************* -* Name: pack_sk -* -* Description: Serialize the secret key. 
-* The polynomial coefficients in sk are assumed to -* lie in the invertal [0,q], i.e. sk must be reduced -* by PQCLEAN_KYBER51290S_AVX2_polyvec_reduce(). -* -* Arguments: - uint8_t *r: pointer to output serialized secret key -* - polyvec *sk: pointer to input vector of polynomials (secret key) -**************************************************/ -static void pack_sk(uint8_t r[KYBER_INDCPA_SECRETKEYBYTES], polyvec *sk) { - PQCLEAN_KYBER51290S_AVX2_polyvec_tobytes(r, sk); -} - -/************************************************* -* Name: unpack_sk -* -* Description: De-serialize the secret key; inverse of pack_sk -* -* Arguments: - polyvec *sk: pointer to output vector of polynomials (secret key) -* - const uint8_t *packedsk: pointer to input serialized secret key -**************************************************/ -static void unpack_sk(polyvec *sk, const uint8_t packedsk[KYBER_INDCPA_SECRETKEYBYTES]) { - PQCLEAN_KYBER51290S_AVX2_polyvec_frombytes(sk, packedsk); -} - -/************************************************* -* Name: pack_ciphertext -* -* Description: Serialize the ciphertext as concatenation of the -* compressed and serialized vector of polynomials b -* and the compressed and serialized polynomial v. -* The polynomial coefficients in b and v are assumed to -* lie in the invertal [0,q], i.e. b and v must be reduced -* by PQCLEAN_KYBER51290S_AVX2_polyvec_reduce() and PQCLEAN_KYBER51290S_AVX2_poly_reduce(), respectively. 
-* -* Arguments: uint8_t *r: pointer to the output serialized ciphertext -* poly *pk: pointer to the input vector of polynomials b -* poly *v: pointer to the input polynomial v -**************************************************/ -static void pack_ciphertext(uint8_t r[KYBER_INDCPA_BYTES], polyvec *b, poly *v) { - PQCLEAN_KYBER51290S_AVX2_polyvec_compress(r, b); - PQCLEAN_KYBER51290S_AVX2_poly_compress(r + KYBER_POLYVECCOMPRESSEDBYTES, v); -} - -/************************************************* -* Name: unpack_ciphertext -* -* Description: De-serialize and decompress ciphertext from a byte array; -* approximate inverse of pack_ciphertext -* -* Arguments: - polyvec *b: pointer to the output vector of polynomials b -* - poly *v: pointer to the output polynomial v -* - const uint8_t *c: pointer to the input serialized ciphertext -**************************************************/ -static void unpack_ciphertext(polyvec *b, poly *v, const uint8_t c[KYBER_INDCPA_BYTES]) { - PQCLEAN_KYBER51290S_AVX2_polyvec_decompress(b, c); - PQCLEAN_KYBER51290S_AVX2_poly_decompress(v, c + KYBER_POLYVECCOMPRESSEDBYTES); -} - -/************************************************* -* Name: rej_uniform -* -* Description: Run rejection sampling on uniform random bytes to generate -* uniform random integers mod q -* -* Arguments: - int16_t *r: pointer to output array -* - unsigned int len: requested number of 16-bit integers (uniform mod q) -* - const uint8_t *buf: pointer to input buffer (assumed to be uniformly random bytes) -* - unsigned int buflen: length of input buffer in bytes -* -* Returns number of sampled 16-bit integers (at most len) -**************************************************/ -static unsigned int rej_uniform(int16_t *r, - unsigned int len, - const uint8_t *buf, - unsigned int buflen) { - unsigned int ctr, pos; - uint16_t val0, val1; - - ctr = pos = 0; - while (ctr < len && pos + 3 <= buflen) { - val0 = ((buf[pos + 0] >> 0) | ((uint16_t)buf[pos + 1] << 8)) & 0xFFF; - val1 = 
((buf[pos + 1] >> 4) | ((uint16_t)buf[pos + 2] << 4)) & 0xFFF; - pos += 3; - - if (val0 < KYBER_Q) { - r[ctr++] = val0; - } - if (ctr < len && val1 < KYBER_Q) { - r[ctr++] = val1; - } - } - - return ctr; -} - -#define gen_a(A,B) PQCLEAN_KYBER51290S_AVX2_gen_matrix(A,B,0) -#define gen_at(A,B) PQCLEAN_KYBER51290S_AVX2_gen_matrix(A,B,1) - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_gen_matrix -* -* Description: Deterministically generate matrix A (or the transpose of A) -* from a seed. Entries of the matrix are polynomials that look -* uniformly random. Performs rejection sampling on output of -* a XOF -* -* Arguments: - polyvec *a: pointer to ouptput matrix A -* - const uint8_t *seed: pointer to input seed -* - int transposed: boolean deciding whether A or A^T is generated -**************************************************/ -void PQCLEAN_KYBER51290S_AVX2_gen_matrix(polyvec *a, const uint8_t seed[32], int transposed) { - unsigned int ctr, i, j, k; - unsigned int buflen, off; - uint64_t nonce = 0; - ALIGNED_UINT8(REJ_UNIFORM_AVX_NBLOCKS * AES256CTR_BLOCKBYTES) buf; - aes256ctr_ctx state; - - PQCLEAN_KYBER51290S_AVX2_aes256ctr_init(&state, seed, 0); - - for (i = 0; i < KYBER_K; i++) { - for (j = 0; j < KYBER_K; j++) { - if (transposed) { - nonce = (j << 8) | i; - } else { - nonce = (i << 8) | j; - } - - state.n = _mm_loadl_epi64((__m128i *)&nonce); - PQCLEAN_KYBER51290S_AVX2_aes256ctr_squeezeblocks(buf.coeffs, REJ_UNIFORM_AVX_NBLOCKS, &state); - buflen = REJ_UNIFORM_AVX_NBLOCKS * AES256CTR_BLOCKBYTES; - ctr = PQCLEAN_KYBER51290S_AVX2_rej_uniform_avx(a[i].vec[j].coeffs, buf.coeffs); - - while (ctr < KYBER_N) { - off = buflen % 3; - for (k = 0; k < off; k++) { - buf.coeffs[k] = buf.coeffs[buflen - off + k]; - } - PQCLEAN_KYBER51290S_AVX2_aes256ctr_squeezeblocks(buf.coeffs + off, 1, &state); - buflen = off + AES256CTR_BLOCKBYTES; - ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf.coeffs, buflen); - } - - 
PQCLEAN_KYBER51290S_AVX2_poly_nttunpack(&a[i].vec[j]); - } - } -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_indcpa_keypair -* -* Description: Generates public and private key for the CPA-secure -* public-key encryption scheme underlying Kyber -* -* Arguments: - uint8_t *pk: pointer to output public key -* (of length KYBER_INDCPA_PUBLICKEYBYTES bytes) -* - uint8_t *sk: pointer to output private key - (of length KYBER_INDCPA_SECRETKEYBYTES bytes) -**************************************************/ -void PQCLEAN_KYBER51290S_AVX2_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], - uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) { - unsigned int i; - uint8_t buf[2 * KYBER_SYMBYTES]; - const uint8_t *publicseed = buf; - const uint8_t *noiseseed = buf + KYBER_SYMBYTES; - polyvec a[KYBER_K], e, pkpv, skpv; - - randombytes(buf, KYBER_SYMBYTES); - hash_g(buf, buf, KYBER_SYMBYTES); - - gen_a(a, publicseed); - -#define NOISE_NBLOCKS ((KYBER_ETA1*KYBER_N/4)/AES256CTR_BLOCKBYTES) /* Assumes divisibility */ - uint64_t nonce = 0; - ALIGNED_UINT8(NOISE_NBLOCKS * AES256CTR_BLOCKBYTES + 32) coins; // +32 bytes as required by PQCLEAN_KYBER51290S_AVX2_poly_cbd_eta1 - aes256ctr_ctx state; - PQCLEAN_KYBER51290S_AVX2_aes256ctr_init(&state, noiseseed, nonce++); - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_AVX2_aes256ctr_squeezeblocks(coins.coeffs, NOISE_NBLOCKS, &state); - state.n = _mm_loadl_epi64((__m128i *)&nonce); - nonce += 1; - PQCLEAN_KYBER51290S_AVX2_poly_cbd_eta1(&skpv.vec[i], coins.vec); - } - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_AVX2_aes256ctr_squeezeblocks(coins.coeffs, NOISE_NBLOCKS, &state); - state.n = _mm_loadl_epi64((__m128i *)&nonce); - nonce += 1; - PQCLEAN_KYBER51290S_AVX2_poly_cbd_eta1(&e.vec[i], coins.vec); - } - - PQCLEAN_KYBER51290S_AVX2_polyvec_ntt(&skpv); - PQCLEAN_KYBER51290S_AVX2_polyvec_reduce(&skpv); - PQCLEAN_KYBER51290S_AVX2_polyvec_ntt(&e); - - // matrix-vector multiplication - for (i 
= 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_AVX2_polyvec_basemul_acc_montgomery(&pkpv.vec[i], &a[i], &skpv); - PQCLEAN_KYBER51290S_AVX2_poly_tomont(&pkpv.vec[i]); - } - - PQCLEAN_KYBER51290S_AVX2_polyvec_add(&pkpv, &pkpv, &e); - PQCLEAN_KYBER51290S_AVX2_polyvec_reduce(&pkpv); - - pack_sk(sk, &skpv); - pack_pk(pk, &pkpv, publicseed); -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_indcpa_enc -* -* Description: Encryption function of the CPA-secure -* public-key encryption scheme underlying Kyber. -* -* Arguments: - uint8_t *c: pointer to output ciphertext -* (of length KYBER_INDCPA_BYTES bytes) -* - const uint8_t *m: pointer to input message -* (of length KYBER_INDCPA_MSGBYTES bytes) -* - const uint8_t *pk: pointer to input public key -* (of length KYBER_INDCPA_PUBLICKEYBYTES) -* - const uint8_t *coins: pointer to input random coins used as seed -* (of length KYBER_SYMBYTES) to deterministically -* generate all randomness -**************************************************/ -void PQCLEAN_KYBER51290S_AVX2_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], - const uint8_t m[KYBER_INDCPA_MSGBYTES], - const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], - const uint8_t coins[KYBER_SYMBYTES]) { - unsigned int i; - uint8_t seed[KYBER_SYMBYTES]; - polyvec sp, pkpv, ep, at[KYBER_K], b; - poly v, k, epp; - - unpack_pk(&pkpv, seed, pk); - PQCLEAN_KYBER51290S_AVX2_poly_frommsg(&k, m); - gen_at(at, seed); - -#define NOISE_NBLOCKS ((KYBER_ETA1*KYBER_N/4)/AES256CTR_BLOCKBYTES) /* Assumes divisibility */ -#define CIPHERTEXTNOISE_NBLOCKS ((KYBER_ETA2*KYBER_N/4)/AES256CTR_BLOCKBYTES) /* Assumes divisibility */ - uint64_t nonce = 0; - ALIGNED_UINT8(NOISE_NBLOCKS * AES256CTR_BLOCKBYTES + 32) buf; /* +32 bytes as required by PQCLEAN_KYBER51290S_AVX2_poly_cbd_eta1 */ - aes256ctr_ctx state; - PQCLEAN_KYBER51290S_AVX2_aes256ctr_init(&state, coins, nonce++); - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_AVX2_aes256ctr_squeezeblocks(buf.coeffs, 
NOISE_NBLOCKS, &state); - state.n = _mm_loadl_epi64((__m128i *)&nonce); - nonce += 1; - PQCLEAN_KYBER51290S_AVX2_poly_cbd_eta1(&sp.vec[i], buf.vec); - } - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_AVX2_aes256ctr_squeezeblocks(buf.coeffs, CIPHERTEXTNOISE_NBLOCKS, &state); - state.n = _mm_loadl_epi64((__m128i *)&nonce); - nonce += 1; - PQCLEAN_KYBER51290S_AVX2_poly_cbd_eta2(&ep.vec[i], buf.vec); - } - PQCLEAN_KYBER51290S_AVX2_aes256ctr_squeezeblocks(buf.coeffs, CIPHERTEXTNOISE_NBLOCKS, &state); - state.n = _mm_loadl_epi64((__m128i *)&nonce); - nonce += 1; - PQCLEAN_KYBER51290S_AVX2_poly_cbd_eta2(&epp, buf.vec); - - PQCLEAN_KYBER51290S_AVX2_polyvec_ntt(&sp); - - // matrix-vector multiplication - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_AVX2_polyvec_basemul_acc_montgomery(&b.vec[i], &at[i], &sp); - } - PQCLEAN_KYBER51290S_AVX2_polyvec_basemul_acc_montgomery(&v, &pkpv, &sp); - - PQCLEAN_KYBER51290S_AVX2_polyvec_invntt_tomont(&b); - PQCLEAN_KYBER51290S_AVX2_poly_invntt_tomont(&v); - - PQCLEAN_KYBER51290S_AVX2_polyvec_add(&b, &b, &ep); - PQCLEAN_KYBER51290S_AVX2_poly_add(&v, &v, &epp); - PQCLEAN_KYBER51290S_AVX2_poly_add(&v, &v, &k); - PQCLEAN_KYBER51290S_AVX2_polyvec_reduce(&b); - PQCLEAN_KYBER51290S_AVX2_poly_reduce(&v); - - pack_ciphertext(c, &b, &v); -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_indcpa_dec -* -* Description: Decryption function of the CPA-secure -* public-key encryption scheme underlying Kyber. 
-* -* Arguments: - uint8_t *m: pointer to output decrypted message -* (of length KYBER_INDCPA_MSGBYTES) -* - const uint8_t *c: pointer to input ciphertext -* (of length KYBER_INDCPA_BYTES) -* - const uint8_t *sk: pointer to input secret key -* (of length KYBER_INDCPA_SECRETKEYBYTES) -**************************************************/ -void PQCLEAN_KYBER51290S_AVX2_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], - const uint8_t c[KYBER_INDCPA_BYTES], - const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) { - polyvec b, skpv; - poly v, mp; - - unpack_ciphertext(&b, &v, c); - unpack_sk(&skpv, sk); - - PQCLEAN_KYBER51290S_AVX2_polyvec_ntt(&b); - PQCLEAN_KYBER51290S_AVX2_polyvec_basemul_acc_montgomery(&mp, &skpv, &b); - PQCLEAN_KYBER51290S_AVX2_poly_invntt_tomont(&mp); - - PQCLEAN_KYBER51290S_AVX2_poly_sub(&mp, &v, &mp); - PQCLEAN_KYBER51290S_AVX2_poly_reduce(&mp); - - PQCLEAN_KYBER51290S_AVX2_poly_tomsg(m, &mp); -} diff --git a/crypto_kem/kyber512-90s/avx2/indcpa.h b/crypto_kem/kyber512-90s/avx2/indcpa.h deleted file mode 100644 index f2b8709b..00000000 --- a/crypto_kem/kyber512-90s/avx2/indcpa.h +++ /dev/null @@ -1,20 +0,0 @@ -#ifndef PQCLEAN_KYBER51290S_AVX2_INDCPA_H -#define PQCLEAN_KYBER51290S_AVX2_INDCPA_H -#include "params.h" -#include "polyvec.h" -#include - -void PQCLEAN_KYBER51290S_AVX2_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed); -void PQCLEAN_KYBER51290S_AVX2_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], - uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); - -void PQCLEAN_KYBER51290S_AVX2_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], - const uint8_t m[KYBER_INDCPA_MSGBYTES], - const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], - const uint8_t coins[KYBER_SYMBYTES]); - -void PQCLEAN_KYBER51290S_AVX2_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], - const uint8_t c[KYBER_INDCPA_BYTES], - const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); - -#endif 
diff --git a/crypto_kem/kyber512-90s/avx2/invntt.S b/crypto_kem/kyber512-90s/avx2/invntt.S deleted file mode 100644 index d49bb282..00000000 --- a/crypto_kem/kyber512-90s/avx2/invntt.S +++ /dev/null 
@@ -1,195 +0,0 @@ -#include "cdecl.h" -.include "shuffle.inc" -.include "fq.inc" - -.macro butterfly rl0,rl1,rl2,rl3,rh0,rh1,rh2,rh3,zl0=2,zl1=2,zh0=3,zh1=3 -vpsubw %ymm\rl0,%ymm\rh0,%ymm12 -vpaddw %ymm\rh0,%ymm\rl0,%ymm\rl0 -vpsubw %ymm\rl1,%ymm\rh1,%ymm13 - -vpmullw %ymm\zl0,%ymm12,%ymm\rh0 -vpaddw %ymm\rh1,%ymm\rl1,%ymm\rl1 -vpsubw %ymm\rl2,%ymm\rh2,%ymm14 - -vpmullw %ymm\zl0,%ymm13,%ymm\rh1 -vpaddw %ymm\rh2,%ymm\rl2,%ymm\rl2 -vpsubw %ymm\rl3,%ymm\rh3,%ymm15 - -vpmullw %ymm\zl1,%ymm14,%ymm\rh2 -vpaddw %ymm\rh3,%ymm\rl3,%ymm\rl3 -vpmullw %ymm\zl1,%ymm15,%ymm\rh3 - -vpmulhw %ymm\zh0,%ymm12,%ymm12 -vpmulhw %ymm\zh0,%ymm13,%ymm13 - -vpmulhw %ymm\zh1,%ymm14,%ymm14 -vpmulhw %ymm\zh1,%ymm15,%ymm15 - -vpmulhw %ymm0,%ymm\rh0,%ymm\rh0 - -vpmulhw %ymm0,%ymm\rh1,%ymm\rh1 - -vpmulhw %ymm0,%ymm\rh2,%ymm\rh2 -vpmulhw %ymm0,%ymm\rh3,%ymm\rh3 - -# - -# - -vpsubw %ymm\rh0,%ymm12,%ymm\rh0 - -vpsubw %ymm\rh1,%ymm13,%ymm\rh1 - -vpsubw %ymm\rh2,%ymm14,%ymm\rh2 -vpsubw %ymm\rh3,%ymm15,%ymm\rh3 -.endm - -.macro intt_levels0t5 off -/* level 0 */ -vmovdqa _16XFLO*2(%rsi),%ymm2 -vmovdqa _16XFHI*2(%rsi),%ymm3 - -vmovdqa (128*\off+ 0)*2(%rdi),%ymm4 -vmovdqa (128*\off+ 32)*2(%rdi),%ymm6 -vmovdqa (128*\off+ 16)*2(%rdi),%ymm5 -vmovdqa (128*\off+ 48)*2(%rdi),%ymm7 - -fqmulprecomp 2,3,4 -fqmulprecomp 2,3,6 -fqmulprecomp 2,3,5 -fqmulprecomp 2,3,7 - -vmovdqa (128*\off+ 64)*2(%rdi),%ymm8 -vmovdqa (128*\off+ 96)*2(%rdi),%ymm10 -vmovdqa (128*\off+ 80)*2(%rdi),%ymm9 -vmovdqa (128*\off+112)*2(%rdi),%ymm11 - -fqmulprecomp 2,3,8 -fqmulprecomp 2,3,10 -fqmulprecomp 2,3,9 -fqmulprecomp 2,3,11 - -vpermq $0x4E,(_ZETAS_EXP+(1-\off)*224+208)*2(%rsi),%ymm15 -vpermq $0x4E,(_ZETAS_EXP+(1-\off)*224+176)*2(%rsi),%ymm1 -vpermq $0x4E,(_ZETAS_EXP+(1-\off)*224+224)*2(%rsi),%ymm2 -vpermq $0x4E,(_ZETAS_EXP+(1-\off)*224+192)*2(%rsi),%ymm3 -vmovdqa _REVIDXB*2(%rsi),%ymm12 -vpshufb %ymm12,%ymm15,%ymm15 -vpshufb %ymm12,%ymm1,%ymm1 -vpshufb %ymm12,%ymm2,%ymm2 -vpshufb %ymm12,%ymm3,%ymm3 - -butterfly 4,5,8,9,6,7,10,11,15,1,2,3 
- -/* level 1 */ -vpermq $0x4E,(_ZETAS_EXP+(1-\off)*224+144)*2(%rsi),%ymm2 -vpermq $0x4E,(_ZETAS_EXP+(1-\off)*224+160)*2(%rsi),%ymm3 -vmovdqa _REVIDXB*2(%rsi),%ymm1 -vpshufb %ymm1,%ymm2,%ymm2 -vpshufb %ymm1,%ymm3,%ymm3 - -butterfly 4,5,6,7,8,9,10,11,2,2,3,3 - -shuffle1 4,5,3,5 -shuffle1 6,7,4,7 -shuffle1 8,9,6,9 -shuffle1 10,11,8,11 - -/* level 2 */ -vmovdqa _REVIDXD*2(%rsi),%ymm12 -vpermd (_ZETAS_EXP+(1-\off)*224+112)*2(%rsi),%ymm12,%ymm2 -vpermd (_ZETAS_EXP+(1-\off)*224+128)*2(%rsi),%ymm12,%ymm10 - -butterfly 3,4,6,8,5,7,9,11,2,2,10,10 - -vmovdqa _16XV*2(%rsi),%ymm1 -red16 3 - -shuffle2 3,4,10,4 -shuffle2 6,8,3,8 -shuffle2 5,7,6,7 -shuffle2 9,11,5,11 - -/* level 3 */ -vpermq $0x1B,(_ZETAS_EXP+(1-\off)*224+80)*2(%rsi),%ymm2 -vpermq $0x1B,(_ZETAS_EXP+(1-\off)*224+96)*2(%rsi),%ymm9 - -butterfly 10,3,6,5,4,8,7,11,2,2,9,9 - -shuffle4 10,3,9,3 -shuffle4 6,5,10,5 -shuffle4 4,8,6,8 -shuffle4 7,11,4,11 - -/* level 4 */ -vpermq $0x4E,(_ZETAS_EXP+(1-\off)*224+48)*2(%rsi),%ymm2 -vpermq $0x4E,(_ZETAS_EXP+(1-\off)*224+64)*2(%rsi),%ymm7 - -butterfly 9,10,6,4,3,5,8,11,2,2,7,7 - -red16 9 - -shuffle8 9,10,7,10 -shuffle8 6,4,9,4 -shuffle8 3,5,6,5 -shuffle8 8,11,3,11 - -/* level5 */ -vmovdqa (_ZETAS_EXP+(1-\off)*224+16)*2(%rsi),%ymm2 -vmovdqa (_ZETAS_EXP+(1-\off)*224+32)*2(%rsi),%ymm8 - -butterfly 7,9,6,3,10,4,5,11,2,2,8,8 - -vmovdqa %ymm7,(128*\off+ 0)*2(%rdi) -vmovdqa %ymm9,(128*\off+ 16)*2(%rdi) -vmovdqa %ymm6,(128*\off+ 32)*2(%rdi) -vmovdqa %ymm3,(128*\off+ 48)*2(%rdi) -vmovdqa %ymm10,(128*\off+ 64)*2(%rdi) -vmovdqa %ymm4,(128*\off+ 80)*2(%rdi) -vmovdqa %ymm5,(128*\off+ 96)*2(%rdi) -vmovdqa %ymm11,(128*\off+112)*2(%rdi) -.endm - -.macro intt_level6 off -/* level 6 */ -vmovdqa (64*\off+ 0)*2(%rdi),%ymm4 -vmovdqa (64*\off+128)*2(%rdi),%ymm8 -vmovdqa (64*\off+ 16)*2(%rdi),%ymm5 -vmovdqa (64*\off+144)*2(%rdi),%ymm9 -vpbroadcastq (_ZETAS_EXP+0)*2(%rsi),%ymm2 - -vmovdqa (64*\off+ 32)*2(%rdi),%ymm6 -vmovdqa (64*\off+160)*2(%rdi),%ymm10 -vmovdqa (64*\off+ 48)*2(%rdi),%ymm7 -vmovdqa 
(64*\off+176)*2(%rdi),%ymm11 -vpbroadcastq (_ZETAS_EXP+4)*2(%rsi),%ymm3 - -butterfly 4,5,6,7,8,9,10,11 - -.if \off == 0 -red16 4 -.endif - -vmovdqa %ymm4,(64*\off+ 0)*2(%rdi) -vmovdqa %ymm5,(64*\off+ 16)*2(%rdi) -vmovdqa %ymm6,(64*\off+ 32)*2(%rdi) -vmovdqa %ymm7,(64*\off+ 48)*2(%rdi) -vmovdqa %ymm8,(64*\off+128)*2(%rdi) -vmovdqa %ymm9,(64*\off+144)*2(%rdi) -vmovdqa %ymm10,(64*\off+160)*2(%rdi) -vmovdqa %ymm11,(64*\off+176)*2(%rdi) -.endm - -.text -.global cdecl(PQCLEAN_KYBER51290S_AVX2_invntt_avx) -.global _cdecl(PQCLEAN_KYBER51290S_AVX2_invntt_avx) -cdecl(PQCLEAN_KYBER51290S_AVX2_invntt_avx): -_cdecl(PQCLEAN_KYBER51290S_AVX2_invntt_avx): -vmovdqa _16XQ*2(%rsi),%ymm0 - -intt_levels0t5 0 -intt_levels0t5 1 - -intt_level6 0 -intt_level6 1 -ret diff --git a/crypto_kem/kyber512-90s/avx2/kem.c b/crypto_kem/kyber512-90s/avx2/kem.c deleted file mode 100644 index a33b2d33..00000000 --- a/crypto_kem/kyber512-90s/avx2/kem.c +++ /dev/null 
@@ -1,126 +0,0 @@ -#include "indcpa.h" -#include "kem.h" -#include "params.h" -#include "randombytes.h" -#include "symmetric.h" -#include "verify.h" -#include -#include - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_crypto_kem_keypair -* -* Description: Generates public and private key -* for CCA-secure Kyber key encapsulation mechanism -* -* Arguments: - unsigned char *pk: pointer to output public key -* (an already allocated array of KYBER_PUBLICKEYBYTES bytes) -* - unsigned char *sk: pointer to output private key -* (an already allocated array of KYBER_SECRETKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_KYBER51290S_AVX2_crypto_kem_keypair(unsigned char pk[KYBER_PUBLICKEYBYTES], - unsigned char sk[KYBER_SECRETKEYBYTES]) { - size_t i; - PQCLEAN_KYBER51290S_AVX2_indcpa_keypair(pk, sk); - for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) { - sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i]; - } - hash_h(sk + KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); - /* Value z for pseudo-random output on reject */ - randombytes(sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES); - return 0; -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_crypto_kem_enc -* -* Description: Generates cipher text and shared -* secret for given public key -* -* Arguments: - unsigned char *ct: pointer to output cipher text -* (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) -* - unsigned char *ss: pointer to output shared secret -* (an already allocated array of KYBER_SSBYTES bytes) -* - const unsigned char *pk: pointer to input public key -* (an already allocated array of KYBER_PUBLICKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_KYBER51290S_AVX2_crypto_kem_enc(unsigned char ct[KYBER_CIPHERTEXTBYTES], - unsigned char ss[KYBER_SSBYTES], - const unsigned char 
pk[KYBER_PUBLICKEYBYTES]) { - uint8_t buf[2 * KYBER_SYMBYTES]; - /* Will contain key, coins */ - uint8_t kr[2 * KYBER_SYMBYTES]; - - randombytes(buf, KYBER_SYMBYTES); - /* Don't release system RNG output */ - hash_h(buf, buf, KYBER_SYMBYTES); - - /* Multitarget countermeasure for coins + contributory KEM */ - hash_h(buf + KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); - hash_g(kr, buf, 2 * KYBER_SYMBYTES); - - /* coins are in kr+KYBER_SYMBYTES */ - PQCLEAN_KYBER51290S_AVX2_indcpa_enc(ct, buf, pk, kr + KYBER_SYMBYTES); - - /* overwrite coins in kr with H(c) */ - hash_h(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); - /* hash concatenation of pre-k and H(c) to k */ - kdf(ss, kr, 2 * KYBER_SYMBYTES); - return 0; -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_crypto_kem_dec -* -* Description: Generates shared secret for given -* cipher text and private key -* -* Arguments: - unsigned char *ss: pointer to output shared secret -* (an already allocated array of KYBER_SSBYTES bytes) -* - const unsigned char *ct: pointer to input cipher text -* (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) -* - const unsigned char *sk: pointer to input private key -* (an already allocated array of KYBER_SECRETKEYBYTES bytes) -* -* Returns 0. -* -* On failure, ss will contain a pseudo-random value. 
-**************************************************/ -int PQCLEAN_KYBER51290S_AVX2_crypto_kem_dec(unsigned char ss[KYBER_SSBYTES], - const unsigned char ct[KYBER_CIPHERTEXTBYTES], - const unsigned char sk[KYBER_SECRETKEYBYTES]) { - size_t i; - int fail; - uint8_t buf[2 * KYBER_SYMBYTES]; - /* Will contain key, coins */ - uint8_t kr[2 * KYBER_SYMBYTES]; - ALIGNED_UINT8(KYBER_CIPHERTEXTBYTES) cmp; - const uint8_t *pk = sk + KYBER_INDCPA_SECRETKEYBYTES; - - PQCLEAN_KYBER51290S_AVX2_indcpa_dec(buf, ct, sk); - - /* Multitarget countermeasure for coins + contributory KEM */ - for (i = 0; i < KYBER_SYMBYTES; i++) { - buf[KYBER_SYMBYTES + i] = sk[KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES + i]; - } - hash_g(kr, buf, 2 * KYBER_SYMBYTES); - - /* coins are in kr+KYBER_SYMBYTES */ - PQCLEAN_KYBER51290S_AVX2_indcpa_enc(cmp.coeffs, buf, pk, kr + KYBER_SYMBYTES); - - fail = PQCLEAN_KYBER51290S_AVX2_verify(ct, cmp.coeffs, KYBER_CIPHERTEXTBYTES); - - /* overwrite coins in kr with H(c) */ - hash_h(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); - - /* Overwrite pre-k with z on re-encryption failure */ - PQCLEAN_KYBER51290S_AVX2_cmov(kr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, fail); - - /* hash concatenation of pre-k and H(c) to k */ - kdf(ss, kr, 2 * KYBER_SYMBYTES); - return 0; -} diff --git a/crypto_kem/kyber512-90s/avx2/kem.h b/crypto_kem/kyber512-90s/avx2/kem.h deleted file mode 100644 index deae78e7..00000000 --- a/crypto_kem/kyber512-90s/avx2/kem.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef PQCLEAN_KYBER51290S_AVX2_KEM_H -#define PQCLEAN_KYBER51290S_AVX2_KEM_H -#include "params.h" - - -int PQCLEAN_KYBER51290S_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk); - -int PQCLEAN_KYBER51290S_AVX2_crypto_kem_enc(unsigned char *ct, - unsigned char *ss, - const unsigned char *pk); - -int PQCLEAN_KYBER51290S_AVX2_crypto_kem_dec(unsigned char *ss, - const unsigned char *ct, - const unsigned char *sk); - -#endif 
diff --git a/crypto_kem/kyber512-90s/avx2/ntt.S b/crypto_kem/kyber512-90s/avx2/ntt.S deleted file mode 100644 index 1de466bc..00000000 --- a/crypto_kem/kyber512-90s/avx2/ntt.S +++ /dev/null 
@@ -1,191 +0,0 @@ -#include "cdecl.h" -.include "shuffle.inc" - -.macro mul rh0,rh1,rh2,rh3,zl0=15,zl1=15,zh0=2,zh1=2 -vpmullw %ymm\zl0,%ymm\rh0,%ymm12 -vpmullw %ymm\zl0,%ymm\rh1,%ymm13 - -vpmullw %ymm\zl1,%ymm\rh2,%ymm14 -vpmullw %ymm\zl1,%ymm\rh3,%ymm15 - -vpmulhw %ymm\zh0,%ymm\rh0,%ymm\rh0 -vpmulhw %ymm\zh0,%ymm\rh1,%ymm\rh1 - -vpmulhw %ymm\zh1,%ymm\rh2,%ymm\rh2 -vpmulhw %ymm\zh1,%ymm\rh3,%ymm\rh3 -.endm - -.macro reduce -vpmulhw %ymm0,%ymm12,%ymm12 -vpmulhw %ymm0,%ymm13,%ymm13 - -vpmulhw %ymm0,%ymm14,%ymm14 -vpmulhw %ymm0,%ymm15,%ymm15 -.endm - -.macro update rln,rl0,rl1,rl2,rl3,rh0,rh1,rh2,rh3 -vpaddw %ymm\rh0,%ymm\rl0,%ymm\rln -vpsubw %ymm\rh0,%ymm\rl0,%ymm\rh0 -vpaddw %ymm\rh1,%ymm\rl1,%ymm\rl0 - -vpsubw %ymm\rh1,%ymm\rl1,%ymm\rh1 -vpaddw %ymm\rh2,%ymm\rl2,%ymm\rl1 -vpsubw %ymm\rh2,%ymm\rl2,%ymm\rh2 - -vpaddw %ymm\rh3,%ymm\rl3,%ymm\rl2 -vpsubw %ymm\rh3,%ymm\rl3,%ymm\rh3 - -vpsubw %ymm12,%ymm\rln,%ymm\rln -vpaddw %ymm12,%ymm\rh0,%ymm\rh0 -vpsubw %ymm13,%ymm\rl0,%ymm\rl0 - -vpaddw %ymm13,%ymm\rh1,%ymm\rh1 -vpsubw %ymm14,%ymm\rl1,%ymm\rl1 -vpaddw %ymm14,%ymm\rh2,%ymm\rh2 - -vpsubw %ymm15,%ymm\rl2,%ymm\rl2 -vpaddw %ymm15,%ymm\rh3,%ymm\rh3 -.endm - -.macro level0 off -vpbroadcastq (_ZETAS_EXP+0)*2(%rsi),%ymm15 -vmovdqa (64*\off+128)*2(%rdi),%ymm8 -vmovdqa (64*\off+144)*2(%rdi),%ymm9 -vmovdqa (64*\off+160)*2(%rdi),%ymm10 -vmovdqa (64*\off+176)*2(%rdi),%ymm11 -vpbroadcastq (_ZETAS_EXP+4)*2(%rsi),%ymm2 - -mul 8,9,10,11 - -vmovdqa (64*\off+ 0)*2(%rdi),%ymm4 -vmovdqa (64*\off+ 16)*2(%rdi),%ymm5 -vmovdqa (64*\off+ 32)*2(%rdi),%ymm6 -vmovdqa (64*\off+ 48)*2(%rdi),%ymm7 - -reduce -update 3,4,5,6,7,8,9,10,11 - -vmovdqa %ymm3,(64*\off+ 0)*2(%rdi) -vmovdqa %ymm4,(64*\off+ 16)*2(%rdi) -vmovdqa %ymm5,(64*\off+ 32)*2(%rdi) -vmovdqa %ymm6,(64*\off+ 48)*2(%rdi) -vmovdqa %ymm8,(64*\off+128)*2(%rdi) -vmovdqa %ymm9,(64*\off+144)*2(%rdi) -vmovdqa %ymm10,(64*\off+160)*2(%rdi) -vmovdqa %ymm11,(64*\off+176)*2(%rdi) -.endm - -.macro levels1t6 off -/* level 1 */ -vmovdqa 
(_ZETAS_EXP+224*\off+16)*2(%rsi),%ymm15 -vmovdqa (128*\off+ 64)*2(%rdi),%ymm8 -vmovdqa (128*\off+ 80)*2(%rdi),%ymm9 -vmovdqa (128*\off+ 96)*2(%rdi),%ymm10 -vmovdqa (128*\off+112)*2(%rdi),%ymm11 -vmovdqa (_ZETAS_EXP+224*\off+32)*2(%rsi),%ymm2 - -mul 8,9,10,11 - -vmovdqa (128*\off+ 0)*2(%rdi),%ymm4 -vmovdqa (128*\off+ 16)*2(%rdi),%ymm5 -vmovdqa (128*\off+ 32)*2(%rdi),%ymm6 -vmovdqa (128*\off+ 48)*2(%rdi),%ymm7 - -reduce -update 3,4,5,6,7,8,9,10,11 - -/* level 2 */ -shuffle8 5,10,7,10 -shuffle8 6,11,5,11 - -vmovdqa (_ZETAS_EXP+224*\off+48)*2(%rsi),%ymm15 -vmovdqa (_ZETAS_EXP+224*\off+64)*2(%rsi),%ymm2 - -mul 7,10,5,11 - -shuffle8 3,8,6,8 -shuffle8 4,9,3,9 - -reduce -update 4,6,8,3,9,7,10,5,11 - -/* level 3 */ -shuffle4 8,5,9,5 -shuffle4 3,11,8,11 - -vmovdqa (_ZETAS_EXP+224*\off+80)*2(%rsi),%ymm15 -vmovdqa (_ZETAS_EXP+224*\off+96)*2(%rsi),%ymm2 - -mul 9,5,8,11 - -shuffle4 4,7,3,7 -shuffle4 6,10,4,10 - -reduce -update 6,3,7,4,10,9,5,8,11 - -/* level 4 */ -shuffle2 7,8,10,8 -shuffle2 4,11,7,11 - -vmovdqa (_ZETAS_EXP+224*\off+112)*2(%rsi),%ymm15 -vmovdqa (_ZETAS_EXP+224*\off+128)*2(%rsi),%ymm2 - -mul 10,8,7,11 - -shuffle2 6,9,4,9 -shuffle2 3,5,6,5 - -reduce -update 3,4,9,6,5,10,8,7,11 - -/* level 5 */ -shuffle1 9,7,5,7 -shuffle1 6,11,9,11 - -vmovdqa (_ZETAS_EXP+224*\off+144)*2(%rsi),%ymm15 -vmovdqa (_ZETAS_EXP+224*\off+160)*2(%rsi),%ymm2 - -mul 5,7,9,11 - -shuffle1 3,10,6,10 -shuffle1 4,8,3,8 - -reduce -update 4,6,10,3,8,5,7,9,11 - -/* level 6 */ -vmovdqa (_ZETAS_EXP+224*\off+176)*2(%rsi),%ymm14 -vmovdqa (_ZETAS_EXP+224*\off+208)*2(%rsi),%ymm15 -vmovdqa (_ZETAS_EXP+224*\off+192)*2(%rsi),%ymm8 -vmovdqa (_ZETAS_EXP+224*\off+224)*2(%rsi),%ymm2 - -mul 10,3,9,11,14,15,8,2 - -reduce -update 8,4,6,5,7,10,3,9,11 - -vmovdqa %ymm8,(128*\off+ 0)*2(%rdi) -vmovdqa %ymm4,(128*\off+ 16)*2(%rdi) -vmovdqa %ymm10,(128*\off+ 32)*2(%rdi) -vmovdqa %ymm3,(128*\off+ 48)*2(%rdi) -vmovdqa %ymm6,(128*\off+ 64)*2(%rdi) -vmovdqa %ymm5,(128*\off+ 80)*2(%rdi) -vmovdqa %ymm9,(128*\off+ 96)*2(%rdi) 
-vmovdqa %ymm11,(128*\off+112)*2(%rdi) -.endm - -.text -.global cdecl(PQCLEAN_KYBER51290S_AVX2_ntt_avx) -.global _cdecl(PQCLEAN_KYBER51290S_AVX2_ntt_avx) -cdecl(PQCLEAN_KYBER51290S_AVX2_ntt_avx): -_cdecl(PQCLEAN_KYBER51290S_AVX2_ntt_avx): -vmovdqa _16XQ*2(%rsi),%ymm0 - -level0 0 -level0 1 - -levels1t6 0 -levels1t6 1 - -ret diff --git a/crypto_kem/kyber512-90s/avx2/ntt.h b/crypto_kem/kyber512-90s/avx2/ntt.h deleted file mode 100644 index 90e23376..00000000 --- a/crypto_kem/kyber512-90s/avx2/ntt.h +++ /dev/null @@ -1,21 +0,0 @@ -#ifndef PQCLEAN_KYBER51290S_AVX2_NTT_H -#define PQCLEAN_KYBER51290S_AVX2_NTT_H - -#include -#include - -void PQCLEAN_KYBER51290S_AVX2_ntt_avx(__m256i *r, const __m256i *PQCLEAN_KYBER51290S_AVX2_qdata); -void PQCLEAN_KYBER51290S_AVX2_invntt_avx(__m256i *r, const __m256i *PQCLEAN_KYBER51290S_AVX2_qdata); - -void PQCLEAN_KYBER51290S_AVX2_nttpack_avx(__m256i *r, const __m256i *PQCLEAN_KYBER51290S_AVX2_qdata); -void PQCLEAN_KYBER51290S_AVX2_nttunpack_avx(__m256i *r, const __m256i *PQCLEAN_KYBER51290S_AVX2_qdata); - -void PQCLEAN_KYBER51290S_AVX2_basemul_avx(__m256i *r, - const __m256i *a, - const __m256i *b, - const __m256i *PQCLEAN_KYBER51290S_AVX2_qdata); - -void PQCLEAN_KYBER51290S_AVX2_ntttobytes_avx(uint8_t *r, const __m256i *a, const __m256i *PQCLEAN_KYBER51290S_AVX2_qdata); -void PQCLEAN_KYBER51290S_AVX2_nttfrombytes_avx(__m256i *r, const uint8_t *a, const __m256i *PQCLEAN_KYBER51290S_AVX2_qdata); - -#endif diff --git a/crypto_kem/kyber512-90s/avx2/params.h b/crypto_kem/kyber512-90s/avx2/params.h deleted file mode 100644 index 78712efe..00000000 --- a/crypto_kem/kyber512-90s/avx2/params.h +++ /dev/null 
@@ -1,36 +0,0 @@ -#ifndef PQCLEAN_KYBER51290S_AVX2_PARAMS_H -#define PQCLEAN_KYBER51290S_AVX2_PARAMS_H - - - - -#define KYBER_N 256 -#define KYBER_Q 3329 - -#define KYBER_SYMBYTES 32 /* size in bytes of hashes, and seeds */ -#define KYBER_SSBYTES 32 /* size in bytes of shared key */ - -#define KYBER_POLYBYTES 384 -#define KYBER_POLYVECBYTES (KYBER_K * KYBER_POLYBYTES) - -#define KYBER_K 2 -#define KYBER_ETA1 3 -#define KYBER_POLYCOMPRESSEDBYTES 128 -#define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 320) - -#define KYBER_ETA2 2 - -#define KYBER_INDCPA_MSGBYTES KYBER_SYMBYTES -#define KYBER_INDCPA_PUBLICKEYBYTES (KYBER_POLYVECBYTES + KYBER_SYMBYTES) -#define KYBER_INDCPA_SECRETKEYBYTES (KYBER_POLYVECBYTES) -#define KYBER_INDCPA_BYTES (KYBER_POLYVECCOMPRESSEDBYTES \ - + KYBER_POLYCOMPRESSEDBYTES) - -#define KYBER_PUBLICKEYBYTES (KYBER_INDCPA_PUBLICKEYBYTES) -/* 32 bytes of additional space to save H(pk) */ -#define KYBER_SECRETKEYBYTES (KYBER_INDCPA_SECRETKEYBYTES \ - + KYBER_INDCPA_PUBLICKEYBYTES \ - + 2*KYBER_SYMBYTES) -#define KYBER_CIPHERTEXTBYTES KYBER_INDCPA_BYTES - -#endif diff --git a/crypto_kem/kyber512-90s/avx2/poly.c b/crypto_kem/kyber512-90s/avx2/poly.c deleted file mode 100644 index ce936add..00000000 --- a/crypto_kem/kyber512-90s/avx2/poly.c +++ /dev/null 
@@ -1,357 +0,0 @@ -#include "align.h" -#include "cbd.h" -#include "consts.h" -#include "ntt.h" -#include "params.h" -#include "poly.h" -#include "reduce.h" -#include "symmetric.h" -#include -#include - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_poly_compress -* -* Description: Compression and subsequent serialization of a polynomial. -* The coefficients of the input polynomial are assumed to -* lie in the invertal [0,q], i.e. the polynomial must be reduced -* by PQCLEAN_KYBER51290S_AVX2_poly_reduce(). -* -* Arguments: - uint8_t *r: pointer to output byte array -* (of length KYBER_POLYCOMPRESSEDBYTES) -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_AVX2_poly_compress(uint8_t r[128], const poly *restrict a) { - unsigned int i; - __m256i f0, f1, f2, f3; - const __m256i v = _mm256_load_si256(&PQCLEAN_KYBER51290S_AVX2_qdata.vec[_16XV / 16]); - const __m256i shift1 = _mm256_set1_epi16(1 << 9); - const __m256i mask = _mm256_set1_epi16(15); - const __m256i shift2 = _mm256_set1_epi16((16 << 8) + 1); - const __m256i permdidx = _mm256_set_epi32(7, 3, 6, 2, 5, 1, 4, 0); - - for (i = 0; i < KYBER_N / 64; i++) { - f0 = _mm256_load_si256(&a->vec[4 * i + 0]); - f1 = _mm256_load_si256(&a->vec[4 * i + 1]); - f2 = _mm256_load_si256(&a->vec[4 * i + 2]); - f3 = _mm256_load_si256(&a->vec[4 * i + 3]); - f0 = _mm256_mulhi_epi16(f0, v); - f1 = _mm256_mulhi_epi16(f1, v); - f2 = _mm256_mulhi_epi16(f2, v); - f3 = _mm256_mulhi_epi16(f3, v); - f0 = _mm256_mulhrs_epi16(f0, shift1); - f1 = _mm256_mulhrs_epi16(f1, shift1); - f2 = _mm256_mulhrs_epi16(f2, shift1); - f3 = _mm256_mulhrs_epi16(f3, shift1); - f0 = _mm256_and_si256(f0, mask); - f1 = _mm256_and_si256(f1, mask); - f2 = _mm256_and_si256(f2, mask); - f3 = _mm256_and_si256(f3, mask); - f0 = _mm256_packus_epi16(f0, f1); - f2 = _mm256_packus_epi16(f2, f3); - f0 = _mm256_maddubs_epi16(f0, shift2); - f2 = 
_mm256_maddubs_epi16(f2, shift2); - f0 = _mm256_packus_epi16(f0, f2); - f0 = _mm256_permutevar8x32_epi32(f0, permdidx); - _mm256_storeu_si256((__m256i *)&r[32 * i], f0); - } -} - -void PQCLEAN_KYBER51290S_AVX2_poly_decompress(poly *restrict r, const uint8_t a[128]) { - unsigned int i; - __m128i t; - __m256i f; - const __m256i q = _mm256_load_si256(&PQCLEAN_KYBER51290S_AVX2_qdata.vec[_16XQ / 16]); - const __m256i shufbidx = _mm256_set_epi8(7, 7, 7, 7, 6, 6, 6, 6, 5, 5, 5, 5, 4, 4, 4, 4, - 3, 3, 3, 3, 2, 2, 2, 2, 1, 1, 1, 1, 0, 0, 0, 0); - const __m256i mask = _mm256_set1_epi32(0x00F0000F); - const __m256i shift = _mm256_set1_epi32((128 << 16) + 2048); - - for (i = 0; i < KYBER_N / 16; i++) { - t = _mm_loadl_epi64((__m128i *)&a[8 * i]); - f = _mm256_broadcastsi128_si256(t); - f = _mm256_shuffle_epi8(f, shufbidx); - f = _mm256_and_si256(f, mask); - f = _mm256_mullo_epi16(f, shift); - f = _mm256_mulhrs_epi16(f, q); - _mm256_store_si256(&r->vec[i], f); - } -} - - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_poly_tobytes -* -* Description: Serialization of a polynomial in NTT representation. -* The coefficients of the input polynomial are assumed to -* lie in the invertal [0,q], i.e. the polynomial must be reduced -* by PQCLEAN_KYBER51290S_AVX2_poly_reduce(). The coefficients are orderd as output by -* PQCLEAN_KYBER51290S_AVX2_poly_ntt(); the serialized output coefficients are in bitreversed -* order. 
-* -* Arguments: - uint8_t *r: pointer to output byte array -* (needs space for KYBER_POLYBYTES bytes) -* - poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_AVX2_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a) { - PQCLEAN_KYBER51290S_AVX2_ntttobytes_avx(r, a->vec, PQCLEAN_KYBER51290S_AVX2_qdata.vec); -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_poly_frombytes -* -* Description: De-serialization of a polynomial; -* inverse of PQCLEAN_KYBER51290S_AVX2_poly_tobytes -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: pointer to input byte array -* (of KYBER_POLYBYTES bytes) -**************************************************/ -void PQCLEAN_KYBER51290S_AVX2_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]) { - PQCLEAN_KYBER51290S_AVX2_nttfrombytes_avx(r->vec, a, PQCLEAN_KYBER51290S_AVX2_qdata.vec); -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_poly_frommsg -* -* Description: Convert 32-byte message to polynomial -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *msg: pointer to input message -**************************************************/ -void PQCLEAN_KYBER51290S_AVX2_poly_frommsg(poly *restrict r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]) { - __m256i f, g0, g1, g2, g3, h0, h1, h2, h3; - const __m256i shift = _mm256_broadcastsi128_si256(_mm_set_epi32(0, 1, 2, 3)); - const __m256i idx = _mm256_broadcastsi128_si256(_mm_set_epi8(15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0)); - const __m256i hqs = _mm256_set1_epi16((KYBER_Q + 1) / 2); - -#define FROMMSG64(i) \ - g3 = _mm256_shuffle_epi32(f,0x55*(i)); \ - g3 = _mm256_sllv_epi32(g3,shift); \ - g3 = _mm256_shuffle_epi8(g3,idx); \ - g0 = _mm256_slli_epi16(g3,12); \ - g1 = _mm256_slli_epi16(g3,8); \ - g2 = _mm256_slli_epi16(g3,4); \ - g0 = _mm256_srai_epi16(g0,15); \ - g1 = 
_mm256_srai_epi16(g1,15); \ - g2 = _mm256_srai_epi16(g2,15); \ - g3 = _mm256_srai_epi16(g3,15); \ - g0 = _mm256_and_si256(g0,hqs); /* 19 18 17 16 3 2 1 0 */ \ - g1 = _mm256_and_si256(g1,hqs); /* 23 22 21 20 7 6 5 4 */ \ - g2 = _mm256_and_si256(g2,hqs); /* 27 26 25 24 11 10 9 8 */ \ - g3 = _mm256_and_si256(g3,hqs); /* 31 30 29 28 15 14 13 12 */ \ - h0 = _mm256_unpacklo_epi64(g0,g1); \ - h2 = _mm256_unpackhi_epi64(g0,g1); \ - h1 = _mm256_unpacklo_epi64(g2,g3); \ - h3 = _mm256_unpackhi_epi64(g2,g3); \ - g0 = _mm256_permute2x128_si256(h0,h1,0x20); \ - g2 = _mm256_permute2x128_si256(h0,h1,0x31); \ - g1 = _mm256_permute2x128_si256(h2,h3,0x20); \ - g3 = _mm256_permute2x128_si256(h2,h3,0x31); \ - _mm256_store_si256(&r->vec[0+2*(i)+0],g0); \ - _mm256_store_si256(&r->vec[0+2*(i)+1],g1); \ - _mm256_store_si256(&r->vec[8+2*(i)+0],g2); \ - _mm256_store_si256(&r->vec[8+2*(i)+1],g3) - - f = _mm256_loadu_si256((__m256i *)msg); - FROMMSG64(0); - FROMMSG64(1); - FROMMSG64(2); - FROMMSG64(3); -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_poly_tomsg -* -* Description: Convert polynomial to 32-byte message. -* The coefficients of the input polynomial are assumed to -* lie in the invertal [0,q], i.e. the polynomial must be reduced -* by PQCLEAN_KYBER51290S_AVX2_poly_reduce(). 
-* -* Arguments: - uint8_t *msg: pointer to output message -* - poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_AVX2_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *restrict a) { - unsigned int i; - uint32_t small; - __m256i f0, f1, g0, g1; - const __m256i hq = _mm256_set1_epi16((KYBER_Q - 1) / 2); - const __m256i hhq = _mm256_set1_epi16((KYBER_Q - 1) / 4); - - for (i = 0; i < KYBER_N / 32; i++) { - f0 = _mm256_load_si256(&a->vec[2 * i + 0]); - f1 = _mm256_load_si256(&a->vec[2 * i + 1]); - f0 = _mm256_sub_epi16(hq, f0); - f1 = _mm256_sub_epi16(hq, f1); - g0 = _mm256_srai_epi16(f0, 15); - g1 = _mm256_srai_epi16(f1, 15); - f0 = _mm256_xor_si256(f0, g0); - f1 = _mm256_xor_si256(f1, g1); - f0 = _mm256_sub_epi16(f0, hhq); - f1 = _mm256_sub_epi16(f1, hhq); - f0 = _mm256_packs_epi16(f0, f1); - small = _mm256_movemask_epi8(f0); - msg[4 * i + 0] = small; - msg[4 * i + 1] = small >> 16; - msg[4 * i + 2] = small >> 8; - msg[4 * i + 3] = small >> 24; - } -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_poly_getnoise_eta1 -* -* Description: Sample a polynomial deterministically from a seed and a nonce, -* with output polynomial close to centered binomial distribution -* with parameter KYBER_ETA1 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *seed: pointer to input seed -* (of length KYBER_SYMBYTES bytes) -* - uint8_t nonce: one-byte input nonce -**************************************************/ -void PQCLEAN_KYBER51290S_AVX2_poly_getnoise_eta1(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce) { - ALIGNED_UINT8(KYBER_ETA1 * KYBER_N / 4 + 32) buf; // +32 bytes as required by PQCLEAN_KYBER51290S_AVX2_poly_cbd_eta1 - prf(buf.coeffs, KYBER_ETA1 * KYBER_N / 4, seed, nonce); - PQCLEAN_KYBER51290S_AVX2_poly_cbd_eta1(r, buf.vec); -} - -/************************************************* -* Name: 
PQCLEAN_KYBER51290S_AVX2_poly_getnoise_eta2 -* -* Description: Sample a polynomial deterministically from a seed and a nonce, -* with output polynomial close to centered binomial distribution -* with parameter KYBER_ETA2 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *seed: pointer to input seed -* (of length KYBER_SYMBYTES bytes) -* - uint8_t nonce: one-byte input nonce -**************************************************/ -void PQCLEAN_KYBER51290S_AVX2_poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce) { - ALIGNED_UINT8(KYBER_ETA2 * KYBER_N / 4) buf; - prf(buf.coeffs, KYBER_ETA2 * KYBER_N / 4, seed, nonce); - PQCLEAN_KYBER51290S_AVX2_poly_cbd_eta2(r, buf.vec); -} - - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_poly_ntt -* -* Description: Computes negacyclic number-theoretic transform (NTT) of -* a polynomial in place. -* Input coefficients assumed to be in normal order, -* output coefficients are in special order that is natural -* for the vectorization. Input coefficients are assumed to be -* bounded by q in absolute value, output coefficients are bounded -* by 16118 in absolute value. -* -* Arguments: - poly *r: pointer to in/output polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_AVX2_poly_ntt(poly *r) { - PQCLEAN_KYBER51290S_AVX2_ntt_avx(r->vec, PQCLEAN_KYBER51290S_AVX2_qdata.vec); -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_poly_invntt_tomont -* -* Description: Computes inverse of negacyclic number-theoretic transform (NTT) -* of a polynomial in place; -* Input coefficients assumed to be in special order from vectorized -* forward ntt, output in normal order. Input coefficients can be -* arbitrary 16-bit integers, output coefficients are bounded by 14870 -* in absolute value. 
-* -* Arguments: - poly *a: pointer to in/output polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_AVX2_poly_invntt_tomont(poly *r) { - PQCLEAN_KYBER51290S_AVX2_invntt_avx(r->vec, PQCLEAN_KYBER51290S_AVX2_qdata.vec); -} - -void PQCLEAN_KYBER51290S_AVX2_poly_nttunpack(poly *r) { - PQCLEAN_KYBER51290S_AVX2_nttunpack_avx(r->vec, PQCLEAN_KYBER51290S_AVX2_qdata.vec); -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_poly_basemul_montgomery -* -* Description: Multiplication of two polynomials in NTT domain. -* One of the input polynomials needs to have coefficients -* bounded by q, the other polynomial can have arbitrary -* coefficients. Output coefficients are bounded by 6656. -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_AVX2_poly_basemul_montgomery(poly *r, const poly *a, const poly *b) { - PQCLEAN_KYBER51290S_AVX2_basemul_avx(r->vec, a->vec, b->vec, PQCLEAN_KYBER51290S_AVX2_qdata.vec); -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_poly_tomont -* -* Description: Inplace conversion of all coefficients of a polynomial -* from normal domain to Montgomery domain -* -* Arguments: - poly *r: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_AVX2_poly_tomont(poly *r) { - PQCLEAN_KYBER51290S_AVX2_tomont_avx(r->vec, PQCLEAN_KYBER51290S_AVX2_qdata.vec); -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_poly_reduce -* -* Description: Applies Barrett reduction to all coefficients of a polynomial -* for details of the Barrett reduction see comments in reduce.c -* -* Arguments: - poly *r: pointer to input/output polynomial 
-**************************************************/ -void PQCLEAN_KYBER51290S_AVX2_poly_reduce(poly *r) { - PQCLEAN_KYBER51290S_AVX2_reduce_avx(r->vec, PQCLEAN_KYBER51290S_AVX2_qdata.vec); -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_poly_add -* -* Description: Add two polynomials. No modular reduction -* is performed. -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_AVX2_poly_add(poly *r, const poly *a, const poly *b) { - unsigned int i; - __m256i f0, f1; - - for (i = 0; i < KYBER_N / 16; i++) { - f0 = _mm256_load_si256(&a->vec[i]); - f1 = _mm256_load_si256(&b->vec[i]); - f0 = _mm256_add_epi16(f0, f1); - _mm256_store_si256(&r->vec[i], f0); - } -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_poly_sub -* -* Description: Subtract two polynomials. No modular reduction -* is performed. -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_AVX2_poly_sub(poly *r, const poly *a, const poly *b) { - unsigned int i; - __m256i f0, f1; - - for (i = 0; i < KYBER_N / 16; i++) { - f0 = _mm256_load_si256(&a->vec[i]); - f1 = _mm256_load_si256(&b->vec[i]); - f0 = _mm256_sub_epi16(f0, f1); - _mm256_store_si256(&r->vec[i], f0); - } -} diff --git a/crypto_kem/kyber512-90s/avx2/poly.h b/crypto_kem/kyber512-90s/avx2/poly.h deleted file mode 100644 index 152e6644..00000000 --- a/crypto_kem/kyber512-90s/avx2/poly.h +++ /dev/null 
@@ -1,36 +0,0 @@ -#ifndef PQCLEAN_KYBER51290S_AVX2_POLY_H -#define PQCLEAN_KYBER51290S_AVX2_POLY_H -#include "align.h" -#include "params.h" -#include -#include - -typedef ALIGNED_INT16(KYBER_N) poly; - -void PQCLEAN_KYBER51290S_AVX2_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const poly *a); -void PQCLEAN_KYBER51290S_AVX2_poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]); - -void PQCLEAN_KYBER51290S_AVX2_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a); -void PQCLEAN_KYBER51290S_AVX2_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]); - -void PQCLEAN_KYBER51290S_AVX2_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]); -void PQCLEAN_KYBER51290S_AVX2_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *a); - -void PQCLEAN_KYBER51290S_AVX2_poly_getnoise_eta1(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); - -void PQCLEAN_KYBER51290S_AVX2_poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); - - - -void PQCLEAN_KYBER51290S_AVX2_poly_ntt(poly *r); -void PQCLEAN_KYBER51290S_AVX2_poly_invntt_tomont(poly *r); -void PQCLEAN_KYBER51290S_AVX2_poly_nttunpack(poly *r); -void PQCLEAN_KYBER51290S_AVX2_poly_basemul_montgomery(poly *r, const poly *a, const poly *b); -void PQCLEAN_KYBER51290S_AVX2_poly_tomont(poly *r); - -void PQCLEAN_KYBER51290S_AVX2_poly_reduce(poly *r); - -void PQCLEAN_KYBER51290S_AVX2_poly_add(poly *r, const poly *a, const poly *b); -void PQCLEAN_KYBER51290S_AVX2_poly_sub(poly *r, const poly *a, const poly *b); - -#endif diff --git a/crypto_kem/kyber512-90s/avx2/polyvec.c b/crypto_kem/kyber512-90s/avx2/polyvec.c deleted file mode 100644 index d3a369e8..00000000 --- a/crypto_kem/kyber512-90s/avx2/polyvec.c +++ /dev/null 
@@ -1,224 +0,0 @@ -#include "consts.h" -#include "ntt.h" -#include "params.h" -#include "poly.h" -#include "polyvec.h" -#include -#include - -static void poly_compress10(uint8_t r[320], const poly *restrict a) { - size_t i; - uint32_t low; - __m256i f0, f1, f2; - __m128i t0, t1; - const __m256i v = _mm256_load_si256(&PQCLEAN_KYBER51290S_AVX2_qdata.vec[_16XV / 16]); - const __m256i v8 = _mm256_slli_epi16(v, 3); - const __m256i off = _mm256_set1_epi16(15); - const __m256i shift1 = _mm256_set1_epi16(1 << 12); - const __m256i mask = _mm256_set1_epi16(1023); - const __m256i shift2 = _mm256_set1_epi64x((1024LL << 48) + (1LL << 32) + (1024 << 16) + 1); - const __m256i sllvdidx = _mm256_set1_epi64x(12); - const __m256i shufbidx = _mm256_set_epi8( 8, 4, 3, 2, 1, 0, -1, -1, -1, -1, -1, -1, 12, 11, 10, 9, - -1, -1, -1, -1, -1, -1, 12, 11, 10, 9, 8, 4, 3, 2, 1, 0); - - for (i = 0; i < KYBER_N / 16; i++) { - f0 = _mm256_load_si256(&a->vec[i]); - f1 = _mm256_mullo_epi16(f0, v8); - f2 = _mm256_add_epi16(f0, off); - f0 = _mm256_slli_epi16(f0, 3); - f0 = _mm256_mulhi_epi16(f0, v); - f2 = _mm256_sub_epi16(f1, f2); - f1 = _mm256_andnot_si256(f1, f2); - f1 = _mm256_srli_epi16(f1, 15); - f0 = _mm256_sub_epi16(f0, f1); - f0 = _mm256_mulhrs_epi16(f0, shift1); - f0 = _mm256_and_si256(f0, mask); - f0 = _mm256_madd_epi16(f0, shift2); - f0 = _mm256_sllv_epi32(f0, sllvdidx); - f0 = _mm256_srli_epi64(f0, 12); - f0 = _mm256_shuffle_epi8(f0, shufbidx); - t0 = _mm256_castsi256_si128(f0); - t1 = _mm256_extracti128_si256(f0, 1); - t0 = _mm_blend_epi16(t0, t1, 0xE0); - _mm_storeu_si128((__m128i *)&r[20 * i + 0], t0); - _mm_store_ss((float *)&low, _mm_castsi128_ps(t1)); - r[20 * i + 16] = (uint8_t)low; - r[20 * i + 17] = (uint8_t)(low >> 0x08); - r[20 * i + 18] = (uint8_t)(low >> 0x10); - r[20 * i + 19] = (uint8_t)(low >> 0x18); - } -} - -static void poly_decompress10(poly *restrict r, const uint8_t a[320 + 12]) { - size_t i; - __m256i f; - const __m256i q = _mm256_set1_epi32((KYBER_Q << 16) + 4 * 
KYBER_Q); - const __m256i shufbidx = _mm256_set_epi8(11, 10, 10, 9, 9, 8, 8, 7, - 6, 5, 5, 4, 4, 3, 3, 2, - 9, 8, 8, 7, 7, 6, 6, 5, - 4, 3, 3, 2, 2, 1, 1, 0); - const __m256i sllvdidx = _mm256_set1_epi64x(4); - const __m256i mask = _mm256_set1_epi32((32736 << 16) + 8184); - - for (i = 0; i < KYBER_N / 16; i++) { - f = _mm256_loadu_si256((__m256i *)&a[20 * i]); - f = _mm256_permute4x64_epi64(f, 0x94); - f = _mm256_shuffle_epi8(f, shufbidx); - f = _mm256_sllv_epi32(f, sllvdidx); - f = _mm256_srli_epi16(f, 1); - f = _mm256_and_si256(f, mask); - f = _mm256_mulhrs_epi16(f, q); - _mm256_store_si256(&r->vec[i], f); - } -} - - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_polyvec_compress -* -* Description: Compress and serialize vector of polynomials -* -* Arguments: - uint8_t *r: pointer to output byte array -* (needs space for KYBER_POLYVECCOMPRESSEDBYTES) -* - polyvec *a: pointer to input vector of polynomials -**************************************************/ -void PQCLEAN_KYBER51290S_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES + 2], polyvec *a) { - size_t i; - - for (i = 0; i < KYBER_K; i++) { - poly_compress10(&r[320 * i], &a->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_polyvec_decompress -* -* Description: De-serialize and decompress vector of polynomials; -* approximate inverse of PQCLEAN_KYBER51290S_AVX2_polyvec_compress -* -* Arguments: - polyvec *r: pointer to output vector of polynomials -* - const uint8_t *a: pointer to input byte array -* (of length KYBER_POLYVECCOMPRESSEDBYTES) -**************************************************/ -void PQCLEAN_KYBER51290S_AVX2_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES + 12]) { - size_t i; - - for (i = 0; i < KYBER_K; i++) { - poly_decompress10(&r->vec[i], &a[320 * i]); - } -} - -/************************************************* -* Name: 
PQCLEAN_KYBER51290S_AVX2_polyvec_tobytes -* -* Description: Serialize vector of polynomials -* -* Arguments: - uint8_t *r: pointer to output byte array -* (needs space for KYBER_POLYVECBYTES) -* - polyvec *a: pointer to input vector of polynomials -**************************************************/ -void PQCLEAN_KYBER51290S_AVX2_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a) { - size_t i; - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_AVX2_poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_polyvec_frombytes -* -* Description: De-serialize vector of polynomials; -* inverse of PQCLEAN_KYBER51290S_AVX2_polyvec_tobytes -* -* Arguments: - uint8_t *r: pointer to output byte array -* - const polyvec *a: pointer to input vector of polynomials -* (of length KYBER_POLYVECBYTES) -**************************************************/ -void PQCLEAN_KYBER51290S_AVX2_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]) { - size_t i; - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_AVX2_poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES); - } -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_polyvec_ntt -* -* Description: Apply forward NTT to all elements of a vector of polynomials -* -* Arguments: - polyvec *r: pointer to in/output vector of polynomials -**************************************************/ -void PQCLEAN_KYBER51290S_AVX2_polyvec_ntt(polyvec *r) { - size_t i; - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_AVX2_poly_ntt(&r->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_polyvec_invntt_tomont -* -* Description: Apply inverse NTT to all elements of a vector of polynomials -* and multiply by Montgomery factor 2^16 -* -* Arguments: - polyvec *r: pointer to in/output vector of polynomials 
-**************************************************/ -void PQCLEAN_KYBER51290S_AVX2_polyvec_invntt_tomont(polyvec *r) { - size_t i; - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_AVX2_poly_invntt_tomont(&r->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_polyvec_basemul_acc_montgomery -* -* Description: Multiply elements in a and b in NTT domain, accumulate into r, -* and multiply by 2^-16. -* -* Arguments: - poly *r: pointer to output polynomial -* - const polyvec *a: pointer to first input vector of polynomials -* - const polyvec *b: pointer to second input vector of polynomials -**************************************************/ -void PQCLEAN_KYBER51290S_AVX2_polyvec_basemul_acc_montgomery(poly *r, const polyvec *a, const polyvec *b) { - size_t i; - poly tmp; - - PQCLEAN_KYBER51290S_AVX2_poly_basemul_montgomery(r, &a->vec[0], &b->vec[0]); - for (i = 1; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_AVX2_poly_basemul_montgomery(&tmp, &a->vec[i], &b->vec[i]); - PQCLEAN_KYBER51290S_AVX2_poly_add(r, r, &tmp); - } -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_polyvec_reduce -* -* Description: Applies Barrett reduction to each coefficient -* of each element of a vector of polynomials; -* for details of the Barrett reduction see comments in reduce.c -* -* Arguments: - polyvec *r: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_AVX2_polyvec_reduce(polyvec *r) { - size_t i; - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_AVX2_poly_reduce(&r->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_polyvec_add -* -* Description: Add vectors of polynomials -* -* Arguments: - polyvec *r: pointer to output vector of polynomials -* - const polyvec *a: pointer to first input vector of polynomials -* - const polyvec *b: pointer to second input vector of 
polynomials -**************************************************/ -void PQCLEAN_KYBER51290S_AVX2_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) { - size_t i; - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_AVX2_poly_add(&r->vec[i], &a->vec[i], &b->vec[i]); - } -} diff --git a/crypto_kem/kyber512-90s/avx2/polyvec.h b/crypto_kem/kyber512-90s/avx2/polyvec.h deleted file mode 100644 index 404e6e8f..00000000 --- a/crypto_kem/kyber512-90s/avx2/polyvec.h +++ /dev/null @@ -1,26 +0,0 @@ -#ifndef PQCLEAN_KYBER51290S_AVX2_POLYVEC_H -#define PQCLEAN_KYBER51290S_AVX2_POLYVEC_H -#include "params.h" -#include "poly.h" -#include - -typedef struct { - poly vec[KYBER_K]; -} polyvec; - -void PQCLEAN_KYBER51290S_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES + 2], polyvec *a); -void PQCLEAN_KYBER51290S_AVX2_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES + 12]); - -void PQCLEAN_KYBER51290S_AVX2_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a); -void PQCLEAN_KYBER51290S_AVX2_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]); - -void PQCLEAN_KYBER51290S_AVX2_polyvec_ntt(polyvec *r); -void PQCLEAN_KYBER51290S_AVX2_polyvec_invntt_tomont(polyvec *r); - -void PQCLEAN_KYBER51290S_AVX2_polyvec_basemul_acc_montgomery(poly *r, const polyvec *a, const polyvec *b); - -void PQCLEAN_KYBER51290S_AVX2_polyvec_reduce(polyvec *r); - -void PQCLEAN_KYBER51290S_AVX2_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b); - -#endif diff --git a/crypto_kem/kyber512-90s/avx2/reduce.h b/crypto_kem/kyber512-90s/avx2/reduce.h deleted file mode 100644 index 38bcb00e..00000000 --- a/crypto_kem/kyber512-90s/avx2/reduce.h +++ /dev/null 
@@ -1,9 +0,0 @@ -#ifndef PQCLEAN_KYBER51290S_AVX2_REDUCE_H -#define PQCLEAN_KYBER51290S_AVX2_REDUCE_H -#include "params.h" -#include - -void PQCLEAN_KYBER51290S_AVX2_reduce_avx(__m256i *r, const __m256i *PQCLEAN_KYBER51290S_AVX2_qdata); -void PQCLEAN_KYBER51290S_AVX2_tomont_avx(__m256i *r, const __m256i *PQCLEAN_KYBER51290S_AVX2_qdata); - -#endif diff --git a/crypto_kem/kyber512-90s/avx2/rejsample.c b/crypto_kem/kyber512-90s/avx2/rejsample.c deleted file mode 100644 index f5cd0d0e..00000000 --- a/crypto_kem/kyber512-90s/avx2/rejsample.c +++ /dev/null 
@@ -1,126 +0,0 @@ -#include "align.h" -#include "consts.h" -#include "params.h" -#include "rejsample.h" -#include -#include -#include - -//#define BMI - - -#define _mm256_cmpge_epu16(a, b) _mm256_cmpeq_epi16(_mm256_max_epu16(a, b), a) -#define _mm_cmpge_epu16(a, b) _mm_cmpeq_epi16(_mm_max_epu16(a, b), a) - -unsigned int PQCLEAN_KYBER51290S_AVX2_rej_uniform_avx(int16_t *restrict r, const uint8_t *buf) { - unsigned int ctr, pos; - uint16_t val0, val1; - uint32_t good; - uint64_t idx0, idx1, idx2, idx3; - const __m256i bound = _mm256_load_si256(&PQCLEAN_KYBER51290S_AVX2_qdata.vec[_16XQ / 16]); - const __m256i ones = _mm256_set1_epi8(1); - const __m256i mask = _mm256_set1_epi16(0xFFF); - const __m256i idx8 = _mm256_set_epi8(15, 14, 14, 13, 12, 11, 11, 10, - 9, 8, 8, 7, 6, 5, 5, 4, - 11, 10, 10, 9, 8, 7, 7, 6, - 5, 4, 4, 3, 2, 1, 1, 0); - __m256i f0, f1, g0, g1, g2, g3; - __m128i f, t, pilo, pihi; - - ctr = pos = 0; - while (ctr <= KYBER_N - 32 && pos <= REJ_UNIFORM_AVX_BUFLEN - 48) { - f0 = _mm256_loadu_si256((__m256i *)&buf[pos]); - f1 = _mm256_loadu_si256((__m256i *)&buf[pos + 24]); - f0 = _mm256_permute4x64_epi64(f0, 0x94); - f1 = _mm256_permute4x64_epi64(f1, 0x94); - f0 = _mm256_shuffle_epi8(f0, idx8); - f1 = _mm256_shuffle_epi8(f1, idx8); - g0 = _mm256_srli_epi16(f0, 4); - g1 = _mm256_srli_epi16(f1, 4); - f0 = _mm256_blend_epi16(f0, g0, 0xAA); - f1 = _mm256_blend_epi16(f1, g1, 0xAA); - f0 = _mm256_and_si256(f0, mask); - f1 = _mm256_and_si256(f1, mask); - pos += 48; - - g0 = _mm256_cmpgt_epi16(bound, f0); - g1 = _mm256_cmpgt_epi16(bound, f1); - - g0 = _mm256_packs_epi16(g0, g1); - good = _mm256_movemask_epi8(g0); - - idx0 = _pdep_u64(good >> 0, 0x0101010101010101); - idx1 = _pdep_u64(good >> 8, 0x0101010101010101); - idx2 = _pdep_u64(good >> 16, 0x0101010101010101); - idx3 = _pdep_u64(good >> 24, 0x0101010101010101); - idx0 = (idx0 << 8) - idx0; - idx0 = _pext_u64(0x0E0C0A0806040200, idx0); - idx1 = (idx1 << 8) - idx1; - idx1 = _pext_u64(0x0E0C0A0806040200, idx1); 
- idx2 = (idx2 << 8) - idx2; - idx2 = _pext_u64(0x0E0C0A0806040200, idx2); - idx3 = (idx3 << 8) - idx3; - idx3 = _pext_u64(0x0E0C0A0806040200, idx3); - - g0 = _mm256_castsi128_si256(_mm_cvtsi64_si128(idx0)); - g1 = _mm256_castsi128_si256(_mm_cvtsi64_si128(idx1)); - g0 = _mm256_inserti128_si256(g0, _mm_cvtsi64_si128(idx2), 1); - g1 = _mm256_inserti128_si256(g1, _mm_cvtsi64_si128(idx3), 1); - - g2 = _mm256_add_epi8(g0, ones); - g3 = _mm256_add_epi8(g1, ones); - g0 = _mm256_unpacklo_epi8(g0, g2); - g1 = _mm256_unpacklo_epi8(g1, g3); - - f0 = _mm256_shuffle_epi8(f0, g0); - f1 = _mm256_shuffle_epi8(f1, g1); - - _mm_storeu_si128((__m128i *)&r[ctr], _mm256_castsi256_si128(f0)); - ctr += _mm_popcnt_u32((good >> 0) & 0xFF); - _mm_storeu_si128((__m128i *)&r[ctr], _mm256_extracti128_si256(f0, 1)); - ctr += _mm_popcnt_u32((good >> 16) & 0xFF); - _mm_storeu_si128((__m128i *)&r[ctr], _mm256_castsi256_si128(f1)); - ctr += _mm_popcnt_u32((good >> 8) & 0xFF); - _mm_storeu_si128((__m128i *)&r[ctr], _mm256_extracti128_si256(f1, 1)); - ctr += _mm_popcnt_u32((good >> 24) & 0xFF); - } - - while (ctr <= KYBER_N - 8 && pos <= REJ_UNIFORM_AVX_BUFLEN - 12) { - f = _mm_loadu_si128((__m128i *)&buf[pos]); - f = _mm_shuffle_epi8(f, _mm256_castsi256_si128(idx8)); - t = _mm_srli_epi16(f, 4); - f = _mm_blend_epi16(f, t, 0xAA); - f = _mm_and_si128(f, _mm256_castsi256_si128(mask)); - pos += 12; - - t = _mm_cmpgt_epi16(_mm256_castsi256_si128(bound), f); - good = _mm_movemask_epi8(t); - - good &= 0x5555; - idx0 = _pdep_u64(good, 0x1111111111111111); - idx0 = (idx0 << 8) - idx0; - idx0 = _pext_u64(0x0E0C0A0806040200, idx0); - pilo = _mm_cvtsi64_si128(idx0); - - pihi = _mm_add_epi8(pilo, _mm256_castsi256_si128(ones)); - pilo = _mm_unpacklo_epi8(pilo, pihi); - f = _mm_shuffle_epi8(f, pilo); - _mm_storeu_si128((__m128i *)&r[ctr], f); - ctr += _mm_popcnt_u32(good); - } - - while (ctr < KYBER_N && pos <= REJ_UNIFORM_AVX_BUFLEN - 3) { - val0 = ((buf[pos + 0] >> 0) | ((uint16_t)buf[pos + 1] << 8)) & 0xFFF; - 
val1 = ((buf[pos + 1] >> 4) | ((uint16_t)buf[pos + 2] << 4));
- pos += 3;
-
- if (val0 < KYBER_Q) {
- r[ctr++] = val0;
- }
- if (val1 < KYBER_Q && ctr < KYBER_N) {
- r[ctr++] = val1;
- }
- }
-
- return ctr;
-}
diff --git a/crypto_kem/kyber512-90s/avx2/rejsample.h b/crypto_kem/kyber512-90s/avx2/rejsample.h
deleted file mode 100644
index 972fbe27..00000000
--- a/crypto_kem/kyber512-90s/avx2/rejsample.h
+++ /dev/null
@@ -1,12 +0,0 @@
-#ifndef PQCLEAN_KYBER51290S_AVX2_REJSAMPLE_H
-#define PQCLEAN_KYBER51290S_AVX2_REJSAMPLE_H
-#include "params.h"
-#include "symmetric.h"
-#include
-
-#define REJ_UNIFORM_AVX_NBLOCKS ((12*KYBER_N/8*(1 << 12)/KYBER_Q + XOF_BLOCKBYTES)/XOF_BLOCKBYTES)
-#define REJ_UNIFORM_AVX_BUFLEN (REJ_UNIFORM_AVX_NBLOCKS*XOF_BLOCKBYTES)
-
-unsigned int PQCLEAN_KYBER51290S_AVX2_rej_uniform_avx(int16_t *r, const uint8_t *buf);
-
-#endif
diff --git a/crypto_kem/kyber512-90s/avx2/shuffle.S b/crypto_kem/kyber512-90s/avx2/shuffle.S
deleted file mode 100644
index 4385e096..00000000
--- a/crypto_kem/kyber512-90s/avx2/shuffle.S
+++ /dev/null
@@ -1,261 +0,0 @@
-#include "cdecl.h"
-.include "fq.inc"
-.include "shuffle.inc"
-
-/*
-nttpack_avx:
-#load
-vmovdqa (%rdi),%ymm4
-vmovdqa 32(%rdi),%ymm5
-vmovdqa 64(%rdi),%ymm6
-vmovdqa 96(%rdi),%ymm7
-vmovdqa 128(%rdi),%ymm8
-vmovdqa 160(%rdi),%ymm9
-vmovdqa 192(%rdi),%ymm10
-vmovdqa 224(%rdi),%ymm11
-
-shuffle1 4,5,3,5
-shuffle1 6,7,4,7
-shuffle1 8,9,6,9
-shuffle1 10,11,8,11
-
-shuffle2 3,4,10,4
-shuffle2 6,8,3,8
-shuffle2 5,7,6,7
-shuffle2 9,11,5,11
-
-shuffle4 10,3,9,3
-shuffle4 6,5,10,5
-shuffle4 4,8,6,8
-shuffle4 7,11,4,11
-
-shuffle8 9,10,7,10
-shuffle8 6,4,9,4
-shuffle8 3,5,6,5
-shuffle8 8,11,3,11
-
-#store
-vmovdqa %ymm7,(%rdi)
-vmovdqa %ymm9,32(%rdi)
-vmovdqa %ymm6,64(%rdi)
-vmovdqa %ymm3,96(%rdi)
-vmovdqa %ymm10,128(%rdi)
-vmovdqa %ymm4,160(%rdi)
-vmovdqa %ymm5,192(%rdi)
-vmovdqa %ymm11,224(%rdi)
-
-ret
-*/
-
-.text
-nttunpack128_avx:
-#load
-vmovdqa (%rdi),%ymm4
-vmovdqa 32(%rdi),%ymm5
-vmovdqa 64(%rdi),%ymm6
-vmovdqa 96(%rdi),%ymm7
-vmovdqa 128(%rdi),%ymm8
-vmovdqa 160(%rdi),%ymm9
-vmovdqa 192(%rdi),%ymm10
-vmovdqa 224(%rdi),%ymm11
-
-shuffle8 4,8,3,8
-shuffle8 5,9,4,9
-shuffle8 6,10,5,10
-shuffle8 7,11,6,11
-
-shuffle4 3,5,7,5
-shuffle4 8,10,3,10
-shuffle4 4,6,8,6
-shuffle4 9,11,4,11
-
-shuffle2 7,8,9,8
-shuffle2 5,6,7,6
-shuffle2 3,4,5,4
-shuffle2 10,11,3,11
-
-shuffle1 9,5,10,5
-shuffle1 8,4,9,4
-shuffle1 7,3,8,3
-shuffle1 6,11,7,11
-
-#store
-vmovdqa %ymm10,(%rdi)
-vmovdqa %ymm5,32(%rdi)
-vmovdqa %ymm9,64(%rdi)
-vmovdqa %ymm4,96(%rdi)
-vmovdqa %ymm8,128(%rdi)
-vmovdqa %ymm3,160(%rdi)
-vmovdqa %ymm7,192(%rdi)
-vmovdqa %ymm11,224(%rdi)
-
-ret
-
-.global cdecl(PQCLEAN_KYBER51290S_AVX2_nttunpack_avx)
-.global _cdecl(PQCLEAN_KYBER51290S_AVX2_nttunpack_avx)
-cdecl(PQCLEAN_KYBER51290S_AVX2_nttunpack_avx):
-_cdecl(PQCLEAN_KYBER51290S_AVX2_nttunpack_avx):
-call nttunpack128_avx
-add $256,%rdi
-call nttunpack128_avx
-ret
-
-ntttobytes128_avx:
-#load
-vmovdqa (%rsi),%ymm5
-vmovdqa 32(%rsi),%ymm6
-vmovdqa 64(%rsi),%ymm7
-vmovdqa 96(%rsi),%ymm8
-vmovdqa 
128(%rsi),%ymm9
-vmovdqa 160(%rsi),%ymm10
-vmovdqa 192(%rsi),%ymm11
-vmovdqa 224(%rsi),%ymm12
-
-#csubq
-csubq 5,13
-csubq 6,13
-csubq 7,13
-csubq 8,13
-csubq 9,13
-csubq 10,13
-csubq 11,13
-csubq 12,13
-
-#bitpack
-vpsllw $12,%ymm6,%ymm4
-vpor %ymm4,%ymm5,%ymm4
-
-vpsrlw $4,%ymm6,%ymm5
-vpsllw $8,%ymm7,%ymm6
-vpor %ymm5,%ymm6,%ymm5
-
-vpsrlw $8,%ymm7,%ymm6
-vpsllw $4,%ymm8,%ymm7
-vpor %ymm6,%ymm7,%ymm6
-
-vpsllw $12,%ymm10,%ymm7
-vpor %ymm7,%ymm9,%ymm7
-
-vpsrlw $4,%ymm10,%ymm8
-vpsllw $8,%ymm11,%ymm9
-vpor %ymm8,%ymm9,%ymm8
-
-vpsrlw $8,%ymm11,%ymm9
-vpsllw $4,%ymm12,%ymm10
-vpor %ymm9,%ymm10,%ymm9
-
-shuffle1 4,5,3,5
-shuffle1 6,7,4,7
-shuffle1 8,9,6,9
-
-shuffle2 3,4,8,4
-shuffle2 6,5,3,5
-shuffle2 7,9,6,9
-
-shuffle4 8,3,7,3
-shuffle4 6,4,8,4
-shuffle4 5,9,6,9
-
-shuffle8 7,8,5,8
-shuffle8 6,3,7,3
-shuffle8 4,9,6,9
-
-#store
-vmovdqu %ymm5,(%rdi)
-vmovdqu %ymm7,32(%rdi)
-vmovdqu %ymm6,64(%rdi)
-vmovdqu %ymm8,96(%rdi)
-vmovdqu %ymm3,128(%rdi)
-vmovdqu %ymm9,160(%rdi)
-
-ret
-
-.global cdecl(PQCLEAN_KYBER51290S_AVX2_ntttobytes_avx)
-.global _cdecl(PQCLEAN_KYBER51290S_AVX2_ntttobytes_avx)
-cdecl(PQCLEAN_KYBER51290S_AVX2_ntttobytes_avx):
-_cdecl(PQCLEAN_KYBER51290S_AVX2_ntttobytes_avx):
-#consts
-vmovdqa _16XQ*2(%rdx),%ymm0
-call ntttobytes128_avx
-add $256,%rsi
-add $192,%rdi
-call ntttobytes128_avx
-ret
-
-nttfrombytes128_avx:
-#load
-vmovdqu (%rsi),%ymm4
-vmovdqu 32(%rsi),%ymm5
-vmovdqu 64(%rsi),%ymm6
-vmovdqu 96(%rsi),%ymm7
-vmovdqu 128(%rsi),%ymm8
-vmovdqu 160(%rsi),%ymm9
-
-shuffle8 4,7,3,7
-shuffle8 5,8,4,8
-shuffle8 6,9,5,9
-
-shuffle4 3,8,6,8
-shuffle4 7,5,3,5
-shuffle4 4,9,7,9
-
-shuffle2 6,5,4,5
-shuffle2 8,7,6,7
-shuffle2 3,9,8,9
-
-shuffle1 4,7,10,7
-shuffle1 5,8,4,8
-shuffle1 6,9,5,9
-
-#bitunpack
-vpsrlw $12,%ymm10,%ymm11
-vpsllw $4,%ymm7,%ymm12
-vpor %ymm11,%ymm12,%ymm11
-vpand %ymm0,%ymm10,%ymm10
-vpand %ymm0,%ymm11,%ymm11
-
-vpsrlw $8,%ymm7,%ymm12
-vpsllw $8,%ymm4,%ymm13
-vpor %ymm12,%ymm13,%ymm12
-vpand %ymm0,%ymm12,%ymm12
-
-vpsrlw 
$4,%ymm4,%ymm13
-vpand %ymm0,%ymm13,%ymm13
-
-vpsrlw $12,%ymm8,%ymm14
-vpsllw $4,%ymm5,%ymm15
-vpor %ymm14,%ymm15,%ymm14
-vpand %ymm0,%ymm8,%ymm8
-vpand %ymm0,%ymm14,%ymm14
-
-vpsrlw $8,%ymm5,%ymm15
-vpsllw $8,%ymm9,%ymm1
-vpor %ymm15,%ymm1,%ymm15
-vpand %ymm0,%ymm15,%ymm15
-
-vpsrlw $4,%ymm9,%ymm1
-vpand %ymm0,%ymm1,%ymm1
-
-#store
-vmovdqa %ymm10,(%rdi)
-vmovdqa %ymm11,32(%rdi)
-vmovdqa %ymm12,64(%rdi)
-vmovdqa %ymm13,96(%rdi)
-vmovdqa %ymm8,128(%rdi)
-vmovdqa %ymm14,160(%rdi)
-vmovdqa %ymm15,192(%rdi)
-vmovdqa %ymm1,224(%rdi)
-
-ret
-
-.global cdecl(PQCLEAN_KYBER51290S_AVX2_nttfrombytes_avx)
-.global _cdecl(PQCLEAN_KYBER51290S_AVX2_nttfrombytes_avx)
-cdecl(PQCLEAN_KYBER51290S_AVX2_nttfrombytes_avx):
-_cdecl(PQCLEAN_KYBER51290S_AVX2_nttfrombytes_avx):
-#consts
-vmovdqa _16XMASK*2(%rdx),%ymm0
-call nttfrombytes128_avx
-add $256,%rdi
-add $192,%rsi
-call nttfrombytes128_avx
-ret
diff --git a/crypto_kem/kyber512-90s/avx2/shuffle.inc b/crypto_kem/kyber512-90s/avx2/shuffle.inc
deleted file mode 100644
index 73e9ffe0..00000000
--- a/crypto_kem/kyber512-90s/avx2/shuffle.inc
+++ /dev/null
@@ -1,25 +0,0 @@
-.macro shuffle8 r0,r1,r2,r3
-vperm2i128 $0x20,%ymm\r1,%ymm\r0,%ymm\r2
-vperm2i128 $0x31,%ymm\r1,%ymm\r0,%ymm\r3
-.endm
-
-.macro shuffle4 r0,r1,r2,r3
-vpunpcklqdq %ymm\r1,%ymm\r0,%ymm\r2
-vpunpckhqdq %ymm\r1,%ymm\r0,%ymm\r3
-.endm
-
-.macro shuffle2 r0,r1,r2,r3
-#vpsllq $32,%ymm\r1,%ymm\r2
-vmovsldup %ymm\r1,%ymm\r2
-vpblendd $0xAA,%ymm\r2,%ymm\r0,%ymm\r2
-vpsrlq $32,%ymm\r0,%ymm\r0
-#vmovshdup %ymm\r0,%ymm\r0
-vpblendd $0xAA,%ymm\r1,%ymm\r0,%ymm\r3
-.endm
-
-.macro shuffle1 r0,r1,r2,r3
-vpslld $16,%ymm\r1,%ymm\r2
-vpblendw $0xAA,%ymm\r2,%ymm\r0,%ymm\r2
-vpsrld $16,%ymm\r0,%ymm\r0
-vpblendw $0xAA,%ymm\r1,%ymm\r0,%ymm\r3
-.endm
diff --git a/crypto_kem/kyber512-90s/avx2/symmetric.h b/crypto_kem/kyber512-90s/avx2/symmetric.h
deleted file mode 100644
index 2cae9245..00000000
--- a/crypto_kem/kyber512-90s/avx2/symmetric.h
+++ /dev/null
@@ -1,24 +0,0 @@
-#ifndef PQCLEAN_KYBER51290S_AVX2_SYMMETRIC_H
-#define PQCLEAN_KYBER51290S_AVX2_SYMMETRIC_H
-#include "aes256ctr.h"
-#include "params.h"
-#include "sha2.h"
-#include
-#include
-
-
-
-typedef aes256ctr_ctx xof_state;
-
-#define XOF_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define hash_h(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-#define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES)
-#define xof_absorb(STATE, SEED, X, Y) PQCLEAN_KYBER51290S_AVX2_aes256ctr_init(STATE, SEED, (X) | ((uint16_t)(Y) << 8))
-#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER51290S_AVX2_aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define xof_ctx_release(STATE)
-#define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER51290S_AVX2_aes256ctr_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-
-
-#endif /* SYMMETRIC_H */
diff --git a/crypto_kem/kyber512-90s/avx2/verify.c b/crypto_kem/kyber512-90s/avx2/verify.c
deleted file mode 100644
index 2673d8e8..00000000
--- a/crypto_kem/kyber512-90s/avx2/verify.c
+++ /dev/null
@@ -1,73 +0,0 @@ -#include "verify.h" -#include -#include -#include - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_verify -* -* Description: Compare two arrays for equality in constant time. -* -* Arguments: const uint8_t *a: pointer to first byte array -* const uint8_t *b: pointer to second byte array -* size_t len: length of the byte arrays -* -* Returns 0 if the byte arrays are equal, 1 otherwise -**************************************************/ -int PQCLEAN_KYBER51290S_AVX2_verify(const uint8_t *a, const uint8_t *b, size_t len) { - size_t i; - uint64_t r; - __m256i f, g, h; - - h = _mm256_setzero_si256(); - for (i = 0; i < len / 32; i++) { - f = _mm256_loadu_si256((__m256i *)&a[32 * i]); - g = _mm256_loadu_si256((__m256i *)&b[32 * i]); - f = _mm256_xor_si256(f, g); - h = _mm256_or_si256(h, f); - } - r = 1 - _mm256_testz_si256(h, h); - - a += 32 * i; - b += 32 * i; - len -= 32 * i; - for (i = 0; i < len; i++) { - r |= a[i] ^ b[i]; - } - - r = (-r) >> 63; - return r; -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_AVX2_cmov -* -* Description: Copy len bytes from x to r if b is 1; -* don't modify x if b is 0. Requires b to be in {0,1}; -* assumes two's complement representation of negative integers. -* Runs in constant time. 
-* -* Arguments: unsigned char *r: pointer to output byte array -* const unsigned char *x: pointer to input byte array -* size_t len: Amount of bytes to be copied -* unsigned char b: Condition bit; has to be in {0,1} -**************************************************/ -void PQCLEAN_KYBER51290S_AVX2_cmov(uint8_t *restrict r, const uint8_t *x, size_t len, uint8_t b) { - size_t i; - __m256i xvec, rvec, bvec; - - bvec = _mm256_set1_epi64x(-(uint64_t)b); - for (i = 0; i < len / 32; i++) { - rvec = _mm256_loadu_si256((__m256i *)&r[32 * i]); - xvec = _mm256_loadu_si256((__m256i *)&x[32 * i]); - rvec = _mm256_blendv_epi8(rvec, xvec, bvec); - _mm256_storeu_si256((__m256i *)&r[32 * i], rvec); - } - - r += 32 * i; - x += 32 * i; - len -= 32 * i; - for (i = 0; i < len; i++) { - r[i] ^= -b & (x[i] ^ r[i]); - } -} diff --git a/crypto_kem/kyber512-90s/avx2/verify.h b/crypto_kem/kyber512-90s/avx2/verify.h deleted file mode 100644 index 493c5b50..00000000 --- a/crypto_kem/kyber512-90s/avx2/verify.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef PQCLEAN_KYBER51290S_AVX2_VERIFY_H -#define PQCLEAN_KYBER51290S_AVX2_VERIFY_H -#include "params.h" -#include -#include - -int PQCLEAN_KYBER51290S_AVX2_verify(const uint8_t *a, const uint8_t *b, size_t len); - -void PQCLEAN_KYBER51290S_AVX2_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b); - -#endif diff --git a/crypto_kem/kyber512-90s/clean/LICENSE b/crypto_kem/kyber512-90s/clean/LICENSE deleted file mode 100644 index 08473af7..00000000 --- a/crypto_kem/kyber512-90s/clean/LICENSE +++ /dev/null @@ -1,5 +0,0 @@ -Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/) - -For Keccak and AES we are using public-domain -code from sources and by authors listed in -comments on top of the respective files. diff --git a/crypto_kem/kyber512-90s/clean/Makefile.Microsoft_nmake b/crypto_kem/kyber512-90s/clean/Makefile.Microsoft_nmake deleted file mode 100644 index c2ecfa3f..00000000 
--- a/crypto_kem/kyber512-90s/clean/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,23 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libkyber512-90s_clean.lib
-OBJECTS=cbd.obj indcpa.obj kem.obj ntt.obj poly.obj polyvec.obj reduce.obj symmetric-aes.obj verify.obj
-
-# Warning C4146 is raised when a unary minus operator is applied to an
-# unsigned type; this has nonetheless been standard and portable for as
-# long as there has been a C standard, and we need it for constant-time
-# computations. Thus, we disable that spurious warning.
-CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX /wd4146
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_kem/kyber512-90s/clean/api.h b/crypto_kem/kyber512-90s/clean/api.h
deleted file mode 100644
index 20e169c6..00000000
--- a/crypto_kem/kyber512-90s/clean/api.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef PQCLEAN_KYBER51290S_CLEAN_API_H
-#define PQCLEAN_KYBER51290S_CLEAN_API_H
-
-#include
-
-#define PQCLEAN_KYBER51290S_CLEAN_CRYPTO_SECRETKEYBYTES 1632
-#define PQCLEAN_KYBER51290S_CLEAN_CRYPTO_PUBLICKEYBYTES 800
-#define PQCLEAN_KYBER51290S_CLEAN_CRYPTO_CIPHERTEXTBYTES 768
-#define PQCLEAN_KYBER51290S_CLEAN_CRYPTO_BYTES 32
-#define PQCLEAN_KYBER51290S_CLEAN_CRYPTO_ALGNAME "Kyber512-90s"
-
-int PQCLEAN_KYBER51290S_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
-
-int PQCLEAN_KYBER51290S_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-
-int PQCLEAN_KYBER51290S_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
-#endif
diff --git a/crypto_kem/kyber512-90s/clean/cbd.c b/crypto_kem/kyber512-90s/clean/cbd.c
deleted file mode 100644
index 08cee4a6..00000000
--- a/crypto_kem/kyber512-90s/clean/cbd.c
+++ /dev/null
@@ -1,108 +0,0 @@ -#include "cbd.h" -#include "params.h" -#include - -/************************************************* -* Name: load32_littleendian -* -* Description: load 4 bytes into a 32-bit integer -* in little-endian order -* -* Arguments: - const uint8_t *x: pointer to input byte array -* -* Returns 32-bit unsigned integer loaded from x -**************************************************/ -static uint32_t load32_littleendian(const uint8_t x[4]) { - uint32_t r; - r = (uint32_t)x[0]; - r |= (uint32_t)x[1] << 8; - r |= (uint32_t)x[2] << 16; - r |= (uint32_t)x[3] << 24; - return r; -} - -/************************************************* -* Name: load24_littleendian -* -* Description: load 3 bytes into a 32-bit integer -* in little-endian order. -* This function is only needed for Kyber-512 -* -* Arguments: - const uint8_t *x: pointer to input byte array -* -* Returns 32-bit unsigned integer loaded from x (most significant byte is zero) -**************************************************/ -static uint32_t load24_littleendian(const uint8_t x[3]) { - uint32_t r; - r = (uint32_t)x[0]; - r |= (uint32_t)x[1] << 8; - r |= (uint32_t)x[2] << 16; - return r; -} - - -/************************************************* -* Name: cbd2 -* -* Description: Given an array of uniformly random bytes, compute -* polynomial with coefficients distributed according to -* a centered binomial distribution with parameter eta=2 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *buf: pointer to input byte array -**************************************************/ -static void cbd2(poly *r, const uint8_t buf[2 * KYBER_N / 4]) { - unsigned int i, j; - uint32_t t, d; - int16_t a, b; - - for (i = 0; i < KYBER_N / 8; i++) { - t = load32_littleendian(buf + 4 * i); - d = t & 0x55555555; - d += (t >> 1) & 0x55555555; - - for (j = 0; j < 8; j++) { - a = (d >> (4 * j + 0)) & 0x3; - b = (d >> (4 * j + 2)) & 0x3; - r->coeffs[8 * i + j] = a - b; - } - } -} - 
-/************************************************* -* Name: cbd3 -* -* Description: Given an array of uniformly random bytes, compute -* polynomial with coefficients distributed according to -* a centered binomial distribution with parameter eta=3. -* This function is only needed for Kyber-512 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *buf: pointer to input byte array -**************************************************/ -static void cbd3(poly *r, const uint8_t buf[3 * KYBER_N / 4]) { - unsigned int i, j; - uint32_t t, d; - int16_t a, b; - - for (i = 0; i < KYBER_N / 4; i++) { - t = load24_littleendian(buf + 3 * i); - d = t & 0x00249249; - d += (t >> 1) & 0x00249249; - d += (t >> 2) & 0x00249249; - - for (j = 0; j < 4; j++) { - a = (d >> (6 * j + 0)) & 0x7; - b = (d >> (6 * j + 3)) & 0x7; - r->coeffs[4 * i + j] = a - b; - } - } -} - -void PQCLEAN_KYBER51290S_CLEAN_poly_cbd_eta1(poly *r, const uint8_t buf[KYBER_ETA1 * KYBER_N / 4]) { - cbd3(r, buf); -} - -void PQCLEAN_KYBER51290S_CLEAN_poly_cbd_eta2(poly *r, const uint8_t buf[KYBER_ETA2 * KYBER_N / 4]) { - cbd2(r, buf); -} diff --git a/crypto_kem/kyber512-90s/clean/cbd.h b/crypto_kem/kyber512-90s/clean/cbd.h deleted file mode 100644 index d33d61f9..00000000 --- a/crypto_kem/kyber512-90s/clean/cbd.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef PQCLEAN_KYBER51290S_CLEAN_CBD_H -#define PQCLEAN_KYBER51290S_CLEAN_CBD_H -#include "params.h" -#include "poly.h" -#include - -void PQCLEAN_KYBER51290S_CLEAN_poly_cbd_eta1(poly *r, const uint8_t buf[KYBER_ETA1 * KYBER_N / 4]); - -void PQCLEAN_KYBER51290S_CLEAN_poly_cbd_eta2(poly *r, const uint8_t buf[KYBER_ETA2 * KYBER_N / 4]); - -#endif diff --git a/crypto_kem/kyber512-90s/clean/indcpa.c b/crypto_kem/kyber512-90s/clean/indcpa.c deleted file mode 100644 index 7dd2457f..00000000 --- a/crypto_kem/kyber512-90s/clean/indcpa.c +++ /dev/null 
@@ -1,330 +0,0 @@ -#include "indcpa.h" -#include "ntt.h" -#include "params.h" -#include "poly.h" -#include "polyvec.h" -#include "randombytes.h" -#include "symmetric.h" -#include -#include - -/************************************************* -* Name: pack_pk -* -* Description: Serialize the public key as concatenation of the -* serialized vector of polynomials pk -* and the public seed used to generate the matrix A. -* -* Arguments: uint8_t *r: pointer to the output serialized public key -* polyvec *pk: pointer to the input public-key polyvec -* const uint8_t *seed: pointer to the input public seed -**************************************************/ -static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], - polyvec *pk, - const uint8_t seed[KYBER_SYMBYTES]) { - size_t i; - PQCLEAN_KYBER51290S_CLEAN_polyvec_tobytes(r, pk); - for (i = 0; i < KYBER_SYMBYTES; i++) { - r[i + KYBER_POLYVECBYTES] = seed[i]; - } -} - -/************************************************* -* Name: unpack_pk -* -* Description: De-serialize public key from a byte array; -* approximate inverse of pack_pk -* -* Arguments: - polyvec *pk: pointer to output public-key polynomial vector -* - uint8_t *seed: pointer to output seed to generate matrix A -* - const uint8_t *packedpk: pointer to input serialized public key -**************************************************/ -static void unpack_pk(polyvec *pk, - uint8_t seed[KYBER_SYMBYTES], - const uint8_t packedpk[KYBER_INDCPA_PUBLICKEYBYTES]) { - size_t i; - PQCLEAN_KYBER51290S_CLEAN_polyvec_frombytes(pk, packedpk); - for (i = 0; i < KYBER_SYMBYTES; i++) { - seed[i] = packedpk[i + KYBER_POLYVECBYTES]; - } -} - -/************************************************* -* Name: pack_sk -* -* Description: Serialize the secret key -* -* Arguments: - uint8_t *r: pointer to output serialized secret key -* - polyvec *sk: pointer to input vector of polynomials (secret key) -**************************************************/ -static void pack_sk(uint8_t 
r[KYBER_INDCPA_SECRETKEYBYTES], polyvec *sk) { - PQCLEAN_KYBER51290S_CLEAN_polyvec_tobytes(r, sk); -} - -/************************************************* -* Name: unpack_sk -* -* Description: De-serialize the secret key; inverse of pack_sk -* -* Arguments: - polyvec *sk: pointer to output vector of polynomials (secret key) -* - const uint8_t *packedsk: pointer to input serialized secret key -**************************************************/ -static void unpack_sk(polyvec *sk, const uint8_t packedsk[KYBER_INDCPA_SECRETKEYBYTES]) { - PQCLEAN_KYBER51290S_CLEAN_polyvec_frombytes(sk, packedsk); -} - -/************************************************* -* Name: pack_ciphertext -* -* Description: Serialize the ciphertext as concatenation of the -* compressed and serialized vector of polynomials b -* and the compressed and serialized polynomial v -* -* Arguments: uint8_t *r: pointer to the output serialized ciphertext -* poly *pk: pointer to the input vector of polynomials b -* poly *v: pointer to the input polynomial v -**************************************************/ -static void pack_ciphertext(uint8_t r[KYBER_INDCPA_BYTES], polyvec *b, poly *v) { - PQCLEAN_KYBER51290S_CLEAN_polyvec_compress(r, b); - PQCLEAN_KYBER51290S_CLEAN_poly_compress(r + KYBER_POLYVECCOMPRESSEDBYTES, v); -} - -/************************************************* -* Name: unpack_ciphertext -* -* Description: De-serialize and decompress ciphertext from a byte array; -* approximate inverse of pack_ciphertext -* -* Arguments: - polyvec *b: pointer to the output vector of polynomials b -* - poly *v: pointer to the output polynomial v -* - const uint8_t *c: pointer to the input serialized ciphertext -**************************************************/ -static void unpack_ciphertext(polyvec *b, poly *v, const uint8_t c[KYBER_INDCPA_BYTES]) { - PQCLEAN_KYBER51290S_CLEAN_polyvec_decompress(b, c); - PQCLEAN_KYBER51290S_CLEAN_poly_decompress(v, c + KYBER_POLYVECCOMPRESSEDBYTES); -} - 
-/************************************************* -* Name: rej_uniform -* -* Description: Run rejection sampling on uniform random bytes to generate -* uniform random integers mod q -* -* Arguments: - int16_t *r: pointer to output buffer -* - unsigned int len: requested number of 16-bit integers (uniform mod q) -* - const uint8_t *buf: pointer to input buffer (assumed to be uniformly random bytes) -* - unsigned int buflen: length of input buffer in bytes -* -* Returns number of sampled 16-bit integers (at most len) -**************************************************/ -static unsigned int rej_uniform(int16_t *r, - unsigned int len, - const uint8_t *buf, - unsigned int buflen) { - unsigned int ctr, pos; - uint16_t val0, val1; - - ctr = pos = 0; - while (ctr < len && pos + 3 <= buflen) { - val0 = ((buf[pos + 0] >> 0) | ((uint16_t)buf[pos + 1] << 8)) & 0xFFF; - val1 = ((buf[pos + 1] >> 4) | ((uint16_t)buf[pos + 2] << 4)) & 0xFFF; - pos += 3; - - if (val0 < KYBER_Q) { - r[ctr++] = val0; - } - if (ctr < len && val1 < KYBER_Q) { - r[ctr++] = val1; - } - } - - return ctr; -} - -#define gen_a(A,B) PQCLEAN_KYBER51290S_CLEAN_gen_matrix(A,B,0) -#define gen_at(A,B) PQCLEAN_KYBER51290S_CLEAN_gen_matrix(A,B,1) - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_gen_matrix -* -* Description: Deterministically generate matrix A (or the transpose of A) -* from a seed. Entries of the matrix are polynomials that look -* uniformly random. 
Performs rejection sampling on output of -* a XOF -* -* Arguments: - polyvec *a: pointer to ouptput matrix A -* - const uint8_t *seed: pointer to input seed -* - int transposed: boolean deciding whether A or A^T is generated -**************************************************/ -#define GEN_MATRIX_NBLOCKS ((12*KYBER_N/8*(1 << 12)/KYBER_Q + XOF_BLOCKBYTES)/XOF_BLOCKBYTES) -// Not static for benchmarking -void PQCLEAN_KYBER51290S_CLEAN_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed) { - unsigned int ctr, i, j, k; - unsigned int buflen, off; - uint8_t buf[GEN_MATRIX_NBLOCKS * XOF_BLOCKBYTES + 2]; - xof_state state; - - for (i = 0; i < KYBER_K; i++) { - for (j = 0; j < KYBER_K; j++) { - if (transposed) { - xof_absorb(&state, seed, (uint8_t)i, (uint8_t)j); - } else { - xof_absorb(&state, seed, (uint8_t)j, (uint8_t)i); - } - - xof_squeezeblocks(buf, GEN_MATRIX_NBLOCKS, &state); - buflen = GEN_MATRIX_NBLOCKS * XOF_BLOCKBYTES; - ctr = rej_uniform(a[i].vec[j].coeffs, KYBER_N, buf, buflen); - - while (ctr < KYBER_N) { - off = buflen % 3; - for (k = 0; k < off; k++) { - buf[k] = buf[buflen - off + k]; - } - xof_squeezeblocks(buf + off, 1, &state); - buflen = off + XOF_BLOCKBYTES; - ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf, buflen); - } - xof_ctx_release(&state); - } - } -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_indcpa_keypair -* -* Description: Generates public and private key for the CPA-secure -* public-key encryption scheme underlying Kyber -* -* Arguments: - uint8_t *pk: pointer to output public key -* (of length KYBER_INDCPA_PUBLICKEYBYTES bytes) -* - uint8_t *sk: pointer to output private key - (of length KYBER_INDCPA_SECRETKEYBYTES bytes) -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], - uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) { - unsigned int i; - uint8_t buf[2 * 
KYBER_SYMBYTES]; - const uint8_t *publicseed = buf; - const uint8_t *noiseseed = buf + KYBER_SYMBYTES; - uint8_t nonce = 0; - polyvec a[KYBER_K], e, pkpv, skpv; - - randombytes(buf, KYBER_SYMBYTES); - hash_g(buf, buf, KYBER_SYMBYTES); - - gen_a(a, publicseed); - - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_CLEAN_poly_getnoise_eta1(&skpv.vec[i], noiseseed, nonce++); - } - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_CLEAN_poly_getnoise_eta1(&e.vec[i], noiseseed, nonce++); - } - - PQCLEAN_KYBER51290S_CLEAN_polyvec_ntt(&skpv); - PQCLEAN_KYBER51290S_CLEAN_polyvec_ntt(&e); - - // matrix-vector multiplication - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_CLEAN_polyvec_basemul_acc_montgomery(&pkpv.vec[i], &a[i], &skpv); - PQCLEAN_KYBER51290S_CLEAN_poly_tomont(&pkpv.vec[i]); - } - - PQCLEAN_KYBER51290S_CLEAN_polyvec_add(&pkpv, &pkpv, &e); - PQCLEAN_KYBER51290S_CLEAN_polyvec_reduce(&pkpv); - - pack_sk(sk, &skpv); - pack_pk(pk, &pkpv, publicseed); -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_indcpa_enc -* -* Description: Encryption function of the CPA-secure -* public-key encryption scheme underlying Kyber. 
-* -* Arguments: - uint8_t *c: pointer to output ciphertext -* (of length KYBER_INDCPA_BYTES bytes) -* - const uint8_t *m: pointer to input message -* (of length KYBER_INDCPA_MSGBYTES bytes) -* - const uint8_t *pk: pointer to input public key -* (of length KYBER_INDCPA_PUBLICKEYBYTES) -* - const uint8_t *coins: pointer to input random coins used as seed -* (of length KYBER_SYMBYTES) to deterministically -* generate all randomness -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], - const uint8_t m[KYBER_INDCPA_MSGBYTES], - const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], - const uint8_t coins[KYBER_SYMBYTES]) { - unsigned int i; - uint8_t seed[KYBER_SYMBYTES]; - uint8_t nonce = 0; - polyvec sp, pkpv, ep, at[KYBER_K], b; - poly v, k, epp; - - unpack_pk(&pkpv, seed, pk); - PQCLEAN_KYBER51290S_CLEAN_poly_frommsg(&k, m); - gen_at(at, seed); - - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_CLEAN_poly_getnoise_eta1(sp.vec + i, coins, nonce++); - } - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_CLEAN_poly_getnoise_eta2(ep.vec + i, coins, nonce++); - } - PQCLEAN_KYBER51290S_CLEAN_poly_getnoise_eta2(&epp, coins, nonce++); - - PQCLEAN_KYBER51290S_CLEAN_polyvec_ntt(&sp); - - // matrix-vector multiplication - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_CLEAN_polyvec_basemul_acc_montgomery(&b.vec[i], &at[i], &sp); - } - - PQCLEAN_KYBER51290S_CLEAN_polyvec_basemul_acc_montgomery(&v, &pkpv, &sp); - - PQCLEAN_KYBER51290S_CLEAN_polyvec_invntt_tomont(&b); - PQCLEAN_KYBER51290S_CLEAN_poly_invntt_tomont(&v); - - PQCLEAN_KYBER51290S_CLEAN_polyvec_add(&b, &b, &ep); - PQCLEAN_KYBER51290S_CLEAN_poly_add(&v, &v, &epp); - PQCLEAN_KYBER51290S_CLEAN_poly_add(&v, &v, &k); - PQCLEAN_KYBER51290S_CLEAN_polyvec_reduce(&b); - PQCLEAN_KYBER51290S_CLEAN_poly_reduce(&v); - - pack_ciphertext(c, &b, &v); -} - -/************************************************* -* Name: 
PQCLEAN_KYBER51290S_CLEAN_indcpa_dec -* -* Description: Decryption function of the CPA-secure -* public-key encryption scheme underlying Kyber. -* -* Arguments: - uint8_t *m: pointer to output decrypted message -* (of length KYBER_INDCPA_MSGBYTES) -* - const uint8_t *c: pointer to input ciphertext -* (of length KYBER_INDCPA_BYTES) -* - const uint8_t *sk: pointer to input secret key -* (of length KYBER_INDCPA_SECRETKEYBYTES) -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], - const uint8_t c[KYBER_INDCPA_BYTES], - const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) { - polyvec b, skpv; - poly v, mp; - - unpack_ciphertext(&b, &v, c); - unpack_sk(&skpv, sk); - - PQCLEAN_KYBER51290S_CLEAN_polyvec_ntt(&b); - PQCLEAN_KYBER51290S_CLEAN_polyvec_basemul_acc_montgomery(&mp, &skpv, &b); - PQCLEAN_KYBER51290S_CLEAN_poly_invntt_tomont(&mp); - - PQCLEAN_KYBER51290S_CLEAN_poly_sub(&mp, &v, &mp); - PQCLEAN_KYBER51290S_CLEAN_poly_reduce(&mp); - - PQCLEAN_KYBER51290S_CLEAN_poly_tomsg(m, &mp); -} diff --git a/crypto_kem/kyber512-90s/clean/indcpa.h b/crypto_kem/kyber512-90s/clean/indcpa.h deleted file mode 100644 index 9f56d841..00000000 --- a/crypto_kem/kyber512-90s/clean/indcpa.h +++ /dev/null 
@@ -1,20 +0,0 @@
-#ifndef PQCLEAN_KYBER51290S_CLEAN_INDCPA_H
-#define PQCLEAN_KYBER51290S_CLEAN_INDCPA_H
-#include "params.h"
-#include "polyvec.h"
-#include
-
-void PQCLEAN_KYBER51290S_CLEAN_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed);
-void PQCLEAN_KYBER51290S_CLEAN_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
- uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]);
-
-void PQCLEAN_KYBER51290S_CLEAN_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
- const uint8_t m[KYBER_INDCPA_MSGBYTES],
- const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
- const uint8_t coins[KYBER_SYMBYTES]);
-
-void PQCLEAN_KYBER51290S_CLEAN_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES],
- const uint8_t c[KYBER_INDCPA_BYTES],
- const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]);
-
-#endif
diff --git a/crypto_kem/kyber512-90s/clean/kem.c b/crypto_kem/kyber512-90s/clean/kem.c
deleted file mode 100644
index 39510438..00000000
--- a/crypto_kem/kyber512-90s/clean/kem.c
+++ /dev/null
@@ -1,126 +0,0 @@ -#include "indcpa.h" -#include "kem.h" -#include "params.h" -#include "randombytes.h" -#include "symmetric.h" -#include "verify.h" -#include -#include - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_crypto_kem_keypair -* -* Description: Generates public and private key -* for CCA-secure Kyber key encapsulation mechanism -* -* Arguments: - unsigned char *pk: pointer to output public key -* (an already allocated array of KYBER_PUBLICKEYBYTES bytes) -* - unsigned char *sk: pointer to output private key -* (an already allocated array of KYBER_SECRETKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_KYBER51290S_CLEAN_crypto_kem_keypair(unsigned char pk[KYBER_PUBLICKEYBYTES], - unsigned char sk[KYBER_SECRETKEYBYTES]) { - size_t i; - PQCLEAN_KYBER51290S_CLEAN_indcpa_keypair(pk, sk); - for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) { - sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i]; - } - hash_h(sk + KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); - /* Value z for pseudo-random output on reject */ - randombytes(sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES); - return 0; -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_crypto_kem_enc -* -* Description: Generates cipher text and shared -* secret for given public key -* -* Arguments: - unsigned char *ct: pointer to output cipher text -* (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) -* - unsigned char *ss: pointer to output shared secret -* (an already allocated array of KYBER_SSBYTES bytes) -* - const unsigned char *pk: pointer to input public key -* (an already allocated array of KYBER_PUBLICKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_KYBER51290S_CLEAN_crypto_kem_enc(unsigned char ct[KYBER_CIPHERTEXTBYTES], - unsigned char ss[KYBER_SSBYTES], - const unsigned 
char pk[KYBER_PUBLICKEYBYTES]) { - uint8_t buf[2 * KYBER_SYMBYTES]; - /* Will contain key, coins */ - uint8_t kr[2 * KYBER_SYMBYTES]; - - randombytes(buf, KYBER_SYMBYTES); - /* Don't release system RNG output */ - hash_h(buf, buf, KYBER_SYMBYTES); - - /* Multitarget countermeasure for coins + contributory KEM */ - hash_h(buf + KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); - hash_g(kr, buf, 2 * KYBER_SYMBYTES); - - /* coins are in kr+KYBER_SYMBYTES */ - PQCLEAN_KYBER51290S_CLEAN_indcpa_enc(ct, buf, pk, kr + KYBER_SYMBYTES); - - /* overwrite coins in kr with H(c) */ - hash_h(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); - /* hash concatenation of pre-k and H(c) to k */ - kdf(ss, kr, 2 * KYBER_SYMBYTES); - return 0; -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_crypto_kem_dec -* -* Description: Generates shared secret for given -* cipher text and private key -* -* Arguments: - unsigned char *ss: pointer to output shared secret -* (an already allocated array of KYBER_SSBYTES bytes) -* - const unsigned char *ct: pointer to input cipher text -* (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) -* - const unsigned char *sk: pointer to input private key -* (an already allocated array of KYBER_SECRETKEYBYTES bytes) -* -* Returns 0. -* -* On failure, ss will contain a pseudo-random value. 
-**************************************************/ -int PQCLEAN_KYBER51290S_CLEAN_crypto_kem_dec(unsigned char ss[KYBER_SSBYTES], - const unsigned char ct[KYBER_CIPHERTEXTBYTES], - const unsigned char sk[KYBER_SECRETKEYBYTES]) { - size_t i; - int fail; - uint8_t buf[2 * KYBER_SYMBYTES]; - /* Will contain key, coins */ - uint8_t kr[2 * KYBER_SYMBYTES]; - uint8_t cmp[KYBER_CIPHERTEXTBYTES]; - const uint8_t *pk = sk + KYBER_INDCPA_SECRETKEYBYTES; - - PQCLEAN_KYBER51290S_CLEAN_indcpa_dec(buf, ct, sk); - - /* Multitarget countermeasure for coins + contributory KEM */ - for (i = 0; i < KYBER_SYMBYTES; i++) { - buf[KYBER_SYMBYTES + i] = sk[KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES + i]; - } - hash_g(kr, buf, 2 * KYBER_SYMBYTES); - - /* coins are in kr+KYBER_SYMBYTES */ - PQCLEAN_KYBER51290S_CLEAN_indcpa_enc(cmp, buf, pk, kr + KYBER_SYMBYTES); - - fail = PQCLEAN_KYBER51290S_CLEAN_verify(ct, cmp, KYBER_CIPHERTEXTBYTES); - - /* overwrite coins in kr with H(c) */ - hash_h(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); - - /* Overwrite pre-k with z on re-encryption failure */ - PQCLEAN_KYBER51290S_CLEAN_cmov(kr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, (uint8_t)fail); - - /* hash concatenation of pre-k and H(c) to k */ - kdf(ss, kr, 2 * KYBER_SYMBYTES); - return 0; -} diff --git a/crypto_kem/kyber512-90s/clean/kem.h b/crypto_kem/kyber512-90s/clean/kem.h deleted file mode 100644 index e2ce0069..00000000 --- a/crypto_kem/kyber512-90s/clean/kem.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef PQCLEAN_KYBER51290S_CLEAN_KEM_H -#define PQCLEAN_KYBER51290S_CLEAN_KEM_H -#include "params.h" - - -int PQCLEAN_KYBER51290S_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk); - -int PQCLEAN_KYBER51290S_CLEAN_crypto_kem_enc(unsigned char *ct, - unsigned char *ss, - const unsigned char *pk); - -int PQCLEAN_KYBER51290S_CLEAN_crypto_kem_dec(unsigned char *ss, - const unsigned char *ct, - const unsigned char *sk); - -#endif 
diff --git a/crypto_kem/kyber512-90s/clean/ntt.c b/crypto_kem/kyber512-90s/clean/ntt.c deleted file mode 100644 index 52b92a2f..00000000 --- a/crypto_kem/kyber512-90s/clean/ntt.c +++ /dev/null 
@@ -1,146 +0,0 @@ -#include "ntt.h" -#include "params.h" -#include "reduce.h" -#include - -/* Code to generate PQCLEAN_KYBER51290S_CLEAN_zetas and zetas_inv used in the number-theoretic transform: - -#define KYBER_ROOT_OF_UNITY 17 - -static const uint8_t tree[128] = { - 0, 64, 32, 96, 16, 80, 48, 112, 8, 72, 40, 104, 24, 88, 56, 120, - 4, 68, 36, 100, 20, 84, 52, 116, 12, 76, 44, 108, 28, 92, 60, 124, - 2, 66, 34, 98, 18, 82, 50, 114, 10, 74, 42, 106, 26, 90, 58, 122, - 6, 70, 38, 102, 22, 86, 54, 118, 14, 78, 46, 110, 30, 94, 62, 126, - 1, 65, 33, 97, 17, 81, 49, 113, 9, 73, 41, 105, 25, 89, 57, 121, - 5, 69, 37, 101, 21, 85, 53, 117, 13, 77, 45, 109, 29, 93, 61, 125, - 3, 67, 35, 99, 19, 83, 51, 115, 11, 75, 43, 107, 27, 91, 59, 123, - 7, 71, 39, 103, 23, 87, 55, 119, 15, 79, 47, 111, 31, 95, 63, 127 -}; - -void init_ntt() { - unsigned int i; - int16_t tmp[128]; - - tmp[0] = MONT; - for(i=1;i<128;i++) - tmp[i] = fqmul(tmp[i-1],MONT*KYBER_ROOT_OF_UNITY % KYBER_Q); - - for(i=0;i<128;i++) { - PQCLEAN_KYBER51290S_CLEAN_zetas[i] = tmp[tree[i]]; - if(PQCLEAN_KYBER51290S_CLEAN_zetas[i] > KYBER_Q/2) - PQCLEAN_KYBER51290S_CLEAN_zetas[i] -= KYBER_Q; - if(PQCLEAN_KYBER51290S_CLEAN_zetas[i] < -KYBER_Q/2) - PQCLEAN_KYBER51290S_CLEAN_zetas[i] += KYBER_Q; - } -} -*/ - -const int16_t PQCLEAN_KYBER51290S_CLEAN_zetas[128] = { - -1044, -758, -359, -1517, 1493, 1422, 287, 202, - -171, 622, 1577, 182, 962, -1202, -1474, 1468, - 573, -1325, 264, 383, -829, 1458, -1602, -130, - -681, 1017, 732, 608, -1542, 411, -205, -1571, - 1223, 652, -552, 1015, -1293, 1491, -282, -1544, - 516, -8, -320, -666, -1618, -1162, 126, 1469, - -853, -90, -271, 830, 107, -1421, -247, -951, - -398, 961, -1508, -725, 448, -1065, 677, -1275, - -1103, 430, 555, 843, -1251, 871, 1550, 105, - 422, 587, 177, -235, -291, -460, 1574, 1653, - -246, 778, 1159, -147, -777, 1483, -602, 1119, - -1590, 644, -872, 349, 418, 329, -156, -75, - 817, 1097, 603, 610, 1322, -1285, -1465, 384, - -1215, -136, 1218, -1335, -874, 
220, -1187, -1659, - -1185, -1530, -1278, 794, -1510, -854, -870, 478, - -108, -308, 996, 991, 958, -1460, 1522, 1628 - }; - -/************************************************* -* Name: fqmul -* -* Description: Multiplication followed by Montgomery reduction -* -* Arguments: - int16_t a: first factor -* - int16_t b: second factor -* -* Returns 16-bit integer congruent to a*b*R^{-1} mod q -**************************************************/ -static int16_t fqmul(int16_t a, int16_t b) { - return PQCLEAN_KYBER51290S_CLEAN_montgomery_reduce((int32_t)a * b); -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_ntt -* -* Description: Inplace number-theoretic transform (NTT) in Rq. -* input is in standard order, output is in bitreversed order -* -* Arguments: - int16_t r[256]: pointer to input/output vector of elements of Zq -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_ntt(int16_t r[256]) { - unsigned int len, start, j, k; - int16_t t, zeta; - - k = 1; - for (len = 128; len >= 2; len >>= 1) { - for (start = 0; start < 256; start = j + len) { - zeta = PQCLEAN_KYBER51290S_CLEAN_zetas[k++]; - for (j = start; j < start + len; j++) { - t = fqmul(zeta, r[j + len]); - r[j + len] = r[j] - t; - r[j] = r[j] + t; - } - } - } -} - -/************************************************* -* Name: invntt_tomont -* -* Description: Inplace inverse number-theoretic transform in Rq and -* multiplication by Montgomery factor 2^16. 
-* Input is in bitreversed order, output is in standard order -* -* Arguments: - int16_t r[256]: pointer to input/output vector of elements of Zq -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_invntt(int16_t r[256]) { - unsigned int start, len, j, k; - int16_t t, zeta; - const int16_t f = 1441; // mont^2/128 - - k = 127; - for (len = 2; len <= 128; len <<= 1) { - for (start = 0; start < 256; start = j + len) { - zeta = PQCLEAN_KYBER51290S_CLEAN_zetas[k--]; - for (j = start; j < start + len; j++) { - t = r[j]; - r[j] = PQCLEAN_KYBER51290S_CLEAN_barrett_reduce(t + r[j + len]); - r[j + len] = r[j + len] - t; - r[j + len] = fqmul(zeta, r[j + len]); - } - } - } - - for (j = 0; j < 256; j++) { - r[j] = fqmul(r[j], f); - } -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_basemul -* -* Description: Multiplication of polynomials in Zq[X]/(X^2-zeta) -* used for multiplication of elements in Rq in NTT domain -* -* Arguments: - int16_t r[2]: pointer to the output polynomial -* - const int16_t a[2]: pointer to the first factor -* - const int16_t b[2]: pointer to the second factor -* - int16_t zeta: integer defining the reduction polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta) { - r[0] = fqmul(a[1], b[1]); - r[0] = fqmul(r[0], zeta); - r[0] += fqmul(a[0], b[0]); - r[1] = fqmul(a[0], b[1]); - r[1] += fqmul(a[1], b[0]); -} diff --git a/crypto_kem/kyber512-90s/clean/ntt.h b/crypto_kem/kyber512-90s/clean/ntt.h deleted file mode 100644 index 263f42bd..00000000 --- a/crypto_kem/kyber512-90s/clean/ntt.h +++ /dev/null 
@@ -1,14 +0,0 @@ -#ifndef PQCLEAN_KYBER51290S_CLEAN_NTT_H -#define PQCLEAN_KYBER51290S_CLEAN_NTT_H -#include "params.h" -#include - -extern const int16_t PQCLEAN_KYBER51290S_CLEAN_zetas[128]; - -void PQCLEAN_KYBER51290S_CLEAN_ntt(int16_t r[256]); - -void PQCLEAN_KYBER51290S_CLEAN_invntt(int16_t r[256]); - -void PQCLEAN_KYBER51290S_CLEAN_basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta); - -#endif diff --git a/crypto_kem/kyber512-90s/clean/params.h b/crypto_kem/kyber512-90s/clean/params.h deleted file mode 100644 index 07c3ed78..00000000 --- a/crypto_kem/kyber512-90s/clean/params.h +++ /dev/null @@ -1,33 +0,0 @@ -#ifndef PQCLEAN_KYBER51290S_CLEAN_PARAMS_H -#define PQCLEAN_KYBER51290S_CLEAN_PARAMS_H - - - - -#define KYBER_N 256 -#define KYBER_Q 3329 - -#define KYBER_SYMBYTES 32 /* size in bytes of hashes, and seeds */ -#define KYBER_SSBYTES 32 /* size in bytes of shared key */ - -#define KYBER_POLYBYTES 384 -#define KYBER_POLYVECBYTES (KYBER_K * KYBER_POLYBYTES) - -#define KYBER_K 2 -#define KYBER_ETA1 3 -#define KYBER_POLYCOMPRESSEDBYTES 128 -#define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 320) - -#define KYBER_ETA2 2 - -#define KYBER_INDCPA_MSGBYTES (KYBER_SYMBYTES) -#define KYBER_INDCPA_PUBLICKEYBYTES (KYBER_POLYVECBYTES + KYBER_SYMBYTES) -#define KYBER_INDCPA_SECRETKEYBYTES (KYBER_POLYVECBYTES) -#define KYBER_INDCPA_BYTES (KYBER_POLYVECCOMPRESSEDBYTES + KYBER_POLYCOMPRESSEDBYTES) - -#define KYBER_PUBLICKEYBYTES (KYBER_INDCPA_PUBLICKEYBYTES) -/* 32 bytes of additional space to save H(pk) */ -#define KYBER_SECRETKEYBYTES (KYBER_INDCPA_SECRETKEYBYTES + KYBER_INDCPA_PUBLICKEYBYTES + 2*KYBER_SYMBYTES) -#define KYBER_CIPHERTEXTBYTES (KYBER_INDCPA_BYTES) - -#endif diff --git a/crypto_kem/kyber512-90s/clean/poly.c b/crypto_kem/kyber512-90s/clean/poly.c deleted file mode 100644 index c2fbf557..00000000 --- a/crypto_kem/kyber512-90s/clean/poly.c +++ /dev/null 
@@ -1,287 +0,0 @@ -#include "cbd.h" -#include "ntt.h" -#include "params.h" -#include "poly.h" -#include "reduce.h" -#include "symmetric.h" -#include - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_poly_compress -* -* Description: Compression and subsequent serialization of a polynomial -* -* Arguments: - uint8_t *r: pointer to output byte array -* (of length KYBER_POLYCOMPRESSEDBYTES) -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const poly *a) { - size_t i, j; - int16_t u; - uint8_t t[8]; - - for (i = 0; i < KYBER_N / 8; i++) { - for (j = 0; j < 8; j++) { - // map to positive standard representatives - u = a->coeffs[8 * i + j]; - u += (u >> 15) & KYBER_Q; - t[j] = ((((uint16_t)u << 4) + KYBER_Q / 2) / KYBER_Q) & 15; - } - - r[0] = t[0] | (t[1] << 4); - r[1] = t[2] | (t[3] << 4); - r[2] = t[4] | (t[5] << 4); - r[3] = t[6] | (t[7] << 4); - r += 4; - } -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_poly_decompress -* -* Description: De-serialization and subsequent decompression of a polynomial; -* approximate inverse of PQCLEAN_KYBER51290S_CLEAN_poly_compress -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: pointer to input byte array -* (of length KYBER_POLYCOMPRESSEDBYTES bytes) -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]) { - size_t i; - - for (i = 0; i < KYBER_N / 2; i++) { - r->coeffs[2 * i + 0] = (((uint16_t)(a[0] & 15) * KYBER_Q) + 8) >> 4; - r->coeffs[2 * i + 1] = (((uint16_t)(a[0] >> 4) * KYBER_Q) + 8) >> 4; - a += 1; - } -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_poly_tobytes -* -* Description: Serialization of a polynomial -* -* Arguments: - uint8_t 
*r: pointer to output byte array -* (needs space for KYBER_POLYBYTES bytes) -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_poly_tobytes(uint8_t r[KYBER_POLYBYTES], const poly *a) { - size_t i; - uint16_t t0, t1; - - for (i = 0; i < KYBER_N / 2; i++) { - // map to positive standard representatives - t0 = a->coeffs[2 * i]; - t0 += ((int16_t)t0 >> 15) & KYBER_Q; - t1 = a->coeffs[2 * i + 1]; - t1 += ((int16_t)t1 >> 15) & KYBER_Q; - r[3 * i + 0] = (uint8_t)(t0 >> 0); - r[3 * i + 1] = (uint8_t)((t0 >> 8) | (t1 << 4)); - r[3 * i + 2] = (uint8_t)(t1 >> 4); - } -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_poly_frombytes -* -* Description: De-serialization of a polynomial; -* inverse of PQCLEAN_KYBER51290S_CLEAN_poly_tobytes -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: pointer to input byte array -* (of KYBER_POLYBYTES bytes) -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]) { - size_t i; - for (i = 0; i < KYBER_N / 2; i++) { - r->coeffs[2 * i] = ((a[3 * i + 0] >> 0) | ((uint16_t)a[3 * i + 1] << 8)) & 0xFFF; - r->coeffs[2 * i + 1] = ((a[3 * i + 1] >> 4) | ((uint16_t)a[3 * i + 2] << 4)) & 0xFFF; - } -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_poly_frommsg -* -* Description: Convert 32-byte message to polynomial -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *msg: pointer to input message -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]) { - size_t i, j; - int16_t mask; - - for (i = 0; i < KYBER_N / 8; i++) { - for (j = 0; j < 8; j++) { - mask = -(int16_t)((msg[i] >> j) & 1); - r->coeffs[8 * i + j] = mask & ((KYBER_Q + 1) / 2); - } - } -} - 
-/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_poly_tomsg -* -* Description: Convert polynomial to 32-byte message -* -* Arguments: - uint8_t *msg: pointer to output message -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly *a) { - size_t i, j; - uint16_t t; - - for (i = 0; i < KYBER_N / 8; i++) { - msg[i] = 0; - for (j = 0; j < 8; j++) { - t = a->coeffs[8 * i + j]; - t += ((int16_t)t >> 15) & KYBER_Q; - t = (((t << 1) + KYBER_Q / 2) / KYBER_Q) & 1; - msg[i] |= t << j; - } - } -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_poly_getnoise_eta1 -* -* Description: Sample a polynomial deterministically from a seed and a nonce, -* with output polynomial close to centered binomial distribution -* with parameter KYBER_ETA1 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *seed: pointer to input seed -* (of length KYBER_SYMBYTES bytes) -* - uint8_t nonce: one-byte input nonce -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_poly_getnoise_eta1(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce) { - uint8_t buf[KYBER_ETA1 * KYBER_N / 4]; - prf(buf, sizeof(buf), seed, nonce); - PQCLEAN_KYBER51290S_CLEAN_poly_cbd_eta1(r, buf); -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_poly_getnoise_eta2 -* -* Description: Sample a polynomial deterministically from a seed and a nonce, -* with output polynomial close to centered binomial distribution -* with parameter KYBER_ETA2 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *seed: pointer to input seed -* (of length KYBER_SYMBYTES bytes) -* - uint8_t nonce: one-byte input nonce -**************************************************/ -void 
PQCLEAN_KYBER51290S_CLEAN_poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce) { - uint8_t buf[KYBER_ETA2 * KYBER_N / 4]; - prf(buf, sizeof(buf), seed, nonce); - PQCLEAN_KYBER51290S_CLEAN_poly_cbd_eta2(r, buf); -} - - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_poly_ntt -* -* Description: Computes negacyclic number-theoretic transform (NTT) of -* a polynomial in place; -* inputs assumed to be in normal order, output in bitreversed order -* -* Arguments: - uint16_t *r: pointer to in/output polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_poly_ntt(poly *r) { - PQCLEAN_KYBER51290S_CLEAN_ntt(r->coeffs); - PQCLEAN_KYBER51290S_CLEAN_poly_reduce(r); -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_poly_invntt_tomont -* -* Description: Computes inverse of negacyclic number-theoretic transform (NTT) -* of a polynomial in place; -* inputs assumed to be in bitreversed order, output in normal order -* -* Arguments: - uint16_t *a: pointer to in/output polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_poly_invntt_tomont(poly *r) { - PQCLEAN_KYBER51290S_CLEAN_invntt(r->coeffs); -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_poly_basemul_montgomery -* -* Description: Multiplication of two polynomials in NTT domain -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_poly_basemul_montgomery(poly *r, const poly *a, const poly *b) { - size_t i; - for (i = 0; i < KYBER_N / 4; i++) { - PQCLEAN_KYBER51290S_CLEAN_basemul(&r->coeffs[4 * i], &a->coeffs[4 * i], &b->coeffs[4 * i], PQCLEAN_KYBER51290S_CLEAN_zetas[64 + i]); - 
PQCLEAN_KYBER51290S_CLEAN_basemul(&r->coeffs[4 * i + 2], &a->coeffs[4 * i + 2], &b->coeffs[4 * i + 2], -PQCLEAN_KYBER51290S_CLEAN_zetas[64 + i]); - } -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_poly_tomont -* -* Description: Inplace conversion of all coefficients of a polynomial -* from normal domain to Montgomery domain -* -* Arguments: - poly *r: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_poly_tomont(poly *r) { - size_t i; - const int16_t f = (1ULL << 32) % KYBER_Q; - for (i = 0; i < KYBER_N; i++) { - r->coeffs[i] = PQCLEAN_KYBER51290S_CLEAN_montgomery_reduce((int32_t)r->coeffs[i] * f); - } -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_poly_reduce -* -* Description: Applies Barrett reduction to all coefficients of a polynomial -* for details of the Barrett reduction see comments in reduce.c -* -* Arguments: - poly *r: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_poly_reduce(poly *r) { - size_t i; - for (i = 0; i < KYBER_N; i++) { - r->coeffs[i] = PQCLEAN_KYBER51290S_CLEAN_barrett_reduce(r->coeffs[i]); - } -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_poly_add -* -* Description: Add two polynomials; no modular reduction is performed -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_poly_add(poly *r, const poly *a, const poly *b) { - size_t i; - for (i = 0; i < KYBER_N; i++) { - r->coeffs[i] = a->coeffs[i] + b->coeffs[i]; - } -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_poly_sub -* -* Description: Subtract two polynomials; no modular 
reduction is performed -* -* Arguments: - poly *r: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_poly_sub(poly *r, const poly *a, const poly *b) { - size_t i; - for (i = 0; i < KYBER_N; i++) { - r->coeffs[i] = a->coeffs[i] - b->coeffs[i]; - } -} diff --git a/crypto_kem/kyber512-90s/clean/poly.h b/crypto_kem/kyber512-90s/clean/poly.h deleted file mode 100644 index 256bea74..00000000 --- a/crypto_kem/kyber512-90s/clean/poly.h +++ /dev/null 
@@ -1,37 +0,0 @@ -#ifndef PQCLEAN_KYBER51290S_CLEAN_POLY_H -#define PQCLEAN_KYBER51290S_CLEAN_POLY_H -#include "params.h" -#include - -/* - * Elements of R_q = Z_q[X]/(X^n + 1). Represents polynomial - * coeffs[0] + X*coeffs[1] + X^2*xoeffs[2] + ... + X^{n-1}*coeffs[n-1] - */ -typedef struct { - int16_t coeffs[KYBER_N]; -} poly; - -void PQCLEAN_KYBER51290S_CLEAN_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const poly *a); -void PQCLEAN_KYBER51290S_CLEAN_poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]); - -void PQCLEAN_KYBER51290S_CLEAN_poly_tobytes(uint8_t r[KYBER_POLYBYTES], const poly *a); -void PQCLEAN_KYBER51290S_CLEAN_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]); - -void PQCLEAN_KYBER51290S_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]); -void PQCLEAN_KYBER51290S_CLEAN_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly *a); - -void PQCLEAN_KYBER51290S_CLEAN_poly_getnoise_eta1(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); - -void PQCLEAN_KYBER51290S_CLEAN_poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce); - -void PQCLEAN_KYBER51290S_CLEAN_poly_ntt(poly *r); -void PQCLEAN_KYBER51290S_CLEAN_poly_invntt_tomont(poly *r); -void PQCLEAN_KYBER51290S_CLEAN_poly_basemul_montgomery(poly *r, const poly *a, const poly *b); -void PQCLEAN_KYBER51290S_CLEAN_poly_tomont(poly *r); - -void PQCLEAN_KYBER51290S_CLEAN_poly_reduce(poly *r); - -void PQCLEAN_KYBER51290S_CLEAN_poly_add(poly *r, const poly *a, const poly *b); -void PQCLEAN_KYBER51290S_CLEAN_poly_sub(poly *r, const poly *a, const poly *b); - -#endif diff --git a/crypto_kem/kyber512-90s/clean/polyvec.c b/crypto_kem/kyber512-90s/clean/polyvec.c deleted file mode 100644 index 26a65e50..00000000 --- a/crypto_kem/kyber512-90s/clean/polyvec.c +++ /dev/null 
@@ -1,181 +0,0 @@ -#include "params.h" -#include "poly.h" -#include "polyvec.h" -#include - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_polyvec_compress -* -* Description: Compress and serialize vector of polynomials -* -* Arguments: - uint8_t *r: pointer to output byte array -* (needs space for KYBER_POLYVECCOMPRESSEDBYTES) -* - const polyvec *a: pointer to input vector of polynomials -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], const polyvec *a) { - unsigned int i, j, k; - - uint16_t t[4]; - for (i = 0; i < KYBER_K; i++) { - for (j = 0; j < KYBER_N / 4; j++) { - for (k = 0; k < 4; k++) { - t[k] = a->vec[i].coeffs[4 * j + k]; - t[k] += ((int16_t)t[k] >> 15) & KYBER_Q; - t[k] = ((((uint32_t)t[k] << 10) + KYBER_Q / 2) / KYBER_Q) & 0x3ff; - } - - r[0] = (uint8_t)(t[0] >> 0); - r[1] = (uint8_t)((t[0] >> 8) | (t[1] << 2)); - r[2] = (uint8_t)((t[1] >> 6) | (t[2] << 4)); - r[3] = (uint8_t)((t[2] >> 4) | (t[3] << 6)); - r[4] = (uint8_t)(t[3] >> 2); - r += 5; - } - } -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_polyvec_decompress -* -* Description: De-serialize and decompress vector of polynomials; -* approximate inverse of PQCLEAN_KYBER51290S_CLEAN_polyvec_compress -* -* Arguments: - polyvec *r: pointer to output vector of polynomials -* - const uint8_t *a: pointer to input byte array -* (of length KYBER_POLYVECCOMPRESSEDBYTES) -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]) { - unsigned int i, j, k; - - uint16_t t[4]; - for (i = 0; i < KYBER_K; i++) { - for (j = 0; j < KYBER_N / 4; j++) { - t[0] = (a[0] >> 0) | ((uint16_t)a[1] << 8); - t[1] = (a[1] >> 2) | ((uint16_t)a[2] << 6); - t[2] = (a[2] >> 4) | ((uint16_t)a[3] << 4); - t[3] = (a[3] >> 6) | ((uint16_t)a[4] << 2); - a 
+= 5; - - for (k = 0; k < 4; k++) { - r->vec[i].coeffs[4 * j + k] = ((uint32_t)(t[k] & 0x3FF) * KYBER_Q + 512) >> 10; - } - } - } -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_polyvec_tobytes -* -* Description: Serialize vector of polynomials -* -* Arguments: - uint8_t *r: pointer to output byte array -* (needs space for KYBER_POLYVECBYTES) -* - const polyvec *a: pointer to input vector of polynomials -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], const polyvec *a) { - unsigned int i; - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_CLEAN_poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_polyvec_frombytes -* -* Description: De-serialize vector of polynomials; -* inverse of PQCLEAN_KYBER51290S_CLEAN_polyvec_tobytes -* -* Arguments: - uint8_t *r: pointer to output byte array -* - const polyvec *a: pointer to input vector of polynomials -* (of length KYBER_POLYVECBYTES) -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]) { - unsigned int i; - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_CLEAN_poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES); - } -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_polyvec_ntt -* -* Description: Apply forward NTT to all elements of a vector of polynomials -* -* Arguments: - polyvec *r: pointer to in/output vector of polynomials -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_polyvec_ntt(polyvec *r) { - unsigned int i; - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_CLEAN_poly_ntt(&r->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_polyvec_invntt_tomont -* 
-* Description: Apply inverse NTT to all elements of a vector of polynomials -* and multiply by Montgomery factor 2^16 -* -* Arguments: - polyvec *r: pointer to in/output vector of polynomials -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_polyvec_invntt_tomont(polyvec *r) { - unsigned int i; - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_CLEAN_poly_invntt_tomont(&r->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_polyvec_basemul_acc_montgomery -* -* Description: Multiply elements of a and b in NTT domain, accumulate into r, -* and multiply by 2^-16. -* -* Arguments: - poly *r: pointer to output polynomial -* - const polyvec *a: pointer to first input vector of polynomials -* - const polyvec *b: pointer to second input vector of polynomials -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_polyvec_basemul_acc_montgomery(poly *r, const polyvec *a, const polyvec *b) { - unsigned int i; - poly t; - - PQCLEAN_KYBER51290S_CLEAN_poly_basemul_montgomery(r, &a->vec[0], &b->vec[0]); - for (i = 1; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_CLEAN_poly_basemul_montgomery(&t, &a->vec[i], &b->vec[i]); - PQCLEAN_KYBER51290S_CLEAN_poly_add(r, r, &t); - } - - PQCLEAN_KYBER51290S_CLEAN_poly_reduce(r); -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_polyvec_reduce -* -* Description: Applies Barrett reduction to each coefficient -* of each element of a vector of polynomials; -* for details of the Barrett reduction see comments in reduce.c -* -* Arguments: - polyvec *r: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_polyvec_reduce(polyvec *r) { - unsigned int i; - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_CLEAN_poly_reduce(&r->vec[i]); - } -} - -/************************************************* -* Name: 
PQCLEAN_KYBER51290S_CLEAN_polyvec_add -* -* Description: Add vectors of polynomials -* -* Arguments: - polyvec *r: pointer to output vector of polynomials -* - const polyvec *a: pointer to first input vector of polynomials -* - const polyvec *b: pointer to second input vector of polynomials -**************************************************/ -void PQCLEAN_KYBER51290S_CLEAN_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) { - unsigned int i; - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER51290S_CLEAN_poly_add(&r->vec[i], &a->vec[i], &b->vec[i]); - } -} diff --git a/crypto_kem/kyber512-90s/clean/polyvec.h b/crypto_kem/kyber512-90s/clean/polyvec.h deleted file mode 100644 index b2d1a11b..00000000 --- a/crypto_kem/kyber512-90s/clean/polyvec.h +++ /dev/null @@ -1,26 +0,0 @@ -#ifndef PQCLEAN_KYBER51290S_CLEAN_POLYVEC_H -#define PQCLEAN_KYBER51290S_CLEAN_POLYVEC_H -#include "params.h" -#include "poly.h" -#include - -typedef struct { - poly vec[KYBER_K]; -} polyvec; - -void PQCLEAN_KYBER51290S_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], const polyvec *a); -void PQCLEAN_KYBER51290S_CLEAN_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]); - -void PQCLEAN_KYBER51290S_CLEAN_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], const polyvec *a); -void PQCLEAN_KYBER51290S_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]); - -void PQCLEAN_KYBER51290S_CLEAN_polyvec_ntt(polyvec *r); -void PQCLEAN_KYBER51290S_CLEAN_polyvec_invntt_tomont(polyvec *r); - -void PQCLEAN_KYBER51290S_CLEAN_polyvec_basemul_acc_montgomery(poly *r, const polyvec *a, const polyvec *b); - -void PQCLEAN_KYBER51290S_CLEAN_polyvec_reduce(polyvec *r); - -void PQCLEAN_KYBER51290S_CLEAN_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b); - -#endif diff --git a/crypto_kem/kyber512-90s/clean/reduce.c b/crypto_kem/kyber512-90s/clean/reduce.c deleted file mode 100644 index ac98f020..00000000 
--- a/crypto_kem/kyber512-90s/clean/reduce.c +++ /dev/null @@ -1,44 +0,0 @@ -#include "params.h" -#include "reduce.h" -#include - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_montgomery_reduce -* -* Description: Montgomery reduction; given a 32-bit integer a, computes -* 16-bit integer congruent to a * R^-1 mod q, where R=2^16 -* -* Arguments: - int32_t a: input integer to be reduced; -* has to be in {-q2^15,...,q2^15-1} -* -* Returns: integer in {-q+1,...,q-1} congruent to a * R^-1 modulo q. -**************************************************/ -int16_t PQCLEAN_KYBER51290S_CLEAN_montgomery_reduce(int32_t a) { - int32_t t; - int16_t u; - - u = (int16_t)(a * (int64_t)QINV); - t = (int32_t)u * KYBER_Q; - t = a - t; - t >>= 16; - return (int16_t)t; -} - -/************************************************* -* Name: PQCLEAN_KYBER51290S_CLEAN_barrett_reduce -* -* Description: Barrett reduction; given a 16-bit integer a, computes -* centered representative congruent to a mod q in {-(q-1)/2,...,(q-1)/2} -* -* Arguments: - int16_t a: input integer to be reduced -* -* Returns: integer in {-(q-1)/2,...,(q-1)/2} congruent to a modulo q. -**************************************************/ -int16_t PQCLEAN_KYBER51290S_CLEAN_barrett_reduce(int16_t a) { - int16_t t; - const int16_t v = ((1U << 26) + KYBER_Q / 2) / KYBER_Q; - - t = ((int32_t)v * a + (1 << 25)) >> 26; - t *= KYBER_Q; - return a - t; -} diff --git a/crypto_kem/kyber512-90s/clean/reduce.h b/crypto_kem/kyber512-90s/clean/reduce.h deleted file mode 100644 index b2b0790d..00000000 --- a/crypto_kem/kyber512-90s/clean/reduce.h +++ /dev/null @@ -1,13 +0,0 @@ -#ifndef PQCLEAN_KYBER51290S_CLEAN_REDUCE_H -#define PQCLEAN_KYBER51290S_CLEAN_REDUCE_H -#include "params.h" -#include - -#define MONT 2285 // 2^16 mod q -#define QINV 62209 // q^-1 mod 2^16 - -int16_t PQCLEAN_KYBER51290S_CLEAN_montgomery_reduce(int32_t a); - -int16_t PQCLEAN_KYBER51290S_CLEAN_barrett_reduce(int16_t a); - -#endif 
diff --git a/crypto_kem/kyber512-90s/clean/symmetric-aes.c b/crypto_kem/kyber512-90s/clean/symmetric-aes.c deleted file mode 100644 index 26ca9c24..00000000 --- a/crypto_kem/kyber512-90s/clean/symmetric-aes.c +++ /dev/null 
@@ -1,100 +0,0 @@
-#include "symmetric-aes.h"
-#include "symmetric.h"
-#include
-#include
-#include
-
-
-static inline void br_enc32be(unsigned char *dst, uint32_t x) {
- dst[3] = (unsigned char)x;
- dst[2] = (unsigned char)(x >> 8);
- dst[1] = (unsigned char)(x >> 16);
- dst[0] = (unsigned char)(x >> 24);
-}
-
-static void aes256_ctr_xof(unsigned char *out, size_t outlen, const unsigned char *iv, uint32_t ctr, const aes256ctx *ctx) {
- uint8_t ivw[16];
- uint8_t buf[AES_BLOCKBYTES];
- size_t i = 0;
-
- memcpy(ivw, iv, AESCTR_NONCEBYTES);
- br_enc32be(ivw + AESCTR_NONCEBYTES, ctr);
-
- while (outlen > AES_BLOCKBYTES) {
- aes256_ecb(out, ivw, 1, ctx);
- br_enc32be(ivw + AESCTR_NONCEBYTES, ++ctr);
- out += AES_BLOCKBYTES;
- outlen -= AES_BLOCKBYTES;
- }
- if (outlen > 0) {
- aes256_ecb(buf, ivw, 1, ctx);
- for (i = 0; i < outlen; i++) {
- out[i] = buf[i];
- }
- }
-}
-
-/*************************************************
-* Name: aes256_prf
-*
-* Description: AES256 stream generation in CTR mode using 32-bit counter,
-* nonce is zero-padded to 12 bytes, counter starts at zero
-*
-* Arguments: - uint8_t *output: pointer to output
-* - size_t outlen: length of requested output in bytes
-* - const uint8_t *key: pointer to 32-byte key
-* - uint8_t nonce: 1-byte nonce (will be zero-padded to 12 bytes)
-**************************************************/
-void PQCLEAN_KYBER51290S_CLEAN_aes256ctr_prf(uint8_t *output, size_t outlen, const uint8_t *key, uint8_t nonce) {
- uint8_t iv[12];
- for (int i = 1; i < 12; i++) {
- iv[i] = 0;
- }
- iv[0] = nonce;
-
- aes256ctx ctx;
- aes256_ctr_keyexp(&ctx, key);
- aes256_ctr(output, outlen, iv, &ctx);
- aes256_ctx_release(&ctx);
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER51290S_CLEAN_aes256xof_absorb
-*
-* Description: AES256 CTR used as a replacement for a XOF; this function
-* "absorbs" a 32-byte key and two additional bytes that are zero-padded
-* to a 12-byte nonce
-*
-* Arguments: - aes256xof_ctx *s: pointer to state to "absorb" key and IV into
-* - const uint8_t *key: pointer to 32-byte key
-* - uint8_t x: first additional byte to "absorb"
-* - uint8_t y: second additional byte to "absorb"
-**************************************************/
-void PQCLEAN_KYBER51290S_CLEAN_aes256xof_absorb(aes256xof_ctx *s, const uint8_t *key, uint8_t x, uint8_t y) {
- aes256_ecb_keyexp(&s->sk_exp, key);
- for (int i = 2; i < 12; i++) {
- s->iv[i] = 0;
- }
- s->iv[0] = x;
- s->iv[1] = y;
- s->ctr = 0;
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER51290S_CLEAN_aes256xof_squeezeblocks
-*
-* Description: AES256 CTR used as a replacement for a XOF; this function
-* generates 4 blocks out AES256-CTR output
-*
-* Arguments: - uint8_t *out: pointer to output
-* - size_t nblocks: number of reqested 64-byte output blocks
-* - aes256xof_ctx *s: AES "state", i.e. expanded key and IV
-**************************************************/
-void PQCLEAN_KYBER51290S_CLEAN_aes256xof_squeezeblocks(uint8_t *out, size_t nblocks, aes256xof_ctx *s) {
- aes256_ctr_xof(out, nblocks * 64, s->iv, s->ctr, &s->sk_exp);
- s->ctr += (uint32_t) (4 * nblocks);
-}
-
-void PQCLEAN_KYBER51290S_CLEAN_aes256xof_ctx_release(aes256xof_ctx *s) {
- aes256_ctx_release(&s->sk_exp);
-}
diff --git a/crypto_kem/kyber512-90s/clean/symmetric-aes.h b/crypto_kem/kyber512-90s/clean/symmetric-aes.h
deleted file mode 100644
index 0385a6e0..00000000
--- a/crypto_kem/kyber512-90s/clean/symmetric-aes.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef PQCLEAN_KYBER51290S_CLEAN_SYMMETRIC_AES_H
-#define PQCLEAN_KYBER51290S_CLEAN_SYMMETRIC_AES_H
-#include "aes.h"
-#include
-#include
-
-typedef struct {
- aes256ctx sk_exp;
- uint8_t iv[12];
- uint32_t ctr;
-} aes256xof_ctx;
-
-void PQCLEAN_KYBER51290S_CLEAN_aes256ctr_prf(uint8_t *output, size_t outlen, const uint8_t *key, uint8_t nonce);
-void PQCLEAN_KYBER51290S_CLEAN_aes256xof_absorb(aes256xof_ctx *s, const uint8_t *key, uint8_t x, uint8_t y);
-void PQCLEAN_KYBER51290S_CLEAN_aes256xof_squeezeblocks(uint8_t *out, size_t nblocks, aes256xof_ctx *s);
-void PQCLEAN_KYBER51290S_CLEAN_aes256xof_ctx_release(aes256xof_ctx *s);
-
-#endif
diff --git a/crypto_kem/kyber512-90s/clean/symmetric.h b/crypto_kem/kyber512-90s/clean/symmetric.h
deleted file mode 100644
index 6dcfdf81..00000000
--- a/crypto_kem/kyber512-90s/clean/symmetric.h
+++ /dev/null
@@ -1,29 +0,0 @@
-#ifndef PQCLEAN_KYBER51290S_CLEAN_SYMMETRIC_H
-#define PQCLEAN_KYBER51290S_CLEAN_SYMMETRIC_H
-#include "params.h"
-#include "sha2.h"
-#include "symmetric-aes.h"
-#include
-#include
-
-
-
-
-typedef aes256xof_ctx xof_state;
-
-void PQCLEAN_KYBER51290S_CLEAN_kyber_aes256xof_absorb(aes256xof_ctx *state, const uint8_t seed[32], uint8_t x, uint8_t y);
-
-void PQCLEAN_KYBER51290S_CLEAN_kyber_aes256ctr_prf(uint8_t *out, size_t outlen, const uint8_t key[32], uint8_t nonce);
-
-#define XOF_BLOCKBYTES 64
-
-#define hash_h(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-#define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES)
-#define xof_absorb(STATE, SEED, X, Y) PQCLEAN_KYBER51290S_CLEAN_aes256xof_absorb(STATE, SEED, X, Y)
-#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER51290S_CLEAN_aes256xof_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define xof_ctx_release(STATE) PQCLEAN_KYBER51290S_CLEAN_aes256xof_ctx_release(STATE)
-#define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER51290S_CLEAN_aes256ctr_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-
-
-#endif /* SYMMETRIC_H */
diff --git a/crypto_kem/kyber512-90s/clean/verify.c b/crypto_kem/kyber512-90s/clean/verify.c
deleted file mode 100644
index 837325e2..00000000
--- a/crypto_kem/kyber512-90s/clean/verify.c
+++ /dev/null
@@ -1,47 +0,0 @@
-#include "verify.h"
-#include
-#include
-
-/*************************************************
-* Name: PQCLEAN_KYBER51290S_CLEAN_verify
-*
-* Description: Compare two arrays for equality in constant time.
-*
-* Arguments: const uint8_t *a: pointer to first byte array
-* const uint8_t *b: pointer to second byte array
-* size_t len: length of the byte arrays
-*
-* Returns 0 if the byte arrays are equal, 1 otherwise
-**************************************************/
-int PQCLEAN_KYBER51290S_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len) {
- size_t i;
- uint8_t r = 0;
-
- for (i = 0; i < len; i++) {
- r |= a[i] ^ b[i];
- }
-
- return (-(uint64_t)r) >> 63;
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER51290S_CLEAN_cmov
-*
-* Description: Copy len bytes from x to r if b is 1;
-* don't modify x if b is 0. Requires b to be in {0,1};
-* assumes two's complement representation of negative integers.
-* Runs in constant time.
-*
-* Arguments: uint8_t *r: pointer to output byte array
-* const uint8_t *x: pointer to input byte array
-* size_t len: Amount of bytes to be copied
-* uint8_t b: Condition bit; has to be in {0,1}
-**************************************************/
-void PQCLEAN_KYBER51290S_CLEAN_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b) {
- size_t i;
-
- b = -b;
- for (i = 0; i < len; i++) {
- r[i] ^= b & (r[i] ^ x[i]);
- }
-}
diff --git a/crypto_kem/kyber512-90s/clean/verify.h b/crypto_kem/kyber512-90s/clean/verify.h
deleted file mode 100644
index 02c90dfd..00000000
--- a/crypto_kem/kyber512-90s/clean/verify.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_KYBER51290S_CLEAN_VERIFY_H
-#define PQCLEAN_KYBER51290S_CLEAN_VERIFY_H
-#include "params.h"
-#include
-#include
-
-int PQCLEAN_KYBER51290S_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len);
-
-void PQCLEAN_KYBER51290S_CLEAN_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b);
-
-#endif
diff --git a/crypto_kem/kyber768-90s/META.yml b/crypto_kem/kyber768-90s/META.yml
deleted file mode 100644
index bc6d2775..00000000
--- a/crypto_kem/kyber768-90s/META.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-name: Kyber768-90s
-type: kem
-claimed-nist-level: 3
-claimed-security: IND-CCA2
-length-public-key: 1184
-length-ciphertext: 1088
-length-secret-key: 2400
-length-shared-secret: 32
-nistkat-sha256: 68bf2e3914c0b4e053cefc67dd9f10f567946da5720f0b453b347610c3cc2c0a
-principal-submitters:
- - Peter Schwabe
-auxiliary-submitters:
- - Roberto Avanzi
- - Joppe Bos
- - Léo Ducas
- - Eike Kiltz
- - Tancrède Lepoint
- - Vadim Lyubashevsky
- - John M. Schanck
- - Gregor Seiler
- - Damien Stehlé
-implementations:
- - name: clean
- version: https://github.com/pq-crystals/kyber/commit/e7faae9f662f5b92fee4e966f09b2f23e1e91c65 via https://github.com/jschanck/package-pqclean/tree/231c9bec/kyber
- - name: avx2
- version: https://github.com/pq-crystals/kyber/commit/e7faae9f662f5b92fee4e966f09b2f23e1e91c65 via https://github.com/jschanck/package-pqclean/tree/231c9bec/kyber
- supported_platforms:
- - architecture: x86_64
- operating_systems:
- - Linux
- - Darwin
- required_flags:
- - aes
- - avx2
- - bmi2
- - popcnt
diff --git a/crypto_kem/kyber768-90s/avx2/LICENSE b/crypto_kem/kyber768-90s/avx2/LICENSE
deleted file mode 100644
index 08473af7..00000000
--- a/crypto_kem/kyber768-90s/avx2/LICENSE
+++ /dev/null
@@ -1,5 +0,0 @@
-Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/)
-
-For Keccak and AES we are using public-domain
-code from sources and by authors listed in
-comments on top of the respective files.
diff --git a/crypto_kem/kyber768-90s/avx2/aes256ctr.c b/crypto_kem/kyber768-90s/avx2/aes256ctr.c
deleted file mode 100644
index 957f1440..00000000
--- a/crypto_kem/kyber768-90s/avx2/aes256ctr.c
+++ /dev/null
@@ -1,142 +0,0 @@
-#include "aes256ctr.h"
-#include
-#include
-#include
-/* Based heavily on public-domain code by Romain Dolbeau
- * Different handling of nonce+counter than original version using
- * separated 64-bit nonce and internal 64-bit counter, starting from zero
- * Public Domain */
-
-
-static inline void aesni_encrypt4(uint8_t out[64], __m128i *n, const __m128i rkeys[16]) {
- __m128i f, f0, f1, f2, f3;
- const __m128i idx = _mm_set_epi8(8, 9, 10, 11, 12, 13, 14, 15, 7, 6, 5, 4, 3, 2, 1, 0);
-
- /* Load current counter value */
- f = _mm_load_si128(n);
-
- /* Increase counter in 4 consecutive blocks */
- f0 = _mm_shuffle_epi8(_mm_add_epi64(f, _mm_set_epi64x(0, 0)), idx);
- f1 = _mm_shuffle_epi8(_mm_add_epi64(f, _mm_set_epi64x(1, 0)), idx);
- f2 = _mm_shuffle_epi8(_mm_add_epi64(f, _mm_set_epi64x(2, 0)), idx);
- f3 = _mm_shuffle_epi8(_mm_add_epi64(f, _mm_set_epi64x(3, 0)), idx);
-
- /* Write counter for next iteration, increased by 4 */
- _mm_store_si128(n, _mm_add_epi64(f, _mm_set_epi64x(4, 0)));
-
- /* Actual AES encryption, 4x interleaved */
- f = _mm_load_si128(&rkeys[0]);
- f0 = _mm_xor_si128(f0, f);
- f1 = _mm_xor_si128(f1, f);
- f2 = _mm_xor_si128(f2, f);
- f3 = _mm_xor_si128(f3, f);
-
- for (int i = 1; i < 14; i++) {
- f = _mm_load_si128(&rkeys[i]);
- f0 = _mm_aesenc_si128(f0, f);
- f1 = _mm_aesenc_si128(f1, f);
- f2 = _mm_aesenc_si128(f2, f);
- f3 = _mm_aesenc_si128(f3, f);
- }
-
- f = _mm_load_si128(&rkeys[14]);
- f0 = _mm_aesenclast_si128(f0, f);
- f1 = _mm_aesenclast_si128(f1, f);
- f2 = _mm_aesenclast_si128(f2, f);
- f3 = _mm_aesenclast_si128(f3, f);
-
- /* Write results */
- _mm_storeu_si128((__m128i *)(out + 0), f0);
- _mm_storeu_si128((__m128i *)(out + 16), f1);
- _mm_storeu_si128((__m128i *)(out + 32), f2);
- _mm_storeu_si128((__m128i *)(out + 48), f3);
-}
-
-void PQCLEAN_KYBER76890S_AVX2_aes256ctr_init(aes256ctr_ctx *state, const uint8_t key[32], uint64_t nonce) {
- __m128i key0, key1, temp0, temp1, temp2, temp4;
- int idx = 0;
-
- key0 = _mm_loadu_si128((__m128i *)(key + 0));
- key1 = _mm_loadu_si128((__m128i *)(key + 16));
- state->n = _mm_loadl_epi64((__m128i *)&nonce);
-
- state->rkeys[idx++] = key0;
- temp0 = key0;
- temp2 = key1;
- temp4 = _mm_setzero_si128();
-
-#define BLOCK1(IMM) \
- temp1 = _mm_aeskeygenassist_si128(temp2, IMM); \
- state->rkeys[idx++] = temp2; \
- temp4 = (__m128i)_mm_shuffle_ps((__m128)temp4, (__m128)temp0, 0x10); \
- temp0 = _mm_xor_si128(temp0, temp4); \
- temp4 = (__m128i)_mm_shuffle_ps((__m128)temp4, (__m128)temp0, 0x8c); \
- temp0 = _mm_xor_si128(temp0, temp4); \
- temp1 = (__m128i)_mm_shuffle_ps((__m128)temp1, (__m128)temp1, 0xff); \
- temp0 = _mm_xor_si128(temp0, temp1)
-
-#define BLOCK2(IMM) \
- temp1 = _mm_aeskeygenassist_si128(temp0, IMM); \
- state->rkeys[idx++] = temp0; \
- temp4 = (__m128i)_mm_shuffle_ps((__m128)temp4, (__m128)temp2, 0x10); \
- temp2 = _mm_xor_si128(temp2, temp4); \
- temp4 = (__m128i)_mm_shuffle_ps((__m128)temp4, (__m128)temp2, 0x8c); \
- temp2 = _mm_xor_si128(temp2, temp4); \
- temp1 = (__m128i)_mm_shuffle_ps((__m128)temp1, (__m128)temp1, 0xaa); \
- temp2 = _mm_xor_si128(temp2, temp1)
-
- BLOCK1(0x01);
- BLOCK2(0x01);
-
- BLOCK1(0x02);
- BLOCK2(0x02);
-
- BLOCK1(0x04);
- BLOCK2(0x04);
-
- BLOCK1(0x08);
- BLOCK2(0x08);
-
- BLOCK1(0x10);
- BLOCK2(0x10);
-
- BLOCK1(0x20);
- BLOCK2(0x20);
-
- BLOCK1(0x40);
- state->rkeys[idx++] = temp0;
-}
-
-void PQCLEAN_KYBER76890S_AVX2_aes256ctr_squeezeblocks(uint8_t *out,
- size_t nblocks,
- aes256ctr_ctx *state) {
- size_t i;
- for (i = 0; i < nblocks; i++) {
- aesni_encrypt4(out, &state->n, state->rkeys);
- out += 64;
- }
-}
-
-void PQCLEAN_KYBER76890S_AVX2_aes256ctr_prf(uint8_t *out,
- size_t outlen,
- const uint8_t key[32],
- uint64_t nonce) {
- unsigned int i;
- uint8_t buf[64];
- aes256ctr_ctx state;
-
- PQCLEAN_KYBER76890S_AVX2_aes256ctr_init(&state, key, nonce);
-
- while (outlen >= 64) {
- aesni_encrypt4(out, &state.n, state.rkeys);
- outlen -= 64;
- out += 64;
- }
-
- if (outlen) {
- aesni_encrypt4(buf, &state.n, state.rkeys);
- for (i = 0; i < outlen; i++) {
- out[i] = buf[i];
- }
- }
-}
diff --git a/crypto_kem/kyber768-90s/avx2/aes256ctr.h b/crypto_kem/kyber768-90s/avx2/aes256ctr.h
deleted file mode 100644
index 74d928d6..00000000
--- a/crypto_kem/kyber768-90s/avx2/aes256ctr.h
+++ /dev/null
@@ -1,29 +0,0 @@
-#ifndef PQCLEAN_KYBER76890S_AVX2_AES256CTR_H
-#define PQCLEAN_KYBER76890S_AVX2_AES256CTR_H
-
-#include
-#include
-#include
-
-
-#define AES256CTR_BLOCKBYTES 64
-
-typedef struct {
- __m128i rkeys[16];
- __m128i n;
-} aes256ctr_ctx;
-
-void PQCLEAN_KYBER76890S_AVX2_aes256ctr_init(aes256ctr_ctx *state,
- const uint8_t key[32],
- uint64_t nonce);
-
-void PQCLEAN_KYBER76890S_AVX2_aes256ctr_squeezeblocks(uint8_t *out,
- size_t nblocks,
- aes256ctr_ctx *state);
-
-void PQCLEAN_KYBER76890S_AVX2_aes256ctr_prf(uint8_t *out,
- size_t outlen,
- const uint8_t key[32],
- uint64_t nonce);
-
-#endif
diff --git a/crypto_kem/kyber768-90s/avx2/align.h b/crypto_kem/kyber768-90s/avx2/align.h
deleted file mode 100644
index 3a74f591..00000000
--- a/crypto_kem/kyber768-90s/avx2/align.h
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef PQCLEAN_KYBER76890S_AVX2_ALIGN_H
-#define PQCLEAN_KYBER76890S_AVX2_ALIGN_H
-
-#include
-#include
-
-#define ALIGNED_UINT8(N) \
- union { \
- uint8_t coeffs[(N)]; \
- __m256i vec[((N)+31)/32]; \
- }
-
-#define ALIGNED_INT16(N) \
- union { \
- int16_t coeffs[(N)]; \
- __m256i vec[((N)+15)/16]; \
- }
-
-#endif
diff --git a/crypto_kem/kyber768-90s/avx2/api.h b/crypto_kem/kyber768-90s/avx2/api.h
deleted file mode 100644
index 5966b442..00000000
--- a/crypto_kem/kyber768-90s/avx2/api.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef PQCLEAN_KYBER76890S_AVX2_API_H
-#define PQCLEAN_KYBER76890S_AVX2_API_H
-
-#include
-
-#define PQCLEAN_KYBER76890S_AVX2_CRYPTO_SECRETKEYBYTES 2400
-#define PQCLEAN_KYBER76890S_AVX2_CRYPTO_PUBLICKEYBYTES 1184
-#define PQCLEAN_KYBER76890S_AVX2_CRYPTO_CIPHERTEXTBYTES 1088
-#define PQCLEAN_KYBER76890S_AVX2_CRYPTO_BYTES 32
-#define PQCLEAN_KYBER76890S_AVX2_CRYPTO_ALGNAME "Kyber768-90s"
-
-int PQCLEAN_KYBER76890S_AVX2_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
-
-int PQCLEAN_KYBER76890S_AVX2_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-
-int PQCLEAN_KYBER76890S_AVX2_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
-#endif
diff --git a/crypto_kem/kyber768-90s/avx2/basemul.S b/crypto_kem/kyber768-90s/avx2/basemul.S
deleted file mode 100644
index 7cbff8a8..00000000
--- a/crypto_kem/kyber768-90s/avx2/basemul.S
+++ /dev/null
@@ -1,107 +0,0 @@
-#include "cdecl.h"
-
-.macro schoolbook off
-vmovdqa _16XQINV*2(%rcx),%ymm0
-vmovdqa (64*\off+ 0)*2(%rsi),%ymm1 # a0
-vmovdqa (64*\off+16)*2(%rsi),%ymm2 # b0
-vmovdqa (64*\off+32)*2(%rsi),%ymm3 # a1
-vmovdqa (64*\off+48)*2(%rsi),%ymm4 # b1
-
-vpmullw %ymm0,%ymm1,%ymm9 # a0.lo
-vpmullw %ymm0,%ymm2,%ymm10 # b0.lo
-vpmullw %ymm0,%ymm3,%ymm11 # a1.lo
-vpmullw %ymm0,%ymm4,%ymm12 # b1.lo
-
-vmovdqa (64*\off+ 0)*2(%rdx),%ymm5 # c0
-vmovdqa (64*\off+16)*2(%rdx),%ymm6 # d0
-
-vpmulhw %ymm5,%ymm1,%ymm13 # a0c0.hi
-vpmulhw %ymm6,%ymm1,%ymm1 # a0d0.hi
-vpmulhw %ymm5,%ymm2,%ymm14 # b0c0.hi
-vpmulhw %ymm6,%ymm2,%ymm2 # b0d0.hi
-
-vmovdqa (64*\off+32)*2(%rdx),%ymm7 # c1
-vmovdqa (64*\off+48)*2(%rdx),%ymm8 # d1
-
-vpmulhw %ymm7,%ymm3,%ymm15 # a1c1.hi
-vpmulhw %ymm8,%ymm3,%ymm3 # a1d1.hi
-vpmulhw %ymm7,%ymm4,%ymm0 # b1c1.hi
-vpmulhw %ymm8,%ymm4,%ymm4 # b1d1.hi
-
-vmovdqa %ymm13,(%rsp)
-
-vpmullw %ymm5,%ymm9,%ymm13 # a0c0.lo
-vpmullw %ymm6,%ymm9,%ymm9 # a0d0.lo
-vpmullw %ymm5,%ymm10,%ymm5 # b0c0.lo
-vpmullw %ymm6,%ymm10,%ymm10 # b0d0.lo
-
-vpmullw %ymm7,%ymm11,%ymm6 # a1c1.lo
-vpmullw %ymm8,%ymm11,%ymm11 # a1d1.lo
-vpmullw %ymm7,%ymm12,%ymm7 # b1c1.lo
-vpmullw %ymm8,%ymm12,%ymm12 # b1d1.lo
-
-vmovdqa _16XQ*2(%rcx),%ymm8
-vpmulhw %ymm8,%ymm13,%ymm13
-vpmulhw %ymm8,%ymm9,%ymm9
-vpmulhw %ymm8,%ymm5,%ymm5
-vpmulhw %ymm8,%ymm10,%ymm10
-vpmulhw %ymm8,%ymm6,%ymm6
-vpmulhw %ymm8,%ymm11,%ymm11
-vpmulhw %ymm8,%ymm7,%ymm7
-vpmulhw %ymm8,%ymm12,%ymm12
-
-vpsubw (%rsp),%ymm13,%ymm13 # -a0c0
-vpsubw %ymm9,%ymm1,%ymm9 # a0d0
-vpsubw %ymm5,%ymm14,%ymm5 # b0c0
-vpsubw %ymm10,%ymm2,%ymm10 # b0d0
-
-vpsubw %ymm6,%ymm15,%ymm6 # a1c1
-vpsubw %ymm11,%ymm3,%ymm11 # a1d1
-vpsubw %ymm7,%ymm0,%ymm7 # b1c1
-vpsubw %ymm12,%ymm4,%ymm12 # b1d1
-
-vmovdqa (%r9),%ymm0
-vmovdqa 32(%r9),%ymm1
-vpmullw %ymm0,%ymm10,%ymm2
-vpmullw %ymm0,%ymm12,%ymm3
-vpmulhw %ymm1,%ymm10,%ymm10
-vpmulhw %ymm1,%ymm12,%ymm12
-vpmulhw %ymm8,%ymm2,%ymm2
-vpmulhw %ymm8,%ymm3,%ymm3
-vpsubw %ymm2,%ymm10,%ymm10 # rb0d0
-vpsubw %ymm3,%ymm12,%ymm12 # rb1d1
-
-vpaddw %ymm5,%ymm9,%ymm9
-vpaddw %ymm7,%ymm11,%ymm11
-vpsubw %ymm13,%ymm10,%ymm13
-vpsubw %ymm12,%ymm6,%ymm6
-
-vmovdqa %ymm13,(64*\off+ 0)*2(%rdi)
-vmovdqa %ymm9,(64*\off+16)*2(%rdi)
-vmovdqa %ymm6,(64*\off+32)*2(%rdi)
-vmovdqa %ymm11,(64*\off+48)*2(%rdi)
-.endm
-
-.text
-.global cdecl(PQCLEAN_KYBER76890S_AVX2_basemul_avx)
-.global _cdecl(PQCLEAN_KYBER76890S_AVX2_basemul_avx)
-cdecl(PQCLEAN_KYBER76890S_AVX2_basemul_avx):
-_cdecl(PQCLEAN_KYBER76890S_AVX2_basemul_avx):
-mov %rsp,%r8
-and $-32,%rsp
-sub $32,%rsp
-
-lea (_ZETAS_EXP+176)*2(%rcx),%r9
-schoolbook 0
-
-add $32*2,%r9
-schoolbook 1
-
-add $192*2,%r9
-schoolbook 2
-
-add $32*2,%r9
-schoolbook 3
-
-mov %r8,%rsp
-ret
diff --git a/crypto_kem/kyber768-90s/avx2/cbd.c b/crypto_kem/kyber768-90s/avx2/cbd.c
deleted file mode 100644
index 09b47b24..00000000
--- a/crypto_kem/kyber768-90s/avx2/cbd.c
+++ /dev/null
@@ -1,67 +0,0 @@
-#include "cbd.h"
-#include "params.h"
-#include
-#include
-
-/*************************************************
-* Name: cbd2
-*
-* Description: Given an array of uniformly random bytes, compute
-* polynomial with coefficients distributed according to
-* a centered binomial distribution with parameter eta=2
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const __m256i *buf: pointer to aligned input byte array
-**************************************************/
-static void cbd2(poly *restrict r, const __m256i buf[2 * KYBER_N / 128]) {
- unsigned int i;
- __m256i f0, f1, f2, f3;
- const __m256i mask55 = _mm256_set1_epi32(0x55555555);
- const __m256i mask33 = _mm256_set1_epi32(0x33333333);
- const __m256i mask03 = _mm256_set1_epi32(0x03030303);
- const __m256i mask0F = _mm256_set1_epi32(0x0F0F0F0F);
-
- for (i = 0; i < KYBER_N / 64; i++) {
- f0 = _mm256_load_si256(&buf[i]);
-
- f1 = _mm256_srli_epi16(f0, 1);
- f0 = _mm256_and_si256(mask55, f0);
- f1 = _mm256_and_si256(mask55, f1);
- f0 = _mm256_add_epi8(f0, f1);
-
- f1 = _mm256_srli_epi16(f0, 2);
- f0 = _mm256_and_si256(mask33, f0);
- f1 = _mm256_and_si256(mask33, f1);
- f0 = _mm256_add_epi8(f0, mask33);
- f0 = _mm256_sub_epi8(f0, f1);
-
- f1 = _mm256_srli_epi16(f0, 4);
- f0 = _mm256_and_si256(mask0F, f0);
- f1 = _mm256_and_si256(mask0F, f1);
- f0 = _mm256_sub_epi8(f0, mask03);
- f1 = _mm256_sub_epi8(f1, mask03);
-
- f2 = _mm256_unpacklo_epi8(f0, f1);
- f3 = _mm256_unpackhi_epi8(f0, f1);
-
- f0 = _mm256_cvtepi8_epi16(_mm256_castsi256_si128(f2));
- f1 = _mm256_cvtepi8_epi16(_mm256_extracti128_si256(f2, 1));
- f2 = _mm256_cvtepi8_epi16(_mm256_castsi256_si128(f3));
- f3 = _mm256_cvtepi8_epi16(_mm256_extracti128_si256(f3, 1));
-
- _mm256_store_si256(&r->vec[4 * i + 0], f0);
- _mm256_store_si256(&r->vec[4 * i + 1], f2);
- _mm256_store_si256(&r->vec[4 * i + 2], f1);
- _mm256_store_si256(&r->vec[4 * i + 3], f3);
- }
-}
-
-
-/* buf 32 bytes longer for cbd3 */
-void PQCLEAN_KYBER76890S_AVX2_poly_cbd_eta1(poly *r, const __m256i buf[KYBER_ETA1 * KYBER_N / 128 + 1]) {
- cbd2(r, buf);
-}
-
-void PQCLEAN_KYBER76890S_AVX2_poly_cbd_eta2(poly *r, const __m256i buf[KYBER_ETA2 * KYBER_N / 128]) {
- cbd2(r, buf);
-}
diff --git a/crypto_kem/kyber768-90s/avx2/cbd.h b/crypto_kem/kyber768-90s/avx2/cbd.h
deleted file mode 100644
index 806b6177..00000000
--- a/crypto_kem/kyber768-90s/avx2/cbd.h
+++ /dev/null
@@ -1,12 +0,0 @@
-#ifndef PQCLEAN_KYBER76890S_AVX2_CBD_H
-#define PQCLEAN_KYBER76890S_AVX2_CBD_H
-#include "params.h"
-#include "poly.h"
-#include
-#include
-
-void PQCLEAN_KYBER76890S_AVX2_poly_cbd_eta1(poly *r, const __m256i buf[KYBER_ETA1 * KYBER_N / 128 + 1]);
-
-void PQCLEAN_KYBER76890S_AVX2_poly_cbd_eta2(poly *r, const __m256i buf[KYBER_ETA2 * KYBER_N / 128]);
-
-#endif
diff --git a/crypto_kem/kyber768-90s/avx2/cdecl.h b/crypto_kem/kyber768-90s/avx2/cdecl.h
deleted file mode 100644
index bebb78c3..00000000
--- a/crypto_kem/kyber768-90s/avx2/cdecl.h
+++ /dev/null
@@ -1,30 +0,0 @@
-#ifndef PQCLEAN_KYBER76890S_AVX2_CDECL_H
-#define PQCLEAN_KYBER76890S_AVX2_CDECL_H
-
-
-
-#define _16XQ 0
-#define _16XQINV 16
-#define _16XV 32
-#define _16XFLO 48
-#define _16XFHI 64
-#define _16XMONTSQLO 80
-#define _16XMONTSQHI 96
-#define _16XMASK 112
-#define _REVIDXB 128
-#define _REVIDXD 144
-#define _ZETAS_EXP 160
-#define _16XSHIFT 624
-
-/* The C ABI on MacOS exports all symbols with a leading
- * underscore. This means that any symbols we refer to from
- * C files (functions) can't be found, and all symbols we
- * refer to from ASM also can't be found (nttconsts.c).
- *
- * This define helps us get around this
- */
-
-#define _cdecl(s) _##s
-#define cdecl(s) s
-
-#endif
diff --git a/crypto_kem/kyber768-90s/avx2/consts.c b/crypto_kem/kyber768-90s/avx2/consts.c
deleted file mode 100644
index 167cff84..00000000
--- a/crypto_kem/kyber768-90s/avx2/consts.c
+++ /dev/null
@@ -1,123 +0,0 @@
-#include "align.h"
-#include "consts.h"
-#include "params.h"
-
-
-#define Q KYBER_Q
-#define MONT (-1044) // 2^16 mod q
-#define QINV (-3327) // q^-1 mod 2^16
-#define V 20159 // floor(2^26/q + 0.5)
-#define FHI 1441 // mont^2/128
-#define FLO (-10079) // qinv*FHI
-#define MONTSQHI 1353 // mont^2
-#define MONTSQLO 20553 // qinv*MONTSQHI
-#define MASK 4095
-#define SHIFT 32
-
-const qdata_t PQCLEAN_KYBER76890S_AVX2_qdata = {.coeffs = {
-//#define _16XQ 0
- Q, Q, Q, Q, Q, Q, Q, Q, Q, Q, Q, Q, Q, Q, Q, Q,
-
-//#define _16XQINV 16
- QINV, QINV, QINV, QINV, QINV, QINV, QINV, QINV,
- QINV, QINV, QINV, QINV, QINV, QINV, QINV, QINV,
-
-//#define _16XV 32
- V, V, V, V, V, V, V, V, V, V, V, V, V, V, V, V,
-
-//#define _16XFLO 48
- FLO, FLO, FLO, FLO, FLO, FLO, FLO, FLO,
- FLO, FLO, FLO, FLO, FLO, FLO, FLO, FLO,
-
-//#define _16XFHI 64
- FHI, FHI, FHI, FHI, FHI, FHI, FHI, FHI,
- FHI, FHI, FHI, FHI, FHI, FHI, FHI, FHI,
-
-//#define _16XMONTSQLO 80
- MONTSQLO, MONTSQLO, MONTSQLO, MONTSQLO,
- MONTSQLO, MONTSQLO, MONTSQLO, MONTSQLO,
- MONTSQLO, MONTSQLO, MONTSQLO, MONTSQLO,
- MONTSQLO, MONTSQLO, MONTSQLO, MONTSQLO,
-
-//#define _16XMONTSQHI 96
- MONTSQHI, MONTSQHI, MONTSQHI, MONTSQHI,
- MONTSQHI, MONTSQHI, MONTSQHI, MONTSQHI,
- MONTSQHI, MONTSQHI, MONTSQHI, MONTSQHI,
- MONTSQHI, MONTSQHI, MONTSQHI, MONTSQHI,
-
-//#define _16XMASK 112
- MASK, MASK, MASK, MASK, MASK, MASK, MASK, MASK,
- MASK, MASK, MASK, MASK, MASK, MASK, MASK, MASK,
-
-//#define _REVIDXB 128
- 3854, 3340, 2826, 2312, 1798, 1284, 770, 256,
- 3854, 3340, 2826, 2312, 1798, 1284, 770, 256,
-
-//#define _REVIDXD 144
- 7, 0, 6, 0, 5, 0, 4, 0, 3, 0, 2, 0, 1, 0, 0, 0,
-
-//#define _ZETAS_EXP 160
- 31498, 31498, 31498, 31498, -758, -758, -758, -758,
- 5237, 5237, 5237, 5237, 1397, 1397, 1397, 1397,
- 14745, 14745, 14745, 14745, 14745, 14745, 14745, 14745,
- 14745, 14745, 14745, 14745, 14745, 14745, 14745, 14745,
- -359, -359, -359, -359, -359, -359, -359, -359,
- -359, -359, -359, -359, -359, -359, -359, -359,
- 13525, 13525, 13525, 13525, 13525, 13525, 13525, 13525,
- -12402, -12402, -12402, -12402, -12402, -12402, -12402, -12402,
- 1493, 1493, 1493, 1493, 1493, 1493, 1493, 1493,
- 1422, 1422, 1422, 1422, 1422, 1422, 1422, 1422,
- -20907, -20907, -20907, -20907, 27758, 27758, 27758, 27758,
- -3799, -3799, -3799, -3799, -15690, -15690, -15690, -15690,
- -171, -171, -171, -171, 622, 622, 622, 622,
- 1577, 1577, 1577, 1577, 182, 182, 182, 182,
- -5827, -5827, 17363, 17363, -26360, -26360, -29057, -29057,
- 5571, 5571, -1102, -1102, 21438, 21438, -26242, -26242,
- 573, 573, -1325, -1325, 264, 264, 383, 383,
- -829, -829, 1458, 1458, -1602, -1602, -130, -130,
- -5689, -6516, 1496, 30967, -23565, 20179, 20710, 25080,
- -12796, 26616, 16064, -12442, 9134, -650, -25986, 27837,
- 1223, 652, -552, 1015, -1293, 1491, -282, -1544,
- 516, -8, -320, -666, -1618, -1162, 126, 1469,
- -335, -11477, -32227, 20494, -27738, 945, -14883, 6182,
- 32010, 10631, 29175, -28762, -18486, 17560, -14430, -5276,
- -1103, 555, -1251, 1550, 422, 177, -291, 1574,
- -246, 1159, -777, -602, -1590, -872, 418, -156,
- 11182, 13387, -14233, -21655, 13131, -4587, 23092, 5493,
- -32502, 30317, -18741, 12639, 20100, 18525, 19529, -12619,
- 430, 843, 871, 105, 587, -235, -460, 1653,
- 778, -147, 1483, 1119, 644, 349, 329, -75,
- 787, 787, 787, 787, 787, 787, 787, 787,
- 787, 787, 787, 787, 787, 787, 787, 787,
- -1517, -1517, -1517, -1517, -1517, -1517, -1517, -1517,
- -1517, -1517, -1517, -1517, -1517, -1517, -1517, -1517,
- 28191, 28191, 28191, 28191, 28191, 28191, 28191, 28191,
- -16694, -16694, -16694, -16694, -16694, -16694, -16694, -16694,
- 287, 287, 287, 287, 287, 287, 287, 287,
- 202, 202, 202, 202, 202, 202, 202, 202,
- 10690, 10690, 10690, 10690, 1358, 1358, 1358, 1358,
- -11202, -11202, -11202, -11202, 31164, 31164, 31164, 31164,
- 962, 962, 962, 962, -1202, -1202, -1202, -1202,
- -1474, -1474, -1474, -1474, 1468, 1468, 1468, 1468,
- -28073, -28073, 24313, 24313, -10532, -10532, 8800, 8800,
- 18426, 18426, 8859, 8859, 26675, 26675, -16163, -16163,
- -681, -681, 1017, 1017, 732, 732, 608, 608,
- -1542, -1542, 411, 411, -205, -205, -1571, -1571,
- 19883, -28250, -15887, -8898, -28309, 9075, -30199, 18249,
- 13426, 14017, -29156, -12757, 16832, 4311, -24155, -17915,
- -853, -90, -271, 830, 107, -1421, -247, -951,
- -398, 961, -1508, -725, 448, -1065, 677, -1275,
- -31183, 25435, -7382, 24391, -20927, 10946, 24214, 16989,
- 10335, -7934, -22502, 10906, 31636, 28644, 23998, -17422,
- 817, 603, 1322, -1465, -1215, 1218, -874, -1187,
- -1185, -1278, -1510, -870, -108, 996, 958, 1522,
- 20297, 2146, 15355, -32384, -6280, -14903, -11044, 14469,
- -21498, -20198, 23210, -17442, -23860, -20257, 7756, 23132,
- 1097, 610, -1285, 384, -136, -1335, 220, -1659,
- -1530, 794, -854, 478, -308, 991, -1460, 1628,
-
-//#define _16XSHIFT 624
- SHIFT, SHIFT, SHIFT, SHIFT, SHIFT, SHIFT, SHIFT, SHIFT,
- SHIFT, SHIFT, SHIFT, SHIFT, SHIFT, SHIFT, SHIFT, SHIFT
- }
-};
diff --git a/crypto_kem/kyber768-90s/avx2/consts.h b/crypto_kem/kyber768-90s/avx2/consts.h
deleted file mode 100644
index 9f415363..00000000
--- a/crypto_kem/kyber768-90s/avx2/consts.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_KYBER76890S_AVX2_CONSTS_H
-#define PQCLEAN_KYBER76890S_AVX2_CONSTS_H
-#include "align.h"
-#include "cdecl.h"
-
-
-typedef ALIGNED_INT16(640) qdata_t;
-extern const qdata_t PQCLEAN_KYBER76890S_AVX2_qdata;
-
-#endif
diff --git a/crypto_kem/kyber768-90s/avx2/fq.S b/crypto_kem/kyber768-90s/avx2/fq.S
deleted file mode 100644
index 55789344..00000000
--- a/crypto_kem/kyber768-90s/avx2/fq.S
+++ /dev/null
@@ -1,92 +0,0 @@
-#include "cdecl.h"
-.include "fq.inc"
-
-.text
-reduce128_avx:
-#load
-vmovdqa (%rdi),%ymm2
-vmovdqa 32(%rdi),%ymm3
-vmovdqa 64(%rdi),%ymm4
-vmovdqa 96(%rdi),%ymm5
-vmovdqa 128(%rdi),%ymm6
-vmovdqa 160(%rdi),%ymm7
-vmovdqa 192(%rdi),%ymm8
-vmovdqa 224(%rdi),%ymm9
-
-red16 2
-red16 3
-red16 4
-red16 5
-red16 6
-red16 7
-red16 8
-red16 9
-
-#store
-vmovdqa %ymm2,(%rdi)
-vmovdqa %ymm3,32(%rdi)
-vmovdqa %ymm4,64(%rdi)
-vmovdqa %ymm5,96(%rdi)
-vmovdqa %ymm6,128(%rdi)
-vmovdqa %ymm7,160(%rdi)
-vmovdqa %ymm8,192(%rdi)
-vmovdqa %ymm9,224(%rdi)
-
-ret
-
-.global cdecl(PQCLEAN_KYBER76890S_AVX2_reduce_avx)
-.global _cdecl(PQCLEAN_KYBER76890S_AVX2_reduce_avx)
-cdecl(PQCLEAN_KYBER76890S_AVX2_reduce_avx):
-_cdecl(PQCLEAN_KYBER76890S_AVX2_reduce_avx):
-#consts
-vmovdqa _16XQ*2(%rsi),%ymm0
-vmovdqa _16XV*2(%rsi),%ymm1
-call reduce128_avx
-add $256,%rdi
-call reduce128_avx
-ret
-
-tomont128_avx:
-#load
-vmovdqa (%rdi),%ymm3
-vmovdqa 32(%rdi),%ymm4
-vmovdqa 64(%rdi),%ymm5
-vmovdqa 96(%rdi),%ymm6
-vmovdqa 128(%rdi),%ymm7
-vmovdqa 160(%rdi),%ymm8
-vmovdqa 192(%rdi),%ymm9
-vmovdqa 224(%rdi),%ymm10
-
-fqmulprecomp 1,2,3,11
-fqmulprecomp 1,2,4,12
-fqmulprecomp 1,2,5,13
-fqmulprecomp 1,2,6,14
-fqmulprecomp 1,2,7,15
-fqmulprecomp 1,2,8,11
-fqmulprecomp 1,2,9,12
-fqmulprecomp 1,2,10,13
-
-#store
-vmovdqa %ymm3,(%rdi)
-vmovdqa %ymm4,32(%rdi)
-vmovdqa %ymm5,64(%rdi)
-vmovdqa %ymm6,96(%rdi)
-vmovdqa %ymm7,128(%rdi)
-vmovdqa %ymm8,160(%rdi)
-vmovdqa %ymm9,192(%rdi)
-vmovdqa %ymm10,224(%rdi)
-
-ret
-
-.global cdecl(PQCLEAN_KYBER76890S_AVX2_tomont_avx)
-.global _cdecl(PQCLEAN_KYBER76890S_AVX2_tomont_avx)
-cdecl(PQCLEAN_KYBER76890S_AVX2_tomont_avx):
-_cdecl(PQCLEAN_KYBER76890S_AVX2_tomont_avx):
-#consts
-vmovdqa _16XQ*2(%rsi),%ymm0
-vmovdqa _16XMONTSQLO*2(%rsi),%ymm1
-vmovdqa _16XMONTSQHI*2(%rsi),%ymm2
-call tomont128_avx
-add $256,%rdi
-call tomont128_avx
-ret
diff --git a/crypto_kem/kyber768-90s/avx2/fq.inc b/crypto_kem/kyber768-90s/avx2/fq.inc
deleted file mode 100644
index 4b7afc31..00000000
--- a/crypto_kem/kyber768-90s/avx2/fq.inc
+++ /dev/null
@@ -1,30 +0,0 @@
-.macro red16 r,rs=0,x=12
-vpmulhw %ymm1,%ymm\r,%ymm\x
-.if \rs
-vpmulhrsw %ymm\rs,%ymm\x,%ymm\x
-.else
-vpsraw $10,%ymm\x,%ymm\x
-.endif
-vpmullw %ymm0,%ymm\x,%ymm\x
-vpsubw %ymm\x,%ymm\r,%ymm\r
-.endm
-
-.macro csubq r,x=12
-vpsubw %ymm0,%ymm\r,%ymm\r
-vpsraw $15,%ymm\r,%ymm\x
-vpand %ymm0,%ymm\x,%ymm\x
-vpaddw %ymm\x,%ymm\r,%ymm\r
-.endm
-
-.macro caddq r,x=12
-vpsraw $15,%ymm\r,%ymm\x
-vpand %ymm0,%ymm\x,%ymm\x
-vpaddw %ymm\x,%ymm\r,%ymm\r
-.endm
-
-.macro fqmulprecomp al,ah,b,x=12
-vpmullw %ymm\al,%ymm\b,%ymm\x
-vpmulhw %ymm\ah,%ymm\b,%ymm\b
-vpmulhw %ymm0,%ymm\x,%ymm\x
-vpsubw %ymm\x,%ymm\b,%ymm\b
-.endm
diff --git a/crypto_kem/kyber768-90s/avx2/indcpa.c b/crypto_kem/kyber768-90s/avx2/indcpa.c
deleted file mode 100644
index 317c6635..00000000
--- a/crypto_kem/kyber768-90s/avx2/indcpa.c
+++ /dev/null
@@ -1,370 +0,0 @@ -#include "align.h" -#include "cbd.h" -#include "indcpa.h" -#include "ntt.h" -#include "params.h" -#include "poly.h" -#include "polyvec.h" -#include "randombytes.h" -#include "rejsample.h" -#include "symmetric.h" -#include -#include -#include - -/************************************************* -* Name: pack_pk -* -* Description: Serialize the public key as concatenation of the -* serialized vector of polynomials pk and the -* public seed used to generate the matrix A. -* The polynomial coefficients in pk are assumed to -* lie in the invertal [0,q], i.e. pk must be reduced -* by PQCLEAN_KYBER76890S_AVX2_polyvec_reduce(). -* -* Arguments: uint8_t *r: pointer to the output serialized public key -* polyvec *pk: pointer to the input public-key polyvec -* const uint8_t *seed: pointer to the input public seed -**************************************************/ -static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], - polyvec *pk, - const uint8_t seed[KYBER_SYMBYTES]) { - size_t i; - PQCLEAN_KYBER76890S_AVX2_polyvec_tobytes(r, pk); - for (i = 0; i < KYBER_SYMBYTES; i++) { - r[i + KYBER_POLYVECBYTES] = seed[i]; - } -} - -/************************************************* -* Name: unpack_pk -* -* Description: De-serialize public key from a byte array; -* approximate inverse of pack_pk -* -* Arguments: - polyvec *pk: pointer to output public-key polynomial vector -* - uint8_t *seed: pointer to output seed to generate matrix A -* - const uint8_t *packedpk: pointer to input serialized public key -**************************************************/ -static void unpack_pk(polyvec *pk, - uint8_t seed[KYBER_SYMBYTES], - const uint8_t packedpk[KYBER_INDCPA_PUBLICKEYBYTES]) { - size_t i; - PQCLEAN_KYBER76890S_AVX2_polyvec_frombytes(pk, packedpk); - for (i = 0; i < KYBER_SYMBYTES; i++) { - seed[i] = packedpk[i + KYBER_POLYVECBYTES]; - } -} - -/************************************************* -* Name: pack_sk -* -* Description: Serialize the secret key. 
-* The polynomial coefficients in sk are assumed to -* lie in the invertal [0,q], i.e. sk must be reduced -* by PQCLEAN_KYBER76890S_AVX2_polyvec_reduce(). -* -* Arguments: - uint8_t *r: pointer to output serialized secret key -* - polyvec *sk: pointer to input vector of polynomials (secret key) -**************************************************/ -static void pack_sk(uint8_t r[KYBER_INDCPA_SECRETKEYBYTES], polyvec *sk) { - PQCLEAN_KYBER76890S_AVX2_polyvec_tobytes(r, sk); -} - -/************************************************* -* Name: unpack_sk -* -* Description: De-serialize the secret key; inverse of pack_sk -* -* Arguments: - polyvec *sk: pointer to output vector of polynomials (secret key) -* - const uint8_t *packedsk: pointer to input serialized secret key -**************************************************/ -static void unpack_sk(polyvec *sk, const uint8_t packedsk[KYBER_INDCPA_SECRETKEYBYTES]) { - PQCLEAN_KYBER76890S_AVX2_polyvec_frombytes(sk, packedsk); -} - -/************************************************* -* Name: pack_ciphertext -* -* Description: Serialize the ciphertext as concatenation of the -* compressed and serialized vector of polynomials b -* and the compressed and serialized polynomial v. -* The polynomial coefficients in b and v are assumed to -* lie in the invertal [0,q], i.e. b and v must be reduced -* by PQCLEAN_KYBER76890S_AVX2_polyvec_reduce() and PQCLEAN_KYBER76890S_AVX2_poly_reduce(), respectively. 
-* -* Arguments: uint8_t *r: pointer to the output serialized ciphertext -* poly *pk: pointer to the input vector of polynomials b -* poly *v: pointer to the input polynomial v -**************************************************/ -static void pack_ciphertext(uint8_t r[KYBER_INDCPA_BYTES], polyvec *b, poly *v) { - PQCLEAN_KYBER76890S_AVX2_polyvec_compress(r, b); - PQCLEAN_KYBER76890S_AVX2_poly_compress(r + KYBER_POLYVECCOMPRESSEDBYTES, v); -} - -/************************************************* -* Name: unpack_ciphertext -* -* Description: De-serialize and decompress ciphertext from a byte array; -* approximate inverse of pack_ciphertext -* -* Arguments: - polyvec *b: pointer to the output vector of polynomials b -* - poly *v: pointer to the output polynomial v -* - const uint8_t *c: pointer to the input serialized ciphertext -**************************************************/ -static void unpack_ciphertext(polyvec *b, poly *v, const uint8_t c[KYBER_INDCPA_BYTES]) { - PQCLEAN_KYBER76890S_AVX2_polyvec_decompress(b, c); - PQCLEAN_KYBER76890S_AVX2_poly_decompress(v, c + KYBER_POLYVECCOMPRESSEDBYTES); -} - -/************************************************* -* Name: rej_uniform -* -* Description: Run rejection sampling on uniform random bytes to generate -* uniform random integers mod q -* -* Arguments: - int16_t *r: pointer to output array -* - unsigned int len: requested number of 16-bit integers (uniform mod q) -* - const uint8_t *buf: pointer to input buffer (assumed to be uniformly random bytes) -* - unsigned int buflen: length of input buffer in bytes -* -* Returns number of sampled 16-bit integers (at most len) -**************************************************/ -static unsigned int rej_uniform(int16_t *r, - unsigned int len, - const uint8_t *buf, - unsigned int buflen) { - unsigned int ctr, pos; - uint16_t val0, val1; - - ctr = pos = 0; - while (ctr < len && pos + 3 <= buflen) { - val0 = ((buf[pos + 0] >> 0) | ((uint16_t)buf[pos + 1] << 8)) & 0xFFF; - val1 = 
((buf[pos + 1] >> 4) | ((uint16_t)buf[pos + 2] << 4)) & 0xFFF; - pos += 3; - - if (val0 < KYBER_Q) { - r[ctr++] = val0; - } - if (ctr < len && val1 < KYBER_Q) { - r[ctr++] = val1; - } - } - - return ctr; -} - -#define gen_a(A,B) PQCLEAN_KYBER76890S_AVX2_gen_matrix(A,B,0) -#define gen_at(A,B) PQCLEAN_KYBER76890S_AVX2_gen_matrix(A,B,1) - -/************************************************* -* Name: PQCLEAN_KYBER76890S_AVX2_gen_matrix -* -* Description: Deterministically generate matrix A (or the transpose of A) -* from a seed. Entries of the matrix are polynomials that look -* uniformly random. Performs rejection sampling on output of -* a XOF -* -* Arguments: - polyvec *a: pointer to ouptput matrix A -* - const uint8_t *seed: pointer to input seed -* - int transposed: boolean deciding whether A or A^T is generated -**************************************************/ -void PQCLEAN_KYBER76890S_AVX2_gen_matrix(polyvec *a, const uint8_t seed[32], int transposed) { - unsigned int ctr, i, j, k; - unsigned int buflen, off; - uint64_t nonce = 0; - ALIGNED_UINT8(REJ_UNIFORM_AVX_NBLOCKS * AES256CTR_BLOCKBYTES) buf; - aes256ctr_ctx state; - - PQCLEAN_KYBER76890S_AVX2_aes256ctr_init(&state, seed, 0); - - for (i = 0; i < KYBER_K; i++) { - for (j = 0; j < KYBER_K; j++) { - if (transposed) { - nonce = (j << 8) | i; - } else { - nonce = (i << 8) | j; - } - - state.n = _mm_loadl_epi64((__m128i *)&nonce); - PQCLEAN_KYBER76890S_AVX2_aes256ctr_squeezeblocks(buf.coeffs, REJ_UNIFORM_AVX_NBLOCKS, &state); - buflen = REJ_UNIFORM_AVX_NBLOCKS * AES256CTR_BLOCKBYTES; - ctr = PQCLEAN_KYBER76890S_AVX2_rej_uniform_avx(a[i].vec[j].coeffs, buf.coeffs); - - while (ctr < KYBER_N) { - off = buflen % 3; - for (k = 0; k < off; k++) { - buf.coeffs[k] = buf.coeffs[buflen - off + k]; - } - PQCLEAN_KYBER76890S_AVX2_aes256ctr_squeezeblocks(buf.coeffs + off, 1, &state); - buflen = off + AES256CTR_BLOCKBYTES; - ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf.coeffs, buflen); - } - - 
PQCLEAN_KYBER76890S_AVX2_poly_nttunpack(&a[i].vec[j]); - } - } -} - -/************************************************* -* Name: PQCLEAN_KYBER76890S_AVX2_indcpa_keypair -* -* Description: Generates public and private key for the CPA-secure -* public-key encryption scheme underlying Kyber -* -* Arguments: - uint8_t *pk: pointer to output public key -* (of length KYBER_INDCPA_PUBLICKEYBYTES bytes) -* - uint8_t *sk: pointer to output private key - (of length KYBER_INDCPA_SECRETKEYBYTES bytes) -**************************************************/ -void PQCLEAN_KYBER76890S_AVX2_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], - uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) { - unsigned int i; - uint8_t buf[2 * KYBER_SYMBYTES]; - const uint8_t *publicseed = buf; - const uint8_t *noiseseed = buf + KYBER_SYMBYTES; - polyvec a[KYBER_K], e, pkpv, skpv; - - randombytes(buf, KYBER_SYMBYTES); - hash_g(buf, buf, KYBER_SYMBYTES); - - gen_a(a, publicseed); - -#define NOISE_NBLOCKS ((KYBER_ETA1*KYBER_N/4)/AES256CTR_BLOCKBYTES) /* Assumes divisibility */ - uint64_t nonce = 0; - ALIGNED_UINT8(NOISE_NBLOCKS * AES256CTR_BLOCKBYTES + 32) coins; // +32 bytes as required by PQCLEAN_KYBER76890S_AVX2_poly_cbd_eta1 - aes256ctr_ctx state; - PQCLEAN_KYBER76890S_AVX2_aes256ctr_init(&state, noiseseed, nonce++); - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER76890S_AVX2_aes256ctr_squeezeblocks(coins.coeffs, NOISE_NBLOCKS, &state); - state.n = _mm_loadl_epi64((__m128i *)&nonce); - nonce += 1; - PQCLEAN_KYBER76890S_AVX2_poly_cbd_eta1(&skpv.vec[i], coins.vec); - } - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER76890S_AVX2_aes256ctr_squeezeblocks(coins.coeffs, NOISE_NBLOCKS, &state); - state.n = _mm_loadl_epi64((__m128i *)&nonce); - nonce += 1; - PQCLEAN_KYBER76890S_AVX2_poly_cbd_eta1(&e.vec[i], coins.vec); - } - - PQCLEAN_KYBER76890S_AVX2_polyvec_ntt(&skpv); - PQCLEAN_KYBER76890S_AVX2_polyvec_reduce(&skpv); - PQCLEAN_KYBER76890S_AVX2_polyvec_ntt(&e); - - // matrix-vector multiplication - for (i 
= 0; i < KYBER_K; i++) { - PQCLEAN_KYBER76890S_AVX2_polyvec_basemul_acc_montgomery(&pkpv.vec[i], &a[i], &skpv); - PQCLEAN_KYBER76890S_AVX2_poly_tomont(&pkpv.vec[i]); - } - - PQCLEAN_KYBER76890S_AVX2_polyvec_add(&pkpv, &pkpv, &e); - PQCLEAN_KYBER76890S_AVX2_polyvec_reduce(&pkpv); - - pack_sk(sk, &skpv); - pack_pk(pk, &pkpv, publicseed); -} - -/************************************************* -* Name: PQCLEAN_KYBER76890S_AVX2_indcpa_enc -* -* Description: Encryption function of the CPA-secure -* public-key encryption scheme underlying Kyber. -* -* Arguments: - uint8_t *c: pointer to output ciphertext -* (of length KYBER_INDCPA_BYTES bytes) -* - const uint8_t *m: pointer to input message -* (of length KYBER_INDCPA_MSGBYTES bytes) -* - const uint8_t *pk: pointer to input public key -* (of length KYBER_INDCPA_PUBLICKEYBYTES) -* - const uint8_t *coins: pointer to input random coins used as seed -* (of length KYBER_SYMBYTES) to deterministically -* generate all randomness -**************************************************/ -void PQCLEAN_KYBER76890S_AVX2_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], - const uint8_t m[KYBER_INDCPA_MSGBYTES], - const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], - const uint8_t coins[KYBER_SYMBYTES]) { - unsigned int i; - uint8_t seed[KYBER_SYMBYTES]; - polyvec sp, pkpv, ep, at[KYBER_K], b; - poly v, k, epp; - - unpack_pk(&pkpv, seed, pk); - PQCLEAN_KYBER76890S_AVX2_poly_frommsg(&k, m); - gen_at(at, seed); - -#define NOISE_NBLOCKS ((KYBER_ETA1*KYBER_N/4)/AES256CTR_BLOCKBYTES) /* Assumes divisibility */ -#define CIPHERTEXTNOISE_NBLOCKS ((KYBER_ETA2*KYBER_N/4)/AES256CTR_BLOCKBYTES) /* Assumes divisibility */ - uint64_t nonce = 0; - ALIGNED_UINT8(NOISE_NBLOCKS * AES256CTR_BLOCKBYTES + 32) buf; /* +32 bytes as required by PQCLEAN_KYBER76890S_AVX2_poly_cbd_eta1 */ - aes256ctr_ctx state; - PQCLEAN_KYBER76890S_AVX2_aes256ctr_init(&state, coins, nonce++); - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER76890S_AVX2_aes256ctr_squeezeblocks(buf.coeffs, 
NOISE_NBLOCKS, &state); - state.n = _mm_loadl_epi64((__m128i *)&nonce); - nonce += 1; - PQCLEAN_KYBER76890S_AVX2_poly_cbd_eta1(&sp.vec[i], buf.vec); - } - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER76890S_AVX2_aes256ctr_squeezeblocks(buf.coeffs, CIPHERTEXTNOISE_NBLOCKS, &state); - state.n = _mm_loadl_epi64((__m128i *)&nonce); - nonce += 1; - PQCLEAN_KYBER76890S_AVX2_poly_cbd_eta2(&ep.vec[i], buf.vec); - } - PQCLEAN_KYBER76890S_AVX2_aes256ctr_squeezeblocks(buf.coeffs, CIPHERTEXTNOISE_NBLOCKS, &state); - state.n = _mm_loadl_epi64((__m128i *)&nonce); - nonce += 1; - PQCLEAN_KYBER76890S_AVX2_poly_cbd_eta2(&epp, buf.vec); - - PQCLEAN_KYBER76890S_AVX2_polyvec_ntt(&sp); - - // matrix-vector multiplication - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER76890S_AVX2_polyvec_basemul_acc_montgomery(&b.vec[i], &at[i], &sp); - } - PQCLEAN_KYBER76890S_AVX2_polyvec_basemul_acc_montgomery(&v, &pkpv, &sp); - - PQCLEAN_KYBER76890S_AVX2_polyvec_invntt_tomont(&b); - PQCLEAN_KYBER76890S_AVX2_poly_invntt_tomont(&v); - - PQCLEAN_KYBER76890S_AVX2_polyvec_add(&b, &b, &ep); - PQCLEAN_KYBER76890S_AVX2_poly_add(&v, &v, &epp); - PQCLEAN_KYBER76890S_AVX2_poly_add(&v, &v, &k); - PQCLEAN_KYBER76890S_AVX2_polyvec_reduce(&b); - PQCLEAN_KYBER76890S_AVX2_poly_reduce(&v); - - pack_ciphertext(c, &b, &v); -} - -/************************************************* -* Name: PQCLEAN_KYBER76890S_AVX2_indcpa_dec -* -* Description: Decryption function of the CPA-secure -* public-key encryption scheme underlying Kyber. 
-* -* Arguments: - uint8_t *m: pointer to output decrypted message -* (of length KYBER_INDCPA_MSGBYTES) -* - const uint8_t *c: pointer to input ciphertext -* (of length KYBER_INDCPA_BYTES) -* - const uint8_t *sk: pointer to input secret key -* (of length KYBER_INDCPA_SECRETKEYBYTES) -**************************************************/ -void PQCLEAN_KYBER76890S_AVX2_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], - const uint8_t c[KYBER_INDCPA_BYTES], - const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) { - polyvec b, skpv; - poly v, mp; - - unpack_ciphertext(&b, &v, c); - unpack_sk(&skpv, sk); - - PQCLEAN_KYBER76890S_AVX2_polyvec_ntt(&b); - PQCLEAN_KYBER76890S_AVX2_polyvec_basemul_acc_montgomery(&mp, &skpv, &b); - PQCLEAN_KYBER76890S_AVX2_poly_invntt_tomont(&mp); - - PQCLEAN_KYBER76890S_AVX2_poly_sub(&mp, &v, &mp); - PQCLEAN_KYBER76890S_AVX2_poly_reduce(&mp); - - PQCLEAN_KYBER76890S_AVX2_poly_tomsg(m, &mp); -} diff --git a/crypto_kem/kyber768-90s/avx2/indcpa.h b/crypto_kem/kyber768-90s/avx2/indcpa.h deleted file mode 100644 index 5f37f2ed..00000000 --- a/crypto_kem/kyber768-90s/avx2/indcpa.h +++ /dev/null @@ -1,20 +0,0 @@ -#ifndef PQCLEAN_KYBER76890S_AVX2_INDCPA_H -#define PQCLEAN_KYBER76890S_AVX2_INDCPA_H -#include "params.h" -#include "polyvec.h" -#include - -void PQCLEAN_KYBER76890S_AVX2_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed); -void PQCLEAN_KYBER76890S_AVX2_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], - uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); - -void PQCLEAN_KYBER76890S_AVX2_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], - const uint8_t m[KYBER_INDCPA_MSGBYTES], - const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], - const uint8_t coins[KYBER_SYMBYTES]); - -void PQCLEAN_KYBER76890S_AVX2_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], - const uint8_t c[KYBER_INDCPA_BYTES], - const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]); - -#endif 
diff --git a/crypto_kem/kyber768-90s/avx2/invntt.S b/crypto_kem/kyber768-90s/avx2/invntt.S
deleted file mode 100644
index 53e2d8dd..00000000
--- a/crypto_kem/kyber768-90s/avx2/invntt.S
+++ /dev/null
@@ -1,195 +0,0 @@
-#include "cdecl.h"
-.include "shuffle.inc"
-.include "fq.inc"
-
-.macro butterfly rl0,rl1,rl2,rl3,rh0,rh1,rh2,rh3,zl0=2,zl1=2,zh0=3,zh1=3
-vpsubw %ymm\rl0,%ymm\rh0,%ymm12
-vpaddw %ymm\rh0,%ymm\rl0,%ymm\rl0
-vpsubw %ymm\rl1,%ymm\rh1,%ymm13
-
-vpmullw %ymm\zl0,%ymm12,%ymm\rh0
-vpaddw %ymm\rh1,%ymm\rl1,%ymm\rl1
-vpsubw %ymm\rl2,%ymm\rh2,%ymm14
-
-vpmullw %ymm\zl0,%ymm13,%ymm\rh1
-vpaddw %ymm\rh2,%ymm\rl2,%ymm\rl2
-vpsubw %ymm\rl3,%ymm\rh3,%ymm15
-
-vpmullw %ymm\zl1,%ymm14,%ymm\rh2
-vpaddw %ymm\rh3,%ymm\rl3,%ymm\rl3
-vpmullw %ymm\zl1,%ymm15,%ymm\rh3
-
-vpmulhw %ymm\zh0,%ymm12,%ymm12
-vpmulhw %ymm\zh0,%ymm13,%ymm13
-
-vpmulhw %ymm\zh1,%ymm14,%ymm14
-vpmulhw %ymm\zh1,%ymm15,%ymm15
-
-vpmulhw %ymm0,%ymm\rh0,%ymm\rh0
-
-vpmulhw %ymm0,%ymm\rh1,%ymm\rh1
-
-vpmulhw %ymm0,%ymm\rh2,%ymm\rh2
-vpmulhw %ymm0,%ymm\rh3,%ymm\rh3
-
-#
-
-#
-
-vpsubw %ymm\rh0,%ymm12,%ymm\rh0
-
-vpsubw %ymm\rh1,%ymm13,%ymm\rh1
-
-vpsubw %ymm\rh2,%ymm14,%ymm\rh2
-vpsubw %ymm\rh3,%ymm15,%ymm\rh3
-.endm
-
-.macro intt_levels0t5 off
-/* level 0 */
-vmovdqa _16XFLO*2(%rsi),%ymm2
-vmovdqa _16XFHI*2(%rsi),%ymm3
-
-vmovdqa (128*\off+ 0)*2(%rdi),%ymm4
-vmovdqa (128*\off+ 32)*2(%rdi),%ymm6
-vmovdqa (128*\off+ 16)*2(%rdi),%ymm5
-vmovdqa (128*\off+ 48)*2(%rdi),%ymm7
-
-fqmulprecomp 2,3,4
-fqmulprecomp 2,3,6
-fqmulprecomp 2,3,5
-fqmulprecomp 2,3,7
-
-vmovdqa (128*\off+ 64)*2(%rdi),%ymm8
-vmovdqa (128*\off+ 96)*2(%rdi),%ymm10
-vmovdqa (128*\off+ 80)*2(%rdi),%ymm9
-vmovdqa (128*\off+112)*2(%rdi),%ymm11
-
-fqmulprecomp 2,3,8
-fqmulprecomp 2,3,10
-fqmulprecomp 2,3,9
-fqmulprecomp 2,3,11
-
-vpermq $0x4E,(_ZETAS_EXP+(1-\off)*224+208)*2(%rsi),%ymm15
-vpermq $0x4E,(_ZETAS_EXP+(1-\off)*224+176)*2(%rsi),%ymm1
-vpermq $0x4E,(_ZETAS_EXP+(1-\off)*224+224)*2(%rsi),%ymm2
-vpermq $0x4E,(_ZETAS_EXP+(1-\off)*224+192)*2(%rsi),%ymm3
-vmovdqa _REVIDXB*2(%rsi),%ymm12
-vpshufb %ymm12,%ymm15,%ymm15
-vpshufb %ymm12,%ymm1,%ymm1
-vpshufb %ymm12,%ymm2,%ymm2
-vpshufb %ymm12,%ymm3,%ymm3
-
-butterfly 4,5,8,9,6,7,10,11,15,1,2,3
-
-/* level 1 */
-vpermq $0x4E,(_ZETAS_EXP+(1-\off)*224+144)*2(%rsi),%ymm2
-vpermq $0x4E,(_ZETAS_EXP+(1-\off)*224+160)*2(%rsi),%ymm3
-vmovdqa _REVIDXB*2(%rsi),%ymm1
-vpshufb %ymm1,%ymm2,%ymm2
-vpshufb %ymm1,%ymm3,%ymm3
-
-butterfly 4,5,6,7,8,9,10,11,2,2,3,3
-
-shuffle1 4,5,3,5
-shuffle1 6,7,4,7
-shuffle1 8,9,6,9
-shuffle1 10,11,8,11
-
-/* level 2 */
-vmovdqa _REVIDXD*2(%rsi),%ymm12
-vpermd (_ZETAS_EXP+(1-\off)*224+112)*2(%rsi),%ymm12,%ymm2
-vpermd (_ZETAS_EXP+(1-\off)*224+128)*2(%rsi),%ymm12,%ymm10
-
-butterfly 3,4,6,8,5,7,9,11,2,2,10,10
-
-vmovdqa _16XV*2(%rsi),%ymm1
-red16 3
-
-shuffle2 3,4,10,4
-shuffle2 6,8,3,8
-shuffle2 5,7,6,7
-shuffle2 9,11,5,11
-
-/* level 3 */
-vpermq $0x1B,(_ZETAS_EXP+(1-\off)*224+80)*2(%rsi),%ymm2
-vpermq $0x1B,(_ZETAS_EXP+(1-\off)*224+96)*2(%rsi),%ymm9
-
-butterfly 10,3,6,5,4,8,7,11,2,2,9,9
-
-shuffle4 10,3,9,3
-shuffle4 6,5,10,5
-shuffle4 4,8,6,8
-shuffle4 7,11,4,11
-
-/* level 4 */
-vpermq $0x4E,(_ZETAS_EXP+(1-\off)*224+48)*2(%rsi),%ymm2
-vpermq $0x4E,(_ZETAS_EXP+(1-\off)*224+64)*2(%rsi),%ymm7
-
-butterfly 9,10,6,4,3,5,8,11,2,2,7,7
-
-red16 9
-
-shuffle8 9,10,7,10
-shuffle8 6,4,9,4
-shuffle8 3,5,6,5
-shuffle8 8,11,3,11
-
-/* level5 */
-vmovdqa (_ZETAS_EXP+(1-\off)*224+16)*2(%rsi),%ymm2
-vmovdqa (_ZETAS_EXP+(1-\off)*224+32)*2(%rsi),%ymm8
-
-butterfly 7,9,6,3,10,4,5,11,2,2,8,8
-
-vmovdqa %ymm7,(128*\off+ 0)*2(%rdi)
-vmovdqa %ymm9,(128*\off+ 16)*2(%rdi)
-vmovdqa %ymm6,(128*\off+ 32)*2(%rdi)
-vmovdqa %ymm3,(128*\off+ 48)*2(%rdi)
-vmovdqa %ymm10,(128*\off+ 64)*2(%rdi)
-vmovdqa %ymm4,(128*\off+ 80)*2(%rdi)
-vmovdqa %ymm5,(128*\off+ 96)*2(%rdi)
-vmovdqa %ymm11,(128*\off+112)*2(%rdi)
-.endm
-
-.macro intt_level6 off
-/* level 6 */
-vmovdqa (64*\off+ 0)*2(%rdi),%ymm4
-vmovdqa (64*\off+128)*2(%rdi),%ymm8
-vmovdqa (64*\off+ 16)*2(%rdi),%ymm5
-vmovdqa (64*\off+144)*2(%rdi),%ymm9
-vpbroadcastq (_ZETAS_EXP+0)*2(%rsi),%ymm2
-
-vmovdqa (64*\off+ 32)*2(%rdi),%ymm6
-vmovdqa (64*\off+160)*2(%rdi),%ymm10
-vmovdqa (64*\off+ 48)*2(%rdi),%ymm7
-vmovdqa (64*\off+176)*2(%rdi),%ymm11
-vpbroadcastq (_ZETAS_EXP+4)*2(%rsi),%ymm3
-
-butterfly 4,5,6,7,8,9,10,11
-
-.if \off == 0
-red16 4
-.endif
-
-vmovdqa %ymm4,(64*\off+ 0)*2(%rdi)
-vmovdqa %ymm5,(64*\off+ 16)*2(%rdi)
-vmovdqa %ymm6,(64*\off+ 32)*2(%rdi)
-vmovdqa %ymm7,(64*\off+ 48)*2(%rdi)
-vmovdqa %ymm8,(64*\off+128)*2(%rdi)
-vmovdqa %ymm9,(64*\off+144)*2(%rdi)
-vmovdqa %ymm10,(64*\off+160)*2(%rdi)
-vmovdqa %ymm11,(64*\off+176)*2(%rdi)
-.endm
-
-.text
-.global cdecl(PQCLEAN_KYBER76890S_AVX2_invntt_avx)
-.global _cdecl(PQCLEAN_KYBER76890S_AVX2_invntt_avx)
-cdecl(PQCLEAN_KYBER76890S_AVX2_invntt_avx):
-_cdecl(PQCLEAN_KYBER76890S_AVX2_invntt_avx):
-vmovdqa _16XQ*2(%rsi),%ymm0
-
-intt_levels0t5 0
-intt_levels0t5 1
-
-intt_level6 0
-intt_level6 1
-ret
diff --git a/crypto_kem/kyber768-90s/avx2/kem.c b/crypto_kem/kyber768-90s/avx2/kem.c
deleted file mode 100644
index 460ccbbb..00000000
--- a/crypto_kem/kyber768-90s/avx2/kem.c
+++ /dev/null
@@ -1,126 +0,0 @@ -#include "indcpa.h" -#include "kem.h" -#include "params.h" -#include "randombytes.h" -#include "symmetric.h" -#include "verify.h" -#include -#include - -/************************************************* -* Name: PQCLEAN_KYBER76890S_AVX2_crypto_kem_keypair -* -* Description: Generates public and private key -* for CCA-secure Kyber key encapsulation mechanism -* -* Arguments: - unsigned char *pk: pointer to output public key -* (an already allocated array of KYBER_PUBLICKEYBYTES bytes) -* - unsigned char *sk: pointer to output private key -* (an already allocated array of KYBER_SECRETKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_KYBER76890S_AVX2_crypto_kem_keypair(unsigned char pk[KYBER_PUBLICKEYBYTES], - unsigned char sk[KYBER_SECRETKEYBYTES]) { - size_t i; - PQCLEAN_KYBER76890S_AVX2_indcpa_keypair(pk, sk); - for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) { - sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i]; - } - hash_h(sk + KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); - /* Value z for pseudo-random output on reject */ - randombytes(sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES); - return 0; -} - -/************************************************* -* Name: PQCLEAN_KYBER76890S_AVX2_crypto_kem_enc -* -* Description: Generates cipher text and shared -* secret for given public key -* -* Arguments: - unsigned char *ct: pointer to output cipher text -* (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) -* - unsigned char *ss: pointer to output shared secret -* (an already allocated array of KYBER_SSBYTES bytes) -* - const unsigned char *pk: pointer to input public key -* (an already allocated array of KYBER_PUBLICKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_KYBER76890S_AVX2_crypto_kem_enc(unsigned char ct[KYBER_CIPHERTEXTBYTES], - unsigned char ss[KYBER_SSBYTES], - const unsigned char 
pk[KYBER_PUBLICKEYBYTES]) { - uint8_t buf[2 * KYBER_SYMBYTES]; - /* Will contain key, coins */ - uint8_t kr[2 * KYBER_SYMBYTES]; - - randombytes(buf, KYBER_SYMBYTES); - /* Don't release system RNG output */ - hash_h(buf, buf, KYBER_SYMBYTES); - - /* Multitarget countermeasure for coins + contributory KEM */ - hash_h(buf + KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); - hash_g(kr, buf, 2 * KYBER_SYMBYTES); - - /* coins are in kr+KYBER_SYMBYTES */ - PQCLEAN_KYBER76890S_AVX2_indcpa_enc(ct, buf, pk, kr + KYBER_SYMBYTES); - - /* overwrite coins in kr with H(c) */ - hash_h(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); - /* hash concatenation of pre-k and H(c) to k */ - kdf(ss, kr, 2 * KYBER_SYMBYTES); - return 0; -} - -/************************************************* -* Name: PQCLEAN_KYBER76890S_AVX2_crypto_kem_dec -* -* Description: Generates shared secret for given -* cipher text and private key -* -* Arguments: - unsigned char *ss: pointer to output shared secret -* (an already allocated array of KYBER_SSBYTES bytes) -* - const unsigned char *ct: pointer to input cipher text -* (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) -* - const unsigned char *sk: pointer to input private key -* (an already allocated array of KYBER_SECRETKEYBYTES bytes) -* -* Returns 0. -* -* On failure, ss will contain a pseudo-random value. 
-**************************************************/ -int PQCLEAN_KYBER76890S_AVX2_crypto_kem_dec(unsigned char ss[KYBER_SSBYTES], - const unsigned char ct[KYBER_CIPHERTEXTBYTES], - const unsigned char sk[KYBER_SECRETKEYBYTES]) { - size_t i; - int fail; - uint8_t buf[2 * KYBER_SYMBYTES]; - /* Will contain key, coins */ - uint8_t kr[2 * KYBER_SYMBYTES]; - ALIGNED_UINT8(KYBER_CIPHERTEXTBYTES) cmp; - const uint8_t *pk = sk + KYBER_INDCPA_SECRETKEYBYTES; - - PQCLEAN_KYBER76890S_AVX2_indcpa_dec(buf, ct, sk); - - /* Multitarget countermeasure for coins + contributory KEM */ - for (i = 0; i < KYBER_SYMBYTES; i++) { - buf[KYBER_SYMBYTES + i] = sk[KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES + i]; - } - hash_g(kr, buf, 2 * KYBER_SYMBYTES); - - /* coins are in kr+KYBER_SYMBYTES */ - PQCLEAN_KYBER76890S_AVX2_indcpa_enc(cmp.coeffs, buf, pk, kr + KYBER_SYMBYTES); - - fail = PQCLEAN_KYBER76890S_AVX2_verify(ct, cmp.coeffs, KYBER_CIPHERTEXTBYTES); - - /* overwrite coins in kr with H(c) */ - hash_h(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); - - /* Overwrite pre-k with z on re-encryption failure */ - PQCLEAN_KYBER76890S_AVX2_cmov(kr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, fail); - - /* hash concatenation of pre-k and H(c) to k */ - kdf(ss, kr, 2 * KYBER_SYMBYTES); - return 0; -} diff --git a/crypto_kem/kyber768-90s/avx2/kem.h b/crypto_kem/kyber768-90s/avx2/kem.h deleted file mode 100644 index 0bc9cf68..00000000 --- a/crypto_kem/kyber768-90s/avx2/kem.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef PQCLEAN_KYBER76890S_AVX2_KEM_H -#define PQCLEAN_KYBER76890S_AVX2_KEM_H -#include "params.h" - - -int PQCLEAN_KYBER76890S_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk); - -int PQCLEAN_KYBER76890S_AVX2_crypto_kem_enc(unsigned char *ct, - unsigned char *ss, - const unsigned char *pk); - -int PQCLEAN_KYBER76890S_AVX2_crypto_kem_dec(unsigned char *ss, - const unsigned char *ct, - const unsigned char *sk); - -#endif 
diff --git a/crypto_kem/kyber768-90s/avx2/ntt.S b/crypto_kem/kyber768-90s/avx2/ntt.S
deleted file mode 100644
index 41a54aa9..00000000
--- a/crypto_kem/kyber768-90s/avx2/ntt.S
+++ /dev/null
@@ -1,191 +0,0 @@
-#include "cdecl.h"
-.include "shuffle.inc"
-
-.macro mul rh0,rh1,rh2,rh3,zl0=15,zl1=15,zh0=2,zh1=2
-vpmullw %ymm\zl0,%ymm\rh0,%ymm12
-vpmullw %ymm\zl0,%ymm\rh1,%ymm13
-
-vpmullw %ymm\zl1,%ymm\rh2,%ymm14
-vpmullw %ymm\zl1,%ymm\rh3,%ymm15
-
-vpmulhw %ymm\zh0,%ymm\rh0,%ymm\rh0
-vpmulhw %ymm\zh0,%ymm\rh1,%ymm\rh1
-
-vpmulhw %ymm\zh1,%ymm\rh2,%ymm\rh2
-vpmulhw %ymm\zh1,%ymm\rh3,%ymm\rh3
-.endm
-
-.macro reduce
-vpmulhw %ymm0,%ymm12,%ymm12
-vpmulhw %ymm0,%ymm13,%ymm13
-
-vpmulhw %ymm0,%ymm14,%ymm14
-vpmulhw %ymm0,%ymm15,%ymm15
-.endm
-
-.macro update rln,rl0,rl1,rl2,rl3,rh0,rh1,rh2,rh3
-vpaddw %ymm\rh0,%ymm\rl0,%ymm\rln
-vpsubw %ymm\rh0,%ymm\rl0,%ymm\rh0
-vpaddw %ymm\rh1,%ymm\rl1,%ymm\rl0
-
-vpsubw %ymm\rh1,%ymm\rl1,%ymm\rh1
-vpaddw %ymm\rh2,%ymm\rl2,%ymm\rl1
-vpsubw %ymm\rh2,%ymm\rl2,%ymm\rh2
-
-vpaddw %ymm\rh3,%ymm\rl3,%ymm\rl2
-vpsubw %ymm\rh3,%ymm\rl3,%ymm\rh3
-
-vpsubw %ymm12,%ymm\rln,%ymm\rln
-vpaddw %ymm12,%ymm\rh0,%ymm\rh0
-vpsubw %ymm13,%ymm\rl0,%ymm\rl0
-
-vpaddw %ymm13,%ymm\rh1,%ymm\rh1
-vpsubw %ymm14,%ymm\rl1,%ymm\rl1
-vpaddw %ymm14,%ymm\rh2,%ymm\rh2
-
-vpsubw %ymm15,%ymm\rl2,%ymm\rl2
-vpaddw %ymm15,%ymm\rh3,%ymm\rh3
-.endm
-
-.macro level0 off
-vpbroadcastq (_ZETAS_EXP+0)*2(%rsi),%ymm15
-vmovdqa (64*\off+128)*2(%rdi),%ymm8
-vmovdqa (64*\off+144)*2(%rdi),%ymm9
-vmovdqa (64*\off+160)*2(%rdi),%ymm10
-vmovdqa (64*\off+176)*2(%rdi),%ymm11
-vpbroadcastq (_ZETAS_EXP+4)*2(%rsi),%ymm2
-
-mul 8,9,10,11
-
-vmovdqa (64*\off+ 0)*2(%rdi),%ymm4
-vmovdqa (64*\off+ 16)*2(%rdi),%ymm5
-vmovdqa (64*\off+ 32)*2(%rdi),%ymm6
-vmovdqa (64*\off+ 48)*2(%rdi),%ymm7
-
-reduce
-update 3,4,5,6,7,8,9,10,11
-
-vmovdqa %ymm3,(64*\off+ 0)*2(%rdi)
-vmovdqa %ymm4,(64*\off+ 16)*2(%rdi)
-vmovdqa %ymm5,(64*\off+ 32)*2(%rdi)
-vmovdqa %ymm6,(64*\off+ 48)*2(%rdi)
-vmovdqa %ymm8,(64*\off+128)*2(%rdi)
-vmovdqa %ymm9,(64*\off+144)*2(%rdi)
-vmovdqa %ymm10,(64*\off+160)*2(%rdi)
-vmovdqa %ymm11,(64*\off+176)*2(%rdi)
-.endm
-
-.macro levels1t6 off
-/* level 1 */
-vmovdqa (_ZETAS_EXP+224*\off+16)*2(%rsi),%ymm15
-vmovdqa (128*\off+ 64)*2(%rdi),%ymm8
-vmovdqa (128*\off+ 80)*2(%rdi),%ymm9
-vmovdqa (128*\off+ 96)*2(%rdi),%ymm10
-vmovdqa (128*\off+112)*2(%rdi),%ymm11
-vmovdqa (_ZETAS_EXP+224*\off+32)*2(%rsi),%ymm2
-
-mul 8,9,10,11
-
-vmovdqa (128*\off+ 0)*2(%rdi),%ymm4
-vmovdqa (128*\off+ 16)*2(%rdi),%ymm5
-vmovdqa (128*\off+ 32)*2(%rdi),%ymm6
-vmovdqa (128*\off+ 48)*2(%rdi),%ymm7
-
-reduce
-update 3,4,5,6,7,8,9,10,11
-
-/* level 2 */
-shuffle8 5,10,7,10
-shuffle8 6,11,5,11
-
-vmovdqa (_ZETAS_EXP+224*\off+48)*2(%rsi),%ymm15
-vmovdqa (_ZETAS_EXP+224*\off+64)*2(%rsi),%ymm2
-
-mul 7,10,5,11
-
-shuffle8 3,8,6,8
-shuffle8 4,9,3,9
-
-reduce
-update 4,6,8,3,9,7,10,5,11
-
-/* level 3 */
-shuffle4 8,5,9,5
-shuffle4 3,11,8,11
-
-vmovdqa (_ZETAS_EXP+224*\off+80)*2(%rsi),%ymm15
-vmovdqa (_ZETAS_EXP+224*\off+96)*2(%rsi),%ymm2
-
-mul 9,5,8,11
-
-shuffle4 4,7,3,7
-shuffle4 6,10,4,10
-
-reduce
-update 6,3,7,4,10,9,5,8,11
-
-/* level 4 */
-shuffle2 7,8,10,8
-shuffle2 4,11,7,11
-
-vmovdqa (_ZETAS_EXP+224*\off+112)*2(%rsi),%ymm15
-vmovdqa (_ZETAS_EXP+224*\off+128)*2(%rsi),%ymm2
-
-mul 10,8,7,11
-
-shuffle2 6,9,4,9
-shuffle2 3,5,6,5
-
-reduce
-update 3,4,9,6,5,10,8,7,11
-
-/* level 5 */
-shuffle1 9,7,5,7
-shuffle1 6,11,9,11
-
-vmovdqa (_ZETAS_EXP+224*\off+144)*2(%rsi),%ymm15
-vmovdqa (_ZETAS_EXP+224*\off+160)*2(%rsi),%ymm2
-
-mul 5,7,9,11
-
-shuffle1 3,10,6,10
-shuffle1 4,8,3,8
-
-reduce
-update 4,6,10,3,8,5,7,9,11
-
-/* level 6 */
-vmovdqa (_ZETAS_EXP+224*\off+176)*2(%rsi),%ymm14
-vmovdqa (_ZETAS_EXP+224*\off+208)*2(%rsi),%ymm15
-vmovdqa (_ZETAS_EXP+224*\off+192)*2(%rsi),%ymm8
-vmovdqa (_ZETAS_EXP+224*\off+224)*2(%rsi),%ymm2
-
-mul 10,3,9,11,14,15,8,2
-
-reduce
-update 8,4,6,5,7,10,3,9,11
-
-vmovdqa %ymm8,(128*\off+ 0)*2(%rdi)
-vmovdqa %ymm4,(128*\off+ 16)*2(%rdi)
-vmovdqa %ymm10,(128*\off+ 32)*2(%rdi)
-vmovdqa %ymm3,(128*\off+ 48)*2(%rdi)
-vmovdqa %ymm6,(128*\off+ 64)*2(%rdi)
-vmovdqa %ymm5,(128*\off+ 80)*2(%rdi)
-vmovdqa %ymm9,(128*\off+ 96)*2(%rdi)
-vmovdqa %ymm11,(128*\off+112)*2(%rdi)
-.endm
-
-.text
-.global cdecl(PQCLEAN_KYBER76890S_AVX2_ntt_avx)
-.global _cdecl(PQCLEAN_KYBER76890S_AVX2_ntt_avx)
-cdecl(PQCLEAN_KYBER76890S_AVX2_ntt_avx):
-_cdecl(PQCLEAN_KYBER76890S_AVX2_ntt_avx):
-vmovdqa _16XQ*2(%rsi),%ymm0
-
-level0 0
-level0 1
-
-levels1t6 0
-levels1t6 1
-
-ret
diff --git a/crypto_kem/kyber768-90s/avx2/ntt.h b/crypto_kem/kyber768-90s/avx2/ntt.h
deleted file mode 100644
index 291d5b0a..00000000
--- a/crypto_kem/kyber768-90s/avx2/ntt.h
+++ /dev/null
@@ -1,21 +0,0 @@
-#ifndef PQCLEAN_KYBER76890S_AVX2_NTT_H
-#define PQCLEAN_KYBER76890S_AVX2_NTT_H
-
-#include
-#include
-
-void PQCLEAN_KYBER76890S_AVX2_ntt_avx(__m256i *r, const __m256i *PQCLEAN_KYBER76890S_AVX2_qdata);
-void PQCLEAN_KYBER76890S_AVX2_invntt_avx(__m256i *r, const __m256i *PQCLEAN_KYBER76890S_AVX2_qdata);
-
-void PQCLEAN_KYBER76890S_AVX2_nttpack_avx(__m256i *r, const __m256i *PQCLEAN_KYBER76890S_AVX2_qdata);
-void PQCLEAN_KYBER76890S_AVX2_nttunpack_avx(__m256i *r, const __m256i *PQCLEAN_KYBER76890S_AVX2_qdata);
-
-void PQCLEAN_KYBER76890S_AVX2_basemul_avx(__m256i *r,
- const __m256i *a,
- const __m256i *b,
- const __m256i *PQCLEAN_KYBER76890S_AVX2_qdata);
-
-void PQCLEAN_KYBER76890S_AVX2_ntttobytes_avx(uint8_t *r, const __m256i *a, const __m256i *PQCLEAN_KYBER76890S_AVX2_qdata);
-void PQCLEAN_KYBER76890S_AVX2_nttfrombytes_avx(__m256i *r, const uint8_t *a, const __m256i *PQCLEAN_KYBER76890S_AVX2_qdata);
-
-#endif
diff --git a/crypto_kem/kyber768-90s/avx2/params.h b/crypto_kem/kyber768-90s/avx2/params.h
deleted file mode 100644
index be92ce0c..00000000
--- a/crypto_kem/kyber768-90s/avx2/params.h
+++ /dev/null
@@ -1,36 +0,0 @@
-#ifndef PQCLEAN_KYBER76890S_AVX2_PARAMS_H
-#define PQCLEAN_KYBER76890S_AVX2_PARAMS_H
-
-
-
-
-#define KYBER_N 256
-#define KYBER_Q 3329
-
-#define KYBER_SYMBYTES 32 /* size in bytes of hashes, and seeds */
-#define KYBER_SSBYTES 32 /* size in bytes of shared key */
-
-#define KYBER_POLYBYTES 384
-#define KYBER_POLYVECBYTES (KYBER_K * KYBER_POLYBYTES)
-
-#define KYBER_K 3
-#define KYBER_ETA1 2
-#define KYBER_POLYCOMPRESSEDBYTES 128
-#define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 320)
-
-#define KYBER_ETA2 2
-
-#define KYBER_INDCPA_MSGBYTES KYBER_SYMBYTES
-#define KYBER_INDCPA_PUBLICKEYBYTES (KYBER_POLYVECBYTES + KYBER_SYMBYTES)
-#define KYBER_INDCPA_SECRETKEYBYTES (KYBER_POLYVECBYTES)
-#define KYBER_INDCPA_BYTES (KYBER_POLYVECCOMPRESSEDBYTES \
- + KYBER_POLYCOMPRESSEDBYTES)
-
-#define KYBER_PUBLICKEYBYTES (KYBER_INDCPA_PUBLICKEYBYTES)
-/* 32 bytes of additional space to save H(pk) */
-#define KYBER_SECRETKEYBYTES (KYBER_INDCPA_SECRETKEYBYTES \
- + KYBER_INDCPA_PUBLICKEYBYTES \
- + 2*KYBER_SYMBYTES)
-#define KYBER_CIPHERTEXTBYTES KYBER_INDCPA_BYTES
-
-#endif
diff --git a/crypto_kem/kyber768-90s/avx2/poly.c b/crypto_kem/kyber768-90s/avx2/poly.c
deleted file mode 100644
index edb305ca..00000000
--- a/crypto_kem/kyber768-90s/avx2/poly.c
+++ /dev/null
@@ -1,357 +0,0 @@
-#include "align.h"
-#include "cbd.h"
-#include "consts.h"
-#include "ntt.h"
-#include "params.h"
-#include "poly.h"
-#include "reduce.h"
-#include "symmetric.h"
-#include
-#include
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_AVX2_poly_compress
-*
-* Description: Compression and subsequent serialization of a polynomial.
-* The coefficients of the input polynomial are assumed to
-* lie in the invertal [0,q], i.e. the polynomial must be reduced
-* by PQCLEAN_KYBER76890S_AVX2_poly_reduce().
-*
-* Arguments: - uint8_t *r: pointer to output byte array
-* (of length KYBER_POLYCOMPRESSEDBYTES)
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void PQCLEAN_KYBER76890S_AVX2_poly_compress(uint8_t r[128], const poly *restrict a) {
- unsigned int i;
- __m256i f0, f1, f2, f3;
- const __m256i v = _mm256_load_si256(&PQCLEAN_KYBER76890S_AVX2_qdata.vec[_16XV / 16]);
- const __m256i shift1 = _mm256_set1_epi16(1 << 9);
- const __m256i mask = _mm256_set1_epi16(15);
- const __m256i shift2 = _mm256_set1_epi16((16 << 8) + 1);
- const __m256i permdidx = _mm256_set_epi32(7, 3, 6, 2, 5, 1, 4, 0);
-
- for (i = 0; i < KYBER_N / 64; i++) {
- f0 = _mm256_load_si256(&a->vec[4 * i + 0]);
- f1 = _mm256_load_si256(&a->vec[4 * i + 1]);
- f2 = _mm256_load_si256(&a->vec[4 * i + 2]);
- f3 = _mm256_load_si256(&a->vec[4 * i + 3]);
- f0 = _mm256_mulhi_epi16(f0, v);
- f1 = _mm256_mulhi_epi16(f1, v);
- f2 = _mm256_mulhi_epi16(f2, v);
- f3 = _mm256_mulhi_epi16(f3, v);
- f0 = _mm256_mulhrs_epi16(f0, shift1);
- f1 = _mm256_mulhrs_epi16(f1, shift1);
- f2 = _mm256_mulhrs_epi16(f2, shift1);
- f3 = _mm256_mulhrs_epi16(f3, shift1);
- f0 = _mm256_and_si256(f0, mask);
- f1 = _mm256_and_si256(f1, mask);
- f2 = _mm256_and_si256(f2, mask);
- f3 = _mm256_and_si256(f3, mask);
- f0 = _mm256_packus_epi16(f0, f1);
- f2 = _mm256_packus_epi16(f2, f3);
- f0 = _mm256_maddubs_epi16(f0, shift2);
- f2 = _mm256_maddubs_epi16(f2, shift2);
- f0 = _mm256_packus_epi16(f0, f2);
- f0 = _mm256_permutevar8x32_epi32(f0, permdidx);
- _mm256_storeu_si256((__m256i *)&r[32 * i], f0);
- }
-}
-
-void PQCLEAN_KYBER76890S_AVX2_poly_decompress(poly *restrict r, const uint8_t a[128]) {
- unsigned int i;
- __m128i t;
- __m256i f;
- const __m256i q = _mm256_load_si256(&PQCLEAN_KYBER76890S_AVX2_qdata.vec[_16XQ / 16]);
- const __m256i shufbidx = _mm256_set_epi8(7, 7, 7, 7, 6, 6, 6, 6, 5, 5, 5, 5, 4, 4, 4, 4,
- 3, 3, 3, 3, 2, 2, 2, 2, 1, 1, 1, 1, 0, 0, 0, 0);
- const __m256i mask = _mm256_set1_epi32(0x00F0000F);
- const __m256i shift = _mm256_set1_epi32((128 << 16) + 2048);
-
- for (i = 0; i < KYBER_N / 16; i++) {
- t = _mm_loadl_epi64((__m128i *)&a[8 * i]);
- f = _mm256_broadcastsi128_si256(t);
- f = _mm256_shuffle_epi8(f, shufbidx);
- f = _mm256_and_si256(f, mask);
- f = _mm256_mullo_epi16(f, shift);
- f = _mm256_mulhrs_epi16(f, q);
- _mm256_store_si256(&r->vec[i], f);
- }
-}
-
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_AVX2_poly_tobytes
-*
-* Description: Serialization of a polynomial in NTT representation.
-* The coefficients of the input polynomial are assumed to
-* lie in the invertal [0,q], i.e. the polynomial must be reduced
-* by PQCLEAN_KYBER76890S_AVX2_poly_reduce(). The coefficients are orderd as output by
-* PQCLEAN_KYBER76890S_AVX2_poly_ntt(); the serialized output coefficients are in bitreversed
-* order.
-*
-* Arguments: - uint8_t *r: pointer to output byte array
-* (needs space for KYBER_POLYBYTES bytes)
-* - poly *a: pointer to input polynomial
-**************************************************/
-void PQCLEAN_KYBER76890S_AVX2_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a) {
- PQCLEAN_KYBER76890S_AVX2_ntttobytes_avx(r, a->vec, PQCLEAN_KYBER76890S_AVX2_qdata.vec);
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_AVX2_poly_frombytes
-*
-* Description: De-serialization of a polynomial;
-* inverse of PQCLEAN_KYBER76890S_AVX2_poly_tobytes
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: pointer to input byte array
-* (of KYBER_POLYBYTES bytes)
-**************************************************/
-void PQCLEAN_KYBER76890S_AVX2_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]) {
- PQCLEAN_KYBER76890S_AVX2_nttfrombytes_avx(r->vec, a, PQCLEAN_KYBER76890S_AVX2_qdata.vec);
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_AVX2_poly_frommsg
-*
-* Description: Convert 32-byte message to polynomial
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *msg: pointer to input message
-**************************************************/
-void PQCLEAN_KYBER76890S_AVX2_poly_frommsg(poly *restrict r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]) {
- __m256i f, g0, g1, g2, g3, h0, h1, h2, h3;
- const __m256i shift = _mm256_broadcastsi128_si256(_mm_set_epi32(0, 1, 2, 3));
- const __m256i idx = _mm256_broadcastsi128_si256(_mm_set_epi8(15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0));
- const __m256i hqs = _mm256_set1_epi16((KYBER_Q + 1) / 2);
-
-#define FROMMSG64(i) \
- g3 = _mm256_shuffle_epi32(f,0x55*(i)); \
- g3 = _mm256_sllv_epi32(g3,shift); \
- g3 = _mm256_shuffle_epi8(g3,idx); \
- g0 = _mm256_slli_epi16(g3,12); \
- g1 = _mm256_slli_epi16(g3,8); \
- g2 = _mm256_slli_epi16(g3,4); \
- g0 = _mm256_srai_epi16(g0,15); \
- g1 = _mm256_srai_epi16(g1,15); \
- g2 = _mm256_srai_epi16(g2,15); \
- g3 = _mm256_srai_epi16(g3,15); \
- g0 = _mm256_and_si256(g0,hqs); /* 19 18 17 16 3 2 1 0 */ \
- g1 = _mm256_and_si256(g1,hqs); /* 23 22 21 20 7 6 5 4 */ \
- g2 = _mm256_and_si256(g2,hqs); /* 27 26 25 24 11 10 9 8 */ \
- g3 = _mm256_and_si256(g3,hqs); /* 31 30 29 28 15 14 13 12 */ \
- h0 = _mm256_unpacklo_epi64(g0,g1); \
- h2 = _mm256_unpackhi_epi64(g0,g1); \
- h1 = _mm256_unpacklo_epi64(g2,g3); \
- h3 = _mm256_unpackhi_epi64(g2,g3); \
- g0 = _mm256_permute2x128_si256(h0,h1,0x20); \
- g2 = _mm256_permute2x128_si256(h0,h1,0x31); \
- g1 = _mm256_permute2x128_si256(h2,h3,0x20); \
- g3 = _mm256_permute2x128_si256(h2,h3,0x31); \
- _mm256_store_si256(&r->vec[0+2*(i)+0],g0); \
- _mm256_store_si256(&r->vec[0+2*(i)+1],g1); \
- _mm256_store_si256(&r->vec[8+2*(i)+0],g2); \
- _mm256_store_si256(&r->vec[8+2*(i)+1],g3)
-
- f = _mm256_loadu_si256((__m256i *)msg);
- FROMMSG64(0);
- FROMMSG64(1);
- FROMMSG64(2);
- FROMMSG64(3);
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_AVX2_poly_tomsg
-*
-* Description: Convert polynomial to 32-byte message.
-* The coefficients of the input polynomial are assumed to
-* lie in the invertal [0,q], i.e. the polynomial must be reduced
-* by PQCLEAN_KYBER76890S_AVX2_poly_reduce().
-*
-* Arguments: - uint8_t *msg: pointer to output message
-* - poly *a: pointer to input polynomial
-**************************************************/
-void PQCLEAN_KYBER76890S_AVX2_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *restrict a) {
- unsigned int i;
- uint32_t small;
- __m256i f0, f1, g0, g1;
- const __m256i hq = _mm256_set1_epi16((KYBER_Q - 1) / 2);
- const __m256i hhq = _mm256_set1_epi16((KYBER_Q - 1) / 4);
-
- for (i = 0; i < KYBER_N / 32; i++) {
- f0 = _mm256_load_si256(&a->vec[2 * i + 0]);
- f1 = _mm256_load_si256(&a->vec[2 * i + 1]);
- f0 = _mm256_sub_epi16(hq, f0);
- f1 = _mm256_sub_epi16(hq, f1);
- g0 = _mm256_srai_epi16(f0, 15);
- g1 = _mm256_srai_epi16(f1, 15);
- f0 = _mm256_xor_si256(f0, g0);
- f1 = _mm256_xor_si256(f1, g1);
- f0 = _mm256_sub_epi16(f0, hhq);
- f1 = _mm256_sub_epi16(f1, hhq);
- f0 = _mm256_packs_epi16(f0, f1);
- small = _mm256_movemask_epi8(f0);
- msg[4 * i + 0] = small;
- msg[4 * i + 1] = small >> 16;
- msg[4 * i + 2] = small >> 8;
- msg[4 * i + 3] = small >> 24;
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_AVX2_poly_getnoise_eta1
-*
-* Description: Sample a polynomial deterministically from a seed and a nonce,
-* with output polynomial close to centered binomial distribution
-* with parameter KYBER_ETA1
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *seed: pointer to input seed
-* (of length KYBER_SYMBYTES bytes)
-* - uint8_t nonce: one-byte input nonce
-**************************************************/
-void PQCLEAN_KYBER76890S_AVX2_poly_getnoise_eta1(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce) {
- ALIGNED_UINT8(KYBER_ETA1 * KYBER_N / 4 + 32) buf; // +32 bytes as required by PQCLEAN_KYBER76890S_AVX2_poly_cbd_eta1
- prf(buf.coeffs, KYBER_ETA1 * KYBER_N / 4, seed, nonce);
- PQCLEAN_KYBER76890S_AVX2_poly_cbd_eta1(r, buf.vec);
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_AVX2_poly_getnoise_eta2
-*
-* Description: Sample a polynomial deterministically from a seed and a nonce,
-* with output polynomial close to centered binomial distribution
-* with parameter KYBER_ETA2
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *seed: pointer to input seed
-* (of length KYBER_SYMBYTES bytes)
-* - uint8_t nonce: one-byte input nonce
-**************************************************/
-void PQCLEAN_KYBER76890S_AVX2_poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce) {
- ALIGNED_UINT8(KYBER_ETA2 * KYBER_N / 4) buf;
- prf(buf.coeffs, KYBER_ETA2 * KYBER_N / 4, seed, nonce);
- PQCLEAN_KYBER76890S_AVX2_poly_cbd_eta2(r, buf.vec);
-}
-
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_AVX2_poly_ntt
-*
-* Description: Computes negacyclic number-theoretic transform (NTT) of
-* a polynomial in place.
-* Input coefficients assumed to be in normal order,
-* output coefficients are in special order that is natural
-* for the vectorization. Input coefficients are assumed to be
-* bounded by q in absolute value, output coefficients are bounded
-* by 16118 in absolute value.
-*
-* Arguments: - poly *r: pointer to in/output polynomial
-**************************************************/
-void PQCLEAN_KYBER76890S_AVX2_poly_ntt(poly *r) {
- PQCLEAN_KYBER76890S_AVX2_ntt_avx(r->vec, PQCLEAN_KYBER76890S_AVX2_qdata.vec);
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_AVX2_poly_invntt_tomont
-*
-* Description: Computes inverse of negacyclic number-theoretic transform (NTT)
-* of a polynomial in place;
-* Input coefficients assumed to be in special order from vectorized
-* forward ntt, output in normal order. Input coefficients can be
-* arbitrary 16-bit integers, output coefficients are bounded by 14870
-* in absolute value.
-*
-* Arguments: - poly *a: pointer to in/output polynomial
-**************************************************/
-void PQCLEAN_KYBER76890S_AVX2_poly_invntt_tomont(poly *r) {
- PQCLEAN_KYBER76890S_AVX2_invntt_avx(r->vec, PQCLEAN_KYBER76890S_AVX2_qdata.vec);
-}
-
-void PQCLEAN_KYBER76890S_AVX2_poly_nttunpack(poly *r) {
- PQCLEAN_KYBER76890S_AVX2_nttunpack_avx(r->vec, PQCLEAN_KYBER76890S_AVX2_qdata.vec);
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_AVX2_poly_basemul_montgomery
-*
-* Description: Multiplication of two polynomials in NTT domain.
-* One of the input polynomials needs to have coefficients
-* bounded by q, the other polynomial can have arbitrary
-* coefficients. Output coefficients are bounded by 6656.
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial
-**************************************************/
-void PQCLEAN_KYBER76890S_AVX2_poly_basemul_montgomery(poly *r, const poly *a, const poly *b) {
- PQCLEAN_KYBER76890S_AVX2_basemul_avx(r->vec, a->vec, b->vec, PQCLEAN_KYBER76890S_AVX2_qdata.vec);
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_AVX2_poly_tomont
-*
-* Description: Inplace conversion of all coefficients of a polynomial
-* from normal domain to Montgomery domain
-*
-* Arguments: - poly *r: pointer to input/output polynomial
-**************************************************/
-void PQCLEAN_KYBER76890S_AVX2_poly_tomont(poly *r) {
- PQCLEAN_KYBER76890S_AVX2_tomont_avx(r->vec, PQCLEAN_KYBER76890S_AVX2_qdata.vec);
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_AVX2_poly_reduce
-*
-* Description: Applies Barrett reduction to all coefficients of a polynomial
-* for details of the Barrett reduction see comments in reduce.c
-*
-* Arguments: - poly *r: pointer to input/output polynomial
-**************************************************/
-void PQCLEAN_KYBER76890S_AVX2_poly_reduce(poly *r) {
- PQCLEAN_KYBER76890S_AVX2_reduce_avx(r->vec, PQCLEAN_KYBER76890S_AVX2_qdata.vec);
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_AVX2_poly_add
-*
-* Description: Add two polynomials. No modular reduction
-* is performed.
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial
-**************************************************/
-void PQCLEAN_KYBER76890S_AVX2_poly_add(poly *r, const poly *a, const poly *b) {
- unsigned int i;
- __m256i f0, f1;
-
- for (i = 0; i < KYBER_N / 16; i++) {
- f0 = _mm256_load_si256(&a->vec[i]);
- f1 = _mm256_load_si256(&b->vec[i]);
- f0 = _mm256_add_epi16(f0, f1);
- _mm256_store_si256(&r->vec[i], f0);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_AVX2_poly_sub
-*
-* Description: Subtract two polynomials. No modular reduction
-* is performed.
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial
-**************************************************/
-void PQCLEAN_KYBER76890S_AVX2_poly_sub(poly *r, const poly *a, const poly *b) {
- unsigned int i;
- __m256i f0, f1;
-
- for (i = 0; i < KYBER_N / 16; i++) {
- f0 = _mm256_load_si256(&a->vec[i]);
- f1 = _mm256_load_si256(&b->vec[i]);
- f0 = _mm256_sub_epi16(f0, f1);
- _mm256_store_si256(&r->vec[i], f0);
- }
-}
diff --git a/crypto_kem/kyber768-90s/avx2/poly.h b/crypto_kem/kyber768-90s/avx2/poly.h
deleted file mode 100644
index f28d7d10..00000000
--- a/crypto_kem/kyber768-90s/avx2/poly.h
+++ /dev/null
@@ -1,36 +0,0 @@
-#ifndef PQCLEAN_KYBER76890S_AVX2_POLY_H
-#define PQCLEAN_KYBER76890S_AVX2_POLY_H
-#include "align.h"
-#include "params.h"
-#include
-#include
-
-typedef ALIGNED_INT16(KYBER_N) poly;
-
-void PQCLEAN_KYBER76890S_AVX2_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const poly *a);
-void PQCLEAN_KYBER76890S_AVX2_poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]);
-
-void PQCLEAN_KYBER76890S_AVX2_poly_tobytes(uint8_t r[KYBER_POLYBYTES], poly *a);
-void PQCLEAN_KYBER76890S_AVX2_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]);
-
-void PQCLEAN_KYBER76890S_AVX2_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]);
-void PQCLEAN_KYBER76890S_AVX2_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], poly *a);
-
-void PQCLEAN_KYBER76890S_AVX2_poly_getnoise_eta1(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce);
-
-void PQCLEAN_KYBER76890S_AVX2_poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce);
-
-
-
-void PQCLEAN_KYBER76890S_AVX2_poly_ntt(poly *r);
-void PQCLEAN_KYBER76890S_AVX2_poly_invntt_tomont(poly *r);
-void PQCLEAN_KYBER76890S_AVX2_poly_nttunpack(poly *r);
-void PQCLEAN_KYBER76890S_AVX2_poly_basemul_montgomery(poly *r, const poly *a, const poly *b);
-void PQCLEAN_KYBER76890S_AVX2_poly_tomont(poly *r);
-
-void PQCLEAN_KYBER76890S_AVX2_poly_reduce(poly *r);
-
-void PQCLEAN_KYBER76890S_AVX2_poly_add(poly *r, const poly *a, const poly *b);
-void PQCLEAN_KYBER76890S_AVX2_poly_sub(poly *r, const poly *a, const poly *b);
-
-#endif
diff --git a/crypto_kem/kyber768-90s/avx2/polyvec.c b/crypto_kem/kyber768-90s/avx2/polyvec.c
deleted file mode 100644
index 3357b6e9..00000000
--- a/crypto_kem/kyber768-90s/avx2/polyvec.c
+++ /dev/null
@@ -1,224 +0,0 @@
-#include "consts.h"
-#include "ntt.h"
-#include "params.h"
-#include "poly.h"
-#include "polyvec.h"
-#include
-#include
-
-static void poly_compress10(uint8_t r[320], const poly *restrict a) {
- size_t i;
- uint32_t low;
- __m256i f0, f1, f2;
- __m128i t0, t1;
- const __m256i v = _mm256_load_si256(&PQCLEAN_KYBER76890S_AVX2_qdata.vec[_16XV / 16]);
- const __m256i v8 = _mm256_slli_epi16(v, 3);
- const __m256i off = _mm256_set1_epi16(15);
- const __m256i shift1 = _mm256_set1_epi16(1 << 12);
- const __m256i mask = _mm256_set1_epi16(1023);
- const __m256i shift2 = _mm256_set1_epi64x((1024LL << 48) + (1LL << 32) + (1024 << 16) + 1);
- const __m256i sllvdidx = _mm256_set1_epi64x(12);
- const __m256i shufbidx = _mm256_set_epi8( 8, 4, 3, 2, 1, 0, -1, -1, -1, -1, -1, -1, 12, 11, 10, 9,
- -1, -1, -1, -1, -1, -1, 12, 11, 10, 9, 8, 4, 3, 2, 1, 0);
-
- for (i = 0; i < KYBER_N / 16; i++) {
- f0 = _mm256_load_si256(&a->vec[i]);
- f1 = _mm256_mullo_epi16(f0, v8);
- f2 = _mm256_add_epi16(f0, off);
- f0 = _mm256_slli_epi16(f0, 3);
- f0 = _mm256_mulhi_epi16(f0, v);
- f2 = _mm256_sub_epi16(f1, f2);
- f1 = _mm256_andnot_si256(f1, f2);
- f1 = _mm256_srli_epi16(f1, 15);
- f0 = _mm256_sub_epi16(f0, f1);
- f0 = _mm256_mulhrs_epi16(f0, shift1);
- f0 = _mm256_and_si256(f0, mask);
- f0 = _mm256_madd_epi16(f0, shift2);
- f0 = _mm256_sllv_epi32(f0, sllvdidx);
- f0 = _mm256_srli_epi64(f0, 12);
- f0 = _mm256_shuffle_epi8(f0, shufbidx);
- t0 = _mm256_castsi256_si128(f0);
- t1 = _mm256_extracti128_si256(f0, 1);
- t0 = _mm_blend_epi16(t0, t1, 0xE0);
- _mm_storeu_si128((__m128i *)&r[20 * i + 0], t0);
- _mm_store_ss((float *)&low, _mm_castsi128_ps(t1));
- r[20 * i + 16] = (uint8_t)low;
- r[20 * i + 17] = (uint8_t)(low >> 0x08);
- r[20 * i + 18] = (uint8_t)(low >> 0x10);
- r[20 * i + 19] = (uint8_t)(low >> 0x18);
- }
-}
-
-static void poly_decompress10(poly *restrict r, const uint8_t a[320 + 12]) {
- size_t i;
- __m256i f;
- const __m256i q = _mm256_set1_epi32((KYBER_Q << 16) + 4 * KYBER_Q);
- const __m256i shufbidx = _mm256_set_epi8(11, 10, 10, 9, 9, 8, 8, 7,
- 6, 5, 5, 4, 4, 3, 3, 2,
- 9, 8, 8, 7, 7, 6, 6, 5,
- 4, 3, 3, 2, 2, 1, 1, 0);
- const __m256i sllvdidx = _mm256_set1_epi64x(4);
- const __m256i mask = _mm256_set1_epi32((32736 << 16) + 8184);
-
- for (i = 0; i < KYBER_N / 16; i++) {
- f = _mm256_loadu_si256((__m256i *)&a[20 * i]);
- f = _mm256_permute4x64_epi64(f, 0x94);
- f = _mm256_shuffle_epi8(f, shufbidx);
- f = _mm256_sllv_epi32(f, sllvdidx);
- f = _mm256_srli_epi16(f, 1);
- f = _mm256_and_si256(f, mask);
- f = _mm256_mulhrs_epi16(f, q);
- _mm256_store_si256(&r->vec[i], f);
- }
-}
-
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_AVX2_polyvec_compress
-*
-* Description: Compress and serialize vector of polynomials
-*
-* Arguments: - uint8_t *r: pointer to output byte array
-* (needs space for KYBER_POLYVECCOMPRESSEDBYTES)
-* - polyvec *a: pointer to input vector of polynomials
-**************************************************/
-void PQCLEAN_KYBER76890S_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES + 2], polyvec *a) {
- size_t i;
-
- for (i = 0; i < KYBER_K; i++) {
- poly_compress10(&r[320 * i], &a->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_AVX2_polyvec_decompress
-*
-* Description: De-serialize and decompress vector of polynomials;
-* approximate inverse of PQCLEAN_KYBER76890S_AVX2_polyvec_compress
-*
-* Arguments: - polyvec *r: pointer to output vector of polynomials
-* - const uint8_t *a: pointer to input byte array
-* (of length KYBER_POLYVECCOMPRESSEDBYTES)
-**************************************************/
-void PQCLEAN_KYBER76890S_AVX2_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES + 12]) {
- size_t i;
-
- for (i = 0; i < KYBER_K; i++) {
- poly_decompress10(&r->vec[i], &a[320 * i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_AVX2_polyvec_tobytes
-*
-* Description: Serialize vector of polynomials
-*
-* Arguments: - uint8_t *r: pointer to output byte array
-* (needs space for KYBER_POLYVECBYTES)
-* - polyvec *a: pointer to input vector of polynomials
-**************************************************/
-void PQCLEAN_KYBER76890S_AVX2_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a) {
- size_t i;
- for (i = 0; i < KYBER_K; i++) {
- PQCLEAN_KYBER76890S_AVX2_poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_AVX2_polyvec_frombytes
-*
-* Description: De-serialize vector of polynomials;
-* inverse of PQCLEAN_KYBER76890S_AVX2_polyvec_tobytes
-*
-* Arguments: - uint8_t *r: pointer to output byte array
-* - const polyvec *a: pointer to input vector of polynomials
-* (of length KYBER_POLYVECBYTES)
-**************************************************/
-void PQCLEAN_KYBER76890S_AVX2_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]) {
- size_t i;
- for (i = 0; i < KYBER_K; i++) {
- PQCLEAN_KYBER76890S_AVX2_poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_AVX2_polyvec_ntt
-*
-* Description: Apply forward NTT to all elements of a vector of polynomials
-*
-* Arguments: - polyvec *r: pointer to in/output vector of polynomials
-**************************************************/
-void PQCLEAN_KYBER76890S_AVX2_polyvec_ntt(polyvec *r) {
- size_t i;
- for (i = 0; i < KYBER_K; i++) {
- PQCLEAN_KYBER76890S_AVX2_poly_ntt(&r->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_AVX2_polyvec_invntt_tomont
-*
-* Description: Apply inverse NTT to all elements of a vector of polynomials
-* and multiply by Montgomery factor 2^16
-*
-* Arguments: - polyvec *r: pointer to in/output vector of polynomials
-**************************************************/
-void PQCLEAN_KYBER76890S_AVX2_polyvec_invntt_tomont(polyvec *r) {
- size_t i;
- for (i = 0; i < KYBER_K; i++) {
- PQCLEAN_KYBER76890S_AVX2_poly_invntt_tomont(&r->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_AVX2_polyvec_basemul_acc_montgomery
-*
-* Description: Multiply elements in a and b in NTT domain, accumulate into r,
-* and multiply by 2^-16.
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const polyvec *a: pointer to first input vector of polynomials
-* - const polyvec *b: pointer to second input vector of polynomials
-**************************************************/
-void PQCLEAN_KYBER76890S_AVX2_polyvec_basemul_acc_montgomery(poly *r, const polyvec *a, const polyvec *b) {
- size_t i;
- poly tmp;
-
- PQCLEAN_KYBER76890S_AVX2_poly_basemul_montgomery(r, &a->vec[0], &b->vec[0]);
- for (i = 1; i < KYBER_K; i++) {
- PQCLEAN_KYBER76890S_AVX2_poly_basemul_montgomery(&tmp, &a->vec[i], &b->vec[i]);
- PQCLEAN_KYBER76890S_AVX2_poly_add(r, r, &tmp);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_AVX2_polyvec_reduce
-*
-* Description: Applies Barrett reduction to each coefficient
-* of each element of a vector of polynomials;
-* for details of the Barrett reduction see comments in reduce.c
-*
-* Arguments: - polyvec *r: pointer to input/output polynomial
-**************************************************/
-void PQCLEAN_KYBER76890S_AVX2_polyvec_reduce(polyvec *r) {
- size_t i;
- for (i = 0; i < KYBER_K; i++) {
- PQCLEAN_KYBER76890S_AVX2_poly_reduce(&r->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_AVX2_polyvec_add
-*
-* Description: Add vectors of polynomials
-*
-* Arguments: - polyvec *r: pointer to output vector of polynomials
-* - const polyvec *a: pointer to first input vector of polynomials
-* - const polyvec *b: pointer to second input vector of polynomials
-**************************************************/
-void PQCLEAN_KYBER76890S_AVX2_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) {
- size_t i;
- for (i = 0; i < KYBER_K; i++) {
- PQCLEAN_KYBER76890S_AVX2_poly_add(&r->vec[i], &a->vec[i], &b->vec[i]);
- }
-}
diff --git a/crypto_kem/kyber768-90s/avx2/polyvec.h b/crypto_kem/kyber768-90s/avx2/polyvec.h
deleted file mode 100644
index 3ef4364f..00000000
--- a/crypto_kem/kyber768-90s/avx2/polyvec.h
+++ /dev/null
@@ -1,26 +0,0 @@
-#ifndef PQCLEAN_KYBER76890S_AVX2_POLYVEC_H
-#define PQCLEAN_KYBER76890S_AVX2_POLYVEC_H
-#include "params.h"
-#include "poly.h"
-#include
-
-typedef struct {
- poly vec[KYBER_K];
-} polyvec;
-
-void PQCLEAN_KYBER76890S_AVX2_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES + 2], polyvec *a);
-void PQCLEAN_KYBER76890S_AVX2_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES + 12]);
-
-void PQCLEAN_KYBER76890S_AVX2_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], polyvec *a);
-void PQCLEAN_KYBER76890S_AVX2_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]);
-
-void PQCLEAN_KYBER76890S_AVX2_polyvec_ntt(polyvec *r);
-void PQCLEAN_KYBER76890S_AVX2_polyvec_invntt_tomont(polyvec *r);
-
-void PQCLEAN_KYBER76890S_AVX2_polyvec_basemul_acc_montgomery(poly *r, const polyvec *a, const polyvec *b);
-
-void PQCLEAN_KYBER76890S_AVX2_polyvec_reduce(polyvec *r);
-
-void PQCLEAN_KYBER76890S_AVX2_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b);
-
-#endif
diff --git a/crypto_kem/kyber768-90s/avx2/reduce.h b/crypto_kem/kyber768-90s/avx2/reduce.h
deleted file mode 100644
index 758e4f82..00000000
--- a/crypto_kem/kyber768-90s/avx2/reduce.h
+++ /dev/null
@@ -1,9 +0,0 @@
-#ifndef PQCLEAN_KYBER76890S_AVX2_REDUCE_H
-#define PQCLEAN_KYBER76890S_AVX2_REDUCE_H
-#include "params.h"
-#include
-
-void PQCLEAN_KYBER76890S_AVX2_reduce_avx(__m256i *r, const __m256i *PQCLEAN_KYBER76890S_AVX2_qdata);
-void PQCLEAN_KYBER76890S_AVX2_tomont_avx(__m256i *r, const __m256i *PQCLEAN_KYBER76890S_AVX2_qdata);
-
-#endif
diff --git a/crypto_kem/kyber768-90s/avx2/rejsample.c b/crypto_kem/kyber768-90s/avx2/rejsample.c
deleted file mode 100644
index 3fc98ef6..00000000
--- a/crypto_kem/kyber768-90s/avx2/rejsample.c
+++ /dev/null
@@ -1,126 +0,0 @@
-#include "align.h"
-#include "consts.h"
-#include "params.h"
-#include "rejsample.h"
-#include
-#include
-#include
-
-//#define BMI
-
-
-#define _mm256_cmpge_epu16(a, b) _mm256_cmpeq_epi16(_mm256_max_epu16(a, b), a)
-#define _mm_cmpge_epu16(a, b) _mm_cmpeq_epi16(_mm_max_epu16(a, b), a)
-
-unsigned int PQCLEAN_KYBER76890S_AVX2_rej_uniform_avx(int16_t *restrict r, const uint8_t *buf) {
- unsigned int ctr, pos;
- uint16_t val0, val1;
- uint32_t good;
- uint64_t idx0, idx1, idx2, idx3;
- const __m256i bound = _mm256_load_si256(&PQCLEAN_KYBER76890S_AVX2_qdata.vec[_16XQ / 16]);
- const __m256i ones = _mm256_set1_epi8(1);
- const __m256i mask = _mm256_set1_epi16(0xFFF);
- const __m256i idx8 = _mm256_set_epi8(15, 14, 14, 13, 12, 11, 11, 10,
- 9, 8, 8, 7, 6, 5, 5, 4,
- 11, 10, 10, 9, 8, 7, 7, 6,
- 5, 4, 4, 3, 2, 1, 1, 0);
- __m256i f0, f1, g0, g1, g2, g3;
- __m128i f, t, pilo, pihi;
-
- ctr = pos = 0;
- while (ctr <= KYBER_N - 32 && pos <= REJ_UNIFORM_AVX_BUFLEN - 48) {
- f0 = _mm256_loadu_si256((__m256i *)&buf[pos]);
- f1 = _mm256_loadu_si256((__m256i *)&buf[pos + 24]);
- f0 = _mm256_permute4x64_epi64(f0, 0x94);
- f1 = _mm256_permute4x64_epi64(f1, 0x94);
- f0 = _mm256_shuffle_epi8(f0, idx8);
- f1 = _mm256_shuffle_epi8(f1, idx8);
- g0 = _mm256_srli_epi16(f0, 4);
- g1 = _mm256_srli_epi16(f1, 4);
- f0 = _mm256_blend_epi16(f0, g0, 0xAA);
- f1 = _mm256_blend_epi16(f1, g1, 0xAA);
- f0 = _mm256_and_si256(f0, mask);
- f1 = _mm256_and_si256(f1, mask);
- pos += 48;
-
- g0 = _mm256_cmpgt_epi16(bound, f0);
- g1 = _mm256_cmpgt_epi16(bound, f1);
-
- g0 = _mm256_packs_epi16(g0, g1);
- good = _mm256_movemask_epi8(g0);
-
- idx0 = _pdep_u64(good >> 0, 0x0101010101010101);
- idx1 = _pdep_u64(good >> 8, 0x0101010101010101);
- idx2 = _pdep_u64(good >> 16, 0x0101010101010101);
- idx3 = _pdep_u64(good >> 24, 0x0101010101010101);
- idx0 = (idx0 << 8) - idx0;
- idx0 = _pext_u64(0x0E0C0A0806040200, idx0);
- idx1 = (idx1 << 8) - idx1;
- idx1 = _pext_u64(0x0E0C0A0806040200, idx1);
- idx2 = (idx2 << 8) - idx2;
- idx2 = _pext_u64(0x0E0C0A0806040200, idx2);
- idx3 = (idx3 << 8) - idx3;
- idx3 = _pext_u64(0x0E0C0A0806040200, idx3);
-
- g0 = _mm256_castsi128_si256(_mm_cvtsi64_si128(idx0));
- g1 = _mm256_castsi128_si256(_mm_cvtsi64_si128(idx1));
- g0 = _mm256_inserti128_si256(g0, _mm_cvtsi64_si128(idx2), 1);
- g1 = _mm256_inserti128_si256(g1, _mm_cvtsi64_si128(idx3), 1);
-
- g2 = _mm256_add_epi8(g0, ones);
- g3 = _mm256_add_epi8(g1, ones);
- g0 = _mm256_unpacklo_epi8(g0, g2);
- g1 = _mm256_unpacklo_epi8(g1, g3);
-
- f0 = _mm256_shuffle_epi8(f0, g0);
- f1 = _mm256_shuffle_epi8(f1, g1);
-
- _mm_storeu_si128((__m128i *)&r[ctr], _mm256_castsi256_si128(f0));
- ctr += _mm_popcnt_u32((good >> 0) & 0xFF);
- _mm_storeu_si128((__m128i *)&r[ctr], _mm256_extracti128_si256(f0, 1));
- ctr += _mm_popcnt_u32((good >> 16) & 0xFF);
- _mm_storeu_si128((__m128i *)&r[ctr], _mm256_castsi256_si128(f1));
- ctr += _mm_popcnt_u32((good >> 8) & 0xFF);
- _mm_storeu_si128((__m128i *)&r[ctr], _mm256_extracti128_si256(f1, 1));
- ctr += _mm_popcnt_u32((good >> 24) & 0xFF);
- }
-
- while (ctr <= KYBER_N - 8 && pos <= REJ_UNIFORM_AVX_BUFLEN - 12) {
- f = _mm_loadu_si128((__m128i *)&buf[pos]);
- f = _mm_shuffle_epi8(f, _mm256_castsi256_si128(idx8));
- t = _mm_srli_epi16(f, 4);
- f = _mm_blend_epi16(f, t, 0xAA);
- f = _mm_and_si128(f, _mm256_castsi256_si128(mask));
- pos += 12;
-
- t = _mm_cmpgt_epi16(_mm256_castsi256_si128(bound), f);
- good = _mm_movemask_epi8(t);
-
- good &= 0x5555;
- idx0 = _pdep_u64(good, 0x1111111111111111);
- idx0 = (idx0 << 8) - idx0;
- idx0 = _pext_u64(0x0E0C0A0806040200, idx0);
- pilo = _mm_cvtsi64_si128(idx0);
-
- pihi = _mm_add_epi8(pilo, _mm256_castsi256_si128(ones));
- pilo = _mm_unpacklo_epi8(pilo, pihi);
- f = _mm_shuffle_epi8(f, pilo);
- _mm_storeu_si128((__m128i *)&r[ctr], f);
- ctr += _mm_popcnt_u32(good);
- }
-
- while (ctr < KYBER_N && pos <= REJ_UNIFORM_AVX_BUFLEN - 3) {
- val0 = ((buf[pos + 0] >> 0) | ((uint16_t)buf[pos + 1] << 8)) & 0xFFF;
- val1 = ((buf[pos + 1] >> 4) | ((uint16_t)buf[pos + 2] << 4));
- pos += 3;
-
- if (val0 < KYBER_Q) {
- r[ctr++] = val0;
- }
- if (val1 < KYBER_Q && ctr < KYBER_N) {
- r[ctr++] = val1;
- }
- }
-
- return ctr;
-}
diff --git a/crypto_kem/kyber768-90s/avx2/rejsample.h b/crypto_kem/kyber768-90s/avx2/rejsample.h
deleted file mode 100644
index 1b8e7888..00000000
--- a/crypto_kem/kyber768-90s/avx2/rejsample.h
+++ /dev/null
@@ -1,12 +0,0 @@
-#ifndef PQCLEAN_KYBER76890S_AVX2_REJSAMPLE_H
-#define PQCLEAN_KYBER76890S_AVX2_REJSAMPLE_H
-#include "params.h"
-#include "symmetric.h"
-#include
-
-#define REJ_UNIFORM_AVX_NBLOCKS ((12*KYBER_N/8*(1 << 12)/KYBER_Q + XOF_BLOCKBYTES)/XOF_BLOCKBYTES)
-#define REJ_UNIFORM_AVX_BUFLEN (REJ_UNIFORM_AVX_NBLOCKS*XOF_BLOCKBYTES)
-
-unsigned int PQCLEAN_KYBER76890S_AVX2_rej_uniform_avx(int16_t *r, const uint8_t *buf);
-
-#endif
diff --git a/crypto_kem/kyber768-90s/avx2/shuffle.S b/crypto_kem/kyber768-90s/avx2/shuffle.S
deleted file mode 100644
index bc1d58b3..00000000
--- a/crypto_kem/kyber768-90s/avx2/shuffle.S
+++ /dev/null
@@ -1,261 +0,0 @@ -#include "cdecl.h" -.include "fq.inc" -.include "shuffle.inc" - -/* -nttpack_avx: -#load -vmovdqa (%rdi),%ymm4 -vmovdqa 32(%rdi),%ymm5 -vmovdqa 64(%rdi),%ymm6 -vmovdqa 96(%rdi),%ymm7 -vmovdqa 128(%rdi),%ymm8 -vmovdqa 160(%rdi),%ymm9 -vmovdqa 192(%rdi),%ymm10 -vmovdqa 224(%rdi),%ymm11 - -shuffle1 4,5,3,5 -shuffle1 6,7,4,7 -shuffle1 8,9,6,9 -shuffle1 10,11,8,11 - -shuffle2 3,4,10,4 -shuffle2 6,8,3,8 -shuffle2 5,7,6,7 -shuffle2 9,11,5,11 - -shuffle4 10,3,9,3 -shuffle4 6,5,10,5 -shuffle4 4,8,6,8 -shuffle4 7,11,4,11 - -shuffle8 9,10,7,10 -shuffle8 6,4,9,4 -shuffle8 3,5,6,5 -shuffle8 8,11,3,11 - -#store -vmovdqa %ymm7,(%rdi) -vmovdqa %ymm9,32(%rdi) -vmovdqa %ymm6,64(%rdi) -vmovdqa %ymm3,96(%rdi) -vmovdqa %ymm10,128(%rdi) -vmovdqa %ymm4,160(%rdi) -vmovdqa %ymm5,192(%rdi) -vmovdqa %ymm11,224(%rdi) - -ret -*/ - -.text -nttunpack128_avx: -#load -vmovdqa (%rdi),%ymm4 -vmovdqa 32(%rdi),%ymm5 -vmovdqa 64(%rdi),%ymm6 -vmovdqa 96(%rdi),%ymm7 -vmovdqa 128(%rdi),%ymm8 -vmovdqa 160(%rdi),%ymm9 -vmovdqa 192(%rdi),%ymm10 -vmovdqa 224(%rdi),%ymm11 - -shuffle8 4,8,3,8 -shuffle8 5,9,4,9 -shuffle8 6,10,5,10 -shuffle8 7,11,6,11 - -shuffle4 3,5,7,5 -shuffle4 8,10,3,10 -shuffle4 4,6,8,6 -shuffle4 9,11,4,11 - -shuffle2 7,8,9,8 -shuffle2 5,6,7,6 -shuffle2 3,4,5,4 -shuffle2 10,11,3,11 - -shuffle1 9,5,10,5 -shuffle1 8,4,9,4 -shuffle1 7,3,8,3 -shuffle1 6,11,7,11 - -#store -vmovdqa %ymm10,(%rdi) -vmovdqa %ymm5,32(%rdi) -vmovdqa %ymm9,64(%rdi) -vmovdqa %ymm4,96(%rdi) -vmovdqa %ymm8,128(%rdi) -vmovdqa %ymm3,160(%rdi) -vmovdqa %ymm7,192(%rdi) -vmovdqa %ymm11,224(%rdi) - -ret - -.global cdecl(PQCLEAN_KYBER76890S_AVX2_nttunpack_avx) -.global _cdecl(PQCLEAN_KYBER76890S_AVX2_nttunpack_avx) -cdecl(PQCLEAN_KYBER76890S_AVX2_nttunpack_avx): -_cdecl(PQCLEAN_KYBER76890S_AVX2_nttunpack_avx): -call nttunpack128_avx -add $256,%rdi -call nttunpack128_avx -ret - -ntttobytes128_avx: -#load -vmovdqa (%rsi),%ymm5 -vmovdqa 32(%rsi),%ymm6 -vmovdqa 64(%rsi),%ymm7 -vmovdqa 96(%rsi),%ymm8 -vmovdqa 
128(%rsi),%ymm9 -vmovdqa 160(%rsi),%ymm10 -vmovdqa 192(%rsi),%ymm11 -vmovdqa 224(%rsi),%ymm12 - -#csubq -csubq 5,13 -csubq 6,13 -csubq 7,13 -csubq 8,13 -csubq 9,13 -csubq 10,13 -csubq 11,13 -csubq 12,13 - -#bitpack -vpsllw $12,%ymm6,%ymm4 -vpor %ymm4,%ymm5,%ymm4 - -vpsrlw $4,%ymm6,%ymm5 -vpsllw $8,%ymm7,%ymm6 -vpor %ymm5,%ymm6,%ymm5 - -vpsrlw $8,%ymm7,%ymm6 -vpsllw $4,%ymm8,%ymm7 -vpor %ymm6,%ymm7,%ymm6 - -vpsllw $12,%ymm10,%ymm7 -vpor %ymm7,%ymm9,%ymm7 - -vpsrlw $4,%ymm10,%ymm8 -vpsllw $8,%ymm11,%ymm9 -vpor %ymm8,%ymm9,%ymm8 - -vpsrlw $8,%ymm11,%ymm9 -vpsllw $4,%ymm12,%ymm10 -vpor %ymm9,%ymm10,%ymm9 - -shuffle1 4,5,3,5 -shuffle1 6,7,4,7 -shuffle1 8,9,6,9 - -shuffle2 3,4,8,4 -shuffle2 6,5,3,5 -shuffle2 7,9,6,9 - -shuffle4 8,3,7,3 -shuffle4 6,4,8,4 -shuffle4 5,9,6,9 - -shuffle8 7,8,5,8 -shuffle8 6,3,7,3 -shuffle8 4,9,6,9 - -#store -vmovdqu %ymm5,(%rdi) -vmovdqu %ymm7,32(%rdi) -vmovdqu %ymm6,64(%rdi) -vmovdqu %ymm8,96(%rdi) -vmovdqu %ymm3,128(%rdi) -vmovdqu %ymm9,160(%rdi) - -ret - -.global cdecl(PQCLEAN_KYBER76890S_AVX2_ntttobytes_avx) -.global _cdecl(PQCLEAN_KYBER76890S_AVX2_ntttobytes_avx) -cdecl(PQCLEAN_KYBER76890S_AVX2_ntttobytes_avx): -_cdecl(PQCLEAN_KYBER76890S_AVX2_ntttobytes_avx): -#consts -vmovdqa _16XQ*2(%rdx),%ymm0 -call ntttobytes128_avx -add $256,%rsi -add $192,%rdi -call ntttobytes128_avx -ret - -nttfrombytes128_avx: -#load -vmovdqu (%rsi),%ymm4 -vmovdqu 32(%rsi),%ymm5 -vmovdqu 64(%rsi),%ymm6 -vmovdqu 96(%rsi),%ymm7 -vmovdqu 128(%rsi),%ymm8 -vmovdqu 160(%rsi),%ymm9 - -shuffle8 4,7,3,7 -shuffle8 5,8,4,8 -shuffle8 6,9,5,9 - -shuffle4 3,8,6,8 -shuffle4 7,5,3,5 -shuffle4 4,9,7,9 - -shuffle2 6,5,4,5 -shuffle2 8,7,6,7 -shuffle2 3,9,8,9 - -shuffle1 4,7,10,7 -shuffle1 5,8,4,8 -shuffle1 6,9,5,9 - -#bitunpack -vpsrlw $12,%ymm10,%ymm11 -vpsllw $4,%ymm7,%ymm12 -vpor %ymm11,%ymm12,%ymm11 -vpand %ymm0,%ymm10,%ymm10 -vpand %ymm0,%ymm11,%ymm11 - -vpsrlw $8,%ymm7,%ymm12 -vpsllw $8,%ymm4,%ymm13 -vpor %ymm12,%ymm13,%ymm12 -vpand %ymm0,%ymm12,%ymm12 - -vpsrlw 
$4,%ymm4,%ymm13 -vpand %ymm0,%ymm13,%ymm13 - -vpsrlw $12,%ymm8,%ymm14 -vpsllw $4,%ymm5,%ymm15 -vpor %ymm14,%ymm15,%ymm14 -vpand %ymm0,%ymm8,%ymm8 -vpand %ymm0,%ymm14,%ymm14 - -vpsrlw $8,%ymm5,%ymm15 -vpsllw $8,%ymm9,%ymm1 -vpor %ymm15,%ymm1,%ymm15 -vpand %ymm0,%ymm15,%ymm15 - -vpsrlw $4,%ymm9,%ymm1 -vpand %ymm0,%ymm1,%ymm1 - -#store -vmovdqa %ymm10,(%rdi) -vmovdqa %ymm11,32(%rdi) -vmovdqa %ymm12,64(%rdi) -vmovdqa %ymm13,96(%rdi) -vmovdqa %ymm8,128(%rdi) -vmovdqa %ymm14,160(%rdi) -vmovdqa %ymm15,192(%rdi) -vmovdqa %ymm1,224(%rdi) - -ret - -.global cdecl(PQCLEAN_KYBER76890S_AVX2_nttfrombytes_avx) -.global _cdecl(PQCLEAN_KYBER76890S_AVX2_nttfrombytes_avx) -cdecl(PQCLEAN_KYBER76890S_AVX2_nttfrombytes_avx): -_cdecl(PQCLEAN_KYBER76890S_AVX2_nttfrombytes_avx): -#consts -vmovdqa _16XMASK*2(%rdx),%ymm0 -call nttfrombytes128_avx -add $256,%rdi -add $192,%rsi -call nttfrombytes128_avx -ret diff --git a/crypto_kem/kyber768-90s/avx2/shuffle.inc b/crypto_kem/kyber768-90s/avx2/shuffle.inc deleted file mode 100644 index 73e9ffe0..00000000 --- a/crypto_kem/kyber768-90s/avx2/shuffle.inc +++ /dev/null @@ -1,25 +0,0 @@ -.macro shuffle8 r0,r1,r2,r3 -vperm2i128 $0x20,%ymm\r1,%ymm\r0,%ymm\r2 -vperm2i128 $0x31,%ymm\r1,%ymm\r0,%ymm\r3 -.endm - -.macro shuffle4 r0,r1,r2,r3 -vpunpcklqdq %ymm\r1,%ymm\r0,%ymm\r2 -vpunpckhqdq %ymm\r1,%ymm\r0,%ymm\r3 -.endm - -.macro shuffle2 r0,r1,r2,r3 -#vpsllq $32,%ymm\r1,%ymm\r2 -vmovsldup %ymm\r1,%ymm\r2 -vpblendd $0xAA,%ymm\r2,%ymm\r0,%ymm\r2 -vpsrlq $32,%ymm\r0,%ymm\r0 -#vmovshdup %ymm\r0,%ymm\r0 -vpblendd $0xAA,%ymm\r1,%ymm\r0,%ymm\r3 -.endm - -.macro shuffle1 r0,r1,r2,r3 -vpslld $16,%ymm\r1,%ymm\r2 -vpblendw $0xAA,%ymm\r2,%ymm\r0,%ymm\r2 -vpsrld $16,%ymm\r0,%ymm\r0 -vpblendw $0xAA,%ymm\r1,%ymm\r0,%ymm\r3 -.endm diff --git a/crypto_kem/kyber768-90s/avx2/symmetric.h b/crypto_kem/kyber768-90s/avx2/symmetric.h deleted file mode 100644 index 3473cfc0..00000000 --- a/crypto_kem/kyber768-90s/avx2/symmetric.h +++ /dev/null 
@@ -1,24 +0,0 @@
-#ifndef PQCLEAN_KYBER76890S_AVX2_SYMMETRIC_H
-#define PQCLEAN_KYBER76890S_AVX2_SYMMETRIC_H
-#include "aes256ctr.h"
-#include "params.h"
-#include "sha2.h"
-#include
-#include
-
-
-
-typedef aes256ctr_ctx xof_state;
-
-#define XOF_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define hash_h(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-#define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES)
-#define xof_absorb(STATE, SEED, X, Y) PQCLEAN_KYBER76890S_AVX2_aes256ctr_init(STATE, SEED, (X) | ((uint16_t)(Y) << 8))
-#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER76890S_AVX2_aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define xof_ctx_release(STATE)
-#define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER76890S_AVX2_aes256ctr_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-
-
-#endif /* SYMMETRIC_H */
diff --git a/crypto_kem/kyber768-90s/avx2/verify.c b/crypto_kem/kyber768-90s/avx2/verify.c
deleted file mode 100644
index 9ec47757..00000000
--- a/crypto_kem/kyber768-90s/avx2/verify.c
+++ /dev/null
@@ -1,73 +0,0 @@ -#include "verify.h" -#include -#include -#include - -/************************************************* -* Name: PQCLEAN_KYBER76890S_AVX2_verify -* -* Description: Compare two arrays for equality in constant time. -* -* Arguments: const uint8_t *a: pointer to first byte array -* const uint8_t *b: pointer to second byte array -* size_t len: length of the byte arrays -* -* Returns 0 if the byte arrays are equal, 1 otherwise -**************************************************/ -int PQCLEAN_KYBER76890S_AVX2_verify(const uint8_t *a, const uint8_t *b, size_t len) { - size_t i; - uint64_t r; - __m256i f, g, h; - - h = _mm256_setzero_si256(); - for (i = 0; i < len / 32; i++) { - f = _mm256_loadu_si256((__m256i *)&a[32 * i]); - g = _mm256_loadu_si256((__m256i *)&b[32 * i]); - f = _mm256_xor_si256(f, g); - h = _mm256_or_si256(h, f); - } - r = 1 - _mm256_testz_si256(h, h); - - a += 32 * i; - b += 32 * i; - len -= 32 * i; - for (i = 0; i < len; i++) { - r |= a[i] ^ b[i]; - } - - r = (-r) >> 63; - return r; -} - -/************************************************* -* Name: PQCLEAN_KYBER76890S_AVX2_cmov -* -* Description: Copy len bytes from x to r if b is 1; -* don't modify x if b is 0. Requires b to be in {0,1}; -* assumes two's complement representation of negative integers. -* Runs in constant time. 
-*
-* Arguments: unsigned char *r: pointer to output byte array
-* const unsigned char *x: pointer to input byte array
-* size_t len: Amount of bytes to be copied
-* unsigned char b: Condition bit; has to be in {0,1}
-**************************************************/
-void PQCLEAN_KYBER76890S_AVX2_cmov(uint8_t *restrict r, const uint8_t *x, size_t len, uint8_t b) {
- size_t i;
- __m256i xvec, rvec, bvec;
-
- bvec = _mm256_set1_epi64x(-(uint64_t)b);
- for (i = 0; i < len / 32; i++) {
- rvec = _mm256_loadu_si256((__m256i *)&r[32 * i]);
- xvec = _mm256_loadu_si256((__m256i *)&x[32 * i]);
- rvec = _mm256_blendv_epi8(rvec, xvec, bvec);
- _mm256_storeu_si256((__m256i *)&r[32 * i], rvec);
- }
-
- r += 32 * i;
- x += 32 * i;
- len -= 32 * i;
- for (i = 0; i < len; i++) {
- r[i] ^= -b & (x[i] ^ r[i]);
- }
-}
diff --git a/crypto_kem/kyber768-90s/avx2/verify.h b/crypto_kem/kyber768-90s/avx2/verify.h
deleted file mode 100644
index 2b556e54..00000000
--- a/crypto_kem/kyber768-90s/avx2/verify.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_KYBER76890S_AVX2_VERIFY_H
-#define PQCLEAN_KYBER76890S_AVX2_VERIFY_H
-#include "params.h"
-#include
-#include
-
-int PQCLEAN_KYBER76890S_AVX2_verify(const uint8_t *a, const uint8_t *b, size_t len);
-
-void PQCLEAN_KYBER76890S_AVX2_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b);
-
-#endif
diff --git a/crypto_kem/kyber768-90s/clean/LICENSE b/crypto_kem/kyber768-90s/clean/LICENSE
deleted file mode 100644
index 08473af7..00000000
--- a/crypto_kem/kyber768-90s/clean/LICENSE
+++ /dev/null
@@ -1,5 +0,0 @@
-Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/)
-
-For Keccak and AES we are using public-domain
-code from sources and by authors listed in
-comments on top of the respective files.
diff --git a/crypto_kem/kyber768-90s/clean/Makefile.Microsoft_nmake b/crypto_kem/kyber768-90s/clean/Makefile.Microsoft_nmake
deleted file mode 100644
index 381f983f..00000000
--- a/crypto_kem/kyber768-90s/clean/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,23 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libkyber768-90s_clean.lib
-OBJECTS=cbd.obj indcpa.obj kem.obj ntt.obj poly.obj polyvec.obj reduce.obj symmetric-aes.obj verify.obj
-
-# Warning C4146 is raised when a unary minus operator is applied to an
-# unsigned type; this has nonetheless been standard and portable for as
-# long as there has been a C standard, and we need it for constant-time
-# computations. Thus, we disable that spurious warning.
-CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX /wd4146
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_kem/kyber768-90s/clean/api.h b/crypto_kem/kyber768-90s/clean/api.h
deleted file mode 100644
index d45b646b..00000000
--- a/crypto_kem/kyber768-90s/clean/api.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef PQCLEAN_KYBER76890S_CLEAN_API_H
-#define PQCLEAN_KYBER76890S_CLEAN_API_H
-
-#include
-
-#define PQCLEAN_KYBER76890S_CLEAN_CRYPTO_SECRETKEYBYTES 2400
-#define PQCLEAN_KYBER76890S_CLEAN_CRYPTO_PUBLICKEYBYTES 1184
-#define PQCLEAN_KYBER76890S_CLEAN_CRYPTO_CIPHERTEXTBYTES 1088
-#define PQCLEAN_KYBER76890S_CLEAN_CRYPTO_BYTES 32
-#define PQCLEAN_KYBER76890S_CLEAN_CRYPTO_ALGNAME "Kyber768-90s"
-
-int PQCLEAN_KYBER76890S_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
-
-int PQCLEAN_KYBER76890S_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-
-int PQCLEAN_KYBER76890S_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
-#endif
diff --git a/crypto_kem/kyber768-90s/clean/cbd.c b/crypto_kem/kyber768-90s/clean/cbd.c
deleted file mode 100644
index 3c1290e9..00000000
--- a/crypto_kem/kyber768-90s/clean/cbd.c
+++ /dev/null
@@ -1,83 +0,0 @@ -#include "cbd.h" -#include "params.h" -#include - -/************************************************* -* Name: load32_littleendian -* -* Description: load 4 bytes into a 32-bit integer -* in little-endian order -* -* Arguments: - const uint8_t *x: pointer to input byte array -* -* Returns 32-bit unsigned integer loaded from x -**************************************************/ -static uint32_t load32_littleendian(const uint8_t x[4]) { - uint32_t r; - r = (uint32_t)x[0]; - r |= (uint32_t)x[1] << 8; - r |= (uint32_t)x[2] << 16; - r |= (uint32_t)x[3] << 24; - return r; -} - -/************************************************* -* Name: load24_littleendian -* -* Description: load 3 bytes into a 32-bit integer -* in little-endian order. -* This function is only needed for Kyber-512 -* -* Arguments: - const uint8_t *x: pointer to input byte array -* -* Returns 32-bit unsigned integer loaded from x (most significant byte is zero) -**************************************************/ - - -/************************************************* -* Name: cbd2 -* -* Description: Given an array of uniformly random bytes, compute -* polynomial with coefficients distributed according to -* a centered binomial distribution with parameter eta=2 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *buf: pointer to input byte array -**************************************************/ -static void cbd2(poly *r, const uint8_t buf[2 * KYBER_N / 4]) { - unsigned int i, j; - uint32_t t, d; - int16_t a, b; - - for (i = 0; i < KYBER_N / 8; i++) { - t = load32_littleendian(buf + 4 * i); - d = t & 0x55555555; - d += (t >> 1) & 0x55555555; - - for (j = 0; j < 8; j++) { - a = (d >> (4 * j + 0)) & 0x3; - b = (d >> (4 * j + 2)) & 0x3; - r->coeffs[8 * i + j] = a - b; - } - } -} - -/************************************************* -* Name: cbd3 -* -* Description: Given an array of uniformly random bytes, compute -* polynomial with coefficients distributed 
according to -* a centered binomial distribution with parameter eta=3. -* This function is only needed for Kyber-512 -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *buf: pointer to input byte array -**************************************************/ - -void PQCLEAN_KYBER76890S_CLEAN_poly_cbd_eta1(poly *r, const uint8_t buf[KYBER_ETA1 * KYBER_N / 4]) { - cbd2(r, buf); -} - -void PQCLEAN_KYBER76890S_CLEAN_poly_cbd_eta2(poly *r, const uint8_t buf[KYBER_ETA2 * KYBER_N / 4]) { - cbd2(r, buf); -} diff --git a/crypto_kem/kyber768-90s/clean/cbd.h b/crypto_kem/kyber768-90s/clean/cbd.h deleted file mode 100644 index f2de6763..00000000 --- a/crypto_kem/kyber768-90s/clean/cbd.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef PQCLEAN_KYBER76890S_CLEAN_CBD_H -#define PQCLEAN_KYBER76890S_CLEAN_CBD_H -#include "params.h" -#include "poly.h" -#include - -void PQCLEAN_KYBER76890S_CLEAN_poly_cbd_eta1(poly *r, const uint8_t buf[KYBER_ETA1 * KYBER_N / 4]); - -void PQCLEAN_KYBER76890S_CLEAN_poly_cbd_eta2(poly *r, const uint8_t buf[KYBER_ETA2 * KYBER_N / 4]); - -#endif diff --git a/crypto_kem/kyber768-90s/clean/indcpa.c b/crypto_kem/kyber768-90s/clean/indcpa.c deleted file mode 100644 index 835abb8a..00000000 --- a/crypto_kem/kyber768-90s/clean/indcpa.c +++ /dev/null 
@@ -1,330 +0,0 @@ -#include "indcpa.h" -#include "ntt.h" -#include "params.h" -#include "poly.h" -#include "polyvec.h" -#include "randombytes.h" -#include "symmetric.h" -#include -#include - -/************************************************* -* Name: pack_pk -* -* Description: Serialize the public key as concatenation of the -* serialized vector of polynomials pk -* and the public seed used to generate the matrix A. -* -* Arguments: uint8_t *r: pointer to the output serialized public key -* polyvec *pk: pointer to the input public-key polyvec -* const uint8_t *seed: pointer to the input public seed -**************************************************/ -static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES], - polyvec *pk, - const uint8_t seed[KYBER_SYMBYTES]) { - size_t i; - PQCLEAN_KYBER76890S_CLEAN_polyvec_tobytes(r, pk); - for (i = 0; i < KYBER_SYMBYTES; i++) { - r[i + KYBER_POLYVECBYTES] = seed[i]; - } -} - -/************************************************* -* Name: unpack_pk -* -* Description: De-serialize public key from a byte array; -* approximate inverse of pack_pk -* -* Arguments: - polyvec *pk: pointer to output public-key polynomial vector -* - uint8_t *seed: pointer to output seed to generate matrix A -* - const uint8_t *packedpk: pointer to input serialized public key -**************************************************/ -static void unpack_pk(polyvec *pk, - uint8_t seed[KYBER_SYMBYTES], - const uint8_t packedpk[KYBER_INDCPA_PUBLICKEYBYTES]) { - size_t i; - PQCLEAN_KYBER76890S_CLEAN_polyvec_frombytes(pk, packedpk); - for (i = 0; i < KYBER_SYMBYTES; i++) { - seed[i] = packedpk[i + KYBER_POLYVECBYTES]; - } -} - -/************************************************* -* Name: pack_sk -* -* Description: Serialize the secret key -* -* Arguments: - uint8_t *r: pointer to output serialized secret key -* - polyvec *sk: pointer to input vector of polynomials (secret key) -**************************************************/ -static void pack_sk(uint8_t 
r[KYBER_INDCPA_SECRETKEYBYTES], polyvec *sk) { - PQCLEAN_KYBER76890S_CLEAN_polyvec_tobytes(r, sk); -} - -/************************************************* -* Name: unpack_sk -* -* Description: De-serialize the secret key; inverse of pack_sk -* -* Arguments: - polyvec *sk: pointer to output vector of polynomials (secret key) -* - const uint8_t *packedsk: pointer to input serialized secret key -**************************************************/ -static void unpack_sk(polyvec *sk, const uint8_t packedsk[KYBER_INDCPA_SECRETKEYBYTES]) { - PQCLEAN_KYBER76890S_CLEAN_polyvec_frombytes(sk, packedsk); -} - -/************************************************* -* Name: pack_ciphertext -* -* Description: Serialize the ciphertext as concatenation of the -* compressed and serialized vector of polynomials b -* and the compressed and serialized polynomial v -* -* Arguments: uint8_t *r: pointer to the output serialized ciphertext -* poly *pk: pointer to the input vector of polynomials b -* poly *v: pointer to the input polynomial v -**************************************************/ -static void pack_ciphertext(uint8_t r[KYBER_INDCPA_BYTES], polyvec *b, poly *v) { - PQCLEAN_KYBER76890S_CLEAN_polyvec_compress(r, b); - PQCLEAN_KYBER76890S_CLEAN_poly_compress(r + KYBER_POLYVECCOMPRESSEDBYTES, v); -} - -/************************************************* -* Name: unpack_ciphertext -* -* Description: De-serialize and decompress ciphertext from a byte array; -* approximate inverse of pack_ciphertext -* -* Arguments: - polyvec *b: pointer to the output vector of polynomials b -* - poly *v: pointer to the output polynomial v -* - const uint8_t *c: pointer to the input serialized ciphertext -**************************************************/ -static void unpack_ciphertext(polyvec *b, poly *v, const uint8_t c[KYBER_INDCPA_BYTES]) { - PQCLEAN_KYBER76890S_CLEAN_polyvec_decompress(b, c); - PQCLEAN_KYBER76890S_CLEAN_poly_decompress(v, c + KYBER_POLYVECCOMPRESSEDBYTES); -} - 
-/************************************************* -* Name: rej_uniform -* -* Description: Run rejection sampling on uniform random bytes to generate -* uniform random integers mod q -* -* Arguments: - int16_t *r: pointer to output buffer -* - unsigned int len: requested number of 16-bit integers (uniform mod q) -* - const uint8_t *buf: pointer to input buffer (assumed to be uniformly random bytes) -* - unsigned int buflen: length of input buffer in bytes -* -* Returns number of sampled 16-bit integers (at most len) -**************************************************/ -static unsigned int rej_uniform(int16_t *r, - unsigned int len, - const uint8_t *buf, - unsigned int buflen) { - unsigned int ctr, pos; - uint16_t val0, val1; - - ctr = pos = 0; - while (ctr < len && pos + 3 <= buflen) { - val0 = ((buf[pos + 0] >> 0) | ((uint16_t)buf[pos + 1] << 8)) & 0xFFF; - val1 = ((buf[pos + 1] >> 4) | ((uint16_t)buf[pos + 2] << 4)) & 0xFFF; - pos += 3; - - if (val0 < KYBER_Q) { - r[ctr++] = val0; - } - if (ctr < len && val1 < KYBER_Q) { - r[ctr++] = val1; - } - } - - return ctr; -} - -#define gen_a(A,B) PQCLEAN_KYBER76890S_CLEAN_gen_matrix(A,B,0) -#define gen_at(A,B) PQCLEAN_KYBER76890S_CLEAN_gen_matrix(A,B,1) - -/************************************************* -* Name: PQCLEAN_KYBER76890S_CLEAN_gen_matrix -* -* Description: Deterministically generate matrix A (or the transpose of A) -* from a seed. Entries of the matrix are polynomials that look -* uniformly random. 
Performs rejection sampling on output of -* a XOF -* -* Arguments: - polyvec *a: pointer to ouptput matrix A -* - const uint8_t *seed: pointer to input seed -* - int transposed: boolean deciding whether A or A^T is generated -**************************************************/ -#define GEN_MATRIX_NBLOCKS ((12*KYBER_N/8*(1 << 12)/KYBER_Q + XOF_BLOCKBYTES)/XOF_BLOCKBYTES) -// Not static for benchmarking -void PQCLEAN_KYBER76890S_CLEAN_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed) { - unsigned int ctr, i, j, k; - unsigned int buflen, off; - uint8_t buf[GEN_MATRIX_NBLOCKS * XOF_BLOCKBYTES + 2]; - xof_state state; - - for (i = 0; i < KYBER_K; i++) { - for (j = 0; j < KYBER_K; j++) { - if (transposed) { - xof_absorb(&state, seed, (uint8_t)i, (uint8_t)j); - } else { - xof_absorb(&state, seed, (uint8_t)j, (uint8_t)i); - } - - xof_squeezeblocks(buf, GEN_MATRIX_NBLOCKS, &state); - buflen = GEN_MATRIX_NBLOCKS * XOF_BLOCKBYTES; - ctr = rej_uniform(a[i].vec[j].coeffs, KYBER_N, buf, buflen); - - while (ctr < KYBER_N) { - off = buflen % 3; - for (k = 0; k < off; k++) { - buf[k] = buf[buflen - off + k]; - } - xof_squeezeblocks(buf + off, 1, &state); - buflen = off + XOF_BLOCKBYTES; - ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf, buflen); - } - xof_ctx_release(&state); - } - } -} - -/************************************************* -* Name: PQCLEAN_KYBER76890S_CLEAN_indcpa_keypair -* -* Description: Generates public and private key for the CPA-secure -* public-key encryption scheme underlying Kyber -* -* Arguments: - uint8_t *pk: pointer to output public key -* (of length KYBER_INDCPA_PUBLICKEYBYTES bytes) -* - uint8_t *sk: pointer to output private key - (of length KYBER_INDCPA_SECRETKEYBYTES bytes) -**************************************************/ -void PQCLEAN_KYBER76890S_CLEAN_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], - uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) { - unsigned int i; - uint8_t buf[2 * 
KYBER_SYMBYTES]; - const uint8_t *publicseed = buf; - const uint8_t *noiseseed = buf + KYBER_SYMBYTES; - uint8_t nonce = 0; - polyvec a[KYBER_K], e, pkpv, skpv; - - randombytes(buf, KYBER_SYMBYTES); - hash_g(buf, buf, KYBER_SYMBYTES); - - gen_a(a, publicseed); - - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER76890S_CLEAN_poly_getnoise_eta1(&skpv.vec[i], noiseseed, nonce++); - } - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER76890S_CLEAN_poly_getnoise_eta1(&e.vec[i], noiseseed, nonce++); - } - - PQCLEAN_KYBER76890S_CLEAN_polyvec_ntt(&skpv); - PQCLEAN_KYBER76890S_CLEAN_polyvec_ntt(&e); - - // matrix-vector multiplication - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER76890S_CLEAN_polyvec_basemul_acc_montgomery(&pkpv.vec[i], &a[i], &skpv); - PQCLEAN_KYBER76890S_CLEAN_poly_tomont(&pkpv.vec[i]); - } - - PQCLEAN_KYBER76890S_CLEAN_polyvec_add(&pkpv, &pkpv, &e); - PQCLEAN_KYBER76890S_CLEAN_polyvec_reduce(&pkpv); - - pack_sk(sk, &skpv); - pack_pk(pk, &pkpv, publicseed); -} - -/************************************************* -* Name: PQCLEAN_KYBER76890S_CLEAN_indcpa_enc -* -* Description: Encryption function of the CPA-secure -* public-key encryption scheme underlying Kyber. 
-* -* Arguments: - uint8_t *c: pointer to output ciphertext -* (of length KYBER_INDCPA_BYTES bytes) -* - const uint8_t *m: pointer to input message -* (of length KYBER_INDCPA_MSGBYTES bytes) -* - const uint8_t *pk: pointer to input public key -* (of length KYBER_INDCPA_PUBLICKEYBYTES) -* - const uint8_t *coins: pointer to input random coins used as seed -* (of length KYBER_SYMBYTES) to deterministically -* generate all randomness -**************************************************/ -void PQCLEAN_KYBER76890S_CLEAN_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES], - const uint8_t m[KYBER_INDCPA_MSGBYTES], - const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES], - const uint8_t coins[KYBER_SYMBYTES]) { - unsigned int i; - uint8_t seed[KYBER_SYMBYTES]; - uint8_t nonce = 0; - polyvec sp, pkpv, ep, at[KYBER_K], b; - poly v, k, epp; - - unpack_pk(&pkpv, seed, pk); - PQCLEAN_KYBER76890S_CLEAN_poly_frommsg(&k, m); - gen_at(at, seed); - - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER76890S_CLEAN_poly_getnoise_eta1(sp.vec + i, coins, nonce++); - } - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER76890S_CLEAN_poly_getnoise_eta2(ep.vec + i, coins, nonce++); - } - PQCLEAN_KYBER76890S_CLEAN_poly_getnoise_eta2(&epp, coins, nonce++); - - PQCLEAN_KYBER76890S_CLEAN_polyvec_ntt(&sp); - - // matrix-vector multiplication - for (i = 0; i < KYBER_K; i++) { - PQCLEAN_KYBER76890S_CLEAN_polyvec_basemul_acc_montgomery(&b.vec[i], &at[i], &sp); - } - - PQCLEAN_KYBER76890S_CLEAN_polyvec_basemul_acc_montgomery(&v, &pkpv, &sp); - - PQCLEAN_KYBER76890S_CLEAN_polyvec_invntt_tomont(&b); - PQCLEAN_KYBER76890S_CLEAN_poly_invntt_tomont(&v); - - PQCLEAN_KYBER76890S_CLEAN_polyvec_add(&b, &b, &ep); - PQCLEAN_KYBER76890S_CLEAN_poly_add(&v, &v, &epp); - PQCLEAN_KYBER76890S_CLEAN_poly_add(&v, &v, &k); - PQCLEAN_KYBER76890S_CLEAN_polyvec_reduce(&b); - PQCLEAN_KYBER76890S_CLEAN_poly_reduce(&v); - - pack_ciphertext(c, &b, &v); -} - -/************************************************* -* Name: 
PQCLEAN_KYBER76890S_CLEAN_indcpa_dec -* -* Description: Decryption function of the CPA-secure -* public-key encryption scheme underlying Kyber. -* -* Arguments: - uint8_t *m: pointer to output decrypted message -* (of length KYBER_INDCPA_MSGBYTES) -* - const uint8_t *c: pointer to input ciphertext -* (of length KYBER_INDCPA_BYTES) -* - const uint8_t *sk: pointer to input secret key -* (of length KYBER_INDCPA_SECRETKEYBYTES) -**************************************************/ -void PQCLEAN_KYBER76890S_CLEAN_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES], - const uint8_t c[KYBER_INDCPA_BYTES], - const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) { - polyvec b, skpv; - poly v, mp; - - unpack_ciphertext(&b, &v, c); - unpack_sk(&skpv, sk); - - PQCLEAN_KYBER76890S_CLEAN_polyvec_ntt(&b); - PQCLEAN_KYBER76890S_CLEAN_polyvec_basemul_acc_montgomery(&mp, &skpv, &b); - PQCLEAN_KYBER76890S_CLEAN_poly_invntt_tomont(&mp); - - PQCLEAN_KYBER76890S_CLEAN_poly_sub(&mp, &v, &mp); - PQCLEAN_KYBER76890S_CLEAN_poly_reduce(&mp); - - PQCLEAN_KYBER76890S_CLEAN_poly_tomsg(m, &mp); -} diff --git a/crypto_kem/kyber768-90s/clean/indcpa.h b/crypto_kem/kyber768-90s/clean/indcpa.h deleted file mode 100644 index ac4d8c4a..00000000 --- a/crypto_kem/kyber768-90s/clean/indcpa.h +++ /dev/null 
@@ -1,20 +0,0 @@
-#ifndef PQCLEAN_KYBER76890S_CLEAN_INDCPA_H
-#define PQCLEAN_KYBER76890S_CLEAN_INDCPA_H
-#include "params.h"
-#include "polyvec.h"
-#include
-
-void PQCLEAN_KYBER76890S_CLEAN_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed);
-void PQCLEAN_KYBER76890S_CLEAN_indcpa_keypair(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
- uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]);
-
-void PQCLEAN_KYBER76890S_CLEAN_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
- const uint8_t m[KYBER_INDCPA_MSGBYTES],
- const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
- const uint8_t coins[KYBER_SYMBYTES]);
-
-void PQCLEAN_KYBER76890S_CLEAN_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES],
- const uint8_t c[KYBER_INDCPA_BYTES],
- const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]);
-
-#endif
diff --git a/crypto_kem/kyber768-90s/clean/kem.c b/crypto_kem/kyber768-90s/clean/kem.c
deleted file mode 100644
index c662fbbd..00000000
--- a/crypto_kem/kyber768-90s/clean/kem.c
+++ /dev/null
@@ -1,126 +0,0 @@ -#include "indcpa.h" -#include "kem.h" -#include "params.h" -#include "randombytes.h" -#include "symmetric.h" -#include "verify.h" -#include -#include - -/************************************************* -* Name: PQCLEAN_KYBER76890S_CLEAN_crypto_kem_keypair -* -* Description: Generates public and private key -* for CCA-secure Kyber key encapsulation mechanism -* -* Arguments: - unsigned char *pk: pointer to output public key -* (an already allocated array of KYBER_PUBLICKEYBYTES bytes) -* - unsigned char *sk: pointer to output private key -* (an already allocated array of KYBER_SECRETKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_KYBER76890S_CLEAN_crypto_kem_keypair(unsigned char pk[KYBER_PUBLICKEYBYTES], - unsigned char sk[KYBER_SECRETKEYBYTES]) { - size_t i; - PQCLEAN_KYBER76890S_CLEAN_indcpa_keypair(pk, sk); - for (i = 0; i < KYBER_INDCPA_PUBLICKEYBYTES; i++) { - sk[i + KYBER_INDCPA_SECRETKEYBYTES] = pk[i]; - } - hash_h(sk + KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); - /* Value z for pseudo-random output on reject */ - randombytes(sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES); - return 0; -} - -/************************************************* -* Name: PQCLEAN_KYBER76890S_CLEAN_crypto_kem_enc -* -* Description: Generates cipher text and shared -* secret for given public key -* -* Arguments: - unsigned char *ct: pointer to output cipher text -* (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) -* - unsigned char *ss: pointer to output shared secret -* (an already allocated array of KYBER_SSBYTES bytes) -* - const unsigned char *pk: pointer to input public key -* (an already allocated array of KYBER_PUBLICKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_KYBER76890S_CLEAN_crypto_kem_enc(unsigned char ct[KYBER_CIPHERTEXTBYTES], - unsigned char ss[KYBER_SSBYTES], - const unsigned 
char pk[KYBER_PUBLICKEYBYTES]) { - uint8_t buf[2 * KYBER_SYMBYTES]; - /* Will contain key, coins */ - uint8_t kr[2 * KYBER_SYMBYTES]; - - randombytes(buf, KYBER_SYMBYTES); - /* Don't release system RNG output */ - hash_h(buf, buf, KYBER_SYMBYTES); - - /* Multitarget countermeasure for coins + contributory KEM */ - hash_h(buf + KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES); - hash_g(kr, buf, 2 * KYBER_SYMBYTES); - - /* coins are in kr+KYBER_SYMBYTES */ - PQCLEAN_KYBER76890S_CLEAN_indcpa_enc(ct, buf, pk, kr + KYBER_SYMBYTES); - - /* overwrite coins in kr with H(c) */ - hash_h(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); - /* hash concatenation of pre-k and H(c) to k */ - kdf(ss, kr, 2 * KYBER_SYMBYTES); - return 0; -} - -/************************************************* -* Name: PQCLEAN_KYBER76890S_CLEAN_crypto_kem_dec -* -* Description: Generates shared secret for given -* cipher text and private key -* -* Arguments: - unsigned char *ss: pointer to output shared secret -* (an already allocated array of KYBER_SSBYTES bytes) -* - const unsigned char *ct: pointer to input cipher text -* (an already allocated array of KYBER_CIPHERTEXTBYTES bytes) -* - const unsigned char *sk: pointer to input private key -* (an already allocated array of KYBER_SECRETKEYBYTES bytes) -* -* Returns 0. -* -* On failure, ss will contain a pseudo-random value. 
-**************************************************/ -int PQCLEAN_KYBER76890S_CLEAN_crypto_kem_dec(unsigned char ss[KYBER_SSBYTES], - const unsigned char ct[KYBER_CIPHERTEXTBYTES], - const unsigned char sk[KYBER_SECRETKEYBYTES]) { - size_t i; - int fail; - uint8_t buf[2 * KYBER_SYMBYTES]; - /* Will contain key, coins */ - uint8_t kr[2 * KYBER_SYMBYTES]; - uint8_t cmp[KYBER_CIPHERTEXTBYTES]; - const uint8_t *pk = sk + KYBER_INDCPA_SECRETKEYBYTES; - - PQCLEAN_KYBER76890S_CLEAN_indcpa_dec(buf, ct, sk); - - /* Multitarget countermeasure for coins + contributory KEM */ - for (i = 0; i < KYBER_SYMBYTES; i++) { - buf[KYBER_SYMBYTES + i] = sk[KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES + i]; - } - hash_g(kr, buf, 2 * KYBER_SYMBYTES); - - /* coins are in kr+KYBER_SYMBYTES */ - PQCLEAN_KYBER76890S_CLEAN_indcpa_enc(cmp, buf, pk, kr + KYBER_SYMBYTES); - - fail = PQCLEAN_KYBER76890S_CLEAN_verify(ct, cmp, KYBER_CIPHERTEXTBYTES); - - /* overwrite coins in kr with H(c) */ - hash_h(kr + KYBER_SYMBYTES, ct, KYBER_CIPHERTEXTBYTES); - - /* Overwrite pre-k with z on re-encryption failure */ - PQCLEAN_KYBER76890S_CLEAN_cmov(kr, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, KYBER_SYMBYTES, (uint8_t)fail); - - /* hash concatenation of pre-k and H(c) to k */ - kdf(ss, kr, 2 * KYBER_SYMBYTES); - return 0; -} diff --git a/crypto_kem/kyber768-90s/clean/kem.h b/crypto_kem/kyber768-90s/clean/kem.h deleted file mode 100644 index bfe7609a..00000000 --- a/crypto_kem/kyber768-90s/clean/kem.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef PQCLEAN_KYBER76890S_CLEAN_KEM_H -#define PQCLEAN_KYBER76890S_CLEAN_KEM_H -#include "params.h" - - -int PQCLEAN_KYBER76890S_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk); - -int PQCLEAN_KYBER76890S_CLEAN_crypto_kem_enc(unsigned char *ct, - unsigned char *ss, - const unsigned char *pk); - -int PQCLEAN_KYBER76890S_CLEAN_crypto_kem_dec(unsigned char *ss, - const unsigned char *ct, - const unsigned char *sk); - -#endif 
diff --git a/crypto_kem/kyber768-90s/clean/ntt.c b/crypto_kem/kyber768-90s/clean/ntt.c
deleted file mode 100644
index e9e4890a..00000000
--- a/crypto_kem/kyber768-90s/clean/ntt.c
+++ /dev/null
@@ -1,146 +0,0 @@
-#include "ntt.h"
-#include "params.h"
-#include "reduce.h"
-#include
-
-/* Code to generate PQCLEAN_KYBER76890S_CLEAN_zetas and zetas_inv used in the number-theoretic transform:
-
-#define KYBER_ROOT_OF_UNITY 17
-
-static const uint8_t tree[128] = {
- 0, 64, 32, 96, 16, 80, 48, 112, 8, 72, 40, 104, 24, 88, 56, 120,
- 4, 68, 36, 100, 20, 84, 52, 116, 12, 76, 44, 108, 28, 92, 60, 124,
- 2, 66, 34, 98, 18, 82, 50, 114, 10, 74, 42, 106, 26, 90, 58, 122,
- 6, 70, 38, 102, 22, 86, 54, 118, 14, 78, 46, 110, 30, 94, 62, 126,
- 1, 65, 33, 97, 17, 81, 49, 113, 9, 73, 41, 105, 25, 89, 57, 121,
- 5, 69, 37, 101, 21, 85, 53, 117, 13, 77, 45, 109, 29, 93, 61, 125,
- 3, 67, 35, 99, 19, 83, 51, 115, 11, 75, 43, 107, 27, 91, 59, 123,
- 7, 71, 39, 103, 23, 87, 55, 119, 15, 79, 47, 111, 31, 95, 63, 127
-};
-
-void init_ntt() {
- unsigned int i;
- int16_t tmp[128];
-
- tmp[0] = MONT;
- for(i=1;i<128;i++)
- tmp[i] = fqmul(tmp[i-1],MONT*KYBER_ROOT_OF_UNITY % KYBER_Q);
-
- for(i=0;i<128;i++) {
- PQCLEAN_KYBER76890S_CLEAN_zetas[i] = tmp[tree[i]];
- if(PQCLEAN_KYBER76890S_CLEAN_zetas[i] > KYBER_Q/2)
- PQCLEAN_KYBER76890S_CLEAN_zetas[i] -= KYBER_Q;
- if(PQCLEAN_KYBER76890S_CLEAN_zetas[i] < -KYBER_Q/2)
- PQCLEAN_KYBER76890S_CLEAN_zetas[i] += KYBER_Q;
- }
-}
-*/
-
-const int16_t PQCLEAN_KYBER76890S_CLEAN_zetas[128] = {
- -1044, -758, -359, -1517, 1493, 1422, 287, 202,
- -171, 622, 1577, 182, 962, -1202, -1474, 1468,
- 573, -1325, 264, 383, -829, 1458, -1602, -130,
- -681, 1017, 732, 608, -1542, 411, -205, -1571,
- 1223, 652, -552, 1015, -1293, 1491, -282, -1544,
- 516, -8, -320, -666, -1618, -1162, 126, 1469,
- -853, -90, -271, 830, 107, -1421, -247, -951,
- -398, 961, -1508, -725, 448, -1065, 677, -1275,
- -1103, 430, 555, 843, -1251, 871, 1550, 105,
- 422, 587, 177, -235, -291, -460, 1574, 1653,
- -246, 778, 1159, -147, -777, 1483, -602, 1119,
- -1590, 644, -872, 349, 418, 329, -156, -75,
- 817, 1097, 603, 610, 1322, -1285, -1465, 384,
- -1215, -136, 1218, -1335, -874, 220, -1187, -1659,
- -1185, -1530, -1278, 794, -1510, -854, -870, 478,
- -108, -308, 996, 991, 958, -1460, 1522, 1628
- };
-
-/*************************************************
-* Name: fqmul
-*
-* Description: Multiplication followed by Montgomery reduction
-*
-* Arguments: - int16_t a: first factor
-* - int16_t b: second factor
-*
-* Returns 16-bit integer congruent to a*b*R^{-1} mod q
-**************************************************/
-static int16_t fqmul(int16_t a, int16_t b) {
- return PQCLEAN_KYBER76890S_CLEAN_montgomery_reduce((int32_t)a * b);
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_ntt
-*
-* Description: Inplace number-theoretic transform (NTT) in Rq.
-* input is in standard order, output is in bitreversed order
-*
-* Arguments: - int16_t r[256]: pointer to input/output vector of elements of Zq
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_ntt(int16_t r[256]) {
- unsigned int len, start, j, k;
- int16_t t, zeta;
-
- k = 1;
- for (len = 128; len >= 2; len >>= 1) {
- for (start = 0; start < 256; start = j + len) {
- zeta = PQCLEAN_KYBER76890S_CLEAN_zetas[k++];
- for (j = start; j < start + len; j++) {
- t = fqmul(zeta, r[j + len]);
- r[j + len] = r[j] - t;
- r[j] = r[j] + t;
- }
- }
- }
-}
-
-/*************************************************
-* Name: invntt_tomont
-*
-* Description: Inplace inverse number-theoretic transform in Rq and
-* multiplication by Montgomery factor 2^16.
-* Input is in bitreversed order, output is in standard order
-*
-* Arguments: - int16_t r[256]: pointer to input/output vector of elements of Zq
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_invntt(int16_t r[256]) {
- unsigned int start, len, j, k;
- int16_t t, zeta;
- const int16_t f = 1441; // mont^2/128
-
- k = 127;
- for (len = 2; len <= 128; len <<= 1) {
- for (start = 0; start < 256; start = j + len) {
- zeta = PQCLEAN_KYBER76890S_CLEAN_zetas[k--];
- for (j = start; j < start + len; j++) {
- t = r[j];
- r[j] = PQCLEAN_KYBER76890S_CLEAN_barrett_reduce(t + r[j + len]);
- r[j + len] = r[j + len] - t;
- r[j + len] = fqmul(zeta, r[j + len]);
- }
- }
- }
-
- for (j = 0; j < 256; j++) {
- r[j] = fqmul(r[j], f);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_basemul
-*
-* Description: Multiplication of polynomials in Zq[X]/(X^2-zeta)
-* used for multiplication of elements in Rq in NTT domain
-*
-* Arguments: - int16_t r[2]: pointer to the output polynomial
-* - const int16_t a[2]: pointer to the first factor
-* - const int16_t b[2]: pointer to the second factor
-* - int16_t zeta: integer defining the reduction polynomial
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta) {
- r[0] = fqmul(a[1], b[1]);
- r[0] = fqmul(r[0], zeta);
- r[0] += fqmul(a[0], b[0]);
- r[1] = fqmul(a[0], b[1]);
- r[1] += fqmul(a[1], b[0]);
-}
diff --git a/crypto_kem/kyber768-90s/clean/ntt.h b/crypto_kem/kyber768-90s/clean/ntt.h
deleted file mode 100644
index 68ae2734..00000000
--- a/crypto_kem/kyber768-90s/clean/ntt.h
+++ /dev/null
@@ -1,14 +0,0 @@
-#ifndef PQCLEAN_KYBER76890S_CLEAN_NTT_H
-#define PQCLEAN_KYBER76890S_CLEAN_NTT_H
-#include "params.h"
-#include
-
-extern const int16_t PQCLEAN_KYBER76890S_CLEAN_zetas[128];
-
-void PQCLEAN_KYBER76890S_CLEAN_ntt(int16_t r[256]);
-
-void PQCLEAN_KYBER76890S_CLEAN_invntt(int16_t r[256]);
-
-void PQCLEAN_KYBER76890S_CLEAN_basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta);
-
-#endif
diff --git a/crypto_kem/kyber768-90s/clean/params.h b/crypto_kem/kyber768-90s/clean/params.h
deleted file mode 100644
index a30ea122..00000000
--- a/crypto_kem/kyber768-90s/clean/params.h
+++ /dev/null
@@ -1,33 +0,0 @@
-#ifndef PQCLEAN_KYBER76890S_CLEAN_PARAMS_H
-#define PQCLEAN_KYBER76890S_CLEAN_PARAMS_H
-
-
-
-
-#define KYBER_N 256
-#define KYBER_Q 3329
-
-#define KYBER_SYMBYTES 32 /* size in bytes of hashes, and seeds */
-#define KYBER_SSBYTES 32 /* size in bytes of shared key */
-
-#define KYBER_POLYBYTES 384
-#define KYBER_POLYVECBYTES (KYBER_K * KYBER_POLYBYTES)
-
-#define KYBER_K 3
-#define KYBER_ETA1 2
-#define KYBER_POLYCOMPRESSEDBYTES 128
-#define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 320)
-
-#define KYBER_ETA2 2
-
-#define KYBER_INDCPA_MSGBYTES (KYBER_SYMBYTES)
-#define KYBER_INDCPA_PUBLICKEYBYTES (KYBER_POLYVECBYTES + KYBER_SYMBYTES)
-#define KYBER_INDCPA_SECRETKEYBYTES (KYBER_POLYVECBYTES)
-#define KYBER_INDCPA_BYTES (KYBER_POLYVECCOMPRESSEDBYTES + KYBER_POLYCOMPRESSEDBYTES)
-
-#define KYBER_PUBLICKEYBYTES (KYBER_INDCPA_PUBLICKEYBYTES)
-/* 32 bytes of additional space to save H(pk) */
-#define KYBER_SECRETKEYBYTES (KYBER_INDCPA_SECRETKEYBYTES + KYBER_INDCPA_PUBLICKEYBYTES + 2*KYBER_SYMBYTES)
-#define KYBER_CIPHERTEXTBYTES (KYBER_INDCPA_BYTES)
-
-#endif
diff --git a/crypto_kem/kyber768-90s/clean/poly.c b/crypto_kem/kyber768-90s/clean/poly.c
deleted file mode 100644
index b67f124a..00000000
--- a/crypto_kem/kyber768-90s/clean/poly.c
+++ /dev/null
@@ -1,287 +0,0 @@
-#include "cbd.h"
-#include "ntt.h"
-#include "params.h"
-#include "poly.h"
-#include "reduce.h"
-#include "symmetric.h"
-#include
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_poly_compress
-*
-* Description: Compression and subsequent serialization of a polynomial
-*
-* Arguments: - uint8_t *r: pointer to output byte array
-* (of length KYBER_POLYCOMPRESSEDBYTES)
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const poly *a) {
- size_t i, j;
- int16_t u;
- uint8_t t[8];
-
- for (i = 0; i < KYBER_N / 8; i++) {
- for (j = 0; j < 8; j++) {
- // map to positive standard representatives
- u = a->coeffs[8 * i + j];
- u += (u >> 15) & KYBER_Q;
- t[j] = ((((uint16_t)u << 4) + KYBER_Q / 2) / KYBER_Q) & 15;
- }
-
- r[0] = t[0] | (t[1] << 4);
- r[1] = t[2] | (t[3] << 4);
- r[2] = t[4] | (t[5] << 4);
- r[3] = t[6] | (t[7] << 4);
- r += 4;
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_poly_decompress
-*
-* Description: De-serialization and subsequent decompression of a polynomial;
-* approximate inverse of PQCLEAN_KYBER76890S_CLEAN_poly_compress
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: pointer to input byte array
-* (of length KYBER_POLYCOMPRESSEDBYTES bytes)
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]) {
- size_t i;
-
- for (i = 0; i < KYBER_N / 2; i++) {
- r->coeffs[2 * i + 0] = (((uint16_t)(a[0] & 15) * KYBER_Q) + 8) >> 4;
- r->coeffs[2 * i + 1] = (((uint16_t)(a[0] >> 4) * KYBER_Q) + 8) >> 4;
- a += 1;
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_poly_tobytes
-*
-* Description: Serialization of a polynomial
-*
-* Arguments: - uint8_t *r: pointer to output byte array
-* (needs space for KYBER_POLYBYTES bytes)
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_poly_tobytes(uint8_t r[KYBER_POLYBYTES], const poly *a) {
- size_t i;
- uint16_t t0, t1;
-
- for (i = 0; i < KYBER_N / 2; i++) {
- // map to positive standard representatives
- t0 = a->coeffs[2 * i];
- t0 += ((int16_t)t0 >> 15) & KYBER_Q;
- t1 = a->coeffs[2 * i + 1];
- t1 += ((int16_t)t1 >> 15) & KYBER_Q;
- r[3 * i + 0] = (uint8_t)(t0 >> 0);
- r[3 * i + 1] = (uint8_t)((t0 >> 8) | (t1 << 4));
- r[3 * i + 2] = (uint8_t)(t1 >> 4);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_poly_frombytes
-*
-* Description: De-serialization of a polynomial;
-* inverse of PQCLEAN_KYBER76890S_CLEAN_poly_tobytes
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: pointer to input byte array
-* (of KYBER_POLYBYTES bytes)
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]) {
- size_t i;
- for (i = 0; i < KYBER_N / 2; i++) {
- r->coeffs[2 * i] = ((a[3 * i + 0] >> 0) | ((uint16_t)a[3 * i + 1] << 8)) & 0xFFF;
- r->coeffs[2 * i + 1] = ((a[3 * i + 1] >> 4) | ((uint16_t)a[3 * i + 2] << 4)) & 0xFFF;
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_poly_frommsg
-*
-* Description: Convert 32-byte message to polynomial
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *msg: pointer to input message
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]) {
- size_t i, j;
- int16_t mask;
-
- for (i = 0; i < KYBER_N / 8; i++) {
- for (j = 0; j < 8; j++) {
- mask = -(int16_t)((msg[i] >> j) & 1);
- r->coeffs[8 * i + j] = mask & ((KYBER_Q + 1) / 2);
- }
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_poly_tomsg
-*
-* Description: Convert polynomial to 32-byte message
-*
-* Arguments: - uint8_t *msg: pointer to output message
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly *a) {
- size_t i, j;
- uint16_t t;
-
- for (i = 0; i < KYBER_N / 8; i++) {
- msg[i] = 0;
- for (j = 0; j < 8; j++) {
- t = a->coeffs[8 * i + j];
- t += ((int16_t)t >> 15) & KYBER_Q;
- t = (((t << 1) + KYBER_Q / 2) / KYBER_Q) & 1;
- msg[i] |= t << j;
- }
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_poly_getnoise_eta1
-*
-* Description: Sample a polynomial deterministically from a seed and a nonce,
-* with output polynomial close to centered binomial distribution
-* with parameter KYBER_ETA1
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *seed: pointer to input seed
-* (of length KYBER_SYMBYTES bytes)
-* - uint8_t nonce: one-byte input nonce
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_poly_getnoise_eta1(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce) {
- uint8_t buf[KYBER_ETA1 * KYBER_N / 4];
- prf(buf, sizeof(buf), seed, nonce);
- PQCLEAN_KYBER76890S_CLEAN_poly_cbd_eta1(r, buf);
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_poly_getnoise_eta2
-*
-* Description: Sample a polynomial deterministically from a seed and a nonce,
-* with output polynomial close to centered binomial distribution
-* with parameter KYBER_ETA2
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *seed: pointer to input seed
-* (of length KYBER_SYMBYTES bytes)
-* - uint8_t nonce: one-byte input nonce
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce) {
- uint8_t buf[KYBER_ETA2 * KYBER_N / 4];
- prf(buf, sizeof(buf), seed, nonce);
- PQCLEAN_KYBER76890S_CLEAN_poly_cbd_eta2(r, buf);
-}
-
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_poly_ntt
-*
-* Description: Computes negacyclic number-theoretic transform (NTT) of
-* a polynomial in place;
-* inputs assumed to be in normal order, output in bitreversed order
-*
-* Arguments: - uint16_t *r: pointer to in/output polynomial
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_poly_ntt(poly *r) {
- PQCLEAN_KYBER76890S_CLEAN_ntt(r->coeffs);
- PQCLEAN_KYBER76890S_CLEAN_poly_reduce(r);
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_poly_invntt_tomont
-*
-* Description: Computes inverse of negacyclic number-theoretic transform (NTT)
-* of a polynomial in place;
-* inputs assumed to be in bitreversed order, output in normal order
-*
-* Arguments: - uint16_t *a: pointer to in/output polynomial
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_poly_invntt_tomont(poly *r) {
- PQCLEAN_KYBER76890S_CLEAN_invntt(r->coeffs);
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_poly_basemul_montgomery
-*
-* Description: Multiplication of two polynomials in NTT domain
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_poly_basemul_montgomery(poly *r, const poly *a, const poly *b) {
- size_t i;
- for (i = 0; i < KYBER_N / 4; i++) {
- PQCLEAN_KYBER76890S_CLEAN_basemul(&r->coeffs[4 * i], &a->coeffs[4 * i], &b->coeffs[4 * i], PQCLEAN_KYBER76890S_CLEAN_zetas[64 + i]);
- PQCLEAN_KYBER76890S_CLEAN_basemul(&r->coeffs[4 * i + 2], &a->coeffs[4 * i + 2], &b->coeffs[4 * i + 2], -PQCLEAN_KYBER76890S_CLEAN_zetas[64 + i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_poly_tomont
-*
-* Description: Inplace conversion of all coefficients of a polynomial
-* from normal domain to Montgomery domain
-*
-* Arguments: - poly *r: pointer to input/output polynomial
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_poly_tomont(poly *r) {
- size_t i;
- const int16_t f = (1ULL << 32) % KYBER_Q;
- for (i = 0; i < KYBER_N; i++) {
- r->coeffs[i] = PQCLEAN_KYBER76890S_CLEAN_montgomery_reduce((int32_t)r->coeffs[i] * f);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_poly_reduce
-*
-* Description: Applies Barrett reduction to all coefficients of a polynomial
-* for details of the Barrett reduction see comments in reduce.c
-*
-* Arguments: - poly *r: pointer to input/output polynomial
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_poly_reduce(poly *r) {
- size_t i;
- for (i = 0; i < KYBER_N; i++) {
- r->coeffs[i] = PQCLEAN_KYBER76890S_CLEAN_barrett_reduce(r->coeffs[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_poly_add
-*
-* Description: Add two polynomials; no modular reduction is performed
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_poly_add(poly *r, const poly *a, const poly *b) {
- size_t i;
- for (i = 0; i < KYBER_N; i++) {
- r->coeffs[i] = a->coeffs[i] + b->coeffs[i];
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_poly_sub
-*
-* Description: Subtract two polynomials; no modular reduction is performed
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_poly_sub(poly *r, const poly *a, const poly *b) {
- size_t i;
- for (i = 0; i < KYBER_N; i++) {
- r->coeffs[i] = a->coeffs[i] - b->coeffs[i];
- }
-}
diff --git a/crypto_kem/kyber768-90s/clean/poly.h b/crypto_kem/kyber768-90s/clean/poly.h
deleted file mode 100644
index a7e4a36b..00000000
--- a/crypto_kem/kyber768-90s/clean/poly.h
+++ /dev/null
@@ -1,37 +0,0 @@
-#ifndef PQCLEAN_KYBER76890S_CLEAN_POLY_H
-#define PQCLEAN_KYBER76890S_CLEAN_POLY_H
-#include "params.h"
-#include
-
-/*
- * Elements of R_q = Z_q[X]/(X^n + 1). Represents polynomial
- * coeffs[0] + X*coeffs[1] + X^2*xoeffs[2] + ... + X^{n-1}*coeffs[n-1]
- */
-typedef struct {
- int16_t coeffs[KYBER_N];
-} poly;
-
-void PQCLEAN_KYBER76890S_CLEAN_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const poly *a);
-void PQCLEAN_KYBER76890S_CLEAN_poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]);
-
-void PQCLEAN_KYBER76890S_CLEAN_poly_tobytes(uint8_t r[KYBER_POLYBYTES], const poly *a);
-void PQCLEAN_KYBER76890S_CLEAN_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]);
-
-void PQCLEAN_KYBER76890S_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]);
-void PQCLEAN_KYBER76890S_CLEAN_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly *a);
-
-void PQCLEAN_KYBER76890S_CLEAN_poly_getnoise_eta1(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce);
-
-void PQCLEAN_KYBER76890S_CLEAN_poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce);
-
-void PQCLEAN_KYBER76890S_CLEAN_poly_ntt(poly *r);
-void PQCLEAN_KYBER76890S_CLEAN_poly_invntt_tomont(poly *r);
-void PQCLEAN_KYBER76890S_CLEAN_poly_basemul_montgomery(poly *r, const poly *a, const poly *b);
-void PQCLEAN_KYBER76890S_CLEAN_poly_tomont(poly *r);
-
-void PQCLEAN_KYBER76890S_CLEAN_poly_reduce(poly *r);
-
-void PQCLEAN_KYBER76890S_CLEAN_poly_add(poly *r, const poly *a, const poly *b);
-void PQCLEAN_KYBER76890S_CLEAN_poly_sub(poly *r, const poly *a, const poly *b);
-
-#endif
diff --git a/crypto_kem/kyber768-90s/clean/polyvec.c b/crypto_kem/kyber768-90s/clean/polyvec.c
deleted file mode 100644
index 08fc8b57..00000000
--- a/crypto_kem/kyber768-90s/clean/polyvec.c
+++ /dev/null
@@ -1,181 +0,0 @@
-#include "params.h"
-#include "poly.h"
-#include "polyvec.h"
-#include
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_polyvec_compress
-*
-* Description: Compress and serialize vector of polynomials
-*
-* Arguments: - uint8_t *r: pointer to output byte array
-* (needs space for KYBER_POLYVECCOMPRESSEDBYTES)
-* - const polyvec *a: pointer to input vector of polynomials
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], const polyvec *a) {
- unsigned int i, j, k;
-
- uint16_t t[4];
- for (i = 0; i < KYBER_K; i++) {
- for (j = 0; j < KYBER_N / 4; j++) {
- for (k = 0; k < 4; k++) {
- t[k] = a->vec[i].coeffs[4 * j + k];
- t[k] += ((int16_t)t[k] >> 15) & KYBER_Q;
- t[k] = ((((uint32_t)t[k] << 10) + KYBER_Q / 2) / KYBER_Q) & 0x3ff;
- }
-
- r[0] = (uint8_t)(t[0] >> 0);
- r[1] = (uint8_t)((t[0] >> 8) | (t[1] << 2));
- r[2] = (uint8_t)((t[1] >> 6) | (t[2] << 4));
- r[3] = (uint8_t)((t[2] >> 4) | (t[3] << 6));
- r[4] = (uint8_t)(t[3] >> 2);
- r += 5;
- }
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_polyvec_decompress
-*
-* Description: De-serialize and decompress vector of polynomials;
-* approximate inverse of PQCLEAN_KYBER76890S_CLEAN_polyvec_compress
-*
-* Arguments: - polyvec *r: pointer to output vector of polynomials
-* - const uint8_t *a: pointer to input byte array
-* (of length KYBER_POLYVECCOMPRESSEDBYTES)
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]) {
- unsigned int i, j, k;
-
- uint16_t t[4];
- for (i = 0; i < KYBER_K; i++) {
- for (j = 0; j < KYBER_N / 4; j++) {
- t[0] = (a[0] >> 0) | ((uint16_t)a[1] << 8);
- t[1] = (a[1] >> 2) | ((uint16_t)a[2] << 6);
- t[2] = (a[2] >> 4) | ((uint16_t)a[3] << 4);
- t[3] = (a[3] >> 6) | ((uint16_t)a[4] << 2);
- a += 5;
-
- for (k = 0; k < 4; k++) {
- r->vec[i].coeffs[4 * j + k] = ((uint32_t)(t[k] & 0x3FF) * KYBER_Q + 512) >> 10;
- }
- }
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_polyvec_tobytes
-*
-* Description: Serialize vector of polynomials
-*
-* Arguments: - uint8_t *r: pointer to output byte array
-* (needs space for KYBER_POLYVECBYTES)
-* - const polyvec *a: pointer to input vector of polynomials
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], const polyvec *a) {
- unsigned int i;
- for (i = 0; i < KYBER_K; i++) {
- PQCLEAN_KYBER76890S_CLEAN_poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_polyvec_frombytes
-*
-* Description: De-serialize vector of polynomials;
-* inverse of PQCLEAN_KYBER76890S_CLEAN_polyvec_tobytes
-*
-* Arguments: - uint8_t *r: pointer to output byte array
-* - const polyvec *a: pointer to input vector of polynomials
-* (of length KYBER_POLYVECBYTES)
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]) {
- unsigned int i;
- for (i = 0; i < KYBER_K; i++) {
- PQCLEAN_KYBER76890S_CLEAN_poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_polyvec_ntt
-*
-* Description: Apply forward NTT to all elements of a vector of polynomials
-*
-* Arguments: - polyvec *r: pointer to in/output vector of polynomials
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_polyvec_ntt(polyvec *r) {
- unsigned int i;
- for (i = 0; i < KYBER_K; i++) {
- PQCLEAN_KYBER76890S_CLEAN_poly_ntt(&r->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_polyvec_invntt_tomont
-*
-* Description: Apply inverse NTT to all elements of a vector of polynomials
-* and multiply by Montgomery factor 2^16
-*
-* Arguments: - polyvec *r: pointer to in/output vector of polynomials
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_polyvec_invntt_tomont(polyvec *r) {
- unsigned int i;
- for (i = 0; i < KYBER_K; i++) {
- PQCLEAN_KYBER76890S_CLEAN_poly_invntt_tomont(&r->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_polyvec_basemul_acc_montgomery
-*
-* Description: Multiply elements of a and b in NTT domain, accumulate into r,
-* and multiply by 2^-16.
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const polyvec *a: pointer to first input vector of polynomials
-* - const polyvec *b: pointer to second input vector of polynomials
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_polyvec_basemul_acc_montgomery(poly *r, const polyvec *a, const polyvec *b) {
- unsigned int i;
- poly t;
-
- PQCLEAN_KYBER76890S_CLEAN_poly_basemul_montgomery(r, &a->vec[0], &b->vec[0]);
- for (i = 1; i < KYBER_K; i++) {
- PQCLEAN_KYBER76890S_CLEAN_poly_basemul_montgomery(&t, &a->vec[i], &b->vec[i]);
- PQCLEAN_KYBER76890S_CLEAN_poly_add(r, r, &t);
- }
-
- PQCLEAN_KYBER76890S_CLEAN_poly_reduce(r);
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_polyvec_reduce
-*
-* Description: Applies Barrett reduction to each coefficient
-* of each element of a vector of polynomials;
-* for details of the Barrett reduction see comments in reduce.c
-*
-* Arguments: - polyvec *r: pointer to input/output polynomial
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_polyvec_reduce(polyvec *r) {
- unsigned int i;
- for (i = 0; i < KYBER_K; i++) {
- PQCLEAN_KYBER76890S_CLEAN_poly_reduce(&r->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_polyvec_add
-*
-* Description: Add vectors of polynomials
-*
-* Arguments: - polyvec *r: pointer to output vector of polynomials
-* - const polyvec *a: pointer to first input vector of polynomials
-* - const polyvec *b: pointer to second input vector of polynomials
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) {
- unsigned int i;
- for (i = 0; i < KYBER_K; i++) {
- PQCLEAN_KYBER76890S_CLEAN_poly_add(&r->vec[i], &a->vec[i], &b->vec[i]);
- }
-}
diff --git a/crypto_kem/kyber768-90s/clean/polyvec.h b/crypto_kem/kyber768-90s/clean/polyvec.h
deleted file mode 100644
index 95b08c3c..00000000
--- a/crypto_kem/kyber768-90s/clean/polyvec.h
+++ /dev/null
@@ -1,26 +0,0 @@
-#ifndef PQCLEAN_KYBER76890S_CLEAN_POLYVEC_H
-#define PQCLEAN_KYBER76890S_CLEAN_POLYVEC_H
-#include "params.h"
-#include "poly.h"
-#include
-
-typedef struct {
- poly vec[KYBER_K];
-} polyvec;
-
-void PQCLEAN_KYBER76890S_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], const polyvec *a);
-void PQCLEAN_KYBER76890S_CLEAN_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]);
-
-void PQCLEAN_KYBER76890S_CLEAN_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], const polyvec *a);
-void PQCLEAN_KYBER76890S_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]);
-
-void PQCLEAN_KYBER76890S_CLEAN_polyvec_ntt(polyvec *r);
-void PQCLEAN_KYBER76890S_CLEAN_polyvec_invntt_tomont(polyvec *r);
-
-void PQCLEAN_KYBER76890S_CLEAN_polyvec_basemul_acc_montgomery(poly *r, const polyvec *a, const polyvec *b);
-
-void PQCLEAN_KYBER76890S_CLEAN_polyvec_reduce(polyvec *r);
-
-void PQCLEAN_KYBER76890S_CLEAN_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b);
-
-#endif
diff --git a/crypto_kem/kyber768-90s/clean/reduce.c b/crypto_kem/kyber768-90s/clean/reduce.c
deleted file mode 100644
index 18ef32b8..00000000
--- a/crypto_kem/kyber768-90s/clean/reduce.c
+++ /dev/null
@@ -1,44 +0,0 @@
-#include "params.h"
-#include "reduce.h"
-#include
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_montgomery_reduce
-*
-* Description: Montgomery reduction; given a 32-bit integer a, computes
-* 16-bit integer congruent to a * R^-1 mod q, where R=2^16
-*
-* Arguments: - int32_t a: input integer to be reduced;
-* has to be in {-q2^15,...,q2^15-1}
-*
-* Returns: integer in {-q+1,...,q-1} congruent to a * R^-1 modulo q.
-**************************************************/
-int16_t PQCLEAN_KYBER76890S_CLEAN_montgomery_reduce(int32_t a) {
- int32_t t;
- int16_t u;
-
- u = (int16_t)(a * (int64_t)QINV);
- t = (int32_t)u * KYBER_Q;
- t = a - t;
- t >>= 16;
- return (int16_t)t;
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_barrett_reduce
-*
-* Description: Barrett reduction; given a 16-bit integer a, computes
-* centered representative congruent to a mod q in {-(q-1)/2,...,(q-1)/2}
-*
-* Arguments: - int16_t a: input integer to be reduced
-*
-* Returns: integer in {-(q-1)/2,...,(q-1)/2} congruent to a modulo q.
-**************************************************/
-int16_t PQCLEAN_KYBER76890S_CLEAN_barrett_reduce(int16_t a) {
- int16_t t;
- const int16_t v = ((1U << 26) + KYBER_Q / 2) / KYBER_Q;
-
- t = ((int32_t)v * a + (1 << 25)) >> 26;
- t *= KYBER_Q;
- return a - t;
-}
diff --git a/crypto_kem/kyber768-90s/clean/reduce.h b/crypto_kem/kyber768-90s/clean/reduce.h
deleted file mode 100644
index 97007300..00000000
--- a/crypto_kem/kyber768-90s/clean/reduce.h
+++ /dev/null
@@ -1,13 +0,0 @@
-#ifndef PQCLEAN_KYBER76890S_CLEAN_REDUCE_H
-#define PQCLEAN_KYBER76890S_CLEAN_REDUCE_H
-#include "params.h"
-#include
-
-#define MONT 2285 // 2^16 mod q
-#define QINV 62209 // q^-1 mod 2^16
-
-int16_t PQCLEAN_KYBER76890S_CLEAN_montgomery_reduce(int32_t a);
-
-int16_t PQCLEAN_KYBER76890S_CLEAN_barrett_reduce(int16_t a);
-
-#endif
diff --git a/crypto_kem/kyber768-90s/clean/symmetric-aes.c b/crypto_kem/kyber768-90s/clean/symmetric-aes.c
deleted file mode 100644
index 466aad48..00000000
--- a/crypto_kem/kyber768-90s/clean/symmetric-aes.c
+++ /dev/null
@@ -1,100 +0,0 @@
-#include "symmetric-aes.h"
-#include "symmetric.h"
-#include
-#include
-#include
-
-
-static inline void br_enc32be(unsigned char *dst, uint32_t x) {
- dst[3] = (unsigned char)x;
- dst[2] = (unsigned char)(x >> 8);
- dst[1] = (unsigned char)(x >> 16);
- dst[0] = (unsigned char)(x >> 24);
-}
-
-static void aes256_ctr_xof(unsigned char *out, size_t outlen, const unsigned char *iv, uint32_t ctr, const aes256ctx *ctx) {
- uint8_t ivw[16];
- uint8_t buf[AES_BLOCKBYTES];
- size_t i = 0;
-
- memcpy(ivw, iv, AESCTR_NONCEBYTES);
- br_enc32be(ivw + AESCTR_NONCEBYTES, ctr);
-
- while (outlen > AES_BLOCKBYTES) {
- aes256_ecb(out, ivw, 1, ctx);
- br_enc32be(ivw + AESCTR_NONCEBYTES, ++ctr);
- out += AES_BLOCKBYTES;
- outlen -= AES_BLOCKBYTES;
- }
- if (outlen > 0) {
- aes256_ecb(buf, ivw, 1, ctx);
- for (i = 0; i < outlen; i++) {
- out[i] = buf[i];
- }
- }
-}
-
-/*************************************************
-* Name: aes256_prf
-*
-* Description: AES256 stream generation in CTR mode using 32-bit counter,
-* nonce is zero-padded to 12 bytes, counter starts at zero
-*
-* Arguments: - uint8_t *output: pointer to output
-* - size_t outlen: length of requested output in bytes
-* - const uint8_t *key: pointer to 32-byte key
-* - uint8_t nonce: 1-byte nonce (will be zero-padded to 12 bytes)
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_aes256ctr_prf(uint8_t *output, size_t outlen, const uint8_t *key, uint8_t nonce) {
- uint8_t iv[12];
- for (int i = 1; i < 12; i++) {
- iv[i] = 0;
- }
- iv[0] = nonce;
-
- aes256ctx ctx;
- aes256_ctr_keyexp(&ctx, key);
- aes256_ctr(output, outlen, iv, &ctx);
- aes256_ctx_release(&ctx);
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_aes256xof_absorb
-*
-* Description: AES256 CTR used as a replacement for a XOF; this function
-* "absorbs" a 32-byte key and two additional bytes that are zero-padded
-* to a 12-byte nonce
-*
-* Arguments: - aes256xof_ctx *s: pointer to state to "absorb" key and IV into
-* - const uint8_t *key: pointer to 32-byte key
-* - uint8_t x: first additional byte to "absorb"
-* - uint8_t y: second additional byte to "absorb"
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_aes256xof_absorb(aes256xof_ctx *s, const uint8_t *key, uint8_t x, uint8_t y) {
- aes256_ecb_keyexp(&s->sk_exp, key);
- for (int i = 2; i < 12; i++) {
- s->iv[i] = 0;
- }
- s->iv[0] = x;
- s->iv[1] = y;
- s->ctr = 0;
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_aes256xof_squeezeblocks
-*
-* Description: AES256 CTR used as a replacement for a XOF; this function
-* generates 4 blocks out AES256-CTR output
-*
-* Arguments: - uint8_t *out: pointer to output
-* - size_t nblocks: number of reqested 64-byte output blocks
-* - aes256xof_ctx *s: AES "state", i.e. expanded key and IV
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_aes256xof_squeezeblocks(uint8_t *out, size_t nblocks, aes256xof_ctx *s) {
- aes256_ctr_xof(out, nblocks * 64, s->iv, s->ctr, &s->sk_exp);
- s->ctr += (uint32_t) (4 * nblocks);
-}
-
-void PQCLEAN_KYBER76890S_CLEAN_aes256xof_ctx_release(aes256xof_ctx *s) {
- aes256_ctx_release(&s->sk_exp);
-}
diff --git a/crypto_kem/kyber768-90s/clean/symmetric-aes.h b/crypto_kem/kyber768-90s/clean/symmetric-aes.h
deleted file mode 100644
index 42499ec0..00000000
--- a/crypto_kem/kyber768-90s/clean/symmetric-aes.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef PQCLEAN_KYBER76890S_CLEAN_SYMMETRIC_AES_H
-#define PQCLEAN_KYBER76890S_CLEAN_SYMMETRIC_AES_H
-#include "aes.h"
-#include
-#include
-
-typedef struct {
- aes256ctx sk_exp;
- uint8_t iv[12];
- uint32_t ctr;
-} aes256xof_ctx;
-
-void PQCLEAN_KYBER76890S_CLEAN_aes256ctr_prf(uint8_t *output, size_t outlen, const uint8_t *key, uint8_t nonce);
-void PQCLEAN_KYBER76890S_CLEAN_aes256xof_absorb(aes256xof_ctx *s, const uint8_t *key, uint8_t x, uint8_t y);
-void PQCLEAN_KYBER76890S_CLEAN_aes256xof_squeezeblocks(uint8_t *out, size_t nblocks, aes256xof_ctx *s);
-void PQCLEAN_KYBER76890S_CLEAN_aes256xof_ctx_release(aes256xof_ctx *s);
-
-#endif
diff --git a/crypto_kem/kyber768-90s/clean/symmetric.h b/crypto_kem/kyber768-90s/clean/symmetric.h
deleted file mode 100644
index d2ee27c9..00000000
--- a/crypto_kem/kyber768-90s/clean/symmetric.h
+++ /dev/null
@@ -1,29 +0,0 @@
-#ifndef PQCLEAN_KYBER76890S_CLEAN_SYMMETRIC_H
-#define PQCLEAN_KYBER76890S_CLEAN_SYMMETRIC_H
-#include "params.h"
-#include "sha2.h"
-#include "symmetric-aes.h"
-#include
-#include
-
-
-
-
-typedef aes256xof_ctx xof_state;
-
-void PQCLEAN_KYBER76890S_CLEAN_kyber_aes256xof_absorb(aes256xof_ctx *state, const uint8_t seed[32], uint8_t x, uint8_t y);
-
-void PQCLEAN_KYBER76890S_CLEAN_kyber_aes256ctr_prf(uint8_t *out, size_t outlen, const uint8_t key[32], uint8_t nonce);
-
-#define XOF_BLOCKBYTES 64
-
-#define hash_h(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-#define hash_g(OUT, IN, INBYTES) sha512(OUT, IN, INBYTES)
-#define xof_absorb(STATE, SEED, X, Y) PQCLEAN_KYBER76890S_CLEAN_aes256xof_absorb(STATE, SEED, X, Y)
-#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_KYBER76890S_CLEAN_aes256xof_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define xof_ctx_release(STATE) PQCLEAN_KYBER76890S_CLEAN_aes256xof_ctx_release(STATE)
-#define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_KYBER76890S_CLEAN_aes256ctr_prf(OUT, OUTBYTES, KEY, NONCE)
-#define kdf(OUT, IN, INBYTES) sha256(OUT, IN, INBYTES)
-
-
-#endif /* SYMMETRIC_H */
diff --git a/crypto_kem/kyber768-90s/clean/verify.c b/crypto_kem/kyber768-90s/clean/verify.c
deleted file mode 100644
index 05d4d5d5..00000000
--- a/crypto_kem/kyber768-90s/clean/verify.c
+++ /dev/null
@@ -1,47 +0,0 @@
-#include "verify.h"
-#include
-#include
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_verify
-*
-* Description: Compare two arrays for equality in constant time.
-*
-* Arguments: const uint8_t *a: pointer to first byte array
-* const uint8_t *b: pointer to second byte array
-* size_t len: length of the byte arrays
-*
-* Returns 0 if the byte arrays are equal, 1 otherwise
-**************************************************/
-int PQCLEAN_KYBER76890S_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len) {
- size_t i;
- uint8_t r = 0;
-
- for (i = 0; i < len; i++) {
- r |= a[i] ^ b[i];
- }
-
- return (-(uint64_t)r) >> 63;
-}
-
-/*************************************************
-* Name: PQCLEAN_KYBER76890S_CLEAN_cmov
-*
-* Description: Copy len bytes from x to r if b is 1;
-* don't modify x if b is 0. Requires b to be in {0,1};
-* assumes two's complement representation of negative integers.
-* Runs in constant time.
-*
-* Arguments: uint8_t *r: pointer to output byte array
-* const uint8_t *x: pointer to input byte array
-* size_t len: Amount of bytes to be copied
-* uint8_t b: Condition bit; has to be in {0,1}
-**************************************************/
-void PQCLEAN_KYBER76890S_CLEAN_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b) {
- size_t i;
-
- b = -b;
- for (i = 0; i < len; i++) {
- r[i] ^= b & (r[i] ^ x[i]);
- }
-}
diff --git a/crypto_kem/kyber768-90s/clean/verify.h b/crypto_kem/kyber768-90s/clean/verify.h
deleted file mode 100644
index 783aa44e..00000000
--- a/crypto_kem/kyber768-90s/clean/verify.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_KYBER76890S_CLEAN_VERIFY_H
-#define PQCLEAN_KYBER76890S_CLEAN_VERIFY_H
-#include "params.h"
-#include
-#include
-
-int PQCLEAN_KYBER76890S_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len);
-
-void PQCLEAN_KYBER76890S_CLEAN_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b);
-
-#endif
diff --git a/crypto_kem/sntrup653/META.yml b/crypto_kem/sntrup653/META.yml
deleted file mode 100644
index c27eb1c1..00000000
--- a/crypto_kem/sntrup653/META.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-name: sntrup653
-type: kem
-claimed-nist-level: 2
-claimed-security: IND-CCA2
-length-public-key: 994
-length-secret-key: 1518
-length-ciphertext: 897
-length-shared-secret: 32
-nistkat-sha256: 0d8643f1c81a20f4de836542224c49f01a3d4498d612f98577d76710896ed7fc
-principal-submitters:
- - Daniel J. Bernstein
- - Chitchanok Chuengsatiansup
- - Tanja Lange
- - Christine van Vredendaal
-implementations:
- - name: clean
- version: supercop-20200826
- - name: avx2
- version: supercop-20200826
- supported_platforms:
- - architecture: x86_64
- operating_systems:
- - Linux
- - Darwin
- required_flags:
- - avx2
diff --git a/crypto_kem/sntrup653/avx2/LICENSE b/crypto_kem/sntrup653/avx2/LICENSE
deleted file mode 100644
index d5d21fff..00000000
--- a/crypto_kem/sntrup653/avx2/LICENSE
+++ /dev/null
@@ -1 +0,0 @@
-Public Domain
diff --git a/crypto_kem/sntrup653/avx2/api.h b/crypto_kem/sntrup653/avx2/api.h
deleted file mode 100644
index c9f95e0a..00000000
--- a/crypto_kem/sntrup653/avx2/api.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_AVX2_API_H
-#define PQCLEAN_SNTRUP653_AVX2_API_H
-
-
-
-#define PQCLEAN_SNTRUP653_AVX2_CRYPTO_ALGNAME "sntrup653"
-
-#define PQCLEAN_SNTRUP653_AVX2_CRYPTO_SECRETKEYBYTES 1518
-#define PQCLEAN_SNTRUP653_AVX2_CRYPTO_PUBLICKEYBYTES 994
-#define PQCLEAN_SNTRUP653_AVX2_CRYPTO_CIPHERTEXTBYTES 897
-#define PQCLEAN_SNTRUP653_AVX2_CRYPTO_BYTES 32
-
-int PQCLEAN_SNTRUP653_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk);
-int PQCLEAN_SNTRUP653_AVX2_crypto_kem_enc(unsigned char *c, unsigned char *k, const unsigned char *pk);
-int PQCLEAN_SNTRUP653_AVX2_crypto_kem_dec(unsigned char *k, const unsigned char *c, const unsigned char *sk);
-#endif
diff --git a/crypto_kem/sntrup653/avx2/crypto_core_inv3sntrup653.c b/crypto_kem/sntrup653/avx2/crypto_core_inv3sntrup653.c
deleted file mode 100644
index 37570727..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_core_inv3sntrup653.c
+++ /dev/null
@@ -1,542 +0,0 @@ -#include "crypto_core_inv3sntrup653.h" -#include - - -#define int8 int8_t -typedef int8 small; - -#define p 653 -#define ppad 768 -#define numvec 3 - -typedef __m256i vec256; - -/* -This code stores 768-coeff poly as vec256[3]. -Order of 256 coefficients in each vec256 -is optimized in light of costs of vector instructions: - 0,4,...,252 in 64-bit word; - 1,5,...,253 in 64-bit word; - 2,6,...,254 in 64-bit word; - 3,7,...,255 in 64-bit word. -*/ - -static inline void vec256_frombits(vec256 *v, const small *b) { - int i; - - for (i = 0; i < numvec; ++i) { - vec256 b0 = _mm256_loadu_si256((vec256 *) b); - b += 32; /* 0,1,...,31 */ - vec256 b1 = _mm256_loadu_si256((vec256 *) b); - b += 32; /* 32,33,... */ - vec256 b2 = _mm256_loadu_si256((vec256 *) b); - b += 32; - vec256 b3 = _mm256_loadu_si256((vec256 *) b); - b += 32; - vec256 b4 = _mm256_loadu_si256((vec256 *) b); - b += 32; - vec256 b5 = _mm256_loadu_si256((vec256 *) b); - b += 32; - vec256 b6 = _mm256_loadu_si256((vec256 *) b); - b += 32; - vec256 b7 = _mm256_loadu_si256((vec256 *) b); - b += 32; - - vec256 c0 = _mm256_unpacklo_epi32(b0, b1); /* 0 1 2 3 32 33 34 35 4 5 6 7 36 37 38 39 ... 55 */ - vec256 c1 = _mm256_unpackhi_epi32(b0, b1); /* 8 9 10 11 40 41 42 43 ... 
63 */ - vec256 c2 = _mm256_unpacklo_epi32(b2, b3); - vec256 c3 = _mm256_unpackhi_epi32(b2, b3); - vec256 c4 = _mm256_unpacklo_epi32(b4, b5); - vec256 c5 = _mm256_unpackhi_epi32(b4, b5); - vec256 c6 = _mm256_unpacklo_epi32(b6, b7); - vec256 c7 = _mm256_unpackhi_epi32(b6, b7); - - vec256 d0 = c0 | _mm256_slli_epi32(c1, 2); /* 0 8, 1 9, 2 10, 3 11, 32 40, 33 41, ..., 55 63 */ - vec256 d2 = c2 | _mm256_slli_epi32(c3, 2); - vec256 d4 = c4 | _mm256_slli_epi32(c5, 2); - vec256 d6 = c6 | _mm256_slli_epi32(c7, 2); - - vec256 e0 = _mm256_unpacklo_epi64(d0, d2); - vec256 e2 = _mm256_unpackhi_epi64(d0, d2); - vec256 e4 = _mm256_unpacklo_epi64(d4, d6); - vec256 e6 = _mm256_unpackhi_epi64(d4, d6); - - vec256 f0 = e0 | _mm256_slli_epi32(e2, 1); - vec256 f4 = e4 | _mm256_slli_epi32(e6, 1); - - vec256 g0 = _mm256_permute2x128_si256(f0, f4, 0x20); - vec256 g4 = _mm256_permute2x128_si256(f0, f4, 0x31); - - vec256 h = g0 | _mm256_slli_epi32(g4, 4); - -#define TRANSPOSE _mm256_set_epi8( 31,27,23,19, 30,26,22,18, 29,25,21,17, 28,24,20,16, 15,11,7,3, 14,10,6,2, 13,9,5,1, 12,8,4,0 ) - h = _mm256_shuffle_epi8(h, TRANSPOSE); - h = _mm256_permute4x64_epi64(h, 0xd8); - h = _mm256_shuffle_epi32(h, 0xd8); - - *v++ = h; - } -} - -static inline void vec256_tobits(const vec256 *v, small *b) { - int i; - - for (i = 0; i < numvec; ++i) { - vec256 h = *v++; - - h = _mm256_shuffle_epi32(h, 0xd8); - h = _mm256_permute4x64_epi64(h, 0xd8); - h = _mm256_shuffle_epi8(h, TRANSPOSE); - - vec256 g0 = h & _mm256_set1_epi8(15); - vec256 g4 = _mm256_srli_epi32(h, 4) & _mm256_set1_epi8(15); - - vec256 f0 = _mm256_permute2x128_si256(g0, g4, 0x20); - vec256 f4 = _mm256_permute2x128_si256(g0, g4, 0x31); - - vec256 e0 = f0 & _mm256_set1_epi8(5); - vec256 e2 = _mm256_srli_epi32(f0, 1) & _mm256_set1_epi8(5); - vec256 e4 = f4 & _mm256_set1_epi8(5); - vec256 e6 = _mm256_srli_epi32(f4, 1) & _mm256_set1_epi8(5); - - vec256 d0 = _mm256_unpacklo_epi32(e0, e2); - vec256 d2 = _mm256_unpackhi_epi32(e0, e2); - vec256 d4 = 
_mm256_unpacklo_epi32(e4, e6); - vec256 d6 = _mm256_unpackhi_epi32(e4, e6); - - vec256 c0 = d0 & _mm256_set1_epi8(1); - vec256 c1 = _mm256_srli_epi32(d0, 2) & _mm256_set1_epi8(1); - vec256 c2 = d2 & _mm256_set1_epi8(1); - vec256 c3 = _mm256_srli_epi32(d2, 2) & _mm256_set1_epi8(1); - vec256 c4 = d4 & _mm256_set1_epi8(1); - vec256 c5 = _mm256_srli_epi32(d4, 2) & _mm256_set1_epi8(1); - vec256 c6 = d6 & _mm256_set1_epi8(1); - vec256 c7 = _mm256_srli_epi32(d6, 2) & _mm256_set1_epi8(1); - - vec256 b0 = _mm256_unpacklo_epi64(c0, c1); - vec256 b1 = _mm256_unpackhi_epi64(c0, c1); - vec256 b2 = _mm256_unpacklo_epi64(c2, c3); - vec256 b3 = _mm256_unpackhi_epi64(c2, c3); - vec256 b4 = _mm256_unpacklo_epi64(c4, c5); - vec256 b5 = _mm256_unpackhi_epi64(c4, c5); - vec256 b6 = _mm256_unpacklo_epi64(c6, c7); - vec256 b7 = _mm256_unpackhi_epi64(c6, c7); - - _mm256_storeu_si256((vec256 *) b, b0); - b += 32; - _mm256_storeu_si256((vec256 *) b, b1); - b += 32; - _mm256_storeu_si256((vec256 *) b, b2); - b += 32; - _mm256_storeu_si256((vec256 *) b, b3); - b += 32; - _mm256_storeu_si256((vec256 *) b, b4); - b += 32; - _mm256_storeu_si256((vec256 *) b, b5); - b += 32; - _mm256_storeu_si256((vec256 *) b, b6); - b += 32; - _mm256_storeu_si256((vec256 *) b, b7); - b += 32; - } -} - -static void vec256_init(vec256 *G0, vec256 *G1, const small *s) { - int i; - small srev[ppad + (ppad - p)]; - small si; - small g0[ppad]; - small g1[ppad]; - - for (i = 0; i < p; ++i) { - srev[ppad - 1 - i] = s[i]; - } - for (i = 0; i < ppad - p; ++i) { - srev[i] = 0; - } - for (i = p; i < ppad; ++i) { - srev[i + ppad - p] = 0; - } - - for (i = 0; i < ppad; ++i) { - si = srev[i + ppad - p]; - g0[i] = si & 1; - g1[i] = (si >> 1) & g0[i]; - } - - vec256_frombits(G0, g0); - vec256_frombits(G1, g1); -} - -static void vec256_final(small *out, const vec256 *V0, const vec256 *V1) { - int i; - small v0[ppad]; - small v1[ppad]; - small v[ppad]; - small vrev[ppad + (ppad - p)]; - - vec256_tobits(V0, v0); - vec256_tobits(V1, 
v1); - - for (i = 0; i < ppad; ++i) { - v[i] = (small) (v0[i] + 2 * v1[i] - 4 * (v0[i] & v1[i])); - } - - for (i = 0; i < ppad; ++i) { - vrev[i] = v[ppad - 1 - i]; - } - for (i = ppad; i < ppad + (ppad - p); ++i) { - vrev[i] = 0; - } - - for (i = 0; i < p; ++i) { - out[i] = vrev[i + ppad - p]; - } -} - -static inline int negative_mask(int x) { - return x >> 31; -} - -static inline void vec256_swap(vec256 *f, vec256 *g, int len, vec256 mask) { - vec256 flip; - int i; - - for (i = 0; i < len; ++i) { - flip = mask & (f[i] ^ g[i]); - f[i] ^= flip; - g[i] ^= flip; - } -} - -static inline void vec256_scale(vec256 *f0, vec256 *f1, const vec256 c0, const vec256 c1) { - int i; - - for (i = 0; i < numvec; ++i) { - vec256 f0i = f0[i]; - vec256 f1i = f1[i]; - - f0i &= c0; - f1i ^= c1; - f1i &= f0i; - - f0[i] = f0i; - f1[i] = f1i; - } -} - -static inline void vec256_eliminate(vec256 *f0, vec256 *f1, vec256 *g0, vec256 *g1, int len, const vec256 c0, const vec256 c1) { - int i; - - for (i = 0; i < len; ++i) { - vec256 f0i = f0[i]; - vec256 f1i = f1[i]; - vec256 g0i = g0[i]; - vec256 g1i = g1[i]; - vec256 t; - - f0i &= c0; - f1i ^= c1; - f1i &= f0i; - - t = g0i ^ f0i; - g0[i] = t | (g1i ^ f1i); - g1[i] = (g1i ^ f0i) & (f1i ^ t); - } -} - -static inline int vec256_bit0mask(vec256 *f) { - return -(_mm_cvtsi128_si32(_mm256_castsi256_si128(f[0])) & 1); -} - -static inline void vec256_divx_1(vec256 *f) { - vec256 f0 = f[0]; - - unsigned long long low0 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f0)); - - low0 = low0 >> 1; - - f0 = _mm256_blend_epi32(f0, _mm256_set_epi64x(0, 0, 0, (long long) low0), 0x3); - - f[0] = _mm256_permute4x64_epi64(f0, 0x39); -} - -static inline void vec256_divx_2(vec256 *f) { - vec256 f0 = f[0]; - vec256 f1 = f[1]; - - unsigned long long low0 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f0)); - unsigned long long low1 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f1)); - - low0 = (low0 >> 1) | (low1 << 
63); - low1 = low1 >> 1; - - f0 = _mm256_blend_epi32(f0, _mm256_set_epi64x(0, 0, 0, (long long) low0), 0x3); - f1 = _mm256_blend_epi32(f1, _mm256_set_epi64x(0, 0, 0, (long long) low1), 0x3); - - f[0] = _mm256_permute4x64_epi64(f0, 0x39); - f[1] = _mm256_permute4x64_epi64(f1, 0x39); -} - -static inline void vec256_divx_3(vec256 *f) { - vec256 f0 = f[0]; - vec256 f1 = f[1]; - vec256 f2 = f[2]; - - unsigned long long low0 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f0)); - unsigned long long low1 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f1)); - unsigned long long low2 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f2)); - - low0 = (low0 >> 1) | (low1 << 63); - low1 = (low1 >> 1) | (low2 << 63); - low2 = low2 >> 1; - - f0 = _mm256_blend_epi32(f0, _mm256_set_epi64x(0, 0, 0, (long long) low0), 0x3); - f1 = _mm256_blend_epi32(f1, _mm256_set_epi64x(0, 0, 0, (long long) low1), 0x3); - f2 = _mm256_blend_epi32(f2, _mm256_set_epi64x(0, 0, 0, (long long) low2), 0x3); - - f[0] = _mm256_permute4x64_epi64(f0, 0x39); - f[1] = _mm256_permute4x64_epi64(f1, 0x39); - f[2] = _mm256_permute4x64_epi64(f2, 0x39); -} - -static inline void vec256_timesx_1(vec256 *f) { - vec256 f0 = _mm256_permute4x64_epi64(f[0], 0x93); - - unsigned long long low0 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f0)); - - low0 = low0 << 1; - - f0 = _mm256_blend_epi32(f0, _mm256_set_epi64x(0, 0, 0, (long long) low0), 0x3); - - f[0] = f0; -} - -static inline void vec256_timesx_2(vec256 *f) { - vec256 f0 = _mm256_permute4x64_epi64(f[0], 0x93); - vec256 f1 = _mm256_permute4x64_epi64(f[1], 0x93); - - unsigned long long low0 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f0)); - unsigned long long low1 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f1)); - - low1 = (low1 << 1) | (low0 >> 63); - low0 = low0 << 1; - - f0 = _mm256_blend_epi32(f0, _mm256_set_epi64x(0, 0, 0, (long long) low0), 0x3); - f1 = 
_mm256_blend_epi32(f1, _mm256_set_epi64x(0, 0, 0, (long long) low1), 0x3); - - f[0] = f0; - f[1] = f1; -} - -static inline void vec256_timesx_3(vec256 *f) { - vec256 f0 = _mm256_permute4x64_epi64(f[0], 0x93); - vec256 f1 = _mm256_permute4x64_epi64(f[1], 0x93); - vec256 f2 = _mm256_permute4x64_epi64(f[2], 0x93); - - unsigned long long low0 = *(unsigned long long *) &f0; - unsigned long long low1 = *(unsigned long long *) &f1; - unsigned long long low2 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f2)); - - low2 = (low2 << 1) | (low1 >> 63); - low1 = (low1 << 1) | (low0 >> 63); - low0 = low0 << 1; - - *(unsigned long long *) &f0 = low0; - *(unsigned long long *) &f1 = low1; - f2 = _mm256_blend_epi32(f2, _mm256_set_epi64x(0, 0, 0, (long long) low2), 0x3); - - f[0] = f0; - f[1] = f1; - f[2] = f2; -} - - -int PQCLEAN_SNTRUP653_AVX2_crypto_core_inv3sntrup653(unsigned char *outbytes, const unsigned char *inbytes) { - small *out = (void *) outbytes; - small *in = (void *) inbytes; - vec256 F0[numvec]; - vec256 F1[numvec]; - vec256 G0[numvec]; - vec256 G1[numvec]; - vec256 V0[numvec]; - vec256 V1[numvec]; - vec256 R0[numvec]; - vec256 R1[numvec]; - vec256 c0vec, c1vec; - int loop; - int c0, c1; - int minusdelta = -1; - int swapmask; - vec256 swapvec; - - vec256_init(G0, G1, in); - F0[0] = _mm256_set_epi32(0, 0, 0, 0, 0, 0, 0, 1); - F0[1] = _mm256_set1_epi32(0); - F0[2] = _mm256_set_epi32(0, 0, 0, 0, 8, 0, 8, 0); - F1[0] = _mm256_set1_epi32(0); - F1[1] = _mm256_set1_epi32(0); - F1[2] = _mm256_set_epi32(0, 0, 0, 0, 8, 0, 8, 0); - - V0[0] = _mm256_set1_epi32(0); - V1[0] = _mm256_set1_epi32(0); - V0[1] = _mm256_set1_epi32(0); - V1[1] = _mm256_set1_epi32(0); - V0[2] = _mm256_set1_epi32(0); - V1[2] = _mm256_set1_epi32(0); - - R0[0] = _mm256_set_epi32(0, 0, 0, 0, 0, 0, 0, 1); - R1[0] = _mm256_set1_epi32(0); - R0[1] = _mm256_set1_epi32(0); - R1[1] = _mm256_set1_epi32(0); - R0[2] = _mm256_set1_epi32(0); - R1[2] = _mm256_set1_epi32(0); - - for (loop = 256; loop > 0; 
--loop) { - vec256_timesx_1(V0); - vec256_timesx_1(V1); - swapmask = negative_mask(minusdelta) & vec256_bit0mask(G0); - - c0 = vec256_bit0mask(F0) & vec256_bit0mask(G0); - c1 = vec256_bit0mask(F1) ^ vec256_bit0mask(G1); - c1 &= c0; - - minusdelta ^= swapmask & (minusdelta ^ -minusdelta); - minusdelta -= 1; - - swapvec = _mm256_set1_epi32(swapmask); - vec256_swap(F0, G0, 3, swapvec); - vec256_swap(F1, G1, 3, swapvec); - - c0vec = _mm256_set1_epi32(c0); - c1vec = _mm256_set1_epi32(c1); - - vec256_eliminate(F0, F1, G0, G1, 3, c0vec, c1vec); - vec256_divx_3(G0); - vec256_divx_3(G1); - - vec256_swap(V0, R0, 1, swapvec); - vec256_swap(V1, R1, 1, swapvec); - vec256_eliminate(V0, V1, R0, R1, 1, c0vec, c1vec); - } - - for (loop = 256; loop > 0; --loop) { - vec256_timesx_2(V0); - vec256_timesx_2(V1); - swapmask = negative_mask(minusdelta) & vec256_bit0mask(G0); - - c0 = vec256_bit0mask(F0) & vec256_bit0mask(G0); - c1 = vec256_bit0mask(F1) ^ vec256_bit0mask(G1); - c1 &= c0; - - minusdelta ^= swapmask & (minusdelta ^ -minusdelta); - minusdelta -= 1; - - swapvec = _mm256_set1_epi32(swapmask); - vec256_swap(F0, G0, 3, swapvec); - vec256_swap(F1, G1, 3, swapvec); - - c0vec = _mm256_set1_epi32(c0); - c1vec = _mm256_set1_epi32(c1); - - vec256_eliminate(F0, F1, G0, G1, 3, c0vec, c1vec); - vec256_divx_3(G0); - vec256_divx_3(G1); - - vec256_swap(V0, R0, 2, swapvec); - vec256_swap(V1, R1, 2, swapvec); - vec256_eliminate(V0, V1, R0, R1, 2, c0vec, c1vec); - } - - for (loop = 281; loop > 0; --loop) { - vec256_timesx_3(V0); - vec256_timesx_3(V1); - swapmask = negative_mask(minusdelta) & vec256_bit0mask(G0); - - c0 = vec256_bit0mask(F0) & vec256_bit0mask(G0); - c1 = vec256_bit0mask(F1) ^ vec256_bit0mask(G1); - c1 &= c0; - - minusdelta ^= swapmask & (minusdelta ^ -minusdelta); - minusdelta -= 1; - - swapvec = _mm256_set1_epi32(swapmask); - vec256_swap(F0, G0, 3, swapvec); - vec256_swap(F1, G1, 3, swapvec); - - c0vec = _mm256_set1_epi32(c0); - c1vec = _mm256_set1_epi32(c1); - - 
vec256_eliminate(F0, F1, G0, G1, 3, c0vec, c1vec); - vec256_divx_3(G0); - vec256_divx_3(G1); - - vec256_swap(V0, R0, 3, swapvec); - vec256_swap(V1, R1, 3, swapvec); - vec256_eliminate(V0, V1, R0, R1, 3, c0vec, c1vec); - } - - for (loop = 256; loop > 0; --loop) { - vec256_timesx_3(V0); - vec256_timesx_3(V1); - swapmask = negative_mask(minusdelta) & vec256_bit0mask(G0); - - c0 = vec256_bit0mask(F0) & vec256_bit0mask(G0); - c1 = vec256_bit0mask(F1) ^ vec256_bit0mask(G1); - c1 &= c0; - - minusdelta ^= swapmask & (minusdelta ^ -minusdelta); - minusdelta -= 1; - - swapvec = _mm256_set1_epi32(swapmask); - vec256_swap(F0, G0, 2, swapvec); - vec256_swap(F1, G1, 2, swapvec); - - c0vec = _mm256_set1_epi32(c0); - c1vec = _mm256_set1_epi32(c1); - - vec256_eliminate(F0, F1, G0, G1, 2, c0vec, c1vec); - vec256_divx_2(G0); - vec256_divx_2(G1); - - vec256_swap(V0, R0, 3, swapvec); - vec256_swap(V1, R1, 3, swapvec); - vec256_eliminate(V0, V1, R0, R1, 3, c0vec, c1vec); - } - - for (loop = 256; loop > 0; --loop) { - vec256_timesx_3(V0); - vec256_timesx_3(V1); - swapmask = negative_mask(minusdelta) & vec256_bit0mask(G0); - - c0 = vec256_bit0mask(F0) & vec256_bit0mask(G0); - c1 = vec256_bit0mask(F1) ^ vec256_bit0mask(G1); - c1 &= c0; - - minusdelta ^= swapmask & (minusdelta ^ -minusdelta); - minusdelta -= 1; - - swapvec = _mm256_set1_epi32(swapmask); - vec256_swap(F0, G0, 1, swapvec); - vec256_swap(F1, G1, 1, swapvec); - - c0vec = _mm256_set1_epi32(c0); - c1vec = _mm256_set1_epi32(c1); - - vec256_eliminate(F0, F1, G0, G1, 1, c0vec, c1vec); - vec256_divx_1(G0); - vec256_divx_1(G1); - - vec256_swap(V0, R0, 3, swapvec); - vec256_swap(V1, R1, 3, swapvec); - vec256_eliminate(V0, V1, R0, R1, 3, c0vec, c1vec); - } - - c0vec = _mm256_set1_epi32(vec256_bit0mask(F0)); - c1vec = _mm256_set1_epi32(vec256_bit0mask(F1)); - vec256_scale(V0, V1, c0vec, c1vec); - - vec256_final(out, V0, V1); - out[p] = (small) negative_mask(minusdelta); - return 0; -} 
diff --git a/crypto_kem/sntrup653/avx2/crypto_core_inv3sntrup653.h b/crypto_kem/sntrup653/avx2/crypto_core_inv3sntrup653.h
deleted file mode 100644
index 3b1ca939..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_core_inv3sntrup653.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_AVX2_CRYPTO_CORE_INV3SNTRUP653_H
-#define PQCLEAN_SNTRUP653_AVX2_CRYPTO_CORE_INV3SNTRUP653_H
-
-#include
-#define PQCLEAN_SNTRUP653_AVX2_crypto_core_inv3sntrup653_OUTPUTBYTES 654
-#define PQCLEAN_SNTRUP653_AVX2_crypto_core_inv3sntrup653_INPUTBYTES 653
-#define PQCLEAN_SNTRUP653_AVX2_crypto_core_inv3sntrup653_KEYBYTES 0
-#define PQCLEAN_SNTRUP653_AVX2_crypto_core_inv3sntrup653_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP653_AVX2_crypto_core_inv3sntrup653(unsigned char *outbytes, const unsigned char *inbytes);
-#endif
diff --git a/crypto_kem/sntrup653/avx2/crypto_core_invsntrup653.c b/crypto_kem/sntrup653/avx2/crypto_core_invsntrup653.c
deleted file mode 100644
index c7807e1c..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_core_invsntrup653.c
+++ /dev/null
@@ -1,202 +0,0 @@
-#include "crypto_core_invsntrup653.h"
-#include "params.h"
-#include
-
-#define int8 int8_t
-#define int16 int16_t
-#define int32 int32_t
-#define uint16 uint16_t
-#define uint32 uint32_t
-
-
-
-/* ----- masks */
-
-/* return -1 if x!=0; else return 0 */
-static int int16_nonzero_mask(int16 x) {
- uint16 u = (uint16) x; /* 0, else 1...65535 */
- uint32 v = u; /* 0, else 1...65535 */
- v = ~v + 1; /* 0, else 2^32-65535...2^32-1 */
- v >>= 31; /* 0, else 1 */
- return -(int) v; /* 0, else -1 */
-}
-
-/* return -1 if x<0; otherwise return 0 */
-static int int16_negative_mask(int16 x) {
- return x >> 15; /* XXX: theoretically need gcc -fwrapv for this */
-}
-
-/* ----- arithmetic mod q */
-
-typedef int8 small;
-
-typedef int16 Fq;
-/* always represented as -(q-1)/2...(q-1)/2 */
-
-/* works for -14000000 < x < 14000000 if q in 4591, 4621, 5167 */
-static Fq Fq_freeze(int32 x) {
- x -= q * ((q18 * x) >> 18);
- x -= q * ((q27 * x + 67108864) >> 27);
- return (Fq) x;
-}
-
-/* nonnegative e */
-static Fq Fq_pow(Fq a, int e) {
- if (e == 0) {
- return 1;
- }
- if (e == 1) {
- return a;
- }
- if (e & 1) {
- return Fq_freeze(a * (int32)Fq_pow(a, e - 1));
- }
- a = Fq_freeze(a * (int32)a);
- return Fq_pow(a, e >> 1);
-}
-
-static Fq Fq_recip(Fq a) {
- return Fq_pow(a, q - 2);
-}
-
-/* ----- more */
-
-#define qvec _mm256_set1_epi16(q)
-#define qinvvec _mm256_set1_epi16(qinv)
-
-static inline __m256i montproduct(__m256i x, __m256i y, __m256i yqinv) {
- __m256i hi, d, e;
-
- d = _mm256_mullo_epi16(x, yqinv);
- hi = _mm256_mulhi_epi16(x, y);
- e = _mm256_mulhi_epi16(d, qvec);
- return _mm256_sub_epi16(hi, e);
-}
-
-static inline void vectormodq_swapeliminate(Fq *f, Fq *g, int len, const Fq f0, const Fq g0, int mask) {
- __m256i f0vec = _mm256_set1_epi16(f0);
- __m256i g0vec = _mm256_set1_epi16(g0);
- __m256i f0vecqinv = _mm256_mullo_epi16(f0vec, qinvvec);
- __m256i g0vecqinv = _mm256_mullo_epi16(g0vec, qinvvec);
- __m256i maskvec = _mm256_set1_epi32(mask);
-
while (len > 0) {
- __m256i fi = _mm256_loadu_si256((__m256i *) f);
- __m256i gi = _mm256_loadu_si256((__m256i *) g);
- __m256i finew = _mm256_blendv_epi8(fi, gi, maskvec);
- __m256i ginew = _mm256_blendv_epi8(gi, fi, maskvec);
- ginew = _mm256_sub_epi16(montproduct(ginew, f0vec, f0vecqinv), montproduct(finew, g0vec, g0vecqinv));
- _mm256_storeu_si256((__m256i *) f, finew);
- _mm256_storeu_si256((__m256i *) (g - 1), ginew);
- f += 16;
- g += 16;
- len -= 16;
- }
-}
-
-static inline void vectormodq_xswapeliminate(Fq *f, Fq *g, int len, const Fq f0, const Fq g0, int mask) {
- __m256i f0vec = _mm256_set1_epi16(f0);
- __m256i g0vec = _mm256_set1_epi16(g0);
- __m256i f0vecqinv = _mm256_mullo_epi16(f0vec, qinvvec);
- __m256i g0vecqinv = _mm256_mullo_epi16(g0vec, qinvvec);
- __m256i maskvec = _mm256_set1_epi32(mask);
-
- f += len + (-len & 15);
- g += len + (-len & 15);
- while (len > 0) {
- f -= 16;
- g -= 16;
- len -= 16;
- __m256i fi = _mm256_loadu_si256((__m256i *) f);
- __m256i gi = _mm256_loadu_si256((__m256i *) g);
- __m256i finew = _mm256_blendv_epi8(fi, gi, maskvec);
- __m256i ginew = _mm256_blendv_epi8(gi, fi, maskvec);
- ginew = _mm256_sub_epi16(montproduct(ginew, f0vec, f0vecqinv), montproduct(finew, g0vec, g0vecqinv));
- _mm256_storeu_si256((__m256i *) (f + 1), finew);
- _mm256_storeu_si256((__m256i *) g, ginew);
- }
-}
-
-int PQCLEAN_SNTRUP653_AVX2_crypto_core_invsntrup653(unsigned char *outbytes, const unsigned char *inbytes) {
- small *in = (void *) inbytes;
- int loop;
- Fq out[p], f[ppad], g[ppad], v[ppad], r[ppad];
- Fq f0, g0;
- Fq scale;
- int i;
- int delta = 1;
- int minusdelta;
- int fgflip;
- int swap;
-
- for (i = 0; i < ppad; ++i) {
- f[i] = 0;
- }
- f[0] = 1;
- f[p - 1] = -1;
- f[p] = -1;
- /* generalization: initialize f to reversal of any deg-p polynomial m */
-
- for (i = 0; i < p; ++i) {
- g[i] = in[p - 1 - i];
- }
- for (i = p; i < ppad; ++i) {
- g[i] = 0;
- }
-
- for (i = 0; i < ppad; ++i) {
- r[i] = 0;
- }
- r[0] = Fq_recip(3);
-
- for 
(i = 0; i < ppad; ++i) {
- v[i] = 0;
- }
-
- for (loop = 0; loop < p; ++loop) {
- g0 = Fq_freeze(g[0]);
- f0 = f[0];
-
- minusdelta = -delta;
- swap = int16_negative_mask((int16) minusdelta) & int16_nonzero_mask(g0);
- delta ^= swap & (delta ^ minusdelta);
- delta += 1;
-
- fgflip = swap & (f0 ^ g0);
- f0 ^= (Fq) fgflip;
- g0 ^= (Fq) fgflip;
-
- f[0] = f0;
-
- vectormodq_swapeliminate(f + 1, g + 1, p, f0, g0, swap);
- vectormodq_xswapeliminate(v, r, loop + 1, f0, g0, swap);
- }
-
- for (loop = p - 1; loop > 0; --loop) {
- g0 = Fq_freeze(g[0]);
- f0 = f[0];
-
- minusdelta = -delta;
- swap = int16_negative_mask((int16) minusdelta) & int16_nonzero_mask(g0);
- delta ^= swap & (delta ^ minusdelta);
- delta += 1;
-
- fgflip = swap & (f0 ^ g0);
- f0 ^= (Fq) fgflip;
- g0 ^= (Fq) fgflip;
-
- f[0] = f0;
-
- vectormodq_swapeliminate(f + 1, g + 1, loop, f0, g0, swap);
- vectormodq_xswapeliminate(v, r, p, f0, g0, swap);
- }
-
- scale = Fq_recip(Fq_freeze(f[0]));
- for (i = 0; i < p; ++i) {
- out[i] = Fq_freeze(scale * (int32)Fq_freeze(v[p - i]));
- }
-
- crypto_encode_pxint16(outbytes, out);
- outbytes[2 * p] = (unsigned char) int16_nonzero_mask((int16) delta);
- return 0;
-}
diff --git a/crypto_kem/sntrup653/avx2/crypto_core_invsntrup653.h b/crypto_kem/sntrup653/avx2/crypto_core_invsntrup653.h
deleted file mode 100644
index b0d14477..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_core_invsntrup653.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_AVX2_CRYPTO_CORE_INVSNTRUP653_H
-#define PQCLEAN_SNTRUP653_AVX2_CRYPTO_CORE_INVSNTRUP653_H
-
-#include
-#define PQCLEAN_SNTRUP653_AVX2_crypto_core_invsntrup653_OUTPUTBYTES 1307
-#define PQCLEAN_SNTRUP653_AVX2_crypto_core_invsntrup653_INPUTBYTES 653
-#define PQCLEAN_SNTRUP653_AVX2_crypto_core_invsntrup653_KEYBYTES 0
-#define PQCLEAN_SNTRUP653_AVX2_crypto_core_invsntrup653_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP653_AVX2_crypto_core_invsntrup653(unsigned char *outbytes, const unsigned char *inbytes);
-#endif
diff --git a/crypto_kem/sntrup653/avx2/crypto_core_mult3sntrup653.c b/crypto_kem/sntrup653/avx2/crypto_core_mult3sntrup653.c
deleted file mode 100644
index 4160d770..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_core_mult3sntrup653.c
+++ /dev/null
@@ -1,259 +0,0 @@ -#include "crypto_core_mult3sntrup653.h" -#include "crypto_core_multsntrup653_ntt.h" -#include "crypto_decode_653xint16.h" -#include "crypto_encode_653xint16.h" -#include - -typedef int8_t int8; -typedef int16_t int16; - -#define int16x16 __m256i -#define load_x16(p) _mm256_loadu_si256((int16x16 *) (p)) -#define store_x16(p,v) _mm256_storeu_si256((int16x16 *) (p),(v)) -#define const_x16 _mm256_set1_epi16 -#define add_x16 _mm256_add_epi16 -#define sub_x16 _mm256_sub_epi16 -#define mullo_x16 _mm256_mullo_epi16 -#define mulhi_x16 _mm256_mulhi_epi16 -#define mulhrs_x16 _mm256_mulhrs_epi16 -#define signmask_x16(x) _mm256_srai_epi16((x),15) - -typedef union { - int16 v[3][512]; - int16x16 _dummy; -} vec3x512; - -typedef union { - int16 v[768]; - int16x16 _dummy; -} vec768; - -typedef union { - int16 v[3 * 512]; - int16x16 _dummy; -} vec1536; - -static int16x16 squeeze_3_x16(int16x16 x) { - return sub_x16(x, mullo_x16(mulhrs_x16(x, const_x16(10923)), const_x16(3))); -} - -static int16x16 squeeze_7681_x16(int16x16 x) { - return sub_x16(x, mullo_x16(mulhrs_x16(x, const_x16(4)), const_x16(7681))); -} - -static int16x16 mulmod_7681_x16(int16x16 x, int16x16 y) { - int16x16 yqinv = mullo_x16(y, const_x16(-7679)); /* XXX: precompute */ - int16x16 b = mulhi_x16(x, y); - int16x16 d = mullo_x16(x, yqinv); - int16x16 e = mulhi_x16(d, const_x16(7681)); - return sub_x16(b, e); -} - -#define mask0 _mm256_set_epi16(-1,0,0,-1,0,0,-1,0,0,-1,0,0,-1,0,0,-1) -#define mask1 _mm256_set_epi16(0,0,-1,0,0,-1,0,0,-1,0,0,-1,0,0,-1,0) -#define mask2 _mm256_set_epi16(0,-1,0,0,-1,0,0,-1,0,0,-1,0,0,-1,0,0) - -static void good(int16 fpad[3][512], const int16 f[768]) { - int j; - int16x16 f0, f1; - - j = 0; - for (;;) { - f0 = load_x16(f + j); - f1 = load_x16(f + 512 + j); - store_x16(&fpad[0][j], (f0 & mask0) | (f1 & mask1)); - store_x16(&fpad[1][j], (f0 & mask1) | (f1 & mask2)); - store_x16(&fpad[2][j], (f0 & mask2) | (f1 & mask0)); - j += 16; - if (j == 256) { - break; - } - - f0 = 
load_x16(f + j); - f1 = load_x16(f + 512 + j); - store_x16(&fpad[0][j], (f0 & mask2) | (f1 & mask0)); - store_x16(&fpad[1][j], (f0 & mask0) | (f1 & mask1)); - store_x16(&fpad[2][j], (f0 & mask1) | (f1 & mask2)); - j += 16; - - f0 = load_x16(f + j); - f1 = load_x16(f + 512 + j); - store_x16(&fpad[0][j], (f0 & mask1) | (f1 & mask2)); - store_x16(&fpad[1][j], (f0 & mask2) | (f1 & mask0)); - store_x16(&fpad[2][j], (f0 & mask0) | (f1 & mask1)); - j += 16; - } - for (;;) { - f0 = load_x16(f + j); - store_x16(&fpad[0][j], f0 & mask2); - store_x16(&fpad[1][j], f0 & mask0); - store_x16(&fpad[2][j], f0 & mask1); - j += 16; - if (j == 512) { - break; - } - - f0 = load_x16(f + j); - store_x16(&fpad[0][j], f0 & mask1); - store_x16(&fpad[1][j], f0 & mask2); - store_x16(&fpad[2][j], f0 & mask0); - j += 16; - - f0 = load_x16(f + j); - store_x16(&fpad[0][j], f0 & mask0); - store_x16(&fpad[1][j], f0 & mask1); - store_x16(&fpad[2][j], f0 & mask2); - j += 16; - } -} - -static void ungood(int16 f[1536], const int16 fpad[3][512]) { - int j; - int16x16 f0, f1, f2, g0, g1, g2; - - j = 0; - - for (;;) { - f0 = load_x16(&fpad[0][j]); - f1 = load_x16(&fpad[1][j]); - f2 = load_x16(&fpad[2][j]); - g0 = (f0 & mask0) | (f1 & mask1) | (f2 & mask2); - g1 = (f0 & mask1) | (f1 & mask2) | (f2 & mask0); - g2 = f0 ^ f1 ^ f2 ^ g0 ^ g1; /* same as (f0&mask2)|(f1&mask0)|(f2&mask1) */ - store_x16(f + 0 + j, g0); - store_x16(f + 512 + j, g1); - store_x16(f + 1024 + j, g2); - j += 16; - - f0 = load_x16(&fpad[0][j]); - f1 = load_x16(&fpad[1][j]); - f2 = load_x16(&fpad[2][j]); - g0 = (f0 & mask2) | (f1 & mask0) | (f2 & mask1); - g1 = (f0 & mask0) | (f1 & mask1) | (f2 & mask2); - g2 = f0 ^ f1 ^ f2 ^ g0 ^ g1; /* same as (f0&mask1)|(f1&mask2)|(f2&mask0) */ - store_x16(f + 0 + j, g0); - store_x16(f + 512 + j, g1); - store_x16(f + 1024 + j, g2); - j += 16; - if (j == 512) { - break; - } - - f0 = load_x16(&fpad[0][j]); - f1 = load_x16(&fpad[1][j]); - f2 = load_x16(&fpad[2][j]); - g0 = (f0 & mask1) | (f1 & mask2) | 
(f2 & mask0); - g1 = (f0 & mask2) | (f1 & mask0) | (f2 & mask1); - g2 = f0 ^ f1 ^ f2 ^ g0 ^ g1; /* same as (f0&mask0)|(f1&mask1)|(f2&mask2) */ - store_x16(f + 0 + j, g0); - store_x16(f + 512 + j, g1); - store_x16(f + 1024 + j, g2); - j += 16; - } -} - -static void mult768(int16 h[1536], const int16 f[768], const int16 g[768]) { - vec3x512 x1, x2; - vec1536 x3; -#define fpad (x1.v) -#define gpad (x2.v) -#define hpad fpad -#define h_7681 (x3.v) - int i; - - good(fpad, f); - PQCLEAN_SNTRUP653_AVX2_ntt512_7681(fpad[0], 3); - - good(gpad, g); - PQCLEAN_SNTRUP653_AVX2_ntt512_7681(gpad[0], 3); - - for (i = 0; i < 512; i += 16) { - int16x16 f0 = squeeze_7681_x16(load_x16(&fpad[0][i])); - int16x16 f1 = squeeze_7681_x16(load_x16(&fpad[1][i])); - int16x16 f2 = squeeze_7681_x16(load_x16(&fpad[2][i])); - int16x16 g0 = squeeze_7681_x16(load_x16(&gpad[0][i])); - int16x16 g1 = squeeze_7681_x16(load_x16(&gpad[1][i])); - int16x16 g2 = squeeze_7681_x16(load_x16(&gpad[2][i])); - int16x16 d0 = mulmod_7681_x16(f0, g0); - int16x16 d1 = mulmod_7681_x16(f1, g1); - int16x16 d2 = mulmod_7681_x16(f2, g2); - int16x16 dsum = add_x16(add_x16(d0, d1), d2); - int16x16 h0 = add_x16(dsum, mulmod_7681_x16(sub_x16(f2, f1), sub_x16(g1, g2))); - int16x16 h1 = add_x16(dsum, mulmod_7681_x16(sub_x16(f1, f0), sub_x16(g0, g1))); - int16x16 h2 = add_x16(dsum, mulmod_7681_x16(sub_x16(f0, f2), sub_x16(g2, g0))); - store_x16(&hpad[0][i], squeeze_7681_x16(h0)); - store_x16(&hpad[1][i], squeeze_7681_x16(h1)); - store_x16(&hpad[2][i], squeeze_7681_x16(h2)); - } - - PQCLEAN_SNTRUP653_AVX2_invntt512_7681(hpad[0], 3); - ungood(h_7681, (const int16(*)[512]) hpad); - - for (i = 0; i < 1536; i += 16) { - int16x16 u = load_x16(&h_7681[i]); - u = mulmod_7681_x16(u, const_x16(956)); - store_x16(&h[i], u); - } -} - -#define crypto_decode_pxint16 PQCLEAN_SNTRUP653_AVX2_crypto_decode_653xint16 -#define crypto_encode_pxint16 PQCLEAN_SNTRUP653_AVX2_crypto_encode_653xint16 - -#define p 653 - -static inline int16x16 
freeze_3_x16(int16x16 x) { - int16x16 mask, x3; - x = add_x16(x, const_x16(3)&signmask_x16(x)); - mask = signmask_x16(sub_x16(x, const_x16(2))); - x3 = sub_x16(x, const_x16(3)); - x = _mm256_blendv_epi8(x3, x, mask); - return x; -} - -int PQCLEAN_SNTRUP653_AVX2_crypto_core_mult3sntrup653(unsigned char *outbytes, const unsigned char *inbytes, const unsigned char *kbytes) { - vec768 x1, x2; - vec1536 x3; -#define f (x1.v) -#define g (x2.v) -#define fg (x3.v) -#define h f - int i; - int16x16 x; - - x = const_x16(0); - for (i = p & ~15; i < 768; i += 16) { - store_x16(&f[i], x); - } - for (i = p & ~15; i < 768; i += 16) { - store_x16(&g[i], x); - } - - for (i = 0; i < p; ++i) { - int8 fi = (int8) inbytes[i]; - int8 fi0 = fi & 1; - f[i] = (int16) (fi0 - (fi & (fi0 << 1))); - } - for (i = 0; i < p; ++i) { - int8 gi = (int8) kbytes[i]; - int8 gi0 = gi & 1; - g[i] = (int16) (gi0 - (gi & (gi0 << 1))); - } - - mult768(fg, f, g); - - fg[0] = (int16) (fg[0] - fg[p - 1]); - for (i = 0; i < 768; i += 16) { - int16x16 fgi = load_x16(&fg[i]); - int16x16 fgip = load_x16(&fg[i + p]); - int16x16 fgip1 = load_x16(&fg[i + p - 1]); - x = add_x16(fgi, add_x16(fgip, fgip1)); - x = freeze_3_x16(squeeze_3_x16(x)); - store_x16(&h[i], x); - } - - for (i = 0; i < p; ++i) { - outbytes[i] = (unsigned char) h[i]; - } - - return 0; -} diff --git a/crypto_kem/sntrup653/avx2/crypto_core_mult3sntrup653.h b/crypto_kem/sntrup653/avx2/crypto_core_mult3sntrup653.h deleted file mode 100644 index e4e84330..00000000 --- a/crypto_kem/sntrup653/avx2/crypto_core_mult3sntrup653.h +++ /dev/null 
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_AVX2_CRYPTO_CORE_MULT3SNTRUP653_H
-#define PQCLEAN_SNTRUP653_AVX2_CRYPTO_CORE_MULT3SNTRUP653_H
-
-#include
-#define PQCLEAN_SNTRUP653_AVX2_crypto_core_mult3sntrup653_OUTPUTBYTES 653
-#define PQCLEAN_SNTRUP653_AVX2_crypto_core_mult3sntrup653_INPUTBYTES 653
-#define PQCLEAN_SNTRUP653_AVX2_crypto_core_mult3sntrup653_KEYBYTES 653
-#define PQCLEAN_SNTRUP653_AVX2_crypto_core_mult3sntrup653_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP653_AVX2_crypto_core_mult3sntrup653(unsigned char *outbytes, const unsigned char *inbytes, const unsigned char *kbytes);
-#endif
diff --git a/crypto_kem/sntrup653/avx2/crypto_core_multsntrup653.c b/crypto_kem/sntrup653/avx2/crypto_core_multsntrup653.c
deleted file mode 100644
index 6793709d..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_core_multsntrup653.c
+++ /dev/null
@@ -1,314 +0,0 @@ -#include "crypto_core_multsntrup653.h" -#include "crypto_core_multsntrup653_ntt.h" -#include "crypto_decode_653xint16.h" -#include "crypto_encode_653xint16.h" -#include - -typedef int8_t int8; -typedef int16_t int16; - -#define int16x16 __m256i -#define load_x16(p) _mm256_loadu_si256((int16x16 *) (p)) -#define store_x16(p,v) _mm256_storeu_si256((int16x16 *) (p),(v)) -#define const_x16 _mm256_set1_epi16 -#define add_x16 _mm256_add_epi16 -#define sub_x16 _mm256_sub_epi16 -#define mullo_x16 _mm256_mullo_epi16 -#define mulhi_x16 _mm256_mulhi_epi16 -#define mulhrs_x16 _mm256_mulhrs_epi16 -#define signmask_x16(x) _mm256_srai_epi16((x),15) - -typedef union { - int16 v[3][512]; - int16x16 _dummy; -} vec3x512; - -typedef union { - int16 v[768]; - int16x16 _dummy; -} vec768; - -typedef union { - int16 v[3 * 512]; - int16x16 _dummy; -} vec1536; - -static inline int16x16 squeeze_4621_x16(int16x16 x) { - return sub_x16(x, mullo_x16(mulhrs_x16(x, const_x16(7)), const_x16(4621))); -} - -static inline int16x16 squeeze_7681_x16(int16x16 x) { - return sub_x16(x, mullo_x16(mulhrs_x16(x, const_x16(4)), const_x16(7681))); -} - -static inline int16x16 squeeze_10753_x16(int16x16 x) { - return sub_x16(x, mullo_x16(mulhrs_x16(x, const_x16(3)), const_x16(10753))); -} - -static inline int16x16 mulmod_4621_x16(int16x16 x, int16x16 y) { - int16x16 yqinv = mullo_x16(y, const_x16(-29499)); /* XXX: precompute */ - int16x16 b = mulhi_x16(x, y); - int16x16 d = mullo_x16(x, yqinv); - int16x16 e = mulhi_x16(d, const_x16(4621)); - return sub_x16(b, e); -} - -static inline int16x16 mulmod_7681_x16(int16x16 x, int16x16 y) { - int16x16 yqinv = mullo_x16(y, const_x16(-7679)); /* XXX: precompute */ - int16x16 b = mulhi_x16(x, y); - int16x16 d = mullo_x16(x, yqinv); - int16x16 e = mulhi_x16(d, const_x16(7681)); - return sub_x16(b, e); -} - -static inline int16x16 mulmod_10753_x16(int16x16 x, int16x16 y) { - int16x16 yqinv = mullo_x16(y, const_x16(-10751)); /* XXX: precompute */ - int16x16 
b = mulhi_x16(x, y); - int16x16 d = mullo_x16(x, yqinv); - int16x16 e = mulhi_x16(d, const_x16(10753)); - return sub_x16(b, e); -} - -#define mask0 _mm256_set_epi16(-1,0,0,-1,0,0,-1,0,0,-1,0,0,-1,0,0,-1) -#define mask1 _mm256_set_epi16(0,0,-1,0,0,-1,0,0,-1,0,0,-1,0,0,-1,0) -#define mask2 _mm256_set_epi16(0,-1,0,0,-1,0,0,-1,0,0,-1,0,0,-1,0,0) - -static void good(int16 fpad[3][512], const int16 f[768]) { - int j; - int16x16 f0, f1; - - j = 0; - for (;;) { - f0 = load_x16(f + j); - f1 = load_x16(f + 512 + j); - store_x16(&fpad[0][j], (f0 & mask0) | (f1 & mask1)); - store_x16(&fpad[1][j], (f0 & mask1) | (f1 & mask2)); - store_x16(&fpad[2][j], (f0 & mask2) | (f1 & mask0)); - j += 16; - if (j == 256) { - break; - } - - f0 = load_x16(f + j); - f1 = load_x16(f + 512 + j); - store_x16(&fpad[0][j], (f0 & mask2) | (f1 & mask0)); - store_x16(&fpad[1][j], (f0 & mask0) | (f1 & mask1)); - store_x16(&fpad[2][j], (f0 & mask1) | (f1 & mask2)); - j += 16; - - f0 = load_x16(f + j); - f1 = load_x16(f + 512 + j); - store_x16(&fpad[0][j], (f0 & mask1) | (f1 & mask2)); - store_x16(&fpad[1][j], (f0 & mask2) | (f1 & mask0)); - store_x16(&fpad[2][j], (f0 & mask0) | (f1 & mask1)); - j += 16; - } - for (;;) { - f0 = load_x16(f + j); - store_x16(&fpad[0][j], f0 & mask2); - store_x16(&fpad[1][j], f0 & mask0); - store_x16(&fpad[2][j], f0 & mask1); - j += 16; - if (j == 512) { - break; - } - - f0 = load_x16(f + j); - store_x16(&fpad[0][j], f0 & mask1); - store_x16(&fpad[1][j], f0 & mask2); - store_x16(&fpad[2][j], f0 & mask0); - j += 16; - - f0 = load_x16(f + j); - store_x16(&fpad[0][j], f0 & mask0); - store_x16(&fpad[1][j], f0 & mask1); - store_x16(&fpad[2][j], f0 & mask2); - j += 16; - } -} - -static void ungood(int16 f[1536], const int16 fpad[3][512]) { - int j; - int16x16 f0, f1, f2, g0, g1, g2; - - j = 0; - - for (;;) { - f0 = load_x16(&fpad[0][j]); - f1 = load_x16(&fpad[1][j]); - f2 = load_x16(&fpad[2][j]); - g0 = (f0 & mask0) | (f1 & mask1) | (f2 & mask2); - g1 = (f0 & mask1) | (f1 & mask2) 
| (f2 & mask0); - g2 = f0 ^ f1 ^ f2 ^ g0 ^ g1; /* same as (f0&mask2)|(f1&mask0)|(f2&mask1) */ - store_x16(f + 0 + j, g0); - store_x16(f + 512 + j, g1); - store_x16(f + 1024 + j, g2); - j += 16; - - f0 = load_x16(&fpad[0][j]); - f1 = load_x16(&fpad[1][j]); - f2 = load_x16(&fpad[2][j]); - g0 = (f0 & mask2) | (f1 & mask0) | (f2 & mask1); - g1 = (f0 & mask0) | (f1 & mask1) | (f2 & mask2); - g2 = f0 ^ f1 ^ f2 ^ g0 ^ g1; /* same as (f0&mask1)|(f1&mask2)|(f2&mask0) */ - store_x16(f + 0 + j, g0); - store_x16(f + 512 + j, g1); - store_x16(f + 1024 + j, g2); - j += 16; - if (j == 512) { - break; - } - - f0 = load_x16(&fpad[0][j]); - f1 = load_x16(&fpad[1][j]); - f2 = load_x16(&fpad[2][j]); - g0 = (f0 & mask1) | (f1 & mask2) | (f2 & mask0); - g1 = (f0 & mask2) | (f1 & mask0) | (f2 & mask1); - g2 = f0 ^ f1 ^ f2 ^ g0 ^ g1; /* same as (f0&mask0)|(f1&mask1)|(f2&mask2) */ - store_x16(f + 0 + j, g0); - store_x16(f + 512 + j, g1); - store_x16(f + 1024 + j, g2); - j += 16; - } -} - -static void mult768(int16 h[1536], const int16 f[768], const int16 g[768]) { - vec3x512 x1, x2; - vec1536 x3, x4; -#define fpad (x1.v) -#define gpad (x2.v) -#define hpad fpad -#define h_7681 (x3.v) -#define h_10753 (x4.v) - int i; - - good(fpad, f); - PQCLEAN_SNTRUP653_AVX2_ntt512_7681(fpad[0], 3); - - good(gpad, g); - PQCLEAN_SNTRUP653_AVX2_ntt512_7681(gpad[0], 3); - - for (i = 0; i < 512; i += 16) { - int16x16 f0 = squeeze_7681_x16(load_x16(&fpad[0][i])); - int16x16 f1 = squeeze_7681_x16(load_x16(&fpad[1][i])); - int16x16 f2 = squeeze_7681_x16(load_x16(&fpad[2][i])); - int16x16 g0 = squeeze_7681_x16(load_x16(&gpad[0][i])); - int16x16 g1 = squeeze_7681_x16(load_x16(&gpad[1][i])); - int16x16 g2 = squeeze_7681_x16(load_x16(&gpad[2][i])); - int16x16 d0 = mulmod_7681_x16(f0, g0); - int16x16 d1 = mulmod_7681_x16(f1, g1); - int16x16 d2 = mulmod_7681_x16(f2, g2); - int16x16 dsum = add_x16(add_x16(d0, d1), d2); - int16x16 h0 = add_x16(dsum, mulmod_7681_x16(sub_x16(f2, f1), sub_x16(g1, g2))); - int16x16 h1 = 
add_x16(dsum, mulmod_7681_x16(sub_x16(f1, f0), sub_x16(g0, g1))); - int16x16 h2 = add_x16(dsum, mulmod_7681_x16(sub_x16(f0, f2), sub_x16(g2, g0))); - store_x16(&hpad[0][i], squeeze_7681_x16(h0)); - store_x16(&hpad[1][i], squeeze_7681_x16(h1)); - store_x16(&hpad[2][i], squeeze_7681_x16(h2)); - } - - PQCLEAN_SNTRUP653_AVX2_invntt512_7681(hpad[0], 3); - ungood(h_7681, (const int16(*)[512]) hpad); - - good(fpad, f); - PQCLEAN_SNTRUP653_AVX2_ntt512_10753(fpad[0], 3); - - good(gpad, g); - PQCLEAN_SNTRUP653_AVX2_ntt512_10753(gpad[0], 3); - - for (i = 0; i < 512; i += 16) { - int16x16 f0 = squeeze_10753_x16(load_x16(&fpad[0][i])); - int16x16 f1 = squeeze_10753_x16(load_x16(&fpad[1][i])); - int16x16 f2 = squeeze_10753_x16(load_x16(&fpad[2][i])); - int16x16 g0 = squeeze_10753_x16(load_x16(&gpad[0][i])); - int16x16 g1 = squeeze_10753_x16(load_x16(&gpad[1][i])); - int16x16 g2 = squeeze_10753_x16(load_x16(&gpad[2][i])); - int16x16 d0 = mulmod_10753_x16(f0, g0); - int16x16 d1 = mulmod_10753_x16(f1, g1); - int16x16 d2 = mulmod_10753_x16(f2, g2); - int16x16 dsum = add_x16(add_x16(d0, d1), d2); - int16x16 h0 = add_x16(dsum, mulmod_10753_x16(sub_x16(f2, f1), sub_x16(g1, g2))); - int16x16 h1 = add_x16(dsum, mulmod_10753_x16(sub_x16(f1, f0), sub_x16(g0, g1))); - int16x16 h2 = add_x16(dsum, mulmod_10753_x16(sub_x16(f0, f2), sub_x16(g2, g0))); - store_x16(&hpad[0][i], squeeze_10753_x16(h0)); - store_x16(&hpad[1][i], squeeze_10753_x16(h1)); - store_x16(&hpad[2][i], squeeze_10753_x16(h2)); - } - - PQCLEAN_SNTRUP653_AVX2_invntt512_10753(hpad[0], 3); - ungood(h_10753, (const int16(*)[512]) hpad); - - for (i = 0; i < 1536; i += 16) { - int16x16 u1 = load_x16(&h_10753[i]); - int16x16 u2 = load_x16(&h_7681[i]); - int16x16 t; - u1 = mulmod_10753_x16(u1, const_x16(1268)); - u2 = mulmod_7681_x16(u2, const_x16(956)); - t = mulmod_7681_x16(sub_x16(u2, u1), const_x16(-2539)); - t = add_x16(u1, mulmod_4621_x16(t, const_x16(1487))); - store_x16(&h[i], t); - } -} - -#define crypto_decode_pxint16 
PQCLEAN_SNTRUP653_AVX2_crypto_decode_653xint16 -#define crypto_encode_pxint16 PQCLEAN_SNTRUP653_AVX2_crypto_encode_653xint16 - -#define p 653 -#define q 4621 - -static inline int16x16 freeze_4621_x16(int16x16 x) { - int16x16 mask, xq; - x = add_x16(x, const_x16(q)&signmask_x16(x)); - mask = signmask_x16(sub_x16(x, const_x16((q + 1) / 2))); - xq = sub_x16(x, const_x16(q)); - x = _mm256_blendv_epi8(xq, x, mask); - return x; -} - -int PQCLEAN_SNTRUP653_AVX2_crypto_core_multsntrup653(unsigned char *outbytes, const unsigned char *inbytes, const unsigned char *kbytes) { - vec768 x1, x2; - vec1536 x3; -#define f (x1.v) -#define g (x2.v) -#define fg (x3.v) -#define h f - int i; - int16x16 x; - - x = const_x16(0); - for (i = p & ~15; i < 768; i += 16) { - store_x16(&f[i], x); - } - for (i = p & ~15; i < 768; i += 16) { - store_x16(&g[i], x); - } - - crypto_decode_pxint16(f, inbytes); - - for (i = 0; i < 768; i += 16) { - x = load_x16(&f[i]); - x = freeze_4621_x16(squeeze_4621_x16(x)); - store_x16(&f[i], x); - } - for (i = 0; i < p; ++i) { - int8 gi = (int8) kbytes[i]; - int8 gi0 = gi & 1; - g[i] = (int16) (gi0 - (gi & (gi0 << 1))); - } - - mult768(fg, f, g); - - fg[0] = (int16) (fg[0] - fg[p - 1]); - for (i = 0; i < 768; i += 16) { - int16x16 fgi = load_x16(&fg[i]); - int16x16 fgip = load_x16(&fg[i + p]); - int16x16 fgip1 = load_x16(&fg[i + p - 1]); - x = add_x16(fgi, add_x16(fgip, fgip1)); - x = freeze_4621_x16(squeeze_4621_x16(x)); - store_x16(&h[i], x); - } - - crypto_encode_pxint16(outbytes, h); - - return 0; -} diff --git a/crypto_kem/sntrup653/avx2/crypto_core_multsntrup653.h b/crypto_kem/sntrup653/avx2/crypto_core_multsntrup653.h deleted file mode 100644 index cd6648d5..00000000 --- a/crypto_kem/sntrup653/avx2/crypto_core_multsntrup653.h +++ /dev/null 
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_AVX2_CRYPTO_CORE_MULTSNTRUP653_H
-#define PQCLEAN_SNTRUP653_AVX2_CRYPTO_CORE_MULTSNTRUP653_H
-
-#include
-#define PQCLEAN_SNTRUP653_AVX2_crypto_core_multsntrup653_OUTPUTBYTES 1306
-#define PQCLEAN_SNTRUP653_AVX2_crypto_core_multsntrup653_INPUTBYTES 1306
-#define PQCLEAN_SNTRUP653_AVX2_crypto_core_multsntrup653_KEYBYTES 653
-#define PQCLEAN_SNTRUP653_AVX2_crypto_core_multsntrup653_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP653_AVX2_crypto_core_multsntrup653(unsigned char *outbytes, const unsigned char *inbytes, const unsigned char *kbytes);
-#endif
diff --git a/crypto_kem/sntrup653/avx2/crypto_core_multsntrup653_ntt.c b/crypto_kem/sntrup653/avx2/crypto_core_multsntrup653_ntt.c
deleted file mode 100644
index 6fe2436c..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_core_multsntrup653_ntt.c
+++ /dev/null
@@ -1,927 +0,0 @@ -#include "crypto_core_multsntrup653.h" -#include "crypto_core_multsntrup653_ntt.h" -#include -#include - -/* auto-generated; do not edit */ - - -typedef int8_t int8; -typedef int16_t int16; - -#define zeta(n,i) (((__m256i *) zeta_##n)[(i)]) -#define zeta_x4(n,i) (((__m256i *) zeta_x4_##n)[(i)]) -#define zeta_qinv(n,i) (((__m256i *) qinvzeta_##n)[(i)]) -#define zeta_x4_qinv(n,i) (((__m256i *) qinvzeta_x4_##n)[(i)]) -#define zetainv(n,i) _mm256_loadu_reverse16((__m256i *) ((int16 *) zeta_##n+(n)/2+1-16*((i)+1))) -#define zetainv_x4(n,i) _mm256_loadu_reverse16((__m256i *) ((int16 *) zeta_x4_##n+2*(n)+4-16*((i)+1))) -#define zetainv_qinv(n,i) _mm256_loadu_reverse16((__m256i *) ((int16 *) qinvzeta_##n+(n)/2+1-16*((i)+1))) -#define zetainv_x4_qinv(n,i) _mm256_loadu_reverse16((__m256i *) ((int16 *) qinvzeta_x4_##n+2*(n)+4-16*((i)+1))) - -typedef union { - int16 data[93 * 16]; - __m256i _dummy; -} vec1488; - -static const vec1488 qdata_7681 = { .data = { - -#define q_x16 (qdata[0]) - 7681, 7681, 7681, 7681, 7681, 7681, 7681, 7681, 7681, 7681, 7681, 7681, 7681, 7681, 7681, 7681, - -#define qrecip_x16 (qdata[1]) - 17474, 17474, 17474, 17474, 17474, 17474, 17474, 17474, 17474, 17474, 17474, 17474, 17474, 17474, 17474, 17474, - -#define qshift_x16 (qdata[2]) - 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, - -#define zeta4_x16 (qdata[3]) - -3777, -3777, -3777, -3777, -3777, -3777, -3777, -3777, -3777, -3777, -3777, -3777, -3777, -3777, -3777, -3777, - -#define zeta4_x16_qinv (qdata[4]) - -28865, -28865, -28865, -28865, -28865, -28865, -28865, -28865, -28865, -28865, -28865, -28865, -28865, -28865, -28865, -28865, - -#define zeta8_x16 (qdata[5]) - -3625, -3625, -3625, -3625, -3625, -3625, -3625, -3625, -3625, -3625, -3625, -3625, -3625, -3625, -3625, -3625, - -#define zeta8_x16_qinv (qdata[6]) - -16425, -16425, -16425, -16425, -16425, -16425, -16425, -16425, -16425, -16425, -16425, -16425, -16425, -16425, -16425, -16425, - -#define 
zetainv8_x16 (qdata[7]) - -3182, -3182, -3182, -3182, -3182, -3182, -3182, -3182, -3182, -3182, -3182, -3182, -3182, -3182, -3182, -3182, - -#define zetainv8_x16_qinv (qdata[8]) - -10350, -10350, -10350, -10350, -10350, -10350, -10350, -10350, -10350, -10350, -10350, -10350, -10350, -10350, -10350, -10350, - -#define zeta_x4_16 (qdata+9) - -3593, -3593, -3593, -3593, -2194, -2194, -2194, -2194, -3625, -3625, -3625, -3625, 1100, 1100, 1100, 1100, - -3777, -3777, -3777, -3777, -2456, -2456, -2456, -2456, 3182, 3182, 3182, 3182, 3696, 3696, 3696, 3696, - 3593, 3593, 3593, 3593, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define qinvzeta_x4_16 (qdata+12) - -9, -9, -9, -9, 4974, 4974, 4974, 4974, -16425, -16425, -16425, -16425, 7244, 7244, 7244, 7244, - -28865, -28865, -28865, -28865, -14744, -14744, -14744, -14744, 10350, 10350, 10350, 10350, -4496, -4496, -4496, -4496, - 9, 9, 9, 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define zeta_x4_32 (qdata+15) - -3593, -3593, -3593, -3593, 1414, 1414, 1414, 1414, -2194, -2194, -2194, -2194, -2495, -2495, -2495, -2495, - -3625, -3625, -3625, -3625, 2876, 2876, 2876, 2876, 1100, 1100, 1100, 1100, -2250, -2250, -2250, -2250, - -3777, -3777, -3777, -3777, -1701, -1701, -1701, -1701, -2456, -2456, -2456, -2456, 834, 834, 834, 834, - 3182, 3182, 3182, 3182, -2319, -2319, -2319, -2319, 3696, 3696, 3696, 3696, 121, 121, 121, 121, - 3593, 3593, 3593, 3593, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define qinvzeta_x4_32 (qdata+20) - -9, -9, -9, -9, 20870, 20870, 20870, 20870, 4974, 4974, 4974, 4974, 22593, 22593, 22593, 22593, - -16425, -16425, -16425, -16425, 828, 828, 828, 828, 7244, 7244, 7244, 7244, -23754, -23754, -23754, -23754, - -28865, -28865, -28865, -28865, 20315, 20315, 20315, 20315, -14744, -14744, -14744, -14744, 18242, 18242, 18242, 18242, - 10350, 10350, 10350, 10350, -18191, -18191, -18191, -18191, -4496, -4496, -4496, -4496, -11655, -11655, -11655, -11655, - 9, 9, 9, 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define zeta_64 
(qdata+25) - -3593, -617, 1414, 3706, -2194, -1296, -2495, -2237, -3625, 2830, 2876, -1599, 1100, 1525, -2250, 2816, - -3777, 1921, -1701, 2006, -2456, 1483, 834, -1986, 3182, 3364, -2319, -1993, 3696, -2557, 121, 2088, - 3593, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define qinvzeta_64 (qdata+28) - -9, 19351, 20870, -15750, 4974, -9488, 22593, 7491, -16425, 26382, 828, 23489, 7244, 20469, -23754, 2816, - -28865, -5759, 20315, -3114, -14744, 15307, 18242, -19394, 10350, -10972, -18191, -31177, -4496, -25597, -11655, 22568, - 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define zeta_128 (qdata+31) - -3593, -2804, -617, -396, 1414, -549, 3706, 810, -2194, -1321, -1296, 438, -2495, -2535, -2237, -3689, - -3625, 2043, 2830, -1881, 2876, 3153, -1599, 7, 1100, -514, 1525, -1760, -2250, -2440, 2816, 3600, - -3777, 103, 1921, -3174, -1701, 1535, 2006, -1887, -2456, 1399, 1483, -679, 834, 3772, -1986, 1738, - 3182, -1431, 3364, -3555, -2319, -2310, -1993, 638, 3696, -2956, -2557, -1305, 121, 2555, 2088, -3266, - 3593, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define qinvzeta_128 (qdata+36) - -9, -29428, 19351, 26228, 20870, 21467, -15750, 5930, 4974, -14121, -9488, -21066, 22593, 2073, 7491, 16279, - -16425, -25093, 26382, 26279, 828, -29103, 23489, 11783, 7244, 14846, 20469, 14624, -23754, -6536, 2816, 11792, - -28865, -4505, -5759, -6246, 20315, 9215, -3114, 6817, -14744, 4983, 15307, -28839, 18242, 1724, -19394, 23242, - 10350, -21399, -10972, -29667, -18191, -21766, -31177, 15998, -4496, 23668, -25597, -5913, -11655, -24581, 22568, -20674, - 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define zeta_256 (qdata+41) - -3593, 2665, -2804, -2572, -617, 727, -396, 3417, 1414, 2579, -549, 373, 3706, 3750, 810, -1054, - -2194, -2133, -1321, 1681, -1296, -1386, 438, -2732, -2495, 1919, -2535, -2391, -2237, 2835, -3689, 2, - -3625, -783, 2043, 3145, 2830, 1533, -1881, 2789, 2876, 2649, 3153, 3692, -1599, -1390, 7, -1166, - 1100, 3310, -514, 2224, 1525, 
-2743, -1760, 2385, -2250, -486, -2440, -1756, 2816, -3816, 3600, -3831, - -3777, -1799, 103, 1497, 1921, 1521, -3174, -194, -1701, -859, 1535, 2175, 2006, -2762, -1887, -1698, - -2456, -3480, 1399, 2883, 1483, -3428, -679, -2113, 834, 1532, 3772, -660, -1986, -2764, 1738, -915, - 3182, 1056, -1431, 1350, 3364, 1464, -3555, 2919, -2319, -2160, -2310, 730, -1993, -1598, 638, 3456, - 3696, -1168, -2956, -3588, -2557, -921, -1305, 3405, 121, -404, 2555, -3135, 2088, 2233, -3266, -2426, - 3593, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define qinvzeta_256 (qdata+50) - -9, -17303, -29428, 24052, 19351, -12073, 26228, -24743, 20870, -12269, 21467, 19317, -15750, -25946, 5930, 32738, - 4974, -4693, -14121, 2193, -9488, 26262, -21066, 7508, 22593, 9599, 2073, 10409, 7491, -12013, 16279, -15358, - -16425, -16655, -25093, 32329, 26382, 24573, 26279, 13541, 828, -25511, -29103, 26220, 23489, -8558, 11783, -24718, - 7244, 10478, 14846, 26800, 20469, 26441, 14624, -29871, -23754, -3558, -6536, -16092, 2816, 8472, 11792, -7415, - -28865, -13575, -4505, -26663, -5759, -14351, -6246, -17602, 20315, -22875, 9215, 9855, -3114, -24266, 6817, -2722, - -14744, -15768, 4983, 12611, 15307, -21860, -28839, -27201, 18242, 32252, 1724, 21868, -19394, -8908, 23242, 13933, - 10350, 17440, -21399, -11962, -10972, 30136, -29667, -1689, -18191, 6032, -21766, 30426, -31177, 15810, 15998, 3456, - -4496, -9360, 23668, 27132, -25597, -5529, -5913, 1869, -11655, 22124, -24581, 21953, 22568, 23225, -20674, 17030, - 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define zeta_512 (qdata+59) - -3593, 2005, 2665, 2891, -2804, 2345, -2572, 1121, -617, -188, 727, 2786, -396, -3208, 3417, -17, - 1414, -3752, 2579, 2815, -549, 1837, 373, 151, 3706, -1012, 3750, -1509, 810, -3214, -1054, 3177, - -2194, -1403, -2133, -3314, -1321, 83, 1681, -658, -1296, 2070, -1386, -3547, 438, 3781, -2732, 2230, - -2495, -1669, 1919, 2589, -2535, -3312, -2391, -3542, -2237, -1441, 2835, -3568, -3689, -402, 2, -1070, 
- -3625, 3763, -783, -3550, 2043, -2303, 3145, -436, 2830, -893, 1533, 1712, -1881, 124, 2789, -2001, - 2876, -2460, 2649, 3770, 3153, 2965, 3692, -1203, -1599, 2874, -1390, -1407, 7, -3745, -1166, 1649, - 1100, 2937, 3310, 3461, -514, -1526, 2224, 715, 1525, -1689, -2743, 434, -1760, -3163, 2385, -929, - -2250, -2167, -486, -1144, -2440, -370, -1756, 2378, 2816, -1084, -3816, -1586, 3600, 1931, -3831, -1242, - -3777, 592, -1799, 2340, 103, -1338, 1497, -2071, 1921, 1519, 1521, 451, -3174, 589, -194, -3744, - -1701, 3677, -859, -1295, 1535, 642, 2175, -3794, 2006, 2130, -2762, 2918, -1887, 3334, -1698, 2072, - -2456, 509, -3480, 2998, 1399, -3408, 2883, 1476, 1483, -2262, -3428, -1779, -679, 2258, -2113, 1348, - 834, -692, 1532, 2247, 3772, 2083, -660, -226, -1986, 2532, -2764, -3693, 1738, -429, -915, -2059, - 3182, 2812, 1056, 3434, -1431, -2515, 1350, -236, 3364, -2386, 1464, 222, -3555, -2963, 2919, -2422, - -2319, -3657, -2160, 3450, -2310, -791, 730, 1181, -1993, -1404, -1598, 2339, 638, -3366, 3456, 2161, - 3696, -3343, -1168, 2719, -2956, -826, -3588, -670, -2557, 777, -921, 1151, -1305, -796, 3405, -1278, - 121, -3287, -404, 1072, 2555, 293, -3135, 2767, 2088, -3335, 2233, 3581, -3266, 3723, -2426, -179, - 3593, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define qinvzeta_512 (qdata+76) - -9, 4565, -17303, 16715, -29428, 15145, 24052, -22943, 19351, 1860, -12073, -28958, 26228, -7304, -24743, -529, - 20870, -24232, -12269, 10495, 21467, -16083, 19317, 20119, -15750, -27636, -25946, -12261, 5930, -26766, 32738, -16791, - 4974, 25733, -4693, 20238, -14121, 18003, 2193, 6510, -9488, 29718, 26262, -25563, -21066, -1851, 7508, -19274, - 22593, -28805, 9599, -23523, 2073, 4880, 10409, 1578, 7491, -10145, -12013, 4624, 16279, 6766, -15358, 24530, - -16425, 5299, -16655, -2526, -25093, -9983, 32329, 5708, 26382, -23933, 24573, 26288, 26279, 30844, 13541, 30255, - 828, 15972, -25511, 17082, -29103, -27243, 26220, -2739, 23489, 16186, -8558, -9087, 11783, 
-12449, -24718, -14223, - 7244, -8839, 10478, 30597, 14846, -12790, 26800, 14539, 20469, -6297, 26441, 9650, 14624, -25179, -29871, -9633, - -23754, -5751, -3558, 2952, -6536, 23182, -16092, 23882, 2816, 964, 8472, -10802, 11792, -17013, -7415, -30938, - -28865, -23984, -13575, -11996, -4505, -14650, -26663, -22039, -5759, 1007, -14351, 10179, -6246, -947, -17602, -20128, - 20315, 10333, -22875, -17167, 9215, -14718, 9855, -29394, -3114, 27730, -24266, 5990, 6817, 22790, -2722, 14360, - -14744, 23549, -15768, -18506, 4983, 21168, 12611, 3524, 15307, 2858, -21860, 29453, -28839, 27858, -27201, 3396, - 18242, 5452, 32252, -18745, 1724, -4573, 21868, 31518, -19394, 20964, -8908, -18541, 23242, 17491, 13933, 16885, - 10350, -32004, 17440, -24214, -21399, -20435, -11962, -22764, -10972, -27986, 30136, -802, -29667, 11885, -1689, -13686, - -18191, 32695, 6032, -16006, -21766, -20759, 30426, -24931, -31177, -32124, 15810, -4317, 15998, 26330, 3456, -13711, - -4496, -19215, -9360, 26783, 23668, -14138, 27132, -32414, -25597, -2807, -5529, 8831, -5913, 17636, 1869, -16638, - -11655, 9513, 22124, 25648, -24581, -21723, 21953, -14129, 22568, -15111, 23225, 26621, -20674, -15221, 17030, -1715, - 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - } -}; - -static const vec1488 qdata_10753 = { .data = { - - 10753, 10753, 10753, 10753, 10753, 10753, 10753, 10753, 10753, 10753, 10753, 10753, 10753, 10753, 10753, 10753, - - 24964, 24964, 24964, 24964, 24964, 24964, 24964, 24964, 24964, 24964, 24964, 24964, 24964, 24964, 24964, 24964, - - 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, - - 223, 223, 223, 223, 223, 223, 223, 223, 223, 223, 223, 223, 223, 223, 223, 223, - - 27359, 27359, 27359, 27359, 27359, 27359, 27359, 27359, 27359, 27359, 27359, 27359, 27359, 27359, 27359, 27359, - - 4188, 4188, 4188, 4188, 4188, 4188, 4188, 4188, 4188, 4188, 4188, 4188, 4188, 4188, 4188, 4188, - - -1956, -1956, -1956, -1956, -1956, -1956, -1956, -1956, -1956, -1956, -1956, -1956, -1956, -1956, 
-1956, -1956, - - 3688, 3688, 3688, 3688, 3688, 3688, 3688, 3688, 3688, 3688, 3688, 3688, 3688, 3688, 3688, 3688, - - -408, -408, -408, -408, -408, -408, -408, -408, -408, -408, -408, -408, -408, -408, -408, -408, - - 1018, 1018, 1018, 1018, 2413, 2413, 2413, 2413, 4188, 4188, 4188, 4188, 357, 357, 357, 357, - 223, 223, 223, 223, -3686, -3686, -3686, -3686, -3688, -3688, -3688, -3688, -376, -376, -376, -376, - -1018, -1018, -1018, -1018, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - -6, -6, -6, -6, 10093, 10093, 10093, 10093, -1956, -1956, -1956, -1956, 28517, 28517, 28517, 28517, - 27359, 27359, 27359, 27359, -21094, -21094, -21094, -21094, 408, 408, 408, 408, -20856, -20856, -20856, -20856, - 6, 6, 6, 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - 1018, 1018, 1018, 1018, -2695, -2695, -2695, -2695, 2413, 2413, 2413, 2413, 425, 425, 425, 425, - 4188, 4188, 4188, 4188, -4855, -4855, -4855, -4855, 357, 357, 357, 357, -3364, -3364, -3364, -3364, - 223, 223, 223, 223, 730, 730, 730, 730, -3686, -3686, -3686, -3686, -4544, -4544, -4544, -4544, - -3688, -3688, -3688, -3688, -2236, -2236, -2236, -2236, -376, -376, -376, -376, 3784, 3784, 3784, 3784, - -1018, -1018, -1018, -1018, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - -6, -6, -6, -6, 7033, 7033, 7033, 7033, 10093, 10093, 10093, 10093, 18345, 18345, 18345, 18345, - -1956, -1956, -1956, -1956, 29449, 29449, 29449, 29449, 28517, 28517, 28517, 28517, -9508, -9508, -9508, -9508, - 27359, 27359, 27359, 27359, 16090, 16090, 16090, 16090, -21094, -21094, -21094, -21094, 28224, 28224, 28224, 28224, - 408, 408, 408, 408, -12476, -12476, -12476, -12476, -20856, -20856, -20856, -20856, 16072, 16072, 16072, 16072, - 6, 6, 6, 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - 1018, -1520, -2695, 1341, 2413, 918, 425, 5175, 4188, -4035, -4855, 341, 357, 4347, -3364, 5213, - 223, -4875, 730, 1931, -3686, -2503, -4544, -4095, -3688, 5063, -2236, -3823, -376, 3012, 3784, -2629, - -1018, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - -6, 23056, 7033, 829, 
10093, 26518, 18345, 3639, -1956, -4547, 29449, 3925, 28517, -7429, -9508, -11683, - 27359, -17675, 16090, 14731, -21094, -25543, 28224, -14847, 408, 28103, -12476, 10001, -20856, -7228, 16072, 18363, - 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - 1018, -2935, -1520, -4744, -2695, -205, 1341, 1299, 2413, 4, 918, -4379, 425, -4616, 5175, -544, - 4188, 4129, -4035, 4102, -4855, -1287, 341, -2388, 357, 1284, 4347, 2984, -3364, 2178, 5213, -2576, - 223, 2790, -4875, 4876, 730, -4513, 1931, -3085, -3686, 3550, -2503, 847, -4544, 193, -4095, 1085, - -3688, 3091, 5063, -4742, -2236, 2982, -3823, -1009, -376, -268, 3012, 3062, 3784, -2565, -2629, 4189, - -1018, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - -6, 31369, 23056, 15736, 7033, -24269, 829, -6381, 10093, 22532, 26518, 23781, 18345, 15864, 3639, 15840, - -1956, -23007, -4547, 5126, 29449, 8441, 3925, -16724, 28517, 23812, -7429, 31656, -9508, -19326, -11683, -27152, - 27359, 20198, -17675, 6924, 16090, 22623, 14731, 5619, -21094, -24098, -25543, 3407, 28224, 22209, -14847, 573, - 408, -4589, 28103, -5766, -12476, -12378, 10001, -31217, -20856, -2316, -7228, -20490, 16072, -14341, 18363, -12707, - 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - 1018, -4734, -2935, -400, -1520, 4977, -4744, -2973, -2695, 512, -205, -779, 1341, -1356, 1299, 635, - 2413, 567, 4, -4286, 918, -5114, -4379, -1586, 425, 1615, -4616, -336, 5175, -1841, -544, 2234, - 4188, -3441, 4129, 636, -4035, -4580, 4102, 2684, -4855, 3057, -1287, -2740, 341, -5156, -2388, -472, - 357, -794, 1284, 578, 4347, 3615, 2984, -3715, -3364, 2271, 2178, -326, 5213, 454, -2576, -3337, - 223, 2998, 2790, -151, -4875, 2981, 4876, 1324, 730, 2774, -4513, 2206, 1931, 886, -3085, -970, - -3686, 3198, 3550, 2737, -2503, -909, 847, 1068, -4544, -2213, 193, 2884, -4095, -4808, 1085, 4123, - -3688, 5341, 3091, 5294, 5063, -116, -4742, -5116, -2236, -2045, 2982, -1572, -3823, 4828, -1009, 467, - -376, 5023, -268, -3169, 3012, -1458, 3062, -1268, 3784, -675, 
-2565, 1006, -2629, 5064, 4189, 864, - -1018, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - -6, -26238, 31369, -24976, 23056, -30351, 15736, -18845, 7033, 512, -24269, -13579, 829, 29364, -6381, -11141, - 10093, -969, 22532, 6978, 26518, -4090, 23781, 11726, 18345, 4175, 15864, 7856, 3639, 719, 15840, -31558, - -1956, 31887, -23007, -21892, -4547, 22044, 5126, -19844, 29449, -32271, 8441, 32076, 3925, -11300, -16724, 28200, - 28517, 16614, 23812, 11842, -7429, -2017, 31656, 28541, -9508, 29407, -19326, 31418, -11683, -31290, -27152, 27895, - 27359, 12214, 20198, -14999, -17675, -1627, 6924, -13012, 16090, -4394, 22623, 7326, 14731, -22666, 5619, 8246, - -21094, 24702, -24098, 177, -25543, 7795, 3407, -13268, 28224, 2395, 22209, -7356, -14847, -17096, 573, -24037, - 408, -11555, -4589, -30546, 28103, 1932, -5766, 17412, -12476, 31235, -12378, -7716, 10001, -1316, -31217, 25555, - -20856, -609, -2316, -8801, -7228, 11854, -20490, 780, 16072, -17571, -14341, -2066, 18363, 17352, -12707, 17248, - 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - 1018, 3453, -4734, 4519, -2935, 2118, -400, -554, -1520, 2196, 4977, 1893, -4744, -1409, -2973, -1053, - -2695, 4601, 512, 279, -205, -3241, -779, 4889, 1341, 3524, -1356, -1663, 1299, 2283, 635, 73, - 2413, 2428, 567, 624, 4, -1930, -4286, 3419, 918, -2062, -5114, 5068, -4379, -97, -1586, 1782, - 425, 4621, 1615, 355, -4616, 1349, -336, 825, 5175, 3135, -1841, 1160, -544, 4408, 2234, -2605, - 4188, 854, -3441, -1056, 4129, 2439, 636, 4967, -4035, -4782, -4580, -5268, 4102, -663, 2684, -4670, - -4855, 3760, 3057, 3535, -1287, 2680, -2740, -569, 341, 2139, -5156, 3827, -2388, 1639, -472, 1927, - 357, 5172, -794, -4003, 1284, 4144, 578, 693, 4347, 4784, 3615, 3125, 2984, 1122, -3715, 2113, - -3364, -573, 2271, -4328, 2178, 2909, -326, -4000, 5213, -4447, 454, -3995, -2576, -4428, -3337, 2529, - 223, 5309, 2998, 5120, 2790, -2050, -151, 2963, -4875, 2657, 2981, -2807, 4876, 2237, 1324, -4403, - 730, 2624, 2774, -5083, -4513, 
40, 2206, 152, 1931, -1573, 886, 2625, -3085, -778, -970, -5107, - -3686, 4250, 3198, -5356, 3550, -3148, 2737, -3360, -2503, -2015, -909, 3096, 847, 5313, 1068, 834, - -4544, -1132, -2213, -2151, 193, -1722, 2884, -4393, -4095, 2662, -4808, -2788, 1085, -1992, 4123, 5334, - -3688, 5215, 5341, -1689, 3091, -2117, 5294, 4859, 5063, 3410, -116, 2205, -4742, -2374, -5116, -4720, - -2236, 3570, -2045, 2813, 2982, 2087, -1572, -4973, -3823, 458, 4828, 3891, -1009, -2419, 467, -4891, - -376, -1381, 5023, 1204, -268, 274, -3169, -3260, 3012, -1635, -1458, 4540, 3062, -4254, -1268, -1111, - 3784, 2230, -675, -2279, -2565, -4359, 1006, -1510, -2629, 5015, 5064, -2449, 4189, -5005, 864, 2487, - -1018, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - -6, -29827, -26238, -21593, 31369, -29626, -24976, -7722, 23056, -16236, -30351, 30053, 15736, 9343, -18845, -16925, - 7033, 14329, 512, 15127, -24269, -21161, -13579, -1767, 829, -6716, 29364, -12415, -6381, 31467, -11141, 1609, - 10093, -20100, -969, -23952, 22532, -25482, 6978, 8027, 26518, 17394, -4090, -25652, 23781, -5729, 11726, -21770, - 18345, -4083, 4175, -15517, 15864, -19643, 7856, -22215, 3639, -18881, 719, -19320, 15840, -7880, -31558, 22483, - -1956, -6314, 31887, 15328, -23007, -7289, -21892, 11623, -4547, 31058, 22044, 13164, 5126, -15511, -19844, 6594, - 29449, 11952, -32271, 6095, 8441, 23160, 32076, 22471, 3925, 6747, -11300, 12531, -16724, 8295, 28200, -7801, - 28517, -29644, 16614, -20899, 23812, 12336, 11842, 20661, -7429, 12976, -2017, 23093, 31656, -3998, 28541, 24129, - -9508, -61, 29407, -232, -19326, -13987, 31418, 12384, -11683, -31583, -31290, 24165, -27152, 26292, 27895, 8161, - 27359, 4797, 12214, 5120, 20198, 19454, -14999, -4717, -17675, 8289, -1627, 31497, 6924, 1725, -13012, 19661, - 16090, -30144, -4394, -9691, 22623, 28712, 7326, 4248, 14731, 3035, -22666, 24641, 5619, -24330, 8246, -13811, - -21094, -13158, 24702, -23788, -24098, 27572, 177, 13024, -25543, -29151, 7795, 7192, 3407, 27329, 
-13268, 12098, - 28224, -19564, 2395, -8807, 22209, 32070, -7356, -22313, -14847, 20070, -17096, 23836, 573, -14280, -24037, -1834, - 408, 32351, -11555, 4967, -4589, 18875, -30546, -6917, 28103, -26286, 1932, 18077, -5766, 29370, 17412, 19856, - -12476, 23026, 31235, -30467, -12378, -24025, -7716, -12653, 10001, -8758, -1316, -20173, -31217, -11123, 25555, 23269, - -20856, -29541, -609, 31924, -2316, 3346, -8801, -13500, -7228, 14237, 11854, 14780, -20490, -9374, 780, 16809, - 16072, 11446, -17571, -8935, -14341, 5369, -2066, -18918, 18363, 19863, 17352, -16273, -12707, 3699, 17248, 951, - 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - } -}; - -static inline __m256i sub_x16(__m256i a, __m256i b) { - //__asm__("vpsubw %1,%0,%0" : "+x"(a),"+x"(b)); - return _mm256_sub_epi16(a, b); -} - -static inline __m256i add_x16(__m256i a, __m256i b) { - return _mm256_add_epi16(a, b); -} - -static inline __m256i reduce_x16(const __m256i *qdata, __m256i x) { - __m256i y = _mm256_mulhi_epi16(x, qrecip_x16); - y = _mm256_mulhrs_epi16(y, qshift_x16); - y = _mm256_mullo_epi16(y, q_x16); - return sub_x16(x, y); -} - -static inline __m256i mulmod_x16_scaled(const __m256i *qdata, __m256i x, __m256i y, __m256i yqinv) { - __m256i b = _mm256_mulhi_epi16(x, y); - __m256i d = _mm256_mullo_epi16(x, yqinv); - __m256i e = _mm256_mulhi_epi16(d, q_x16); - return sub_x16(b, e); -} - -typedef union { - int8 data[32]; - __m256i _dummy; -} byte32; -static const byte32 shuffle_buf = { .data = { - 14, 15, 12, 13, 10, 11, 8, 9, 6, 7, 4, 5, 2, 3, 0, 1, - 14, 15, 12, 13, 10, 11, 8, 9, 6, 7, 4, 5, 2, 3, 0, 1, - } -}; -#define shuffle (*(__m256i *) shuffle_buf.data) - -static inline __m256i _mm256_loadu_reverse16(const __m256i *p) { - __m256i x = _mm256_loadu_si256(p); - x = _mm256_permute2x128_si256(x, x, 1); - x = _mm256_shuffle_epi8(x, shuffle); - return x; -} - -static void ntt128(int16 *f, int reps, const __m256i *qdata) { - __m256i f0, f1, f2, f3, g0, g1, g2, g3, h0, h1, h2, h3; - int16 *origf = f; 
- int rep; - __m256i zetainv_128_0 = zetainv(128, 0); - __m256i zetainv_qinv_128_0 = zetainv_qinv(128, 0); - __m256i zetainv_x4_32_0 = zetainv_x4(32, 0); - __m256i zetainv_x4_qinv_32_0 = zetainv_x4_qinv(32, 0); - __m256i zetainv_128_1 = zetainv(128, 1); - __m256i zetainv_qinv_128_1 = zetainv_qinv(128, 1); - __m256i zetainv_x4_32_1 = zetainv_x4(32, 1); - __m256i zetainv_x4_qinv_32_1 = zetainv_x4_qinv(32, 1); - for (rep = 0; rep < reps; ++rep) { - f1 = _mm256_loadu_si256((__m256i *) (f + 32)); - f3 = _mm256_loadu_si256((__m256i *) (f + 96)); - g3 = sub_x16(f1, f3); - g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv); - g1 = add_x16(f1, f3); - - f0 = _mm256_loadu_si256((__m256i *) (f + 0)); - f2 = _mm256_loadu_si256((__m256i *) (f + 64)); - g2 = sub_x16(f0, f2); - g0 = add_x16(f0, f2); - - f3 = sub_x16(g3, g2); - f2 = add_x16(g2, g3); - f3 = mulmod_x16_scaled(qdata, f3, zetainv_128_0, zetainv_qinv_128_0); - f2 = mulmod_x16_scaled(qdata, f2, zeta(128, 0), zeta_qinv(128, 0)); - - g2 = _mm256_unpacklo_epi16(f2, f3); - g3 = _mm256_unpackhi_epi16(f2, f3); - - f1 = sub_x16(g0, g1); - f0 = add_x16(g0, g1); - f1 = mulmod_x16_scaled(qdata, f1, zeta(64, 0), zeta_qinv(64, 0)); - f0 = reduce_x16(qdata, f0); - - g0 = _mm256_unpacklo_epi16(f0, f1); - h0 = _mm256_unpacklo_epi32(g0, g2); - h1 = _mm256_unpackhi_epi32(g0, g2); - g1 = _mm256_unpackhi_epi16(f0, f1); - h2 = _mm256_unpacklo_epi32(g1, g3); - h3 = _mm256_unpackhi_epi32(g1, g3); - f0 = _mm256_permute2x128_si256(h0, h1, 0x20); - f2 = _mm256_permute2x128_si256(h0, h1, 0x31); - f1 = _mm256_permute2x128_si256(h2, h3, 0x20); - f3 = _mm256_permute2x128_si256(h2, h3, 0x31); - - _mm256_storeu_si256((__m256i *) (f + 0), f0); - _mm256_storeu_si256((__m256i *) (f + 64), f2); - _mm256_storeu_si256((__m256i *) (f + 32), f1); - _mm256_storeu_si256((__m256i *) (f + 96), f3); - - f1 = _mm256_loadu_si256((__m256i *) (f + 48)); - f3 = _mm256_loadu_si256((__m256i *) (f + 112)); - g3 = sub_x16(f1, f3); - g3 = mulmod_x16_scaled(qdata, 
g3, zeta4_x16, zeta4_x16_qinv); - g1 = add_x16(f1, f3); - - f0 = _mm256_loadu_si256((__m256i *) (f + 16)); - f2 = _mm256_loadu_si256((__m256i *) (f + 80)); - g2 = sub_x16(f0, f2); - g0 = add_x16(f0, f2); - - f3 = sub_x16(g3, g2); - f2 = add_x16(g2, g3); - f3 = mulmod_x16_scaled(qdata, f3, zetainv_128_1, zetainv_qinv_128_1); - f2 = mulmod_x16_scaled(qdata, f2, zeta(128, 1), zeta_qinv(128, 1)); - - g2 = _mm256_unpacklo_epi16(f2, f3); - g3 = _mm256_unpackhi_epi16(f2, f3); - - f1 = sub_x16(g0, g1); - f0 = add_x16(g0, g1); - f1 = mulmod_x16_scaled(qdata, f1, zeta(64, 1), zeta_qinv(64, 1)); - f0 = reduce_x16(qdata, f0); - - g0 = _mm256_unpacklo_epi16(f0, f1); - h0 = _mm256_unpacklo_epi32(g0, g2); - h1 = _mm256_unpackhi_epi32(g0, g2); - g1 = _mm256_unpackhi_epi16(f0, f1); - h2 = _mm256_unpacklo_epi32(g1, g3); - h3 = _mm256_unpackhi_epi32(g1, g3); - f0 = _mm256_permute2x128_si256(h0, h1, 0x20); - f2 = _mm256_permute2x128_si256(h0, h1, 0x31); - f1 = _mm256_permute2x128_si256(h2, h3, 0x20); - f3 = _mm256_permute2x128_si256(h2, h3, 0x31); - - _mm256_storeu_si256((__m256i *) (f + 16), f0); - _mm256_storeu_si256((__m256i *) (f + 80), f2); - _mm256_storeu_si256((__m256i *) (f + 48), f1); - _mm256_storeu_si256((__m256i *) (f + 112), f3); - - f += 128; - } - f = origf; - for (rep = 0; rep < reps; ++rep) { - f1 = _mm256_loadu_si256((__m256i *) (f + 64)); - f3 = _mm256_loadu_si256((__m256i *) (f + 80)); - g3 = sub_x16(f1, f3); - g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv); - g1 = add_x16(f1, f3); - - f0 = _mm256_loadu_si256((__m256i *) (f + 0)); - f2 = _mm256_loadu_si256((__m256i *) (f + 16)); - g2 = sub_x16(f0, f2); - g0 = add_x16(f0, f2); - - f3 = sub_x16(g3, g2); - f2 = add_x16(g2, g3); - f3 = mulmod_x16_scaled(qdata, f3, zetainv_x4_32_0, zetainv_x4_qinv_32_0); - f2 = mulmod_x16_scaled(qdata, f2, zeta_x4(32, 0), zeta_x4_qinv(32, 0)); - - g2 = _mm256_unpacklo_epi64(f2, f3); - g3 = _mm256_unpackhi_epi64(f2, f3); - - f1 = sub_x16(g0, g1); - f0 = add_x16(g0, g1); - 
f1 = mulmod_x16_scaled(qdata, f1, zeta_x4(16, 0), zeta_x4_qinv(16, 0)); - f0 = reduce_x16(qdata, f0); - - g1 = _mm256_unpackhi_epi64(f0, f1); - g0 = _mm256_unpacklo_epi64(f0, f1); - f1 = _mm256_permute2x128_si256(g1, g3, 0x20); - f3 = _mm256_permute2x128_si256(g1, g3, 0x31); - f0 = _mm256_permute2x128_si256(g0, g2, 0x20); - f2 = _mm256_permute2x128_si256(g0, g2, 0x31); - - _mm256_storeu_si256((__m256i *) (f + 64), f1); - _mm256_storeu_si256((__m256i *) (f + 80), f3); - _mm256_storeu_si256((__m256i *) (f + 0), f0); - _mm256_storeu_si256((__m256i *) (f + 16), f2); - - f1 = _mm256_loadu_si256((__m256i *) (f + 96)); - f3 = _mm256_loadu_si256((__m256i *) (f + 112)); - g3 = sub_x16(f1, f3); - g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv); - g1 = add_x16(f1, f3); - - f0 = _mm256_loadu_si256((__m256i *) (f + 32)); - f2 = _mm256_loadu_si256((__m256i *) (f + 48)); - g2 = sub_x16(f0, f2); - g0 = add_x16(f0, f2); - - f3 = sub_x16(g3, g2); - f2 = add_x16(g2, g3); - f3 = mulmod_x16_scaled(qdata, f3, zetainv_x4_32_1, zetainv_x4_qinv_32_1); - f2 = mulmod_x16_scaled(qdata, f2, zeta_x4(32, 1), zeta_x4_qinv(32, 1)); - - g2 = _mm256_unpacklo_epi64(f2, f3); - g3 = _mm256_unpackhi_epi64(f2, f3); - - f1 = sub_x16(g0, g1); - f0 = add_x16(g0, g1); - f1 = mulmod_x16_scaled(qdata, f1, zeta_x4(16, 1), zeta_x4_qinv(16, 1)); - f0 = reduce_x16(qdata, f0); - - g1 = _mm256_unpackhi_epi64(f0, f1); - g0 = _mm256_unpacklo_epi64(f0, f1); - f1 = _mm256_permute2x128_si256(g1, g3, 0x20); - f3 = _mm256_permute2x128_si256(g1, g3, 0x31); - f0 = _mm256_permute2x128_si256(g0, g2, 0x20); - f2 = _mm256_permute2x128_si256(g0, g2, 0x31); - - _mm256_storeu_si256((__m256i *) (f + 96), f1); - _mm256_storeu_si256((__m256i *) (f + 112), f3); - _mm256_storeu_si256((__m256i *) (f + 32), f0); - _mm256_storeu_si256((__m256i *) (f + 48), f2); - - f += 128; - } - f = origf; - for (rep = 0; rep < reps; ++rep) { - - f1 = _mm256_loadu_si256((__m256i *) (f + 16)); - f3 = _mm256_loadu_si256((__m256i *) (f + 48)); 
- g3 = sub_x16(f1, f3); - g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv); - g1 = add_x16(f1, f3); - - f0 = _mm256_loadu_si256((__m256i *) (f + 0)); - f2 = _mm256_loadu_si256((__m256i *) (f + 32)); - g2 = sub_x16(f0, f2); - g0 = add_x16(f0, f2); - - f2 = add_x16(g2, g3); - f3 = sub_x16(g2, g3); - f2 = reduce_x16(qdata, f2); - f3 = reduce_x16(qdata, f3); - - f1 = sub_x16(g0, g1); - f0 = add_x16(g0, g1); - f0 = reduce_x16(qdata, f0); - - h0 = f0; - h1 = f1; - h2 = f2; - h3 = f3; - - f1 = _mm256_loadu_si256((__m256i *) (f + 80)); - f3 = _mm256_loadu_si256((__m256i *) (f + 112)); - g3 = sub_x16(f1, f3); - g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv); - g1 = add_x16(f1, f3); - - f0 = _mm256_loadu_si256((__m256i *) (f + 64)); - f2 = _mm256_loadu_si256((__m256i *) (f + 96)); - g2 = sub_x16(f0, f2); - g0 = add_x16(f0, f2); - - f3 = sub_x16(g3, g2); - f2 = add_x16(g2, g3); - f3 = mulmod_x16_scaled(qdata, f3, zetainv8_x16, zetainv8_x16_qinv); - f2 = mulmod_x16_scaled(qdata, f2, zeta8_x16, zeta8_x16_qinv); - - f1 = sub_x16(g0, g1); - f0 = add_x16(g0, g1); - f1 = mulmod_x16_scaled(qdata, f1, zeta4_x16, zeta4_x16_qinv); - f0 = reduce_x16(qdata, f0); - - g0 = add_x16(h0, f0); - g1 = add_x16(h1, f1); - g2 = add_x16(h2, f2); - g3 = add_x16(h3, f3); - _mm256_storeu_si256((__m256i *) (f + 0), g0); - _mm256_storeu_si256((__m256i *) (f + 16), g1); - _mm256_storeu_si256((__m256i *) (f + 32), g2); - _mm256_storeu_si256((__m256i *) (f + 48), g3); - g0 = sub_x16(h0, f0); - g1 = sub_x16(h1, f1); - g2 = sub_x16(h2, f2); - g3 = sub_x16(h3, f3); - _mm256_storeu_si256((__m256i *) (f + 64), g0); - _mm256_storeu_si256((__m256i *) (f + 80), g1); - _mm256_storeu_si256((__m256i *) (f + 96), g2); - _mm256_storeu_si256((__m256i *) (f + 112), g3); - f += 128; - } -} - -static void ntt512(int16 *f, int reps, const __m256i *qdata) { - __m256i f0, f1, f2, f3, g0, g1, g2, g3; /* [-Werror=unused-variable] */ /* ,h0,h1,h2,h3; */ - int16 *origf = f; - int rep; - __m256i 
zetainv_512[8]; - __m256i zetainv_qinv_512[8]; - int i; - for (i = 0; i < 8; ++i) { - zetainv_512[i] = zetainv(512, i); - } - for (i = 0; i < 8; ++i) { - zetainv_qinv_512[i] = zetainv_qinv(512, i); - } - for (rep = 0; rep < reps; ++rep) { - for (i = 0; i < 8; ++i) { - f1 = _mm256_loadu_si256((__m256i *) (f + 16 * i + 128)); - f3 = _mm256_loadu_si256((__m256i *) (f + 16 * i + 384)); - g3 = sub_x16(f1, f3); - g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv); - g1 = add_x16(f1, f3); - - f0 = _mm256_loadu_si256((__m256i *) (f + 16 * i)); - f2 = _mm256_loadu_si256((__m256i *) (f + 16 * i + 256)); - g2 = sub_x16(f0, f2); - g0 = add_x16(f0, f2); - - f3 = sub_x16(g3, g2); - f2 = add_x16(g2, g3); - f3 = mulmod_x16_scaled(qdata, f3, zetainv_512[i], zetainv_qinv_512[i]); - f2 = mulmod_x16_scaled(qdata, f2, zeta(512, i), zeta_qinv(512, i)); - - f1 = sub_x16(g0, g1); - f0 = add_x16(g0, g1); - f1 = mulmod_x16_scaled(qdata, f1, zeta(256, i), zeta_qinv(256, i)); - f0 = reduce_x16(qdata, f0); - - _mm256_storeu_si256((__m256i *) (f + 16 * i + 384), f3); - _mm256_storeu_si256((__m256i *) (f + 16 * i + 256), f2); - _mm256_storeu_si256((__m256i *) (f + 16 * i + 128), f1); - _mm256_storeu_si256((__m256i *) (f + 16 * i), f0); - - } - f += 512; - } - f = origf; - ntt128(f, reps * 4, qdata); -} - -void PQCLEAN_SNTRUP653_AVX2_ntt512_7681(int16 *f, int reps) { - ntt512(f, reps, (const __m256i *) qdata_7681.data); -} - -void PQCLEAN_SNTRUP653_AVX2_ntt512_10753(int16 *f, int reps) { - ntt512(f, reps, (const __m256i *) qdata_10753.data); -} - -static void invntt128(int16 *f, int reps, const __m256i *qdata) { - __m256i f0, f1, f2, f3, g0, g1, g2, g3, h0, h1, h2, h3; - int16 *origf = f; - int rep; - __m256i zetainv_x4_16_0 = zetainv_x4(16, 0); - __m256i zetainv_x4_qinv_16_0 = zetainv_x4_qinv(16, 0); - __m256i zetainv_x4_32_0 = zetainv_x4(32, 0); - __m256i zetainv_x4_qinv_32_0 = zetainv_x4_qinv(32, 0); - __m256i zetainv_64_0 = zetainv(64, 0); - __m256i zetainv_qinv_64_0 = 
zetainv_qinv(64, 0); - __m256i zetainv_128_0 = zetainv(128, 0); - __m256i zetainv_qinv_128_0 = zetainv_qinv(128, 0); - __m256i zetainv_x4_16_1 = zetainv_x4(16, 1); - __m256i zetainv_x4_qinv_16_1 = zetainv_x4_qinv(16, 1); - __m256i zetainv_x4_32_1 = zetainv_x4(32, 1); - __m256i zetainv_x4_qinv_32_1 = zetainv_x4_qinv(32, 1); - __m256i zetainv_64_1 = zetainv(64, 1); - __m256i zetainv_qinv_64_1 = zetainv_qinv(64, 1); - __m256i zetainv_128_1 = zetainv(128, 1); - __m256i zetainv_qinv_128_1 = zetainv_qinv(128, 1); - for (rep = 0; rep < reps; ++rep) { - f0 = _mm256_loadu_si256((__m256i *) (f + 0)); - f1 = _mm256_loadu_si256((__m256i *) (f + 64)); - f2 = _mm256_loadu_si256((__m256i *) (f + 16)); - f3 = _mm256_loadu_si256((__m256i *) (f + 80)); - g0 = _mm256_loadu_si256((__m256i *) (f + 32)); - g1 = _mm256_loadu_si256((__m256i *) (f + 96)); - g2 = _mm256_loadu_si256((__m256i *) (f + 48)); - g3 = _mm256_loadu_si256((__m256i *) (f + 112)); - - h1 = sub_x16(f0, f1); - h1 = reduce_x16(qdata, h1); - h0 = add_x16(f0, f1); - h3 = sub_x16(f2, f3); - h3 = mulmod_x16_scaled(qdata, h3, zeta4_x16, zeta4_x16_qinv); - h2 = add_x16(f2, f3); - f1 = sub_x16(g0, g1); - f1 = mulmod_x16_scaled(qdata, f1, zetainv8_x16, zetainv8_x16_qinv); - f0 = add_x16(g0, g1); - f3 = sub_x16(g2, g3); - f3 = mulmod_x16_scaled(qdata, f3, zeta8_x16, zeta8_x16_qinv); - f2 = add_x16(g2, g3); - - g0 = add_x16(h0, h2); - g0 = reduce_x16(qdata, g0); - g2 = sub_x16(h0, h2); - g2 = reduce_x16(qdata, g2); - g1 = sub_x16(h1, h3); - g3 = add_x16(h1, h3); - h2 = sub_x16(f0, f2); - h2 = mulmod_x16_scaled(qdata, h2, zeta4_x16, zeta4_x16_qinv); - h0 = add_x16(f0, f2); - h3 = add_x16(f1, f3); - h3 = mulmod_x16_scaled(qdata, h3, zeta4_x16, zeta4_x16_qinv); - h1 = sub_x16(f1, f3); - - f0 = add_x16(g0, h0); - g0 = sub_x16(g0, h0); - f1 = add_x16(g1, h1); - g1 = sub_x16(g1, h1); - f2 = sub_x16(g2, h2); - g2 = add_x16(g2, h2); - f3 = sub_x16(g3, h3); - g3 = add_x16(g3, h3); - - _mm256_storeu_si256((__m256i *) (f + 0), f0); - 
_mm256_storeu_si256((__m256i *) (f + 32), g0); - _mm256_storeu_si256((__m256i *) (f + 64), f1); - _mm256_storeu_si256((__m256i *) (f + 96), g1); - _mm256_storeu_si256((__m256i *) (f + 16), f2); - _mm256_storeu_si256((__m256i *) (f + 48), g2); - _mm256_storeu_si256((__m256i *) (f + 80), f3); - _mm256_storeu_si256((__m256i *) (f + 112), g3); - - f += 128; - } - f = origf; - for (rep = 0; rep < reps; ++rep) { - f0 = _mm256_loadu_si256((__m256i *) (f + 0)); - f1 = _mm256_loadu_si256((__m256i *) (f + 64)); - f2 = _mm256_loadu_si256((__m256i *) (f + 16)); - f3 = _mm256_loadu_si256((__m256i *) (f + 80)); - - g0 = _mm256_unpacklo_epi64(f0, f1); - g1 = _mm256_unpacklo_epi64(f2, f3); - g2 = _mm256_unpackhi_epi64(f0, f1); - g3 = _mm256_unpackhi_epi64(f2, f3); - f2 = _mm256_permute2x128_si256(g0, g1, 0x31); - f3 = _mm256_permute2x128_si256(g2, g3, 0x31); - f0 = _mm256_permute2x128_si256(g0, g1, 0x20); - f1 = _mm256_permute2x128_si256(g2, g3, 0x20); - - f2 = mulmod_x16_scaled(qdata, f2, zetainv_x4_32_0, zetainv_x4_qinv_32_0); - f3 = mulmod_x16_scaled(qdata, f3, zeta_x4(32, 0), zeta_x4_qinv(32, 0)); - - g3 = add_x16(f3, f2); - g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv); - g2 = sub_x16(f3, f2); - - f0 = reduce_x16(qdata, f0); - f1 = mulmod_x16_scaled(qdata, f1, zetainv_x4_16_0, zetainv_x4_qinv_16_0); - - g1 = add_x16(f0, f1); - g0 = sub_x16(f0, f1); - - f1 = add_x16(g1, g3); - f3 = sub_x16(g1, g3); - f0 = add_x16(g0, g2); - f2 = sub_x16(g0, g2); - - _mm256_storeu_si256((__m256i *) (f + 64), f1); - _mm256_storeu_si256((__m256i *) (f + 80), f3); - _mm256_storeu_si256((__m256i *) (f + 0), f0); - _mm256_storeu_si256((__m256i *) (f + 16), f2); - - f0 = _mm256_loadu_si256((__m256i *) (f + 32)); - f1 = _mm256_loadu_si256((__m256i *) (f + 96)); - f2 = _mm256_loadu_si256((__m256i *) (f + 48)); - f3 = _mm256_loadu_si256((__m256i *) (f + 112)); - - g0 = _mm256_unpacklo_epi64(f0, f1); - g1 = _mm256_unpacklo_epi64(f2, f3); - g2 = _mm256_unpackhi_epi64(f0, f1); - g3 = 
_mm256_unpackhi_epi64(f2, f3); - f2 = _mm256_permute2x128_si256(g0, g1, 0x31); - f3 = _mm256_permute2x128_si256(g2, g3, 0x31); - f0 = _mm256_permute2x128_si256(g0, g1, 0x20); - f1 = _mm256_permute2x128_si256(g2, g3, 0x20); - - f2 = mulmod_x16_scaled(qdata, f2, zetainv_x4_32_1, zetainv_x4_qinv_32_1); - f3 = mulmod_x16_scaled(qdata, f3, zeta_x4(32, 1), zeta_x4_qinv(32, 1)); - - g3 = add_x16(f3, f2); - g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv); - g2 = sub_x16(f3, f2); - - f0 = reduce_x16(qdata, f0); - f1 = mulmod_x16_scaled(qdata, f1, zetainv_x4_16_1, zetainv_x4_qinv_16_1); - - g1 = add_x16(f0, f1); - g0 = sub_x16(f0, f1); - - f1 = add_x16(g1, g3); - f3 = sub_x16(g1, g3); - f0 = add_x16(g0, g2); - f2 = sub_x16(g0, g2); - - _mm256_storeu_si256((__m256i *) (f + 96), f1); - _mm256_storeu_si256((__m256i *) (f + 112), f3); - _mm256_storeu_si256((__m256i *) (f + 32), f0); - _mm256_storeu_si256((__m256i *) (f + 48), f2); - - f += 128; - } - f = origf; - for (rep = 0; rep < reps; ++rep) { - f0 = _mm256_loadu_si256((__m256i *) (f + 0)); - f2 = _mm256_loadu_si256((__m256i *) (f + 64)); - f1 = _mm256_loadu_si256((__m256i *) (f + 32)); - f3 = _mm256_loadu_si256((__m256i *) (f + 96)); - - g0 = _mm256_permute2x128_si256(f0, f2, 0x20); - g2 = _mm256_permute2x128_si256(f0, f2, 0x31); - f0 = _mm256_unpacklo_epi16(g0, g2); - f2 = _mm256_unpackhi_epi16(g0, g2); - g1 = _mm256_permute2x128_si256(f1, f3, 0x20); - g3 = _mm256_permute2x128_si256(f1, f3, 0x31); - f1 = _mm256_unpacklo_epi16(g1, g3); - f3 = _mm256_unpackhi_epi16(g1, g3); - g1 = _mm256_unpackhi_epi16(f0, f2); - g0 = _mm256_unpacklo_epi16(f0, f2); - g3 = _mm256_unpackhi_epi16(f1, f3); - g2 = _mm256_unpacklo_epi16(f1, f3); - f2 = _mm256_unpacklo_epi64(g1, g3); - f3 = _mm256_unpackhi_epi64(g1, g3); - f0 = _mm256_unpacklo_epi64(g0, g2); - f1 = _mm256_unpackhi_epi64(g0, g2); - - f2 = mulmod_x16_scaled(qdata, f2, zetainv_128_0, zetainv_qinv_128_0); - f3 = mulmod_x16_scaled(qdata, f3, zeta(128, 0), zeta_qinv(128, 
0)); - f0 = reduce_x16(qdata, f0); - f1 = mulmod_x16_scaled(qdata, f1, zetainv_64_0, zetainv_qinv_64_0); - - g3 = add_x16(f3, f2); - g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv); - g1 = add_x16(f0, f1); - g2 = sub_x16(f3, f2); - g0 = sub_x16(f0, f1); - - f1 = add_x16(g1, g3); - f3 = sub_x16(g1, g3); - f0 = add_x16(g0, g2); - f2 = sub_x16(g0, g2); - - _mm256_storeu_si256((__m256i *) (f + 32), f1); - _mm256_storeu_si256((__m256i *) (f + 96), f3); - _mm256_storeu_si256((__m256i *) (f + 0), f0); - _mm256_storeu_si256((__m256i *) (f + 64), f2); - - f0 = _mm256_loadu_si256((__m256i *) (f + 16)); - f2 = _mm256_loadu_si256((__m256i *) (f + 80)); - f1 = _mm256_loadu_si256((__m256i *) (f + 48)); - f3 = _mm256_loadu_si256((__m256i *) (f + 112)); - - g0 = _mm256_permute2x128_si256(f0, f2, 0x20); - g2 = _mm256_permute2x128_si256(f0, f2, 0x31); - f0 = _mm256_unpacklo_epi16(g0, g2); - f2 = _mm256_unpackhi_epi16(g0, g2); - g1 = _mm256_permute2x128_si256(f1, f3, 0x20); - g3 = _mm256_permute2x128_si256(f1, f3, 0x31); - f1 = _mm256_unpacklo_epi16(g1, g3); - f3 = _mm256_unpackhi_epi16(g1, g3); - g1 = _mm256_unpackhi_epi16(f0, f2); - g0 = _mm256_unpacklo_epi16(f0, f2); - g3 = _mm256_unpackhi_epi16(f1, f3); - g2 = _mm256_unpacklo_epi16(f1, f3); - f2 = _mm256_unpacklo_epi64(g1, g3); - f3 = _mm256_unpackhi_epi64(g1, g3); - f0 = _mm256_unpacklo_epi64(g0, g2); - f1 = _mm256_unpackhi_epi64(g0, g2); - - f2 = mulmod_x16_scaled(qdata, f2, zetainv_128_1, zetainv_qinv_128_1); - f3 = mulmod_x16_scaled(qdata, f3, zeta(128, 1), zeta_qinv(128, 1)); - f0 = reduce_x16(qdata, f0); - f1 = mulmod_x16_scaled(qdata, f1, zetainv_64_1, zetainv_qinv_64_1); - - g3 = add_x16(f3, f2); - g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv); - g1 = add_x16(f0, f1); - g2 = sub_x16(f3, f2); - g0 = sub_x16(f0, f1); - - f1 = add_x16(g1, g3); - f3 = sub_x16(g1, g3); - f0 = add_x16(g0, g2); - f2 = sub_x16(g0, g2); - - _mm256_storeu_si256((__m256i *) (f + 48), f1); - _mm256_storeu_si256((__m256i *) 
(f + 112), f3); - _mm256_storeu_si256((__m256i *) (f + 16), f0); - _mm256_storeu_si256((__m256i *) (f + 80), f2); - - f += 128; - } -} - -static void invntt512(int16 *f, int reps, const __m256i *qdata) { - __m256i f0, f1, f2, f3, g0, g1, g2, g3; /* [-Werror=unused-variable] */ /* ,h0,h1,h2,h3; */ - /* [-Werror=unused-variable] */ /* int16 *origf = f; */ - int rep; - __m256i zetainv_512[8]; - __m256i zetainv_qinv_512[8]; - __m256i zetainv_256[8]; - __m256i zetainv_qinv_256[8]; - int i; - for (i = 0; i < 8; ++i) { - zetainv_512[i] = zetainv(512, i); - } - for (i = 0; i < 8; ++i) { - zetainv_qinv_512[i] = zetainv_qinv(512, i); - } - for (i = 0; i < 8; ++i) { - zetainv_256[i] = zetainv(256, i); - } - for (i = 0; i < 8; ++i) { - zetainv_qinv_256[i] = zetainv_qinv(256, i); - } - invntt128(f, 4 * reps, qdata); - for (rep = 0; rep < reps; ++rep) { - for (i = 0; i < 8; ++i) { - f2 = _mm256_loadu_si256((__m256i *) (f + 16 * i + 256)); - f3 = _mm256_loadu_si256((__m256i *) (f + 16 * i + 384)); - - f2 = mulmod_x16_scaled(qdata, f2, zetainv_512[i], zetainv_qinv_512[i]); - f3 = mulmod_x16_scaled(qdata, f3, zeta(512, i), zeta_qinv(512, i)); - g3 = add_x16(f3, f2); - g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv); - g2 = sub_x16(f3, f2); - - f0 = _mm256_loadu_si256((__m256i *) (f + 16 * i + 0)); - f1 = _mm256_loadu_si256((__m256i *) (f + 16 * i + 128)); - - f0 = reduce_x16(qdata, f0); - f1 = mulmod_x16_scaled(qdata, f1, zetainv_256[i], zetainv_qinv_256[i]); - g1 = add_x16(f0, f1); - g0 = sub_x16(f0, f1); - - f1 = add_x16(g1, g3); - f3 = sub_x16(g1, g3); - f0 = add_x16(g0, g2); - f2 = sub_x16(g0, g2); - - _mm256_storeu_si256((__m256i *) (f + 16 * i + 128), f1); - _mm256_storeu_si256((__m256i *) (f + 16 * i + 384), f3); - _mm256_storeu_si256((__m256i *) (f + 16 * i + 0), f0); - _mm256_storeu_si256((__m256i *) (f + 16 * i + 256), f2); - } - f += 512; - } -} - -void PQCLEAN_SNTRUP653_AVX2_invntt512_7681(int16 *f, int reps) { - invntt512(f, reps, (const __m256i *) 
qdata_7681.data); -} - -void PQCLEAN_SNTRUP653_AVX2_invntt512_10753(int16 *f, int reps) { - invntt512(f, reps, (const __m256i *) qdata_10753.data); -} diff --git a/crypto_kem/sntrup653/avx2/crypto_core_multsntrup653_ntt.h b/crypto_kem/sntrup653/avx2/crypto_core_multsntrup653_ntt.h deleted file mode 100644 index 44fff973..00000000 --- a/crypto_kem/sntrup653/avx2/crypto_core_multsntrup653_ntt.h +++ /dev/null @@ -1,13 +0,0 @@ -#ifndef ntt_H -#define ntt_H - -#include - - - -extern void PQCLEAN_SNTRUP653_AVX2_ntt512_7681(int16_t *f, int reps); -extern void PQCLEAN_SNTRUP653_AVX2_ntt512_10753(int16_t *f, int reps); -extern void PQCLEAN_SNTRUP653_AVX2_invntt512_7681(int16_t *f, int reps); -extern void PQCLEAN_SNTRUP653_AVX2_invntt512_10753(int16_t *f, int reps); - -#endif diff --git a/crypto_kem/sntrup653/avx2/crypto_core_scale3sntrup653.c b/crypto_kem/sntrup653/avx2/crypto_core_scale3sntrup653.c deleted file mode 100644 index fbbd1f0f..00000000 --- a/crypto_kem/sntrup653/avx2/crypto_core_scale3sntrup653.c +++ /dev/null 
@@ -1,47 +0,0 @@ -#include "crypto_core_scale3sntrup653.h" -#include "crypto_decode_653xint16.h" -#include "crypto_encode_653xint16.h" -#include - -#define p 653 -#define q 4621 - -#define crypto_decode_pxint16 PQCLEAN_SNTRUP653_AVX2_crypto_decode_653xint16 -#define crypto_encode_pxint16 PQCLEAN_SNTRUP653_AVX2_crypto_encode_653xint16 - -typedef int16_t Fq; - -/* out = 3*in in Rq */ -int PQCLEAN_SNTRUP653_AVX2_crypto_core_scale3sntrup653(unsigned char *outbytes, const unsigned char *inbytes) { - int i = p - 16; - - __m256i save = _mm256_loadu_si256((__m256i *) (inbytes + 2 * i)); - /* in case outbytes = inbytes */ - - for (;;) { - do { - __m256i x = _mm256_loadu_si256((__m256i *) inbytes); - __m256i xneg; - x = _mm256_mullo_epi16(x, _mm256_set1_epi16(3)); - x = _mm256_sub_epi16(x, _mm256_set1_epi16((q + 1) / 2)); - xneg = _mm256_srai_epi16(x, 15); - x = _mm256_add_epi16(x, _mm256_set1_epi16(q)&xneg); - xneg = _mm256_srai_epi16(x, 15); - x = _mm256_add_epi16(x, _mm256_set1_epi16(q)&xneg); - x = _mm256_sub_epi16(x, _mm256_set1_epi16((q - 1) / 2)); - _mm256_storeu_si256((__m256i *) outbytes, x); - - inbytes += 32; - outbytes += 32; - i -= 16; - } while (i >= 0); - if (i <= -16) { - break; - } - inbytes += 2 * i; - outbytes += 2 * i; - _mm256_storeu_si256((__m256i *) outbytes, save); - } - - return 0; -} diff --git a/crypto_kem/sntrup653/avx2/crypto_core_scale3sntrup653.h b/crypto_kem/sntrup653/avx2/crypto_core_scale3sntrup653.h deleted file mode 100644 index 057afaf1..00000000 --- a/crypto_kem/sntrup653/avx2/crypto_core_scale3sntrup653.h +++ /dev/null 
@@ -1,11 +0,0 @@ -#ifndef PQCLEAN_SNTRUP653_AVX2_CRYPTO_CORE_SCALE3SNTRUP653_H -#define PQCLEAN_SNTRUP653_AVX2_CRYPTO_CORE_SCALE3SNTRUP653_H - -#include -#define PQCLEAN_SNTRUP653_AVX2_crypto_core_scale3sntrup653_OUTPUTBYTES 1306 -#define PQCLEAN_SNTRUP653_AVX2_crypto_core_scale3sntrup653_INPUTBYTES 1306 -#define PQCLEAN_SNTRUP653_AVX2_crypto_core_scale3sntrup653_KEYBYTES 0 -#define PQCLEAN_SNTRUP653_AVX2_crypto_core_scale3sntrup653_CONSTBYTES 0 - -int PQCLEAN_SNTRUP653_AVX2_crypto_core_scale3sntrup653(unsigned char *outbytes, const unsigned char *inbytes); -#endif diff --git a/crypto_kem/sntrup653/avx2/crypto_core_weightsntrup653.c b/crypto_kem/sntrup653/avx2/crypto_core_weightsntrup653.c deleted file mode 100644 index b7ef33de..00000000 --- a/crypto_kem/sntrup653/avx2/crypto_core_weightsntrup653.c +++ /dev/null 
@@ -1,45 +0,0 @@ -#include "crypto_core_weightsntrup653.h" -#include "crypto_encode_int16.h" -#include "params.h" -#include - -#define int8 int8_t -#define int16 int16_t - - -/* out = little-endian weight of bottom bits of in */ -int PQCLEAN_SNTRUP653_AVX2_crypto_core_weightsntrup653(unsigned char *outbytes, const unsigned char *inbytes) { - int8 *in = (void *) inbytes; - int i; - __m256i sum, sumhi; - int16 weight; - - sum = _mm256_loadu_si256((__m256i *) (in + p - 32)); - sum &= _mm256_set_epi8(1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0); - - for (i = p - 32; i >= 0; i -= 32) { - __m256i bits = _mm256_loadu_si256((__m256i *) in); - bits &= _mm256_set1_epi8(1); - sum = _mm256_add_epi8(sum, bits); - in += 32; - } - - /* sum is 32xint8; want to add these int8 */ - sumhi = _mm256_srli_epi16(sum, 8); - sum &= _mm256_set1_epi16(0xff); - sum = _mm256_add_epi16(sum, sumhi); - - /* sum is 16xint16; want to add these int16 */ - sum = _mm256_hadd_epi16(sum, sum); - /* want sum[0]+sum[1]+sum[2]+sum[3]+sum[8]+sum[9]+sum[10]+sum[11] */ - sum = _mm256_hadd_epi16(sum, sum); - /* want sum[0]+sum[1]+sum[8]+sum[9] */ - sum = _mm256_hadd_epi16(sum, sum); - /* want sum[0]+sum[8] */ - - weight = (int16) _mm256_extract_epi16(sum, 0); - weight += (int16) _mm256_extract_epi16(sum, 8); - - PQCLEAN_SNTRUP653_AVX2_crypto_encode_int16(outbytes, &weight); - return 0; -} diff --git a/crypto_kem/sntrup653/avx2/crypto_core_weightsntrup653.h b/crypto_kem/sntrup653/avx2/crypto_core_weightsntrup653.h deleted file mode 100644 index 99fa8769..00000000 --- a/crypto_kem/sntrup653/avx2/crypto_core_weightsntrup653.h +++ /dev/null 
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_AVX2_CRYPTO_CORE_WEIGHTSNTRUP653_H
-#define PQCLEAN_SNTRUP653_AVX2_CRYPTO_CORE_WEIGHTSNTRUP653_H
-
-#include
-#define PQCLEAN_SNTRUP653_AVX2_crypto_core_weightsntrup653_OUTPUTBYTES 2
-#define PQCLEAN_SNTRUP653_AVX2_crypto_core_weightsntrup653_INPUTBYTES 653
-#define PQCLEAN_SNTRUP653_AVX2_crypto_core_weightsntrup653_KEYBYTES 0
-#define PQCLEAN_SNTRUP653_AVX2_crypto_core_weightsntrup653_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP653_AVX2_crypto_core_weightsntrup653(unsigned char *outbytes, const unsigned char *inbytes);
-#endif
diff --git a/crypto_kem/sntrup653/avx2/crypto_core_wforcesntrup653.c b/crypto_kem/sntrup653/avx2/crypto_core_wforcesntrup653.c
deleted file mode 100644
index 63636176..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_core_wforcesntrup653.c
+++ /dev/null
@@ -1,61 +0,0 @@
-#include "crypto_core_wforcesntrup653.h"
-#include "crypto_decode_int16.h"
-#include "params.h"
-#include
-
-#define int16 int16_t
-
-
-/* out = in if bottom bits of in have weight w */
-/* otherwise out = (1,1,...,1,0,0,...,0) */
-int PQCLEAN_SNTRUP653_AVX2_crypto_core_wforcesntrup653(unsigned char *out, const unsigned char *in) {
- int16 weight;
- int16 mask;
- __m256i maskvec;
- int i;
-
- crypto_core_weight((unsigned char *) &weight, in);
- PQCLEAN_SNTRUP653_AVX2_crypto_decode_int16(&weight, (unsigned char *) &weight);
-
- mask = (int16) ((weight - w) | (w - weight));
- mask >>= 15;
- maskvec = _mm256_set1_epi16((short) ~mask);
-
- i = w - 32;
- for (;;) {
- do {
- __m256i x = _mm256_loadu_si256((__m256i *) in);
- x ^= _mm256_set1_epi8(1);
- x &= maskvec;
- x ^= _mm256_set1_epi8(1);
- _mm256_storeu_si256((__m256i *) out, x);
- in += 32;
- out += 32;
- i -= 32;
- } while (i >= 0);
- if (i <= -32) {
- break;
- }
- in += i;
- out += i;
- }
-
- i = p - w - 32;
- for (;;) {
- do {
- __m256i x = _mm256_loadu_si256((__m256i *) in);
- x &= maskvec;
- _mm256_storeu_si256((__m256i *) out, x);
- in += 32;
- out += 32;
- i -= 32;
- } while (i >= 0);
- if (i <= -32) {
- break;
- }
- in += i;
- out += i;
- }
-
- return 0;
-}
diff --git a/crypto_kem/sntrup653/avx2/crypto_core_wforcesntrup653.h b/crypto_kem/sntrup653/avx2/crypto_core_wforcesntrup653.h
deleted file mode 100644
index 2e4d78c4..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_core_wforcesntrup653.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_AVX2_CRYPTO_CORE_WFORCESNTRUP653_H
-#define PQCLEAN_SNTRUP653_AVX2_CRYPTO_CORE_WFORCESNTRUP653_H
-
-#include
-#define PQCLEAN_SNTRUP653_AVX2_crypto_core_wforcesntrup653_OUTPUTBYTES 653
-#define PQCLEAN_SNTRUP653_AVX2_crypto_core_wforcesntrup653_INPUTBYTES 653
-#define PQCLEAN_SNTRUP653_AVX2_crypto_core_wforcesntrup653_KEYBYTES 0
-#define PQCLEAN_SNTRUP653_AVX2_crypto_core_wforcesntrup653_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP653_AVX2_crypto_core_wforcesntrup653(unsigned char *out, const unsigned char *in);
-#endif
diff --git a/crypto_kem/sntrup653/avx2/crypto_decode_653x1541.c b/crypto_kem/sntrup653/avx2/crypto_decode_653x1541.c
deleted file mode 100644
index 2d3973f0..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_decode_653x1541.c
+++ /dev/null
@@ -1,404 +0,0 @@ -#include "crypto_decode_653x1541.h" -#include -/* auto-generated; do not edit */ - -#define int16 int16_t -#define int32 int32_t - -static inline int16 mullo(int16 x, int16 y) { - return x * y; -} - -static inline int16 mulhi(int16 x, int16 y) { - return (int16) ((x * (int32)y) >> 16); -} - -static inline __m256i add(__m256i x, __m256i y) { - return _mm256_add_epi16(x, y); -} - -static inline __m256i sub(__m256i x, __m256i y) { - return _mm256_sub_epi16(x, y); -} - -static inline __m256i shiftleftconst(__m256i x, int16 y) { - return _mm256_slli_epi16(x, y); -} - -static inline __m256i signedshiftrightconst(__m256i x, int16 y) { - return _mm256_srai_epi16(x, y); -} - -static inline __m256i subconst(__m256i x, int16 y) { - return sub(x, _mm256_set1_epi16(y)); -} - -static inline __m256i mulloconst(__m256i x, int16 y) { - return _mm256_mullo_epi16(x, _mm256_set1_epi16(y)); -} - -static inline __m256i mulhiconst(__m256i x, int16 y) { - return _mm256_mulhi_epi16(x, _mm256_set1_epi16(y)); -} - -static inline __m256i ifgesubconst(__m256i x, int16 y) { - __m256i y16 = _mm256_set1_epi16(y); - __m256i top16 = _mm256_set1_epi16((int16)(y - 1)); - return sub(x, _mm256_cmpgt_epi16(x, top16) & y16); -} - -static inline __m256i ifnegaddconst(__m256i x, int16 y) { - return add(x, signedshiftrightconst(x, 15) & _mm256_set1_epi16(y)); -} - -void PQCLEAN_SNTRUP653_AVX2_crypto_decode_653x1541(void *v, const unsigned char *s) { - int16 *R0 = v; - int16 R1[327], R2[164], R3[82], R4[41], R5[21], R6[11], R7[6], R8[3], R9[2], R10[1]; - long long i; - int16 a0, a1, a2; - __m256i A0, A1, A2, S0, S1, B0, B1, C0, C1; - - s += PQCLEAN_SNTRUP653_AVX2_crypto_decode_653x1541_STRBYTES; - a1 = 0; - a1 += *--s; /* 0...255 */ - a1 = mulhi(a1, -48) - mulhi(mullo(a1, -6433), 2608); - a1 += *--s; /* -1304...1558 */ - a1 += (a1 >> 15) & 2608; /* 0...2607 */ - R10[0] = a1; - - /* R10 ------> R9: reconstruct mod 1*[71]+[9402] */ - - i = 0; - s -= 1; - a2 = a0 = R10[0]; - a0 = mulhi(a0, 
-13) - mulhi(mullo(a0, 25845), 71); /* -39...35 */ - a0 += s[1 * i + 0]; /* -39...290 */ - a0 = mulhi(a0, 3) - mulhi(mullo(a0, -923), 71); /* -36...35 */ - a0 += (a0 >> 15) & 71; /* 0...70 */ - a1 = (int16) ((a2 << 8) + s[i] - a0); - a1 = mullo(a1, -22153); - - /* invalid inputs might need reduction mod 9402 */ - a1 -= 9402; - a1 += (a1 >> 15) & 9402; - - R9[0] = a0; - R9[1] = a1; - s -= 0; - - /* R9 ------> R8: reconstruct mod 2*[134]+[9402] */ - - R8[2] = R9[1]; - s -= 1; - for (i = 0; i >= 0; --i) { - a2 = a0 = R9[i]; - a0 = mulhi(a0, 14) - mulhi(mullo(a0, 5869), 134); /* -67...70 */ - a0 += s[1 * i + 0]; /* -67...325 */ - a0 = mulhi(a0, 10) - mulhi(mullo(a0, -489), 134); /* -68...67 */ - a0 += (a0 >> 15) & 134; /* 0...133 */ - a1 = (int16) ((a2 << 7) + ((s[i] - a0) >> 1)); - a1 = mullo(a1, 19563); - - /* invalid inputs might need reduction mod 134 */ - a1 -= 134; - a1 += (a1 >> 15) & 134; - - R8[2 * i] = a0; - R8[2 * i + 1] = a1; - } - - /* R8 ------> R7: reconstruct mod 5*[2953]+[815] */ - - i = 0; - s -= 1; - a2 = a0 = R8[2]; - a0 = mulhi(a0, 1223) - mulhi(mullo(a0, -5681), 2953); /* -1477...1782 */ - a0 += s[1 * i + 0]; /* -1477...2037 */ - a0 += (a0 >> 15) & 2953; /* 0...2952 */ - a1 = (int16) ((a2 << 8) + s[i] - a0); - a1 = mullo(a1, -9543); - - /* invalid inputs might need reduction mod 815 */ - a1 -= 815; - a1 += (a1 >> 15) & 815; - - R7[4] = a0; - R7[5] = a1; - s -= 4; - for (i = 1; i >= 0; --i) { - a0 = R8[i]; - a0 = mulhi(a0, 1223) - mulhi(mullo(a0, -5681), 2953); /* -1477...1782 */ - a0 += s[2 * i + 1]; /* -1477...2037 */ - a0 = mulhi(a0, 1223) - mulhi(mullo(a0, -5681), 2953); /* -1505...1514 */ - a0 += s[2 * i + 0]; /* -1505...1769 */ - a0 += (a0 >> 15) & 2953; /* 0...2952 */ - a1 = (int16) ((s[2 * i + 1] << 8) + s[2 * i] - a0); - a1 = mullo(a1, -9543); - - /* invalid inputs might need reduction mod 2953 */ - a1 -= 2953; - a1 += (a1 >> 15) & 2953; - - R7[2 * i] = a0; - R7[2 * i + 1] = a1; - } - - /* R7 ------> R6: reconstruct mod 10*[13910]+[815] */ 
- - R6[10] = R7[5]; - s -= 10; - for (i = 4; i >= 0; --i) { - a2 = a0 = R7[i]; - a0 = mulhi(a0, 1756) - mulhi(mullo(a0, -1206), 13910); /* -6955...7394 */ - a0 += s[2 * i + 1]; /* -6955...7649 */ - a0 = mulhi(a0, 1756) - mulhi(mullo(a0, -1206), 13910); /* -7142...7159 */ - a0 += s[2 * i + 0]; /* -7142...7414 */ - a0 += (a0 >> 15) & 13910; /* 0...13909 */ - a1 = (int16) ((a2 << 15) + (s[2 * i + 1] << 7) + ((s[2 * i] - a0) >> 1)); - a1 = mullo(a1, -13437); - - /* invalid inputs might need reduction mod 13910 */ - a1 -= 13910; - a1 += (a1 >> 15) & 13910; - - R6[2 * i] = a0; - R6[2 * i + 1] = a1; - } - - /* R6 ------> R5: reconstruct mod 20*[1887]+[815] */ - - R5[20] = R6[10]; - s -= 10; - for (i = 9; i >= 0; --i) { - a2 = a0 = R6[i]; - a0 = mulhi(a0, -101) - mulhi(mullo(a0, -8891), 1887); /* -969...943 */ - a0 += s[1 * i + 0]; /* -969...1198 */ - a0 += (a0 >> 15) & 1887; /* 0...1886 */ - a1 = (int16) ((a2 << 8) + s[i] - a0); - a1 = mullo(a1, 5279); - - /* invalid inputs might need reduction mod 1887 */ - a1 -= 1887; - a1 += (a1 >> 15) & 1887; - - R5[2 * i] = a0; - R5[2 * i + 1] = a1; - } - - /* R5 ------> R4: reconstruct mod 40*[695]+[815] */ - - R4[40] = R5[20]; - s -= 20; - i = 4; - for (;;) { - A2 = A0 = _mm256_loadu_si256((__m256i *) &R5[i]); - S0 = _mm256_cvtepu8_epi16(_mm_loadu_si128((__m128i *) (s + i))); - A0 = sub(mulhiconst(A0, -84), mulhiconst(mulloconst(A0, -24140), 695)); /* -369...347 */ - A0 = add(A0, S0); /* -369...602 */ - A0 = ifnegaddconst(A0, 695); /* 0...694 */ - A1 = add(shiftleftconst(A2, 8), sub(S0, A0)); - A1 = mulloconst(A1, 31495); - - /* invalid inputs might need reduction mod 695 */ - A1 = ifgesubconst(A1, 695); - - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = 
_mm256_permute2x128_si256(B0, B1, 0x20); - C1 = _mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: r16r17r18r19r20r21r22r23 r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R4[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R4[2 * i]), C1); - if (!i) { - break; - } - i = -16 - ((~15) & -i); - } - - /* R4 ------> R3: reconstruct mod 81*[6745]+[7910] */ - - i = 0; - s -= 2; - a0 = R4[40]; - a0 = mulhi(a0, 2401) - mulhi(mullo(a0, -2487), 6745); /* -3373...3972 */ - a0 += s[2 * i + 1]; /* -3373...4227 */ - a0 = mulhi(a0, 2401) - mulhi(mullo(a0, -2487), 6745); /* -3497...3527 */ - a0 += s[2 * i + 0]; /* -3497...3782 */ - a0 += (a0 >> 15) & 6745; /* 0...6744 */ - a1 = (int16) ((s[2 * i + 1] << 8) + s[2 * i] - a0); - a1 = mullo(a1, -29207); - - /* invalid inputs might need reduction mod 7910 */ - a1 -= 7910; - a1 += (a1 >> 15) & 7910; - - R3[80] = a0; - R3[81] = a1; - s -= 80; - i = 24; - for (;;) { - A0 = _mm256_loadu_si256((__m256i *) &R4[i]); - S0 = _mm256_loadu_si256((__m256i *) (s + 2 * i)); - S1 = _mm256_srli_epi16(S0, 8); - S0 &= _mm256_set1_epi16(255); - A0 = sub(mulhiconst(A0, 2401), mulhiconst(mulloconst(A0, -2487), 6745)); /* -3373...3972 */ - A0 = add(A0, S1); /* -3373...4227 */ - A0 = sub(mulhiconst(A0, 2401), mulhiconst(mulloconst(A0, -2487), 6745)); /* -3497...3527 */ - A0 = add(A0, S0); /* -3497...3782 */ - A0 = ifnegaddconst(A0, 6745); /* 0...6744 */ - A1 = add(shiftleftconst(S1, 8), sub(S0, A0)); - A1 = mulloconst(A1, -29207); - - /* invalid inputs might need reduction mod 6745 */ - A1 = ifgesubconst(A1, 6745); - - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = _mm256_permute2x128_si256(B0, B1, 0x20); - C1 = 
_mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: r16r17r18r19r20r21r22r23 r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R3[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R3[2 * i]), C1); - if (!i) { - break; - } - i = -16 - ((~15) & -i); - } - - /* R3 ------> R2: reconstruct mod 163*[1314]+[1541] */ - - i = 0; - s -= 1; - a2 = a0 = R3[81]; - a0 = mulhi(a0, 64) - mulhi(mullo(a0, -12768), 1314); /* -657...673 */ - a0 += s[1 * i + 0]; /* -657...928 */ - a0 += (a0 >> 15) & 1314; /* 0...1313 */ - a1 = (int16) ((a2 << 7) + ((s[i] - a0) >> 1)); - a1 = mullo(a1, -399); - - /* invalid inputs might need reduction mod 1541 */ - a1 -= 1541; - a1 += (a1 >> 15) & 1541; - - R2[162] = a0; - R2[163] = a1; - s -= 81; - i = 65; - for (;;) { - A2 = A0 = _mm256_loadu_si256((__m256i *) &R3[i]); - S0 = _mm256_cvtepu8_epi16(_mm_loadu_si128((__m128i *) (s + i))); - A0 = sub(mulhiconst(A0, 64), mulhiconst(mulloconst(A0, -12768), 1314)); /* -657...673 */ - A0 = add(A0, S0); /* -657...928 */ - A0 = ifnegaddconst(A0, 1314); /* 0...1313 */ - A1 = add(shiftleftconst(A2, 7), signedshiftrightconst(sub(S0, A0), 1)); - A1 = mulloconst(A1, -399); - - /* invalid inputs might need reduction mod 1314 */ - A1 = ifgesubconst(A1, 1314); - - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = _mm256_permute2x128_si256(B0, B1, 0x20); - C1 = _mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: r16r17r18r19r20r21r22r23 r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R2[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R2[2 * i]), C1); - if (!i) { - break; - } - i = -16 - ((~15) & -i); - } - - /* R2 ------> R1: 
reconstruct mod 326*[9277]+[1541] */ - - R1[326] = R2[163]; - s -= 326; - i = 147; - for (;;) { - A0 = _mm256_loadu_si256((__m256i *) &R2[i]); - S0 = _mm256_loadu_si256((__m256i *) (s + 2 * i)); - S1 = _mm256_srli_epi16(S0, 8); - S0 &= _mm256_set1_epi16(255); - A0 = sub(mulhiconst(A0, 4400), mulhiconst(mulloconst(A0, -1808), 9277)); /* -4639...5738 */ - A0 = add(A0, S1); /* -4639...5993 */ - A0 = sub(mulhiconst(A0, 4400), mulhiconst(mulloconst(A0, -1808), 9277)); /* -4950...5040 */ - A0 = add(A0, S0); /* -4950...5295 */ - A0 = ifnegaddconst(A0, 9277); /* 0...9276 */ - A1 = add(shiftleftconst(S1, 8), sub(S0, A0)); - A1 = mulloconst(A1, -27883); - - /* invalid inputs might need reduction mod 9277 */ - A1 = ifgesubconst(A1, 9277); - - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = _mm256_permute2x128_si256(B0, B1, 0x20); - C1 = _mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: r16r17r18r19r20r21r22r23 r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R1[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R1[2 * i]), C1); - if (!i) { - break; - } - i = -16 - ((~15) & -i); - } - - /* R1 ------> R0: reconstruct mod 653*[1541] */ - - R0[652] = (int16) (3 * R1[326] - 2310); - s -= 326; - i = 310; - for (;;) { - A2 = A0 = _mm256_loadu_si256((__m256i *) &R1[i]); - S0 = _mm256_cvtepu8_epi16(_mm_loadu_si128((__m128i *) (s + i))); - A0 = sub(mulhiconst(A0, 349), mulhiconst(mulloconst(A0, -10887), 1541)); /* -771...857 */ - A0 = add(A0, S0); /* -771...1112 */ - A0 = ifnegaddconst(A0, 1541); /* 0...1540 */ - A1 = add(shiftleftconst(A2, 8), sub(S0, A0)); - A1 = mulloconst(A1, -10547); - - /* invalid inputs might need reduction mod 1541 */ - A1 = 
ifgesubconst(A1, 1541); - - A0 = mulloconst(A0, 3); - A1 = mulloconst(A1, 3); - A0 = subconst(A0, 2310); - A1 = subconst(A1, 2310); - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = _mm256_permute2x128_si256(B0, B1, 0x20); - C1 = _mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: r16r17r18r19r20r21r22r23 r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R0[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R0[2 * i]), C1); - if (!i) { - break; - } - i = -16 - ((~15) & -i); - } -} diff --git a/crypto_kem/sntrup653/avx2/crypto_decode_653x1541.h b/crypto_kem/sntrup653/avx2/crypto_decode_653x1541.h deleted file mode 100644 index 5827b644..00000000 --- a/crypto_kem/sntrup653/avx2/crypto_decode_653x1541.h +++ /dev/null @@ -1,10 +0,0 @@ -#ifndef PQCLEAN_SNTRUP653_AVX2_CRYPTO_DECODE_653X1541_H -#define PQCLEAN_SNTRUP653_AVX2_CRYPTO_DECODE_653X1541_H - -#include -#define PQCLEAN_SNTRUP653_AVX2_crypto_decode_653x1541_STRBYTES 865 -#define PQCLEAN_SNTRUP653_AVX2_crypto_decode_653x1541_ITEMS 653 -#define PQCLEAN_SNTRUP653_AVX2_crypto_decode_653x1541_ITEMBYTES 2 - -void PQCLEAN_SNTRUP653_AVX2_crypto_decode_653x1541(void *v, const unsigned char *s); -#endif diff --git a/crypto_kem/sntrup653/avx2/crypto_decode_653x3.c b/crypto_kem/sntrup653/avx2/crypto_decode_653x3.c deleted file mode 100644 index 8e3ec8d9..00000000 --- a/crypto_kem/sntrup653/avx2/crypto_decode_653x3.c +++ /dev/null 
@@ -1,65 +0,0 @@
-#include "crypto_decode_653x3.h"
-#include
-#define uint8 uint8_t
-
-#define p 653
-#define loops 6
-#define overshoot 29
-
-void PQCLEAN_SNTRUP653_AVX2_crypto_decode_653x3(void *v, const unsigned char *s) {
- uint8 *f = v;
- int loop;
- uint8 *nextf = f + 128 - 4 * overshoot;
- const unsigned char *nexts = s + 32 - overshoot;
-
- for (loop = loops; loop > 0; --loop) {
- __m256i s0 = _mm256_loadu_si256((const __m256i *) s);
- s = nexts;
- nexts += 32;
-
- __m256i s1 = _mm256_srli_epi16(s0 & _mm256_set1_epi8(-16), 4);
- s0 &= _mm256_set1_epi8(15);
-
- __m256i a0 = _mm256_unpacklo_epi8(s0, s1);
- /* 0 0>>4 1 1>>4 2 2>>4 3 3>>4 4 4>>4 5 5>>4 6 6>>4 7 7>>4 */
- /* 16 16>>4 ... */
- __m256i a1 = _mm256_unpackhi_epi8(s0, s1);
- /* 8 8>>4 9 9>>4 10 10>>4 ... */
- /* 24 24>>4 ... */
-
- __m256i a2 = _mm256_srli_epi16(a0 & _mm256_set1_epi8(12), 2);
- __m256i a3 = _mm256_srli_epi16(a1 & _mm256_set1_epi8(12), 2);
- a0 &= _mm256_set1_epi8(3);
- a1 &= _mm256_set1_epi8(3);
-
- __m256i b0 = _mm256_unpacklo_epi8(a0, a2);
- /* 0 0>>2 0>>4 0>>6 1 1>>2 1>>4 1>>6 */
- /* 2 2>>2 2>>4 2>>6 3 3>>2 3>>4 3>.6 */
- /* 16 16>>2 16>>4 16>>6 ... */
- __m256i b2 = _mm256_unpackhi_epi8(a0, a2);
- /* 4 4>>2 ... */
- __m256i b1 = _mm256_unpacklo_epi8(a1, a3);
- /* 8 8>>2 ... */
- __m256i b3 = _mm256_unpackhi_epi8(a1, a3);
- /* 12 12>>2 ...
*/
-
- __m256i f0 = _mm256_permute2x128_si256(b0, b2, 0x20);
- __m256i f2 = _mm256_permute2x128_si256(b0, b2, 0x31);
- __m256i f1 = _mm256_permute2x128_si256(b1, b3, 0x20);
- __m256i f3 = _mm256_permute2x128_si256(b1, b3, 0x31);
-
- f0 = _mm256_add_epi8(f0, _mm256_set1_epi8(-1));
- f1 = _mm256_add_epi8(f1, _mm256_set1_epi8(-1));
- f2 = _mm256_add_epi8(f2, _mm256_set1_epi8(-1));
- f3 = _mm256_add_epi8(f3, _mm256_set1_epi8(-1));
-
- _mm256_storeu_si256((__m256i *) (f + 0), f0);
- _mm256_storeu_si256((__m256i *) (f + 32), f1);
- _mm256_storeu_si256((__m256i *) (f + 64), f2);
- _mm256_storeu_si256((__m256i *) (f + 96), f3);
- f = nextf;
- nextf += 128;
- }
-
- *f = (uint8) ((*s & 3) - 1);
-}
diff --git a/crypto_kem/sntrup653/avx2/crypto_decode_653x3.h b/crypto_kem/sntrup653/avx2/crypto_decode_653x3.h
deleted file mode 100644
index c331d9cc..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_decode_653x3.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_AVX2_CRYPTO_DECODE_653X3_H
-#define PQCLEAN_SNTRUP653_AVX2_CRYPTO_DECODE_653X3_H
-
-#include
-#define PQCLEAN_SNTRUP653_AVX2_crypto_decode_653x3_STRBYTES 164
-#define PQCLEAN_SNTRUP653_AVX2_crypto_decode_653x3_ITEMS 653
-#define PQCLEAN_SNTRUP653_AVX2_crypto_decode_653x3_ITEMBYTES 1
-
-void PQCLEAN_SNTRUP653_AVX2_crypto_decode_653x3(void *v, const unsigned char *s);
-#endif
diff --git a/crypto_kem/sntrup653/avx2/crypto_decode_653x4621.c b/crypto_kem/sntrup653/avx2/crypto_decode_653x4621.c
deleted file mode 100644
index e3d30bf5..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_decode_653x4621.c
+++ /dev/null
@@ -1,404 +0,0 @@ -#include "crypto_decode_653x4621.h" -#include -/* auto-generated; do not edit */ - -#define int16 int16_t -#define int32 int32_t - -static inline int16 mullo(int16 x, int16 y) { - return x * y; -} - -static inline int16 mulhi(int16 x, int16 y) { - return (int16) ((x * (int32)y) >> 16); -} - -static inline __m256i add(__m256i x, __m256i y) { - return _mm256_add_epi16(x, y); -} - -static inline __m256i sub(__m256i x, __m256i y) { - return _mm256_sub_epi16(x, y); -} - -static inline __m256i shiftleftconst(__m256i x, int16 y) { - return _mm256_slli_epi16(x, y); -} - -static inline __m256i signedshiftrightconst(__m256i x, int16 y) { - return _mm256_srai_epi16(x, y); -} - -static inline __m256i subconst(__m256i x, int16 y) { - return sub(x, _mm256_set1_epi16(y)); -} - -static inline __m256i mulloconst(__m256i x, int16 y) { - return _mm256_mullo_epi16(x, _mm256_set1_epi16(y)); -} - -static inline __m256i mulhiconst(__m256i x, int16 y) { - return _mm256_mulhi_epi16(x, _mm256_set1_epi16(y)); -} - -static inline __m256i ifgesubconst(__m256i x, int16 y) { - __m256i y16 = _mm256_set1_epi16(y); - __m256i top16 = _mm256_set1_epi16((int16)(y - 1)); - return sub(x, _mm256_cmpgt_epi16(x, top16) & y16); -} - -static inline __m256i ifnegaddconst(__m256i x, int16 y) { - return add(x, signedshiftrightconst(x, 15) & _mm256_set1_epi16(y)); -} - -void PQCLEAN_SNTRUP653_AVX2_crypto_decode_653x4621(void *v, const unsigned char *s) { - int16 *R0 = v; - int16 R1[327], R2[164], R3[82], R4[41], R5[21], R6[11], R7[6], R8[3], R9[2], R10[1]; - long long i; - int16 a0, a1, a2; - __m256i A0, A1, A2, S0, S1, B0, B1, C0, C1; - - s += PQCLEAN_SNTRUP653_AVX2_crypto_decode_653x4621_STRBYTES; - a1 = 0; - a1 += *--s; /* 0...255 */ - a1 -= 86; /* -86...169 */ - a1 -= 86; /* -172...83 */ - a1 += (a1 >> 15) & 86; /* -86...85 */ - a1 += (a1 >> 15) & 86; /* 0...85 */ - R10[0] = a1; - - /* R10 ------> R9: reconstruct mod 1*[835]+[6708] */ - - i = 0; - s -= 2; - a0 = R10[0]; - a0 = mulhi(a0, 
396) - mulhi(mullo(a0, -20092), 835); /* -418...516 */ - a0 += s[2 * i + 1]; /* -418...771 */ - a0 = mulhi(a0, 396) - mulhi(mullo(a0, -20092), 835); /* -421...422 */ - a0 += s[2 * i + 0]; /* -421...677 */ - a0 += (a0 >> 15) & 835; /* 0...834 */ - a1 = (int16) ((s[2 * i + 1] << 8) + s[2 * i] - a0); - a1 = mullo(a1, 8555); - - /* invalid inputs might need reduction mod 6708 */ - a1 -= 6708; - a1 += (a1 >> 15) & 6708; - - R9[0] = a0; - R9[1] = a1; - s -= 0; - - /* R9 ------> R8: reconstruct mod 2*[7396]+[6708] */ - - R8[2] = R9[1]; - s -= 2; - for (i = 0; i >= 0; --i) { - a2 = a0 = R9[i]; - a0 = mulhi(a0, 3088) - mulhi(mullo(a0, -2268), 7396); /* -3698...4470 */ - a0 += s[2 * i + 1]; /* -3698...4725 */ - a0 = mulhi(a0, 3088) - mulhi(mullo(a0, -2268), 7396); /* -3873...3920 */ - a0 += s[2 * i + 0]; /* -3873...4175 */ - a0 += (a0 >> 15) & 7396; /* 0...7395 */ - a1 = (int16) ((a2 << 14) + (s[2 * i + 1] << 6) + ((s[2 * i] - a0) >> 2)); - a1 = mullo(a1, -18679); - - /* invalid inputs might need reduction mod 7396 */ - a1 -= 7396; - a1 += (a1 >> 15) & 7396; - - R8[2 * i] = a0; - R8[2 * i + 1] = a1; - } - - /* R8 ------> R7: reconstruct mod 5*[86]+[78] */ - - s -= 0; - a2 = a0 = R8[2]; - a0 = mulhi(a0, 4) - mulhi(mullo(a0, -762), 86); /* -43...44 */ - a0 += (a0 >> 15) & 86; /* 0...85 */ - a1 = (int16) ((a2 - a0) >> 1); - a1 = mullo(a1, -16765); - - /* invalid inputs might need reduction mod 78 */ - a1 -= 78; - a1 += (a1 >> 15) & 78; - - R7[4] = a0; - R7[5] = a1; - s -= 0; - for (i = 1; i >= 0; --i) { - a2 = a0 = R8[i]; - a0 = mulhi(a0, 4) - mulhi(mullo(a0, -762), 86); /* -43...44 */ - a0 += (a0 >> 15) & 86; /* 0...85 */ - a1 = (int16) ((a2 - a0) >> 1); - a1 = mullo(a1, -16765); - - /* invalid inputs might need reduction mod 86 */ - a1 -= 86; - a1 += (a1 >> 15) & 86; - - R7[2 * i] = a0; - R7[2 * i + 1] = a1; - } - - /* R7 ------> R6: reconstruct mod 10*[2370]+[78] */ - - R6[10] = R7[5]; - s -= 10; - for (i = 4; i >= 0; --i) { - a2 = a0 = R7[i]; - a0 = mulhi(a0, -14) - 
mulhi(mullo(a0, -7079), 2370); /* -1189...1185 */ - a0 += s[2 * i + 1]; /* -1189...1440 */ - a0 = mulhi(a0, -14) - mulhi(mullo(a0, -7079), 2370); /* -1186...1185 */ - a0 += s[2 * i + 0]; /* -1186...1440 */ - a0 += (a0 >> 15) & 2370; /* 0...2369 */ - a1 = (int16) ((a2 << 15) + (s[2 * i + 1] << 7) + ((s[2 * i] - a0) >> 1)); - a1 = mullo(a1, -8351); - - /* invalid inputs might need reduction mod 2370 */ - a1 -= 2370; - a1 += (a1 >> 15) & 2370; - - R6[2 * i] = a0; - R6[2 * i + 1] = a1; - } - - /* R6 ------> R5: reconstruct mod 20*[12461]+[78] */ - - R5[20] = R6[10]; - s -= 20; - for (i = 9; i >= 0; --i) { - a0 = R6[i]; - a0 = mulhi(a0, 4710) - mulhi(mullo(a0, -1346), 12461); /* -6231...7408 */ - a0 += s[2 * i + 1]; /* -6231...7663 */ - a0 = mulhi(a0, 4710) - mulhi(mullo(a0, -1346), 12461); /* -6679...6781 */ - a0 += s[2 * i + 0]; /* -6679...7036 */ - a0 += (a0 >> 15) & 12461; /* 0...12460 */ - a1 = (int16) ((s[2 * i + 1] << 8) + s[2 * i] - a0); - a1 = mullo(a1, -19675); - - /* invalid inputs might need reduction mod 12461 */ - a1 -= 12461; - a1 += (a1 >> 15) & 12461; - - R5[2 * i] = a0; - R5[2 * i + 1] = a1; - } - - /* R5 ------> R4: reconstruct mod 40*[1786]+[78] */ - - R4[40] = R5[20]; - s -= 20; - i = 4; - for (;;) { - A2 = A0 = _mm256_loadu_si256((__m256i *) &R5[i]); - S0 = _mm256_cvtepu8_epi16(_mm_loadu_si128((__m128i *) (s + i))); - A0 = sub(mulhiconst(A0, -468), mulhiconst(mulloconst(A0, -9394), 1786)); /* -1010...893 */ - A0 = add(A0, S0); /* -1010...1148 */ - A0 = ifnegaddconst(A0, 1786); /* 0...1785 */ - A1 = add(shiftleftconst(A2, 7), signedshiftrightconst(sub(S0, A0), 1)); - A1 = mulloconst(A1, -12843); - - /* invalid inputs might need reduction mod 1786 */ - A1 = ifgesubconst(A1, 1786); - - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: 
r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = _mm256_permute2x128_si256(B0, B1, 0x20); - C1 = _mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: r16r17r18r19r20r21r22r23 r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R4[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R4[2 * i]), C1); - if (!i) { - break; - } - i = -16 - ((~15) & -i); - } - - /* R4 ------> R3: reconstruct mod 81*[676]+[7510] */ - - i = 0; - s -= 2; - a2 = a0 = R4[40]; - a0 = mulhi(a0, 248) - mulhi(mullo(a0, -24818), 676); /* -338...400 */ - a0 += s[2 * i + 1]; /* -338...655 */ - a0 = mulhi(a0, 248) - mulhi(mullo(a0, -24818), 676); /* -340...340 */ - a0 += s[2 * i + 0]; /* -340...595 */ - a0 += (a0 >> 15) & 676; /* 0...675 */ - a1 = (int16) ((a2 << 14) + (s[2 * i + 1] << 6) + ((s[2 * i] - a0) >> 2)); - a1 = mullo(a1, -23655); - - /* invalid inputs might need reduction mod 7510 */ - a1 -= 7510; - a1 += (a1 >> 15) & 7510; - - R3[80] = a0; - R3[81] = a1; - s -= 40; - i = 24; - for (;;) { - A2 = A0 = _mm256_loadu_si256((__m256i *) &R4[i]); - S0 = _mm256_cvtepu8_epi16(_mm_loadu_si128((__m128i *) (s + i))); - A0 = sub(mulhiconst(A0, 248), mulhiconst(mulloconst(A0, -24818), 676)); /* -338...400 */ - A0 = add(A0, S0); /* -338...655 */ - A0 = ifnegaddconst(A0, 676); /* 0...675 */ - A1 = add(shiftleftconst(A2, 6), signedshiftrightconst(sub(S0, A0), 2)); - A1 = mulloconst(A1, -23655); - - /* invalid inputs might need reduction mod 676 */ - A1 = ifgesubconst(A1, 676); - - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = _mm256_permute2x128_si256(B0, B1, 0x20); - C1 = _mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: 
r16r17r18r19r20r21r22r23 r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R3[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R3[2 * i]), C1); - if (!i) { - break; - } - i = -16 - ((~15) & -i); - } - - /* R3 ------> R2: reconstruct mod 163*[416]+[4621] */ - - i = 0; - s -= 1; - a2 = a0 = R3[81]; - a0 = mulhi(a0, -64) - mulhi(mullo(a0, 25206), 416); /* -224...208 */ - a0 += s[1 * i + 0]; /* -224...463 */ - a0 -= 416; /* -640..>47 */ - a0 += (a0 >> 15) & 416; /* -224...415 */ - a0 += (a0 >> 15) & 416; /* 0...415 */ - a1 = (int16) ((a2 << 3) + ((s[i] - a0) >> 5)); - a1 = mullo(a1, 20165); - - /* invalid inputs might need reduction mod 4621 */ - a1 -= 4621; - a1 += (a1 >> 15) & 4621; - - R2[162] = a0; - R2[163] = a1; - s -= 81; - i = 65; - for (;;) { - A2 = A0 = _mm256_loadu_si256((__m256i *) &R3[i]); - S0 = _mm256_cvtepu8_epi16(_mm_loadu_si128((__m128i *) (s + i))); - A0 = sub(mulhiconst(A0, -64), mulhiconst(mulloconst(A0, 25206), 416)); /* -224...208 */ - A0 = add(A0, S0); /* -224...463 */ - A0 = subconst(A0, 416); /* -640...47 */ - A0 = ifnegaddconst(A0, 416); /* -224...415 */ - A0 = ifnegaddconst(A0, 416); /* 0...415 */ - A1 = add(shiftleftconst(A2, 3), signedshiftrightconst(sub(S0, A0), 5)); - A1 = mulloconst(A1, 20165); - - /* invalid inputs might need reduction mod 416 */ - A1 = ifgesubconst(A1, 416); - - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = _mm256_permute2x128_si256(B0, B1, 0x20); - C1 = _mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: r16r17r18r19r20r21r22r23 r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R2[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R2[2 * i]), C1); - if (!i) { - break; - } 
- i = -16 - ((~15) & -i); - } - - /* R2 ------> R1: reconstruct mod 326*[326]+[4621] */ - - R1[326] = R2[163]; - s -= 163; - i = 147; - for (;;) { - A2 = A0 = _mm256_loadu_si256((__m256i *) &R2[i]); - S0 = _mm256_cvtepu8_epi16(_mm_loadu_si128((__m128i *) (s + i))); - A0 = sub(mulhiconst(A0, -48), mulhiconst(mulloconst(A0, 14072), 326)); /* -175...163 */ - A0 = add(A0, S0); /* -175...418 */ - A0 = subconst(A0, 326); /* -501...92 */ - A0 = ifnegaddconst(A0, 326); /* -175...325 */ - A0 = ifnegaddconst(A0, 326); /* 0...325 */ - A1 = add(shiftleftconst(A2, 7), signedshiftrightconst(sub(S0, A0), 1)); - A1 = mulloconst(A1, -19701); - - /* invalid inputs might need reduction mod 326 */ - A1 = ifgesubconst(A1, 326); - - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = _mm256_permute2x128_si256(B0, B1, 0x20); - C1 = _mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: r16r17r18r19r20r21r22r23 r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R1[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R1[2 * i]), C1); - if (!i) { - break; - } - i = -16 - ((~15) & -i); - } - - /* R1 ------> R0: reconstruct mod 653*[4621] */ - - R0[652] = R1[326] - 2310; - s -= 652; - i = 310; - for (;;) { - A0 = _mm256_loadu_si256((__m256i *) &R1[i]); - S0 = _mm256_loadu_si256((__m256i *) (s + 2 * i)); - S1 = _mm256_srli_epi16(S0, 8); - S0 &= _mm256_set1_epi16(255); - A0 = sub(mulhiconst(A0, -1635), mulhiconst(mulloconst(A0, -3631), 4621)); /* -2720...2310 */ - A0 = add(A0, S1); /* -2720...2565 */ - A0 = sub(mulhiconst(A0, -1635), mulhiconst(mulloconst(A0, -3631), 4621)); /* -2375...2378 */ - A0 = add(A0, S0); /* -2375...2633 */ - A0 = ifnegaddconst(A0, 4621); /* 0...4620 */ - 
A1 = add(shiftleftconst(S1, 8), sub(S0, A0)); - A1 = mulloconst(A1, -29499); - - /* invalid inputs might need reduction mod 4621 */ - A1 = ifgesubconst(A1, 4621); - - A0 = subconst(A0, 2310); - A1 = subconst(A1, 2310); - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = _mm256_permute2x128_si256(B0, B1, 0x20); - C1 = _mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: r16r17r18r19r20r21r22r23 r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R0[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R0[2 * i]), C1); - if (!i) { - break; - } - i = -16 - ((~15) & -i); - } -} diff --git a/crypto_kem/sntrup653/avx2/crypto_decode_653x4621.h b/crypto_kem/sntrup653/avx2/crypto_decode_653x4621.h deleted file mode 100644 index cb2a0a18..00000000 --- a/crypto_kem/sntrup653/avx2/crypto_decode_653x4621.h +++ /dev/null @@ -1,10 +0,0 @@ -#ifndef PQCLEAN_SNTRUP653_AVX2_CRYPTO_DECODE_653X4621_H -#define PQCLEAN_SNTRUP653_AVX2_CRYPTO_DECODE_653X4621_H - -#include -#define PQCLEAN_SNTRUP653_AVX2_crypto_decode_653x4621_STRBYTES 994 -#define PQCLEAN_SNTRUP653_AVX2_crypto_decode_653x4621_ITEMS 653 -#define PQCLEAN_SNTRUP653_AVX2_crypto_decode_653x4621_ITEMBYTES 2 - -void PQCLEAN_SNTRUP653_AVX2_crypto_decode_653x4621(void *v, const unsigned char *s); -#endif diff --git a/crypto_kem/sntrup653/avx2/crypto_decode_653xint16.c b/crypto_kem/sntrup653/avx2/crypto_decode_653xint16.c deleted file mode 100644 index d297f24c..00000000 --- a/crypto_kem/sntrup653/avx2/crypto_decode_653xint16.c +++ /dev/null 
@@ -1,15 +0,0 @@
-#include "crypto_decode_653xint16.h"
-
-
-void PQCLEAN_SNTRUP653_AVX2_crypto_decode_653xint16(void *v, const unsigned char *s) {
- uint16_t *x = v;
- int i;
-
- for (i = 0; i < 653; ++i) {
- uint16_t u0 = s[0];
- uint16_t u1 = s[1];
- *x = (uint16_t) (u0 | (u1 << 8));
- x += 1;
- s += 2;
- }
-}
diff --git a/crypto_kem/sntrup653/avx2/crypto_decode_653xint16.h b/crypto_kem/sntrup653/avx2/crypto_decode_653xint16.h
deleted file mode 100644
index 42e759a9..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_decode_653xint16.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_AVX2_CRYPTO_DECODE_653XINT16_H
-#define PQCLEAN_SNTRUP653_AVX2_CRYPTO_DECODE_653XINT16_H
-
-#include
-#define PQCLEAN_SNTRUP653_AVX2_crypto_decode_653xint16_STRBYTES 1306
-#define PQCLEAN_SNTRUP653_AVX2_crypto_decode_653xint16_ITEMBYTES 2
-#define PQCLEAN_SNTRUP653_AVX2_crypto_decode_653xint16_ITEMS 653
-
-void PQCLEAN_SNTRUP653_AVX2_crypto_decode_653xint16(void *v, const unsigned char *s);
-#endif
diff --git a/crypto_kem/sntrup653/avx2/crypto_decode_653xint32.c b/crypto_kem/sntrup653/avx2/crypto_decode_653xint32.c
deleted file mode 100644
index cbd3252f..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_decode_653xint32.c
+++ /dev/null
@@ -1,20 +0,0 @@
-#include "crypto_decode_653xint32.h"
-
-
-void PQCLEAN_SNTRUP653_AVX2_crypto_decode_653xint32(void *v, const unsigned char *s) {
- uint32_t *x = v;
- int i;
-
- for (i = 0; i < 653; ++i) {
- uint32_t u0 = s[0];
- uint32_t u1 = s[1];
- uint32_t u2 = s[2];
- uint32_t u3 = s[3];
- u1 <<= 8;
- u2 <<= 16;
- u3 <<= 24;
- *x = u0 | u1 | u2 | u3;
- x += 1;
- s += 4;
- }
-}
diff --git a/crypto_kem/sntrup653/avx2/crypto_decode_653xint32.h b/crypto_kem/sntrup653/avx2/crypto_decode_653xint32.h
deleted file mode 100644
index 5da882d6..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_decode_653xint32.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_AVX2_CRYPTO_DECODE_653XINT32_H
-#define PQCLEAN_SNTRUP653_AVX2_CRYPTO_DECODE_653XINT32_H
-
-#include
-#define PQCLEAN_SNTRUP653_AVX2_crypto_decode_653xint32_STRBYTES 2612
-#define PQCLEAN_SNTRUP653_AVX2_crypto_decode_653xint32_ITEMBYTES 4
-#define PQCLEAN_SNTRUP653_AVX2_crypto_decode_653xint32_ITEMS 653
-
-void PQCLEAN_SNTRUP653_AVX2_crypto_decode_653xint32(void *v, const unsigned char *s);
-#endif
diff --git a/crypto_kem/sntrup653/avx2/crypto_decode_int16.c b/crypto_kem/sntrup653/avx2/crypto_decode_int16.c
deleted file mode 100644
index b798013c..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_decode_int16.c
+++ /dev/null
@@ -1,9 +0,0 @@
-#include "crypto_decode_int16.h"
-
-
-void PQCLEAN_SNTRUP653_AVX2_crypto_decode_int16(void *x, const unsigned char *s) {
- uint16_t u0 = s[0];
- uint16_t u1 = s[1];
- u1 = (uint16_t) (u1 << 8);
- *(uint16_t *) x = u0 | u1;
-}
diff --git a/crypto_kem/sntrup653/avx2/crypto_decode_int16.h b/crypto_kem/sntrup653/avx2/crypto_decode_int16.h
deleted file mode 100644
index 58e7279e..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_decode_int16.h
+++ /dev/null
@@ -1,9 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_AVX2_CRYPTO_DECODE_INT16_H
-#define PQCLEAN_SNTRUP653_AVX2_CRYPTO_DECODE_INT16_H
-
-#include
-#define crypto_core_multsntrup857_STRBYTES 2
-#define crypto_core_multsntrup857_ITEMBYTES 2
-#define crypto_core_multsntrup857_ITEMS 1
-void PQCLEAN_SNTRUP653_AVX2_crypto_decode_int16(void *x, const unsigned char *s);
-#endif
diff --git a/crypto_kem/sntrup653/avx2/crypto_encode_653x1541.c b/crypto_kem/sntrup653/avx2/crypto_encode_653x1541.c
deleted file mode 100644
index c4c1c9c8..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_encode_653x1541.c
+++ /dev/null
@@ -1,286 +0,0 @@ -#include "crypto_encode_653x1541.h" -#include -/* auto-generated; do not edit */ - -#define int16 int16_t -#define uint16 uint16_t -#define uint32 uint32_t - -void PQCLEAN_SNTRUP653_AVX2_crypto_encode_653x1541(unsigned char *out, const void *v) { - const int16 *R0 = v; - /* XXX: caller could overlap R with input */ - uint16 R[327]; - long i; - const uint16 *reading; - uint16 *writing; - uint16 r0, r1; - uint32 r2; - uint32 s0; - - reading = (uint16 *) R0; - writing = R; - i = 41; - while (i > 0) { - __m256i x, y; - --i; - if (!i) { - reading -= 4; - writing -= 2; - out -= 2; - } - x = _mm256_loadu_si256((__m256i *) reading); - x = _mm256_add_epi16(x, _mm256_set1_epi16(2310)); - x &= _mm256_set1_epi16(16383); - x = _mm256_mulhi_epi16(x, _mm256_set1_epi16(21846)); - y = x & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(1541)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, _mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) _mm256_extract_epi32(x, 6); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - reading += 16; - writing += 8; - } - R[326] = (uint16) ((((R0[652] + 2310) & 16383) * 10923) >> 15); - - reading = (uint16 *) R; - writing = R; - i = 11; - while (i > 0) { - __m256i x, x2, y, y2; - --i; - if (!i) { - reading -= 26; - writing -= 13; - out -= 26; - } - x = _mm256_loadu_si256((__m256i *) (reading + 0)); - x2 = _mm256_loadu_si256((__m256i *) (reading + 
16)); - y = x & _mm256_set1_epi32(65535); - y2 = x2 & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x2 = _mm256_srli_epi32(x2, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(9277)); - x2 = _mm256_mullo_epi32(x2, _mm256_set1_epi32(9277)); - x = _mm256_add_epi32(y, x); - x2 = _mm256_add_epi32(y2, x2); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x2 = _mm256_shuffle_epi8(x2, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - x2 = _mm256_permute4x64_epi64(x2, 0xd8); - _mm256_storeu_si256((__m256i *) writing, _mm256_permute2f128_si256(x, x2, 0x31)); - _mm256_storeu_si256((__m256i *) out, _mm256_permute2f128_si256(x, x2, 0x20)); - reading += 32; - writing += 16; - out += 32; - } - R[163] = R[326]; - - reading = (uint16 *) R; - writing = R; - i = 11; - while (i > 0) { - __m256i x, y; - --i; - if (!i) { - reading -= 12; - writing -= 6; - out -= 6; - } - x = _mm256_loadu_si256((__m256i *) reading); - y = x & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(1314)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, _mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) _mm256_extract_epi32(x, 6); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) 
s0; - reading += 16; - writing += 8; - } - - reading = (uint16 *) R; - writing = R; - i = 3; - while (i > 0) { - __m256i x, x2, y, y2; - --i; - if (!i) { - reading -= 14; - writing -= 7; - out -= 14; - } - x = _mm256_loadu_si256((__m256i *) (reading + 0)); - x2 = _mm256_loadu_si256((__m256i *) (reading + 16)); - y = x & _mm256_set1_epi32(65535); - y2 = x2 & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x2 = _mm256_srli_epi32(x2, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(6745)); - x2 = _mm256_mullo_epi32(x2, _mm256_set1_epi32(6745)); - x = _mm256_add_epi32(y, x); - x2 = _mm256_add_epi32(y2, x2); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x2 = _mm256_shuffle_epi8(x2, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - x2 = _mm256_permute4x64_epi64(x2, 0xd8); - _mm256_storeu_si256((__m256i *) writing, _mm256_permute2f128_si256(x, x2, 0x31)); - _mm256_storeu_si256((__m256i *) out, _mm256_permute2f128_si256(x, x2, 0x20)); - reading += 32; - writing += 16; - out += 32; - } - - reading = (uint16 *) R; - writing = R; - i = 3; - while (i > 0) { - __m256i x, y; - --i; - if (!i) { - reading -= 8; - writing -= 4; - out -= 4; - } - x = _mm256_loadu_si256((__m256i *) reading); - y = x & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(695)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, _mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - 
s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) _mm256_extract_epi32(x, 6); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - reading += 16; - writing += 8; - } - R[20] = R[40]; - - for (i = 0; i < 10; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)1887; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[10] = R[20]; - - for (i = 0; i < 5; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)13910; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[5] = R[10]; - - for (i = 0; i < 2; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)2953; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - r0 = R[4]; - r1 = R[5]; - r2 = r0 + r1 * (uint32)2953; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[2] = (uint16) r2; - - r0 = R[0]; - r1 = R[1]; - r2 = r0 + r1 * (uint32)134; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[0] = (uint16) r2; - R[1] = R[2]; - - r0 = R[0]; - r1 = R[1]; - r2 = r0 + r1 * (uint32)71; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[0] = (uint16) r2; - - r0 = R[0]; - *out++ = (unsigned char) r0; - r0 >>= 8; - *out++ = (unsigned char) r0; -} diff --git a/crypto_kem/sntrup653/avx2/crypto_encode_653x1541.h b/crypto_kem/sntrup653/avx2/crypto_encode_653x1541.h deleted file mode 100644 index 6319c0a0..00000000 --- a/crypto_kem/sntrup653/avx2/crypto_encode_653x1541.h +++ /dev/null 
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_AVX2_CRYPTO_ENCODE_653X1541_H
-#define PQCLEAN_SNTRUP653_AVX2_CRYPTO_ENCODE_653X1541_H
-
-#include
-#define PQCLEAN_SNTRUP653_AVX2_crypto_encode_653x1541_STRBYTES 865
-#define PQCLEAN_SNTRUP653_AVX2_crypto_encode_653x1541_ITEMS 653
-#define PQCLEAN_SNTRUP653_AVX2_crypto_encode_653x1541_ITEMBYTES 2
-
-void PQCLEAN_SNTRUP653_AVX2_crypto_encode_653x1541(unsigned char *out, const void *v);
-#endif
diff --git a/crypto_kem/sntrup653/avx2/crypto_encode_653x1541round.c b/crypto_kem/sntrup653/avx2/crypto_encode_653x1541round.c
deleted file mode 100644
index cccf060e..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_encode_653x1541round.c
+++ /dev/null
@@ -1,288 +0,0 @@ -#include "crypto_encode_653x1541round.h" -#include -/* auto-generated; do not edit */ - -#define int16 int16_t -#define uint16 uint16_t -#define uint32 uint32_t - -void PQCLEAN_SNTRUP653_AVX2_crypto_encode_653x1541round(unsigned char *out, const void *v) { - const int16 *R0 = v; - /* XXX: caller could overlap R with input */ - uint16 R[327]; - long i; - const uint16 *reading; - uint16 *writing; - uint16 r0, r1; - uint32 r2; - uint32 s0; - - reading = (uint16 *) R0; - writing = R; - i = 41; - while (i > 0) { - __m256i x, y; - --i; - if (!i) { - reading -= 4; - writing -= 2; - out -= 2; - } - x = _mm256_loadu_si256((__m256i *) reading); - x = _mm256_mulhrs_epi16(x, _mm256_set1_epi16(10923)); - x = _mm256_add_epi16(x, _mm256_add_epi16(x, x)); - x = _mm256_add_epi16(x, _mm256_set1_epi16(2310)); - x &= _mm256_set1_epi16(16383); - x = _mm256_mulhi_epi16(x, _mm256_set1_epi16(21846)); - y = x & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(1541)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, _mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) _mm256_extract_epi32(x, 6); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - reading += 16; - writing += 8; - } - R[326] = (uint16) ((((3 * ((10923 * R0[652] + 16384) >> 15) + 2310) & 16383) * 10923) >> 15); - - reading = (uint16 *) R; - writing = R; - i = 11; - while (i > 0) { - __m256i x, x2, y, y2; - --i; - if (!i) { - 
reading -= 26; - writing -= 13; - out -= 26; - } - x = _mm256_loadu_si256((__m256i *) (reading + 0)); - x2 = _mm256_loadu_si256((__m256i *) (reading + 16)); - y = x & _mm256_set1_epi32(65535); - y2 = x2 & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x2 = _mm256_srli_epi32(x2, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(9277)); - x2 = _mm256_mullo_epi32(x2, _mm256_set1_epi32(9277)); - x = _mm256_add_epi32(y, x); - x2 = _mm256_add_epi32(y2, x2); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x2 = _mm256_shuffle_epi8(x2, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - x2 = _mm256_permute4x64_epi64(x2, 0xd8); - _mm256_storeu_si256((__m256i *) writing, _mm256_permute2f128_si256(x, x2, 0x31)); - _mm256_storeu_si256((__m256i *) out, _mm256_permute2f128_si256(x, x2, 0x20)); - reading += 32; - writing += 16; - out += 32; - } - R[163] = R[326]; - - reading = (uint16 *) R; - writing = R; - i = 11; - while (i > 0) { - __m256i x, y; - --i; - if (!i) { - reading -= 12; - writing -= 6; - out -= 6; - } - x = _mm256_loadu_si256((__m256i *) reading); - y = x & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(1314)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, _mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) _mm256_extract_epi32(x, 6); - 
*out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - reading += 16; - writing += 8; - } - - reading = (uint16 *) R; - writing = R; - i = 3; - while (i > 0) { - __m256i x, x2, y, y2; - --i; - if (!i) { - reading -= 14; - writing -= 7; - out -= 14; - } - x = _mm256_loadu_si256((__m256i *) (reading + 0)); - x2 = _mm256_loadu_si256((__m256i *) (reading + 16)); - y = x & _mm256_set1_epi32(65535); - y2 = x2 & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x2 = _mm256_srli_epi32(x2, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(6745)); - x2 = _mm256_mullo_epi32(x2, _mm256_set1_epi32(6745)); - x = _mm256_add_epi32(y, x); - x2 = _mm256_add_epi32(y2, x2); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x2 = _mm256_shuffle_epi8(x2, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - x2 = _mm256_permute4x64_epi64(x2, 0xd8); - _mm256_storeu_si256((__m256i *) writing, _mm256_permute2f128_si256(x, x2, 0x31)); - _mm256_storeu_si256((__m256i *) out, _mm256_permute2f128_si256(x, x2, 0x20)); - reading += 32; - writing += 16; - out += 32; - } - - reading = (uint16 *) R; - writing = R; - i = 3; - while (i > 0) { - __m256i x, y; - --i; - if (!i) { - reading -= 8; - writing -= 4; - out -= 4; - } - x = _mm256_loadu_si256((__m256i *) reading); - y = x & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(695)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, 
_mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) _mm256_extract_epi32(x, 6); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - reading += 16; - writing += 8; - } - R[20] = R[40]; - - for (i = 0; i < 10; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)1887; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[10] = R[20]; - - for (i = 0; i < 5; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)13910; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[5] = R[10]; - - for (i = 0; i < 2; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)2953; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - r0 = R[4]; - r1 = R[5]; - r2 = r0 + r1 * (uint32)2953; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[2] = (uint16) r2; - - r0 = R[0]; - r1 = R[1]; - r2 = r0 + r1 * (uint32)134; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[0] = (uint16) r2; - R[1] = R[2]; - - r0 = R[0]; - r1 = R[1]; - r2 = r0 + r1 * (uint32)71; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[0] = (uint16) r2; - - r0 = R[0]; - *out++ = (unsigned char) r0; - r0 >>= 8; - *out++ = (unsigned char) r0; -} diff --git a/crypto_kem/sntrup653/avx2/crypto_encode_653x1541round.h b/crypto_kem/sntrup653/avx2/crypto_encode_653x1541round.h deleted file mode 100644 index 03640612..00000000 --- a/crypto_kem/sntrup653/avx2/crypto_encode_653x1541round.h +++ /dev/null 
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_AVX2_CRYPTO_ENCODE_653X1541ROUND_H
-#define PQCLEAN_SNTRUP653_AVX2_CRYPTO_ENCODE_653X1541ROUND_H
-
-#include
-#define PQCLEAN_SNTRUP653_AVX2_crypto_encode_653x1541round_STRBYTES 865
-#define PQCLEAN_SNTRUP653_AVX2_crypto_encode_653x1541round_ITEMS 653
-#define PQCLEAN_SNTRUP653_AVX2_crypto_encode_653x1541round_ITEMBYTES 2
-
-void PQCLEAN_SNTRUP653_AVX2_crypto_encode_653x1541round(unsigned char *out, const void *v);
-#endif
diff --git a/crypto_kem/sntrup653/avx2/crypto_encode_653x3.c b/crypto_kem/sntrup653/avx2/crypto_encode_653x3.c
deleted file mode 100644
index c4b4b5e0..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_encode_653x3.c
+++ /dev/null
@@ -1,64 +0,0 @@
-#include "crypto_encode_653x3.h"
-#include
-#define uint8 uint8_t
-
-#define p 653
-#define loops 6
-#define overshoot 29
-
-static const union {
- uint8 init[32];
- __m256i val;
-} lobytes_buf = { .init = {
- 255, 0, 255, 0, 255, 0, 255, 0,
- 255, 0, 255, 0, 255, 0, 255, 0,
- 255, 0, 255, 0, 255, 0, 255, 0,
- 255, 0, 255, 0, 255, 0, 255, 0,
- }
-};
-#define lobytes (lobytes_buf.val)
-
-void PQCLEAN_SNTRUP653_AVX2_crypto_encode_653x3(unsigned char *s, const void *v) {
- const uint8 *f = v;
- int loop;
- const uint8 *nextf = f + 128 - 4 * overshoot;
- unsigned char *nexts = s + 32 - overshoot;
-
- for (loop = loops; loop > 0; --loop) {
- __m256i f0 = _mm256_loadu_si256((const __m256i *) (f + 0));
- __m256i f1 = _mm256_loadu_si256((const __m256i *) (f + 32));
- __m256i f2 = _mm256_loadu_si256((const __m256i *) (f + 64));
- __m256i f3 = _mm256_loadu_si256((const __m256i *) (f + 96));
- f = nextf;
- nextf += 128;
-
- __m256i a0 = _mm256_packus_epi16(f0 & lobytes, f1 & lobytes);
- /* 0 2 4 6 8 10 12 14 32 34 36 38 40 42 44 46 */
- /* 16 18 20 22 24 26 28 30 48 50 52 54 56 58 60 62 */
- __m256i a1 = _mm256_packus_epi16(_mm256_srli_epi16(f0, 8), _mm256_srli_epi16(f1, 8));
- /* 1 3 ... */
- __m256i a2 = _mm256_packus_epi16(f2 & lobytes, f3 & lobytes);
- __m256i a3 = _mm256_packus_epi16(_mm256_srli_epi16(f2, 8), _mm256_srli_epi16(f3, 8));
-
- a0 = _mm256_add_epi8(a0, _mm256_slli_epi16(a1 & _mm256_set1_epi8(63), 2));
- a2 = _mm256_add_epi8(a2, _mm256_slli_epi16(a3 & _mm256_set1_epi8(63), 2));
-
- __m256i b0 = _mm256_packus_epi16(a0 & lobytes, a2 & lobytes);
- /* 0 4 8 12 32 36 40 44 64 68 72 76 96 100 104 108 */
- /* 16 20 24 28 48 52 56 60 80 84 88 92 112 116 120 124 */
- __m256i b2 = _mm256_packus_epi16(_mm256_srli_epi16(a0, 8), _mm256_srli_epi16(a2, 8));
- /* 2 6 ... */
-
- b0 = _mm256_add_epi8(b0, _mm256_slli_epi16(b2 & _mm256_set1_epi8(15), 4));
-
- b0 = _mm256_permutevar8x32_epi32(b0, _mm256_set_epi32(7, 3, 6, 2, 5, 1, 4, 0));
-
- b0 = _mm256_add_epi8(b0, _mm256_set1_epi8(85));
-
- _mm256_storeu_si256((__m256i *) s, b0);
- s = nexts;
- nexts += 32;
- }
-
- *s++ = *f++ + 1;
-}
diff --git a/crypto_kem/sntrup653/avx2/crypto_encode_653x3.h b/crypto_kem/sntrup653/avx2/crypto_encode_653x3.h
deleted file mode 100644
index 029ce76f..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_encode_653x3.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_AVX2_CRYPTO_ENCODE_653X3_H
-#define PQCLEAN_SNTRUP653_AVX2_CRYPTO_ENCODE_653X3_H
-
-#include
-#define PQCLEAN_SNTRUP653_AVX2_crypto_encode_653x3_STRBYTES 164
-#define PQCLEAN_SNTRUP653_AVX2_crypto_encode_653x3_ITEMS 653
-#define PQCLEAN_SNTRUP653_AVX2_crypto_encode_653x3_ITEMBYTES 1
-
-void PQCLEAN_SNTRUP653_AVX2_crypto_encode_653x3(unsigned char *s, const void *v);
-#endif
diff --git a/crypto_kem/sntrup653/avx2/crypto_encode_653x4621.c b/crypto_kem/sntrup653/avx2/crypto_encode_653x4621.c
deleted file mode 100644
index de000f6e..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_encode_653x4621.c
+++ /dev/null
@@ -1,288 +0,0 @@ -#include "crypto_encode_653x4621.h" -#include -/* auto-generated; do not edit */ - -#define int16 int16_t -#define uint16 uint16_t -#define uint32 uint32_t - -void PQCLEAN_SNTRUP653_AVX2_crypto_encode_653x4621(unsigned char *out, const void *v) { - const int16 *R0 = v; - /* XXX: caller could overlap R with input */ - uint16 R[327]; - long i; - const uint16 *reading; - uint16 *writing; - uint16 r0, r1; - uint32 r2; - uint32 s0; - - reading = (uint16 *) R0; - writing = R; - i = 21; - while (i > 0) { - __m256i x, x2, y, y2; - --i; - if (!i) { - reading -= 20; - writing -= 10; - out -= 20; - } - x = _mm256_loadu_si256((__m256i *) (reading + 0)); - x2 = _mm256_loadu_si256((__m256i *) (reading + 16)); - x = _mm256_add_epi16(x, _mm256_set1_epi16(2310)); - x2 = _mm256_add_epi16(x2, _mm256_set1_epi16(2310)); - x &= _mm256_set1_epi16(16383); - x2 &= _mm256_set1_epi16(16383); - y = x & _mm256_set1_epi32(65535); - y2 = x2 & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x2 = _mm256_srli_epi32(x2, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(4621)); - x2 = _mm256_mullo_epi32(x2, _mm256_set1_epi32(4621)); - x = _mm256_add_epi32(y, x); - x2 = _mm256_add_epi32(y2, x2); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x2 = _mm256_shuffle_epi8(x2, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - x2 = _mm256_permute4x64_epi64(x2, 0xd8); - _mm256_storeu_si256((__m256i *) writing, _mm256_permute2f128_si256(x, x2, 0x31)); - _mm256_storeu_si256((__m256i *) out, _mm256_permute2f128_si256(x, x2, 0x20)); - reading += 32; - writing += 16; - out += 32; - } - R[326] = (uint16) (((R0[652] + 2310) & 16383)); - - reading = (uint16 *) R; - writing = R; - i = 21; - while (i > 0) { - __m256i x, y; - --i; - if (!i) { - 
reading -= 10; - writing -= 5; - out -= 5; - } - x = _mm256_loadu_si256((__m256i *) reading); - y = x & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(326)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, _mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) _mm256_extract_epi32(x, 6); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - reading += 16; - writing += 8; - } - R[163] = R[326]; - - reading = (uint16 *) R; - writing = R; - i = 11; - while (i > 0) { - __m256i x, y; - --i; - if (!i) { - reading -= 12; - writing -= 6; - out -= 6; - } - x = _mm256_loadu_si256((__m256i *) reading); - y = x & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(416)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, _mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) _mm256_extract_epi32(x, 6); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = 
(unsigned char) s0; - reading += 16; - writing += 8; - } - - reading = (uint16 *) R; - writing = R; - i = 5; - while (i > 0) { - __m256i x, y; - --i; - x = _mm256_loadu_si256((__m256i *) reading); - y = x & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(676)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, _mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) _mm256_extract_epi32(x, 6); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - reading += 16; - writing += 8; - } - r0 = R[80]; - r1 = R[81]; - r2 = r0 + r1 * (uint32)676; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[40] = (uint16) r2; - - reading = (uint16 *) R; - writing = R; - i = 3; - while (i > 0) { - __m256i x, y; - --i; - if (!i) { - reading -= 8; - writing -= 4; - out -= 4; - } - x = _mm256_loadu_si256((__m256i *) reading); - y = x & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(1786)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, _mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - 
*out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) _mm256_extract_epi32(x, 6); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - reading += 16; - writing += 8; - } - R[20] = R[40]; - - for (i = 0; i < 10; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)12461; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[10] = R[20]; - - for (i = 0; i < 5; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)2370; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[5] = R[10]; - - for (i = 0; i < 3; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)86; - R[i] = (uint16) r2; - } - - r0 = R[0]; - r1 = R[1]; - r2 = r0 + r1 * (uint32)7396; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[0] = (uint16) r2; - R[1] = R[2]; - - r0 = R[0]; - r1 = R[1]; - r2 = r0 + r1 * (uint32)835; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[0] = (uint16) r2; - - r0 = R[0]; - *out++ = (unsigned char) r0; -} diff --git a/crypto_kem/sntrup653/avx2/crypto_encode_653x4621.h b/crypto_kem/sntrup653/avx2/crypto_encode_653x4621.h deleted file mode 100644 index f56bb49f..00000000 --- a/crypto_kem/sntrup653/avx2/crypto_encode_653x4621.h +++ /dev/null @@ -1,10 +0,0 @@ -#ifndef PQCLEAN_SNTRUP653_AVX2_CRYPTO_ENCODE_653X4621_H -#define PQCLEAN_SNTRUP653_AVX2_CRYPTO_ENCODE_653X4621_H - -#include -#define PQCLEAN_SNTRUP653_AVX2_crypto_encode_653x4621_STRBYTES 994 -#define PQCLEAN_SNTRUP653_AVX2_crypto_encode_653x4621_ITEMS 653 -#define PQCLEAN_SNTRUP653_AVX2_crypto_encode_653x4621_ITEMBYTES 2 - -void PQCLEAN_SNTRUP653_AVX2_crypto_encode_653x4621(unsigned char *out, const void *v); -#endif 
diff --git a/crypto_kem/sntrup653/avx2/crypto_encode_653xfreeze3.c b/crypto_kem/sntrup653/avx2/crypto_encode_653xfreeze3.c
deleted file mode 100644
index dedece25..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_encode_653xfreeze3.c
+++ /dev/null
@@ -1,31 +0,0 @@
-#include "crypto_encode_653xfreeze3.h"
-#include
-#define int16 int16_t
-
-#define p 653
-
-void PQCLEAN_SNTRUP653_AVX2_crypto_encode_653xfreeze3(unsigned char *s, const void *v) {
- const int16 *r = v;
-
- int i = p - 16;
- for (;;) {
- do {
- __m256i x = _mm256_loadu_si256((__m256i *) r);
- __m256i y = _mm256_mulhrs_epi16(x, _mm256_set1_epi16(10923));
- x = _mm256_sub_epi16(x, y);
- y = _mm256_add_epi16(y, y);
- x = _mm256_sub_epi16(x, y);
- __m128i x0 = _mm256_extractf128_si256(x, 0);
- __m128i x1 = _mm256_extractf128_si256(x, 1);
- _mm_storeu_si128((__m128i *) s, _mm_packs_epi16(x0, x1));
- i -= 16;
- r += 16;
- s += 16;
- } while (i >= 0);
- if (i <= -16) {
- break;
- }
- r += i;
- s += i;
- }
-}
diff --git a/crypto_kem/sntrup653/avx2/crypto_encode_653xfreeze3.h b/crypto_kem/sntrup653/avx2/crypto_encode_653xfreeze3.h
deleted file mode 100644
index e4e8102c..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_encode_653xfreeze3.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_AVX2_CRYPTO_ENCODE_653XFREEZE3_H
-#define PQCLEAN_SNTRUP653_AVX2_CRYPTO_ENCODE_653XFREEZE3_H
-
-#include
-#define PQCLEAN_SNTRUP653_AVX2_crypto_encode_653xfreeze3_STRBYTES 653
-#define PQCLEAN_SNTRUP653_AVX2_crypto_encode_653xfreeze3_ITEMS 653
-#define PQCLEAN_SNTRUP653_AVX2_crypto_encode_653xfreeze3_ITEMBYTES 2
-
-void PQCLEAN_SNTRUP653_AVX2_crypto_encode_653xfreeze3(unsigned char *s, const void *v);
-#endif
diff --git a/crypto_kem/sntrup653/avx2/crypto_encode_653xint16.c b/crypto_kem/sntrup653/avx2/crypto_encode_653xint16.c
deleted file mode 100644
index 28c79250..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_encode_653xint16.c
+++ /dev/null
@@ -1,13 +0,0 @@
-#include "crypto_encode_653xint16.h"
-
-
-void PQCLEAN_SNTRUP653_AVX2_crypto_encode_653xint16(unsigned char *s, const void *v) {
- const uint16_t *x = v;
- int i;
-
- for (i = 0; i < 653; ++i) {
- uint16_t u = *x++;
- *s++ = (unsigned char) u;
- *s++ = (unsigned char) (u >> 8);
- }
-}
diff --git a/crypto_kem/sntrup653/avx2/crypto_encode_653xint16.h b/crypto_kem/sntrup653/avx2/crypto_encode_653xint16.h
deleted file mode 100644
index 17130d4f..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_encode_653xint16.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_AVX2_CRYPTO_ENCODE_653XINT16_H
-#define PQCLEAN_SNTRUP653_AVX2_CRYPTO_ENCODE_653XINT16_H
-
-#include
-#define PQCLEAN_SNTRUP653_AVX2_crypto_encode_653xint16_STRBYTES 1306
-#define PQCLEAN_SNTRUP653_AVX2_crypto_encode_653xint16_ITEMBYTES 2
-#define PQCLEAN_SNTRUP653_AVX2_crypto_encode_653xint16_ITEMS 653
-
-void PQCLEAN_SNTRUP653_AVX2_crypto_encode_653xint16(unsigned char *s, const void *v);
-#endif
diff --git a/crypto_kem/sntrup653/avx2/crypto_encode_int16.c b/crypto_kem/sntrup653/avx2/crypto_encode_int16.c
deleted file mode 100644
index b69b49dd..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_encode_int16.c
+++ /dev/null
@@ -1,9 +0,0 @@
-#include "crypto_encode_int16.h"
-
-#define uint16 uint16_t
-
-void PQCLEAN_SNTRUP653_AVX2_crypto_encode_int16(unsigned char *s, const void *x) {
- uint16 u = *(const uint16 *) x;
- s[0] = (unsigned char) u;
- s[1] = (unsigned char) (u >> 8);
-}
diff --git a/crypto_kem/sntrup653/avx2/crypto_encode_int16.h b/crypto_kem/sntrup653/avx2/crypto_encode_int16.h
deleted file mode 100644
index 553e8ee4..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_encode_int16.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_AVX2_CRYPTO_ENCODE_INT16_H
-#define PQCLEAN_SNTRUP653_AVX2_CRYPTO_ENCODE_INT16_H
-
-#include
-#define PQCLEAN_SNTRUP653_AVX2_crypto_encode_int16_STRBYTES 2
-#define PQCLEAN_SNTRUP653_AVX2_crypto_encode_int16_ITEMBYTES 2
-#define PQCLEAN_SNTRUP653_AVX2_crypto_encode_int16_ITEMS 1
-
-void PQCLEAN_SNTRUP653_AVX2_crypto_encode_int16(unsigned char *s, const void *x);
-#endif
diff --git a/crypto_kem/sntrup653/avx2/crypto_sort_int32.c b/crypto_kem/sntrup653/avx2/crypto_sort_int32.c
deleted file mode 100644
index 289bc6b0..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_sort_int32.c
+++ /dev/null
@@ -1,1215 +0,0 @@ -#include "crypto_sort_int32.h" -#include - -#define int32 int32_t - -typedef __m256i int32x8; -#define int32x8_load(z) _mm256_loadu_si256((__m256i *) (z)) -#define int32x8_store(z,i) _mm256_storeu_si256((__m256i *) (z),(i)) -#define int32x8_min _mm256_min_epi32 -#define int32x8_max _mm256_max_epi32 - -#define int32x8_MINMAX(a,b) \ - do { \ - int32x8 c = int32x8_min((a),(b)); \ - (b) = int32x8_max((a),(b)); \ - (a) = c; \ - } while(0) - -static inline void int32_MINMAX(int32 *a, int32 *b) { - int32 ab = *b ^ *a; - int32 c = (int32)((int64_t) * b - (int64_t) * a); - c ^= ab & (c ^ *b); - c >>= 31; - c &= ab; - *a ^= c; - *b ^= c; -} - -static void minmax_vector(int32 *x, int32 *y, long long n) { - if (n < 8) { - while (n > 0) { - int32_MINMAX(x, y); - ++x; - ++y; - --n; - } - return; - } - if (n & 7) { - int32x8 x0 = int32x8_load(x + n - 8); - int32x8 y0 = int32x8_load(y + n - 8); - int32x8_MINMAX(x0, y0); - int32x8_store(x + n - 8, x0); - int32x8_store(y + n - 8, y0); - n &= ~7; - } - do { - int32x8 x0 = int32x8_load(x); - int32x8 y0 = int32x8_load(y); - int32x8_MINMAX(x0, y0); - int32x8_store(x, x0); - int32x8_store(y, y0); - x += 8; - y += 8; - n -= 8; - } while (n); -} - -/* stages 8,4,2,1 of size-16 bitonic merging */ -static void merge16_finish(int32 *x, int32x8 x0, int32x8 x1, int flagdown) { - int32x8 b0, b1, c0, c1, mask; - - int32x8_MINMAX(x0, x1); - - b0 = _mm256_permute2x128_si256(x0, x1, 0x20); /* A0123B0123 */ - b1 = _mm256_permute2x128_si256(x0, x1, 0x31); /* A4567B4567 */ - - int32x8_MINMAX(b0, b1); - - c0 = _mm256_unpacklo_epi64(b0, b1); /* A0145B0145 */ - c1 = _mm256_unpackhi_epi64(b0, b1); /* A2367B2367 */ - - int32x8_MINMAX(c0, c1); - - b0 = _mm256_unpacklo_epi32(c0, c1); /* A0213B0213 */ - b1 = _mm256_unpackhi_epi32(c0, c1); /* A4657B4657 */ - - c0 = _mm256_unpacklo_epi64(b0, b1); /* A0246B0246 */ - c1 = _mm256_unpackhi_epi64(b0, b1); /* A1357B1357 */ - - int32x8_MINMAX(c0, c1); - - b0 = _mm256_unpacklo_epi32(c0, c1); /* 
A0123B0123 */ - b1 = _mm256_unpackhi_epi32(c0, c1); /* A4567B4567 */ - - x0 = _mm256_permute2x128_si256(b0, b1, 0x20); /* A01234567 */ - x1 = _mm256_permute2x128_si256(b0, b1, 0x31); /* A01234567 */ - - if (flagdown) { - mask = _mm256_set1_epi32(-1); - x0 ^= mask; - x1 ^= mask; - } - - int32x8_store(&x[0], x0); - int32x8_store(&x[8], x1); -} - -/* stages 64,32 of bitonic merging; n is multiple of 128 */ -static void int32_twostages_32(int32 *x, long long n) { - long long i; - - while (n > 0) { - for (i = 0; i < 32; i += 8) { - int32x8 x0 = int32x8_load(&x[i]); - int32x8 x1 = int32x8_load(&x[i + 32]); - int32x8 x2 = int32x8_load(&x[i + 64]); - int32x8 x3 = int32x8_load(&x[i + 96]); - - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - - int32x8_store(&x[i], x0); - int32x8_store(&x[i + 32], x1); - int32x8_store(&x[i + 64], x2); - int32x8_store(&x[i + 96], x3); - } - x += 128; - n -= 128; - } -} - -/* stages 4q,2q,q of bitonic merging */ -static long long int32_threestages(int32 *x, long long n, long long q) { - long long k, i; - - for (k = 0; k + 8 * q <= n; k += 8 * q) { - for (i = k; i < k + q; i += 8) { - int32x8 x0 = int32x8_load(&x[i]); - int32x8 x1 = int32x8_load(&x[i + q]); - int32x8 x2 = int32x8_load(&x[i + 2 * q]); - int32x8 x3 = int32x8_load(&x[i + 3 * q]); - int32x8 x4 = int32x8_load(&x[i + 4 * q]); - int32x8 x5 = int32x8_load(&x[i + 5 * q]); - int32x8 x6 = int32x8_load(&x[i + 6 * q]); - int32x8 x7 = int32x8_load(&x[i + 7 * q]); - - int32x8_MINMAX(x0, x4); - int32x8_MINMAX(x1, x5); - int32x8_MINMAX(x2, x6); - int32x8_MINMAX(x3, x7); - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x4, x6); - int32x8_MINMAX(x5, x7); - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - int32x8_MINMAX(x4, x5); - int32x8_MINMAX(x6, x7); - - int32x8_store(&x[i], x0); - int32x8_store(&x[i + q], x1); - int32x8_store(&x[i + 2 * q], x2); - int32x8_store(&x[i + 3 * q], x3); - int32x8_store(&x[i + 4 * q], x4); 
- int32x8_store(&x[i + 5 * q], x5); - int32x8_store(&x[i + 6 * q], x6); - int32x8_store(&x[i + 7 * q], x7); - } - } - - return k; -} - -/* n is a power of 2; n >= 8; if n == 8 then flagdown */ -// NOLINTNEXTLINE(google-readability-function-size) -static void int32_sort_2power(int32 *x, long long n, int flagdown) { - long long p, q, i, j, k; - int32x8 mask; - - if (n == 8) { - int32 x0 = x[0]; - int32 x1 = x[1]; - int32 x2 = x[2]; - int32 x3 = x[3]; - int32 x4 = x[4]; - int32 x5 = x[5]; - int32 x6 = x[6]; - int32 x7 = x[7]; - - /* odd-even sort instead of bitonic sort */ - - int32_MINMAX(&x1, &x0); - int32_MINMAX(&x3, &x2); - int32_MINMAX(&x2, &x0); - int32_MINMAX(&x3, &x1); - int32_MINMAX(&x2, &x1); - - int32_MINMAX(&x5, &x4); - int32_MINMAX(&x7, &x6); - int32_MINMAX(&x6, &x4); - int32_MINMAX(&x7, &x5); - int32_MINMAX(&x6, &x5); - - int32_MINMAX(&x4, &x0); - int32_MINMAX(&x6, &x2); - int32_MINMAX(&x4, &x2); - - int32_MINMAX(&x5, &x1); - int32_MINMAX(&x7, &x3); - int32_MINMAX(&x5, &x3); - - int32_MINMAX(&x2, &x1); - int32_MINMAX(&x4, &x3); - int32_MINMAX(&x6, &x5); - - x[0] = x0; - x[1] = x1; - x[2] = x2; - x[3] = x3; - x[4] = x4; - x[5] = x5; - x[6] = x6; - x[7] = x7; - return; - } - - if (n == 16) { - int32x8 x0, x1, b0, b1, c0, c1; - - x0 = int32x8_load(&x[0]); - x1 = int32x8_load(&x[8]); - - mask = _mm256_set_epi32(0, 0, -1, -1, 0, 0, -1, -1); - - x0 ^= mask; /* A01234567 */ - x1 ^= mask; /* B01234567 */ - - b0 = _mm256_unpacklo_epi32(x0, x1); /* AB0AB1AB4AB5 */ - b1 = _mm256_unpackhi_epi32(x0, x1); /* AB2AB3AB6AB7 */ - - c0 = _mm256_unpacklo_epi64(b0, b1); /* AB0AB2AB4AB6 */ - c1 = _mm256_unpackhi_epi64(b0, b1); /* AB1AB3AB5AB7 */ - - int32x8_MINMAX(c0, c1); - - mask = _mm256_set_epi32(0, 0, -1, -1, -1, -1, 0, 0); - c0 ^= mask; - c1 ^= mask; - - b0 = _mm256_unpacklo_epi32(c0, c1); /* A01B01A45B45 */ - b1 = _mm256_unpackhi_epi32(c0, c1); /* A23B23A67B67 */ - - int32x8_MINMAX(b0, b1); - - x0 = _mm256_unpacklo_epi64(b0, b1); /* A01234567 */ - x1 = 
_mm256_unpackhi_epi64(b0, b1); /* B01234567 */ - - b0 = _mm256_unpacklo_epi32(x0, x1); /* AB0AB1AB4AB5 */ - b1 = _mm256_unpackhi_epi32(x0, x1); /* AB2AB3AB6AB7 */ - - c0 = _mm256_unpacklo_epi64(b0, b1); /* AB0AB2AB4AB6 */ - c1 = _mm256_unpackhi_epi64(b0, b1); /* AB1AB3AB5AB7 */ - - int32x8_MINMAX(c0, c1); - - b0 = _mm256_unpacklo_epi32(c0, c1); /* A01B01A45B45 */ - b1 = _mm256_unpackhi_epi32(c0, c1); /* A23B23A67B67 */ - - b0 ^= mask; - b1 ^= mask; - - c0 = _mm256_permute2x128_si256(b0, b1, 0x20); /* A01B01A23B23 */ - c1 = _mm256_permute2x128_si256(b0, b1, 0x31); /* A45B45A67B67 */ - - int32x8_MINMAX(c0, c1); - - b0 = _mm256_permute2x128_si256(c0, c1, 0x20); /* A01B01A45B45 */ - b1 = _mm256_permute2x128_si256(c0, c1, 0x31); /* A23B23A67B67 */ - - int32x8_MINMAX(b0, b1); - - x0 = _mm256_unpacklo_epi64(b0, b1); /* A01234567 */ - x1 = _mm256_unpackhi_epi64(b0, b1); /* B01234567 */ - - b0 = _mm256_unpacklo_epi32(x0, x1); /* AB0AB1AB4AB5 */ - b1 = _mm256_unpackhi_epi32(x0, x1); /* AB2AB3AB6AB7 */ - - c0 = _mm256_unpacklo_epi64(b0, b1); /* AB0AB2AB4AB6 */ - c1 = _mm256_unpackhi_epi64(b0, b1); /* AB1AB3AB5AB7 */ - - int32x8_MINMAX(c0, c1); - - b0 = _mm256_unpacklo_epi32(c0, c1); /* A01B01A45B45 */ - b1 = _mm256_unpackhi_epi32(c0, c1); /* A23B23A67B67 */ - - x0 = _mm256_unpacklo_epi64(b0, b1); /* A01234567 */ - x1 = _mm256_unpackhi_epi64(b0, b1); /* B01234567 */ - - mask = _mm256_set1_epi32(-1); - if (flagdown) { - x1 ^= mask; - } else { - x0 ^= mask; - } - - merge16_finish(x, x0, x1, flagdown); - return; - } - - if (n == 32) { - int32x8 x0, x1, x2, x3; - - int32_sort_2power(x, 16, 1); - int32_sort_2power(x + 16, 16, 0); - - x0 = int32x8_load(&x[0]); - x1 = int32x8_load(&x[8]); - x2 = int32x8_load(&x[16]); - x3 = int32x8_load(&x[24]); - - if (flagdown) { - mask = _mm256_set1_epi32(-1); - x0 ^= mask; - x1 ^= mask; - x2 ^= mask; - x3 ^= mask; - } - - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - - merge16_finish(x, x0, x1, flagdown); - merge16_finish(x + 16, x2, x3, 
flagdown); - return; - } - - p = n >> 3; - for (i = 0; i < p; i += 8) { - int32x8 x0 = int32x8_load(&x[i]); - int32x8 x2 = int32x8_load(&x[i + 2 * p]); - int32x8 x4 = int32x8_load(&x[i + 4 * p]); - int32x8 x6 = int32x8_load(&x[i + 6 * p]); - - /* odd-even stage instead of bitonic stage */ - - int32x8_MINMAX(x4, x0); - int32x8_MINMAX(x6, x2); - int32x8_MINMAX(x2, x0); - int32x8_MINMAX(x6, x4); - int32x8_MINMAX(x2, x4); - - int32x8_store(&x[i], x0); - int32x8_store(&x[i + 2 * p], x2); - int32x8_store(&x[i + 4 * p], x4); - int32x8_store(&x[i + 6 * p], x6); - - int32x8 x1 = int32x8_load(&x[i + p]); - int32x8 x3 = int32x8_load(&x[i + 3 * p]); - int32x8 x5 = int32x8_load(&x[i + 5 * p]); - int32x8 x7 = int32x8_load(&x[i + 7 * p]); - - int32x8_MINMAX(x1, x5); - int32x8_MINMAX(x3, x7); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x5, x7); - int32x8_MINMAX(x5, x3); - - int32x8_store(&x[i + p], x1); - int32x8_store(&x[i + 3 * p], x3); - int32x8_store(&x[i + 5 * p], x5); - int32x8_store(&x[i + 7 * p], x7); - } - - if (n >= 128) { - int flip, flipflip; - - mask = _mm256_set1_epi32(-1); - - for (j = 0; j < n; j += 32) { - int32x8 x0 = int32x8_load(&x[j]); - int32x8 x1 = int32x8_load(&x[j + 16]); - x0 ^= mask; - x1 ^= mask; - int32x8_store(&x[j], x0); - int32x8_store(&x[j + 16], x1); - } - - p = 8; - for (;;) { /* for p in [8, 16, ..., n/16] */ - q = p >> 1; - while (q >= 128) { - int32_threestages(x, n, q >> 2); - q >>= 3; - } - if (q == 64) { - int32_twostages_32(x, n); - q = 16; - } - if (q == 32) { - q = 8; - for (k = 0; k < n; k += 8 * q) { - for (i = k; i < k + q; i += 8) { - int32x8 x0 = int32x8_load(&x[i]); - int32x8 x1 = int32x8_load(&x[i + q]); - int32x8 x2 = int32x8_load(&x[i + 2 * q]); - int32x8 x3 = int32x8_load(&x[i + 3 * q]); - int32x8 x4 = int32x8_load(&x[i + 4 * q]); - int32x8 x5 = int32x8_load(&x[i + 5 * q]); - int32x8 x6 = int32x8_load(&x[i + 6 * q]); - int32x8 x7 = int32x8_load(&x[i + 7 * q]); - - int32x8_MINMAX(x0, x4); - int32x8_MINMAX(x1, x5); - 
int32x8_MINMAX(x2, x6); - int32x8_MINMAX(x3, x7); - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x4, x6); - int32x8_MINMAX(x5, x7); - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - int32x8_MINMAX(x4, x5); - int32x8_MINMAX(x6, x7); - - int32x8_store(&x[i], x0); - int32x8_store(&x[i + q], x1); - int32x8_store(&x[i + 2 * q], x2); - int32x8_store(&x[i + 3 * q], x3); - int32x8_store(&x[i + 4 * q], x4); - int32x8_store(&x[i + 5 * q], x5); - int32x8_store(&x[i + 6 * q], x6); - int32x8_store(&x[i + 7 * q], x7); - } - } - q = 4; - } - if (q == 16) { - q = 8; - for (k = 0; k < n; k += 4 * q) { - for (i = k; i < k + q; i += 8) { - int32x8 x0 = int32x8_load(&x[i]); - int32x8 x1 = int32x8_load(&x[i + q]); - int32x8 x2 = int32x8_load(&x[i + 2 * q]); - int32x8 x3 = int32x8_load(&x[i + 3 * q]); - - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - - int32x8_store(&x[i], x0); - int32x8_store(&x[i + q], x1); - int32x8_store(&x[i + 2 * q], x2); - int32x8_store(&x[i + 3 * q], x3); - } - } - q = 4; - } - if (q == 8) { - for (k = 0; k < n; k += q + q) { - int32x8 x0 = int32x8_load(&x[k]); - int32x8 x1 = int32x8_load(&x[k + q]); - - int32x8_MINMAX(x0, x1); - - int32x8_store(&x[k], x0); - int32x8_store(&x[k + q], x1); - } - } - - q = n >> 3; - flip = 0; - if (p << 1 == q) { - flip = 1; - } - flipflip = 1 - flip; - for (j = 0; j < q; j += p + p) { - for (k = j; k < j + p + p; k += p) { - for (i = k; i < k + p; i += 8) { - int32x8 x0 = int32x8_load(&x[i]); - int32x8 x1 = int32x8_load(&x[i + q]); - int32x8 x2 = int32x8_load(&x[i + 2 * q]); - int32x8 x3 = int32x8_load(&x[i + 3 * q]); - int32x8 x4 = int32x8_load(&x[i + 4 * q]); - int32x8 x5 = int32x8_load(&x[i + 5 * q]); - int32x8 x6 = int32x8_load(&x[i + 6 * q]); - int32x8 x7 = int32x8_load(&x[i + 7 * q]); - - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - int32x8_MINMAX(x4, x5); - int32x8_MINMAX(x6, x7); - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - 
int32x8_MINMAX(x4, x6); - int32x8_MINMAX(x5, x7); - int32x8_MINMAX(x0, x4); - int32x8_MINMAX(x1, x5); - int32x8_MINMAX(x2, x6); - int32x8_MINMAX(x3, x7); - - if (flip) { - x0 ^= mask; - x1 ^= mask; - x2 ^= mask; - x3 ^= mask; - x4 ^= mask; - x5 ^= mask; - x6 ^= mask; - x7 ^= mask; - } - - int32x8_store(&x[i], x0); - int32x8_store(&x[i + q], x1); - int32x8_store(&x[i + 2 * q], x2); - int32x8_store(&x[i + 3 * q], x3); - int32x8_store(&x[i + 4 * q], x4); - int32x8_store(&x[i + 5 * q], x5); - int32x8_store(&x[i + 6 * q], x6); - int32x8_store(&x[i + 7 * q], x7); - } - flip ^= 1; - } - flip ^= flipflip; - } - - if (p << 4 == n) { - break; - } - p <<= 1; - } - } - - for (p = 4; p >= 1; p >>= 1) { - int32 *z = x; - int32 *target = x + n; - if (p == 4) { - mask = _mm256_set_epi32(0, 0, 0, 0, -1, -1, -1, -1); - while (z != target) { - int32x8 x0 = int32x8_load(&z[0]); - int32x8 x1 = int32x8_load(&z[8]); - x0 ^= mask; - x1 ^= mask; - int32x8_store(&z[0], x0); - int32x8_store(&z[8], x1); - z += 16; - } - } else if (p == 2) { - mask = _mm256_set_epi32(0, 0, -1, -1, -1, -1, 0, 0); - while (z != target) { - int32x8 x0 = int32x8_load(&z[0]); - int32x8 x1 = int32x8_load(&z[8]); - x0 ^= mask; - x1 ^= mask; - int32x8 b0 = _mm256_permute2x128_si256(x0, x1, 0x20); - int32x8 b1 = _mm256_permute2x128_si256(x0, x1, 0x31); - int32x8_MINMAX(b0, b1); - int32x8 c0 = _mm256_permute2x128_si256(b0, b1, 0x20); - int32x8 c1 = _mm256_permute2x128_si256(b0, b1, 0x31); - int32x8_store(&z[0], c0); - int32x8_store(&z[8], c1); - z += 16; - } - } else { /* p == 1 */ - mask = _mm256_set_epi32(0, -1, -1, 0, 0, -1, -1, 0); - while (z != target) { - int32x8 x0 = int32x8_load(&z[0]); - int32x8 x1 = int32x8_load(&z[8]); - x0 ^= mask; - x1 ^= mask; - int32x8 b0 = _mm256_permute2x128_si256(x0, x1, 0x20); /* A0123B0123 */ - int32x8 b1 = _mm256_permute2x128_si256(x0, x1, 0x31); /* A4567B4567 */ - int32x8 c0 = _mm256_unpacklo_epi64(b0, b1); /* A0145B0145 */ - int32x8 c1 = _mm256_unpackhi_epi64(b0, b1); /* 
A2367B2367 */ - int32x8_MINMAX(c0, c1); - int32x8 d0 = _mm256_unpacklo_epi64(c0, c1); /* A0123B0123 */ - int32x8 d1 = _mm256_unpackhi_epi64(c0, c1); /* A4567B4567 */ - int32x8_MINMAX(d0, d1); - int32x8 e0 = _mm256_permute2x128_si256(d0, d1, 0x20); - int32x8 e1 = _mm256_permute2x128_si256(d0, d1, 0x31); - int32x8_store(&z[0], e0); - int32x8_store(&z[8], e1); - z += 16; - } - } - - q = n >> 4; - while (q >= 128 || q == 32) { - int32_threestages(x, n, q >> 2); - q >>= 3; - } - while (q >= 16) { - q >>= 1; - for (j = 0; j < n; j += 4 * q) { - for (k = j; k < j + q; k += 8) { - int32x8 x0 = int32x8_load(&x[k]); - int32x8 x1 = int32x8_load(&x[k + q]); - int32x8 x2 = int32x8_load(&x[k + 2 * q]); - int32x8 x3 = int32x8_load(&x[k + 3 * q]); - - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - - int32x8_store(&x[k], x0); - int32x8_store(&x[k + q], x1); - int32x8_store(&x[k + 2 * q], x2); - int32x8_store(&x[k + 3 * q], x3); - } - } - q >>= 1; - } - if (q == 8) { - for (j = 0; j < n; j += 2 * q) { - int32x8 x0 = int32x8_load(&x[j]); - int32x8 x1 = int32x8_load(&x[j + q]); - - int32x8_MINMAX(x0, x1); - - int32x8_store(&x[j], x0); - int32x8_store(&x[j + q], x1); - } - } - - q = n >> 3; - for (k = 0; k < q; k += 8) { - int32x8 x0 = int32x8_load(&x[k]); - int32x8 x1 = int32x8_load(&x[k + q]); - int32x8 x2 = int32x8_load(&x[k + 2 * q]); - int32x8 x3 = int32x8_load(&x[k + 3 * q]); - int32x8 x4 = int32x8_load(&x[k + 4 * q]); - int32x8 x5 = int32x8_load(&x[k + 5 * q]); - int32x8 x6 = int32x8_load(&x[k + 6 * q]); - int32x8 x7 = int32x8_load(&x[k + 7 * q]); - - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - int32x8_MINMAX(x4, x5); - int32x8_MINMAX(x6, x7); - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x4, x6); - int32x8_MINMAX(x5, x7); - int32x8_MINMAX(x0, x4); - int32x8_MINMAX(x1, x5); - int32x8_MINMAX(x2, x6); - int32x8_MINMAX(x3, x7); - - int32x8_store(&x[k], x0); - int32x8_store(&x[k + q], x1); - 
int32x8_store(&x[k + 2 * q], x2); - int32x8_store(&x[k + 3 * q], x3); - int32x8_store(&x[k + 4 * q], x4); - int32x8_store(&x[k + 5 * q], x5); - int32x8_store(&x[k + 6 * q], x6); - int32x8_store(&x[k + 7 * q], x7); - } - } - - /* everything is still masked with _mm256_set_epi32(0,-1,0,-1,0,-1,0,-1); */ - mask = _mm256_set1_epi32(-1); - - for (i = 0; i < n; i += 64) { - int32x8 a0 = int32x8_load(&x[i]); - int32x8 a1 = int32x8_load(&x[i + 8]); - int32x8 a2 = int32x8_load(&x[i + 16]); - int32x8 a3 = int32x8_load(&x[i + 24]); - int32x8 a4 = int32x8_load(&x[i + 32]); - int32x8 a5 = int32x8_load(&x[i + 40]); - int32x8 a6 = int32x8_load(&x[i + 48]); - int32x8 a7 = int32x8_load(&x[i + 56]); - - int32x8 b0 = _mm256_unpacklo_epi32(a0, a1); /* AB0AB1AB4AB5 */ - int32x8 b1 = _mm256_unpackhi_epi32(a0, a1); /* AB2AB3AB6AB7 */ - int32x8 b2 = _mm256_unpacklo_epi32(a2, a3); /* CD0CD1CD4CD5 */ - int32x8 b3 = _mm256_unpackhi_epi32(a2, a3); /* CD2CD3CD6CD7 */ - int32x8 b4 = _mm256_unpacklo_epi32(a4, a5); /* EF0EF1EF4EF5 */ - int32x8 b5 = _mm256_unpackhi_epi32(a4, a5); /* EF2EF3EF6EF7 */ - int32x8 b6 = _mm256_unpacklo_epi32(a6, a7); /* GH0GH1GH4GH5 */ - int32x8 b7 = _mm256_unpackhi_epi32(a6, a7); /* GH2GH3GH6GH7 */ - - int32x8 c0 = _mm256_unpacklo_epi64(b0, b2); /* ABCD0ABCD4 */ - int32x8 c1 = _mm256_unpacklo_epi64(b1, b3); /* ABCD2ABCD6 */ - int32x8 c2 = _mm256_unpackhi_epi64(b0, b2); /* ABCD1ABCD5 */ - int32x8 c3 = _mm256_unpackhi_epi64(b1, b3); /* ABCD3ABCD7 */ - int32x8 c4 = _mm256_unpacklo_epi64(b4, b6); /* EFGH0EFGH4 */ - int32x8 c5 = _mm256_unpacklo_epi64(b5, b7); /* EFGH2EFGH6 */ - int32x8 c6 = _mm256_unpackhi_epi64(b4, b6); /* EFGH1EFGH5 */ - int32x8 c7 = _mm256_unpackhi_epi64(b5, b7); /* EFGH3EFGH7 */ - - if (flagdown) { - c2 ^= mask; - c3 ^= mask; - c6 ^= mask; - c7 ^= mask; - } else { - c0 ^= mask; - c1 ^= mask; - c4 ^= mask; - c5 ^= mask; - } - - int32x8 d0 = _mm256_permute2x128_si256(c0, c4, 0x20); /* ABCDEFGH0 */ - int32x8 d1 = _mm256_permute2x128_si256(c2, c6, 0x20); /* 
ABCDEFGH1 */ - int32x8 d2 = _mm256_permute2x128_si256(c1, c5, 0x20); /* ABCDEFGH2 */ - int32x8 d3 = _mm256_permute2x128_si256(c3, c7, 0x20); /* ABCDEFGH5 */ - int32x8 d4 = _mm256_permute2x128_si256(c0, c4, 0x31); /* ABCDEFGH4 */ - int32x8 d5 = _mm256_permute2x128_si256(c2, c6, 0x31); /* ABCDEFGH3 */ - int32x8 d6 = _mm256_permute2x128_si256(c1, c5, 0x31); /* ABCDEFGH6 */ - int32x8 d7 = _mm256_permute2x128_si256(c3, c7, 0x31); /* ABCDEFGH7 */ - - int32x8_MINMAX(d0, d1); - int32x8_MINMAX(d2, d3); - int32x8_MINMAX(d4, d5); - int32x8_MINMAX(d6, d7); - int32x8_MINMAX(d0, d2); - int32x8_MINMAX(d1, d3); - int32x8_MINMAX(d4, d6); - int32x8_MINMAX(d5, d7); - int32x8_MINMAX(d0, d4); - int32x8_MINMAX(d1, d5); - int32x8_MINMAX(d2, d6); - int32x8_MINMAX(d3, d7); - - int32x8 e0 = _mm256_unpacklo_epi32(d0, d1); - int32x8 e1 = _mm256_unpackhi_epi32(d0, d1); - int32x8 e2 = _mm256_unpacklo_epi32(d2, d3); - int32x8 e3 = _mm256_unpackhi_epi32(d2, d3); - int32x8 e4 = _mm256_unpacklo_epi32(d4, d5); - int32x8 e5 = _mm256_unpackhi_epi32(d4, d5); - int32x8 e6 = _mm256_unpacklo_epi32(d6, d7); - int32x8 e7 = _mm256_unpackhi_epi32(d6, d7); - - int32x8 f0 = _mm256_unpacklo_epi64(e0, e2); - int32x8 f1 = _mm256_unpacklo_epi64(e1, e3); - int32x8 f2 = _mm256_unpackhi_epi64(e0, e2); - int32x8 f3 = _mm256_unpackhi_epi64(e1, e3); - int32x8 f4 = _mm256_unpacklo_epi64(e4, e6); - int32x8 f5 = _mm256_unpacklo_epi64(e5, e7); - int32x8 f6 = _mm256_unpackhi_epi64(e4, e6); - int32x8 f7 = _mm256_unpackhi_epi64(e5, e7); - - int32x8 g0 = _mm256_permute2x128_si256(f0, f4, 0x20); - int32x8 g1 = _mm256_permute2x128_si256(f2, f6, 0x20); - int32x8 g2 = _mm256_permute2x128_si256(f1, f5, 0x20); - int32x8 g3 = _mm256_permute2x128_si256(f3, f7, 0x20); - int32x8 g4 = _mm256_permute2x128_si256(f0, f4, 0x31); - int32x8 g5 = _mm256_permute2x128_si256(f2, f6, 0x31); - int32x8 g6 = _mm256_permute2x128_si256(f1, f5, 0x31); - int32x8 g7 = _mm256_permute2x128_si256(f3, f7, 0x31); - - int32x8_store(&x[i], g0); - int32x8_store(&x[i 
+ 8], g1); - int32x8_store(&x[i + 16], g2); - int32x8_store(&x[i + 24], g3); - int32x8_store(&x[i + 32], g4); - int32x8_store(&x[i + 40], g5); - int32x8_store(&x[i + 48], g6); - int32x8_store(&x[i + 56], g7); - } - - q = n >> 4; - while (q >= 128 || q == 32) { - q >>= 2; - for (j = 0; j < n; j += 8 * q) { - for (i = j; i < j + q; i += 8) { - int32x8 x0 = int32x8_load(&x[i]); - int32x8 x1 = int32x8_load(&x[i + q]); - int32x8 x2 = int32x8_load(&x[i + 2 * q]); - int32x8 x3 = int32x8_load(&x[i + 3 * q]); - int32x8 x4 = int32x8_load(&x[i + 4 * q]); - int32x8 x5 = int32x8_load(&x[i + 5 * q]); - int32x8 x6 = int32x8_load(&x[i + 6 * q]); - int32x8 x7 = int32x8_load(&x[i + 7 * q]); - int32x8_MINMAX(x0, x4); - int32x8_MINMAX(x1, x5); - int32x8_MINMAX(x2, x6); - int32x8_MINMAX(x3, x7); - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x4, x6); - int32x8_MINMAX(x5, x7); - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - int32x8_MINMAX(x4, x5); - int32x8_MINMAX(x6, x7); - int32x8_store(&x[i], x0); - int32x8_store(&x[i + q], x1); - int32x8_store(&x[i + 2 * q], x2); - int32x8_store(&x[i + 3 * q], x3); - int32x8_store(&x[i + 4 * q], x4); - int32x8_store(&x[i + 5 * q], x5); - int32x8_store(&x[i + 6 * q], x6); - int32x8_store(&x[i + 7 * q], x7); - } - } - q >>= 1; - } - while (q >= 16) { - q >>= 1; - for (j = 0; j < n; j += 4 * q) { - for (i = j; i < j + q; i += 8) { - int32x8 x0 = int32x8_load(&x[i]); - int32x8 x1 = int32x8_load(&x[i + q]); - int32x8 x2 = int32x8_load(&x[i + 2 * q]); - int32x8 x3 = int32x8_load(&x[i + 3 * q]); - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - int32x8_store(&x[i], x0); - int32x8_store(&x[i + q], x1); - int32x8_store(&x[i + 2 * q], x2); - int32x8_store(&x[i + 3 * q], x3); - } - } - q >>= 1; - } - if (q == 8) { - for (j = 0; j < n; j += q + q) { - int32x8 x0 = int32x8_load(&x[j]); - int32x8 x1 = int32x8_load(&x[j + q]); - int32x8_MINMAX(x0, x1); - int32x8_store(&x[j], x0); - 
int32x8_store(&x[j + q], x1); - } - } - - q = n >> 3; - for (i = 0; i < q; i += 8) { - int32x8 x0 = int32x8_load(&x[i]); - int32x8 x1 = int32x8_load(&x[i + q]); - int32x8 x2 = int32x8_load(&x[i + 2 * q]); - int32x8 x3 = int32x8_load(&x[i + 3 * q]); - int32x8 x4 = int32x8_load(&x[i + 4 * q]); - int32x8 x5 = int32x8_load(&x[i + 5 * q]); - int32x8 x6 = int32x8_load(&x[i + 6 * q]); - int32x8 x7 = int32x8_load(&x[i + 7 * q]); - - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - int32x8_MINMAX(x4, x5); - int32x8_MINMAX(x6, x7); - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x4, x6); - int32x8_MINMAX(x5, x7); - int32x8_MINMAX(x0, x4); - int32x8_MINMAX(x1, x5); - int32x8_MINMAX(x2, x6); - int32x8_MINMAX(x3, x7); - - int32x8 b0 = _mm256_unpacklo_epi32(x0, x4); /* AE0AE1AE4AE5 */ - int32x8 b1 = _mm256_unpackhi_epi32(x0, x4); /* AE2AE3AE6AE7 */ - int32x8 b2 = _mm256_unpacklo_epi32(x1, x5); /* BF0BF1BF4BF5 */ - int32x8 b3 = _mm256_unpackhi_epi32(x1, x5); /* BF2BF3BF6BF7 */ - int32x8 b4 = _mm256_unpacklo_epi32(x2, x6); /* CG0CG1CG4CG5 */ - int32x8 b5 = _mm256_unpackhi_epi32(x2, x6); /* CG2CG3CG6CG7 */ - int32x8 b6 = _mm256_unpacklo_epi32(x3, x7); /* DH0DH1DH4DH5 */ - int32x8 b7 = _mm256_unpackhi_epi32(x3, x7); /* DH2DH3DH6DH7 */ - - int32x8 c0 = _mm256_unpacklo_epi64(b0, b4); /* AECG0AECG4 */ - int32x8 c1 = _mm256_unpacklo_epi64(b1, b5); /* AECG2AECG6 */ - int32x8 c2 = _mm256_unpackhi_epi64(b0, b4); /* AECG1AECG5 */ - int32x8 c3 = _mm256_unpackhi_epi64(b1, b5); /* AECG3AECG7 */ - int32x8 c4 = _mm256_unpacklo_epi64(b2, b6); /* BFDH0BFDH4 */ - int32x8 c5 = _mm256_unpacklo_epi64(b3, b7); /* BFDH2BFDH6 */ - int32x8 c6 = _mm256_unpackhi_epi64(b2, b6); /* BFDH1BFDH5 */ - int32x8 c7 = _mm256_unpackhi_epi64(b3, b7); /* BFDH3BFDH7 */ - - int32x8 d0 = _mm256_permute2x128_si256(c0, c4, 0x20); /* AECGBFDH0 */ - int32x8 d1 = _mm256_permute2x128_si256(c1, c5, 0x20); /* AECGBFDH2 */ - int32x8 d2 = _mm256_permute2x128_si256(c2, c6, 0x20); /* AECGBFDH1 */ - int32x8 d3 = 
_mm256_permute2x128_si256(c3, c7, 0x20); /* AECGBFDH3 */ - int32x8 d4 = _mm256_permute2x128_si256(c0, c4, 0x31); /* AECGBFDH4 */ - int32x8 d5 = _mm256_permute2x128_si256(c1, c5, 0x31); /* AECGBFDH6 */ - int32x8 d6 = _mm256_permute2x128_si256(c2, c6, 0x31); /* AECGBFDH5 */ - int32x8 d7 = _mm256_permute2x128_si256(c3, c7, 0x31); /* AECGBFDH7 */ - - if (flagdown) { - d0 ^= mask; - d1 ^= mask; - d2 ^= mask; - d3 ^= mask; - d4 ^= mask; - d5 ^= mask; - d6 ^= mask; - d7 ^= mask; - } - - int32x8_store(&x[i], d0); - int32x8_store(&x[i + q], d4); - int32x8_store(&x[i + 2 * q], d1); - int32x8_store(&x[i + 3 * q], d5); - int32x8_store(&x[i + 4 * q], d2); - int32x8_store(&x[i + 5 * q], d6); - int32x8_store(&x[i + 6 * q], d3); - int32x8_store(&x[i + 7 * q], d7); - } -} - -static void int32_sort(int32 *x, long long n) { - long long q, i, j; - - if (n <= 8) { - if (n == 8) { - int32_MINMAX(&x[0], &x[1]); - int32_MINMAX(&x[1], &x[2]); - int32_MINMAX(&x[2], &x[3]); - int32_MINMAX(&x[3], &x[4]); - int32_MINMAX(&x[4], &x[5]); - int32_MINMAX(&x[5], &x[6]); - int32_MINMAX(&x[6], &x[7]); - } - if (n >= 7) { - int32_MINMAX(&x[0], &x[1]); - int32_MINMAX(&x[1], &x[2]); - int32_MINMAX(&x[2], &x[3]); - int32_MINMAX(&x[3], &x[4]); - int32_MINMAX(&x[4], &x[5]); - int32_MINMAX(&x[5], &x[6]); - } - if (n >= 6) { - int32_MINMAX(&x[0], &x[1]); - int32_MINMAX(&x[1], &x[2]); - int32_MINMAX(&x[2], &x[3]); - int32_MINMAX(&x[3], &x[4]); - int32_MINMAX(&x[4], &x[5]); - } - if (n >= 5) { - int32_MINMAX(&x[0], &x[1]); - int32_MINMAX(&x[1], &x[2]); - int32_MINMAX(&x[2], &x[3]); - int32_MINMAX(&x[3], &x[4]); - } - if (n >= 4) { - int32_MINMAX(&x[0], &x[1]); - int32_MINMAX(&x[1], &x[2]); - int32_MINMAX(&x[2], &x[3]); - } - if (n >= 3) { - int32_MINMAX(&x[0], &x[1]); - int32_MINMAX(&x[1], &x[2]); - } - if (n >= 2) { - int32_MINMAX(&x[0], &x[1]); - } - return; - } - - if (!(n & (n - 1))) { - int32_sort_2power(x, n, 0); - return; - } - - q = 8; - while (q < n - q) { - q += q; - } - /* n > q >= 8 */ - - if (q <= 
128) { /* n <= 256 */ - int32x8 y[32]; - for (i = q >> 3; i < q >> 2; ++i) { - y[i] = _mm256_set1_epi32(0x7fffffff); - } - for (i = 0; i < n; ++i) { - ((int32 *) y)[i] = x[i]; - } - int32_sort_2power((int32 *) y, 2 * q, 0); - for (i = 0; i < n; ++i) { - x[i] = ((int32 *) y)[i]; - } - return; - } - - int32_sort_2power(x, q, 1); - int32_sort(x + q, n - q); - - while (q >= 64) { - q >>= 2; - j = int32_threestages(x, n, q); - minmax_vector(x + j, x + j + 4 * q, n - 4 * q - j); - if (j + 4 * q <= n) { - for (i = j; i < j + q; i += 8) { - int32x8 x0 = int32x8_load(&x[i]); - int32x8 x1 = int32x8_load(&x[i + q]); - int32x8 x2 = int32x8_load(&x[i + 2 * q]); - int32x8 x3 = int32x8_load(&x[i + 3 * q]); - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - int32x8_store(&x[i], x0); - int32x8_store(&x[i + q], x1); - int32x8_store(&x[i + 2 * q], x2); - int32x8_store(&x[i + 3 * q], x3); - } - j += 4 * q; - } - minmax_vector(x + j, x + j + 2 * q, n - 2 * q - j); - if (j + 2 * q <= n) { - for (i = j; i < j + q; i += 8) { - int32x8 x0 = int32x8_load(&x[i]); - int32x8 x1 = int32x8_load(&x[i + q]); - int32x8_MINMAX(x0, x1); - int32x8_store(&x[i], x0); - int32x8_store(&x[i + q], x1); - } - j += 2 * q; - } - minmax_vector(x + j, x + j + q, n - q - j); - q >>= 1; - } - if (q == 32) { - j = 0; - for (; j + 64 <= n; j += 64) { - int32x8 x0 = int32x8_load(&x[j]); - int32x8 x1 = int32x8_load(&x[j + 8]); - int32x8 x2 = int32x8_load(&x[j + 16]); - int32x8 x3 = int32x8_load(&x[j + 24]); - int32x8 x4 = int32x8_load(&x[j + 32]); - int32x8 x5 = int32x8_load(&x[j + 40]); - int32x8 x6 = int32x8_load(&x[j + 48]); - int32x8 x7 = int32x8_load(&x[j + 56]); - int32x8_MINMAX(x0, x4); - int32x8_MINMAX(x1, x5); - int32x8_MINMAX(x2, x6); - int32x8_MINMAX(x3, x7); - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x4, x6); - int32x8_MINMAX(x5, x7); - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - int32x8_MINMAX(x4, x5); - 
int32x8_MINMAX(x6, x7); - int32x8 a0 = _mm256_permute2x128_si256(x0, x1, 0x20); - int32x8 a1 = _mm256_permute2x128_si256(x0, x1, 0x31); - int32x8 a2 = _mm256_permute2x128_si256(x2, x3, 0x20); - int32x8 a3 = _mm256_permute2x128_si256(x2, x3, 0x31); - int32x8 a4 = _mm256_permute2x128_si256(x4, x5, 0x20); - int32x8 a5 = _mm256_permute2x128_si256(x4, x5, 0x31); - int32x8 a6 = _mm256_permute2x128_si256(x6, x7, 0x20); - int32x8 a7 = _mm256_permute2x128_si256(x6, x7, 0x31); - int32x8_MINMAX(a0, a1); - int32x8_MINMAX(a2, a3); - int32x8_MINMAX(a4, a5); - int32x8_MINMAX(a6, a7); - int32x8 b0 = _mm256_permute2x128_si256(a0, a1, 0x20); - int32x8 b1 = _mm256_permute2x128_si256(a0, a1, 0x31); - int32x8 b2 = _mm256_permute2x128_si256(a2, a3, 0x20); - int32x8 b3 = _mm256_permute2x128_si256(a2, a3, 0x31); - int32x8 b4 = _mm256_permute2x128_si256(a4, a5, 0x20); - int32x8 b5 = _mm256_permute2x128_si256(a4, a5, 0x31); - int32x8 b6 = _mm256_permute2x128_si256(a6, a7, 0x20); - int32x8 b7 = _mm256_permute2x128_si256(a6, a7, 0x31); - int32x8 c0 = _mm256_unpacklo_epi64(b0, b1); - int32x8 c1 = _mm256_unpackhi_epi64(b0, b1); - int32x8 c2 = _mm256_unpacklo_epi64(b2, b3); - int32x8 c3 = _mm256_unpackhi_epi64(b2, b3); - int32x8 c4 = _mm256_unpacklo_epi64(b4, b5); - int32x8 c5 = _mm256_unpackhi_epi64(b4, b5); - int32x8 c6 = _mm256_unpacklo_epi64(b6, b7); - int32x8 c7 = _mm256_unpackhi_epi64(b6, b7); - int32x8_MINMAX(c0, c1); - int32x8_MINMAX(c2, c3); - int32x8_MINMAX(c4, c5); - int32x8_MINMAX(c6, c7); - int32x8 d0 = _mm256_unpacklo_epi32(c0, c1); - int32x8 d1 = _mm256_unpackhi_epi32(c0, c1); - int32x8 d2 = _mm256_unpacklo_epi32(c2, c3); - int32x8 d3 = _mm256_unpackhi_epi32(c2, c3); - int32x8 d4 = _mm256_unpacklo_epi32(c4, c5); - int32x8 d5 = _mm256_unpackhi_epi32(c4, c5); - int32x8 d6 = _mm256_unpacklo_epi32(c6, c7); - int32x8 d7 = _mm256_unpackhi_epi32(c6, c7); - int32x8 e0 = _mm256_unpacklo_epi64(d0, d1); - int32x8 e1 = _mm256_unpackhi_epi64(d0, d1); - int32x8 e2 = _mm256_unpacklo_epi64(d2, 
d3);
- int32x8 e3 = _mm256_unpackhi_epi64(d2, d3);
- int32x8 e4 = _mm256_unpacklo_epi64(d4, d5);
- int32x8 e5 = _mm256_unpackhi_epi64(d4, d5);
- int32x8 e6 = _mm256_unpacklo_epi64(d6, d7);
- int32x8 e7 = _mm256_unpackhi_epi64(d6, d7);
- int32x8_MINMAX(e0, e1);
- int32x8_MINMAX(e2, e3);
- int32x8_MINMAX(e4, e5);
- int32x8_MINMAX(e6, e7);
- int32x8 f0 = _mm256_unpacklo_epi32(e0, e1);
- int32x8 f1 = _mm256_unpackhi_epi32(e0, e1);
- int32x8 f2 = _mm256_unpacklo_epi32(e2, e3);
- int32x8 f3 = _mm256_unpackhi_epi32(e2, e3);
- int32x8 f4 = _mm256_unpacklo_epi32(e4, e5);
- int32x8 f5 = _mm256_unpackhi_epi32(e4, e5);
- int32x8 f6 = _mm256_unpacklo_epi32(e6, e7);
- int32x8 f7 = _mm256_unpackhi_epi32(e6, e7);
- int32x8_store(&x[j], f0);
- int32x8_store(&x[j + 8], f1);
- int32x8_store(&x[j + 16], f2);
- int32x8_store(&x[j + 24], f3);
- int32x8_store(&x[j + 32], f4);
- int32x8_store(&x[j + 40], f5);
- int32x8_store(&x[j + 48], f6);
- int32x8_store(&x[j + 56], f7);
- }
- minmax_vector(x + j, x + j + 32, n - 32 - j);
- goto continue16;
- }
- if (q == 16) {
- j = 0;
-continue16:
- for (; j + 32 <= n; j += 32) {
- int32x8 x0 = int32x8_load(&x[j]);
- int32x8 x1 = int32x8_load(&x[j + 8]);
- int32x8 x2 = int32x8_load(&x[j + 16]);
- int32x8 x3 = int32x8_load(&x[j + 24]);
- int32x8_MINMAX(x0, x2);
- int32x8_MINMAX(x1, x3);
- int32x8_MINMAX(x0, x1);
- int32x8_MINMAX(x2, x3);
- int32x8 a0 = _mm256_permute2x128_si256(x0, x1, 0x20);
- int32x8 a1 = _mm256_permute2x128_si256(x0, x1, 0x31);
- int32x8 a2 = _mm256_permute2x128_si256(x2, x3, 0x20);
- int32x8 a3 = _mm256_permute2x128_si256(x2, x3, 0x31);
- int32x8_MINMAX(a0, a1);
- int32x8_MINMAX(a2, a3);
- int32x8 b0 = _mm256_permute2x128_si256(a0, a1, 0x20);
- int32x8 b1 = _mm256_permute2x128_si256(a0, a1, 0x31);
- int32x8 b2 = _mm256_permute2x128_si256(a2, a3, 0x20);
- int32x8 b3 = _mm256_permute2x128_si256(a2, a3, 0x31);
- int32x8 c0 = _mm256_unpacklo_epi64(b0, b1);
- int32x8 c1 = _mm256_unpackhi_epi64(b0, b1);
- int32x8 c2 =
_mm256_unpacklo_epi64(b2, b3);
- int32x8 c3 = _mm256_unpackhi_epi64(b2, b3);
- int32x8_MINMAX(c0, c1);
- int32x8_MINMAX(c2, c3);
- int32x8 d0 = _mm256_unpacklo_epi32(c0, c1);
- int32x8 d1 = _mm256_unpackhi_epi32(c0, c1);
- int32x8 d2 = _mm256_unpacklo_epi32(c2, c3);
- int32x8 d3 = _mm256_unpackhi_epi32(c2, c3);
- int32x8 e0 = _mm256_unpacklo_epi64(d0, d1);
- int32x8 e1 = _mm256_unpackhi_epi64(d0, d1);
- int32x8 e2 = _mm256_unpacklo_epi64(d2, d3);
- int32x8 e3 = _mm256_unpackhi_epi64(d2, d3);
- int32x8_MINMAX(e0, e1);
- int32x8_MINMAX(e2, e3);
- int32x8 f0 = _mm256_unpacklo_epi32(e0, e1);
- int32x8 f1 = _mm256_unpackhi_epi32(e0, e1);
- int32x8 f2 = _mm256_unpacklo_epi32(e2, e3);
- int32x8 f3 = _mm256_unpackhi_epi32(e2, e3);
- int32x8_store(&x[j], f0);
- int32x8_store(&x[j + 8], f1);
- int32x8_store(&x[j + 16], f2);
- int32x8_store(&x[j + 24], f3);
- }
- minmax_vector(x + j, x + j + 16, n - 16 - j);
- goto continue8;
- }
- /* q == 8 */
- j = 0;
-continue8:
- for (; j + 16 <= n; j += 16) {
- int32x8 x0 = int32x8_load(&x[j]);
- int32x8 x1 = int32x8_load(&x[j + 8]);
- int32x8_MINMAX(x0, x1);
- int32x8_store(&x[j], x0);
- int32x8_store(&x[j + 8], x1);
- int32x8 a0 = _mm256_permute2x128_si256(x0, x1, 0x20); /* x0123y0123 */
- int32x8 a1 = _mm256_permute2x128_si256(x0, x1, 0x31); /* x4567y4567 */
- int32x8_MINMAX(a0, a1);
- int32x8 b0 = _mm256_permute2x128_si256(a0, a1, 0x20); /* x01234567 */
- int32x8 b1 = _mm256_permute2x128_si256(a0, a1, 0x31); /* y01234567 */
- int32x8 c0 = _mm256_unpacklo_epi64(b0, b1); /* x01y01x45y45 */
- int32x8 c1 = _mm256_unpackhi_epi64(b0, b1); /* x23y23x67y67 */
- int32x8_MINMAX(c0, c1);
- int32x8 d0 = _mm256_unpacklo_epi32(c0, c1); /* x02x13x46x57 */
- int32x8 d1 = _mm256_unpackhi_epi32(c0, c1); /* y02y13y46y57 */
- int32x8 e0 = _mm256_unpacklo_epi64(d0, d1); /* x02y02x46y46 */
- int32x8 e1 = _mm256_unpackhi_epi64(d0, d1); /* x13y13x57y57 */
- int32x8_MINMAX(e0, e1);
- int32x8 f0 = _mm256_unpacklo_epi32(e0, e1); /* x01234567 */
- int32x8 f1 =
_mm256_unpackhi_epi32(e0, e1); /* y01234567 */
- int32x8_store(&x[j], f0);
- int32x8_store(&x[j + 8], f1);
- }
- minmax_vector(x + j, x + j + 8, n - 8 - j);
- if (j + 8 <= n) {
- int32_MINMAX(&x[j], &x[j + 4]);
- int32_MINMAX(&x[j + 1], &x[j + 5]);
- int32_MINMAX(&x[j + 2], &x[j + 6]);
- int32_MINMAX(&x[j + 3], &x[j + 7]);
- int32_MINMAX(&x[j], &x[j + 2]);
- int32_MINMAX(&x[j + 1], &x[j + 3]);
- int32_MINMAX(&x[j], &x[j + 1]);
- int32_MINMAX(&x[j + 2], &x[j + 3]);
- int32_MINMAX(&x[j + 4], &x[j + 6]);
- int32_MINMAX(&x[j + 5], &x[j + 7]);
- int32_MINMAX(&x[j + 4], &x[j + 5]);
- int32_MINMAX(&x[j + 6], &x[j + 7]);
- j += 8;
- }
- minmax_vector(x + j, x + j + 4, n - 4 - j);
- if (j + 4 <= n) {
- int32_MINMAX(&x[j], &x[j + 2]);
- int32_MINMAX(&x[j + 1], &x[j + 3]);
- int32_MINMAX(&x[j], &x[j + 1]);
- int32_MINMAX(&x[j + 2], &x[j + 3]);
- j += 4;
- }
- if (j + 3 <= n) {
- int32_MINMAX(&x[j], &x[j + 2]);
- }
- if (j + 2 <= n) {
- int32_MINMAX(&x[j], &x[j + 1]);
- }
-}
-
-void PQCLEAN_SNTRUP653_AVX2_crypto_sort_int32(void *array, long long n) {
- int32_sort(array, n);
-}
diff --git a/crypto_kem/sntrup653/avx2/crypto_sort_int32.h b/crypto_kem/sntrup653/avx2/crypto_sort_int32.h
deleted file mode 100644
index 29ec4e4d..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_sort_int32.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_AVX2_CRYPTO_SORT_INT32_H
-#define PQCLEAN_SNTRUP653_AVX2_CRYPTO_SORT_INT32_H
-
-#include
-#define PQCLEAN_SNTRUP653_AVX2_crypto_sort_int32_BYTES 4
-
-void PQCLEAN_SNTRUP653_AVX2_crypto_sort_int32(void *array, long long n);
-#endif
diff --git a/crypto_kem/sntrup653/avx2/crypto_sort_uint32.c b/crypto_kem/sntrup653/avx2/crypto_sort_uint32.c
deleted file mode 100644
index de47a24e..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_sort_uint32.c
+++ /dev/null
@@ -1,18 +0,0 @@
-#include "crypto_sort_int32.h"
-#include "crypto_sort_uint32.h"
-
-
-/* can save time by vectorizing xor loops */
-/* can save time by integrating xor loops with int32_sort */
-
-void PQCLEAN_SNTRUP653_AVX2_crypto_sort_uint32(void *array, long long n) {
- uint32_t *x = array;
- long long j;
- for (j = 0; j < n; ++j) {
- x[j] ^= 0x80000000;
- }
- PQCLEAN_SNTRUP653_AVX2_crypto_sort_int32((int32_t *)array, n);
- for (j = 0; j < n; ++j) {
- x[j] ^= 0x80000000;
- }
-}
diff --git a/crypto_kem/sntrup653/avx2/crypto_sort_uint32.h b/crypto_kem/sntrup653/avx2/crypto_sort_uint32.h
deleted file mode 100644
index b9208e7b..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_sort_uint32.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_AVX2_CRYPTO_SORT_UINT32_H
-#define PQCLEAN_SNTRUP653_AVX2_CRYPTO_SORT_UINT32_H
-
-#include
-#define PQCLEAN_SNTRUP653_AVX2_crypto_sort_uint32_BYTES 4
-
-void PQCLEAN_SNTRUP653_AVX2_crypto_sort_uint32(void *array, long long n);
-#endif
diff --git a/crypto_kem/sntrup653/avx2/crypto_stream_aes256ctr.c b/crypto_kem/sntrup653/avx2/crypto_stream_aes256ctr.c
deleted file mode 100644
index ad8eccf9..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_stream_aes256ctr.c
+++ /dev/null
@@ -1,15 +0,0 @@
-#include "crypto_stream_aes256ctr.h"
-
-
-int PQCLEAN_SNTRUP653_AVX2_crypto_stream_aes256ctr(
- uint8_t *out,
- size_t outlen,
- const uint8_t nonce[AESCTR_NONCEBYTES],
- const uint8_t key[AES256_KEYBYTES]) {
-
- aes256ctx state;
- aes256_ctr_keyexp(&state, key);
- aes256_ctr(out, outlen, nonce, &state);
- aes256_ctx_release(&state);
- return 0;
-}
diff --git a/crypto_kem/sntrup653/avx2/crypto_stream_aes256ctr.h b/crypto_kem/sntrup653/avx2/crypto_stream_aes256ctr.h
deleted file mode 100644
index f4a2d133..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_stream_aes256ctr.h
+++ /dev/null
@@ -1,15 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_AVX2_CRYPTO_STREAM_AES256CTR_H
-#define PQCLEAN_SNTRUP653_AVX2_CRYPTO_STREAM_AES256CTR_H
-#include "aes.h"
-#include
-#include
-
-
-
-int PQCLEAN_SNTRUP653_AVX2_crypto_stream_aes256ctr(
- uint8_t *out,
- size_t outlen,
- const uint8_t nonce[AESCTR_NONCEBYTES],
- const uint8_t key[AES256_KEYBYTES]);
-
-#endif
diff --git a/crypto_kem/sntrup653/avx2/crypto_verify_897.c b/crypto_kem/sntrup653/avx2/crypto_verify_897.c
deleted file mode 100644
index 10cffa5b..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_verify_897.c
+++ /dev/null
@@ -1,36 +0,0 @@
-#include "crypto_verify_897.h"
-#include
-
-int PQCLEAN_SNTRUP653_AVX2_crypto_verify_897(const unsigned char *x, const unsigned char *y) {
- __m256i diff = _mm256_set1_epi8(0);
- unsigned int differentbits = 0;
- int i = PQCLEAN_SNTRUP653_AVX2_crypto_verify_897_BYTES;
-
- i -= 32;
- for (;;) {
- do {
- __m256i x0 = _mm256_loadu_si256((__m256i *) x);
- __m256i y0 = _mm256_loadu_si256((__m256i *) y);
- diff |= x0 ^ y0;
- i -= 32;
- x += 32;
- y += 32;
- } while (i >= 0);
- if (i <= -32) {
- break;
- }
- x += i;
- y += i;
- }
-
- diff |= _mm256_srli_epi16(diff, 8);
- diff |= _mm256_srli_epi32(diff, 16);
- diff |= _mm256_srli_epi64(diff, 32);
-
- differentbits = (unsigned int) _mm256_extract_epi8(diff, 0);
- differentbits |= (unsigned int) _mm256_extract_epi8(diff, 8);
- differentbits |= (unsigned int) _mm256_extract_epi8(diff, 16);
- differentbits |= (unsigned int) _mm256_extract_epi8(diff, 24);
-
- return (int) (1 & ((differentbits - 1) >> 8)) - 1;
-}
diff --git a/crypto_kem/sntrup653/avx2/crypto_verify_897.h b/crypto_kem/sntrup653/avx2/crypto_verify_897.h
deleted file mode 100644
index 4d3f4260..00000000
--- a/crypto_kem/sntrup653/avx2/crypto_verify_897.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_AVX2_CRYPTO_VERIFY_897_H
-#define PQCLEAN_SNTRUP653_AVX2_CRYPTO_VERIFY_897_H
-
-#include
-#define PQCLEAN_SNTRUP653_AVX2_crypto_verify_897_BYTES 897
-
-int PQCLEAN_SNTRUP653_AVX2_crypto_verify_897(const unsigned char *x, const unsigned char *y);
-#endif
diff --git a/crypto_kem/sntrup653/avx2/kem.c b/crypto_kem/sntrup653/avx2/kem.c
deleted file mode 100644
index 3c9a11e7..00000000
--- a/crypto_kem/sntrup653/avx2/kem.c
+++ /dev/null
@@ -1,247 +0,0 @@
-#include "api.h"
-#include "crypto_sort_uint32.h"
-#include "params.h"
-#include "randombytes.h"
-#include "sha2.h"
-
-
-
-#define int8 int8_t
-#define int16 int16_t
-#define int32 int32_t
-#define uint16 uint16_t
-#define uint32 uint32_t
-
-/* ----- arithmetic mod 3 */
-
-typedef int8 small;
-/* F3 is always represented as -1,0,1 */
-
-/* ----- arithmetic mod q */
-
-typedef int16 Fq;
-/* always represented as -(q-1)/2...(q-1)/2 */
-
-/* ----- small polynomials */
-
-/* R3_fromR(R_fromRq(r)) */
-static void R3_fromRq(small *out, const Fq *r) {
- crypto_encode_pxfreeze3((unsigned char *) out, (unsigned char *) r);
-}
-
-/* h = f*g in the ring R3 */
-static void R3_mult(small *h, const small *f, const small *g) {
- crypto_core_mult3((unsigned char *) h, (const unsigned char *) f, (const unsigned char *) g);
-}
-
-/* ----- polynomials mod q */
-
-/* h = h*g in the ring Rq */
-static void Rq_mult_small(Fq *h, const small *g) {
- crypto_encode_pxint16((unsigned char *) h, h);
- crypto_core_mult((unsigned char *) h, (const unsigned char *) h, (const unsigned char *) g);
- crypto_decode_pxint16(h, (const unsigned char *) h);
-}
-
-/* h = 3f in Rq */
-static void Rq_mult3(Fq *h, const Fq *f) {
- crypto_encode_pxint16((unsigned char *) h, f);
- crypto_core_scale3((unsigned char *) h, (const unsigned char *) h);
- crypto_decode_pxint16(h, (const unsigned char *) h);
-}
-
-/* out = 1/(3*in) in Rq */
-/* caller must have 2p+1 bytes free in out, not just 2p */
-static void Rq_recip3(Fq *out, const small *in) {
- crypto_core_inv((unsigned char *) out, (const unsigned char *) in);
- /* could check byte 2*p for failure; but, in context, inv always works */
- crypto_decode_pxint16(out, (unsigned char *) out);
-}
-
-/* ----- underlying hash function */
-
-#define Hash_bytes 32
-
-static void Hash(unsigned char *out, const unsigned char *in, int inlen) {
- unsigned char h[64];
- int i;
- sha512(h, in, (size_t) inlen);
- for (i = 0; i < 32; ++i) {
- out[i] = h[i];
- }
-}
-
-/* ----- higher-level randomness */
-
-static void Short_random(small *out) {
- uint32 L[ppadsort];
- int i;
-
- randombytes((unsigned char *) L, 4 * p);
- crypto_decode_pxint32(L, (unsigned char *) L);
- for (i = 0; i < w; ++i) {
- L[i] = L[i] & (uint32) - 2;
- }
- for (i = w; i < p; ++i) {
- L[i] = (L[i] & (uint32) - 3) | 1;
- }
- for (i = p; i < ppadsort; ++i) {
- L[i] = 0xffffffff;
- }
- PQCLEAN_SNTRUP653_AVX2_crypto_sort_uint32(L, ppadsort);
- for (i = 0; i < p; ++i) {
- out[i] = (small) ((L[i] & 3) - 1);
- }
-}
-
-static void Small_random(small *out) {
- uint32 L[p];
- int i;
-
- randombytes((unsigned char *) L, sizeof L);
- crypto_decode_pxint32(L, (unsigned char *) L);
- for (i = 0; i < p; ++i) {
- out[i] = (small) ((((L[i] & 0x3fffffff) * 3) >> 30) - 1);
- }
-}
-
-/* ----- Streamlined NTRU Prime */
-
-typedef small Inputs[p]; /* passed by reference */
-#define Ciphertexts_bytes Rounded_bytes
-#define SecretKeys_bytes (2*Small_bytes)
-#define PublicKeys_bytes Rq_bytes
-#define Confirm_bytes 32
-
-/* c,r_enc[1:] = Hide(r,pk,cache); cache is Hash4(pk) */
-/* also set r_enc[0]=3 */
-/* also set x[0]=2, and x[1:1+Hash_bytes] = Hash3(r_enc) */
-/* also overwrite x[1+Hash_bytes:1+2*Hash_bytes] */
-static void Hide(unsigned char *x, unsigned char *c, unsigned char *r_enc, const Inputs r, const unsigned char *pk, const unsigned char *cache) {
- Fq h[p];
- int i;
-
- Small_encode(r_enc + 1, r);
- Rq_decode(h, pk);
- Rq_mult_small(h, r);
- Round_and_encode(c, h);
- r_enc[0] = 3;
- Hash(x + 1, r_enc, 1 + Small_bytes);
- for (i = 0; i < Hash_bytes; ++i) {
- x[1 + Hash_bytes + i] = cache[i];
- }
- x[0] = 2;
- Hash(c + Ciphertexts_bytes, x, 1 + Hash_bytes * 2);
-}
-
-
-int PQCLEAN_SNTRUP653_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) {
- small g[p];
- for (;;) {
- Small_random(g);
- {
- small v[p + 1];
- crypto_core_inv3((unsigned char *) v, (const unsigned char *) g);
- if (v[p] == 0) {
- Small_encode(sk + Small_bytes, v);
- break;
- }
- }
-
}
- {
- small f[p];
- Short_random(f);
- Small_encode(sk, f);
- {
- Fq h[p + 1];
- Rq_recip3(h, f); /* always works */
- Rq_mult_small(h, g);
- Rq_encode(pk, h);
- }
- }
- {
- int i;
- unsigned char sksave = sk[SecretKeys_bytes - 1];
- for (i = 0; i < PublicKeys_bytes; ++i) {
- sk[SecretKeys_bytes + i] = pk[i];
- }
- sk[SecretKeys_bytes - 1] = 4;
- Hash(sk + SecretKeys_bytes + PublicKeys_bytes + Small_bytes, sk + SecretKeys_bytes - 1, 1 + PublicKeys_bytes);
- sk[SecretKeys_bytes - 1] = sksave;
- randombytes(sk + SecretKeys_bytes + PublicKeys_bytes, Small_bytes);
- }
- return 0;
-}
-
-int PQCLEAN_SNTRUP653_AVX2_crypto_kem_enc(unsigned char *c, unsigned char *k, const unsigned char *pk) {
- unsigned char cache[Hash_bytes];
- int i;
- {
- unsigned char y[1 + PublicKeys_bytes]; /* XXX: can eliminate with incremental hashing */
- for (i = 0; i < PublicKeys_bytes; ++i) {
- y[1 + i] = pk[i];
- }
- y[0] = 4;
- Hash(cache, y, sizeof y);
- }
- {
- Inputs r;
- Short_random(r);
- {
- unsigned char r_enc[Small_bytes + 1];
- unsigned char x[1 + Hash_bytes + Ciphertexts_bytes + Confirm_bytes];
- Hide(x, c, r_enc, r, pk, cache);
- for (i = 0; i < Ciphertexts_bytes + Confirm_bytes; ++i) {
- x[1 + Hash_bytes + i] = c[i];
- }
- x[0] = 1;
- Hash(k, x, sizeof x);
- }
- }
- return 0;
-}
-
-int PQCLEAN_SNTRUP653_AVX2_crypto_kem_dec(unsigned char *k, const unsigned char *c, const unsigned char *sk) {
- const unsigned char *pk = sk + SecretKeys_bytes;
- const unsigned char *rho = pk + PublicKeys_bytes;
- const unsigned char *cache = rho + Small_bytes;
- int mask, i;
- Inputs r;
- {
- Fq d[p];
- Rounded_decode(d, c);
- {
- small f[p];
- Small_decode(f, sk);
- Rq_mult_small(d, f);
- Rq_mult3(d, d);
- }
- {
- small e[p];
- small v[p];
- R3_fromRq(e, d);
- Small_decode(v, sk + Small_bytes);
- R3_mult(r, e, v);
- }
- crypto_core_wforce((unsigned char *) r, (unsigned char *) r);
- }
- {
- unsigned char r_enc[1 + Small_bytes];
- unsigned char cnew[Ciphertexts_bytes + Confirm_bytes];
- unsigned
char x[1 + Hash_bytes + Ciphertexts_bytes + Confirm_bytes];
- /* XXX: can use incremental hashing to reduce x size */
-
- Hide(x, cnew, r_enc, r, pk, cache);
- mask = crypto_verify_clen(c, cnew);
- for (i = 0; i < Small_bytes; ++i) {
- r_enc[i + 1] ^= (unsigned char) (mask & (r_enc[i + 1] ^ rho[i]));
- }
- Hash(x + 1, r_enc, 1 + Small_bytes); /* XXX: can instead do cmov on cached hash of rho */
- for (i = 0; i < Ciphertexts_bytes + Confirm_bytes; ++i) {
- x[1 + Hash_bytes + i] = c[i];
- }
- x[0] = (unsigned char) (1 + mask);
- Hash(k, x, sizeof x);
- }
- return 0;
-}
diff --git a/crypto_kem/sntrup653/avx2/params.h b/crypto_kem/sntrup653/avx2/params.h
deleted file mode 100644
index 646a4943..00000000
--- a/crypto_kem/sntrup653/avx2/params.h
+++ /dev/null
@@ -1,73 +0,0 @@
-#ifndef params_H
-#define params_H
-#include "crypto_core_inv3sntrup653.h"
-#include "crypto_core_invsntrup653.h"
-#include "crypto_core_mult3sntrup653.h"
-#include "crypto_core_multsntrup653.h"
-#include "crypto_core_scale3sntrup653.h"
-#include "crypto_core_weightsntrup653.h"
-#include "crypto_core_wforcesntrup653.h"
-#include "crypto_decode_653x1541.h"
-#include "crypto_decode_653x3.h"
-#include "crypto_decode_653x4621.h"
-#include "crypto_decode_653xint16.h"
-#include "crypto_decode_653xint32.h"
-#include "crypto_encode_653x1541.h"
-#include "crypto_encode_653x1541round.h"
-#include "crypto_encode_653x3.h"
-#include "crypto_encode_653x4621.h"
-#include "crypto_encode_653xfreeze3.h"
-#include "crypto_encode_653xint16.h"
-#include "crypto_encode_int16.h"
-#include "crypto_sort_int32.h"
-#include "crypto_sort_uint32.h"
-#include "crypto_verify_897.h"
-
-
-#define qinv (-29499) /* reciprocal of q mod 2^16 */
-#define q27 29045 /* closest integer to 2^27/q */
-#define q18 57 /* closest integer to 2^18/q */
-#define ppad 657
-#define crypto_core_weight PQCLEAN_SNTRUP653_AVX2_crypto_core_weightsntrup653
-#define p 653
-#define q 4621
-#define w 288
-
-#define ppadsort 653
-
-#define crypto_verify_clen PQCLEAN_SNTRUP653_AVX2_crypto_verify_897
-
-#define Rq_bytes PQCLEAN_SNTRUP653_AVX2_crypto_encode_653x4621_STRBYTES
-#define Rq_encode PQCLEAN_SNTRUP653_AVX2_crypto_encode_653x4621
-#define Rq_decode PQCLEAN_SNTRUP653_AVX2_crypto_decode_653x4621
-
-#define Rounded_bytes PQCLEAN_SNTRUP653_AVX2_crypto_decode_653x1541_STRBYTES
-#define Rounded_decode PQCLEAN_SNTRUP653_AVX2_crypto_decode_653x1541
-
-#define Round_and_encode PQCLEAN_SNTRUP653_AVX2_crypto_encode_653x1541round
-
-#define Small_bytes PQCLEAN_SNTRUP653_AVX2_crypto_encode_653x3_STRBYTES
-#define Small_encode PQCLEAN_SNTRUP653_AVX2_crypto_encode_653x3
-#define Small_decode PQCLEAN_SNTRUP653_AVX2_crypto_decode_653x3
-
-#define crypto_encode_pxfreeze3 PQCLEAN_SNTRUP653_AVX2_crypto_encode_653xfreeze3
-
-#define crypto_decode_pxint32 PQCLEAN_SNTRUP653_AVX2_crypto_decode_653xint32
-
-#define crypto_decode_pxint16 PQCLEAN_SNTRUP653_AVX2_crypto_decode_653xint16
-
-#define crypto_encode_pxint16 PQCLEAN_SNTRUP653_AVX2_crypto_encode_653xint16
-
-#define crypto_core_wforce PQCLEAN_SNTRUP653_AVX2_crypto_core_wforcesntrup653
-
-#define crypto_core_scale3 PQCLEAN_SNTRUP653_AVX2_crypto_core_scale3sntrup653
-
-#define crypto_core_inv PQCLEAN_SNTRUP653_AVX2_crypto_core_invsntrup653
-
-#define crypto_core_inv3 PQCLEAN_SNTRUP653_AVX2_crypto_core_inv3sntrup653
-
-#define crypto_core_mult PQCLEAN_SNTRUP653_AVX2_crypto_core_multsntrup653
-
-#define crypto_core_mult3 PQCLEAN_SNTRUP653_AVX2_crypto_core_mult3sntrup653
-
-#endif
diff --git a/crypto_kem/sntrup653/clean/LICENSE b/crypto_kem/sntrup653/clean/LICENSE
deleted file mode 100644
index d5d21fff..00000000
--- a/crypto_kem/sntrup653/clean/LICENSE
+++ /dev/null
@@ -1 +0,0 @@
-Public Domain
diff --git a/crypto_kem/sntrup653/clean/Makefile.Microsoft_nmake b/crypto_kem/sntrup653/clean/Makefile.Microsoft_nmake
deleted file mode 100644
index 5d595797..00000000
--- a/crypto_kem/sntrup653/clean/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libsntrup653_clean.lib
-OBJECTS=crypto_core_inv3sntrup653.obj crypto_core_invsntrup653.obj crypto_core_mult3sntrup653.obj crypto_core_multsntrup653.obj crypto_core_scale3sntrup653.obj crypto_core_weightsntrup653.obj crypto_core_wforcesntrup653.obj crypto_decode_653x1541.obj crypto_decode_653x3.obj crypto_decode_653x4621.obj crypto_decode_653xint16.obj crypto_decode_653xint32.obj crypto_encode_653x1541.obj crypto_encode_653x1541round.obj crypto_encode_653x3.obj crypto_encode_653x4621.obj crypto_encode_653xfreeze3.obj crypto_encode_653xint16.obj crypto_encode_int16.obj crypto_sort_int32.obj crypto_sort_uint32.obj crypto_stream_aes256ctr.obj crypto_verify_897.obj kem.obj
-
-CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_kem/sntrup653/clean/api.h b/crypto_kem/sntrup653/clean/api.h
deleted file mode 100644
index 641b2079..00000000
--- a/crypto_kem/sntrup653/clean/api.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_CLEAN_API_H
-#define PQCLEAN_SNTRUP653_CLEAN_API_H
-
-
-
-#define PQCLEAN_SNTRUP653_CLEAN_CRYPTO_ALGNAME "sntrup653"
-
-#define PQCLEAN_SNTRUP653_CLEAN_CRYPTO_SECRETKEYBYTES 1518
-#define PQCLEAN_SNTRUP653_CLEAN_CRYPTO_PUBLICKEYBYTES 994
-#define PQCLEAN_SNTRUP653_CLEAN_CRYPTO_CIPHERTEXTBYTES 897
-#define PQCLEAN_SNTRUP653_CLEAN_CRYPTO_BYTES 32
-
-int PQCLEAN_SNTRUP653_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk);
-int PQCLEAN_SNTRUP653_CLEAN_crypto_kem_enc(unsigned char *c, unsigned char *k, const unsigned char *pk);
-int PQCLEAN_SNTRUP653_CLEAN_crypto_kem_dec(unsigned char *k, const unsigned char *c, const unsigned char *sk);
-#endif
diff --git a/crypto_kem/sntrup653/clean/crypto_core_inv3sntrup653.c b/crypto_kem/sntrup653/clean/crypto_core_inv3sntrup653.c
deleted file mode 100644
index d63459a5..00000000
--- a/crypto_kem/sntrup653/clean/crypto_core_inv3sntrup653.c
+++ /dev/null
@@ -1,110 +0,0 @@
-#include "crypto_core_inv3sntrup653.h"
-#include "params.h"
-
-
-
-#define int8 int8_t
-#define int16 int16_t
-#define int32 int32_t
-#define uint16 uint16_t
-#define uint32 uint32_t
-
-/* ----- masks */
-
-/* return -1 if x!=0; else return 0 */
-static int int16_nonzero_mask(int16 x) {
- uint16 u = (uint16) x; /* 0, else 1...65535 */
- uint32 v = u; /* 0, else 1...65535 */
- v = ~v + 1; /* 0, else 2^32-65535...2^32-1 */
- v >>= 31; /* 0, else 1 */
- return -(int) v; /* 0, else -1 */
-}
-
-/* return -1 if x<0; otherwise return 0 */
-static int int16_negative_mask(int16 x) {
- uint16 u = (uint16) x;
- u >>= 15;
- return -(int) u;
- /* alternative with gcc -fwrapv: */
- /* x>>15 compiles to CPU's arithmetic right shift */
-}
-
-/* ----- arithmetic mod 3 */
-
-typedef int8 small;
-/* F3 is always represented as -1,0,1 */
-
-/* works for -16384 <= x < 16384 */
-static small F3_freeze(int16 x) {
- return (small) (x - 3 * ((10923 * x + 16384) >> 15));
-}
-
-/* byte p of output is 0 if recip succeeded; else -1 */
-int PQCLEAN_SNTRUP653_CLEAN_crypto_core_inv3sntrup653(unsigned char *outbytes, const unsigned char *inbytes) {
- small *out = (void *) outbytes;
- small *in = (void *) inbytes;
- small f[p + 1], g[p + 1], v[p + 1], r[p + 1];
- int i, loop, delta;
- int sign, swap, t;
-
- for (i = 0; i < p + 1; ++i) {
- v[i] = 0;
- }
- for (i = 0; i < p + 1; ++i) {
- r[i] = 0;
- }
- r[0] = 1;
- for (i = 0; i < p; ++i) {
- f[i] = 0;
- }
- f[0] = 1;
- f[p - 1] = f[p] = -1;
- for (i = 0; i < p; ++i) {
- small i1 = in[i] & 1;
- g[p - 1 - i] = (small) (i1 - (in[i] & (i1 << 1)));
- }
- g[p] = 0;
-
- delta = 1;
-
- for (loop = 0; loop < 2 * p - 1; ++loop) {
- for (i = p; i > 0; --i) {
- v[i] = v[i - 1];
- }
- v[0] = 0;
-
- sign = -g[0] * f[0];
- swap = int16_negative_mask((int16) - delta) & int16_nonzero_mask(g[0]);
- delta ^= swap & (delta ^ -delta);
- delta += 1;
-
- for (i = 0; i < p + 1; ++i) {
- t = swap & (f[i] ^ g[i]);
- f[i] ^= (small) t;
- g[i] ^= (small) t;
- t = swap & (v[i] ^ r[i]);
- v[i] ^= (small) t;
- r[i] ^= (small) t;
- }
-
- for (i = 0; i < p + 1; ++i) {
- g[i] = F3_freeze((int16) (g[i] + sign * f[i]));
- }
- for (i = 0; i < p + 1; ++i) {
- r[i] = F3_freeze((int16) (r[i] + sign * v[i]));
- }
-
- for (i = 0; i < p; ++i) {
- g[i] = g[i + 1];
- }
- g[p] = 0;
- }
-
- sign = f[0];
- for (i = 0; i < p; ++i) {
- out[i] = (small) (sign * v[p - 1 - i]);
- }
-
- out[p] = (small) int16_nonzero_mask((int16) delta);
- return 0;
-}
diff --git a/crypto_kem/sntrup653/clean/crypto_core_inv3sntrup653.h b/crypto_kem/sntrup653/clean/crypto_core_inv3sntrup653.h
deleted file mode 100644
index 3e0d817e..00000000
--- a/crypto_kem/sntrup653/clean/crypto_core_inv3sntrup653.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_CLEAN_CRYPTO_CORE_INV3SNTRUP653_H
-#define PQCLEAN_SNTRUP653_CLEAN_CRYPTO_CORE_INV3SNTRUP653_H
-
-#include
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_core_inv3sntrup653_OUTPUTBYTES 654
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_core_inv3sntrup653_INPUTBYTES 653
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_core_inv3sntrup653_KEYBYTES 0
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_core_inv3sntrup653_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP653_CLEAN_crypto_core_inv3sntrup653(unsigned char *outbytes, const unsigned char *inbytes);
-#endif
diff --git a/crypto_kem/sntrup653/clean/crypto_core_invsntrup653.c b/crypto_kem/sntrup653/clean/crypto_core_invsntrup653.c
deleted file mode 100644
index 98705b0f..00000000
--- a/crypto_kem/sntrup653/clean/crypto_core_invsntrup653.c
+++ /dev/null
@@ -1,130 +0,0 @@
-#include "crypto_core_invsntrup653.h"
-#include "params.h"
-
-
-#define int8 int8_t
-#define int16 int16_t
-#define int32 int32_t
-#define uint16 uint16_t
-#define uint32 uint32_t
-
-
-/* ----- masks */
-
-/* return -1 if x!=0; else return 0 */
-static int int16_nonzero_mask(int16 x) {
- uint16 u = (uint16) x; /* 0, else 1...65535 */
- uint32 v = u; /* 0, else 1...65535 */
- v = ~v + 1; /* 0, else 2^32-65535...2^32-1 */
- v >>= 31; /* 0, else 1 */
- return -(int) v; /* 0, else -1 */
-}
-
-/* return -1 if x<0; otherwise return 0 */
-static int int16_negative_mask(int16 x) {
- uint16 u = (uint16) x;
- u >>= 15;
- return -(int) u;
- /* alternative with gcc -fwrapv: */
- /* x>>15 compiles to CPU's arithmetic right shift */
-}
-
-/* ----- arithmetic mod q */
-
-typedef int8 small;
-
-typedef int16 Fq;
-/* always represented as -(q-1)/2...(q-1)/2 */
-
-/* works for -14000000 < x < 14000000 if q in 4591, 4621, 5167 */
-static Fq Fq_freeze(int32 x) {
- x -= q * ((q18 * x) >> 18);
- x -= q * ((q27 * x + 67108864) >> 27);
- return (Fq) x;
-}
-
-static Fq Fq_recip(Fq a1) {
- int i = 1;
- Fq ai = a1;
-
- while (i < q - 2) {
- ai = Fq_freeze(a1 * (int32)ai);
- i += 1;
- }
- return ai;
-}
-
-/* ----- polynomials mod q */
-
-/* out = 1/(3*in) in Rq */
-/* outbytes[2*p] is 0 if recip succeeded; else -1 */
-int PQCLEAN_SNTRUP653_CLEAN_crypto_core_invsntrup653(unsigned char *outbytes, const unsigned char *inbytes) {
- small *in = (void *) inbytes;
- Fq out[p], f[p + 1], g[p + 1], v[p + 1], r[p + 1];
- int i, loop, delta;
- int swap, t;
- int32 f0, g0;
- Fq scale;
-
- for (i = 0; i < p + 1; ++i) {
- v[i] = 0;
- }
- for (i = 0; i < p + 1; ++i) {
- r[i] = 0;
- }
- r[0] = Fq_recip(3);
- for (i = 0; i < p; ++i) {
- f[i] = 0;
- }
- f[0] = 1;
- f[p - 1] = f[p] = -1;
- for (i = 0; i < p; ++i) {
- g[p - 1 - i] = in[i];
- }
- g[p] = 0;
-
- delta = 1;
-
- for (loop = 0; loop < 2 * p - 1; ++loop) {
- for (i = p; i > 0; --i) {
- v[i] = v[i - 1];
- }
- v[0] = 0;
-
- swap =
int16_negative_mask((int16) - delta) & int16_nonzero_mask(g[0]);
- delta ^= swap & (delta ^ -delta);
- delta += 1;
-
- for (i = 0; i < p + 1; ++i) {
- t = swap & (f[i] ^ g[i]);
- f[i] ^= (Fq) t;
- g[i] ^= (Fq) t;
- t = swap & (v[i] ^ r[i]);
- v[i] ^= (Fq) t;
- r[i] ^= (Fq) t;
- }
-
- f0 = f[0];
- g0 = g[0];
- for (i = 0; i < p + 1; ++i) {
- g[i] = Fq_freeze(f0 * g[i] - g0 * f[i]);
- }
- for (i = 0; i < p + 1; ++i) {
- r[i] = Fq_freeze(f0 * r[i] - g0 * v[i]);
- }
-
- for (i = 0; i < p; ++i) {
- g[i] = g[i + 1];
- }
- g[p] = 0;
- }
-
- scale = Fq_recip(f[0]);
- for (i = 0; i < p; ++i) {
- out[i] = Fq_freeze(scale * (int32)v[p - 1 - i]);
- }
-
- crypto_encode_pxint16(outbytes, out);
- outbytes[2 * p] = (unsigned char) int16_nonzero_mask((int16) delta);
- return 0;
-}
diff --git a/crypto_kem/sntrup653/clean/crypto_core_invsntrup653.h b/crypto_kem/sntrup653/clean/crypto_core_invsntrup653.h
deleted file mode 100644
index ab7301fd..00000000
--- a/crypto_kem/sntrup653/clean/crypto_core_invsntrup653.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_CLEAN_CRYPTO_CORE_INVSNTRUP653_H
-#define PQCLEAN_SNTRUP653_CLEAN_CRYPTO_CORE_INVSNTRUP653_H
-
-#include
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_core_invsntrup653_OUTPUTBYTES 1307
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_core_invsntrup653_INPUTBYTES 653
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_core_invsntrup653_KEYBYTES 0
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_core_invsntrup653_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP653_CLEAN_crypto_core_invsntrup653(unsigned char *outbytes, const unsigned char *inbytes);
-#endif
diff --git a/crypto_kem/sntrup653/clean/crypto_core_mult3sntrup653.c b/crypto_kem/sntrup653/clean/crypto_core_mult3sntrup653.c
deleted file mode 100644
index 7d0d4636..00000000
--- a/crypto_kem/sntrup653/clean/crypto_core_mult3sntrup653.c
+++ /dev/null
@@ -1,57 +0,0 @@
-#include "crypto_core_mult3sntrup653.h"
-#include "params.h"
-
-
-#define int8 int8_t
-#define int16 int16_t
-typedef int8 small;
-
-/* works for -16384 <= x < 16384 */
-static small F3_freeze(int16 x) {
- return (small) (x - 3 * ((10923 * x + 16384) >> 15));
-}
-
-int PQCLEAN_SNTRUP653_CLEAN_crypto_core_mult3sntrup653(unsigned char *outbytes, const unsigned char *inbytes, const unsigned char *kbytes) {
- small *h = (void *) outbytes;
- small f[p];
- small g[p];
- small fg[p + p - 1];
- int16 result;
- int i, j;
-
- for (i = 0; i < p; ++i) {
- small fi = (small) inbytes[i];
- small fi0 = fi & 1;
- f[i] = (small) (fi0 - (fi & (fi0 << 1)));
- }
- for (i = 0; i < p; ++i) {
- small gi = (small) kbytes[i];
- small gi0 = gi & 1;
- g[i] = (small) (gi0 - (gi & (gi0 << 1)));
- }
-
- for (i = 0; i < p; ++i) {
- result = 0;
- for (j = 0; j <= i; ++j) {
- result += (small) (f[j] * g[i - j]);
- }
- fg[i] = F3_freeze(result);
- }
- for (i = p; i < p + p - 1; ++i) {
- result = 0;
- for (j = i - p + 1; j < p; ++j) {
- result += (small) (f[j] * g[i - j]);
- }
- fg[i] = F3_freeze(result);
- }
-
- for (i = p + p - 2; i >= p; --i) {
- fg[i - p] = F3_freeze(fg[i - p] + fg[i]);
- fg[i - p + 1] = F3_freeze(fg[i - p + 1] + fg[i]);
- }
-
- for (i = 0; i < p; ++i) {
- h[i] = fg[i];
- }
- return 0;
-}
diff --git a/crypto_kem/sntrup653/clean/crypto_core_mult3sntrup653.h b/crypto_kem/sntrup653/clean/crypto_core_mult3sntrup653.h
deleted file mode 100644
index 0a944710..00000000
--- a/crypto_kem/sntrup653/clean/crypto_core_mult3sntrup653.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_CLEAN_CRYPTO_CORE_MULT3SNTRUP653_H
-#define PQCLEAN_SNTRUP653_CLEAN_CRYPTO_CORE_MULT3SNTRUP653_H
-
-#include
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_core_mult3sntrup653_OUTPUTBYTES 653
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_core_mult3sntrup653_INPUTBYTES 653
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_core_mult3sntrup653_KEYBYTES 653
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_core_mult3sntrup653_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP653_CLEAN_crypto_core_mult3sntrup653(unsigned char *outbytes, const unsigned char *inbytes, const unsigned char *kbytes);
-#endif
diff --git a/crypto_kem/sntrup653/clean/crypto_core_multsntrup653.c b/crypto_kem/sntrup653/clean/crypto_core_multsntrup653.c
deleted file mode 100644
index d44aedae..00000000
--- a/crypto_kem/sntrup653/clean/crypto_core_multsntrup653.c
+++ /dev/null
@@ -1,60 +0,0 @@
-#include "crypto_core_multsntrup653.h"
-#include "params.h"
-
-
-#define int8 int8_t
-#define int16 int16_t
-#define int32 int32_t
-typedef int8 small;
-
-typedef int16 Fq;
-/* always represented as -(q-1)/2...(q-1)/2 */
-
-/* works for -14000000 < x < 14000000 if q in 4591, 4621, 5167 */
-static Fq Fq_freeze(int32 x) {
- x -= q * ((q18 * x) >> 18);
- x -= q * ((q27 * x + 67108864) >> 27);
- return (Fq) x;
-}
-
-int PQCLEAN_SNTRUP653_CLEAN_crypto_core_multsntrup653(unsigned char *outbytes, const unsigned char *inbytes, const unsigned char *kbytes) {
- Fq f[p];
- small g[p];
- Fq fg[p + p - 1];
- int32 result;
- int i, j;
-
- crypto_decode_pxint16(f, inbytes);
- for (i = 0; i < p; ++i) {
- f[i] = Fq_freeze(f[i]);
- }
-
- for (i = 0; i < p; ++i) {
- small gi = (small) kbytes[i];
- small gi0 = gi & 1;
- g[i] = (small) (gi0 - (gi & (gi0 << 1)));
- }
-
- for (i = 0; i < p; ++i) {
- result = 0;
- for (j = 0; j <= i; ++j) {
- result += f[j] * (int32)g[i - j];
- }
- fg[i] = Fq_freeze(result);
- }
- for (i = p; i < p + p - 1; ++i) {
- result = 0;
- for (j = i - p + 1; j < p; ++j) {
- result += f[j] * (int32)g[i - j];
- }
- fg[i] = Fq_freeze(result);
- }
-
- for (i = p + p - 2; i >= p; --i) {
- fg[i - p] = Fq_freeze(fg[i - p] + fg[i]);
- fg[i - p + 1] = Fq_freeze(fg[i - p + 1] + fg[i]);
- }
-
- crypto_encode_pxint16(outbytes, fg);
- return 0;
-}
diff --git a/crypto_kem/sntrup653/clean/crypto_core_multsntrup653.h b/crypto_kem/sntrup653/clean/crypto_core_multsntrup653.h
deleted file mode 100644
index 44f4715b..00000000
--- a/crypto_kem/sntrup653/clean/crypto_core_multsntrup653.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_CLEAN_CRYPTO_CORE_MULTSNTRUP653_H
-#define PQCLEAN_SNTRUP653_CLEAN_CRYPTO_CORE_MULTSNTRUP653_H
-
-#include
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_core_multsntrup653_OUTPUTBYTES 1306
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_core_multsntrup653_INPUTBYTES 1306
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_core_multsntrup653_KEYBYTES 653
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_core_multsntrup653_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP653_CLEAN_crypto_core_multsntrup653(unsigned char *outbytes, const unsigned char *inbytes, const unsigned char *kbytes);
-#endif
diff --git a/crypto_kem/sntrup653/clean/crypto_core_scale3sntrup653.c b/crypto_kem/sntrup653/clean/crypto_core_scale3sntrup653.c
deleted file mode 100644
index edac527b..00000000
--- a/crypto_kem/sntrup653/clean/crypto_core_scale3sntrup653.c
+++ /dev/null
@@ -1,32 +0,0 @@
-#include "crypto_core_scale3sntrup653.h"
-#include "crypto_decode_653xint16.h"
-#include "crypto_encode_653xint16.h"
-
-
-#define p 653
-#define q 4621
-
-#define crypto_decode_pxint16 PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653xint16
-#define crypto_encode_pxint16 PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653xint16
-
-typedef int16_t Fq;
-
-/* out = 3*in in Rq */
-int PQCLEAN_SNTRUP653_CLEAN_crypto_core_scale3sntrup653(unsigned char *outbytes, const unsigned char *inbytes) {
- Fq f[p];
- int i;
-
- crypto_decode_pxint16(f, inbytes);
- for (i = 0; i < p; ++i) {
- Fq x = f[i];
- x *= 3; /* (-3q+3)/2 ... (3q-3)/2 */
- x -= (q + 1) / 2; /* -2q+1 ... q-2 */
- x += q & (x >> 15); /* -q+1 ... q-1 */
- x += q & (x >> 15); /* 0 ... q-1 */
- x -= (q - 1) / 2; /* -(q-1)/2 ... (q-1)/2 */
- f[i] = x;
- }
- crypto_encode_pxint16(outbytes, f);
-
- return 0;
-}
diff --git a/crypto_kem/sntrup653/clean/crypto_core_scale3sntrup653.h b/crypto_kem/sntrup653/clean/crypto_core_scale3sntrup653.h
deleted file mode 100644
index 70493195..00000000
--- a/crypto_kem/sntrup653/clean/crypto_core_scale3sntrup653.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_CLEAN_CRYPTO_CORE_SCALE3SNTRUP653_H
-#define PQCLEAN_SNTRUP653_CLEAN_CRYPTO_CORE_SCALE3SNTRUP653_H
-
-#include
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_core_scale3sntrup653_OUTPUTBYTES 1306
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_core_scale3sntrup653_INPUTBYTES 1306
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_core_scale3sntrup653_KEYBYTES 0
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_core_scale3sntrup653_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP653_CLEAN_crypto_core_scale3sntrup653(unsigned char *outbytes, const unsigned char *inbytes);
-#endif
diff --git a/crypto_kem/sntrup653/clean/crypto_core_weightsntrup653.c b/crypto_kem/sntrup653/clean/crypto_core_weightsntrup653.c
deleted file mode 100644
index 737816f0..00000000
--- a/crypto_kem/sntrup653/clean/crypto_core_weightsntrup653.c
+++ /dev/null
@@ -1,21 +0,0 @@
-#include "crypto_core_weightsntrup653.h"
-#include "crypto_encode_int16.h"
-#include "params.h"
-
-
-#define int8 int8_t
-#define int16 int16_t
-
-
-/* out = little-endian weight of bottom bits of in */
-int PQCLEAN_SNTRUP653_CLEAN_crypto_core_weightsntrup653(unsigned char *outbytes, const unsigned char *inbytes) {
- int8 *in = (void *) inbytes;
- int16 weight = 0;
- int i;
-
- for (i = 0; i < p; ++i) {
- weight += in[i] & 1;
- }
- PQCLEAN_SNTRUP653_CLEAN_crypto_encode_int16(outbytes, &weight);
- return 0;
-}
diff --git a/crypto_kem/sntrup653/clean/crypto_core_weightsntrup653.h b/crypto_kem/sntrup653/clean/crypto_core_weightsntrup653.h
deleted file mode 100644
index 244ca54c..00000000
--- a/crypto_kem/sntrup653/clean/crypto_core_weightsntrup653.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_CLEAN_CRYPTO_CORE_WEIGHTSNTRUP653_H
-#define PQCLEAN_SNTRUP653_CLEAN_CRYPTO_CORE_WEIGHTSNTRUP653_H
-
-#include
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_core_weightsntrup653_OUTPUTBYTES 2
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_core_weightsntrup653_INPUTBYTES 653
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_core_weightsntrup653_KEYBYTES 0
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_core_weightsntrup653_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP653_CLEAN_crypto_core_weightsntrup653(unsigned char *outbytes, const unsigned char *inbytes);
-#endif
diff --git a/crypto_kem/sntrup653/clean/crypto_core_wforcesntrup653.c b/crypto_kem/sntrup653/clean/crypto_core_wforcesntrup653.c
deleted file mode 100644
index 4c3e616b..00000000
--- a/crypto_kem/sntrup653/clean/crypto_core_wforcesntrup653.c
+++ /dev/null
@@ -1,48 +0,0 @@
-#include "crypto_core_wforcesntrup653.h"
-#include "params.h"
-
-
-#define int8 int8_t
-#define int16 int16_t
-#define uint16 uint16_t
-#define uint32 uint32_t
-
-typedef int8 small;
-
-
-/* return -1 if x!=0; else return 0 */
-static int int16_nonzero_mask(int16 x) {
- uint16 u = (uint16) x; /* 0, else 1...65535 */
- uint32 v = u; /* 0, else 1...65535 */
- v = ~v + 1; /* 0, else 2^32-65535...2^32-1 */
- v >>= 31; /* 0, else 1 */
- return -(int) v; /* 0, else -1 */
-}
-
-/* 0 if Weightw_is(r), else -1 */
-static int Weightw_mask(const small *r) {
- int weight = 0;
- int i;
-
- for (i = 0; i < p; ++i) {
- weight += r[i] & 1;
- }
- return int16_nonzero_mask((int16) (weight - w));
-}
-
-/* out = in if bottom bits of in have weight w */
-/* otherwise out = (1,1,...,1,0,0,...,0) */
-int PQCLEAN_SNTRUP653_CLEAN_crypto_core_wforcesntrup653(unsigned char *outbytes, const unsigned char *inbytes) {
- small *out = (void *) outbytes;
- const small *in = (const void *) inbytes;
- int i, mask;
-
- mask = Weightw_mask(in); /* 0 if weight w, else -1 */
- for (i = 0; i < w; ++i) {
- out[i] = (small) (((in[i] ^ 1) & ~mask) ^ 1);
- }
- for (i = w; i < p; ++i) {
- out[i] = (small) (in[i] & ~mask);
- }
- return 0;
-}
diff --git a/crypto_kem/sntrup653/clean/crypto_core_wforcesntrup653.h b/crypto_kem/sntrup653/clean/crypto_core_wforcesntrup653.h
deleted file mode 100644
index 3ba291e2..00000000
--- a/crypto_kem/sntrup653/clean/crypto_core_wforcesntrup653.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_CLEAN_CRYPTO_CORE_WFORCESNTRUP653_H
-#define PQCLEAN_SNTRUP653_CLEAN_CRYPTO_CORE_WFORCESNTRUP653_H
-
-#include
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_core_wforcesntrup653_OUTPUTBYTES 653
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_core_wforcesntrup653_INPUTBYTES 653
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_core_wforcesntrup653_KEYBYTES 0
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_core_wforcesntrup653_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP653_CLEAN_crypto_core_wforcesntrup653(unsigned char *outbytes, const unsigned char *inbytes);
-#endif
diff --git a/crypto_kem/sntrup653/clean/crypto_decode_653x1541.c b/crypto_kem/sntrup653/clean/crypto_decode_653x1541.c
deleted file mode 100644
index 3c5f24ac..00000000
--- a/crypto_kem/sntrup653/clean/crypto_decode_653x1541.c
+++ /dev/null
@@ -1,200 +0,0 @@ -#include "crypto_decode_653x1541.h" - -/* auto-generated; do not edit */ - -#define int16 int16_t -#define uint16 uint16_t -#define uint32 uint32_t -#define uint64 uint64_t - -/* -CPU division instruction typically takes time depending on x. -This software is designed to take time independent of x. -Time still varies depending on m; user must ensure that m is constant. -Time also varies on CPUs where multiplication is variable-time. -There could be more CPU issues. -There could also be compiler issues. -*/ - -static void uint32_divmod_uint14(uint32 *q, uint16 *r, uint32 x, uint16 m) { - uint32 v = 0x80000000; - uint32 qpart; - uint32 mask; - - v /= m; - - /* caller guarantees m > 0 */ - /* caller guarantees m < 16384 */ - /* vm <= 2^31 <= vm+m-1 */ - /* xvm <= 2^31 x <= xvm+x(m-1) */ - - *q = 0; - - qpart = (uint32) ((x * (uint64)v) >> 31); - /* 2^31 qpart <= xv <= 2^31 qpart + 2^31-1 */ - /* 2^31 qpart m <= xvm <= 2^31 qpart m + (2^31-1)m */ - /* 2^31 qpart m <= 2^31 x <= 2^31 qpart m + (2^31-1)m + x(m-1) */ - /* 0 <= 2^31 newx <= (2^31-1)m + x(m-1) */ - /* 0 <= newx <= (1-1/2^31)m + x(m-1)/2^31 */ - /* 0 <= newx <= (1-1/2^31)(2^14-1) + (2^32-1)((2^14-1)-1)/2^31 */ - - x -= qpart * m; - *q += qpart; - /* x <= 49146 */ - - qpart = (uint32) ((x * (uint64)v) >> 31); - /* 0 <= newx <= (1-1/2^31)m + x(m-1)/2^31 */ - /* 0 <= newx <= m + 49146(2^14-1)/2^31 */ - /* 0 <= newx <= m + 0.4 */ - /* 0 <= newx <= m */ - - x -= qpart * m; - *q += qpart; - /* x <= m */ - - x -= m; - *q += 1; - mask = (~(x >> 31) + 1); - x += mask & (uint32)m; - *q += mask; - /* x < m */ - - *r = (uint16) x; -} - -static uint16 uint32_mod_uint14(uint32 x, uint16 m) { - uint32 q; - uint16 r; - uint32_divmod_uint14(&q, &r, x, m); - return r; -} - -void PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653x1541(void *v, const unsigned char *s) { - int16 *R0 = v; - uint16 R1[327], R2[164], R3[82], R4[41], R5[21], R6[11], R7[6], R8[3], R9[2], R10[1]; - long long i; - uint16 r0; - uint32 r1, r2; - 
- s += PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653x1541_STRBYTES; - r1 = 0; - r1 = (r1 << 8) | *--s; - r1 = (r1 << 8) | *--s; - r1 = uint32_mod_uint14(r1, 2608); /* needed only for invalid inputs */ - R10[0] = (uint16) r1; - - r2 = R10[0]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 71); - R9[0] = r0; - r1 = uint32_mod_uint14(r1, 9402); /* needed only for invalid inputs */ - R9[1] = (uint16) r1; - - R8[2] = R9[1]; - r2 = R9[0]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 134); - R8[0] = r0; - r1 = uint32_mod_uint14(r1, 134); /* needed only for invalid inputs */ - R8[1] = (uint16) r1; - - r2 = R8[2]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 2953); - R7[4] = r0; - r1 = uint32_mod_uint14(r1, 815); /* needed only for invalid inputs */ - R7[5] = (uint16) r1; - for (i = 1; i >= 0; --i) { - r2 = R8[i]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 2953); - R7[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 2953); /* needed only for invalid inputs */ - R7[2 * i + 1] = (uint16) r1; - } - - R6[10] = R7[5]; - for (i = 4; i >= 0; --i) { - r2 = R7[i]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 13910); - R6[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 13910); /* needed only for invalid inputs */ - R6[2 * i + 1] = (uint16) r1; - } - - R5[20] = R6[10]; - for (i = 9; i >= 0; --i) { - r2 = R6[i]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 1887); - R5[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 1887); /* needed only for invalid inputs */ - R5[2 * i + 1] = (uint16) r1; - } - - R4[40] = R5[20]; - for (i = 19; i >= 0; --i) { - r2 = R5[i]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 695); - R4[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 695); /* needed only for invalid inputs */ - R4[2 * i + 1] = (uint16) r1; - } - - r2 = R4[40]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 6745); - 
R3[80] = r0; - r1 = uint32_mod_uint14(r1, 7910); /* needed only for invalid inputs */ - R3[81] = (uint16) r1; - for (i = 39; i >= 0; --i) { - r2 = R4[i]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 6745); - R3[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 6745); /* needed only for invalid inputs */ - R3[2 * i + 1] = (uint16) r1; - } - - r2 = R3[81]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 1314); - R2[162] = r0; - r1 = uint32_mod_uint14(r1, 1541); /* needed only for invalid inputs */ - R2[163] = (uint16) r1; - for (i = 80; i >= 0; --i) { - r2 = R3[i]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 1314); - R2[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 1314); /* needed only for invalid inputs */ - R2[2 * i + 1] = (uint16) r1; - } - - R1[326] = R2[163]; - for (i = 162; i >= 0; --i) { - r2 = R2[i]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 9277); - R1[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 9277); /* needed only for invalid inputs */ - R1[2 * i + 1] = (uint16) r1; - } - - R0[652] = (int16) (3 * R1[326] - 2310); - for (i = 325; i >= 0; --i) { - r2 = R1[i]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 1541); - R0[2 * i] = (int16) (3 * r0 - 2310); - r1 = uint32_mod_uint14(r1, 1541); /* needed only for invalid inputs */ - R0[2 * i + 1] = (int16) (3 * r1 - 2310); - } -} diff --git a/crypto_kem/sntrup653/clean/crypto_decode_653x1541.h b/crypto_kem/sntrup653/clean/crypto_decode_653x1541.h deleted file mode 100644 index 1af235df..00000000 --- a/crypto_kem/sntrup653/clean/crypto_decode_653x1541.h +++ /dev/null 
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_CLEAN_CRYPTO_DECODE_653X1541_H
-#define PQCLEAN_SNTRUP653_CLEAN_CRYPTO_DECODE_653X1541_H
-
-#include
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653x1541_STRBYTES 865
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653x1541_ITEMS 653
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653x1541_ITEMBYTES 2
-
-void PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653x1541(void *v, const unsigned char *s);
-#endif
diff --git a/crypto_kem/sntrup653/clean/crypto_decode_653x3.c b/crypto_kem/sntrup653/clean/crypto_decode_653x3.c
deleted file mode 100644
index a5e0641c..00000000
--- a/crypto_kem/sntrup653/clean/crypto_decode_653x3.c
+++ /dev/null
@@ -1,24 +0,0 @@
-#include "crypto_decode_653x3.h"
-
-#define uint8 uint8_t
-
-#define p 653
-
-void PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653x3(void *v, const unsigned char *s) {
- uint8 *f = v;
- uint8 x;
- int i;
-
- for (i = 0; i < p / 4; ++i) {
- x = *s++;
- *f++ = (uint8) ((x & 3) - 1);
- x >>= 2;
- *f++ = (uint8) ((x & 3) - 1);
- x >>= 2;
- *f++ = (uint8) ((x & 3) - 1);
- x >>= 2;
- *f++ = (uint8) ((x & 3) - 1);
- }
- x = *s++;
- *f++ = (uint8) ((x & 3) - 1);
-}
diff --git a/crypto_kem/sntrup653/clean/crypto_decode_653x3.h b/crypto_kem/sntrup653/clean/crypto_decode_653x3.h
deleted file mode 100644
index ded47a1f..00000000
--- a/crypto_kem/sntrup653/clean/crypto_decode_653x3.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_CLEAN_CRYPTO_DECODE_653X3_H
-#define PQCLEAN_SNTRUP653_CLEAN_CRYPTO_DECODE_653X3_H
-
-#include
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653x3_STRBYTES 164
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653x3_ITEMS 653
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653x3_ITEMBYTES 1
-
-void PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653x3(void *v, const unsigned char *s);
-#endif
diff --git a/crypto_kem/sntrup653/clean/crypto_decode_653x4621.c b/crypto_kem/sntrup653/clean/crypto_decode_653x4621.c
deleted file mode 100644
index 4a942293..00000000
--- a/crypto_kem/sntrup653/clean/crypto_decode_653x4621.c
+++ /dev/null
@@ -1,198 +0,0 @@ -#include "crypto_decode_653x4621.h" - -/* auto-generated; do not edit */ - -#define int16 int16_t -#define uint16 uint16_t -#define uint32 uint32_t -#define uint64 uint64_t - -/* -CPU division instruction typically takes time depending on x. -This software is designed to take time independent of x. -Time still varies depending on m; user must ensure that m is constant. -Time also varies on CPUs where multiplication is variable-time. -There could be more CPU issues. -There could also be compiler issues. -*/ - -static void uint32_divmod_uint14(uint32 *q, uint16 *r, uint32 x, uint16 m) { - uint32 v = 0x80000000; - uint32 qpart; - uint32 mask; - - v /= m; - - /* caller guarantees m > 0 */ - /* caller guarantees m < 16384 */ - /* vm <= 2^31 <= vm+m-1 */ - /* xvm <= 2^31 x <= xvm+x(m-1) */ - - *q = 0; - - qpart = (uint32) ((x * (uint64)v) >> 31); - /* 2^31 qpart <= xv <= 2^31 qpart + 2^31-1 */ - /* 2^31 qpart m <= xvm <= 2^31 qpart m + (2^31-1)m */ - /* 2^31 qpart m <= 2^31 x <= 2^31 qpart m + (2^31-1)m + x(m-1) */ - /* 0 <= 2^31 newx <= (2^31-1)m + x(m-1) */ - /* 0 <= newx <= (1-1/2^31)m + x(m-1)/2^31 */ - /* 0 <= newx <= (1-1/2^31)(2^14-1) + (2^32-1)((2^14-1)-1)/2^31 */ - - x -= qpart * m; - *q += qpart; - /* x <= 49146 */ - - qpart = (uint32) ((x * (uint64)v) >> 31); - /* 0 <= newx <= (1-1/2^31)m + x(m-1)/2^31 */ - /* 0 <= newx <= m + 49146(2^14-1)/2^31 */ - /* 0 <= newx <= m + 0.4 */ - /* 0 <= newx <= m */ - - x -= qpart * m; - *q += qpart; - /* x <= m */ - - x -= m; - *q += 1; - mask = (~(x >> 31) + 1); - x += mask & (uint32)m; - *q += mask; - /* x < m */ - - *r = (uint16) x; -} - -static uint16 uint32_mod_uint14(uint32 x, uint16 m) { - uint32 q; - uint16 r; - uint32_divmod_uint14(&q, &r, x, m); - return r; -} - -void PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653x4621(void *v, const unsigned char *s) { - int16 *R0 = v; - uint16 R1[327], R2[164], R3[82], R4[41], R5[21], R6[11], R7[6], R8[3], R9[2], R10[1]; - long long i; - uint16 r0; - uint32 r1, r2; - 
- s += PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653x4621_STRBYTES; - r1 = 0; - r1 = (r1 << 8) | *--s; - r1 = uint32_mod_uint14(r1, 86); /* needed only for invalid inputs */ - R10[0] = (uint16) r1; - - r2 = R10[0]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 835); - R9[0] = r0; - r1 = uint32_mod_uint14(r1, 6708); /* needed only for invalid inputs */ - R9[1] = (uint16) r1; - - R8[2] = R9[1]; - r2 = R9[0]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 7396); - R8[0] = r0; - r1 = uint32_mod_uint14(r1, 7396); /* needed only for invalid inputs */ - R8[1] = (uint16) r1; - - r2 = R8[2]; - uint32_divmod_uint14(&r1, &r0, r2, 86); - R7[4] = r0; - r1 = uint32_mod_uint14(r1, 78); /* needed only for invalid inputs */ - R7[5] = (uint16) r1; - for (i = 1; i >= 0; --i) { - r2 = R8[i]; - uint32_divmod_uint14(&r1, &r0, r2, 86); - R7[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 86); /* needed only for invalid inputs */ - R7[2 * i + 1] = (uint16) r1; - } - - R6[10] = R7[5]; - for (i = 4; i >= 0; --i) { - r2 = R7[i]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 2370); - R6[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 2370); /* needed only for invalid inputs */ - R6[2 * i + 1] = (uint16) r1; - } - - R5[20] = R6[10]; - for (i = 9; i >= 0; --i) { - r2 = R6[i]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 12461); - R5[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 12461); /* needed only for invalid inputs */ - R5[2 * i + 1] = (uint16) r1; - } - - R4[40] = R5[20]; - for (i = 19; i >= 0; --i) { - r2 = R5[i]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 1786); - R4[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 1786); /* needed only for invalid inputs */ - R4[2 * i + 1] = (uint16) r1; - } - - r2 = R4[40]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 676); - R3[80] = r0; - r1 = 
uint32_mod_uint14(r1, 7510); /* needed only for invalid inputs */ - R3[81] = (uint16) r1; - for (i = 39; i >= 0; --i) { - r2 = R4[i]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 676); - R3[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 676); /* needed only for invalid inputs */ - R3[2 * i + 1] = (uint16) r1; - } - - r2 = R3[81]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 416); - R2[162] = r0; - r1 = uint32_mod_uint14(r1, 4621); /* needed only for invalid inputs */ - R2[163] = (uint16) r1; - for (i = 80; i >= 0; --i) { - r2 = R3[i]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 416); - R2[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 416); /* needed only for invalid inputs */ - R2[2 * i + 1] = (uint16) r1; - } - - R1[326] = R2[163]; - for (i = 162; i >= 0; --i) { - r2 = R2[i]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 326); - R1[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 326); /* needed only for invalid inputs */ - R1[2 * i + 1] = (uint16) r1; - } - - R0[652] = (int16) (R1[326] - 2310); - for (i = 325; i >= 0; --i) { - r2 = R1[i]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 4621); - R0[2 * i] = (int16) (r0 - 2310); - r1 = uint32_mod_uint14(r1, 4621); /* needed only for invalid inputs */ - R0[2 * i + 1] = (int16) (r1 - 2310); - } -} diff --git a/crypto_kem/sntrup653/clean/crypto_decode_653x4621.h b/crypto_kem/sntrup653/clean/crypto_decode_653x4621.h deleted file mode 100644 index e010ce8b..00000000 --- a/crypto_kem/sntrup653/clean/crypto_decode_653x4621.h +++ /dev/null 
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_CLEAN_CRYPTO_DECODE_653X4621_H
-#define PQCLEAN_SNTRUP653_CLEAN_CRYPTO_DECODE_653X4621_H
-
-#include
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653x4621_STRBYTES 994
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653x4621_ITEMS 653
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653x4621_ITEMBYTES 2
-
-void PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653x4621(void *v, const unsigned char *s);
-#endif
diff --git a/crypto_kem/sntrup653/clean/crypto_decode_653xint16.c b/crypto_kem/sntrup653/clean/crypto_decode_653xint16.c
deleted file mode 100644
index 33aea66a..00000000
--- a/crypto_kem/sntrup653/clean/crypto_decode_653xint16.c
+++ /dev/null
@@ -1,15 +0,0 @@
-#include "crypto_decode_653xint16.h"
-
-
-void PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653xint16(void *v, const unsigned char *s) {
- uint16_t *x = v;
- int i;
-
- for (i = 0; i < 653; ++i) {
- uint16_t u0 = s[0];
- uint16_t u1 = s[1];
- *x = (uint16_t) (u0 | (u1 << 8));
- x += 1;
- s += 2;
- }
-}
diff --git a/crypto_kem/sntrup653/clean/crypto_decode_653xint16.h b/crypto_kem/sntrup653/clean/crypto_decode_653xint16.h
deleted file mode 100644
index 7aa7568c..00000000
--- a/crypto_kem/sntrup653/clean/crypto_decode_653xint16.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_CLEAN_CRYPTO_DECODE_653XINT16_H
-#define PQCLEAN_SNTRUP653_CLEAN_CRYPTO_DECODE_653XINT16_H
-
-#include
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653xint16_STRBYTES 1306
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653xint16_ITEMBYTES 2
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653xint16_ITEMS 653
-
-void PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653xint16(void *v, const unsigned char *s);
-#endif
diff --git a/crypto_kem/sntrup653/clean/crypto_decode_653xint32.c b/crypto_kem/sntrup653/clean/crypto_decode_653xint32.c
deleted file mode 100644
index fc128fdf..00000000
--- a/crypto_kem/sntrup653/clean/crypto_decode_653xint32.c
+++ /dev/null
@@ -1,20 +0,0 @@
-#include "crypto_decode_653xint32.h"
-
-
-void PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653xint32(void *v, const unsigned char *s) {
- uint32_t *x = v;
- int i;
-
- for (i = 0; i < 653; ++i) {
- uint32_t u0 = s[0];
- uint32_t u1 = s[1];
- uint32_t u2 = s[2];
- uint32_t u3 = s[3];
- u1 <<= 8;
- u2 <<= 16;
- u3 <<= 24;
- *x = u0 | u1 | u2 | u3;
- x += 1;
- s += 4;
- }
-}
diff --git a/crypto_kem/sntrup653/clean/crypto_decode_653xint32.h b/crypto_kem/sntrup653/clean/crypto_decode_653xint32.h
deleted file mode 100644
index aa1c19e8..00000000
--- a/crypto_kem/sntrup653/clean/crypto_decode_653xint32.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_CLEAN_CRYPTO_DECODE_653XINT32_H
-#define PQCLEAN_SNTRUP653_CLEAN_CRYPTO_DECODE_653XINT32_H
-
-#include
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653xint32_STRBYTES 2612
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653xint32_ITEMBYTES 4
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653xint32_ITEMS 653
-
-void PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653xint32(void *v, const unsigned char *s);
-#endif
diff --git a/crypto_kem/sntrup653/clean/crypto_encode_653x1541.c b/crypto_kem/sntrup653/clean/crypto_encode_653x1541.c
deleted file mode 100644
index f5b169a0..00000000
--- a/crypto_kem/sntrup653/clean/crypto_encode_653x1541.c
+++ /dev/null
@@ -1,127 +0,0 @@ -#include "crypto_encode_653x1541.h" - -/* auto-generated; do not edit */ - -#define int16 int16_t -#define uint16 uint16_t -#define uint32 uint32_t - -void PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653x1541(unsigned char *out, const void *v) { - const int16 *R0 = v; - /* XXX: caller could overlap R with input */ - uint16 R[327]; - long i; - uint16 r0, r1; - uint32 r2; - - for (i = 0; i < 326; ++i) { - r0 = (uint16) ((((R0[2 * i] + 2310) & 16383) * 10923) >> 15); - r1 = (uint16) ((((R0[2 * i + 1] + 2310) & 16383) * 10923) >> 15); - r2 = r0 + r1 * (uint32)1541; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[326] = (uint16) ((((R0[652] + 2310) & 16383) * 10923) >> 15); - - for (i = 0; i < 163; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)9277; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[163] = R[326]; - - for (i = 0; i < 82; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)1314; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - - for (i = 0; i < 41; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)6745; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - - for (i = 0; i < 20; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)695; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[20] = R[40]; - - for (i = 0; i < 10; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)1887; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[10] = R[20]; - - for (i = 0; i < 5; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)13910; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[5] = R[10]; - - for (i = 0; i < 2; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - 
r2 = r0 + r1 * (uint32)2953; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - r0 = R[4]; - r1 = R[5]; - r2 = r0 + r1 * (uint32)2953; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[2] = (uint16) r2; - - r0 = R[0]; - r1 = R[1]; - r2 = r0 + r1 * (uint32)134; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[0] = (uint16) r2; - R[1] = R[2]; - - r0 = R[0]; - r1 = R[1]; - r2 = r0 + r1 * (uint32)71; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[0] = (uint16) r2; - - r0 = R[0]; - *out++ = (unsigned char) r0; - r0 >>= 8; - *out++ = (unsigned char) r0; -} diff --git a/crypto_kem/sntrup653/clean/crypto_encode_653x1541.h b/crypto_kem/sntrup653/clean/crypto_encode_653x1541.h deleted file mode 100644 index d99ce72f..00000000 --- a/crypto_kem/sntrup653/clean/crypto_encode_653x1541.h +++ /dev/null @@ -1,10 +0,0 @@ -#ifndef PQCLEAN_SNTRUP653_CLEAN_CRYPTO_ENCODE_653X1541_H -#define PQCLEAN_SNTRUP653_CLEAN_CRYPTO_ENCODE_653X1541_H - -#include -#define PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653x1541_STRBYTES 865 -#define PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653x1541_ITEMS 653 -#define PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653x1541_ITEMBYTES 2 - -void PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653x1541(unsigned char *out, const void *v); -#endif diff --git a/crypto_kem/sntrup653/clean/crypto_encode_653x1541round.c b/crypto_kem/sntrup653/clean/crypto_encode_653x1541round.c deleted file mode 100644 index 34256ac3..00000000 --- a/crypto_kem/sntrup653/clean/crypto_encode_653x1541round.c +++ /dev/null @@ -1,17 +0,0 @@ -#include "crypto_encode_653x1541.h" -#include "crypto_encode_653x1541round.h" - -#define int16 int16_t - -#define p 653 - -void PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653x1541round(unsigned char *out, const void *v) { - const int16 *a = v; - int16 x[p]; - int i; - - for (i = 0; i < p; ++i) { - x[i] = (int16) (3 * ((10923 * a[i] + 16384) >> 15)); - } - PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653x1541(out, x); -} 
diff --git a/crypto_kem/sntrup653/clean/crypto_encode_653x1541round.h b/crypto_kem/sntrup653/clean/crypto_encode_653x1541round.h
deleted file mode 100644
index 11595feb..00000000
--- a/crypto_kem/sntrup653/clean/crypto_encode_653x1541round.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_CLEAN_CRYPTO_ENCODE_653X1541ROUND_H
-#define PQCLEAN_SNTRUP653_CLEAN_CRYPTO_ENCODE_653X1541ROUND_H
-
-#include
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653x1541round_STRBYTES 865
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653x1541round_ITEMS 653
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653x1541round_ITEMBYTES 2
-
-void PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653x1541round(unsigned char *out, const void *v);
-#endif
diff --git a/crypto_kem/sntrup653/clean/crypto_encode_653x3.c b/crypto_kem/sntrup653/clean/crypto_encode_653x3.c
deleted file mode 100644
index f6628a47..00000000
--- a/crypto_kem/sntrup653/clean/crypto_encode_653x3.c
+++ /dev/null
@@ -1,21 +0,0 @@
-#include "crypto_encode_653x3.h"
-
-#define uint8 uint8_t
-
-#define p 653
-
-void PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653x3(unsigned char *s, const void *v) {
- const uint8 *f = v;
- uint8 x;
- int i;
-
- for (i = 0; i < p / 4; ++i) {
- x = *f++ + 1;
- x += (*f++ + 1) << 2;
- x += (*f++ + 1) << 4;
- x += (*f++ + 1) << 6;
- *s++ = x;
- }
- x = *f++ + 1;
- *s++ = x;
-}
diff --git a/crypto_kem/sntrup653/clean/crypto_encode_653x3.h b/crypto_kem/sntrup653/clean/crypto_encode_653x3.h
deleted file mode 100644
index b3340bdd..00000000
--- a/crypto_kem/sntrup653/clean/crypto_encode_653x3.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_CLEAN_CRYPTO_ENCODE_653X3_H
-#define PQCLEAN_SNTRUP653_CLEAN_CRYPTO_ENCODE_653X3_H
-
-#include
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653x3_STRBYTES 164
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653x3_ITEMS 653
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653x3_ITEMBYTES 1
-
-void PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653x3(unsigned char *s, const void *v);
-#endif
diff --git a/crypto_kem/sntrup653/clean/crypto_encode_653x4621.c b/crypto_kem/sntrup653/clean/crypto_encode_653x4621.c
deleted file mode 100644
index 325c5c36..00000000
--- a/crypto_kem/sntrup653/clean/crypto_encode_653x4621.c
+++ /dev/null
@@ -1,127 +0,0 @@ -#include "crypto_encode_653x4621.h" - -/* auto-generated; do not edit */ - -#define int16 int16_t -#define uint16 uint16_t -#define uint32 uint32_t - -void PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653x4621(unsigned char *out, const void *v) { - const int16 *R0 = v; - /* XXX: caller could overlap R with input */ - uint16 R[327]; - long i; - uint16 r0, r1; - uint32 r2; - - for (i = 0; i < 326; ++i) { - r0 = (uint16) ((R0[2 * i] + 2310) & 16383); - r1 = (uint16) ((R0[2 * i + 1] + 2310) & 16383); - r2 = r0 + r1 * (uint32)4621; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[326] = (uint16) ((R0[652] + 2310) & 16383); - - for (i = 0; i < 163; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)326; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[163] = R[326]; - - for (i = 0; i < 82; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)416; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - - for (i = 0; i < 40; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)676; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - r0 = R[80]; - r1 = R[81]; - r2 = r0 + r1 * (uint32)676; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[40] = (uint16) r2; - - for (i = 0; i < 20; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)1786; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[20] = R[40]; - - for (i = 0; i < 10; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)12461; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[10] = R[20]; - - for (i = 0; i < 5; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)2370; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - 
R[i] = (uint16) r2; - } - R[5] = R[10]; - - for (i = 0; i < 3; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)86; - R[i] = (uint16) r2; - } - - r0 = R[0]; - r1 = R[1]; - r2 = r0 + r1 * (uint32)7396; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[0] = (uint16) r2; - R[1] = R[2]; - - r0 = R[0]; - r1 = R[1]; - r2 = r0 + r1 * (uint32)835; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[0] = (uint16) r2; - - r0 = R[0]; - *out++ = (unsigned char) r0; -} diff --git a/crypto_kem/sntrup653/clean/crypto_encode_653x4621.h b/crypto_kem/sntrup653/clean/crypto_encode_653x4621.h deleted file mode 100644 index bc0ffd44..00000000 --- a/crypto_kem/sntrup653/clean/crypto_encode_653x4621.h +++ /dev/null @@ -1,10 +0,0 @@ -#ifndef PQCLEAN_SNTRUP653_CLEAN_CRYPTO_ENCODE_653X4621_H -#define PQCLEAN_SNTRUP653_CLEAN_CRYPTO_ENCODE_653X4621_H - -#include -#define PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653x4621_STRBYTES 994 -#define PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653x4621_ITEMS 653 -#define PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653x4621_ITEMBYTES 2 - -void PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653x4621(unsigned char *out, const void *v); -#endif diff --git a/crypto_kem/sntrup653/clean/crypto_encode_653xfreeze3.c b/crypto_kem/sntrup653/clean/crypto_encode_653xfreeze3.c deleted file mode 100644 index 58ceed32..00000000 --- a/crypto_kem/sntrup653/clean/crypto_encode_653xfreeze3.c +++ /dev/null 
@@ -1,25 +0,0 @@
-#include "crypto_encode_653xfreeze3.h"
-
-#define int16 int16_t
-
-#define p 653
-
-/* valid inputs: -16384 <= x < 16384 */
-/* then 3 divides x-F3_freeze(x) */
-/* and F3_freeze(x) is in {-1,0,1} */
-
-/* all inputs: 3 divides x-F3_freeze(x) */
-/* and F3_freeze(x) is in {-2,-1,0,1,2} */
-
-static inline unsigned char F3_freeze(int16 x) {
- return (unsigned char) (x - 3 * ((10923 * x + 16384) >> 15));
-}
-
-void PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653xfreeze3(unsigned char *s, const void *v) {
- const int16 *r = v;
-
- int i;
- for (i = 0; i < p; ++i) {
- s[i] = F3_freeze(r[i]);
- }
-}
diff --git a/crypto_kem/sntrup653/clean/crypto_encode_653xfreeze3.h b/crypto_kem/sntrup653/clean/crypto_encode_653xfreeze3.h
deleted file mode 100644
index 2efc8170..00000000
--- a/crypto_kem/sntrup653/clean/crypto_encode_653xfreeze3.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_CLEAN_CRYPTO_ENCODE_653XFREEZE3_H
-#define PQCLEAN_SNTRUP653_CLEAN_CRYPTO_ENCODE_653XFREEZE3_H
-
-#include
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653xfreeze3_STRBYTES 653
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653xfreeze3_ITEMS 653
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653xfreeze3_ITEMBYTES 2
-
-void PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653xfreeze3(unsigned char *s, const void *v);
-#endif
diff --git a/crypto_kem/sntrup653/clean/crypto_encode_653xint16.c b/crypto_kem/sntrup653/clean/crypto_encode_653xint16.c
deleted file mode 100644
index d543b0c1..00000000
--- a/crypto_kem/sntrup653/clean/crypto_encode_653xint16.c
+++ /dev/null
@@ -1,13 +0,0 @@
-#include "crypto_encode_653xint16.h"
-
-
-void PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653xint16(unsigned char *s, const void *v) {
- const uint16_t *x = v;
- int i;
-
- for (i = 0; i < 653; ++i) {
- uint16_t u = *x++;
- *s++ = (unsigned char) u;
- *s++ = (unsigned char) (u >> 8);
- }
-}
diff --git a/crypto_kem/sntrup653/clean/crypto_encode_653xint16.h b/crypto_kem/sntrup653/clean/crypto_encode_653xint16.h
deleted file mode 100644
index a06da0aa..00000000
--- a/crypto_kem/sntrup653/clean/crypto_encode_653xint16.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_CLEAN_CRYPTO_ENCODE_653XINT16_H
-#define PQCLEAN_SNTRUP653_CLEAN_CRYPTO_ENCODE_653XINT16_H
-
-#include
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653xint16_STRBYTES 1306
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653xint16_ITEMBYTES 2
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653xint16_ITEMS 653
-
-void PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653xint16(unsigned char *s, const void *v);
-#endif
diff --git a/crypto_kem/sntrup653/clean/crypto_encode_int16.c b/crypto_kem/sntrup653/clean/crypto_encode_int16.c
deleted file mode 100644
index 36c5d9b4..00000000
--- a/crypto_kem/sntrup653/clean/crypto_encode_int16.c
+++ /dev/null
@@ -1,9 +0,0 @@
-#include "crypto_encode_int16.h"
-
-#define uint16 uint16_t
-
-void PQCLEAN_SNTRUP653_CLEAN_crypto_encode_int16(unsigned char *s, const void *x) {
- uint16 u = *(const uint16 *) x;
- s[0] = (unsigned char) u;
- s[1] = (unsigned char) (u >> 8);
-}
diff --git a/crypto_kem/sntrup653/clean/crypto_encode_int16.h b/crypto_kem/sntrup653/clean/crypto_encode_int16.h
deleted file mode 100644
index 27ce185f..00000000
--- a/crypto_kem/sntrup653/clean/crypto_encode_int16.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_CLEAN_CRYPTO_ENCODE_INT16_H
-#define PQCLEAN_SNTRUP653_CLEAN_CRYPTO_ENCODE_INT16_H
-
-#include
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_encode_int16_STRBYTES 2
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_encode_int16_ITEMBYTES 2
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_encode_int16_ITEMS 1
-
-void PQCLEAN_SNTRUP653_CLEAN_crypto_encode_int16(unsigned char *s, const void *x);
-#endif
diff --git a/crypto_kem/sntrup653/clean/crypto_sort_int32.c b/crypto_kem/sntrup653/clean/crypto_sort_int32.c
deleted file mode 100644
index e6fc17a5..00000000
--- a/crypto_kem/sntrup653/clean/crypto_sort_int32.c
+++ /dev/null
@@ -1,84 +0,0 @@
-#include "crypto_sort_int32.h"
-#include
-
-#define int32 int32_t
-
-#define int32_MINMAX(a,b) \
- do { \
- int32_t ab = (b) ^ (a); \
- int32_t c = (int32_t)((int64_t)(b) - (int64_t)(a)); \
- c ^= ab & (c ^ (b)); \
- c >>= 31; \
- c &= ab; \
- (a) ^= c; \
- (b) ^= c; \
- } while(0)
-
-/* assume 2 <= n <= 0x40000000 */
-void PQCLEAN_SNTRUP653_CLEAN_crypto_sort_int32(int32_t *x, long long n) {
- int32 top, p, q, r, i;
- long long j;
-
- top = 1;
- while (top < n - top) {
- top += top;
- }
-
- for (p = top; p >= 1; p >>= 1) {
- i = 0;
- while (i + 2 * p <= n) {
- for (j = i; j < i + p; ++j) {
- int32_MINMAX(x[j], x[j + p]);
- }
- i += 2 * p;
- }
- for (j = i; j < n - p; ++j) {
- int32_MINMAX(x[j], x[j + p]);
- }
-
- i = 0;
- j = 0;
- for (q = top; q > p; q >>= 1) {
- if (j != i) {
- for (;;) {
- if (j == n - q) {
- goto done;
- }
- int32 a = x[j + p];
- for (r = q; r > p; r >>= 1) {
- int32_MINMAX(a, x[j + r]);
- }
- x[j + p] = a;
- ++j;
- if (j == i + p) {
- i += 2 * p;
- break;
- }
- }
- }
- while (i + p <= n - q) {
- for (j = i; j < i + p; ++j) {
- int32 a = x[j + p];
- for (r = q; r > p; r >>= 1) {
- int32_MINMAX(a, x[j + r]);
- }
- x[j + p] = a;
- }
- i += 2 * p;
- }
- /* now i + p > n - q */
- j = i;
- while (j < n - q) {
- int32 a = x[j + p];
- for (r = q; r > p; r >>= 1) {
- int32_MINMAX(a, x[j + r]);
- }
- x[j + p] = a;
- ++j;
- }
-
-done:
- ;
- }
- }
-}
diff --git a/crypto_kem/sntrup653/clean/crypto_sort_int32.h b/crypto_kem/sntrup653/clean/crypto_sort_int32.h
deleted file mode 100644
index 1d3d27c3..00000000
--- a/crypto_kem/sntrup653/clean/crypto_sort_int32.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_CLEAN_CRYPTO_SORT_INT32_H
-#define PQCLEAN_SNTRUP653_CLEAN_CRYPTO_SORT_INT32_H
-
-#include
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_sort_int32_BYTES 4
-
-void PQCLEAN_SNTRUP653_CLEAN_crypto_sort_int32(int32_t *x, long long n);
-#endif
diff --git a/crypto_kem/sntrup653/clean/crypto_sort_uint32.c b/crypto_kem/sntrup653/clean/crypto_sort_uint32.c
deleted file mode 100644
index bc7bef6b..00000000
--- a/crypto_kem/sntrup653/clean/crypto_sort_uint32.c
+++ /dev/null
@@ -1,18 +0,0 @@
-#include "crypto_sort_int32.h"
-#include "crypto_sort_uint32.h"
-
-
-/* can save time by vectorizing xor loops */
-/* can save time by integrating xor loops with int32_sort */
-
-void PQCLEAN_SNTRUP653_CLEAN_crypto_sort_uint32(void *array, long long n) {
- uint32_t *x = array;
- long long j;
- for (j = 0; j < n; ++j) {
- x[j] ^= 0x80000000;
- }
- PQCLEAN_SNTRUP653_CLEAN_crypto_sort_int32((int32_t *)array, n);
- for (j = 0; j < n; ++j) {
- x[j] ^= 0x80000000;
- }
-}
diff --git a/crypto_kem/sntrup653/clean/crypto_sort_uint32.h b/crypto_kem/sntrup653/clean/crypto_sort_uint32.h
deleted file mode 100644
index 0092808a..00000000
--- a/crypto_kem/sntrup653/clean/crypto_sort_uint32.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_CLEAN_CRYPTO_SORT_UINT32_H
-#define PQCLEAN_SNTRUP653_CLEAN_CRYPTO_SORT_UINT32_H
-
-#include
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_sort_uint32_BYTES 4
-
-void PQCLEAN_SNTRUP653_CLEAN_crypto_sort_uint32(void *array, long long n);
-#endif
diff --git a/crypto_kem/sntrup653/clean/crypto_stream_aes256ctr.c b/crypto_kem/sntrup653/clean/crypto_stream_aes256ctr.c
deleted file mode 100644
index 61f66408..00000000
--- a/crypto_kem/sntrup653/clean/crypto_stream_aes256ctr.c
+++ /dev/null
@@ -1,15 +0,0 @@
-#include "crypto_stream_aes256ctr.h"
-
-
-int PQCLEAN_SNTRUP653_CLEAN_crypto_stream_aes256ctr(
- uint8_t *out,
- size_t outlen,
- const uint8_t nonce[AESCTR_NONCEBYTES],
- const uint8_t key[AES256_KEYBYTES]) {
-
- aes256ctx state;
- aes256_ctr_keyexp(&state, key);
- aes256_ctr(out, outlen, nonce, &state);
- aes256_ctx_release(&state);
- return 0;
-}
diff --git a/crypto_kem/sntrup653/clean/crypto_stream_aes256ctr.h b/crypto_kem/sntrup653/clean/crypto_stream_aes256ctr.h
deleted file mode 100644
index cdd53214..00000000
--- a/crypto_kem/sntrup653/clean/crypto_stream_aes256ctr.h
+++ /dev/null
@@ -1,15 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_CLEAN_CRYPTO_STREAM_AES256CTR_H
-#define PQCLEAN_SNTRUP653_CLEAN_CRYPTO_STREAM_AES256CTR_H
-#include "aes.h"
-#include
-#include
-
-
-
-int PQCLEAN_SNTRUP653_CLEAN_crypto_stream_aes256ctr(
- uint8_t *out,
- size_t outlen,
- const uint8_t nonce[AESCTR_NONCEBYTES],
- const uint8_t key[AES256_KEYBYTES]);
-
-#endif
diff --git a/crypto_kem/sntrup653/clean/crypto_verify_897.c b/crypto_kem/sntrup653/clean/crypto_verify_897.c
deleted file mode 100644
index 66b2756e..00000000
--- a/crypto_kem/sntrup653/clean/crypto_verify_897.c
+++ /dev/null
@@ -1,13 +0,0 @@
-#include "crypto_verify_897.h"
-
-
-int PQCLEAN_SNTRUP653_CLEAN_crypto_verify_897(const unsigned char *x, const unsigned char *y) {
- unsigned int differentbits = 0;
- int i;
-
- for (i = 0; i < PQCLEAN_SNTRUP653_CLEAN_crypto_verify_897_BYTES; ++i) {
- differentbits |= x[i] ^ y[i];
- }
-
- return (int) (1 & ((differentbits - 1) >> 8)) - 1;
-}
diff --git a/crypto_kem/sntrup653/clean/crypto_verify_897.h b/crypto_kem/sntrup653/clean/crypto_verify_897.h
deleted file mode 100644
index b51896b5..00000000
--- a/crypto_kem/sntrup653/clean/crypto_verify_897.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef PQCLEAN_SNTRUP653_CLEAN_CRYPTO_VERIFY_897_H
-#define PQCLEAN_SNTRUP653_CLEAN_CRYPTO_VERIFY_897_H
-
-#include
-#define PQCLEAN_SNTRUP653_CLEAN_crypto_verify_897_BYTES 897
-
-int PQCLEAN_SNTRUP653_CLEAN_crypto_verify_897(const unsigned char *x, const unsigned char *y);
-#endif
diff --git a/crypto_kem/sntrup653/clean/kem.c b/crypto_kem/sntrup653/clean/kem.c
deleted file mode 100644
index c5b3052a..00000000
--- a/crypto_kem/sntrup653/clean/kem.c
+++ /dev/null
@@ -1,247 +0,0 @@ -#include "api.h" -#include "crypto_sort_uint32.h" -#include "params.h" -#include "randombytes.h" -#include "sha2.h" - - - -#define int8 int8_t -#define int16 int16_t -#define int32 int32_t -#define uint16 uint16_t -#define uint32 uint32_t - -/* ----- arithmetic mod 3 */ - -typedef int8 small; -/* F3 is always represented as -1,0,1 */ - -/* ----- arithmetic mod q */ - -typedef int16 Fq; -/* always represented as -(q-1)/2...(q-1)/2 */ - -/* ----- small polynomials */ - -/* R3_fromR(R_fromRq(r)) */ -static void R3_fromRq(small *out, const Fq *r) { - crypto_encode_pxfreeze3((unsigned char *) out, (unsigned char *) r); -} - -/* h = f*g in the ring R3 */ -static void R3_mult(small *h, const small *f, const small *g) { - crypto_core_mult3((unsigned char *) h, (const unsigned char *) f, (const unsigned char *) g); -} - -/* ----- polynomials mod q */ - -/* h = h*g in the ring Rq */ -static void Rq_mult_small(Fq *h, const small *g) { - crypto_encode_pxint16((unsigned char *) h, h); - crypto_core_mult((unsigned char *) h, (const unsigned char *) h, (const unsigned char *) g); - crypto_decode_pxint16(h, (const unsigned char *) h); -} - -/* h = 3f in Rq */ -static void Rq_mult3(Fq *h, const Fq *f) { - crypto_encode_pxint16((unsigned char *) h, f); - crypto_core_scale3((unsigned char *) h, (const unsigned char *) h); - crypto_decode_pxint16(h, (const unsigned char *) h); -} - -/* out = 1/(3*in) in Rq */ -/* caller must have 2p+1 bytes free in out, not just 2p */ -static void Rq_recip3(Fq *out, const small *in) { - crypto_core_inv((unsigned char *) out, (const unsigned char *) in); - /* could check byte 2*p for failure; but, in context, inv always works */ - crypto_decode_pxint16(out, (unsigned char *) out); -} - -/* ----- underlying hash function */ - -#define Hash_bytes 32 - -static void Hash(unsigned char *out, const unsigned char *in, int inlen) { - unsigned char h[64]; - int i; - sha512(h, in, (size_t) inlen); - for (i = 0; i < 32; ++i) { - out[i] = h[i]; 
- } -} - -/* ----- higher-level randomness */ - -static void Short_random(small *out) { - uint32 L[ppadsort]; - int i; - - randombytes((unsigned char *) L, 4 * p); - crypto_decode_pxint32(L, (unsigned char *) L); - for (i = 0; i < w; ++i) { - L[i] = L[i] & (uint32) - 2; - } - for (i = w; i < p; ++i) { - L[i] = (L[i] & (uint32) - 3) | 1; - } - for (i = p; i < ppadsort; ++i) { - L[i] = 0xffffffff; - } - PQCLEAN_SNTRUP653_CLEAN_crypto_sort_uint32(L, ppadsort); - for (i = 0; i < p; ++i) { - out[i] = (small) ((L[i] & 3) - 1); - } -} - -static void Small_random(small *out) { - uint32 L[p]; - int i; - - randombytes((unsigned char *) L, sizeof L); - crypto_decode_pxint32(L, (unsigned char *) L); - for (i = 0; i < p; ++i) { - out[i] = (small) ((((L[i] & 0x3fffffff) * 3) >> 30) - 1); - } -} - -/* ----- Streamlined NTRU Prime */ - -typedef small Inputs[p]; /* passed by reference */ -#define Ciphertexts_bytes Rounded_bytes -#define SecretKeys_bytes (2*Small_bytes) -#define PublicKeys_bytes Rq_bytes -#define Confirm_bytes 32 - -/* c,r_enc[1:] = Hide(r,pk,cache); cache is Hash4(pk) */ -/* also set r_enc[0]=3 */ -/* also set x[0]=2, and x[1:1+Hash_bytes] = Hash3(r_enc) */ -/* also overwrite x[1+Hash_bytes:1+2*Hash_bytes] */ -static void Hide(unsigned char *x, unsigned char *c, unsigned char *r_enc, const Inputs r, const unsigned char *pk, const unsigned char *cache) { - Fq h[p]; - int i; - - Small_encode(r_enc + 1, r); - Rq_decode(h, pk); - Rq_mult_small(h, r); - Round_and_encode(c, h); - r_enc[0] = 3; - Hash(x + 1, r_enc, 1 + Small_bytes); - for (i = 0; i < Hash_bytes; ++i) { - x[1 + Hash_bytes + i] = cache[i]; - } - x[0] = 2; - Hash(c + Ciphertexts_bytes, x, 1 + Hash_bytes * 2); -} - - -int PQCLEAN_SNTRUP653_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { - small g[p]; - for (;;) { - Small_random(g); - { - small v[p + 1]; - crypto_core_inv3((unsigned char *) v, (const unsigned char *) g); - if (v[p] == 0) { - Small_encode(sk + Small_bytes, v); - break; - } - } 
- } - { - small f[p]; - Short_random(f); - Small_encode(sk, f); - { - Fq h[p + 1]; - Rq_recip3(h, f); /* always works */ - Rq_mult_small(h, g); - Rq_encode(pk, h); - } - } - { - int i; - unsigned char sksave = sk[SecretKeys_bytes - 1]; - for (i = 0; i < PublicKeys_bytes; ++i) { - sk[SecretKeys_bytes + i] = pk[i]; - } - sk[SecretKeys_bytes - 1] = 4; - Hash(sk + SecretKeys_bytes + PublicKeys_bytes + Small_bytes, sk + SecretKeys_bytes - 1, 1 + PublicKeys_bytes); - sk[SecretKeys_bytes - 1] = sksave; - randombytes(sk + SecretKeys_bytes + PublicKeys_bytes, Small_bytes); - } - return 0; -} - -int PQCLEAN_SNTRUP653_CLEAN_crypto_kem_enc(unsigned char *c, unsigned char *k, const unsigned char *pk) { - unsigned char cache[Hash_bytes]; - int i; - { - unsigned char y[1 + PublicKeys_bytes]; /* XXX: can eliminate with incremental hashing */ - for (i = 0; i < PublicKeys_bytes; ++i) { - y[1 + i] = pk[i]; - } - y[0] = 4; - Hash(cache, y, sizeof y); - } - { - Inputs r; - Short_random(r); - { - unsigned char r_enc[Small_bytes + 1]; - unsigned char x[1 + Hash_bytes + Ciphertexts_bytes + Confirm_bytes]; - Hide(x, c, r_enc, r, pk, cache); - for (i = 0; i < Ciphertexts_bytes + Confirm_bytes; ++i) { - x[1 + Hash_bytes + i] = c[i]; - } - x[0] = 1; - Hash(k, x, sizeof x); - } - } - return 0; -} - -int PQCLEAN_SNTRUP653_CLEAN_crypto_kem_dec(unsigned char *k, const unsigned char *c, const unsigned char *sk) { - const unsigned char *pk = sk + SecretKeys_bytes; - const unsigned char *rho = pk + PublicKeys_bytes; - const unsigned char *cache = rho + Small_bytes; - int mask, i; - Inputs r; - { - Fq d[p]; - Rounded_decode(d, c); - { - small f[p]; - Small_decode(f, sk); - Rq_mult_small(d, f); - Rq_mult3(d, d); - } - { - small e[p]; - small v[p]; - R3_fromRq(e, d); - Small_decode(v, sk + Small_bytes); - R3_mult(r, e, v); - } - crypto_core_wforce((unsigned char *) r, (unsigned char *) r); - } - { - unsigned char r_enc[1 + Small_bytes]; - unsigned char cnew[Ciphertexts_bytes + Confirm_bytes]; - 
unsigned char x[1 + Hash_bytes + Ciphertexts_bytes + Confirm_bytes]; - /* XXX: can use incremental hashing to reduce x size */ - - Hide(x, cnew, r_enc, r, pk, cache); - mask = crypto_verify_clen(c, cnew); - for (i = 0; i < Small_bytes; ++i) { - r_enc[i + 1] ^= (unsigned char) (mask & (r_enc[i + 1] ^ rho[i])); - } - Hash(x + 1, r_enc, 1 + Small_bytes); /* XXX: can instead do cmov on cached hash of rho */ - for (i = 0; i < Ciphertexts_bytes + Confirm_bytes; ++i) { - x[1 + Hash_bytes + i] = c[i]; - } - x[0] = (unsigned char) (1 + mask); - Hash(k, x, sizeof x); - } - return 0; -} diff --git a/crypto_kem/sntrup653/clean/params.h b/crypto_kem/sntrup653/clean/params.h deleted file mode 100644 index b3c31f4e..00000000 --- a/crypto_kem/sntrup653/clean/params.h +++ /dev/null 
@@ -1,70 +0,0 @@
-#ifndef params_H
-#define params_H
-#include "crypto_core_inv3sntrup653.h"
-#include "crypto_core_invsntrup653.h"
-#include "crypto_core_mult3sntrup653.h"
-#include "crypto_core_multsntrup653.h"
-#include "crypto_core_scale3sntrup653.h"
-#include "crypto_core_weightsntrup653.h"
-#include "crypto_core_wforcesntrup653.h"
-#include "crypto_decode_653x1541.h"
-#include "crypto_decode_653x3.h"
-#include "crypto_decode_653x4621.h"
-#include "crypto_decode_653xint16.h"
-#include "crypto_decode_653xint32.h"
-#include "crypto_encode_653x1541.h"
-#include "crypto_encode_653x1541round.h"
-#include "crypto_encode_653x3.h"
-#include "crypto_encode_653x4621.h"
-#include "crypto_encode_653xfreeze3.h"
-#include "crypto_encode_653xint16.h"
-#include "crypto_encode_int16.h"
-#include "crypto_sort_int32.h"
-#include "crypto_sort_uint32.h"
-#include "crypto_verify_897.h"
-
-
-#define q27 29045 /* closest integer to 2^27/q */
-#define q18 57 /* closest integer to 2^18/q */
-#define p 653
-#define q 4621
-#define w 288
-
-#define ppadsort 653
-
-#define crypto_verify_clen PQCLEAN_SNTRUP653_CLEAN_crypto_verify_897
-
-#define Rq_bytes PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653x4621_STRBYTES
-#define Rq_encode PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653x4621
-#define Rq_decode PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653x4621
-
-#define Rounded_bytes PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653x1541_STRBYTES
-#define Rounded_decode PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653x1541
-
-#define Round_and_encode PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653x1541round
-
-#define Small_bytes PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653x3_STRBYTES
-#define Small_encode PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653x3
-#define Small_decode PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653x3
-
-#define crypto_encode_pxfreeze3 PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653xfreeze3
-
-#define crypto_decode_pxint32 PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653xint32
-
-#define crypto_decode_pxint16
PQCLEAN_SNTRUP653_CLEAN_crypto_decode_653xint16
-
-#define crypto_encode_pxint16 PQCLEAN_SNTRUP653_CLEAN_crypto_encode_653xint16
-
-#define crypto_core_wforce PQCLEAN_SNTRUP653_CLEAN_crypto_core_wforcesntrup653
-
-#define crypto_core_scale3 PQCLEAN_SNTRUP653_CLEAN_crypto_core_scale3sntrup653
-
-#define crypto_core_inv PQCLEAN_SNTRUP653_CLEAN_crypto_core_invsntrup653
-
-#define crypto_core_inv3 PQCLEAN_SNTRUP653_CLEAN_crypto_core_inv3sntrup653
-
-#define crypto_core_mult PQCLEAN_SNTRUP653_CLEAN_crypto_core_multsntrup653
-
-#define crypto_core_mult3 PQCLEAN_SNTRUP653_CLEAN_crypto_core_mult3sntrup653
-
-#endif
diff --git a/crypto_kem/sntrup761/META.yml b/crypto_kem/sntrup761/META.yml
deleted file mode 100644
index 6f383db4..00000000
--- a/crypto_kem/sntrup761/META.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-name: sntrup761
-type: kem
-claimed-nist-level: 3
-claimed-security: IND-CCA2
-length-public-key: 1158
-length-secret-key: 1763
-length-ciphertext: 1039
-length-shared-secret: 32
-nistkat-sha256: afc42c3a5b10f4ef69654250097ebda9b9564570f4086744b24a6daf2bd1f89a
-principal-submitters:
- - Daniel J. Bernstein
- - Chitchanok Chuengsatiansup
- - Tanja Lange
- - Christine van Vredendaal
-implementations:
- - name: clean
- version: supercop-20200826
- - name: avx2
- version: supercop-20200826
- supported_platforms:
- - architecture: x86_64
- operating_systems:
- - Linux
- - Darwin
- required_flags:
- - avx2
diff --git a/crypto_kem/sntrup761/avx2/LICENSE b/crypto_kem/sntrup761/avx2/LICENSE
deleted file mode 100644
index d5d21fff..00000000
--- a/crypto_kem/sntrup761/avx2/LICENSE
+++ /dev/null
@@ -1 +0,0 @@
-Public Domain
diff --git a/crypto_kem/sntrup761/avx2/api.h b/crypto_kem/sntrup761/avx2/api.h
deleted file mode 100644
index afefdc16..00000000
--- a/crypto_kem/sntrup761/avx2/api.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_AVX2_API_H
-#define PQCLEAN_SNTRUP761_AVX2_API_H
-
-
-
-#define PQCLEAN_SNTRUP761_AVX2_CRYPTO_ALGNAME "sntrup761"
-
-#define PQCLEAN_SNTRUP761_AVX2_CRYPTO_SECRETKEYBYTES 1763
-#define PQCLEAN_SNTRUP761_AVX2_CRYPTO_PUBLICKEYBYTES 1158
-#define PQCLEAN_SNTRUP761_AVX2_CRYPTO_CIPHERTEXTBYTES 1039
-#define PQCLEAN_SNTRUP761_AVX2_CRYPTO_BYTES 32
-
-int PQCLEAN_SNTRUP761_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk);
-int PQCLEAN_SNTRUP761_AVX2_crypto_kem_enc(unsigned char *c, unsigned char *k, const unsigned char *pk);
-int PQCLEAN_SNTRUP761_AVX2_crypto_kem_dec(unsigned char *k, const unsigned char *c, const unsigned char *sk);
-#endif
diff --git a/crypto_kem/sntrup761/avx2/crypto_core_inv3sntrup761.c b/crypto_kem/sntrup761/avx2/crypto_core_inv3sntrup761.c
deleted file mode 100644
index 03c327eb..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_core_inv3sntrup761.c
+++ /dev/null
@@ -1,542 +0,0 @@ -#include "crypto_core_inv3sntrup761.h" -#include - - -#define int8 int8_t -typedef int8 small; - -#define p 761 -#define ppad 768 -#define numvec 3 - -typedef __m256i vec256; - -/* -This code stores 768-coeff poly as vec256[3]. -Order of 256 coefficients in each vec256 -is optimized in light of costs of vector instructions: - 0,4,...,252 in 64-bit word; - 1,5,...,253 in 64-bit word; - 2,6,...,254 in 64-bit word; - 3,7,...,255 in 64-bit word. -*/ - -static inline void vec256_frombits(vec256 *v, const small *b) { - int i; - - for (i = 0; i < numvec; ++i) { - vec256 b0 = _mm256_loadu_si256((vec256 *) b); - b += 32; /* 0,1,...,31 */ - vec256 b1 = _mm256_loadu_si256((vec256 *) b); - b += 32; /* 32,33,... */ - vec256 b2 = _mm256_loadu_si256((vec256 *) b); - b += 32; - vec256 b3 = _mm256_loadu_si256((vec256 *) b); - b += 32; - vec256 b4 = _mm256_loadu_si256((vec256 *) b); - b += 32; - vec256 b5 = _mm256_loadu_si256((vec256 *) b); - b += 32; - vec256 b6 = _mm256_loadu_si256((vec256 *) b); - b += 32; - vec256 b7 = _mm256_loadu_si256((vec256 *) b); - b += 32; - - vec256 c0 = _mm256_unpacklo_epi32(b0, b1); /* 0 1 2 3 32 33 34 35 4 5 6 7 36 37 38 39 ... 55 */ - vec256 c1 = _mm256_unpackhi_epi32(b0, b1); /* 8 9 10 11 40 41 42 43 ... 
63 */ - vec256 c2 = _mm256_unpacklo_epi32(b2, b3); - vec256 c3 = _mm256_unpackhi_epi32(b2, b3); - vec256 c4 = _mm256_unpacklo_epi32(b4, b5); - vec256 c5 = _mm256_unpackhi_epi32(b4, b5); - vec256 c6 = _mm256_unpacklo_epi32(b6, b7); - vec256 c7 = _mm256_unpackhi_epi32(b6, b7); - - vec256 d0 = c0 | _mm256_slli_epi32(c1, 2); /* 0 8, 1 9, 2 10, 3 11, 32 40, 33 41, ..., 55 63 */ - vec256 d2 = c2 | _mm256_slli_epi32(c3, 2); - vec256 d4 = c4 | _mm256_slli_epi32(c5, 2); - vec256 d6 = c6 | _mm256_slli_epi32(c7, 2); - - vec256 e0 = _mm256_unpacklo_epi64(d0, d2); - vec256 e2 = _mm256_unpackhi_epi64(d0, d2); - vec256 e4 = _mm256_unpacklo_epi64(d4, d6); - vec256 e6 = _mm256_unpackhi_epi64(d4, d6); - - vec256 f0 = e0 | _mm256_slli_epi32(e2, 1); - vec256 f4 = e4 | _mm256_slli_epi32(e6, 1); - - vec256 g0 = _mm256_permute2x128_si256(f0, f4, 0x20); - vec256 g4 = _mm256_permute2x128_si256(f0, f4, 0x31); - - vec256 h = g0 | _mm256_slli_epi32(g4, 4); - -#define TRANSPOSE _mm256_set_epi8( 31,27,23,19, 30,26,22,18, 29,25,21,17, 28,24,20,16, 15,11,7,3, 14,10,6,2, 13,9,5,1, 12,8,4,0 ) - h = _mm256_shuffle_epi8(h, TRANSPOSE); - h = _mm256_permute4x64_epi64(h, 0xd8); - h = _mm256_shuffle_epi32(h, 0xd8); - - *v++ = h; - } -} - -static inline void vec256_tobits(const vec256 *v, small *b) { - int i; - - for (i = 0; i < numvec; ++i) { - vec256 h = *v++; - - h = _mm256_shuffle_epi32(h, 0xd8); - h = _mm256_permute4x64_epi64(h, 0xd8); - h = _mm256_shuffle_epi8(h, TRANSPOSE); - - vec256 g0 = h & _mm256_set1_epi8(15); - vec256 g4 = _mm256_srli_epi32(h, 4) & _mm256_set1_epi8(15); - - vec256 f0 = _mm256_permute2x128_si256(g0, g4, 0x20); - vec256 f4 = _mm256_permute2x128_si256(g0, g4, 0x31); - - vec256 e0 = f0 & _mm256_set1_epi8(5); - vec256 e2 = _mm256_srli_epi32(f0, 1) & _mm256_set1_epi8(5); - vec256 e4 = f4 & _mm256_set1_epi8(5); - vec256 e6 = _mm256_srli_epi32(f4, 1) & _mm256_set1_epi8(5); - - vec256 d0 = _mm256_unpacklo_epi32(e0, e2); - vec256 d2 = _mm256_unpackhi_epi32(e0, e2); - vec256 d4 = 
_mm256_unpacklo_epi32(e4, e6); - vec256 d6 = _mm256_unpackhi_epi32(e4, e6); - - vec256 c0 = d0 & _mm256_set1_epi8(1); - vec256 c1 = _mm256_srli_epi32(d0, 2) & _mm256_set1_epi8(1); - vec256 c2 = d2 & _mm256_set1_epi8(1); - vec256 c3 = _mm256_srli_epi32(d2, 2) & _mm256_set1_epi8(1); - vec256 c4 = d4 & _mm256_set1_epi8(1); - vec256 c5 = _mm256_srli_epi32(d4, 2) & _mm256_set1_epi8(1); - vec256 c6 = d6 & _mm256_set1_epi8(1); - vec256 c7 = _mm256_srli_epi32(d6, 2) & _mm256_set1_epi8(1); - - vec256 b0 = _mm256_unpacklo_epi64(c0, c1); - vec256 b1 = _mm256_unpackhi_epi64(c0, c1); - vec256 b2 = _mm256_unpacklo_epi64(c2, c3); - vec256 b3 = _mm256_unpackhi_epi64(c2, c3); - vec256 b4 = _mm256_unpacklo_epi64(c4, c5); - vec256 b5 = _mm256_unpackhi_epi64(c4, c5); - vec256 b6 = _mm256_unpacklo_epi64(c6, c7); - vec256 b7 = _mm256_unpackhi_epi64(c6, c7); - - _mm256_storeu_si256((vec256 *) b, b0); - b += 32; - _mm256_storeu_si256((vec256 *) b, b1); - b += 32; - _mm256_storeu_si256((vec256 *) b, b2); - b += 32; - _mm256_storeu_si256((vec256 *) b, b3); - b += 32; - _mm256_storeu_si256((vec256 *) b, b4); - b += 32; - _mm256_storeu_si256((vec256 *) b, b5); - b += 32; - _mm256_storeu_si256((vec256 *) b, b6); - b += 32; - _mm256_storeu_si256((vec256 *) b, b7); - b += 32; - } -} - -static void vec256_init(vec256 *G0, vec256 *G1, const small *s) { - int i; - small srev[ppad + (ppad - p)]; - small si; - small g0[ppad]; - small g1[ppad]; - - for (i = 0; i < p; ++i) { - srev[ppad - 1 - i] = s[i]; - } - for (i = 0; i < ppad - p; ++i) { - srev[i] = 0; - } - for (i = p; i < ppad; ++i) { - srev[i + ppad - p] = 0; - } - - for (i = 0; i < ppad; ++i) { - si = srev[i + ppad - p]; - g0[i] = si & 1; - g1[i] = (si >> 1) & g0[i]; - } - - vec256_frombits(G0, g0); - vec256_frombits(G1, g1); -} - -static void vec256_final(small *out, const vec256 *V0, const vec256 *V1) { - int i; - small v0[ppad]; - small v1[ppad]; - small v[ppad]; - small vrev[ppad + (ppad - p)]; - - vec256_tobits(V0, v0); - vec256_tobits(V1, 
v1); - - for (i = 0; i < ppad; ++i) { - v[i] = (small) (v0[i] + 2 * v1[i] - 4 * (v0[i] & v1[i])); - } - - for (i = 0; i < ppad; ++i) { - vrev[i] = v[ppad - 1 - i]; - } - for (i = ppad; i < ppad + (ppad - p); ++i) { - vrev[i] = 0; - } - - for (i = 0; i < p; ++i) { - out[i] = vrev[i + ppad - p]; - } -} - -static inline int negative_mask(int x) { - return x >> 31; -} - -static inline void vec256_swap(vec256 *f, vec256 *g, int len, vec256 mask) { - vec256 flip; - int i; - - for (i = 0; i < len; ++i) { - flip = mask & (f[i] ^ g[i]); - f[i] ^= flip; - g[i] ^= flip; - } -} - -static inline void vec256_scale(vec256 *f0, vec256 *f1, const vec256 c0, const vec256 c1) { - int i; - - for (i = 0; i < numvec; ++i) { - vec256 f0i = f0[i]; - vec256 f1i = f1[i]; - - f0i &= c0; - f1i ^= c1; - f1i &= f0i; - - f0[i] = f0i; - f1[i] = f1i; - } -} - -static inline void vec256_eliminate(vec256 *f0, vec256 *f1, vec256 *g0, vec256 *g1, int len, const vec256 c0, const vec256 c1) { - int i; - - for (i = 0; i < len; ++i) { - vec256 f0i = f0[i]; - vec256 f1i = f1[i]; - vec256 g0i = g0[i]; - vec256 g1i = g1[i]; - vec256 t; - - f0i &= c0; - f1i ^= c1; - f1i &= f0i; - - t = g0i ^ f0i; - g0[i] = t | (g1i ^ f1i); - g1[i] = (g1i ^ f0i) & (f1i ^ t); - } -} - -static inline int vec256_bit0mask(vec256 *f) { - return -(_mm_cvtsi128_si32(_mm256_castsi256_si128(f[0])) & 1); -} - -static inline void vec256_divx_1(vec256 *f) { - vec256 f0 = f[0]; - - unsigned long long low0 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f0)); - - low0 = low0 >> 1; - - f0 = _mm256_blend_epi32(f0, _mm256_set_epi64x(0, 0, 0, (long long) low0), 0x3); - - f[0] = _mm256_permute4x64_epi64(f0, 0x39); -} - -static inline void vec256_divx_2(vec256 *f) { - vec256 f0 = f[0]; - vec256 f1 = f[1]; - - unsigned long long low0 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f0)); - unsigned long long low1 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f1)); - - low0 = (low0 >> 1) | (low1 << 
63);
- low1 = low1 >> 1;
-
- f0 = _mm256_blend_epi32(f0, _mm256_set_epi64x(0, 0, 0, (long long) low0), 0x3);
- f1 = _mm256_blend_epi32(f1, _mm256_set_epi64x(0, 0, 0, (long long) low1), 0x3);
-
- f[0] = _mm256_permute4x64_epi64(f0, 0x39);
- f[1] = _mm256_permute4x64_epi64(f1, 0x39);
-}
-
-static inline void vec256_divx_3(vec256 *f) {
- vec256 f0 = f[0];
- vec256 f1 = f[1];
- vec256 f2 = f[2];
-
- unsigned long long low0 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f0));
- unsigned long long low1 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f1));
- unsigned long long low2 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f2));
-
- low0 = (low0 >> 1) | (low1 << 63);
- low1 = (low1 >> 1) | (low2 << 63);
- low2 = low2 >> 1;
-
- f0 = _mm256_blend_epi32(f0, _mm256_set_epi64x(0, 0, 0, (long long) low0), 0x3);
- f1 = _mm256_blend_epi32(f1, _mm256_set_epi64x(0, 0, 0, (long long) low1), 0x3);
- f2 = _mm256_blend_epi32(f2, _mm256_set_epi64x(0, 0, 0, (long long) low2), 0x3);
-
- f[0] = _mm256_permute4x64_epi64(f0, 0x39);
- f[1] = _mm256_permute4x64_epi64(f1, 0x39);
- f[2] = _mm256_permute4x64_epi64(f2, 0x39);
-}
-
-static inline void vec256_timesx_1(vec256 *f) {
- vec256 f0 = _mm256_permute4x64_epi64(f[0], 0x93);
-
- unsigned long long low0 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f0));
-
- low0 = low0 << 1;
-
- f0 = _mm256_blend_epi32(f0, _mm256_set_epi64x(0, 0, 0, (long long) low0), 0x3);
-
- f[0] = f0;
-}
-
-static inline void vec256_timesx_2(vec256 *f) {
- vec256 f0 = _mm256_permute4x64_epi64(f[0], 0x93);
- vec256 f1 = _mm256_permute4x64_epi64(f[1], 0x93);
-
- unsigned long long low0 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f0));
- unsigned long long low1 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f1));
-
- low1 = (low1 << 1) | (low0 >> 63);
- low0 = low0 << 1;
-
- f0 = _mm256_blend_epi32(f0, _mm256_set_epi64x(0, 0, 0, (long long) low0), 0x3);
- f1 = _mm256_blend_epi32(f1, _mm256_set_epi64x(0, 0, 0, (long long) low1), 0x3);
-
- f[0] = f0;
- f[1] = f1;
-}
-
-static inline void vec256_timesx_3(vec256 *f) {
- vec256 f0 = _mm256_permute4x64_epi64(f[0], 0x93);
- vec256 f1 = _mm256_permute4x64_epi64(f[1], 0x93);
- vec256 f2 = _mm256_permute4x64_epi64(f[2], 0x93);
-
- unsigned long long low0 = *(unsigned long long *) &f0;
- unsigned long long low1 = *(unsigned long long *) &f1;
- unsigned long long low2 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f2));
-
- low2 = (low2 << 1) | (low1 >> 63);
- low1 = (low1 << 1) | (low0 >> 63);
- low0 = low0 << 1;
-
- *(unsigned long long *) &f0 = low0;
- *(unsigned long long *) &f1 = low1;
- f2 = _mm256_blend_epi32(f2, _mm256_set_epi64x(0, 0, 0, (long long) low2), 0x3);
-
- f[0] = f0;
- f[1] = f1;
- f[2] = f2;
-}
-
-
-int PQCLEAN_SNTRUP761_AVX2_crypto_core_inv3sntrup761(unsigned char *outbytes, const unsigned char *inbytes) {
- small *out = (void *) outbytes;
- small *in = (void *) inbytes;
- vec256 F0[numvec];
- vec256 F1[numvec];
- vec256 G0[numvec];
- vec256 G1[numvec];
- vec256 V0[numvec];
- vec256 V1[numvec];
- vec256 R0[numvec];
- vec256 R1[numvec];
- vec256 c0vec, c1vec;
- int loop;
- int c0, c1;
- int minusdelta = -1;
- int swapmask;
- vec256 swapvec;
-
- vec256_init(G0, G1, in);
- F0[0] = _mm256_set_epi32(0, 0, 0, 0, 0, 0, 0, 1);
- F0[1] = _mm256_set1_epi32(0);
- F0[2] = _mm256_set_epi32(0, 0, 0, 0, 1073741824, 0, 1073741824, 0);
- F1[0] = _mm256_set1_epi32(0);
- F1[1] = _mm256_set1_epi32(0);
- F1[2] = _mm256_set_epi32(0, 0, 0, 0, 1073741824, 0, 1073741824, 0);
-
- V0[0] = _mm256_set1_epi32(0);
- V1[0] = _mm256_set1_epi32(0);
- V0[1] = _mm256_set1_epi32(0);
- V1[1] = _mm256_set1_epi32(0);
- V0[2] = _mm256_set1_epi32(0);
- V1[2] = _mm256_set1_epi32(0);
-
- R0[0] = _mm256_set_epi32(0, 0, 0, 0, 0, 0, 0, 1);
- R1[0] = _mm256_set1_epi32(0);
- R0[1] = _mm256_set1_epi32(0);
- R1[1] = _mm256_set1_epi32(0);
- R0[2] = _mm256_set1_epi32(0);
- R1[2] = _mm256_set1_epi32(0);
-
- for (loop = 256; loop > 0; --loop) {
- vec256_timesx_1(V0);
- vec256_timesx_1(V1);
- swapmask = negative_mask(minusdelta) & vec256_bit0mask(G0);
-
- c0 = vec256_bit0mask(F0) & vec256_bit0mask(G0);
- c1 = vec256_bit0mask(F1) ^ vec256_bit0mask(G1);
- c1 &= c0;
-
- minusdelta ^= swapmask & (minusdelta ^ -minusdelta);
- minusdelta -= 1;
-
- swapvec = _mm256_set1_epi32(swapmask);
- vec256_swap(F0, G0, 3, swapvec);
- vec256_swap(F1, G1, 3, swapvec);
-
- c0vec = _mm256_set1_epi32(c0);
- c1vec = _mm256_set1_epi32(c1);
-
- vec256_eliminate(F0, F1, G0, G1, 3, c0vec, c1vec);
- vec256_divx_3(G0);
- vec256_divx_3(G1);
-
- vec256_swap(V0, R0, 1, swapvec);
- vec256_swap(V1, R1, 1, swapvec);
- vec256_eliminate(V0, V1, R0, R1, 1, c0vec, c1vec);
- }
-
- for (loop = 256; loop > 0; --loop) {
- vec256_timesx_2(V0);
- vec256_timesx_2(V1);
- swapmask = negative_mask(minusdelta) & vec256_bit0mask(G0);
-
- c0 = vec256_bit0mask(F0) & vec256_bit0mask(G0);
- c1 = vec256_bit0mask(F1) ^ vec256_bit0mask(G1);
- c1 &= c0;
-
- minusdelta ^= swapmask & (minusdelta ^ -minusdelta);
- minusdelta -= 1;
-
- swapvec = _mm256_set1_epi32(swapmask);
- vec256_swap(F0, G0, 3, swapvec);
- vec256_swap(F1, G1, 3, swapvec);
-
- c0vec = _mm256_set1_epi32(c0);
- c1vec = _mm256_set1_epi32(c1);
-
- vec256_eliminate(F0, F1, G0, G1, 3, c0vec, c1vec);
- vec256_divx_3(G0);
- vec256_divx_3(G1);
-
- vec256_swap(V0, R0, 2, swapvec);
- vec256_swap(V1, R1, 2, swapvec);
- vec256_eliminate(V0, V1, R0, R1, 2, c0vec, c1vec);
- }
-
- for (loop = 497; loop > 0; --loop) {
- vec256_timesx_3(V0);
- vec256_timesx_3(V1);
- swapmask = negative_mask(minusdelta) & vec256_bit0mask(G0);
-
- c0 = vec256_bit0mask(F0) & vec256_bit0mask(G0);
- c1 = vec256_bit0mask(F1) ^ vec256_bit0mask(G1);
- c1 &= c0;
-
- minusdelta ^= swapmask & (minusdelta ^ -minusdelta);
- minusdelta -= 1;
-
- swapvec = _mm256_set1_epi32(swapmask);
- vec256_swap(F0, G0, 3, swapvec);
- vec256_swap(F1, G1, 3, swapvec);
-
- c0vec = _mm256_set1_epi32(c0);
- c1vec = _mm256_set1_epi32(c1);
-
- vec256_eliminate(F0, F1, G0, G1, 3, c0vec, c1vec);
- vec256_divx_3(G0);
- vec256_divx_3(G1);
-
- vec256_swap(V0, R0, 3, swapvec);
- vec256_swap(V1, R1, 3, swapvec);
- vec256_eliminate(V0, V1, R0, R1, 3, c0vec, c1vec);
- }
-
- for (loop = 256; loop > 0; --loop) {
- vec256_timesx_3(V0);
- vec256_timesx_3(V1);
- swapmask = negative_mask(minusdelta) & vec256_bit0mask(G0);
-
- c0 = vec256_bit0mask(F0) & vec256_bit0mask(G0);
- c1 = vec256_bit0mask(F1) ^ vec256_bit0mask(G1);
- c1 &= c0;
-
- minusdelta ^= swapmask & (minusdelta ^ -minusdelta);
- minusdelta -= 1;
-
- swapvec = _mm256_set1_epi32(swapmask);
- vec256_swap(F0, G0, 2, swapvec);
- vec256_swap(F1, G1, 2, swapvec);
-
- c0vec = _mm256_set1_epi32(c0);
- c1vec = _mm256_set1_epi32(c1);
-
- vec256_eliminate(F0, F1, G0, G1, 2, c0vec, c1vec);
- vec256_divx_2(G0);
- vec256_divx_2(G1);
-
- vec256_swap(V0, R0, 3, swapvec);
- vec256_swap(V1, R1, 3, swapvec);
- vec256_eliminate(V0, V1, R0, R1, 3, c0vec, c1vec);
- }
-
- for (loop = 256; loop > 0; --loop) {
- vec256_timesx_3(V0);
- vec256_timesx_3(V1);
- swapmask = negative_mask(minusdelta) & vec256_bit0mask(G0);
-
- c0 = vec256_bit0mask(F0) & vec256_bit0mask(G0);
- c1 = vec256_bit0mask(F1) ^ vec256_bit0mask(G1);
- c1 &= c0;
-
- minusdelta ^= swapmask & (minusdelta ^ -minusdelta);
- minusdelta -= 1;
-
- swapvec = _mm256_set1_epi32(swapmask);
- vec256_swap(F0, G0, 1, swapvec);
- vec256_swap(F1, G1, 1, swapvec);
-
- c0vec = _mm256_set1_epi32(c0);
- c1vec = _mm256_set1_epi32(c1);
-
- vec256_eliminate(F0, F1, G0, G1, 1, c0vec, c1vec);
- vec256_divx_1(G0);
- vec256_divx_1(G1);
-
- vec256_swap(V0, R0, 3, swapvec);
- vec256_swap(V1, R1, 3, swapvec);
- vec256_eliminate(V0, V1, R0, R1, 3, c0vec, c1vec);
- }
-
- c0vec = _mm256_set1_epi32(vec256_bit0mask(F0));
- c1vec = _mm256_set1_epi32(vec256_bit0mask(F1));
- vec256_scale(V0, V1, c0vec, c1vec);
-
- vec256_final(out, V0, V1);
- out[p] = (small) negative_mask(minusdelta);
- return 0;
-}
diff --git a/crypto_kem/sntrup761/avx2/crypto_core_inv3sntrup761.h b/crypto_kem/sntrup761/avx2/crypto_core_inv3sntrup761.h
deleted file mode 100644
index 3ad25475..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_core_inv3sntrup761.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_AVX2_CRYPTO_CORE_INV3SNTRUP761_H
-#define PQCLEAN_SNTRUP761_AVX2_CRYPTO_CORE_INV3SNTRUP761_H
-
-#include 
-#define PQCLEAN_SNTRUP761_AVX2_crypto_core_inv3sntrup761_OUTPUTBYTES 762
-#define PQCLEAN_SNTRUP761_AVX2_crypto_core_inv3sntrup761_INPUTBYTES 761
-#define PQCLEAN_SNTRUP761_AVX2_crypto_core_inv3sntrup761_KEYBYTES 0
-#define PQCLEAN_SNTRUP761_AVX2_crypto_core_inv3sntrup761_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP761_AVX2_crypto_core_inv3sntrup761(unsigned char *outbytes, const unsigned char *inbytes);
-#endif
diff --git a/crypto_kem/sntrup761/avx2/crypto_core_invsntrup761.c b/crypto_kem/sntrup761/avx2/crypto_core_invsntrup761.c
deleted file mode 100644
index b8dcfa5e..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_core_invsntrup761.c
+++ /dev/null
@@ -1,202 +0,0 @@
-#include "crypto_core_invsntrup761.h"
-#include "params.h"
-#include 
-
-#define int8 int8_t
-#define int16 int16_t
-#define int32 int32_t
-#define uint16 uint16_t
-#define uint32 uint32_t
-
-
-
-/* ----- masks */
-
-/* return -1 if x!=0; else return 0 */
-static int int16_nonzero_mask(int16 x) {
- uint16 u = (uint16) x; /* 0, else 1...65535 */
- uint32 v = u; /* 0, else 1...65535 */
- v = ~v + 1; /* 0, else 2^32-65535...2^32-1 */
- v >>= 31; /* 0, else 1 */
- return -(int) v; /* 0, else -1 */
-}
-
-/* return -1 if x<0; otherwise return 0 */
-static int int16_negative_mask(int16 x) {
- return x >> 15; /* XXX: theoretically need gcc -fwrapv for this */
-}
-
-/* ----- arithmetic mod q */
-
-typedef int8 small;
-
-typedef int16 Fq;
-/* always represented as -(q-1)/2...(q-1)/2 */
-
-/* works for -14000000 < x < 14000000 if q in 4591, 4621, 5167 */
-static Fq Fq_freeze(int32 x) {
- x -= q * ((q18 * x) >> 18);
- x -= q * ((q27 * x + 67108864) >> 27);
- return (Fq) x;
-}
-
-/* nonnegative e */
-static Fq Fq_pow(Fq a, int e) {
- if (e == 0) {
- return 1;
- }
- if (e == 1) {
- return a;
- }
- if (e & 1) {
- return Fq_freeze(a * (int32)Fq_pow(a, e - 1));
- }
- a = Fq_freeze(a * (int32)a);
- return Fq_pow(a, e >> 1);
-}
-
-static Fq Fq_recip(Fq a) {
- return Fq_pow(a, q - 2);
-}
-
-/* ----- more */
-
-#define qvec _mm256_set1_epi16(q)
-#define qinvvec _mm256_set1_epi16(qinv)
-
-static inline __m256i montproduct(__m256i x, __m256i y, __m256i yqinv) {
- __m256i hi, d, e;
-
- d = _mm256_mullo_epi16(x, yqinv);
- hi = _mm256_mulhi_epi16(x, y);
- e = _mm256_mulhi_epi16(d, qvec);
- return _mm256_sub_epi16(hi, e);
-}
-
-static inline void vectormodq_swapeliminate(Fq *f, Fq *g, int len, const Fq f0, const Fq g0, int mask) {
- __m256i f0vec = _mm256_set1_epi16(f0);
- __m256i g0vec = _mm256_set1_epi16(g0);
- __m256i f0vecqinv = _mm256_mullo_epi16(f0vec, qinvvec);
- __m256i g0vecqinv = _mm256_mullo_epi16(g0vec, qinvvec);
- __m256i maskvec = _mm256_set1_epi32(mask);
-
- while (len > 0) {
- __m256i fi = _mm256_loadu_si256((__m256i *) f);
- __m256i gi = _mm256_loadu_si256((__m256i *) g);
- __m256i finew = _mm256_blendv_epi8(fi, gi, maskvec);
- __m256i ginew = _mm256_blendv_epi8(gi, fi, maskvec);
- ginew = _mm256_sub_epi16(montproduct(ginew, f0vec, f0vecqinv), montproduct(finew, g0vec, g0vecqinv));
- _mm256_storeu_si256((__m256i *) f, finew);
- _mm256_storeu_si256((__m256i *) (g - 1), ginew);
- f += 16;
- g += 16;
- len -= 16;
- }
-}
-
-static inline void vectormodq_xswapeliminate(Fq *f, Fq *g, int len, const Fq f0, const Fq g0, int mask) {
- __m256i f0vec = _mm256_set1_epi16(f0);
- __m256i g0vec = _mm256_set1_epi16(g0);
- __m256i f0vecqinv = _mm256_mullo_epi16(f0vec, qinvvec);
- __m256i g0vecqinv = _mm256_mullo_epi16(g0vec, qinvvec);
- __m256i maskvec = _mm256_set1_epi32(mask);
-
- f += len + (-len & 15);
- g += len + (-len & 15);
- while (len > 0) {
- f -= 16;
- g -= 16;
- len -= 16;
- __m256i fi = _mm256_loadu_si256((__m256i *) f);
- __m256i gi = _mm256_loadu_si256((__m256i *) g);
- __m256i finew = _mm256_blendv_epi8(fi, gi, maskvec);
- __m256i ginew = _mm256_blendv_epi8(gi, fi, maskvec);
- ginew = _mm256_sub_epi16(montproduct(ginew, f0vec, f0vecqinv), montproduct(finew, g0vec, g0vecqinv));
- _mm256_storeu_si256((__m256i *) (f + 1), finew);
- _mm256_storeu_si256((__m256i *) g, ginew);
- }
-}
-
-int PQCLEAN_SNTRUP761_AVX2_crypto_core_invsntrup761(unsigned char *outbytes, const unsigned char *inbytes) {
- small *in = (void *) inbytes;
- int loop;
- Fq out[p], f[ppad], g[ppad], v[ppad], r[ppad];
- Fq f0, g0;
- Fq scale;
- int i;
- int delta = 1;
- int minusdelta;
- int fgflip;
- int swap;
-
- for (i = 0; i < ppad; ++i) {
- f[i] = 0;
- }
- f[0] = 1;
- f[p - 1] = -1;
- f[p] = -1;
- /* generalization: initialize f to reversal of any deg-p polynomial m */
-
- for (i = 0; i < p; ++i) {
- g[i] = in[p - 1 - i];
- }
- for (i = p; i < ppad; ++i) {
- g[i] = 0;
- }
-
- for (i = 0; i < ppad; ++i) {
- r[i] = 0;
- }
- r[0] = Fq_recip(3);
-
- for (i = 0; i < ppad; ++i) {
- v[i] = 0;
- }
-
- for (loop = 0; loop < p; ++loop) {
- g0 = Fq_freeze(g[0]);
- f0 = f[0];
-
- minusdelta = -delta;
- swap = int16_negative_mask((int16) minusdelta) & int16_nonzero_mask(g0);
- delta ^= swap & (delta ^ minusdelta);
- delta += 1;
-
- fgflip = swap & (f0 ^ g0);
- f0 ^= (Fq) fgflip;
- g0 ^= (Fq) fgflip;
-
- f[0] = f0;
-
- vectormodq_swapeliminate(f + 1, g + 1, p, f0, g0, swap);
- vectormodq_xswapeliminate(v, r, loop + 1, f0, g0, swap);
- }
-
- for (loop = p - 1; loop > 0; --loop) {
- g0 = Fq_freeze(g[0]);
- f0 = f[0];
-
- minusdelta = -delta;
- swap = int16_negative_mask((int16) minusdelta) & int16_nonzero_mask(g0);
- delta ^= swap & (delta ^ minusdelta);
- delta += 1;
-
- fgflip = swap & (f0 ^ g0);
- f0 ^= (Fq) fgflip;
- g0 ^= (Fq) fgflip;
-
- f[0] = f0;
-
- vectormodq_swapeliminate(f + 1, g + 1, loop, f0, g0, swap);
- vectormodq_xswapeliminate(v, r, p, f0, g0, swap);
- }
-
- scale = Fq_recip(Fq_freeze(f[0]));
- for (i = 0; i < p; ++i) {
- out[i] = Fq_freeze(scale * (int32)Fq_freeze(v[p - i]));
- }
-
- crypto_encode_pxint16(outbytes, out);
- outbytes[2 * p] = (unsigned char) int16_nonzero_mask((int16) delta);
- return 0;
-}
diff --git a/crypto_kem/sntrup761/avx2/crypto_core_invsntrup761.h b/crypto_kem/sntrup761/avx2/crypto_core_invsntrup761.h
deleted file mode 100644
index 1a2adf16..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_core_invsntrup761.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_AVX2_CRYPTO_CORE_INVSNTRUP761_H
-#define PQCLEAN_SNTRUP761_AVX2_CRYPTO_CORE_INVSNTRUP761_H
-
-#include 
-#define PQCLEAN_SNTRUP761_AVX2_crypto_core_invsntrup761_OUTPUTBYTES 1523
-#define PQCLEAN_SNTRUP761_AVX2_crypto_core_invsntrup761_INPUTBYTES 761
-#define PQCLEAN_SNTRUP761_AVX2_crypto_core_invsntrup761_KEYBYTES 0
-#define PQCLEAN_SNTRUP761_AVX2_crypto_core_invsntrup761_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP761_AVX2_crypto_core_invsntrup761(unsigned char *outbytes, const unsigned char *inbytes);
-#endif
diff --git a/crypto_kem/sntrup761/avx2/crypto_core_mult3sntrup761.c b/crypto_kem/sntrup761/avx2/crypto_core_mult3sntrup761.c
deleted file mode 100644
index 7e46dde5..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_core_mult3sntrup761.c
+++ /dev/null
@@ -1,259 +0,0 @@
-#include "crypto_core_mult3sntrup761.h"
-#include "crypto_core_multsntrup761_ntt.h"
-#include "crypto_decode_761xint16.h"
-#include "crypto_encode_761xint16.h"
-#include 
-
-typedef int8_t int8;
-typedef int16_t int16;
-
-#define int16x16 __m256i
-#define load_x16(p) _mm256_loadu_si256((int16x16 *) (p))
-#define store_x16(p,v) _mm256_storeu_si256((int16x16 *) (p),(v))
-#define const_x16 _mm256_set1_epi16
-#define add_x16 _mm256_add_epi16
-#define sub_x16 _mm256_sub_epi16
-#define mullo_x16 _mm256_mullo_epi16
-#define mulhi_x16 _mm256_mulhi_epi16
-#define mulhrs_x16 _mm256_mulhrs_epi16
-#define signmask_x16(x) _mm256_srai_epi16((x),15)
-
-typedef union {
- int16 v[3][512];
- int16x16 _dummy;
-} vec3x512;
-
-typedef union {
- int16 v[768];
- int16x16 _dummy;
-} vec768;
-
-typedef union {
- int16 v[3 * 512];
- int16x16 _dummy;
-} vec1536;
-
-static int16x16 squeeze_3_x16(int16x16 x) {
- return sub_x16(x, mullo_x16(mulhrs_x16(x, const_x16(10923)), const_x16(3)));
-}
-
-static int16x16 squeeze_7681_x16(int16x16 x) {
- return sub_x16(x, mullo_x16(mulhrs_x16(x, const_x16(4)), const_x16(7681)));
-}
-
-static int16x16 mulmod_7681_x16(int16x16 x, int16x16 y) {
- int16x16 yqinv = mullo_x16(y, const_x16(-7679)); /* XXX: precompute */
- int16x16 b = mulhi_x16(x, y);
- int16x16 d = mullo_x16(x, yqinv);
- int16x16 e = mulhi_x16(d, const_x16(7681));
- return sub_x16(b, e);
-}
-
-#define mask0 _mm256_set_epi16(-1,0,0,-1,0,0,-1,0,0,-1,0,0,-1,0,0,-1)
-#define mask1 _mm256_set_epi16(0,0,-1,0,0,-1,0,0,-1,0,0,-1,0,0,-1,0)
-#define mask2 _mm256_set_epi16(0,-1,0,0,-1,0,0,-1,0,0,-1,0,0,-1,0,0)
-
-static void good(int16 fpad[3][512], const int16 f[768]) {
- int j;
- int16x16 f0, f1;
-
- j = 0;
- for (;;) {
- f0 = load_x16(f + j);
- f1 = load_x16(f + 512 + j);
- store_x16(&fpad[0][j], (f0 & mask0) | (f1 & mask1));
- store_x16(&fpad[1][j], (f0 & mask1) | (f1 & mask2));
- store_x16(&fpad[2][j], (f0 & mask2) | (f1 & mask0));
- j += 16;
- if (j == 256) {
- break;
- }
-
- f0 = load_x16(f + j);
- f1 = load_x16(f + 512 + j);
- store_x16(&fpad[0][j], (f0 & mask2) | (f1 & mask0));
- store_x16(&fpad[1][j], (f0 & mask0) | (f1 & mask1));
- store_x16(&fpad[2][j], (f0 & mask1) | (f1 & mask2));
- j += 16;
-
- f0 = load_x16(f + j);
- f1 = load_x16(f + 512 + j);
- store_x16(&fpad[0][j], (f0 & mask1) | (f1 & mask2));
- store_x16(&fpad[1][j], (f0 & mask2) | (f1 & mask0));
- store_x16(&fpad[2][j], (f0 & mask0) | (f1 & mask1));
- j += 16;
- }
- for (;;) {
- f0 = load_x16(f + j);
- store_x16(&fpad[0][j], f0 & mask2);
- store_x16(&fpad[1][j], f0 & mask0);
- store_x16(&fpad[2][j], f0 & mask1);
- j += 16;
- if (j == 512) {
- break;
- }
-
- f0 = load_x16(f + j);
- store_x16(&fpad[0][j], f0 & mask1);
- store_x16(&fpad[1][j], f0 & mask2);
- store_x16(&fpad[2][j], f0 & mask0);
- j += 16;
-
- f0 = load_x16(f + j);
- store_x16(&fpad[0][j], f0 & mask0);
- store_x16(&fpad[1][j], f0 & mask1);
- store_x16(&fpad[2][j], f0 & mask2);
- j += 16;
- }
-}
-
-static void ungood(int16 f[1536], const int16 fpad[3][512]) {
- int j;
- int16x16 f0, f1, f2, g0, g1, g2;
-
- j = 0;
-
- for (;;) {
- f0 = load_x16(&fpad[0][j]);
- f1 = load_x16(&fpad[1][j]);
- f2 = load_x16(&fpad[2][j]);
- g0 = (f0 & mask0) | (f1 & mask1) | (f2 & mask2);
- g1 = (f0 & mask1) | (f1 & mask2) | (f2 & mask0);
- g2 = f0 ^ f1 ^ f2 ^ g0 ^ g1; /* same as (f0&mask2)|(f1&mask0)|(f2&mask1) */
- store_x16(f + 0 + j, g0);
- store_x16(f + 512 + j, g1);
- store_x16(f + 1024 + j, g2);
- j += 16;
-
- f0 = load_x16(&fpad[0][j]);
- f1 = load_x16(&fpad[1][j]);
- f2 = load_x16(&fpad[2][j]);
- g0 = (f0 & mask2) | (f1 & mask0) | (f2 & mask1);
- g1 = (f0 & mask0) | (f1 & mask1) | (f2 & mask2);
- g2 = f0 ^ f1 ^ f2 ^ g0 ^ g1; /* same as (f0&mask1)|(f1&mask2)|(f2&mask0) */
- store_x16(f + 0 + j, g0);
- store_x16(f + 512 + j, g1);
- store_x16(f + 1024 + j, g2);
- j += 16;
- if (j == 512) {
- break;
- }
-
- f0 = load_x16(&fpad[0][j]);
- f1 = load_x16(&fpad[1][j]);
- f2 = load_x16(&fpad[2][j]);
- g0 = (f0 & mask1) | (f1 & mask2) | (f2 & mask0);
- g1 = (f0 & mask2) | (f1 & mask0) | (f2 & mask1);
- g2 = f0 ^ f1 ^ f2 ^ g0 ^ g1; /* same as (f0&mask0)|(f1&mask1)|(f2&mask2) */
- store_x16(f + 0 + j, g0);
- store_x16(f + 512 + j, g1);
- store_x16(f + 1024 + j, g2);
- j += 16;
- }
-}
-
-static void mult768(int16 h[1536], const int16 f[768], const int16 g[768]) {
- vec3x512 x1, x2;
- vec1536 x3;
-#define fpad (x1.v)
-#define gpad (x2.v)
-#define hpad fpad
-#define h_7681 (x3.v)
- int i;
-
- good(fpad, f);
- PQCLEAN_SNTRUP761_AVX2_ntt512_7681(fpad[0], 3);
-
- good(gpad, g);
- PQCLEAN_SNTRUP761_AVX2_ntt512_7681(gpad[0], 3);
-
- for (i = 0; i < 512; i += 16) {
- int16x16 f0 = squeeze_7681_x16(load_x16(&fpad[0][i]));
- int16x16 f1 = squeeze_7681_x16(load_x16(&fpad[1][i]));
- int16x16 f2 = squeeze_7681_x16(load_x16(&fpad[2][i]));
- int16x16 g0 = squeeze_7681_x16(load_x16(&gpad[0][i]));
- int16x16 g1 = squeeze_7681_x16(load_x16(&gpad[1][i]));
- int16x16 g2 = squeeze_7681_x16(load_x16(&gpad[2][i]));
- int16x16 d0 = mulmod_7681_x16(f0, g0);
- int16x16 d1 = mulmod_7681_x16(f1, g1);
- int16x16 d2 = mulmod_7681_x16(f2, g2);
- int16x16 dsum = add_x16(add_x16(d0, d1), d2);
- int16x16 h0 = add_x16(dsum, mulmod_7681_x16(sub_x16(f2, f1), sub_x16(g1, g2)));
- int16x16 h1 = add_x16(dsum, mulmod_7681_x16(sub_x16(f1, f0), sub_x16(g0, g1)));
- int16x16 h2 = add_x16(dsum, mulmod_7681_x16(sub_x16(f0, f2), sub_x16(g2, g0)));
- store_x16(&hpad[0][i], squeeze_7681_x16(h0));
- store_x16(&hpad[1][i], squeeze_7681_x16(h1));
- store_x16(&hpad[2][i], squeeze_7681_x16(h2));
- }
-
- PQCLEAN_SNTRUP761_AVX2_invntt512_7681(hpad[0], 3);
- ungood(h_7681, (const int16(*)[512]) hpad);
-
- for (i = 0; i < 1536; i += 16) {
- int16x16 u = load_x16(&h_7681[i]);
- u = mulmod_7681_x16(u, const_x16(956));
- store_x16(&h[i], u);
- }
-}
-
-#define crypto_decode_pxint16 PQCLEAN_SNTRUP761_AVX2_crypto_decode_761xint16
-#define crypto_encode_pxint16 PQCLEAN_SNTRUP761_AVX2_crypto_encode_761xint16
-
-#define p 761
-
-static inline int16x16 freeze_3_x16(int16x16 x) {
- int16x16 mask, x3;
- x = add_x16(x, const_x16(3)&signmask_x16(x));
- mask = signmask_x16(sub_x16(x, const_x16(2)));
- x3 = sub_x16(x, const_x16(3));
- x = _mm256_blendv_epi8(x3, x, mask);
- return x;
-}
-
-int PQCLEAN_SNTRUP761_AVX2_crypto_core_mult3sntrup761(unsigned char *outbytes, const unsigned char *inbytes, const unsigned char *kbytes) {
- vec768 x1, x2;
- vec1536 x3;
-#define f (x1.v)
-#define g (x2.v)
-#define fg (x3.v)
-#define h f
- int i;
- int16x16 x;
-
- x = const_x16(0);
- for (i = p & ~15; i < 768; i += 16) {
- store_x16(&f[i], x);
- }
- for (i = p & ~15; i < 768; i += 16) {
- store_x16(&g[i], x);
- }
-
- for (i = 0; i < p; ++i) {
- int8 fi = (int8) inbytes[i];
- int8 fi0 = fi & 1;
- f[i] = (int16) (fi0 - (fi & (fi0 << 1)));
- }
- for (i = 0; i < p; ++i) {
- int8 gi = (int8) kbytes[i];
- int8 gi0 = gi & 1;
- g[i] = (int16) (gi0 - (gi & (gi0 << 1)));
- }
-
- mult768(fg, f, g);
-
- fg[0] = (int16) (fg[0] - fg[p - 1]);
- for (i = 0; i < 768; i += 16) {
- int16x16 fgi = load_x16(&fg[i]);
- int16x16 fgip = load_x16(&fg[i + p]);
- int16x16 fgip1 = load_x16(&fg[i + p - 1]);
- x = add_x16(fgi, add_x16(fgip, fgip1));
- x = freeze_3_x16(squeeze_3_x16(x));
- store_x16(&h[i], x);
- }
-
- for (i = 0; i < p; ++i) {
- outbytes[i] = (unsigned char) h[i];
- }
-
- return 0;
-}
diff --git a/crypto_kem/sntrup761/avx2/crypto_core_mult3sntrup761.h b/crypto_kem/sntrup761/avx2/crypto_core_mult3sntrup761.h
deleted file mode 100644
index 051fd590..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_core_mult3sntrup761.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_AVX2_CRYPTO_CORE_MULT3SNTRUP761_H
-#define PQCLEAN_SNTRUP761_AVX2_CRYPTO_CORE_MULT3SNTRUP761_H
-
-#include 
-#define PQCLEAN_SNTRUP761_AVX2_crypto_core_mult3sntrup761_OUTPUTBYTES 761
-#define PQCLEAN_SNTRUP761_AVX2_crypto_core_mult3sntrup761_INPUTBYTES 761
-#define PQCLEAN_SNTRUP761_AVX2_crypto_core_mult3sntrup761_KEYBYTES 761
-#define PQCLEAN_SNTRUP761_AVX2_crypto_core_mult3sntrup761_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP761_AVX2_crypto_core_mult3sntrup761(unsigned char *outbytes, const unsigned char *inbytes, const unsigned char *kbytes);
-#endif
diff --git a/crypto_kem/sntrup761/avx2/crypto_core_multsntrup761.c b/crypto_kem/sntrup761/avx2/crypto_core_multsntrup761.c
deleted file mode 100644
index 7ee2997a..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_core_multsntrup761.c
+++ /dev/null
@@ -1,314 +0,0 @@
-#include "crypto_core_multsntrup761.h"
-#include "crypto_core_multsntrup761_ntt.h"
-#include "crypto_decode_761xint16.h"
-#include "crypto_encode_761xint16.h"
-#include 
-
-typedef int8_t int8;
-typedef int16_t int16;
-
-#define int16x16 __m256i
-#define load_x16(p) _mm256_loadu_si256((int16x16 *) (p))
-#define store_x16(p,v) _mm256_storeu_si256((int16x16 *) (p),(v))
-#define const_x16 _mm256_set1_epi16
-#define add_x16 _mm256_add_epi16
-#define sub_x16 _mm256_sub_epi16
-#define mullo_x16 _mm256_mullo_epi16
-#define mulhi_x16 _mm256_mulhi_epi16
-#define mulhrs_x16 _mm256_mulhrs_epi16
-#define signmask_x16(x) _mm256_srai_epi16((x),15)
-
-typedef union {
- int16 v[3][512];
- int16x16 _dummy;
-} vec3x512;
-
-typedef union {
- int16 v[768];
- int16x16 _dummy;
-} vec768;
-
-typedef union {
- int16 v[3 * 512];
- int16x16 _dummy;
-} vec1536;
-
-static inline int16x16 squeeze_4591_x16(int16x16 x) {
- return sub_x16(x, mullo_x16(mulhrs_x16(x, const_x16(7)), const_x16(4591)));
-}
-
-static inline int16x16 squeeze_7681_x16(int16x16 x) {
- return sub_x16(x, mullo_x16(mulhrs_x16(x, const_x16(4)), const_x16(7681)));
-}
-
-static inline int16x16 squeeze_10753_x16(int16x16 x) {
- return sub_x16(x, mullo_x16(mulhrs_x16(x, const_x16(3)), const_x16(10753)));
-}
-
-static inline int16x16 mulmod_4591_x16(int16x16 x, int16x16 y) {
- int16x16 yqinv = mullo_x16(y, const_x16(15631)); /* XXX: precompute */
- int16x16 b = mulhi_x16(x, y);
- int16x16 d = mullo_x16(x, yqinv);
- int16x16 e = mulhi_x16(d, const_x16(4591));
- return sub_x16(b, e);
-}
-
-static inline int16x16 mulmod_7681_x16(int16x16 x, int16x16 y) {
- int16x16 yqinv = mullo_x16(y, const_x16(-7679)); /* XXX: precompute */
- int16x16 b = mulhi_x16(x, y);
- int16x16 d = mullo_x16(x, yqinv);
- int16x16 e = mulhi_x16(d, const_x16(7681));
- return sub_x16(b, e);
-}
-
-static inline int16x16 mulmod_10753_x16(int16x16 x, int16x16 y) {
- int16x16 yqinv = mullo_x16(y, const_x16(-10751)); /* XXX: precompute */
- int16x16 b = mulhi_x16(x, y);
- int16x16 d = mullo_x16(x, yqinv);
- int16x16 e = mulhi_x16(d, const_x16(10753));
- return sub_x16(b, e);
-}
-
-#define mask0 _mm256_set_epi16(-1,0,0,-1,0,0,-1,0,0,-1,0,0,-1,0,0,-1)
-#define mask1 _mm256_set_epi16(0,0,-1,0,0,-1,0,0,-1,0,0,-1,0,0,-1,0)
-#define mask2 _mm256_set_epi16(0,-1,0,0,-1,0,0,-1,0,0,-1,0,0,-1,0,0)
-
-static void good(int16 fpad[3][512], const int16 f[768]) {
- int j;
- int16x16 f0, f1;
-
- j = 0;
- for (;;) {
- f0 = load_x16(f + j);
- f1 = load_x16(f + 512 + j);
- store_x16(&fpad[0][j], (f0 & mask0) | (f1 & mask1));
- store_x16(&fpad[1][j], (f0 & mask1) | (f1 & mask2));
- store_x16(&fpad[2][j], (f0 & mask2) | (f1 & mask0));
- j += 16;
- if (j == 256) {
- break;
- }
-
- f0 = load_x16(f + j);
- f1 = load_x16(f + 512 + j);
- store_x16(&fpad[0][j], (f0 & mask2) | (f1 & mask0));
- store_x16(&fpad[1][j], (f0 & mask0) | (f1 & mask1));
- store_x16(&fpad[2][j], (f0 & mask1) | (f1 & mask2));
- j += 16;
-
- f0 = load_x16(f + j);
- f1 = load_x16(f + 512 + j);
- store_x16(&fpad[0][j], (f0 & mask1) | (f1 & mask2));
- store_x16(&fpad[1][j], (f0 & mask2) | (f1 & mask0));
- store_x16(&fpad[2][j], (f0 & mask0) | (f1 & mask1));
- j += 16;
- }
- for (;;) {
- f0 = load_x16(f + j);
- store_x16(&fpad[0][j], f0 & mask2);
- store_x16(&fpad[1][j], f0 & mask0);
- store_x16(&fpad[2][j], f0 & mask1);
- j += 16;
- if (j == 512) {
- break;
- }
-
- f0 = load_x16(f + j);
- store_x16(&fpad[0][j], f0 & mask1);
- store_x16(&fpad[1][j], f0 & mask2);
- store_x16(&fpad[2][j], f0 & mask0);
- j += 16;
-
- f0 = load_x16(f + j);
- store_x16(&fpad[0][j], f0 & mask0);
- store_x16(&fpad[1][j], f0 & mask1);
- store_x16(&fpad[2][j], f0 & mask2);
- j += 16;
- }
-}
-
-static void ungood(int16 f[1536], const int16 fpad[3][512]) {
- int j;
- int16x16 f0, f1, f2, g0, g1, g2;
-
- j = 0;
-
- for (;;) {
- f0 = load_x16(&fpad[0][j]);
- f1 = load_x16(&fpad[1][j]);
- f2 = load_x16(&fpad[2][j]);
- g0 = (f0 & mask0) | (f1 & mask1) | (f2 & mask2);
- g1 = (f0 & mask1) | (f1 & mask2) | (f2 & mask0);
- g2 = f0 ^ f1 ^ f2 ^ g0 ^ g1; /* same as (f0&mask2)|(f1&mask0)|(f2&mask1) */
- store_x16(f + 0 + j, g0);
- store_x16(f + 512 + j, g1);
- store_x16(f + 1024 + j, g2);
- j += 16;
-
- f0 = load_x16(&fpad[0][j]);
- f1 = load_x16(&fpad[1][j]);
- f2 = load_x16(&fpad[2][j]);
- g0 = (f0 & mask2) | (f1 & mask0) | (f2 & mask1);
- g1 = (f0 & mask0) | (f1 & mask1) | (f2 & mask2);
- g2 = f0 ^ f1 ^ f2 ^ g0 ^ g1; /* same as (f0&mask1)|(f1&mask2)|(f2&mask0) */
- store_x16(f + 0 + j, g0);
- store_x16(f + 512 + j, g1);
- store_x16(f + 1024 + j, g2);
- j += 16;
- if (j == 512) {
- break;
- }
-
- f0 = load_x16(&fpad[0][j]);
- f1 = load_x16(&fpad[1][j]);
- f2 = load_x16(&fpad[2][j]);
- g0 = (f0 & mask1) | (f1 & mask2) | (f2 & mask0);
- g1 = (f0 & mask2) | (f1 & mask0) | (f2 & mask1);
- g2 = f0 ^ f1 ^ f2 ^ g0 ^ g1; /* same as (f0&mask0)|(f1&mask1)|(f2&mask2) */
- store_x16(f + 0 + j, g0);
- store_x16(f + 512 + j, g1);
- store_x16(f + 1024 + j, g2);
- j += 16;
- }
-}
-
-static void mult768(int16 h[1536], const int16 f[768], const int16 g[768]) {
- vec3x512 x1, x2;
- vec1536 x3, x4;
-#define fpad (x1.v)
-#define gpad (x2.v)
-#define hpad fpad
-#define h_7681 (x3.v)
-#define h_10753 (x4.v)
- int i;
-
- good(fpad, f);
- PQCLEAN_SNTRUP761_AVX2_ntt512_7681(fpad[0], 3);
-
- good(gpad, g);
- PQCLEAN_SNTRUP761_AVX2_ntt512_7681(gpad[0], 3);
-
- for (i = 0; i < 512; i += 16) {
- int16x16 f0 = squeeze_7681_x16(load_x16(&fpad[0][i]));
- int16x16 f1 = squeeze_7681_x16(load_x16(&fpad[1][i]));
- int16x16 f2 = squeeze_7681_x16(load_x16(&fpad[2][i]));
- int16x16 g0 = squeeze_7681_x16(load_x16(&gpad[0][i]));
- int16x16 g1 = squeeze_7681_x16(load_x16(&gpad[1][i]));
- int16x16 g2 = squeeze_7681_x16(load_x16(&gpad[2][i]));
- int16x16 d0 = mulmod_7681_x16(f0, g0);
- int16x16 d1 = mulmod_7681_x16(f1, g1);
- int16x16 d2 = mulmod_7681_x16(f2, g2);
- int16x16 dsum = add_x16(add_x16(d0, d1), d2);
- int16x16 h0 = add_x16(dsum, mulmod_7681_x16(sub_x16(f2, f1), sub_x16(g1, g2)));
- int16x16 h1 = add_x16(dsum, mulmod_7681_x16(sub_x16(f1, f0), sub_x16(g0, g1)));
- int16x16 h2 = add_x16(dsum, mulmod_7681_x16(sub_x16(f0, f2), sub_x16(g2, g0)));
- store_x16(&hpad[0][i], squeeze_7681_x16(h0));
- store_x16(&hpad[1][i], squeeze_7681_x16(h1));
- store_x16(&hpad[2][i], squeeze_7681_x16(h2));
- }
-
- PQCLEAN_SNTRUP761_AVX2_invntt512_7681(hpad[0], 3);
- ungood(h_7681, (const int16(*)[512]) hpad);
-
- good(fpad, f);
- PQCLEAN_SNTRUP761_AVX2_ntt512_10753(fpad[0], 3);
-
- good(gpad, g);
- PQCLEAN_SNTRUP761_AVX2_ntt512_10753(gpad[0], 3);
-
- for (i = 0; i < 512; i += 16) {
- int16x16 f0 = squeeze_10753_x16(load_x16(&fpad[0][i]));
- int16x16 f1 = squeeze_10753_x16(load_x16(&fpad[1][i]));
- int16x16 f2 = squeeze_10753_x16(load_x16(&fpad[2][i]));
- int16x16 g0 = squeeze_10753_x16(load_x16(&gpad[0][i]));
- int16x16 g1 = squeeze_10753_x16(load_x16(&gpad[1][i]));
- int16x16 g2 = squeeze_10753_x16(load_x16(&gpad[2][i]));
- int16x16 d0 = mulmod_10753_x16(f0, g0);
- int16x16 d1 = mulmod_10753_x16(f1, g1);
- int16x16 d2 = mulmod_10753_x16(f2, g2);
- int16x16 dsum = add_x16(add_x16(d0, d1), d2);
- int16x16 h0 = add_x16(dsum, mulmod_10753_x16(sub_x16(f2, f1), sub_x16(g1, g2)));
- int16x16 h1 = add_x16(dsum, mulmod_10753_x16(sub_x16(f1, f0), sub_x16(g0, g1)));
- int16x16 h2 = add_x16(dsum, mulmod_10753_x16(sub_x16(f0, f2), sub_x16(g2, g0)));
- store_x16(&hpad[0][i], squeeze_10753_x16(h0));
- store_x16(&hpad[1][i], squeeze_10753_x16(h1));
- store_x16(&hpad[2][i], squeeze_10753_x16(h2));
- }
-
- PQCLEAN_SNTRUP761_AVX2_invntt512_10753(hpad[0], 3);
- ungood(h_10753, (const int16(*)[512]) hpad);
-
- for (i = 0; i < 1536; i += 16) {
- int16x16 u1 = load_x16(&h_10753[i]);
- int16x16 u2 = load_x16(&h_7681[i]);
- int16x16 t;
- u1 = mulmod_10753_x16(u1, const_x16(1268));
- u2 = mulmod_7681_x16(u2, const_x16(956));
- t = mulmod_7681_x16(sub_x16(u2, u1), const_x16(-2539));
- t = add_x16(u1, mulmod_4591_x16(t, const_x16(-710)));
- store_x16(&h[i], t);
- }
-}
-
-#define crypto_decode_pxint16 PQCLEAN_SNTRUP761_AVX2_crypto_decode_761xint16
-#define crypto_encode_pxint16 PQCLEAN_SNTRUP761_AVX2_crypto_encode_761xint16
-
-#define p 761
-#define q 4591
-
-static inline int16x16 freeze_4591_x16(int16x16 x) {
- int16x16 mask, xq;
- x = add_x16(x, const_x16(q)&signmask_x16(x));
- mask = signmask_x16(sub_x16(x, const_x16((q + 1) / 2)));
- xq = sub_x16(x, const_x16(q));
- x = _mm256_blendv_epi8(xq, x, mask);
- return x;
-}
-
-int PQCLEAN_SNTRUP761_AVX2_crypto_core_multsntrup761(unsigned char *outbytes, const unsigned char *inbytes, const unsigned char *kbytes) {
- vec768 x1, x2;
- vec1536 x3;
-#define f (x1.v)
-#define g (x2.v)
-#define fg (x3.v)
-#define h f
- int i;
- int16x16 x;
-
- x = const_x16(0);
- for (i = p & ~15; i < 768; i += 16) {
- store_x16(&f[i], x);
- }
- for (i = p & ~15; i < 768; i += 16) {
- store_x16(&g[i], x);
- }
-
- crypto_decode_pxint16(f, inbytes);
-
- for (i = 0; i < 768; i += 16) {
- x = load_x16(&f[i]);
- x = freeze_4591_x16(squeeze_4591_x16(x));
- store_x16(&f[i], x);
- }
- for (i = 0; i < p; ++i) {
- int8 gi = (int8) kbytes[i];
- int8 gi0 = gi & 1;
- g[i] = (int16) (gi0 - (gi & (gi0 << 1)));
- }
-
- mult768(fg, f, g);
-
- fg[0] = (int16) (fg[0] - fg[p - 1]);
- for (i = 0; i < 768; i += 16) {
- int16x16 fgi = load_x16(&fg[i]);
- int16x16 fgip = load_x16(&fg[i + p]);
- int16x16 fgip1 = load_x16(&fg[i + p - 1]);
- x = add_x16(fgi, add_x16(fgip, fgip1));
- x = freeze_4591_x16(squeeze_4591_x16(x));
- store_x16(&h[i], x);
- }
-
- crypto_encode_pxint16(outbytes, h);
-
- return 0;
-}
diff --git a/crypto_kem/sntrup761/avx2/crypto_core_multsntrup761.h b/crypto_kem/sntrup761/avx2/crypto_core_multsntrup761.h
deleted file mode 100644
index 846aea2e..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_core_multsntrup761.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_AVX2_CRYPTO_CORE_MULTSNTRUP761_H
-#define PQCLEAN_SNTRUP761_AVX2_CRYPTO_CORE_MULTSNTRUP761_H
-
-#include 
-#define PQCLEAN_SNTRUP761_AVX2_crypto_core_multsntrup761_OUTPUTBYTES 1522
-#define PQCLEAN_SNTRUP761_AVX2_crypto_core_multsntrup761_INPUTBYTES 1522
-#define PQCLEAN_SNTRUP761_AVX2_crypto_core_multsntrup761_KEYBYTES 761
-#define PQCLEAN_SNTRUP761_AVX2_crypto_core_multsntrup761_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP761_AVX2_crypto_core_multsntrup761(unsigned char *outbytes, const unsigned char *inbytes, const unsigned char *kbytes);
-#endif
diff --git a/crypto_kem/sntrup761/avx2/crypto_core_multsntrup761_ntt.c b/crypto_kem/sntrup761/avx2/crypto_core_multsntrup761_ntt.c
deleted file mode 100644
index 67464046..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_core_multsntrup761_ntt.c
+++ /dev/null
@@ -1,927 +0,0 @@ -#include "crypto_core_multsntrup761.h" -#include "crypto_core_multsntrup761_ntt.h" -#include -#include - -/* auto-generated; do not edit */ - - -typedef int8_t int8; -typedef int16_t int16; - -#define zeta(n,i) (((__m256i *) zeta_##n)[(i)]) -#define zeta_x4(n,i) (((__m256i *) zeta_x4_##n)[(i)]) -#define zeta_qinv(n,i) (((__m256i *) qinvzeta_##n)[(i)]) -#define zeta_x4_qinv(n,i) (((__m256i *) qinvzeta_x4_##n)[(i)]) -#define zetainv(n,i) _mm256_loadu_reverse16((__m256i *) ((int16 *) zeta_##n+(n)/2+1-16*((i)+1))) -#define zetainv_x4(n,i) _mm256_loadu_reverse16((__m256i *) ((int16 *) zeta_x4_##n+2*(n)+4-16*((i)+1))) -#define zetainv_qinv(n,i) _mm256_loadu_reverse16((__m256i *) ((int16 *) qinvzeta_##n+(n)/2+1-16*((i)+1))) -#define zetainv_x4_qinv(n,i) _mm256_loadu_reverse16((__m256i *) ((int16 *) qinvzeta_x4_##n+2*(n)+4-16*((i)+1))) - -typedef union { - int16 data[93 * 16]; - __m256i _dummy; -} vec1488; - -static const vec1488 qdata_7681 = { .data = { - -#define q_x16 (qdata[0]) - 7681, 7681, 7681, 7681, 7681, 7681, 7681, 7681, 7681, 7681, 7681, 7681, 7681, 7681, 7681, 7681, - -#define qrecip_x16 (qdata[1]) - 17474, 17474, 17474, 17474, 17474, 17474, 17474, 17474, 17474, 17474, 17474, 17474, 17474, 17474, 17474, 17474, - -#define qshift_x16 (qdata[2]) - 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, - -#define zeta4_x16 (qdata[3]) - -3777, -3777, -3777, -3777, -3777, -3777, -3777, -3777, -3777, -3777, -3777, -3777, -3777, -3777, -3777, -3777, - -#define zeta4_x16_qinv (qdata[4]) - -28865, -28865, -28865, -28865, -28865, -28865, -28865, -28865, -28865, -28865, -28865, -28865, -28865, -28865, -28865, -28865, - -#define zeta8_x16 (qdata[5]) - -3625, -3625, -3625, -3625, -3625, -3625, -3625, -3625, -3625, -3625, -3625, -3625, -3625, -3625, -3625, -3625, - -#define zeta8_x16_qinv (qdata[6]) - -16425, -16425, -16425, -16425, -16425, -16425, -16425, -16425, -16425, -16425, -16425, -16425, -16425, -16425, -16425, -16425, - -#define 
zetainv8_x16 (qdata[7]) - -3182, -3182, -3182, -3182, -3182, -3182, -3182, -3182, -3182, -3182, -3182, -3182, -3182, -3182, -3182, -3182, - -#define zetainv8_x16_qinv (qdata[8]) - -10350, -10350, -10350, -10350, -10350, -10350, -10350, -10350, -10350, -10350, -10350, -10350, -10350, -10350, -10350, -10350, - -#define zeta_x4_16 (qdata+9) - -3593, -3593, -3593, -3593, -2194, -2194, -2194, -2194, -3625, -3625, -3625, -3625, 1100, 1100, 1100, 1100, - -3777, -3777, -3777, -3777, -2456, -2456, -2456, -2456, 3182, 3182, 3182, 3182, 3696, 3696, 3696, 3696, - 3593, 3593, 3593, 3593, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define qinvzeta_x4_16 (qdata+12) - -9, -9, -9, -9, 4974, 4974, 4974, 4974, -16425, -16425, -16425, -16425, 7244, 7244, 7244, 7244, - -28865, -28865, -28865, -28865, -14744, -14744, -14744, -14744, 10350, 10350, 10350, 10350, -4496, -4496, -4496, -4496, - 9, 9, 9, 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define zeta_x4_32 (qdata+15) - -3593, -3593, -3593, -3593, 1414, 1414, 1414, 1414, -2194, -2194, -2194, -2194, -2495, -2495, -2495, -2495, - -3625, -3625, -3625, -3625, 2876, 2876, 2876, 2876, 1100, 1100, 1100, 1100, -2250, -2250, -2250, -2250, - -3777, -3777, -3777, -3777, -1701, -1701, -1701, -1701, -2456, -2456, -2456, -2456, 834, 834, 834, 834, - 3182, 3182, 3182, 3182, -2319, -2319, -2319, -2319, 3696, 3696, 3696, 3696, 121, 121, 121, 121, - 3593, 3593, 3593, 3593, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define qinvzeta_x4_32 (qdata+20) - -9, -9, -9, -9, 20870, 20870, 20870, 20870, 4974, 4974, 4974, 4974, 22593, 22593, 22593, 22593, - -16425, -16425, -16425, -16425, 828, 828, 828, 828, 7244, 7244, 7244, 7244, -23754, -23754, -23754, -23754, - -28865, -28865, -28865, -28865, 20315, 20315, 20315, 20315, -14744, -14744, -14744, -14744, 18242, 18242, 18242, 18242, - 10350, 10350, 10350, 10350, -18191, -18191, -18191, -18191, -4496, -4496, -4496, -4496, -11655, -11655, -11655, -11655, - 9, 9, 9, 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define zeta_64 
(qdata+25) - -3593, -617, 1414, 3706, -2194, -1296, -2495, -2237, -3625, 2830, 2876, -1599, 1100, 1525, -2250, 2816, - -3777, 1921, -1701, 2006, -2456, 1483, 834, -1986, 3182, 3364, -2319, -1993, 3696, -2557, 121, 2088, - 3593, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define qinvzeta_64 (qdata+28) - -9, 19351, 20870, -15750, 4974, -9488, 22593, 7491, -16425, 26382, 828, 23489, 7244, 20469, -23754, 2816, - -28865, -5759, 20315, -3114, -14744, 15307, 18242, -19394, 10350, -10972, -18191, -31177, -4496, -25597, -11655, 22568, - 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define zeta_128 (qdata+31) - -3593, -2804, -617, -396, 1414, -549, 3706, 810, -2194, -1321, -1296, 438, -2495, -2535, -2237, -3689, - -3625, 2043, 2830, -1881, 2876, 3153, -1599, 7, 1100, -514, 1525, -1760, -2250, -2440, 2816, 3600, - -3777, 103, 1921, -3174, -1701, 1535, 2006, -1887, -2456, 1399, 1483, -679, 834, 3772, -1986, 1738, - 3182, -1431, 3364, -3555, -2319, -2310, -1993, 638, 3696, -2956, -2557, -1305, 121, 2555, 2088, -3266, - 3593, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define qinvzeta_128 (qdata+36) - -9, -29428, 19351, 26228, 20870, 21467, -15750, 5930, 4974, -14121, -9488, -21066, 22593, 2073, 7491, 16279, - -16425, -25093, 26382, 26279, 828, -29103, 23489, 11783, 7244, 14846, 20469, 14624, -23754, -6536, 2816, 11792, - -28865, -4505, -5759, -6246, 20315, 9215, -3114, 6817, -14744, 4983, 15307, -28839, 18242, 1724, -19394, 23242, - 10350, -21399, -10972, -29667, -18191, -21766, -31177, 15998, -4496, 23668, -25597, -5913, -11655, -24581, 22568, -20674, - 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define zeta_256 (qdata+41) - -3593, 2665, -2804, -2572, -617, 727, -396, 3417, 1414, 2579, -549, 373, 3706, 3750, 810, -1054, - -2194, -2133, -1321, 1681, -1296, -1386, 438, -2732, -2495, 1919, -2535, -2391, -2237, 2835, -3689, 2, - -3625, -783, 2043, 3145, 2830, 1533, -1881, 2789, 2876, 2649, 3153, 3692, -1599, -1390, 7, -1166, - 1100, 3310, -514, 2224, 1525, 
-2743, -1760, 2385, -2250, -486, -2440, -1756, 2816, -3816, 3600, -3831, - -3777, -1799, 103, 1497, 1921, 1521, -3174, -194, -1701, -859, 1535, 2175, 2006, -2762, -1887, -1698, - -2456, -3480, 1399, 2883, 1483, -3428, -679, -2113, 834, 1532, 3772, -660, -1986, -2764, 1738, -915, - 3182, 1056, -1431, 1350, 3364, 1464, -3555, 2919, -2319, -2160, -2310, 730, -1993, -1598, 638, 3456, - 3696, -1168, -2956, -3588, -2557, -921, -1305, 3405, 121, -404, 2555, -3135, 2088, 2233, -3266, -2426, - 3593, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define qinvzeta_256 (qdata+50) - -9, -17303, -29428, 24052, 19351, -12073, 26228, -24743, 20870, -12269, 21467, 19317, -15750, -25946, 5930, 32738, - 4974, -4693, -14121, 2193, -9488, 26262, -21066, 7508, 22593, 9599, 2073, 10409, 7491, -12013, 16279, -15358, - -16425, -16655, -25093, 32329, 26382, 24573, 26279, 13541, 828, -25511, -29103, 26220, 23489, -8558, 11783, -24718, - 7244, 10478, 14846, 26800, 20469, 26441, 14624, -29871, -23754, -3558, -6536, -16092, 2816, 8472, 11792, -7415, - -28865, -13575, -4505, -26663, -5759, -14351, -6246, -17602, 20315, -22875, 9215, 9855, -3114, -24266, 6817, -2722, - -14744, -15768, 4983, 12611, 15307, -21860, -28839, -27201, 18242, 32252, 1724, 21868, -19394, -8908, 23242, 13933, - 10350, 17440, -21399, -11962, -10972, 30136, -29667, -1689, -18191, 6032, -21766, 30426, -31177, 15810, 15998, 3456, - -4496, -9360, 23668, 27132, -25597, -5529, -5913, 1869, -11655, 22124, -24581, 21953, 22568, 23225, -20674, 17030, - 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define zeta_512 (qdata+59) - -3593, 2005, 2665, 2891, -2804, 2345, -2572, 1121, -617, -188, 727, 2786, -396, -3208, 3417, -17, - 1414, -3752, 2579, 2815, -549, 1837, 373, 151, 3706, -1012, 3750, -1509, 810, -3214, -1054, 3177, - -2194, -1403, -2133, -3314, -1321, 83, 1681, -658, -1296, 2070, -1386, -3547, 438, 3781, -2732, 2230, - -2495, -1669, 1919, 2589, -2535, -3312, -2391, -3542, -2237, -1441, 2835, -3568, -3689, -402, 2, -1070, 
- -3625, 3763, -783, -3550, 2043, -2303, 3145, -436, 2830, -893, 1533, 1712, -1881, 124, 2789, -2001, - 2876, -2460, 2649, 3770, 3153, 2965, 3692, -1203, -1599, 2874, -1390, -1407, 7, -3745, -1166, 1649, - 1100, 2937, 3310, 3461, -514, -1526, 2224, 715, 1525, -1689, -2743, 434, -1760, -3163, 2385, -929, - -2250, -2167, -486, -1144, -2440, -370, -1756, 2378, 2816, -1084, -3816, -1586, 3600, 1931, -3831, -1242, - -3777, 592, -1799, 2340, 103, -1338, 1497, -2071, 1921, 1519, 1521, 451, -3174, 589, -194, -3744, - -1701, 3677, -859, -1295, 1535, 642, 2175, -3794, 2006, 2130, -2762, 2918, -1887, 3334, -1698, 2072, - -2456, 509, -3480, 2998, 1399, -3408, 2883, 1476, 1483, -2262, -3428, -1779, -679, 2258, -2113, 1348, - 834, -692, 1532, 2247, 3772, 2083, -660, -226, -1986, 2532, -2764, -3693, 1738, -429, -915, -2059, - 3182, 2812, 1056, 3434, -1431, -2515, 1350, -236, 3364, -2386, 1464, 222, -3555, -2963, 2919, -2422, - -2319, -3657, -2160, 3450, -2310, -791, 730, 1181, -1993, -1404, -1598, 2339, 638, -3366, 3456, 2161, - 3696, -3343, -1168, 2719, -2956, -826, -3588, -670, -2557, 777, -921, 1151, -1305, -796, 3405, -1278, - 121, -3287, -404, 1072, 2555, 293, -3135, 2767, 2088, -3335, 2233, 3581, -3266, 3723, -2426, -179, - 3593, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define qinvzeta_512 (qdata+76) - -9, 4565, -17303, 16715, -29428, 15145, 24052, -22943, 19351, 1860, -12073, -28958, 26228, -7304, -24743, -529, - 20870, -24232, -12269, 10495, 21467, -16083, 19317, 20119, -15750, -27636, -25946, -12261, 5930, -26766, 32738, -16791, - 4974, 25733, -4693, 20238, -14121, 18003, 2193, 6510, -9488, 29718, 26262, -25563, -21066, -1851, 7508, -19274, - 22593, -28805, 9599, -23523, 2073, 4880, 10409, 1578, 7491, -10145, -12013, 4624, 16279, 6766, -15358, 24530, - -16425, 5299, -16655, -2526, -25093, -9983, 32329, 5708, 26382, -23933, 24573, 26288, 26279, 30844, 13541, 30255, - 828, 15972, -25511, 17082, -29103, -27243, 26220, -2739, 23489, 16186, -8558, -9087, 11783, 
-12449, -24718, -14223, - 7244, -8839, 10478, 30597, 14846, -12790, 26800, 14539, 20469, -6297, 26441, 9650, 14624, -25179, -29871, -9633, - -23754, -5751, -3558, 2952, -6536, 23182, -16092, 23882, 2816, 964, 8472, -10802, 11792, -17013, -7415, -30938, - -28865, -23984, -13575, -11996, -4505, -14650, -26663, -22039, -5759, 1007, -14351, 10179, -6246, -947, -17602, -20128, - 20315, 10333, -22875, -17167, 9215, -14718, 9855, -29394, -3114, 27730, -24266, 5990, 6817, 22790, -2722, 14360, - -14744, 23549, -15768, -18506, 4983, 21168, 12611, 3524, 15307, 2858, -21860, 29453, -28839, 27858, -27201, 3396, - 18242, 5452, 32252, -18745, 1724, -4573, 21868, 31518, -19394, 20964, -8908, -18541, 23242, 17491, 13933, 16885, - 10350, -32004, 17440, -24214, -21399, -20435, -11962, -22764, -10972, -27986, 30136, -802, -29667, 11885, -1689, -13686, - -18191, 32695, 6032, -16006, -21766, -20759, 30426, -24931, -31177, -32124, 15810, -4317, 15998, 26330, 3456, -13711, - -4496, -19215, -9360, 26783, 23668, -14138, 27132, -32414, -25597, -2807, -5529, 8831, -5913, 17636, 1869, -16638, - -11655, 9513, 22124, 25648, -24581, -21723, 21953, -14129, 22568, -15111, 23225, 26621, -20674, -15221, 17030, -1715, - 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - } -}; - -static const vec1488 qdata_10753 = { .data = { - - 10753, 10753, 10753, 10753, 10753, 10753, 10753, 10753, 10753, 10753, 10753, 10753, 10753, 10753, 10753, 10753, - - 24964, 24964, 24964, 24964, 24964, 24964, 24964, 24964, 24964, 24964, 24964, 24964, 24964, 24964, 24964, 24964, - - 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, - - 223, 223, 223, 223, 223, 223, 223, 223, 223, 223, 223, 223, 223, 223, 223, 223, - - 27359, 27359, 27359, 27359, 27359, 27359, 27359, 27359, 27359, 27359, 27359, 27359, 27359, 27359, 27359, 27359, - - 4188, 4188, 4188, 4188, 4188, 4188, 4188, 4188, 4188, 4188, 4188, 4188, 4188, 4188, 4188, 4188, - - -1956, -1956, -1956, -1956, -1956, -1956, -1956, -1956, -1956, -1956, -1956, -1956, -1956, -1956, 
-1956, -1956, - - 3688, 3688, 3688, 3688, 3688, 3688, 3688, 3688, 3688, 3688, 3688, 3688, 3688, 3688, 3688, 3688, - - -408, -408, -408, -408, -408, -408, -408, -408, -408, -408, -408, -408, -408, -408, -408, -408, - - 1018, 1018, 1018, 1018, 2413, 2413, 2413, 2413, 4188, 4188, 4188, 4188, 357, 357, 357, 357, - 223, 223, 223, 223, -3686, -3686, -3686, -3686, -3688, -3688, -3688, -3688, -376, -376, -376, -376, - -1018, -1018, -1018, -1018, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - -6, -6, -6, -6, 10093, 10093, 10093, 10093, -1956, -1956, -1956, -1956, 28517, 28517, 28517, 28517, - 27359, 27359, 27359, 27359, -21094, -21094, -21094, -21094, 408, 408, 408, 408, -20856, -20856, -20856, -20856, - 6, 6, 6, 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - 1018, 1018, 1018, 1018, -2695, -2695, -2695, -2695, 2413, 2413, 2413, 2413, 425, 425, 425, 425, - 4188, 4188, 4188, 4188, -4855, -4855, -4855, -4855, 357, 357, 357, 357, -3364, -3364, -3364, -3364, - 223, 223, 223, 223, 730, 730, 730, 730, -3686, -3686, -3686, -3686, -4544, -4544, -4544, -4544, - -3688, -3688, -3688, -3688, -2236, -2236, -2236, -2236, -376, -376, -376, -376, 3784, 3784, 3784, 3784, - -1018, -1018, -1018, -1018, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - -6, -6, -6, -6, 7033, 7033, 7033, 7033, 10093, 10093, 10093, 10093, 18345, 18345, 18345, 18345, - -1956, -1956, -1956, -1956, 29449, 29449, 29449, 29449, 28517, 28517, 28517, 28517, -9508, -9508, -9508, -9508, - 27359, 27359, 27359, 27359, 16090, 16090, 16090, 16090, -21094, -21094, -21094, -21094, 28224, 28224, 28224, 28224, - 408, 408, 408, 408, -12476, -12476, -12476, -12476, -20856, -20856, -20856, -20856, 16072, 16072, 16072, 16072, - 6, 6, 6, 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - 1018, -1520, -2695, 1341, 2413, 918, 425, 5175, 4188, -4035, -4855, 341, 357, 4347, -3364, 5213, - 223, -4875, 730, 1931, -3686, -2503, -4544, -4095, -3688, 5063, -2236, -3823, -376, 3012, 3784, -2629, - -1018, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - -6, 23056, 7033, 829, 
10093, 26518, 18345, 3639, -1956, -4547, 29449, 3925, 28517, -7429, -9508, -11683, - 27359, -17675, 16090, 14731, -21094, -25543, 28224, -14847, 408, 28103, -12476, 10001, -20856, -7228, 16072, 18363, - 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - 1018, -2935, -1520, -4744, -2695, -205, 1341, 1299, 2413, 4, 918, -4379, 425, -4616, 5175, -544, - 4188, 4129, -4035, 4102, -4855, -1287, 341, -2388, 357, 1284, 4347, 2984, -3364, 2178, 5213, -2576, - 223, 2790, -4875, 4876, 730, -4513, 1931, -3085, -3686, 3550, -2503, 847, -4544, 193, -4095, 1085, - -3688, 3091, 5063, -4742, -2236, 2982, -3823, -1009, -376, -268, 3012, 3062, 3784, -2565, -2629, 4189, - -1018, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - -6, 31369, 23056, 15736, 7033, -24269, 829, -6381, 10093, 22532, 26518, 23781, 18345, 15864, 3639, 15840, - -1956, -23007, -4547, 5126, 29449, 8441, 3925, -16724, 28517, 23812, -7429, 31656, -9508, -19326, -11683, -27152, - 27359, 20198, -17675, 6924, 16090, 22623, 14731, 5619, -21094, -24098, -25543, 3407, 28224, 22209, -14847, 573, - 408, -4589, 28103, -5766, -12476, -12378, 10001, -31217, -20856, -2316, -7228, -20490, 16072, -14341, 18363, -12707, - 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - 1018, -4734, -2935, -400, -1520, 4977, -4744, -2973, -2695, 512, -205, -779, 1341, -1356, 1299, 635, - 2413, 567, 4, -4286, 918, -5114, -4379, -1586, 425, 1615, -4616, -336, 5175, -1841, -544, 2234, - 4188, -3441, 4129, 636, -4035, -4580, 4102, 2684, -4855, 3057, -1287, -2740, 341, -5156, -2388, -472, - 357, -794, 1284, 578, 4347, 3615, 2984, -3715, -3364, 2271, 2178, -326, 5213, 454, -2576, -3337, - 223, 2998, 2790, -151, -4875, 2981, 4876, 1324, 730, 2774, -4513, 2206, 1931, 886, -3085, -970, - -3686, 3198, 3550, 2737, -2503, -909, 847, 1068, -4544, -2213, 193, 2884, -4095, -4808, 1085, 4123, - -3688, 5341, 3091, 5294, 5063, -116, -4742, -5116, -2236, -2045, 2982, -1572, -3823, 4828, -1009, 467, - -376, 5023, -268, -3169, 3012, -1458, 3062, -1268, 3784, -675, 
-2565, 1006, -2629, 5064, 4189, 864, - -1018, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - -6, -26238, 31369, -24976, 23056, -30351, 15736, -18845, 7033, 512, -24269, -13579, 829, 29364, -6381, -11141, - 10093, -969, 22532, 6978, 26518, -4090, 23781, 11726, 18345, 4175, 15864, 7856, 3639, 719, 15840, -31558, - -1956, 31887, -23007, -21892, -4547, 22044, 5126, -19844, 29449, -32271, 8441, 32076, 3925, -11300, -16724, 28200, - 28517, 16614, 23812, 11842, -7429, -2017, 31656, 28541, -9508, 29407, -19326, 31418, -11683, -31290, -27152, 27895, - 27359, 12214, 20198, -14999, -17675, -1627, 6924, -13012, 16090, -4394, 22623, 7326, 14731, -22666, 5619, 8246, - -21094, 24702, -24098, 177, -25543, 7795, 3407, -13268, 28224, 2395, 22209, -7356, -14847, -17096, 573, -24037, - 408, -11555, -4589, -30546, 28103, 1932, -5766, 17412, -12476, 31235, -12378, -7716, 10001, -1316, -31217, 25555, - -20856, -609, -2316, -8801, -7228, 11854, -20490, 780, 16072, -17571, -14341, -2066, 18363, 17352, -12707, 17248, - 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - 1018, 3453, -4734, 4519, -2935, 2118, -400, -554, -1520, 2196, 4977, 1893, -4744, -1409, -2973, -1053, - -2695, 4601, 512, 279, -205, -3241, -779, 4889, 1341, 3524, -1356, -1663, 1299, 2283, 635, 73, - 2413, 2428, 567, 624, 4, -1930, -4286, 3419, 918, -2062, -5114, 5068, -4379, -97, -1586, 1782, - 425, 4621, 1615, 355, -4616, 1349, -336, 825, 5175, 3135, -1841, 1160, -544, 4408, 2234, -2605, - 4188, 854, -3441, -1056, 4129, 2439, 636, 4967, -4035, -4782, -4580, -5268, 4102, -663, 2684, -4670, - -4855, 3760, 3057, 3535, -1287, 2680, -2740, -569, 341, 2139, -5156, 3827, -2388, 1639, -472, 1927, - 357, 5172, -794, -4003, 1284, 4144, 578, 693, 4347, 4784, 3615, 3125, 2984, 1122, -3715, 2113, - -3364, -573, 2271, -4328, 2178, 2909, -326, -4000, 5213, -4447, 454, -3995, -2576, -4428, -3337, 2529, - 223, 5309, 2998, 5120, 2790, -2050, -151, 2963, -4875, 2657, 2981, -2807, 4876, 2237, 1324, -4403, - 730, 2624, 2774, -5083, -4513, 
40, 2206, 152, 1931, -1573, 886, 2625, -3085, -778, -970, -5107, - -3686, 4250, 3198, -5356, 3550, -3148, 2737, -3360, -2503, -2015, -909, 3096, 847, 5313, 1068, 834, - -4544, -1132, -2213, -2151, 193, -1722, 2884, -4393, -4095, 2662, -4808, -2788, 1085, -1992, 4123, 5334, - -3688, 5215, 5341, -1689, 3091, -2117, 5294, 4859, 5063, 3410, -116, 2205, -4742, -2374, -5116, -4720, - -2236, 3570, -2045, 2813, 2982, 2087, -1572, -4973, -3823, 458, 4828, 3891, -1009, -2419, 467, -4891, - -376, -1381, 5023, 1204, -268, 274, -3169, -3260, 3012, -1635, -1458, 4540, 3062, -4254, -1268, -1111, - 3784, 2230, -675, -2279, -2565, -4359, 1006, -1510, -2629, 5015, 5064, -2449, 4189, -5005, 864, 2487, - -1018, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - -6, -29827, -26238, -21593, 31369, -29626, -24976, -7722, 23056, -16236, -30351, 30053, 15736, 9343, -18845, -16925, - 7033, 14329, 512, 15127, -24269, -21161, -13579, -1767, 829, -6716, 29364, -12415, -6381, 31467, -11141, 1609, - 10093, -20100, -969, -23952, 22532, -25482, 6978, 8027, 26518, 17394, -4090, -25652, 23781, -5729, 11726, -21770, - 18345, -4083, 4175, -15517, 15864, -19643, 7856, -22215, 3639, -18881, 719, -19320, 15840, -7880, -31558, 22483, - -1956, -6314, 31887, 15328, -23007, -7289, -21892, 11623, -4547, 31058, 22044, 13164, 5126, -15511, -19844, 6594, - 29449, 11952, -32271, 6095, 8441, 23160, 32076, 22471, 3925, 6747, -11300, 12531, -16724, 8295, 28200, -7801, - 28517, -29644, 16614, -20899, 23812, 12336, 11842, 20661, -7429, 12976, -2017, 23093, 31656, -3998, 28541, 24129, - -9508, -61, 29407, -232, -19326, -13987, 31418, 12384, -11683, -31583, -31290, 24165, -27152, 26292, 27895, 8161, - 27359, 4797, 12214, 5120, 20198, 19454, -14999, -4717, -17675, 8289, -1627, 31497, 6924, 1725, -13012, 19661, - 16090, -30144, -4394, -9691, 22623, 28712, 7326, 4248, 14731, 3035, -22666, 24641, 5619, -24330, 8246, -13811, - -21094, -13158, 24702, -23788, -24098, 27572, 177, 13024, -25543, -29151, 7795, 7192, 3407, 27329, 
-13268, 12098, - 28224, -19564, 2395, -8807, 22209, 32070, -7356, -22313, -14847, 20070, -17096, 23836, 573, -14280, -24037, -1834, - 408, 32351, -11555, 4967, -4589, 18875, -30546, -6917, 28103, -26286, 1932, 18077, -5766, 29370, 17412, 19856, - -12476, 23026, 31235, -30467, -12378, -24025, -7716, -12653, 10001, -8758, -1316, -20173, -31217, -11123, 25555, 23269, - -20856, -29541, -609, 31924, -2316, 3346, -8801, -13500, -7228, 14237, 11854, 14780, -20490, -9374, 780, 16809, - 16072, 11446, -17571, -8935, -14341, 5369, -2066, -18918, 18363, 19863, 17352, -16273, -12707, 3699, 17248, 951, - 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - } -}; - -static inline __m256i sub_x16(__m256i a, __m256i b) { - //__asm__("vpsubw %1,%0,%0" : "+x"(a),"+x"(b)); - return _mm256_sub_epi16(a, b); -} - -static inline __m256i add_x16(__m256i a, __m256i b) { - return _mm256_add_epi16(a, b); -} - -static inline __m256i reduce_x16(const __m256i *qdata, __m256i x) { - __m256i y = _mm256_mulhi_epi16(x, qrecip_x16); - y = _mm256_mulhrs_epi16(y, qshift_x16); - y = _mm256_mullo_epi16(y, q_x16); - return sub_x16(x, y); -} - -static inline __m256i mulmod_x16_scaled(const __m256i *qdata, __m256i x, __m256i y, __m256i yqinv) { - __m256i b = _mm256_mulhi_epi16(x, y); - __m256i d = _mm256_mullo_epi16(x, yqinv); - __m256i e = _mm256_mulhi_epi16(d, q_x16); - return sub_x16(b, e); -} - -typedef union { - int8 data[32]; - __m256i _dummy; -} byte32; -static const byte32 shuffle_buf = { .data = { - 14, 15, 12, 13, 10, 11, 8, 9, 6, 7, 4, 5, 2, 3, 0, 1, - 14, 15, 12, 13, 10, 11, 8, 9, 6, 7, 4, 5, 2, 3, 0, 1, - } -}; -#define shuffle (*(__m256i *) shuffle_buf.data) - -static inline __m256i _mm256_loadu_reverse16(const __m256i *p) { - __m256i x = _mm256_loadu_si256(p); - x = _mm256_permute2x128_si256(x, x, 1); - x = _mm256_shuffle_epi8(x, shuffle); - return x; -} - -static void ntt128(int16 *f, int reps, const __m256i *qdata) { - __m256i f0, f1, f2, f3, g0, g1, g2, g3, h0, h1, h2, h3; - int16 *origf = f; 
- int rep; - __m256i zetainv_128_0 = zetainv(128, 0); - __m256i zetainv_qinv_128_0 = zetainv_qinv(128, 0); - __m256i zetainv_x4_32_0 = zetainv_x4(32, 0); - __m256i zetainv_x4_qinv_32_0 = zetainv_x4_qinv(32, 0); - __m256i zetainv_128_1 = zetainv(128, 1); - __m256i zetainv_qinv_128_1 = zetainv_qinv(128, 1); - __m256i zetainv_x4_32_1 = zetainv_x4(32, 1); - __m256i zetainv_x4_qinv_32_1 = zetainv_x4_qinv(32, 1); - for (rep = 0; rep < reps; ++rep) { - f1 = _mm256_loadu_si256((__m256i *) (f + 32)); - f3 = _mm256_loadu_si256((__m256i *) (f + 96)); - g3 = sub_x16(f1, f3); - g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv); - g1 = add_x16(f1, f3); - - f0 = _mm256_loadu_si256((__m256i *) (f + 0)); - f2 = _mm256_loadu_si256((__m256i *) (f + 64)); - g2 = sub_x16(f0, f2); - g0 = add_x16(f0, f2); - - f3 = sub_x16(g3, g2); - f2 = add_x16(g2, g3); - f3 = mulmod_x16_scaled(qdata, f3, zetainv_128_0, zetainv_qinv_128_0); - f2 = mulmod_x16_scaled(qdata, f2, zeta(128, 0), zeta_qinv(128, 0)); - - g2 = _mm256_unpacklo_epi16(f2, f3); - g3 = _mm256_unpackhi_epi16(f2, f3); - - f1 = sub_x16(g0, g1); - f0 = add_x16(g0, g1); - f1 = mulmod_x16_scaled(qdata, f1, zeta(64, 0), zeta_qinv(64, 0)); - f0 = reduce_x16(qdata, f0); - - g0 = _mm256_unpacklo_epi16(f0, f1); - h0 = _mm256_unpacklo_epi32(g0, g2); - h1 = _mm256_unpackhi_epi32(g0, g2); - g1 = _mm256_unpackhi_epi16(f0, f1); - h2 = _mm256_unpacklo_epi32(g1, g3); - h3 = _mm256_unpackhi_epi32(g1, g3); - f0 = _mm256_permute2x128_si256(h0, h1, 0x20); - f2 = _mm256_permute2x128_si256(h0, h1, 0x31); - f1 = _mm256_permute2x128_si256(h2, h3, 0x20); - f3 = _mm256_permute2x128_si256(h2, h3, 0x31); - - _mm256_storeu_si256((__m256i *) (f + 0), f0); - _mm256_storeu_si256((__m256i *) (f + 64), f2); - _mm256_storeu_si256((__m256i *) (f + 32), f1); - _mm256_storeu_si256((__m256i *) (f + 96), f3); - - f1 = _mm256_loadu_si256((__m256i *) (f + 48)); - f3 = _mm256_loadu_si256((__m256i *) (f + 112)); - g3 = sub_x16(f1, f3); - g3 = mulmod_x16_scaled(qdata, 
g3, zeta4_x16, zeta4_x16_qinv); - g1 = add_x16(f1, f3); - - f0 = _mm256_loadu_si256((__m256i *) (f + 16)); - f2 = _mm256_loadu_si256((__m256i *) (f + 80)); - g2 = sub_x16(f0, f2); - g0 = add_x16(f0, f2); - - f3 = sub_x16(g3, g2); - f2 = add_x16(g2, g3); - f3 = mulmod_x16_scaled(qdata, f3, zetainv_128_1, zetainv_qinv_128_1); - f2 = mulmod_x16_scaled(qdata, f2, zeta(128, 1), zeta_qinv(128, 1)); - - g2 = _mm256_unpacklo_epi16(f2, f3); - g3 = _mm256_unpackhi_epi16(f2, f3); - - f1 = sub_x16(g0, g1); - f0 = add_x16(g0, g1); - f1 = mulmod_x16_scaled(qdata, f1, zeta(64, 1), zeta_qinv(64, 1)); - f0 = reduce_x16(qdata, f0); - - g0 = _mm256_unpacklo_epi16(f0, f1); - h0 = _mm256_unpacklo_epi32(g0, g2); - h1 = _mm256_unpackhi_epi32(g0, g2); - g1 = _mm256_unpackhi_epi16(f0, f1); - h2 = _mm256_unpacklo_epi32(g1, g3); - h3 = _mm256_unpackhi_epi32(g1, g3); - f0 = _mm256_permute2x128_si256(h0, h1, 0x20); - f2 = _mm256_permute2x128_si256(h0, h1, 0x31); - f1 = _mm256_permute2x128_si256(h2, h3, 0x20); - f3 = _mm256_permute2x128_si256(h2, h3, 0x31); - - _mm256_storeu_si256((__m256i *) (f + 16), f0); - _mm256_storeu_si256((__m256i *) (f + 80), f2); - _mm256_storeu_si256((__m256i *) (f + 48), f1); - _mm256_storeu_si256((__m256i *) (f + 112), f3); - - f += 128; - } - f = origf; - for (rep = 0; rep < reps; ++rep) { - f1 = _mm256_loadu_si256((__m256i *) (f + 64)); - f3 = _mm256_loadu_si256((__m256i *) (f + 80)); - g3 = sub_x16(f1, f3); - g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv); - g1 = add_x16(f1, f3); - - f0 = _mm256_loadu_si256((__m256i *) (f + 0)); - f2 = _mm256_loadu_si256((__m256i *) (f + 16)); - g2 = sub_x16(f0, f2); - g0 = add_x16(f0, f2); - - f3 = sub_x16(g3, g2); - f2 = add_x16(g2, g3); - f3 = mulmod_x16_scaled(qdata, f3, zetainv_x4_32_0, zetainv_x4_qinv_32_0); - f2 = mulmod_x16_scaled(qdata, f2, zeta_x4(32, 0), zeta_x4_qinv(32, 0)); - - g2 = _mm256_unpacklo_epi64(f2, f3); - g3 = _mm256_unpackhi_epi64(f2, f3); - - f1 = sub_x16(g0, g1); - f0 = add_x16(g0, g1); - 
f1 = mulmod_x16_scaled(qdata, f1, zeta_x4(16, 0), zeta_x4_qinv(16, 0)); - f0 = reduce_x16(qdata, f0); - - g1 = _mm256_unpackhi_epi64(f0, f1); - g0 = _mm256_unpacklo_epi64(f0, f1); - f1 = _mm256_permute2x128_si256(g1, g3, 0x20); - f3 = _mm256_permute2x128_si256(g1, g3, 0x31); - f0 = _mm256_permute2x128_si256(g0, g2, 0x20); - f2 = _mm256_permute2x128_si256(g0, g2, 0x31); - - _mm256_storeu_si256((__m256i *) (f + 64), f1); - _mm256_storeu_si256((__m256i *) (f + 80), f3); - _mm256_storeu_si256((__m256i *) (f + 0), f0); - _mm256_storeu_si256((__m256i *) (f + 16), f2); - - f1 = _mm256_loadu_si256((__m256i *) (f + 96)); - f3 = _mm256_loadu_si256((__m256i *) (f + 112)); - g3 = sub_x16(f1, f3); - g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv); - g1 = add_x16(f1, f3); - - f0 = _mm256_loadu_si256((__m256i *) (f + 32)); - f2 = _mm256_loadu_si256((__m256i *) (f + 48)); - g2 = sub_x16(f0, f2); - g0 = add_x16(f0, f2); - - f3 = sub_x16(g3, g2); - f2 = add_x16(g2, g3); - f3 = mulmod_x16_scaled(qdata, f3, zetainv_x4_32_1, zetainv_x4_qinv_32_1); - f2 = mulmod_x16_scaled(qdata, f2, zeta_x4(32, 1), zeta_x4_qinv(32, 1)); - - g2 = _mm256_unpacklo_epi64(f2, f3); - g3 = _mm256_unpackhi_epi64(f2, f3); - - f1 = sub_x16(g0, g1); - f0 = add_x16(g0, g1); - f1 = mulmod_x16_scaled(qdata, f1, zeta_x4(16, 1), zeta_x4_qinv(16, 1)); - f0 = reduce_x16(qdata, f0); - - g1 = _mm256_unpackhi_epi64(f0, f1); - g0 = _mm256_unpacklo_epi64(f0, f1); - f1 = _mm256_permute2x128_si256(g1, g3, 0x20); - f3 = _mm256_permute2x128_si256(g1, g3, 0x31); - f0 = _mm256_permute2x128_si256(g0, g2, 0x20); - f2 = _mm256_permute2x128_si256(g0, g2, 0x31); - - _mm256_storeu_si256((__m256i *) (f + 96), f1); - _mm256_storeu_si256((__m256i *) (f + 112), f3); - _mm256_storeu_si256((__m256i *) (f + 32), f0); - _mm256_storeu_si256((__m256i *) (f + 48), f2); - - f += 128; - } - f = origf; - for (rep = 0; rep < reps; ++rep) { - - f1 = _mm256_loadu_si256((__m256i *) (f + 16)); - f3 = _mm256_loadu_si256((__m256i *) (f + 48)); 
- g3 = sub_x16(f1, f3); - g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv); - g1 = add_x16(f1, f3); - - f0 = _mm256_loadu_si256((__m256i *) (f + 0)); - f2 = _mm256_loadu_si256((__m256i *) (f + 32)); - g2 = sub_x16(f0, f2); - g0 = add_x16(f0, f2); - - f2 = add_x16(g2, g3); - f3 = sub_x16(g2, g3); - f2 = reduce_x16(qdata, f2); - f3 = reduce_x16(qdata, f3); - - f1 = sub_x16(g0, g1); - f0 = add_x16(g0, g1); - f0 = reduce_x16(qdata, f0); - - h0 = f0; - h1 = f1; - h2 = f2; - h3 = f3; - - f1 = _mm256_loadu_si256((__m256i *) (f + 80)); - f3 = _mm256_loadu_si256((__m256i *) (f + 112)); - g3 = sub_x16(f1, f3); - g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv); - g1 = add_x16(f1, f3); - - f0 = _mm256_loadu_si256((__m256i *) (f + 64)); - f2 = _mm256_loadu_si256((__m256i *) (f + 96)); - g2 = sub_x16(f0, f2); - g0 = add_x16(f0, f2); - - f3 = sub_x16(g3, g2); - f2 = add_x16(g2, g3); - f3 = mulmod_x16_scaled(qdata, f3, zetainv8_x16, zetainv8_x16_qinv); - f2 = mulmod_x16_scaled(qdata, f2, zeta8_x16, zeta8_x16_qinv); - - f1 = sub_x16(g0, g1); - f0 = add_x16(g0, g1); - f1 = mulmod_x16_scaled(qdata, f1, zeta4_x16, zeta4_x16_qinv); - f0 = reduce_x16(qdata, f0); - - g0 = add_x16(h0, f0); - g1 = add_x16(h1, f1); - g2 = add_x16(h2, f2); - g3 = add_x16(h3, f3); - _mm256_storeu_si256((__m256i *) (f + 0), g0); - _mm256_storeu_si256((__m256i *) (f + 16), g1); - _mm256_storeu_si256((__m256i *) (f + 32), g2); - _mm256_storeu_si256((__m256i *) (f + 48), g3); - g0 = sub_x16(h0, f0); - g1 = sub_x16(h1, f1); - g2 = sub_x16(h2, f2); - g3 = sub_x16(h3, f3); - _mm256_storeu_si256((__m256i *) (f + 64), g0); - _mm256_storeu_si256((__m256i *) (f + 80), g1); - _mm256_storeu_si256((__m256i *) (f + 96), g2); - _mm256_storeu_si256((__m256i *) (f + 112), g3); - f += 128; - } -} - -static void ntt512(int16 *f, int reps, const __m256i *qdata) { - __m256i f0, f1, f2, f3, g0, g1, g2, g3; /* [-Werror=unused-variable] */ /* ,h0,h1,h2,h3; */ - int16 *origf = f; - int rep; - __m256i 
zetainv_512[8]; - __m256i zetainv_qinv_512[8]; - int i; - for (i = 0; i < 8; ++i) { - zetainv_512[i] = zetainv(512, i); - } - for (i = 0; i < 8; ++i) { - zetainv_qinv_512[i] = zetainv_qinv(512, i); - } - for (rep = 0; rep < reps; ++rep) { - for (i = 0; i < 8; ++i) { - f1 = _mm256_loadu_si256((__m256i *) (f + 16 * i + 128)); - f3 = _mm256_loadu_si256((__m256i *) (f + 16 * i + 384)); - g3 = sub_x16(f1, f3); - g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv); - g1 = add_x16(f1, f3); - - f0 = _mm256_loadu_si256((__m256i *) (f + 16 * i)); - f2 = _mm256_loadu_si256((__m256i *) (f + 16 * i + 256)); - g2 = sub_x16(f0, f2); - g0 = add_x16(f0, f2); - - f3 = sub_x16(g3, g2); - f2 = add_x16(g2, g3); - f3 = mulmod_x16_scaled(qdata, f3, zetainv_512[i], zetainv_qinv_512[i]); - f2 = mulmod_x16_scaled(qdata, f2, zeta(512, i), zeta_qinv(512, i)); - - f1 = sub_x16(g0, g1); - f0 = add_x16(g0, g1); - f1 = mulmod_x16_scaled(qdata, f1, zeta(256, i), zeta_qinv(256, i)); - f0 = reduce_x16(qdata, f0); - - _mm256_storeu_si256((__m256i *) (f + 16 * i + 384), f3); - _mm256_storeu_si256((__m256i *) (f + 16 * i + 256), f2); - _mm256_storeu_si256((__m256i *) (f + 16 * i + 128), f1); - _mm256_storeu_si256((__m256i *) (f + 16 * i), f0); - - } - f += 512; - } - f = origf; - ntt128(f, reps * 4, qdata); -} - -void PQCLEAN_SNTRUP761_AVX2_ntt512_7681(int16 *f, int reps) { - ntt512(f, reps, (const __m256i *) qdata_7681.data); -} - -void PQCLEAN_SNTRUP761_AVX2_ntt512_10753(int16 *f, int reps) { - ntt512(f, reps, (const __m256i *) qdata_10753.data); -} - -static void invntt128(int16 *f, int reps, const __m256i *qdata) { - __m256i f0, f1, f2, f3, g0, g1, g2, g3, h0, h1, h2, h3; - int16 *origf = f; - int rep; - __m256i zetainv_x4_16_0 = zetainv_x4(16, 0); - __m256i zetainv_x4_qinv_16_0 = zetainv_x4_qinv(16, 0); - __m256i zetainv_x4_32_0 = zetainv_x4(32, 0); - __m256i zetainv_x4_qinv_32_0 = zetainv_x4_qinv(32, 0); - __m256i zetainv_64_0 = zetainv(64, 0); - __m256i zetainv_qinv_64_0 = 
zetainv_qinv(64, 0); - __m256i zetainv_128_0 = zetainv(128, 0); - __m256i zetainv_qinv_128_0 = zetainv_qinv(128, 0); - __m256i zetainv_x4_16_1 = zetainv_x4(16, 1); - __m256i zetainv_x4_qinv_16_1 = zetainv_x4_qinv(16, 1); - __m256i zetainv_x4_32_1 = zetainv_x4(32, 1); - __m256i zetainv_x4_qinv_32_1 = zetainv_x4_qinv(32, 1); - __m256i zetainv_64_1 = zetainv(64, 1); - __m256i zetainv_qinv_64_1 = zetainv_qinv(64, 1); - __m256i zetainv_128_1 = zetainv(128, 1); - __m256i zetainv_qinv_128_1 = zetainv_qinv(128, 1); - for (rep = 0; rep < reps; ++rep) { - f0 = _mm256_loadu_si256((__m256i *) (f + 0)); - f1 = _mm256_loadu_si256((__m256i *) (f + 64)); - f2 = _mm256_loadu_si256((__m256i *) (f + 16)); - f3 = _mm256_loadu_si256((__m256i *) (f + 80)); - g0 = _mm256_loadu_si256((__m256i *) (f + 32)); - g1 = _mm256_loadu_si256((__m256i *) (f + 96)); - g2 = _mm256_loadu_si256((__m256i *) (f + 48)); - g3 = _mm256_loadu_si256((__m256i *) (f + 112)); - - h1 = sub_x16(f0, f1); - h1 = reduce_x16(qdata, h1); - h0 = add_x16(f0, f1); - h3 = sub_x16(f2, f3); - h3 = mulmod_x16_scaled(qdata, h3, zeta4_x16, zeta4_x16_qinv); - h2 = add_x16(f2, f3); - f1 = sub_x16(g0, g1); - f1 = mulmod_x16_scaled(qdata, f1, zetainv8_x16, zetainv8_x16_qinv); - f0 = add_x16(g0, g1); - f3 = sub_x16(g2, g3); - f3 = mulmod_x16_scaled(qdata, f3, zeta8_x16, zeta8_x16_qinv); - f2 = add_x16(g2, g3); - - g0 = add_x16(h0, h2); - g0 = reduce_x16(qdata, g0); - g2 = sub_x16(h0, h2); - g2 = reduce_x16(qdata, g2); - g1 = sub_x16(h1, h3); - g3 = add_x16(h1, h3); - h2 = sub_x16(f0, f2); - h2 = mulmod_x16_scaled(qdata, h2, zeta4_x16, zeta4_x16_qinv); - h0 = add_x16(f0, f2); - h3 = add_x16(f1, f3); - h3 = mulmod_x16_scaled(qdata, h3, zeta4_x16, zeta4_x16_qinv); - h1 = sub_x16(f1, f3); - - f0 = add_x16(g0, h0); - g0 = sub_x16(g0, h0); - f1 = add_x16(g1, h1); - g1 = sub_x16(g1, h1); - f2 = sub_x16(g2, h2); - g2 = add_x16(g2, h2); - f3 = sub_x16(g3, h3); - g3 = add_x16(g3, h3); - - _mm256_storeu_si256((__m256i *) (f + 0), f0); - 
_mm256_storeu_si256((__m256i *) (f + 32), g0); - _mm256_storeu_si256((__m256i *) (f + 64), f1); - _mm256_storeu_si256((__m256i *) (f + 96), g1); - _mm256_storeu_si256((__m256i *) (f + 16), f2); - _mm256_storeu_si256((__m256i *) (f + 48), g2); - _mm256_storeu_si256((__m256i *) (f + 80), f3); - _mm256_storeu_si256((__m256i *) (f + 112), g3); - - f += 128; - } - f = origf; - for (rep = 0; rep < reps; ++rep) { - f0 = _mm256_loadu_si256((__m256i *) (f + 0)); - f1 = _mm256_loadu_si256((__m256i *) (f + 64)); - f2 = _mm256_loadu_si256((__m256i *) (f + 16)); - f3 = _mm256_loadu_si256((__m256i *) (f + 80)); - - g0 = _mm256_unpacklo_epi64(f0, f1); - g1 = _mm256_unpacklo_epi64(f2, f3); - g2 = _mm256_unpackhi_epi64(f0, f1); - g3 = _mm256_unpackhi_epi64(f2, f3); - f2 = _mm256_permute2x128_si256(g0, g1, 0x31); - f3 = _mm256_permute2x128_si256(g2, g3, 0x31); - f0 = _mm256_permute2x128_si256(g0, g1, 0x20); - f1 = _mm256_permute2x128_si256(g2, g3, 0x20); - - f2 = mulmod_x16_scaled(qdata, f2, zetainv_x4_32_0, zetainv_x4_qinv_32_0); - f3 = mulmod_x16_scaled(qdata, f3, zeta_x4(32, 0), zeta_x4_qinv(32, 0)); - - g3 = add_x16(f3, f2); - g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv); - g2 = sub_x16(f3, f2); - - f0 = reduce_x16(qdata, f0); - f1 = mulmod_x16_scaled(qdata, f1, zetainv_x4_16_0, zetainv_x4_qinv_16_0); - - g1 = add_x16(f0, f1); - g0 = sub_x16(f0, f1); - - f1 = add_x16(g1, g3); - f3 = sub_x16(g1, g3); - f0 = add_x16(g0, g2); - f2 = sub_x16(g0, g2); - - _mm256_storeu_si256((__m256i *) (f + 64), f1); - _mm256_storeu_si256((__m256i *) (f + 80), f3); - _mm256_storeu_si256((__m256i *) (f + 0), f0); - _mm256_storeu_si256((__m256i *) (f + 16), f2); - - f0 = _mm256_loadu_si256((__m256i *) (f + 32)); - f1 = _mm256_loadu_si256((__m256i *) (f + 96)); - f2 = _mm256_loadu_si256((__m256i *) (f + 48)); - f3 = _mm256_loadu_si256((__m256i *) (f + 112)); - - g0 = _mm256_unpacklo_epi64(f0, f1); - g1 = _mm256_unpacklo_epi64(f2, f3); - g2 = _mm256_unpackhi_epi64(f0, f1); - g3 = 
_mm256_unpackhi_epi64(f2, f3); - f2 = _mm256_permute2x128_si256(g0, g1, 0x31); - f3 = _mm256_permute2x128_si256(g2, g3, 0x31); - f0 = _mm256_permute2x128_si256(g0, g1, 0x20); - f1 = _mm256_permute2x128_si256(g2, g3, 0x20); - - f2 = mulmod_x16_scaled(qdata, f2, zetainv_x4_32_1, zetainv_x4_qinv_32_1); - f3 = mulmod_x16_scaled(qdata, f3, zeta_x4(32, 1), zeta_x4_qinv(32, 1)); - - g3 = add_x16(f3, f2); - g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv); - g2 = sub_x16(f3, f2); - - f0 = reduce_x16(qdata, f0); - f1 = mulmod_x16_scaled(qdata, f1, zetainv_x4_16_1, zetainv_x4_qinv_16_1); - - g1 = add_x16(f0, f1); - g0 = sub_x16(f0, f1); - - f1 = add_x16(g1, g3); - f3 = sub_x16(g1, g3); - f0 = add_x16(g0, g2); - f2 = sub_x16(g0, g2); - - _mm256_storeu_si256((__m256i *) (f + 96), f1); - _mm256_storeu_si256((__m256i *) (f + 112), f3); - _mm256_storeu_si256((__m256i *) (f + 32), f0); - _mm256_storeu_si256((__m256i *) (f + 48), f2); - - f += 128; - } - f = origf; - for (rep = 0; rep < reps; ++rep) { - f0 = _mm256_loadu_si256((__m256i *) (f + 0)); - f2 = _mm256_loadu_si256((__m256i *) (f + 64)); - f1 = _mm256_loadu_si256((__m256i *) (f + 32)); - f3 = _mm256_loadu_si256((__m256i *) (f + 96)); - - g0 = _mm256_permute2x128_si256(f0, f2, 0x20); - g2 = _mm256_permute2x128_si256(f0, f2, 0x31); - f0 = _mm256_unpacklo_epi16(g0, g2); - f2 = _mm256_unpackhi_epi16(g0, g2); - g1 = _mm256_permute2x128_si256(f1, f3, 0x20); - g3 = _mm256_permute2x128_si256(f1, f3, 0x31); - f1 = _mm256_unpacklo_epi16(g1, g3); - f3 = _mm256_unpackhi_epi16(g1, g3); - g1 = _mm256_unpackhi_epi16(f0, f2); - g0 = _mm256_unpacklo_epi16(f0, f2); - g3 = _mm256_unpackhi_epi16(f1, f3); - g2 = _mm256_unpacklo_epi16(f1, f3); - f2 = _mm256_unpacklo_epi64(g1, g3); - f3 = _mm256_unpackhi_epi64(g1, g3); - f0 = _mm256_unpacklo_epi64(g0, g2); - f1 = _mm256_unpackhi_epi64(g0, g2); - - f2 = mulmod_x16_scaled(qdata, f2, zetainv_128_0, zetainv_qinv_128_0); - f3 = mulmod_x16_scaled(qdata, f3, zeta(128, 0), zeta_qinv(128, 
0)); - f0 = reduce_x16(qdata, f0); - f1 = mulmod_x16_scaled(qdata, f1, zetainv_64_0, zetainv_qinv_64_0); - - g3 = add_x16(f3, f2); - g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv); - g1 = add_x16(f0, f1); - g2 = sub_x16(f3, f2); - g0 = sub_x16(f0, f1); - - f1 = add_x16(g1, g3); - f3 = sub_x16(g1, g3); - f0 = add_x16(g0, g2); - f2 = sub_x16(g0, g2); - - _mm256_storeu_si256((__m256i *) (f + 32), f1); - _mm256_storeu_si256((__m256i *) (f + 96), f3); - _mm256_storeu_si256((__m256i *) (f + 0), f0); - _mm256_storeu_si256((__m256i *) (f + 64), f2); - - f0 = _mm256_loadu_si256((__m256i *) (f + 16)); - f2 = _mm256_loadu_si256((__m256i *) (f + 80)); - f1 = _mm256_loadu_si256((__m256i *) (f + 48)); - f3 = _mm256_loadu_si256((__m256i *) (f + 112)); - - g0 = _mm256_permute2x128_si256(f0, f2, 0x20); - g2 = _mm256_permute2x128_si256(f0, f2, 0x31); - f0 = _mm256_unpacklo_epi16(g0, g2); - f2 = _mm256_unpackhi_epi16(g0, g2); - g1 = _mm256_permute2x128_si256(f1, f3, 0x20); - g3 = _mm256_permute2x128_si256(f1, f3, 0x31); - f1 = _mm256_unpacklo_epi16(g1, g3); - f3 = _mm256_unpackhi_epi16(g1, g3); - g1 = _mm256_unpackhi_epi16(f0, f2); - g0 = _mm256_unpacklo_epi16(f0, f2); - g3 = _mm256_unpackhi_epi16(f1, f3); - g2 = _mm256_unpacklo_epi16(f1, f3); - f2 = _mm256_unpacklo_epi64(g1, g3); - f3 = _mm256_unpackhi_epi64(g1, g3); - f0 = _mm256_unpacklo_epi64(g0, g2); - f1 = _mm256_unpackhi_epi64(g0, g2); - - f2 = mulmod_x16_scaled(qdata, f2, zetainv_128_1, zetainv_qinv_128_1); - f3 = mulmod_x16_scaled(qdata, f3, zeta(128, 1), zeta_qinv(128, 1)); - f0 = reduce_x16(qdata, f0); - f1 = mulmod_x16_scaled(qdata, f1, zetainv_64_1, zetainv_qinv_64_1); - - g3 = add_x16(f3, f2); - g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv); - g1 = add_x16(f0, f1); - g2 = sub_x16(f3, f2); - g0 = sub_x16(f0, f1); - - f1 = add_x16(g1, g3); - f3 = sub_x16(g1, g3); - f0 = add_x16(g0, g2); - f2 = sub_x16(g0, g2); - - _mm256_storeu_si256((__m256i *) (f + 48), f1); - _mm256_storeu_si256((__m256i *) 
(f + 112), f3); - _mm256_storeu_si256((__m256i *) (f + 16), f0); - _mm256_storeu_si256((__m256i *) (f + 80), f2); - - f += 128; - } -} - -static void invntt512(int16 *f, int reps, const __m256i *qdata) { - __m256i f0, f1, f2, f3, g0, g1, g2, g3; /* [-Werror=unused-variable] */ /* ,h0,h1,h2,h3; */ - /* [-Werror=unused-variable] */ /* int16 *origf = f; */ - int rep; - __m256i zetainv_512[8]; - __m256i zetainv_qinv_512[8]; - __m256i zetainv_256[8]; - __m256i zetainv_qinv_256[8]; - int i; - for (i = 0; i < 8; ++i) { - zetainv_512[i] = zetainv(512, i); - } - for (i = 0; i < 8; ++i) { - zetainv_qinv_512[i] = zetainv_qinv(512, i); - } - for (i = 0; i < 8; ++i) { - zetainv_256[i] = zetainv(256, i); - } - for (i = 0; i < 8; ++i) { - zetainv_qinv_256[i] = zetainv_qinv(256, i); - } - invntt128(f, 4 * reps, qdata); - for (rep = 0; rep < reps; ++rep) { - for (i = 0; i < 8; ++i) { - f2 = _mm256_loadu_si256((__m256i *) (f + 16 * i + 256)); - f3 = _mm256_loadu_si256((__m256i *) (f + 16 * i + 384)); - - f2 = mulmod_x16_scaled(qdata, f2, zetainv_512[i], zetainv_qinv_512[i]); - f3 = mulmod_x16_scaled(qdata, f3, zeta(512, i), zeta_qinv(512, i)); - g3 = add_x16(f3, f2); - g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv); - g2 = sub_x16(f3, f2); - - f0 = _mm256_loadu_si256((__m256i *) (f + 16 * i + 0)); - f1 = _mm256_loadu_si256((__m256i *) (f + 16 * i + 128)); - - f0 = reduce_x16(qdata, f0); - f1 = mulmod_x16_scaled(qdata, f1, zetainv_256[i], zetainv_qinv_256[i]); - g1 = add_x16(f0, f1); - g0 = sub_x16(f0, f1); - - f1 = add_x16(g1, g3); - f3 = sub_x16(g1, g3); - f0 = add_x16(g0, g2); - f2 = sub_x16(g0, g2); - - _mm256_storeu_si256((__m256i *) (f + 16 * i + 128), f1); - _mm256_storeu_si256((__m256i *) (f + 16 * i + 384), f3); - _mm256_storeu_si256((__m256i *) (f + 16 * i + 0), f0); - _mm256_storeu_si256((__m256i *) (f + 16 * i + 256), f2); - } - f += 512; - } -} - -void PQCLEAN_SNTRUP761_AVX2_invntt512_7681(int16 *f, int reps) { - invntt512(f, reps, (const __m256i *) 
qdata_7681.data);
-}
-
-void PQCLEAN_SNTRUP761_AVX2_invntt512_10753(int16 *f, int reps) {
- invntt512(f, reps, (const __m256i *) qdata_10753.data);
-}
diff --git a/crypto_kem/sntrup761/avx2/crypto_core_multsntrup761_ntt.h b/crypto_kem/sntrup761/avx2/crypto_core_multsntrup761_ntt.h
deleted file mode 100644
index 8005ff81..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_core_multsntrup761_ntt.h
+++ /dev/null
@@ -1,13 +0,0 @@
-#ifndef ntt_H
-#define ntt_H
-
-#include
-
-
-
-extern void PQCLEAN_SNTRUP761_AVX2_ntt512_7681(int16_t *f, int reps);
-extern void PQCLEAN_SNTRUP761_AVX2_ntt512_10753(int16_t *f, int reps);
-extern void PQCLEAN_SNTRUP761_AVX2_invntt512_7681(int16_t *f, int reps);
-extern void PQCLEAN_SNTRUP761_AVX2_invntt512_10753(int16_t *f, int reps);
-
-#endif
diff --git a/crypto_kem/sntrup761/avx2/crypto_core_scale3sntrup761.c b/crypto_kem/sntrup761/avx2/crypto_core_scale3sntrup761.c
deleted file mode 100644
index 477fe041..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_core_scale3sntrup761.c
+++ /dev/null
@@ -1,47 +0,0 @@
-#include "crypto_core_scale3sntrup761.h"
-#include "crypto_decode_761xint16.h"
-#include "crypto_encode_761xint16.h"
-#include
-
-#define p 761
-#define q 4591
-
-#define crypto_decode_pxint16 PQCLEAN_SNTRUP761_AVX2_crypto_decode_761xint16
-#define crypto_encode_pxint16 PQCLEAN_SNTRUP761_AVX2_crypto_encode_761xint16
-
-typedef int16_t Fq;
-
-/* out = 3*in in Rq */
-int PQCLEAN_SNTRUP761_AVX2_crypto_core_scale3sntrup761(unsigned char *outbytes, const unsigned char *inbytes) {
- int i = p - 16;
-
- __m256i save = _mm256_loadu_si256((__m256i *) (inbytes + 2 * i));
- /* in case outbytes = inbytes */
-
- for (;;) {
- do {
- __m256i x = _mm256_loadu_si256((__m256i *) inbytes);
- __m256i xneg;
- x = _mm256_mullo_epi16(x, _mm256_set1_epi16(3));
- x = _mm256_sub_epi16(x, _mm256_set1_epi16((q + 1) / 2));
- xneg = _mm256_srai_epi16(x, 15);
- x = _mm256_add_epi16(x, _mm256_set1_epi16(q)&xneg);
- xneg = _mm256_srai_epi16(x, 15);
- x = _mm256_add_epi16(x, _mm256_set1_epi16(q)&xneg);
- x = _mm256_sub_epi16(x, _mm256_set1_epi16((q - 1) / 2));
- _mm256_storeu_si256((__m256i *) outbytes, x);
-
- inbytes += 32;
- outbytes += 32;
- i -= 16;
- } while (i >= 0);
- if (i <= -16) {
- break;
- }
- inbytes += 2 * i;
- outbytes += 2 * i;
- _mm256_storeu_si256((__m256i *) outbytes, save);
- }
-
- return 0;
-}
diff --git a/crypto_kem/sntrup761/avx2/crypto_core_scale3sntrup761.h b/crypto_kem/sntrup761/avx2/crypto_core_scale3sntrup761.h
deleted file mode 100644
index 954872f7..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_core_scale3sntrup761.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_AVX2_CRYPTO_CORE_SCALE3SNTRUP761_H
-#define PQCLEAN_SNTRUP761_AVX2_CRYPTO_CORE_SCALE3SNTRUP761_H
-
-#include
-#define PQCLEAN_SNTRUP761_AVX2_crypto_core_scale3sntrup761_OUTPUTBYTES 1522
-#define PQCLEAN_SNTRUP761_AVX2_crypto_core_scale3sntrup761_INPUTBYTES 1522
-#define PQCLEAN_SNTRUP761_AVX2_crypto_core_scale3sntrup761_KEYBYTES 0
-#define PQCLEAN_SNTRUP761_AVX2_crypto_core_scale3sntrup761_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP761_AVX2_crypto_core_scale3sntrup761(unsigned char *outbytes, const unsigned char *inbytes);
-#endif
diff --git a/crypto_kem/sntrup761/avx2/crypto_core_weightsntrup761.c b/crypto_kem/sntrup761/avx2/crypto_core_weightsntrup761.c
deleted file mode 100644
index 2184979d..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_core_weightsntrup761.c
+++ /dev/null
@@ -1,44 +0,0 @@
-#include "crypto_core_weightsntrup761.h"
-#include "crypto_encode_int16.h"
-#include "params.h"
-#include
-
-#define int8 int8_t
-#define int16 int16_t
-
-
-/* out = little-endian weight of bottom bits of in */
-int PQCLEAN_SNTRUP761_AVX2_crypto_core_weightsntrup761(unsigned char *outbytes, const unsigned char *inbytes) {
- int8 *in = (void *) inbytes;
- int i;
- __m256i sum, sumhi;
- int16 weight;
-
- sum = _mm256_loadu_si256((__m256i *) (in + p - 32));
- sum &= _mm256_set_epi8(1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0);
- for (i = p - 32; i >= 0; i -= 32) {
- __m256i bits = _mm256_loadu_si256((__m256i *) in);
- bits &= _mm256_set1_epi8(1);
- sum = _mm256_add_epi8(sum, bits);
- in += 32;
- }
-
- /* sum is 32xint8; want to add these int8 */
- sumhi = _mm256_srli_epi16(sum, 8);
- sum &= _mm256_set1_epi16(0xff);
- sum = _mm256_add_epi16(sum, sumhi);
-
- /* sum is 16xint16; want to add these int16 */
- sum = _mm256_hadd_epi16(sum, sum);
- /* want sum[0]+sum[1]+sum[2]+sum[3]+sum[8]+sum[9]+sum[10]+sum[11] */
- sum = _mm256_hadd_epi16(sum, sum);
- /* want sum[0]+sum[1]+sum[8]+sum[9] */
- sum = _mm256_hadd_epi16(sum, sum);
- /* want sum[0]+sum[8] */
-
- weight = (int16) _mm256_extract_epi16(sum, 0);
- weight += (int16) _mm256_extract_epi16(sum, 8);
-
- PQCLEAN_SNTRUP761_AVX2_crypto_encode_int16(outbytes, &weight);
- return 0;
-}
diff --git a/crypto_kem/sntrup761/avx2/crypto_core_weightsntrup761.h b/crypto_kem/sntrup761/avx2/crypto_core_weightsntrup761.h
deleted file mode 100644
index a2e3cd44..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_core_weightsntrup761.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_AVX2_CRYPTO_CORE_WEIGHTSNTRUP761_H
-#define PQCLEAN_SNTRUP761_AVX2_CRYPTO_CORE_WEIGHTSNTRUP761_H
-
-#include
-#define PQCLEAN_SNTRUP761_AVX2_crypto_core_weightsntrup761_OUTPUTBYTES 2
-#define PQCLEAN_SNTRUP761_AVX2_crypto_core_weightsntrup761_INPUTBYTES 761
-#define PQCLEAN_SNTRUP761_AVX2_crypto_core_weightsntrup761_KEYBYTES 0
-#define PQCLEAN_SNTRUP761_AVX2_crypto_core_weightsntrup761_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP761_AVX2_crypto_core_weightsntrup761(unsigned char *outbytes, const unsigned char *inbytes);
-#endif
diff --git a/crypto_kem/sntrup761/avx2/crypto_core_wforcesntrup761.c b/crypto_kem/sntrup761/avx2/crypto_core_wforcesntrup761.c
deleted file mode 100644
index 0dedf0af..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_core_wforcesntrup761.c
+++ /dev/null
@@ -1,61 +0,0 @@
-#include "crypto_core_wforcesntrup761.h"
-#include "crypto_decode_int16.h"
-#include "params.h"
-#include
-
-#define int16 int16_t
-
-
-/* out = in if bottom bits of in have weight w */
-/* otherwise out = (1,1,...,1,0,0,...,0) */
-int PQCLEAN_SNTRUP761_AVX2_crypto_core_wforcesntrup761(unsigned char *out, const unsigned char *in) {
- int16 weight;
- int16 mask;
- __m256i maskvec;
- int i;
-
- crypto_core_weight((unsigned char *) &weight, in);
- PQCLEAN_SNTRUP761_AVX2_crypto_decode_int16(&weight, (unsigned char *) &weight);
-
- mask = (int16) ((weight - w) | (w - weight));
- mask >>= 15;
- maskvec = _mm256_set1_epi16((short) ~mask);
-
- i = w - 32;
- for (;;) {
- do {
- __m256i x = _mm256_loadu_si256((__m256i *) in);
- x ^= _mm256_set1_epi8(1);
- x &= maskvec;
- x ^= _mm256_set1_epi8(1);
- _mm256_storeu_si256((__m256i *) out, x);
- in += 32;
- out += 32;
- i -= 32;
- } while (i >= 0);
- if (i <= -32) {
- break;
- }
- in += i;
- out += i;
- }
-
- i = p - w - 32;
- for (;;) {
- do {
- __m256i x = _mm256_loadu_si256((__m256i *) in);
- x &= maskvec;
- _mm256_storeu_si256((__m256i *) out, x);
- in += 32;
- out += 32;
- i -= 32;
- } while (i >= 0);
- if (i <= -32) {
- break;
- }
- in += i;
- out += i;
- }
-
- return 0;
-}
diff --git a/crypto_kem/sntrup761/avx2/crypto_core_wforcesntrup761.h b/crypto_kem/sntrup761/avx2/crypto_core_wforcesntrup761.h
deleted file mode 100644
index 78876a54..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_core_wforcesntrup761.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_AVX2_CRYPTO_CORE_WFORCESNTRUP761_H
-#define PQCLEAN_SNTRUP761_AVX2_CRYPTO_CORE_WFORCESNTRUP761_H
-
-#include
-#define PQCLEAN_SNTRUP761_AVX2_crypto_core_wforcesntrup761_OUTPUTBYTES 761
-#define PQCLEAN_SNTRUP761_AVX2_crypto_core_wforcesntrup761_INPUTBYTES 761
-#define PQCLEAN_SNTRUP761_AVX2_crypto_core_wforcesntrup761_KEYBYTES 0
-#define PQCLEAN_SNTRUP761_AVX2_crypto_core_wforcesntrup761_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP761_AVX2_crypto_core_wforcesntrup761(unsigned char *out, const unsigned char *in);
-#endif
diff --git a/crypto_kem/sntrup761/avx2/crypto_decode_761x1531.c b/crypto_kem/sntrup761/avx2/crypto_decode_761x1531.c
deleted file mode 100644
index aa567462..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_decode_761x1531.c
+++ /dev/null
@@ -1,432 +0,0 @@ -#include "crypto_decode_761x1531.h" -#include -/* auto-generated; do not edit */ - -#define int16 int16_t -#define int32 int32_t - -static inline int16 mullo(int16 x, int16 y) { - return x * y; -} - -static inline int16 mulhi(int16 x, int16 y) { - return (int16) ((x * (int32)y) >> 16); -} - -static inline __m256i add(__m256i x, __m256i y) { - return _mm256_add_epi16(x, y); -} - -static inline __m256i sub(__m256i x, __m256i y) { - return _mm256_sub_epi16(x, y); -} - -static inline __m256i shiftleftconst(__m256i x, int16 y) { - return _mm256_slli_epi16(x, y); -} - -static inline __m256i signedshiftrightconst(__m256i x, int16 y) { - return _mm256_srai_epi16(x, y); -} - -static inline __m256i subconst(__m256i x, int16 y) { - return sub(x, _mm256_set1_epi16(y)); -} - -static inline __m256i mulloconst(__m256i x, int16 y) { - return _mm256_mullo_epi16(x, _mm256_set1_epi16(y)); -} - -static inline __m256i mulhiconst(__m256i x, int16 y) { - return _mm256_mulhi_epi16(x, _mm256_set1_epi16(y)); -} - -static inline __m256i ifgesubconst(__m256i x, int16 y) { - __m256i y16 = _mm256_set1_epi16(y); - __m256i top16 = _mm256_set1_epi16((int16)(y - 1)); - return sub(x, _mm256_cmpgt_epi16(x, top16) & y16); -} - -static inline __m256i ifnegaddconst(__m256i x, int16 y) { - return add(x, signedshiftrightconst(x, 15) & _mm256_set1_epi16(y)); -} - -void PQCLEAN_SNTRUP761_AVX2_crypto_decode_761x1531(void *v, const unsigned char *s) { - int16 *R0 = v; - int16 R1[381], R2[191], R3[96], R4[48], R5[24], R6[12], R7[6], R8[3], R9[2], R10[1]; - long long i; - int16 a0, a1, a2; - __m256i A0, A1, A2, S0, S1, B0, B1, C0, C1; - - s += PQCLEAN_SNTRUP761_AVX2_crypto_decode_761x1531_STRBYTES; - a1 = 0; - a1 += *--s; /* 0...255 */ - a1 = mulhi(a1, -84) - mulhi(mullo(a1, -4828), 3475); - a1 += *--s; /* -1738...1992 */ - a1 += (a1 >> 15) & 3475; /* 0...3474 */ - R10[0] = a1; - - /* R10 ------> R9: reconstruct mod 1*[593]+[1500] */ - - i = 0; - s -= 1; - a2 = a0 = R10[0]; - a0 = mulhi(a0, 
60) - mulhi(mullo(a0, -28292), 593); /* -297...311 */ - a0 += s[1 * i + 0]; /* -297...566 */ - a0 += (a0 >> 15) & 593; /* 0...592 */ - a1 = (int16) ((a2 << 8) + s[i] - a0); - a1 = mullo(a1, -31055); - - /* invalid inputs might need reduction mod 1500 */ - a1 -= 1500; - a1 += (a1 >> 15) & 1500; - - R9[0] = a0; - R9[1] = a1; - s -= 0; - - /* R9 ------> R8: reconstruct mod 2*[6232]+[1500] */ - - R8[2] = R9[1]; - s -= 2; - for (i = 0; i >= 0; --i) { - a2 = a0 = R9[i]; - a0 = mulhi(a0, 672) - mulhi(mullo(a0, -2692), 6232); /* -3116...3284 */ - a0 += s[2 * i + 1]; /* -3116...3539 */ - a0 = mulhi(a0, 672) - mulhi(mullo(a0, -2692), 6232); /* -3148...3152 */ - a0 += s[2 * i + 0]; /* -3148...3407 */ - a0 += (a0 >> 15) & 6232; /* 0...6231 */ - a1 = (int16) ((a2 << 13) + (s[2 * i + 1] << 5) + ((s[2 * i] - a0) >> 3)); - a1 = mullo(a1, 12451); - - /* invalid inputs might need reduction mod 6232 */ - a1 -= 6232; - a1 += (a1 >> 15) & 6232; - - R8[2 * i] = a0; - R8[2 * i + 1] = a1; - } - - /* R8 ------> R7: reconstruct mod 5*[1263]+[304] */ - - i = 0; - s -= 1; - a2 = a0 = R8[2]; - a0 = mulhi(a0, -476) - mulhi(mullo(a0, -13284), 1263); /* -751...631 */ - a0 += s[1 * i + 0]; /* -751...886 */ - a0 += (a0 >> 15) & 1263; /* 0...1262 */ - a1 = (int16) ((a2 << 8) + s[i] - a0); - a1 = mullo(a1, -22001); - - /* invalid inputs might need reduction mod 304 */ - a1 -= 304; - a1 += (a1 >> 15) & 304; - - R7[4] = a0; - R7[5] = a1; - s -= 2; - for (i = 1; i >= 0; --i) { - a2 = a0 = R8[i]; - a0 = mulhi(a0, -476) - mulhi(mullo(a0, -13284), 1263); /* -751...631 */ - a0 += s[1 * i + 0]; /* -751...886 */ - a0 += (a0 >> 15) & 1263; /* 0...1262 */ - a1 = (int16) ((a2 << 8) + s[i] - a0); - a1 = mullo(a1, -22001); - - /* invalid inputs might need reduction mod 1263 */ - a1 -= 1263; - a1 += (a1 >> 15) & 1263; - - R7[2 * i] = a0; - R7[2 * i + 1] = a1; - } - - /* R7 ------> R6: reconstruct mod 11*[9097]+[2188] */ - - i = 0; - s -= 2; - a0 = R7[5]; - a0 = mulhi(a0, 2348) - mulhi(mullo(a0, -1844), 9097); /* 
-4549...5135 */ - a0 += s[2 * i + 1]; /* -4549...5390 */ - a0 = mulhi(a0, 2348) - mulhi(mullo(a0, -1844), 9097); /* -4712...4741 */ - a0 += s[2 * i + 0]; /* -4712...4996 */ - a0 += (a0 >> 15) & 9097; /* 0...9096 */ - a1 = (int16) ((s[2 * i + 1] << 8) + s[2 * i] - a0); - a1 = mullo(a1, 17081); - - /* invalid inputs might need reduction mod 2188 */ - a1 -= 2188; - a1 += (a1 >> 15) & 2188; - - R6[10] = a0; - R6[11] = a1; - s -= 10; - for (i = 4; i >= 0; --i) { - a0 = R7[i]; - a0 = mulhi(a0, 2348) - mulhi(mullo(a0, -1844), 9097); /* -4549...5135 */ - a0 += s[2 * i + 1]; /* -4549...5390 */ - a0 = mulhi(a0, 2348) - mulhi(mullo(a0, -1844), 9097); /* -4712...4741 */ - a0 += s[2 * i + 0]; /* -4712...4996 */ - a0 += (a0 >> 15) & 9097; /* 0...9096 */ - a1 = (int16) ((s[2 * i + 1] << 8) + s[2 * i] - a0); - a1 = mullo(a1, 17081); - - /* invalid inputs might need reduction mod 9097 */ - a1 -= 9097; - a1 += (a1 >> 15) & 9097; - - R6[2 * i] = a0; - R6[2 * i + 1] = a1; - } - - /* R6 ------> R5: reconstruct mod 23*[1526]+[367] */ - - i = 0; - s -= 1; - a2 = a0 = R6[11]; - a0 = mulhi(a0, 372) - mulhi(mullo(a0, -10994), 1526); /* -763...856 */ - a0 += s[1 * i + 0]; /* -763...1111 */ - a0 += (a0 >> 15) & 1526; /* 0...1525 */ - a1 = (int16) ((a2 << 7) + ((s[i] - a0) >> 1)); - a1 = mullo(a1, -18381); - - /* invalid inputs might need reduction mod 367 */ - a1 -= 367; - a1 += (a1 >> 15) & 367; - - R5[22] = a0; - R5[23] = a1; - s -= 11; - for (i = 10; i >= 0; --i) { - a2 = a0 = R6[i]; - a0 = mulhi(a0, 372) - mulhi(mullo(a0, -10994), 1526); /* -763...856 */ - a0 += s[1 * i + 0]; /* -763...1111 */ - a0 += (a0 >> 15) & 1526; /* 0...1525 */ - a1 = (int16) ((a2 << 7) + ((s[i] - a0) >> 1)); - a1 = mullo(a1, -18381); - - /* invalid inputs might need reduction mod 1526 */ - a1 -= 1526; - a1 += (a1 >> 15) & 1526; - - R5[2 * i] = a0; - R5[2 * i + 1] = a1; - } - - /* R5 ------> R4: reconstruct mod 47*[625]+[150] */ - - i = 0; - s -= 1; - a2 = a0 = R5[23]; - a0 = mulhi(a0, -284) - mulhi(mullo(a0, 
-26844), 625); /* -384...312 */ - a0 += s[1 * i + 0]; /* -384...567 */ - a0 += (a0 >> 15) & 625; /* 0...624 */ - a1 = (int16) ((a2 << 8) + s[i] - a0); - a1 = mullo(a1, 32401); - - /* invalid inputs might need reduction mod 150 */ - a1 -= 150; - a1 += (a1 >> 15) & 150; - - R4[46] = a0; - R4[47] = a1; - s -= 23; - i = 7; - for (;;) { - A2 = A0 = _mm256_loadu_si256((__m256i *) &R5[i]); - S0 = _mm256_cvtepu8_epi16(_mm_loadu_si128((__m128i *) (s + i))); - A0 = sub(mulhiconst(A0, -284), mulhiconst(mulloconst(A0, -26844), 625)); /* -384...312 */ - A0 = add(A0, S0); /* -384...567 */ - A0 = ifnegaddconst(A0, 625); /* 0...624 */ - A1 = add(shiftleftconst(A2, 8), sub(S0, A0)); - A1 = mulloconst(A1, 32401); - - /* invalid inputs might need reduction mod 625 */ - A1 = ifgesubconst(A1, 625); - - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = _mm256_permute2x128_si256(B0, B1, 0x20); - C1 = _mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: r16r17r18r19r20r21r22r23 r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R4[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R4[2 * i]), C1); - if (!i) { - break; - } - i = -16 - ((~15) & -i); - } - - /* R4 ------> R3: reconstruct mod 95*[6400]+[1531] */ - - i = 0; - s -= 2; - a2 = a0 = R4[47]; - a0 = mulhi(a0, 2816) - mulhi(mullo(a0, -2621), 6400); /* -3200...3904 */ - a0 += s[2 * i + 1]; /* -3200...4159 */ - a0 = mulhi(a0, 2816) - mulhi(mullo(a0, -2621), 6400); /* -3338...3378 */ - a0 += s[2 * i + 0]; /* -3338...3633 */ - a0 += (a0 >> 15) & 6400; /* 0...6399 */ - a1 = (int16) ((a2 << 8) + s[2 * i + 1] + ((s[2 * i] - a0) >> 8)); - a1 = mullo(a1, 23593); - - /* invalid inputs might need reduction mod 1531 */ - a1 -= 
1531; - a1 += (a1 >> 15) & 1531; - - R3[94] = a0; - R3[95] = a1; - s -= 94; - i = 31; - for (;;) { - A2 = A0 = _mm256_loadu_si256((__m256i *) &R4[i]); - S0 = _mm256_loadu_si256((__m256i *) (s + 2 * i)); - S1 = _mm256_srli_epi16(S0, 8); - S0 &= _mm256_set1_epi16(255); - A0 = sub(mulhiconst(A0, 2816), mulhiconst(mulloconst(A0, -2621), 6400)); /* -3200...3904 */ - A0 = add(A0, S1); /* -3200...4159 */ - A0 = sub(mulhiconst(A0, 2816), mulhiconst(mulloconst(A0, -2621), 6400)); /* -3338...3378 */ - A0 = add(A0, S0); /* -3338...3633 */ - A0 = ifnegaddconst(A0, 6400); /* 0...6399 */ - A1 = add(add(shiftleftconst(A2, 8), S1), signedshiftrightconst(sub(S0, A0), 8)); - A1 = mulloconst(A1, 23593); - - /* invalid inputs might need reduction mod 6400 */ - A1 = ifgesubconst(A1, 6400); - - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = _mm256_permute2x128_si256(B0, B1, 0x20); - C1 = _mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: r16r17r18r19r20r21r22r23 r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R3[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R3[2 * i]), C1); - if (!i) { - break; - } - i = -16 - ((~15) & -i); - } - - /* R3 ------> R2: reconstruct mod 190*[1280]+[1531] */ - - R2[190] = R3[95]; - s -= 95; - i = 79; - for (;;) { - A2 = A0 = _mm256_loadu_si256((__m256i *) &R3[i]); - S0 = _mm256_cvtepu8_epi16(_mm_loadu_si128((__m128i *) (s + i))); - A0 = sub(mulhiconst(A0, 256), mulhiconst(mulloconst(A0, -13107), 1280)); /* -640...704 */ - A0 = add(A0, S0); /* -640...959 */ - A0 = ifnegaddconst(A0, 1280); /* 0...1279 */ - A1 = add(A2, signedshiftrightconst(sub(S0, A0), 8)); - A1 = mulloconst(A1, -13107); - - /* invalid inputs might need 
reduction mod 1280 */ - A1 = ifgesubconst(A1, 1280); - - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = _mm256_permute2x128_si256(B0, B1, 0x20); - C1 = _mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: r16r17r18r19r20r21r22r23 r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R2[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R2[2 * i]), C1); - if (!i) { - break; - } - i = -16 - ((~15) & -i); - } - - /* R2 ------> R1: reconstruct mod 380*[9157]+[1531] */ - - R1[380] = R2[190]; - s -= 380; - i = 174; - for (;;) { - A0 = _mm256_loadu_si256((__m256i *) &R2[i]); - S0 = _mm256_loadu_si256((__m256i *) (s + 2 * i)); - S1 = _mm256_srli_epi16(S0, 8); - S0 &= _mm256_set1_epi16(255); - A0 = sub(mulhiconst(A0, 1592), mulhiconst(mulloconst(A0, -1832), 9157)); /* -4579...4976 */ - A0 = add(A0, S1); /* -4579...5231 */ - A0 = sub(mulhiconst(A0, 1592), mulhiconst(mulloconst(A0, -1832), 9157)); /* -4690...4705 */ - A0 = add(A0, S0); /* -4690...4960 */ - A0 = ifnegaddconst(A0, 9157); /* 0...9156 */ - A1 = add(shiftleftconst(S1, 8), sub(S0, A0)); - A1 = mulloconst(A1, 25357); - - /* invalid inputs might need reduction mod 9157 */ - A1 = ifgesubconst(A1, 9157); - - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = _mm256_permute2x128_si256(B0, B1, 0x20); - C1 = _mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: r16r17r18r19r20r21r22r23 
r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R1[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R1[2 * i]), C1); - if (!i) { - break; - } - i = -16 - ((~15) & -i); - } - - /* R1 ------> R0: reconstruct mod 761*[1531] */ - - R0[760] = (int16) (3 * R1[380] - 2295); - s -= 380; - i = 364; - for (;;) { - A2 = A0 = _mm256_loadu_si256((__m256i *) &R1[i]); - S0 = _mm256_cvtepu8_epi16(_mm_loadu_si128((__m128i *) (s + i))); - A0 = sub(mulhiconst(A0, 518), mulhiconst(mulloconst(A0, -10958), 1531)); /* -766...895 */ - A0 = add(A0, S0); /* -766...1150 */ - A0 = ifnegaddconst(A0, 1531); /* 0...1530 */ - A1 = add(shiftleftconst(A2, 8), sub(S0, A0)); - A1 = mulloconst(A1, 15667); - - /* invalid inputs might need reduction mod 1531 */ - A1 = ifgesubconst(A1, 1531); - - A0 = mulloconst(A0, 3); - A1 = mulloconst(A1, 3); - A0 = subconst(A0, 2295); - A1 = subconst(A1, 2295); - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = _mm256_permute2x128_si256(B0, B1, 0x20); - C1 = _mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: r16r17r18r19r20r21r22r23 r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R0[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R0[2 * i]), C1); - if (!i) { - break; - } - i = -16 - ((~15) & -i); - } -} diff --git a/crypto_kem/sntrup761/avx2/crypto_decode_761x1531.h b/crypto_kem/sntrup761/avx2/crypto_decode_761x1531.h deleted file mode 100644 index 02ee10a8..00000000 --- a/crypto_kem/sntrup761/avx2/crypto_decode_761x1531.h +++ /dev/null 
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_AVX2_CRYPTO_DECODE_761X1531_H
-#define PQCLEAN_SNTRUP761_AVX2_CRYPTO_DECODE_761X1531_H
-
-#include
-#define PQCLEAN_SNTRUP761_AVX2_crypto_decode_761x1531_STRBYTES 1007
-#define PQCLEAN_SNTRUP761_AVX2_crypto_decode_761x1531_ITEMS 761
-#define PQCLEAN_SNTRUP761_AVX2_crypto_decode_761x1531_ITEMBYTES 2
-
-void PQCLEAN_SNTRUP761_AVX2_crypto_decode_761x1531(void *v, const unsigned char *s);
-#endif
diff --git a/crypto_kem/sntrup761/avx2/crypto_decode_761x3.c b/crypto_kem/sntrup761/avx2/crypto_decode_761x3.c
deleted file mode 100644
index 73b0f092..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_decode_761x3.c
+++ /dev/null
@@ -1,65 +0,0 @@
-#include "crypto_decode_761x3.h"
-#include
-#define uint8 uint8_t
-
-#define p 761
-#define loops 6
-#define overshoot 2
-
-void PQCLEAN_SNTRUP761_AVX2_crypto_decode_761x3(void *v, const unsigned char *s) {
- uint8 *f = v;
- int loop;
- uint8 *nextf = f + 128 - 4 * overshoot;
- const unsigned char *nexts = s + 32 - overshoot;
-
- for (loop = loops; loop > 0; --loop) {
- __m256i s0 = _mm256_loadu_si256((const __m256i *) s);
- s = nexts;
- nexts += 32;
-
- __m256i s1 = _mm256_srli_epi16(s0 & _mm256_set1_epi8(-16), 4);
- s0 &= _mm256_set1_epi8(15);
-
- __m256i a0 = _mm256_unpacklo_epi8(s0, s1);
- /* 0 0>>4 1 1>>4 2 2>>4 3 3>>4 4 4>>4 5 5>>4 6 6>>4 7 7>>4 */
- /* 16 16>>4 ... */
- __m256i a1 = _mm256_unpackhi_epi8(s0, s1);
- /* 8 8>>4 9 9>>4 10 10>>4 ... */
- /* 24 24>>4 ... */
-
- __m256i a2 = _mm256_srli_epi16(a0 & _mm256_set1_epi8(12), 2);
- __m256i a3 = _mm256_srli_epi16(a1 & _mm256_set1_epi8(12), 2);
- a0 &= _mm256_set1_epi8(3);
- a1 &= _mm256_set1_epi8(3);
-
- __m256i b0 = _mm256_unpacklo_epi8(a0, a2);
- /* 0 0>>2 0>>4 0>>6 1 1>>2 1>>4 1>>6 */
- /* 2 2>>2 2>>4 2>>6 3 3>>2 3>>4 3>.6 */
- /* 16 16>>2 16>>4 16>>6 ... */
- __m256i b2 = _mm256_unpackhi_epi8(a0, a2);
- /* 4 4>>2 ... */
- __m256i b1 = _mm256_unpacklo_epi8(a1, a3);
- /* 8 8>>2 ... */
- __m256i b3 = _mm256_unpackhi_epi8(a1, a3);
- /* 12 12>>2 ... */
-
- __m256i f0 = _mm256_permute2x128_si256(b0, b2, 0x20);
- __m256i f2 = _mm256_permute2x128_si256(b0, b2, 0x31);
- __m256i f1 = _mm256_permute2x128_si256(b1, b3, 0x20);
- __m256i f3 = _mm256_permute2x128_si256(b1, b3, 0x31);
-
- f0 = _mm256_add_epi8(f0, _mm256_set1_epi8(-1));
- f1 = _mm256_add_epi8(f1, _mm256_set1_epi8(-1));
- f2 = _mm256_add_epi8(f2, _mm256_set1_epi8(-1));
- f3 = _mm256_add_epi8(f3, _mm256_set1_epi8(-1));
-
- _mm256_storeu_si256((__m256i *) (f + 0), f0);
- _mm256_storeu_si256((__m256i *) (f + 32), f1);
- _mm256_storeu_si256((__m256i *) (f + 64), f2);
- _mm256_storeu_si256((__m256i *) (f + 96), f3);
- f = nextf;
- nextf += 128;
- }
-
- *f = (uint8) ((*s & 3) - 1);
-}
diff --git a/crypto_kem/sntrup761/avx2/crypto_decode_761x3.h b/crypto_kem/sntrup761/avx2/crypto_decode_761x3.h
deleted file mode 100644
index f72e26ad..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_decode_761x3.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_AVX2_CRYPTO_DECODE_761X3_H
-#define PQCLEAN_SNTRUP761_AVX2_CRYPTO_DECODE_761X3_H
-
-#include
-#define PQCLEAN_SNTRUP761_AVX2_crypto_decode_761x3_STRBYTES 191
-#define PQCLEAN_SNTRUP761_AVX2_crypto_decode_761x3_ITEMS 761
-#define PQCLEAN_SNTRUP761_AVX2_crypto_decode_761x3_ITEMBYTES 1
-
-void PQCLEAN_SNTRUP761_AVX2_crypto_decode_761x3(void *v, const unsigned char *s);
-#endif
diff --git a/crypto_kem/sntrup761/avx2/crypto_decode_761x4591.c b/crypto_kem/sntrup761/avx2/crypto_decode_761x4591.c
deleted file mode 100644
index ea31ac79..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_decode_761x4591.c
+++ /dev/null
@@ -1,432 +0,0 @@ -#include "crypto_decode_761x4591.h" -#include -/* auto-generated; do not edit */ - -#define int16 int16_t -#define int32 int32_t - -static inline int16 mullo(int16 x, int16 y) { - return x * y; -} - -static inline int16 mulhi(int16 x, int16 y) { - return (int16) ((x * (int32)y) >> 16); -} - -static inline __m256i add(__m256i x, __m256i y) { - return _mm256_add_epi16(x, y); -} - -static inline __m256i sub(__m256i x, __m256i y) { - return _mm256_sub_epi16(x, y); -} - -static inline __m256i shiftleftconst(__m256i x, int16 y) { - return _mm256_slli_epi16(x, y); -} - -static inline __m256i signedshiftrightconst(__m256i x, int16 y) { - return _mm256_srai_epi16(x, y); -} - -static inline __m256i subconst(__m256i x, int16 y) { - return sub(x, _mm256_set1_epi16(y)); -} - -static inline __m256i mulloconst(__m256i x, int16 y) { - return _mm256_mullo_epi16(x, _mm256_set1_epi16(y)); -} - -static inline __m256i mulhiconst(__m256i x, int16 y) { - return _mm256_mulhi_epi16(x, _mm256_set1_epi16(y)); -} - -static inline __m256i ifgesubconst(__m256i x, int16 y) { - __m256i y16 = _mm256_set1_epi16(y); - __m256i top16 = _mm256_set1_epi16((int16)(y - 1)); - return sub(x, _mm256_cmpgt_epi16(x, top16) & y16); -} - -static inline __m256i ifnegaddconst(__m256i x, int16 y) { - return add(x, signedshiftrightconst(x, 15) & _mm256_set1_epi16(y)); -} - -void PQCLEAN_SNTRUP761_AVX2_crypto_decode_761x4591(void *v, const unsigned char *s) { - int16 *R0 = v; - int16 R1[381], R2[191], R3[96], R4[48], R5[24], R6[12], R7[6], R8[3], R9[2], R10[1]; - long long i; - int16 a0, a1, a2; - __m256i A0, A1, A2, S0, S1, B0, B1, C0, C1; - - s += PQCLEAN_SNTRUP761_AVX2_crypto_decode_761x4591_STRBYTES; - a1 = 0; - a1 += *--s; /* 0...255 */ - a1 = mulhi(a1, -656) - mulhi(mullo(a1, -10434), 1608); - a1 += *--s; /* -804...1056 */ - a1 += (a1 >> 15) & 1608; /* 0...1607 */ - R10[0] = a1; - - /* R10 ------> R9: reconstruct mod 1*[9470]+[11127] */ - - i = 0; - s -= 2; - a2 = a0 = R10[0]; - a0 = 
mulhi(a0, -3624) - mulhi(mullo(a0, -1772), 9470); /* -5641...4735 */ - a0 += s[2 * i + 1]; /* -5641...4990 */ - a0 = mulhi(a0, -3624) - mulhi(mullo(a0, -1772), 9470); /* -5011...5046 */ - a0 += s[2 * i + 0]; /* -5011...5301 */ - a0 += (a0 >> 15) & 9470; /* 0...9469 */ - a1 = (int16) ((a2 << 15) + (s[2 * i + 1] << 7) + ((s[2 * i] - a0) >> 1)); - a1 = mullo(a1, -21121); - - /* invalid inputs might need reduction mod 11127 */ - a1 -= 11127; - a1 += (a1 >> 15) & 11127; - - R9[0] = a0; - R9[1] = a1; - s -= 0; - - /* R9 ------> R8: reconstruct mod 2*[1557]+[11127] */ - - R8[2] = R9[1]; - s -= 1; - for (i = 0; i >= 0; --i) { - a2 = a0 = R9[i]; - a0 = mulhi(a0, 541) - mulhi(mullo(a0, -10775), 1557); /* -779...913 */ - a0 += s[1 * i + 0]; /* -779...1168 */ - a0 += (a0 >> 15) & 1557; /* 0...1556 */ - a1 = (int16) ((a2 << 8) + s[i] - a0); - a1 = mullo(a1, -26307); - - /* invalid inputs might need reduction mod 1557 */ - a1 -= 1557; - a1 += (a1 >> 15) & 1557; - - R8[2 * i] = a0; - R8[2 * i + 1] = a1; - } - - /* R8 ------> R7: reconstruct mod 5*[10101]+[282] */ - - i = 0; - s -= 1; - a2 = a0 = R8[2]; - a0 = mulhi(a0, -545) - mulhi(mullo(a0, -1661), 10101); /* -5187...5050 */ - a0 += s[1 * i + 0]; /* -5187...5305 */ - a0 += (a0 >> 15) & 10101; /* 0...10100 */ - a1 = (int16) ((a2 << 8) + s[i] - a0); - a1 = mullo(a1, 12509); - - /* invalid inputs might need reduction mod 282 */ - a1 -= 282; - a1 += (a1 >> 15) & 282; - - R7[4] = a0; - R7[5] = a1; - s -= 4; - for (i = 1; i >= 0; --i) { - a0 = R8[i]; - a0 = mulhi(a0, -545) - mulhi(mullo(a0, -1661), 10101); /* -5187...5050 */ - a0 += s[2 * i + 1]; /* -5187...5305 */ - a0 = mulhi(a0, -545) - mulhi(mullo(a0, -1661), 10101); /* -5095...5093 */ - a0 += s[2 * i + 0]; /* -5095...5348 */ - a0 += (a0 >> 15) & 10101; /* 0...10100 */ - a1 = (int16) ((s[2 * i + 1] << 8) + s[2 * i] - a0); - a1 = mullo(a1, 12509); - - /* invalid inputs might need reduction mod 10101 */ - a1 -= 10101; - a1 += (a1 >> 15) & 10101; - - R7[2 * i] = a0; - R7[2 * i + 1] 
= a1; - } - - /* R7 ------> R6: reconstruct mod 11*[1608]+[11468] */ - - i = 0; - s -= 2; - a2 = a0 = R7[5]; - a0 = mulhi(a0, -656) - mulhi(mullo(a0, -10434), 1608); /* -968...804 */ - a0 += s[2 * i + 1]; /* -968...1059 */ - a0 = mulhi(a0, -656) - mulhi(mullo(a0, -10434), 1608); /* -815...813 */ - a0 += s[2 * i + 0]; /* -815...1068 */ - a0 += (a0 >> 15) & 1608; /* 0...1607 */ - a1 = (int16) ((a2 << 13) + (s[2 * i + 1] << 5) + ((s[2 * i] - a0) >> 3)); - a1 = mullo(a1, 6521); - - /* invalid inputs might need reduction mod 11468 */ - a1 -= 11468; - a1 += (a1 >> 15) & 11468; - - R6[10] = a0; - R6[11] = a1; - s -= 5; - for (i = 4; i >= 0; --i) { - a2 = a0 = R7[i]; - a0 = mulhi(a0, -656) - mulhi(mullo(a0, -10434), 1608); /* -968...804 */ - a0 += s[1 * i + 0]; /* -968...1059 */ - a0 += (a0 >> 15) & 1608; /* 0...1607 */ - a1 = (int16) ((a2 << 5) + ((s[i] - a0) >> 3)); - a1 = mullo(a1, 6521); - - /* invalid inputs might need reduction mod 1608 */ - a1 -= 1608; - a1 += (a1 >> 15) & 1608; - - R6[2 * i] = a0; - R6[2 * i + 1] = a1; - } - - /* R6 ------> R5: reconstruct mod 23*[10265]+[286] */ - - i = 0; - s -= 1; - a2 = a0 = R6[11]; - a0 = mulhi(a0, 4206) - mulhi(mullo(a0, -1634), 10265); /* -5133...6184 */ - a0 += s[1 * i + 0]; /* -5133...6439 */ - a0 += (a0 >> 15) & 10265; /* 0...10264 */ - a1 = (int16) ((a2 << 8) + s[i] - a0); - a1 = mullo(a1, -19415); - - /* invalid inputs might need reduction mod 286 */ - a1 -= 286; - a1 += (a1 >> 15) & 286; - - R5[22] = a0; - R5[23] = a1; - s -= 22; - for (i = 10; i >= 0; --i) { - a0 = R6[i]; - a0 = mulhi(a0, 4206) - mulhi(mullo(a0, -1634), 10265); /* -5133...6184 */ - a0 += s[2 * i + 1]; /* -5133...6439 */ - a0 = mulhi(a0, 4206) - mulhi(mullo(a0, -1634), 10265); /* -5462...5545 */ - a0 += s[2 * i + 0]; /* -5462...5800 */ - a0 += (a0 >> 15) & 10265; /* 0...10264 */ - a1 = (int16) ((s[2 * i + 1] << 8) + s[2 * i] - a0); - a1 = mullo(a1, -19415); - - /* invalid inputs might need reduction mod 10265 */ - a1 -= 10265; - a1 += (a1 >> 15) & 
10265; - - R5[2 * i] = a0; - R5[2 * i + 1] = a1; - } - - /* R5 ------> R4: reconstruct mod 47*[1621]+[11550] */ - - i = 0; - s -= 2; - a0 = R5[23]; - a0 = mulhi(a0, -134) - mulhi(mullo(a0, -10350), 1621); /* -844...810 */ - a0 += s[2 * i + 1]; /* -844...1065 */ - a0 = mulhi(a0, -134) - mulhi(mullo(a0, -10350), 1621); /* -813...812 */ - a0 += s[2 * i + 0]; /* -813...1067 */ - a0 += (a0 >> 15) & 1621; /* 0...1620 */ - a1 = (int16) ((s[2 * i + 1] << 8) + s[2 * i] - a0); - a1 = mullo(a1, -14595); - - /* invalid inputs might need reduction mod 11550 */ - a1 -= 11550; - a1 += (a1 >> 15) & 11550; - - R4[46] = a0; - R4[47] = a1; - s -= 23; - i = 7; - for (;;) { - A2 = A0 = _mm256_loadu_si256((__m256i *) &R5[i]); - S0 = _mm256_cvtepu8_epi16(_mm_loadu_si128((__m128i *) (s + i))); - A0 = sub(mulhiconst(A0, -134), mulhiconst(mulloconst(A0, -10350), 1621)); /* -844...810 */ - A0 = add(A0, S0); /* -844...1065 */ - A0 = ifnegaddconst(A0, 1621); /* 0...1620 */ - A1 = add(shiftleftconst(A2, 8), sub(S0, A0)); - A1 = mulloconst(A1, -14595); - - /* invalid inputs might need reduction mod 1621 */ - A1 = ifgesubconst(A1, 1621); - - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = _mm256_permute2x128_si256(B0, B1, 0x20); - C1 = _mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: r16r17r18r19r20r21r22r23 r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R4[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R4[2 * i]), C1); - if (!i) { - break; - } - i = -16 - ((~15) & -i); - } - - /* R4 ------> R3: reconstruct mod 95*[644]+[4591] */ - - i = 0; - s -= 1; - a2 = a0 = R4[47]; - a0 = mulhi(a0, -272) - mulhi(mullo(a0, -26052), 644); /* -390...322 */ - a0 += s[1 * i + 0]; 
/* -390...577 */ - a0 += (a0 >> 15) & 644; /* 0...643 */ - a1 = (int16) ((a2 << 6) + ((s[i] - a0) >> 2)); - a1 = mullo(a1, -7327); - - /* invalid inputs might need reduction mod 4591 */ - a1 -= 4591; - a1 += (a1 >> 15) & 4591; - - R3[94] = a0; - R3[95] = a1; - s -= 47; - i = 31; - for (;;) { - A2 = A0 = _mm256_loadu_si256((__m256i *) &R4[i]); - S0 = _mm256_cvtepu8_epi16(_mm_loadu_si128((__m128i *) (s + i))); - A0 = sub(mulhiconst(A0, -272), mulhiconst(mulloconst(A0, -26052), 644)); /* -390...322 */ - A0 = add(A0, S0); /* -390...577 */ - A0 = ifnegaddconst(A0, 644); /* 0...643 */ - A1 = add(shiftleftconst(A2, 6), signedshiftrightconst(sub(S0, A0), 2)); - A1 = mulloconst(A1, -7327); - - /* invalid inputs might need reduction mod 644 */ - A1 = ifgesubconst(A1, 644); - - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = _mm256_permute2x128_si256(B0, B1, 0x20); - C1 = _mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: r16r17r18r19r20r21r22r23 r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R3[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R3[2 * i]), C1); - if (!i) { - break; - } - i = -16 - ((~15) & -i); - } - - /* R3 ------> R2: reconstruct mod 190*[406]+[4591] */ - - R2[190] = R3[95]; - s -= 95; - i = 79; - for (;;) { - A2 = A0 = _mm256_loadu_si256((__m256i *) &R3[i]); - S0 = _mm256_cvtepu8_epi16(_mm_loadu_si128((__m128i *) (s + i))); - A0 = sub(mulhiconst(A0, 78), mulhiconst(mulloconst(A0, 24213), 406)); /* -203...222 */ - A0 = add(A0, S0); /* -203...477 */ - A0 = subconst(A0, 406); /* -609...71 */ - A0 = ifnegaddconst(A0, 406); /* -203...405 */ - A0 = ifnegaddconst(A0, 406); /* 0...405 */ - A1 = add(shiftleftconst(A2, 7), 
signedshiftrightconst(sub(S0, A0), 1)); - A1 = mulloconst(A1, 25827); - - /* invalid inputs might need reduction mod 406 */ - A1 = ifgesubconst(A1, 406); - - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = _mm256_permute2x128_si256(B0, B1, 0x20); - C1 = _mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: r16r17r18r19r20r21r22r23 r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R2[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R2[2 * i]), C1); - if (!i) { - break; - } - i = -16 - ((~15) & -i); - } - - /* R2 ------> R1: reconstruct mod 380*[322]+[4591] */ - - R1[380] = R2[190]; - s -= 190; - i = 174; - for (;;) { - A2 = A0 = _mm256_loadu_si256((__m256i *) &R2[i]); - S0 = _mm256_cvtepu8_epi16(_mm_loadu_si128((__m128i *) (s + i))); - A0 = sub(mulhiconst(A0, 50), mulhiconst(mulloconst(A0, 13433), 322)); /* -161...173 */ - A0 = add(A0, S0); /* -161...428 */ - A0 = subconst(A0, 322); /* -483...106 */ - A0 = ifnegaddconst(A0, 322); /* -161...321 */ - A0 = ifnegaddconst(A0, 322); /* 0...321 */ - A1 = add(shiftleftconst(A2, 7), signedshiftrightconst(sub(S0, A0), 1)); - A1 = mulloconst(A1, -7327); - - /* invalid inputs might need reduction mod 322 */ - A1 = ifgesubconst(A1, 322); - - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = _mm256_permute2x128_si256(B0, B1, 0x20); - C1 = _mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: 
r16r17r18r19r20r21r22r23 r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R1[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R1[2 * i]), C1); - if (!i) { - break; - } - i = -16 - ((~15) & -i); - } - - /* R1 ------> R0: reconstruct mod 761*[4591] */ - - R0[760] = R1[380] - 2295; - s -= 760; - i = 364; - for (;;) { - A0 = _mm256_loadu_si256((__m256i *) &R1[i]); - S0 = _mm256_loadu_si256((__m256i *) (s + 2 * i)); - S1 = _mm256_srli_epi16(S0, 8); - S0 &= _mm256_set1_epi16(255); - A0 = sub(mulhiconst(A0, 1702), mulhiconst(mulloconst(A0, -3654), 4591)); /* -2296...2721 */ - A0 = add(A0, S1); /* -2296...2976 */ - A0 = sub(mulhiconst(A0, 1702), mulhiconst(mulloconst(A0, -3654), 4591)); /* -2356...2372 */ - A0 = add(A0, S0); /* -2356...2627 */ - A0 = ifnegaddconst(A0, 4591); /* 0...4590 */ - A1 = add(shiftleftconst(S1, 8), sub(S0, A0)); - A1 = mulloconst(A1, 15631); - - /* invalid inputs might need reduction mod 4591 */ - A1 = ifgesubconst(A1, 4591); - - A0 = subconst(A0, 2295); - A1 = subconst(A1, 2295); - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = _mm256_permute2x128_si256(B0, B1, 0x20); - C1 = _mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: r16r17r18r19r20r21r22r23 r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R0[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R0[2 * i]), C1); - if (!i) { - break; - } - i = -16 - ((~15) & -i); - } -} diff --git a/crypto_kem/sntrup761/avx2/crypto_decode_761x4591.h b/crypto_kem/sntrup761/avx2/crypto_decode_761x4591.h deleted file mode 100644 index 6b637814..00000000 --- a/crypto_kem/sntrup761/avx2/crypto_decode_761x4591.h +++ /dev/null 
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_AVX2_CRYPTO_DECODE_761X4591_H
-#define PQCLEAN_SNTRUP761_AVX2_CRYPTO_DECODE_761X4591_H
-
-#include
-#define PQCLEAN_SNTRUP761_AVX2_crypto_decode_761x4591_STRBYTES 1158
-#define PQCLEAN_SNTRUP761_AVX2_crypto_decode_761x4591_ITEMS 761
-#define PQCLEAN_SNTRUP761_AVX2_crypto_decode_761x4591_ITEMBYTES 2
-
-void PQCLEAN_SNTRUP761_AVX2_crypto_decode_761x4591(void *v, const unsigned char *s);
-#endif
diff --git a/crypto_kem/sntrup761/avx2/crypto_decode_761xint16.c b/crypto_kem/sntrup761/avx2/crypto_decode_761xint16.c
deleted file mode 100644
index 68210a2c..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_decode_761xint16.c
+++ /dev/null
@@ -1,15 +0,0 @@
-#include "crypto_decode_761xint16.h"
-
-
-void PQCLEAN_SNTRUP761_AVX2_crypto_decode_761xint16(void *v, const unsigned char *s) {
- uint16_t *x = v;
- int i;
-
- for (i = 0; i < 761; ++i) {
- uint16_t u0 = s[0];
- uint16_t u1 = s[1];
- *x = (uint16_t) (u0 | (u1 << 8));
- x += 1;
- s += 2;
- }
-}
diff --git a/crypto_kem/sntrup761/avx2/crypto_decode_761xint16.h b/crypto_kem/sntrup761/avx2/crypto_decode_761xint16.h
deleted file mode 100644
index 050d7c9a..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_decode_761xint16.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_AVX2_CRYPTO_DECODE_761XINT16_H
-#define PQCLEAN_SNTRUP761_AVX2_CRYPTO_DECODE_761XINT16_H
-
-#include
-#define PQCLEAN_SNTRUP761_AVX2_crypto_decode_761xint16_STRBYTES 1522
-#define PQCLEAN_SNTRUP761_AVX2_crypto_decode_761xint16_ITEMBYTES 2
-#define PQCLEAN_SNTRUP761_AVX2_crypto_decode_761xint16_ITEMS 761
-
-void PQCLEAN_SNTRUP761_AVX2_crypto_decode_761xint16(void *v, const unsigned char *s);
-#endif
diff --git a/crypto_kem/sntrup761/avx2/crypto_decode_761xint32.c b/crypto_kem/sntrup761/avx2/crypto_decode_761xint32.c
deleted file mode 100644
index fb5210b1..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_decode_761xint32.c
+++ /dev/null
@@ -1,20 +0,0 @@
-#include "crypto_decode_761xint32.h"
-
-
-void PQCLEAN_SNTRUP761_AVX2_crypto_decode_761xint32(void *v, const unsigned char *s) {
- uint32_t *x = v;
- int i;
-
- for (i = 0; i < 761; ++i) {
- uint32_t u0 = s[0];
- uint32_t u1 = s[1];
- uint32_t u2 = s[2];
- uint32_t u3 = s[3];
- u1 <<= 8;
- u2 <<= 16;
- u3 <<= 24;
- *x = u0 | u1 | u2 | u3;
- x += 1;
- s += 4;
- }
-}
diff --git a/crypto_kem/sntrup761/avx2/crypto_decode_761xint32.h b/crypto_kem/sntrup761/avx2/crypto_decode_761xint32.h
deleted file mode 100644
index dfaf6eeb..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_decode_761xint32.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_AVX2_CRYPTO_DECODE_761XINT32_H
-#define PQCLEAN_SNTRUP761_AVX2_CRYPTO_DECODE_761XINT32_H
-
-#include
-#define PQCLEAN_SNTRUP761_AVX2_crypto_decode_761xint32_STRBYTES 3044
-#define PQCLEAN_SNTRUP761_AVX2_crypto_decode_761xint32_ITEMBYTES 4
-#define PQCLEAN_SNTRUP761_AVX2_crypto_decode_761xint32_ITEMS 761
-
-void PQCLEAN_SNTRUP761_AVX2_crypto_decode_761xint32(void *v, const unsigned char *s);
-#endif
diff --git a/crypto_kem/sntrup761/avx2/crypto_decode_int16.c b/crypto_kem/sntrup761/avx2/crypto_decode_int16.c
deleted file mode 100644
index 3994a7e5..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_decode_int16.c
+++ /dev/null
@@ -1,9 +0,0 @@
-#include "crypto_decode_int16.h"
-
-
-void PQCLEAN_SNTRUP761_AVX2_crypto_decode_int16(void *x, const unsigned char *s) {
- uint16_t u0 = s[0];
- uint16_t u1 = s[1];
- u1 = (uint16_t) (u1 << 8);
- *(uint16_t *) x = u0 | u1;
-}
diff --git a/crypto_kem/sntrup761/avx2/crypto_decode_int16.h b/crypto_kem/sntrup761/avx2/crypto_decode_int16.h
deleted file mode 100644
index 8ed24816..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_decode_int16.h
+++ /dev/null
@@ -1,9 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_AVX2_CRYPTO_DECODE_INT16_H
-#define PQCLEAN_SNTRUP761_AVX2_CRYPTO_DECODE_INT16_H
-
-#include
-#define crypto_core_multsntrup857_STRBYTES 2
-#define crypto_core_multsntrup857_ITEMBYTES 2
-#define crypto_core_multsntrup857_ITEMS 1
-void PQCLEAN_SNTRUP761_AVX2_crypto_decode_int16(void *x, const unsigned char *s);
-#endif
diff --git a/crypto_kem/sntrup761/avx2/crypto_encode_761x1531.c b/crypto_kem/sntrup761/avx2/crypto_encode_761x1531.c
deleted file mode 100644
index c293a1b1..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_encode_761x1531.c
+++ /dev/null
@@ -1,301 +0,0 @@ -#include "crypto_encode_761x1531.h" -#include -/* auto-generated; do not edit */ - -#define int16 int16_t -#define uint16 uint16_t -#define uint32 uint32_t - -void PQCLEAN_SNTRUP761_AVX2_crypto_encode_761x1531(unsigned char *out, const void *v) { - const int16 *R0 = v; - /* XXX: caller could overlap R with input */ - uint16 R[381]; - long i; - const uint16 *reading; - uint16 *writing; - uint16 r0, r1; - uint32 r2; - uint32 s0; - - reading = (uint16 *) R0; - writing = R; - i = 48; - while (i > 0) { - __m256i x, y; - --i; - if (!i) { - reading -= 8; - writing -= 4; - out -= 4; - } - x = _mm256_loadu_si256((__m256i *) reading); - x = _mm256_add_epi16(x, _mm256_set1_epi16(2295)); - x &= _mm256_set1_epi16(16383); - x = _mm256_mulhi_epi16(x, _mm256_set1_epi16(21846)); - y = x & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(1531)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, _mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) _mm256_extract_epi32(x, 6); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - reading += 16; - writing += 8; - } - R[380] = (uint16) ((((R0[760] + 2295) & 16383) * 10923) >> 15); - - reading = (uint16 *) R; - writing = R; - i = 12; - while (i > 0) { - __m256i x, x2, y, y2; - --i; - if (!i) { - reading -= 4; - writing -= 2; - out -= 4; - } - x = _mm256_loadu_si256((__m256i *) (reading + 0)); - x2 = _mm256_loadu_si256((__m256i *) (reading + 16)); 
- y = x & _mm256_set1_epi32(65535); - y2 = x2 & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x2 = _mm256_srli_epi32(x2, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(9157)); - x2 = _mm256_mullo_epi32(x2, _mm256_set1_epi32(9157)); - x = _mm256_add_epi32(y, x); - x2 = _mm256_add_epi32(y2, x2); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x2 = _mm256_shuffle_epi8(x2, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - x2 = _mm256_permute4x64_epi64(x2, 0xd8); - _mm256_storeu_si256((__m256i *) writing, _mm256_permute2f128_si256(x, x2, 0x31)); - _mm256_storeu_si256((__m256i *) out, _mm256_permute2f128_si256(x, x2, 0x20)); - reading += 32; - writing += 16; - out += 32; - } - R[190] = R[380]; - - reading = (uint16 *) R; - writing = R; - i = 12; - while (i > 0) { - __m256i x, y; - --i; - if (!i) { - reading -= 2; - writing -= 1; - out -= 1; - } - x = _mm256_loadu_si256((__m256i *) reading); - y = x & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(1280)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, _mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) _mm256_extract_epi32(x, 6); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - 
reading += 16; - writing += 8; - } - R[95] = R[190]; - - reading = (uint16 *) R; - writing = R; - i = 3; - while (i > 0) { - __m256i x, x2, y, y2; - --i; - x = _mm256_loadu_si256((__m256i *) (reading + 0)); - x2 = _mm256_loadu_si256((__m256i *) (reading + 16)); - y = x & _mm256_set1_epi32(65535); - y2 = x2 & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x2 = _mm256_srli_epi32(x2, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(6400)); - x2 = _mm256_mullo_epi32(x2, _mm256_set1_epi32(6400)); - x = _mm256_add_epi32(y, x); - x2 = _mm256_add_epi32(y2, x2); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x2 = _mm256_shuffle_epi8(x2, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - x2 = _mm256_permute4x64_epi64(x2, 0xd8); - _mm256_storeu_si256((__m256i *) writing, _mm256_permute2f128_si256(x, x2, 0x31)); - _mm256_storeu_si256((__m256i *) out, _mm256_permute2f128_si256(x, x2, 0x20)); - reading += 32; - writing += 16; - out += 32; - } - - reading = (uint16 *) R; - writing = R; - i = 3; - while (i > 0) { - __m256i x, y; - --i; - x = _mm256_loadu_si256((__m256i *) reading); - y = x & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(625)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, _mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) 
_mm256_extract_epi32(x, 6); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - reading += 16; - writing += 8; - } - - reading = (uint16 *) R; - writing = R; - i = 2; - while (i > 0) { - __m256i x, y; - --i; - if (!i) { - reading -= 8; - writing -= 4; - out -= 4; - } - x = _mm256_loadu_si256((__m256i *) reading); - y = x & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(1526)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, _mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) _mm256_extract_epi32(x, 6); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - reading += 16; - writing += 8; - } - - for (i = 0; i < 6; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)9097; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - - for (i = 0; i < 3; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)1263; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - - r0 = R[0]; - r1 = R[1]; - r2 = r0 + r1 * (uint32)6232; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[0] = (uint16) r2; - R[1] = R[2]; - - r0 = R[0]; - r1 = R[1]; - r2 = r0 + r1 * (uint32)593; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[0] = (uint16) r2; - - r0 = R[0]; - 
*out++ = (unsigned char) r0; - r0 >>= 8; - *out++ = (unsigned char) r0; -} diff --git a/crypto_kem/sntrup761/avx2/crypto_encode_761x1531.h b/crypto_kem/sntrup761/avx2/crypto_encode_761x1531.h deleted file mode 100644 index c4a2a753..00000000 --- a/crypto_kem/sntrup761/avx2/crypto_encode_761x1531.h +++ /dev/null @@ -1,10 +0,0 @@ -#ifndef PQCLEAN_SNTRUP761_AVX2_CRYPTO_ENCODE_761X1531_H -#define PQCLEAN_SNTRUP761_AVX2_CRYPTO_ENCODE_761X1531_H - -#include -#define PQCLEAN_SNTRUP761_AVX2_crypto_encode_761x1531_STRBYTES 1007 -#define PQCLEAN_SNTRUP761_AVX2_crypto_encode_761x1531_ITEMS 761 -#define PQCLEAN_SNTRUP761_AVX2_crypto_encode_761x1531_ITEMBYTES 2 - -void PQCLEAN_SNTRUP761_AVX2_crypto_encode_761x1531(unsigned char *out, const void *v); -#endif diff --git a/crypto_kem/sntrup761/avx2/crypto_encode_761x1531round.c b/crypto_kem/sntrup761/avx2/crypto_encode_761x1531round.c deleted file mode 100644 index 7aa27f42..00000000 --- a/crypto_kem/sntrup761/avx2/crypto_encode_761x1531round.c +++ /dev/null 
@@ -1,303 +0,0 @@ -#include "crypto_encode_761x1531round.h" -#include -/* auto-generated; do not edit */ - -#define int16 int16_t -#define uint16 uint16_t -#define uint32 uint32_t - -void PQCLEAN_SNTRUP761_AVX2_crypto_encode_761x1531round(unsigned char *out, const void *v) { - const int16 *R0 = v; - /* XXX: caller could overlap R with input */ - uint16 R[381]; - long i; - const uint16 *reading; - uint16 *writing; - uint16 r0, r1; - uint32 r2; - uint32 s0; - - reading = (uint16 *) R0; - writing = R; - i = 48; - while (i > 0) { - __m256i x, y; - --i; - if (!i) { - reading -= 8; - writing -= 4; - out -= 4; - } - x = _mm256_loadu_si256((__m256i *) reading); - x = _mm256_mulhrs_epi16(x, _mm256_set1_epi16(10923)); - x = _mm256_add_epi16(x, _mm256_add_epi16(x, x)); - x = _mm256_add_epi16(x, _mm256_set1_epi16(2295)); - x &= _mm256_set1_epi16(16383); - x = _mm256_mulhi_epi16(x, _mm256_set1_epi16(21846)); - y = x & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(1531)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, _mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) _mm256_extract_epi32(x, 6); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - reading += 16; - writing += 8; - } - R[380] = (uint16) ((((3 * ((10923 * R0[760] + 16384) >> 15) + 2295) & 16383) * 10923) >> 15); - - reading = (uint16 *) R; - writing = R; - i = 12; - while (i > 0) { - __m256i x, x2, y, y2; - --i; - if (!i) { - 
reading -= 4; - writing -= 2; - out -= 4; - } - x = _mm256_loadu_si256((__m256i *) (reading + 0)); - x2 = _mm256_loadu_si256((__m256i *) (reading + 16)); - y = x & _mm256_set1_epi32(65535); - y2 = x2 & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x2 = _mm256_srli_epi32(x2, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(9157)); - x2 = _mm256_mullo_epi32(x2, _mm256_set1_epi32(9157)); - x = _mm256_add_epi32(y, x); - x2 = _mm256_add_epi32(y2, x2); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x2 = _mm256_shuffle_epi8(x2, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - x2 = _mm256_permute4x64_epi64(x2, 0xd8); - _mm256_storeu_si256((__m256i *) writing, _mm256_permute2f128_si256(x, x2, 0x31)); - _mm256_storeu_si256((__m256i *) out, _mm256_permute2f128_si256(x, x2, 0x20)); - reading += 32; - writing += 16; - out += 32; - } - R[190] = R[380]; - - reading = (uint16 *) R; - writing = R; - i = 12; - while (i > 0) { - __m256i x, y; - --i; - if (!i) { - reading -= 2; - writing -= 1; - out -= 1; - } - x = _mm256_loadu_si256((__m256i *) reading); - y = x & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(1280)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, _mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) _mm256_extract_epi32(x, 6); - *out++ = 
(unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - reading += 16; - writing += 8; - } - R[95] = R[190]; - - reading = (uint16 *) R; - writing = R; - i = 3; - while (i > 0) { - __m256i x, x2, y, y2; - --i; - x = _mm256_loadu_si256((__m256i *) (reading + 0)); - x2 = _mm256_loadu_si256((__m256i *) (reading + 16)); - y = x & _mm256_set1_epi32(65535); - y2 = x2 & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x2 = _mm256_srli_epi32(x2, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(6400)); - x2 = _mm256_mullo_epi32(x2, _mm256_set1_epi32(6400)); - x = _mm256_add_epi32(y, x); - x2 = _mm256_add_epi32(y2, x2); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x2 = _mm256_shuffle_epi8(x2, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - x2 = _mm256_permute4x64_epi64(x2, 0xd8); - _mm256_storeu_si256((__m256i *) writing, _mm256_permute2f128_si256(x, x2, 0x31)); - _mm256_storeu_si256((__m256i *) out, _mm256_permute2f128_si256(x, x2, 0x20)); - reading += 32; - writing += 16; - out += 32; - } - - reading = (uint16 *) R; - writing = R; - i = 3; - while (i > 0) { - __m256i x, y; - --i; - x = _mm256_loadu_si256((__m256i *) reading); - y = x & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(625)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, _mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 
>>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) _mm256_extract_epi32(x, 6); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - reading += 16; - writing += 8; - } - - reading = (uint16 *) R; - writing = R; - i = 2; - while (i > 0) { - __m256i x, y; - --i; - if (!i) { - reading -= 8; - writing -= 4; - out -= 4; - } - x = _mm256_loadu_si256((__m256i *) reading); - y = x & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(1526)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, _mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) _mm256_extract_epi32(x, 6); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - reading += 16; - writing += 8; - } - - for (i = 0; i < 6; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)9097; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - - for (i = 0; i < 3; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)1263; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - - r0 = R[0]; - r1 = R[1]; - r2 = r0 + r1 * (uint32)6232; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[0] = (uint16) r2; - R[1] = R[2]; - 
- r0 = R[0];
- r1 = R[1];
- r2 = r0 + r1 * (uint32)593;
- *out++ = (unsigned char) r2;
- r2 >>= 8;
- R[0] = (uint16) r2;
-
- r0 = R[0];
- *out++ = (unsigned char) r0;
- r0 >>= 8;
- *out++ = (unsigned char) r0;
-}
diff --git a/crypto_kem/sntrup761/avx2/crypto_encode_761x1531round.h b/crypto_kem/sntrup761/avx2/crypto_encode_761x1531round.h
deleted file mode 100644
index b3c29ef9..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_encode_761x1531round.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_AVX2_CRYPTO_ENCODE_761X1531ROUND_H
-#define PQCLEAN_SNTRUP761_AVX2_CRYPTO_ENCODE_761X1531ROUND_H
-
-#include
-#define PQCLEAN_SNTRUP761_AVX2_crypto_encode_761x1531round_STRBYTES 1007
-#define PQCLEAN_SNTRUP761_AVX2_crypto_encode_761x1531round_ITEMS 761
-#define PQCLEAN_SNTRUP761_AVX2_crypto_encode_761x1531round_ITEMBYTES 2
-
-void PQCLEAN_SNTRUP761_AVX2_crypto_encode_761x1531round(unsigned char *out, const void *v);
-#endif
diff --git a/crypto_kem/sntrup761/avx2/crypto_encode_761x3.c b/crypto_kem/sntrup761/avx2/crypto_encode_761x3.c
deleted file mode 100644
index d7442199..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_encode_761x3.c
+++ /dev/null
@@ -1,64 +0,0 @@ -#include "crypto_encode_761x3.h" -#include -#define uint8 uint8_t - -#define p 761 -#define loops 6 -#define overshoot 2 - -static const union { - uint8 init[32]; - __m256i val; -} lobytes_buf = { .init = { - 255, 0, 255, 0, 255, 0, 255, 0, - 255, 0, 255, 0, 255, 0, 255, 0, - 255, 0, 255, 0, 255, 0, 255, 0, - 255, 0, 255, 0, 255, 0, 255, 0, - } -}; -#define lobytes (lobytes_buf.val) - -void PQCLEAN_SNTRUP761_AVX2_crypto_encode_761x3(unsigned char *s, const void *v) { - const uint8 *f = v; - int loop; - const uint8 *nextf = f + 128 - 4 * overshoot; - unsigned char *nexts = s + 32 - overshoot; - - for (loop = loops; loop > 0; --loop) { - __m256i f0 = _mm256_loadu_si256((const __m256i *) (f + 0)); - __m256i f1 = _mm256_loadu_si256((const __m256i *) (f + 32)); - __m256i f2 = _mm256_loadu_si256((const __m256i *) (f + 64)); - __m256i f3 = _mm256_loadu_si256((const __m256i *) (f + 96)); - f = nextf; - nextf += 128; - - __m256i a0 = _mm256_packus_epi16(f0 & lobytes, f1 & lobytes); - /* 0 2 4 6 8 10 12 14 32 34 36 38 40 42 44 46 */ - /* 16 18 20 22 24 26 28 30 48 50 52 54 56 58 60 62 */ - __m256i a1 = _mm256_packus_epi16(_mm256_srli_epi16(f0, 8), _mm256_srli_epi16(f1, 8)); - /* 1 3 ... */ - __m256i a2 = _mm256_packus_epi16(f2 & lobytes, f3 & lobytes); - __m256i a3 = _mm256_packus_epi16(_mm256_srli_epi16(f2, 8), _mm256_srli_epi16(f3, 8)); - - a0 = _mm256_add_epi8(a0, _mm256_slli_epi16(a1 & _mm256_set1_epi8(63), 2)); - a2 = _mm256_add_epi8(a2, _mm256_slli_epi16(a3 & _mm256_set1_epi8(63), 2)); - - __m256i b0 = _mm256_packus_epi16(a0 & lobytes, a2 & lobytes); - /* 0 4 8 12 32 36 40 44 64 68 72 76 96 100 104 108 */ - /* 16 20 24 28 48 52 56 60 80 84 88 92 112 116 120 124 */ - __m256i b2 = _mm256_packus_epi16(_mm256_srli_epi16(a0, 8), _mm256_srli_epi16(a2, 8)); - /* 2 6 ... 
*/
-
- b0 = _mm256_add_epi8(b0, _mm256_slli_epi16(b2 & _mm256_set1_epi8(15), 4));
-
- b0 = _mm256_permutevar8x32_epi32(b0, _mm256_set_epi32(7, 3, 6, 2, 5, 1, 4, 0));
-
- b0 = _mm256_add_epi8(b0, _mm256_set1_epi8(85));
-
- _mm256_storeu_si256((__m256i *) s, b0);
- s = nexts;
- nexts += 32;
- }
-
- *s++ = *f++ + 1;
-}
diff --git a/crypto_kem/sntrup761/avx2/crypto_encode_761x3.h b/crypto_kem/sntrup761/avx2/crypto_encode_761x3.h
deleted file mode 100644
index e99384fb..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_encode_761x3.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_AVX2_CRYPTO_ENCODE_761X3_H
-#define PQCLEAN_SNTRUP761_AVX2_CRYPTO_ENCODE_761X3_H
-
-#include
-#define PQCLEAN_SNTRUP761_AVX2_crypto_encode_761x3_STRBYTES 191
-#define PQCLEAN_SNTRUP761_AVX2_crypto_encode_761x3_ITEMS 761
-#define PQCLEAN_SNTRUP761_AVX2_crypto_encode_761x3_ITEMBYTES 1
-
-void PQCLEAN_SNTRUP761_AVX2_crypto_encode_761x3(unsigned char *s, const void *v);
-#endif
diff --git a/crypto_kem/sntrup761/avx2/crypto_encode_761x4591.c b/crypto_kem/sntrup761/avx2/crypto_encode_761x4591.c
deleted file mode 100644
index 128cd4bb..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_encode_761x4591.c
+++ /dev/null
@@ -1,308 +0,0 @@ -#include "crypto_encode_761x4591.h" -#include -/* auto-generated; do not edit */ - -#define int16 int16_t -#define uint16 uint16_t -#define uint32 uint32_t - -void PQCLEAN_SNTRUP761_AVX2_crypto_encode_761x4591(unsigned char *out, const void *v) { - const int16 *R0 = v; - /* XXX: caller could overlap R with input */ - uint16 R[381]; - long i; - const uint16 *reading; - uint16 *writing; - uint16 r0, r1; - uint32 r2; - uint32 s0; - - reading = (uint16 *) R0; - writing = R; - i = 24; - while (i > 0) { - __m256i x, x2, y, y2; - --i; - if (!i) { - reading -= 8; - writing -= 4; - out -= 8; - } - x = _mm256_loadu_si256((__m256i *) (reading + 0)); - x2 = _mm256_loadu_si256((__m256i *) (reading + 16)); - x = _mm256_add_epi16(x, _mm256_set1_epi16(2295)); - x2 = _mm256_add_epi16(x2, _mm256_set1_epi16(2295)); - x &= _mm256_set1_epi16(16383); - x2 &= _mm256_set1_epi16(16383); - y = x & _mm256_set1_epi32(65535); - y2 = x2 & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x2 = _mm256_srli_epi32(x2, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(4591)); - x2 = _mm256_mullo_epi32(x2, _mm256_set1_epi32(4591)); - x = _mm256_add_epi32(y, x); - x2 = _mm256_add_epi32(y2, x2); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x2 = _mm256_shuffle_epi8(x2, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - x2 = _mm256_permute4x64_epi64(x2, 0xd8); - _mm256_storeu_si256((__m256i *) writing, _mm256_permute2f128_si256(x, x2, 0x31)); - _mm256_storeu_si256((__m256i *) out, _mm256_permute2f128_si256(x, x2, 0x20)); - reading += 32; - writing += 16; - out += 32; - } - R[380] = (uint16) (((R0[760] + 2295) & 16383)); - - reading = (uint16 *) R; - writing = R; - i = 24; - while (i > 0) { - __m256i x, y; - --i; - if (!i) { - reading 
-= 4; - writing -= 2; - out -= 2; - } - x = _mm256_loadu_si256((__m256i *) reading); - y = x & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(322)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, _mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) _mm256_extract_epi32(x, 6); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - reading += 16; - writing += 8; - } - R[190] = R[380]; - - reading = (uint16 *) R; - writing = R; - i = 12; - while (i > 0) { - __m256i x, y; - --i; - if (!i) { - reading -= 2; - writing -= 1; - out -= 1; - } - x = _mm256_loadu_si256((__m256i *) reading); - y = x & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(406)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, _mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) _mm256_extract_epi32(x, 6); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned 
char) s0; - reading += 16; - writing += 8; - } - R[95] = R[190]; - - reading = (uint16 *) R; - writing = R; - i = 6; - while (i > 0) { - __m256i x, y; - --i; - x = _mm256_loadu_si256((__m256i *) reading); - y = x & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(644)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, _mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) _mm256_extract_epi32(x, 6); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - reading += 16; - writing += 8; - } - - reading = (uint16 *) R; - writing = R; - i = 3; - while (i > 0) { - __m256i x, y; - --i; - if (!i) { - reading -= 2; - writing -= 1; - out -= 1; - } - x = _mm256_loadu_si256((__m256i *) reading); - y = x & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(1621)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, _mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) _mm256_extract_epi32(x, 6); - *out++ = (unsigned char) s0; - s0 >>= 8; - 
*out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - reading += 16; - writing += 8; - } - r0 = R[46]; - r1 = R[47]; - r2 = r0 + r1 * (uint32)1621; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[23] = (uint16) r2; - - for (i = 0; i < 11; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)10265; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - r0 = R[22]; - r1 = R[23]; - r2 = r0 + r1 * (uint32)10265; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[11] = (uint16) r2; - - for (i = 0; i < 5; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)1608; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - r0 = R[10]; - r1 = R[11]; - r2 = r0 + r1 * (uint32)1608; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[5] = (uint16) r2; - - for (i = 0; i < 2; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)10101; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - r0 = R[4]; - r1 = R[5]; - r2 = r0 + r1 * (uint32)10101; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[2] = (uint16) r2; - - r0 = R[0]; - r1 = R[1]; - r2 = r0 + r1 * (uint32)1557; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[0] = (uint16) r2; - R[1] = R[2]; - - r0 = R[0]; - r1 = R[1]; - r2 = r0 + r1 * (uint32)9470; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[0] = (uint16) r2; - - r0 = R[0]; - *out++ = (unsigned char) r0; - r0 >>= 8; - *out++ = (unsigned char) r0; -} diff --git a/crypto_kem/sntrup761/avx2/crypto_encode_761x4591.h b/crypto_kem/sntrup761/avx2/crypto_encode_761x4591.h deleted file mode 100644 index 52404cc2..00000000 --- a/crypto_kem/sntrup761/avx2/crypto_encode_761x4591.h +++ /dev/null 
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_AVX2_CRYPTO_ENCODE_761X4591_H
-#define PQCLEAN_SNTRUP761_AVX2_CRYPTO_ENCODE_761X4591_H
-
-#include
-#define PQCLEAN_SNTRUP761_AVX2_crypto_encode_761x4591_STRBYTES 1158
-#define PQCLEAN_SNTRUP761_AVX2_crypto_encode_761x4591_ITEMS 761
-#define PQCLEAN_SNTRUP761_AVX2_crypto_encode_761x4591_ITEMBYTES 2
-
-void PQCLEAN_SNTRUP761_AVX2_crypto_encode_761x4591(unsigned char *out, const void *v);
-#endif
diff --git a/crypto_kem/sntrup761/avx2/crypto_encode_761xfreeze3.c b/crypto_kem/sntrup761/avx2/crypto_encode_761xfreeze3.c
deleted file mode 100644
index 6622e310..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_encode_761xfreeze3.c
+++ /dev/null
@@ -1,31 +0,0 @@
-#include "crypto_encode_761xfreeze3.h"
-#include
-#define int16 int16_t
-
-#define p 761
-
-void PQCLEAN_SNTRUP761_AVX2_crypto_encode_761xfreeze3(unsigned char *s, const void *v) {
- const int16 *r = v;
-
- int i = p - 16;
- for (;;) {
- do {
- __m256i x = _mm256_loadu_si256((__m256i *) r);
- __m256i y = _mm256_mulhrs_epi16(x, _mm256_set1_epi16(10923));
- x = _mm256_sub_epi16(x, y);
- y = _mm256_add_epi16(y, y);
- x = _mm256_sub_epi16(x, y);
- __m128i x0 = _mm256_extractf128_si256(x, 0);
- __m128i x1 = _mm256_extractf128_si256(x, 1);
- _mm_storeu_si128((__m128i *) s, _mm_packs_epi16(x0, x1));
- i -= 16;
- r += 16;
- s += 16;
- } while (i >= 0);
- if (i <= -16) {
- break;
- }
- r += i;
- s += i;
- }
-}
diff --git a/crypto_kem/sntrup761/avx2/crypto_encode_761xfreeze3.h b/crypto_kem/sntrup761/avx2/crypto_encode_761xfreeze3.h
deleted file mode 100644
index cc89f9a5..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_encode_761xfreeze3.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_AVX2_CRYPTO_ENCODE_761XFREEZE3_H
-#define PQCLEAN_SNTRUP761_AVX2_CRYPTO_ENCODE_761XFREEZE3_H
-
-#include
-#define PQCLEAN_SNTRUP761_AVX2_crypto_encode_761xfreeze3_STRBYTES 761
-#define PQCLEAN_SNTRUP761_AVX2_crypto_encode_761xfreeze3_ITEMS 761
-#define PQCLEAN_SNTRUP761_AVX2_crypto_encode_761xfreeze3_ITEMBYTES 2
-
-void PQCLEAN_SNTRUP761_AVX2_crypto_encode_761xfreeze3(unsigned char *s, const void *v);
-#endif
diff --git a/crypto_kem/sntrup761/avx2/crypto_encode_761xint16.c b/crypto_kem/sntrup761/avx2/crypto_encode_761xint16.c
deleted file mode 100644
index db839f08..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_encode_761xint16.c
+++ /dev/null
@@ -1,13 +0,0 @@
-#include "crypto_encode_761xint16.h"
-
-
-void PQCLEAN_SNTRUP761_AVX2_crypto_encode_761xint16(unsigned char *s, const void *v) {
- const uint16_t *x = v;
- int i;
-
- for (i = 0; i < 761; ++i) {
- uint16_t u = *x++;
- *s++ = (unsigned char) u;
- *s++ = (unsigned char) (u >> 8);
- }
-}
diff --git a/crypto_kem/sntrup761/avx2/crypto_encode_761xint16.h b/crypto_kem/sntrup761/avx2/crypto_encode_761xint16.h
deleted file mode 100644
index 38252f8d..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_encode_761xint16.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_AVX2_CRYPTO_ENCODE_761XINT16_H
-#define PQCLEAN_SNTRUP761_AVX2_CRYPTO_ENCODE_761XINT16_H
-
-#include
-#define PQCLEAN_SNTRUP761_AVX2_crypto_encode_761xint16_STRBYTES 1522
-#define PQCLEAN_SNTRUP761_AVX2_crypto_encode_761xint16_ITEMBYTES 2
-#define PQCLEAN_SNTRUP761_AVX2_crypto_encode_761xint16_ITEMS 761
-
-void PQCLEAN_SNTRUP761_AVX2_crypto_encode_761xint16(unsigned char *s, const void *v);
-#endif
diff --git a/crypto_kem/sntrup761/avx2/crypto_encode_int16.c b/crypto_kem/sntrup761/avx2/crypto_encode_int16.c
deleted file mode 100644
index 53b9535d..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_encode_int16.c
+++ /dev/null
@@ -1,9 +0,0 @@
-#include "crypto_encode_int16.h"
-
-#define uint16 uint16_t
-
-void PQCLEAN_SNTRUP761_AVX2_crypto_encode_int16(unsigned char *s, const void *x) {
- uint16 u = *(const uint16 *) x;
- s[0] = (unsigned char) u;
- s[1] = (unsigned char) (u >> 8);
-}
diff --git a/crypto_kem/sntrup761/avx2/crypto_encode_int16.h b/crypto_kem/sntrup761/avx2/crypto_encode_int16.h
deleted file mode 100644
index 348de67a..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_encode_int16.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_AVX2_CRYPTO_ENCODE_INT16_H
-#define PQCLEAN_SNTRUP761_AVX2_CRYPTO_ENCODE_INT16_H
-
-#include
-#define PQCLEAN_SNTRUP761_AVX2_crypto_encode_int16_STRBYTES 2
-#define PQCLEAN_SNTRUP761_AVX2_crypto_encode_int16_ITEMBYTES 2
-#define PQCLEAN_SNTRUP761_AVX2_crypto_encode_int16_ITEMS 1
-
-void PQCLEAN_SNTRUP761_AVX2_crypto_encode_int16(unsigned char *s, const void *x);
-#endif
diff --git a/crypto_kem/sntrup761/avx2/crypto_sort_int32.c b/crypto_kem/sntrup761/avx2/crypto_sort_int32.c
deleted file mode 100644
index a3268aef..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_sort_int32.c
+++ /dev/null
@@ -1,1215 +0,0 @@
-#include "crypto_sort_int32.h"
-#include
-
-#define int32 int32_t
-
-typedef __m256i int32x8;
-#define int32x8_load(z) _mm256_loadu_si256((__m256i *) (z))
-#define int32x8_store(z,i) _mm256_storeu_si256((__m256i *) (z),(i))
-#define int32x8_min _mm256_min_epi32
-#define int32x8_max _mm256_max_epi32
-
-#define int32x8_MINMAX(a,b) \
- do { \
- int32x8 c = int32x8_min((a),(b)); \
- (b) = int32x8_max((a),(b)); \
- (a) = c; \
- } while(0)
-
-static inline void int32_MINMAX(int32 *a, int32 *b) {
- int32 ab = *b ^ *a;
- int32 c = (int32)((int64_t) * b - (int64_t) * a);
- c ^= ab & (c ^ *b);
- c >>= 31;
- c &= ab;
- *a ^= c;
- *b ^= c;
-}
-
-static void minmax_vector(int32 *x, int32 *y, long long n) {
- if (n < 8) {
- while (n > 0) {
- int32_MINMAX(x, y);
- ++x;
- ++y;
- --n;
- }
- return;
- }
- if (n & 7) {
- int32x8 x0 = int32x8_load(x + n - 8);
- int32x8 y0 = int32x8_load(y + n - 8);
- int32x8_MINMAX(x0, y0);
- int32x8_store(x + n - 8, x0);
- int32x8_store(y + n - 8, y0);
- n &= ~7;
- }
- do {
- int32x8 x0 = int32x8_load(x);
- int32x8 y0 = int32x8_load(y);
- int32x8_MINMAX(x0, y0);
- int32x8_store(x, x0);
- int32x8_store(y, y0);
- x += 8;
- y += 8;
- n -= 8;
- } while (n);
-}
-
-/* stages 8,4,2,1 of size-16 bitonic merging */
-static void merge16_finish(int32 *x, int32x8 x0, int32x8 x1, int flagdown) {
- int32x8 b0, b1, c0, c1, mask;
-
- int32x8_MINMAX(x0, x1);
-
- b0 = _mm256_permute2x128_si256(x0, x1, 0x20); /* A0123B0123 */
- b1 = _mm256_permute2x128_si256(x0, x1, 0x31); /* A4567B4567 */
-
- int32x8_MINMAX(b0, b1);
-
- c0 = _mm256_unpacklo_epi64(b0, b1); /* A0145B0145 */
- c1 = _mm256_unpackhi_epi64(b0, b1); /* A2367B2367 */
-
- int32x8_MINMAX(c0, c1);
-
- b0 = _mm256_unpacklo_epi32(c0, c1); /* A0213B0213 */
- b1 = _mm256_unpackhi_epi32(c0, c1); /* A4657B4657 */
-
- c0 = _mm256_unpacklo_epi64(b0, b1); /* A0246B0246 */
- c1 = _mm256_unpackhi_epi64(b0, b1); /* A1357B1357 */
-
- int32x8_MINMAX(c0, c1);
-
- b0 = _mm256_unpacklo_epi32(c0, c1); /* A0123B0123 */
- b1 = _mm256_unpackhi_epi32(c0, c1); /* A4567B4567 */
-
- x0 = _mm256_permute2x128_si256(b0, b1, 0x20); /* A01234567 */
- x1 = _mm256_permute2x128_si256(b0, b1, 0x31); /* A01234567 */
-
- if (flagdown) {
- mask = _mm256_set1_epi32(-1);
- x0 ^= mask;
- x1 ^= mask;
- }
-
- int32x8_store(&x[0], x0);
- int32x8_store(&x[8], x1);
-}
-
-/* stages 64,32 of bitonic merging; n is multiple of 128 */
-static void int32_twostages_32(int32 *x, long long n) {
- long long i;
-
- while (n > 0) {
- for (i = 0; i < 32; i += 8) {
- int32x8 x0 = int32x8_load(&x[i]);
- int32x8 x1 = int32x8_load(&x[i + 32]);
- int32x8 x2 = int32x8_load(&x[i + 64]);
- int32x8 x3 = int32x8_load(&x[i + 96]);
-
- int32x8_MINMAX(x0, x2);
- int32x8_MINMAX(x1, x3);
- int32x8_MINMAX(x0, x1);
- int32x8_MINMAX(x2, x3);
-
- int32x8_store(&x[i], x0);
- int32x8_store(&x[i + 32], x1);
- int32x8_store(&x[i + 64], x2);
- int32x8_store(&x[i + 96], x3);
- }
- x += 128;
- n -= 128;
- }
-}
-
-/* stages 4q,2q,q of bitonic merging */
-static long long int32_threestages(int32 *x, long long n, long long q) {
- long long k, i;
-
- for (k = 0; k + 8 * q <= n; k += 8 * q) {
- for (i = k; i < k + q; i += 8) {
- int32x8 x0 = int32x8_load(&x[i]);
- int32x8 x1 = int32x8_load(&x[i + q]);
- int32x8 x2 = int32x8_load(&x[i + 2 * q]);
- int32x8 x3 = int32x8_load(&x[i + 3 * q]);
- int32x8 x4 = int32x8_load(&x[i + 4 * q]);
- int32x8 x5 = int32x8_load(&x[i + 5 * q]);
- int32x8 x6 = int32x8_load(&x[i + 6 * q]);
- int32x8 x7 = int32x8_load(&x[i + 7 * q]);
-
- int32x8_MINMAX(x0, x4);
- int32x8_MINMAX(x1, x5);
- int32x8_MINMAX(x2, x6);
- int32x8_MINMAX(x3, x7);
- int32x8_MINMAX(x0, x2);
- int32x8_MINMAX(x1, x3);
- int32x8_MINMAX(x4, x6);
- int32x8_MINMAX(x5, x7);
- int32x8_MINMAX(x0, x1);
- int32x8_MINMAX(x2, x3);
- int32x8_MINMAX(x4, x5);
- int32x8_MINMAX(x6, x7);
-
- int32x8_store(&x[i], x0);
- int32x8_store(&x[i + q], x1);
- int32x8_store(&x[i + 2 * q], x2);
- int32x8_store(&x[i + 3 * q], x3);
- int32x8_store(&x[i + 4 * q], x4);
- int32x8_store(&x[i + 5 * q], x5);
- int32x8_store(&x[i + 6 * q], x6);
- int32x8_store(&x[i + 7 * q], x7);
- }
- }
-
- return k;
-}
-
-/* n is a power of 2; n >= 8; if n == 8 then flagdown */
-// NOLINTNEXTLINE(google-readability-function-size)
-static void int32_sort_2power(int32 *x, long long n, int flagdown) {
- long long p, q, i, j, k;
- int32x8 mask;
-
- if (n == 8) {
- int32 x0 = x[0];
- int32 x1 = x[1];
- int32 x2 = x[2];
- int32 x3 = x[3];
- int32 x4 = x[4];
- int32 x5 = x[5];
- int32 x6 = x[6];
- int32 x7 = x[7];
-
- /* odd-even sort instead of bitonic sort */
-
- int32_MINMAX(&x1, &x0);
- int32_MINMAX(&x3, &x2);
- int32_MINMAX(&x2, &x0);
- int32_MINMAX(&x3, &x1);
- int32_MINMAX(&x2, &x1);
-
- int32_MINMAX(&x5, &x4);
- int32_MINMAX(&x7, &x6);
- int32_MINMAX(&x6, &x4);
- int32_MINMAX(&x7, &x5);
- int32_MINMAX(&x6, &x5);
-
- int32_MINMAX(&x4, &x0);
- int32_MINMAX(&x6, &x2);
- int32_MINMAX(&x4, &x2);
-
- int32_MINMAX(&x5, &x1);
- int32_MINMAX(&x7, &x3);
- int32_MINMAX(&x5, &x3);
-
- int32_MINMAX(&x2, &x1);
- int32_MINMAX(&x4, &x3);
- int32_MINMAX(&x6, &x5);
-
- x[0] = x0;
- x[1] = x1;
- x[2] = x2;
- x[3] = x3;
- x[4] = x4;
- x[5] = x5;
- x[6] = x6;
- x[7] = x7;
- return;
- }
-
- if (n == 16) {
- int32x8 x0, x1, b0, b1, c0, c1;
-
- x0 = int32x8_load(&x[0]);
- x1 = int32x8_load(&x[8]);
-
- mask = _mm256_set_epi32(0, 0, -1, -1, 0, 0, -1, -1);
-
- x0 ^= mask; /* A01234567 */
- x1 ^= mask; /* B01234567 */
-
- b0 = _mm256_unpacklo_epi32(x0, x1); /* AB0AB1AB4AB5 */
- b1 = _mm256_unpackhi_epi32(x0, x1); /* AB2AB3AB6AB7 */
-
- c0 = _mm256_unpacklo_epi64(b0, b1); /* AB0AB2AB4AB6 */
- c1 = _mm256_unpackhi_epi64(b0, b1); /* AB1AB3AB5AB7 */
-
- int32x8_MINMAX(c0, c1);
-
- mask = _mm256_set_epi32(0, 0, -1, -1, -1, -1, 0, 0);
- c0 ^= mask;
- c1 ^= mask;
-
- b0 = _mm256_unpacklo_epi32(c0, c1); /* A01B01A45B45 */
- b1 = _mm256_unpackhi_epi32(c0, c1); /* A23B23A67B67 */
-
- int32x8_MINMAX(b0, b1);
-
- x0 = _mm256_unpacklo_epi64(b0, b1); /* A01234567 */
- x1 = _mm256_unpackhi_epi64(b0, b1); /* B01234567 */
-
- b0 = _mm256_unpacklo_epi32(x0, x1); /* AB0AB1AB4AB5 */
- b1 = _mm256_unpackhi_epi32(x0, x1); /* AB2AB3AB6AB7 */
-
- c0 = _mm256_unpacklo_epi64(b0, b1); /* AB0AB2AB4AB6 */
- c1 = _mm256_unpackhi_epi64(b0, b1); /* AB1AB3AB5AB7 */
-
- int32x8_MINMAX(c0, c1);
-
- b0 = _mm256_unpacklo_epi32(c0, c1); /* A01B01A45B45 */
- b1 = _mm256_unpackhi_epi32(c0, c1); /* A23B23A67B67 */
-
- b0 ^= mask;
- b1 ^= mask;
-
- c0 = _mm256_permute2x128_si256(b0, b1, 0x20); /* A01B01A23B23 */
- c1 = _mm256_permute2x128_si256(b0, b1, 0x31); /* A45B45A67B67 */
-
- int32x8_MINMAX(c0, c1);
-
- b0 = _mm256_permute2x128_si256(c0, c1, 0x20); /* A01B01A45B45 */
- b1 = _mm256_permute2x128_si256(c0, c1, 0x31); /* A23B23A67B67 */
-
- int32x8_MINMAX(b0, b1);
-
- x0 = _mm256_unpacklo_epi64(b0, b1); /* A01234567 */
- x1 = _mm256_unpackhi_epi64(b0, b1); /* B01234567 */
-
- b0 = _mm256_unpacklo_epi32(x0, x1); /* AB0AB1AB4AB5 */
- b1 = _mm256_unpackhi_epi32(x0, x1); /* AB2AB3AB6AB7 */
-
- c0 = _mm256_unpacklo_epi64(b0, b1); /* AB0AB2AB4AB6 */
- c1 = _mm256_unpackhi_epi64(b0, b1); /* AB1AB3AB5AB7 */
-
- int32x8_MINMAX(c0, c1);
-
- b0 = _mm256_unpacklo_epi32(c0, c1); /* A01B01A45B45 */
- b1 = _mm256_unpackhi_epi32(c0, c1); /* A23B23A67B67 */
-
- x0 = _mm256_unpacklo_epi64(b0, b1); /* A01234567 */
- x1 = _mm256_unpackhi_epi64(b0, b1); /* B01234567 */
-
- mask = _mm256_set1_epi32(-1);
- if (flagdown) {
- x1 ^= mask;
- } else {
- x0 ^= mask;
- }
-
- merge16_finish(x, x0, x1, flagdown);
- return;
- }
-
- if (n == 32) {
- int32x8 x0, x1, x2, x3;
-
- int32_sort_2power(x, 16, 1);
- int32_sort_2power(x + 16, 16, 0);
-
- x0 = int32x8_load(&x[0]);
- x1 = int32x8_load(&x[8]);
- x2 = int32x8_load(&x[16]);
- x3 = int32x8_load(&x[24]);
-
- if (flagdown) {
- mask = _mm256_set1_epi32(-1);
- x0 ^= mask;
- x1 ^= mask;
- x2 ^= mask;
- x3 ^= mask;
- }
-
- int32x8_MINMAX(x0, x2);
- int32x8_MINMAX(x1, x3);
-
- merge16_finish(x, x0, x1, flagdown);
- merge16_finish(x + 16, x2, x3, flagdown);
- return;
- }
-
- p = n >> 3;
- for (i = 0; i < p; i += 8) {
- int32x8 x0 = int32x8_load(&x[i]);
- int32x8 x2 = int32x8_load(&x[i + 2 * p]);
- int32x8 x4 = int32x8_load(&x[i + 4 * p]);
- int32x8 x6 = int32x8_load(&x[i + 6 * p]);
-
- /* odd-even stage instead of bitonic stage */
-
- int32x8_MINMAX(x4, x0);
- int32x8_MINMAX(x6, x2);
- int32x8_MINMAX(x2, x0);
- int32x8_MINMAX(x6, x4);
- int32x8_MINMAX(x2, x4);
-
- int32x8_store(&x[i], x0);
- int32x8_store(&x[i + 2 * p], x2);
- int32x8_store(&x[i + 4 * p], x4);
- int32x8_store(&x[i + 6 * p], x6);
-
- int32x8 x1 = int32x8_load(&x[i + p]);
- int32x8 x3 = int32x8_load(&x[i + 3 * p]);
- int32x8 x5 = int32x8_load(&x[i + 5 * p]);
- int32x8 x7 = int32x8_load(&x[i + 7 * p]);
-
- int32x8_MINMAX(x1, x5);
- int32x8_MINMAX(x3, x7);
- int32x8_MINMAX(x1, x3);
- int32x8_MINMAX(x5, x7);
- int32x8_MINMAX(x5, x3);
-
- int32x8_store(&x[i + p], x1);
- int32x8_store(&x[i + 3 * p], x3);
- int32x8_store(&x[i + 5 * p], x5);
- int32x8_store(&x[i + 7 * p], x7);
- }
-
- if (n >= 128) {
- int flip, flipflip;
-
- mask = _mm256_set1_epi32(-1);
-
- for (j = 0; j < n; j += 32) {
- int32x8 x0 = int32x8_load(&x[j]);
- int32x8 x1 = int32x8_load(&x[j + 16]);
- x0 ^= mask;
- x1 ^= mask;
- int32x8_store(&x[j], x0);
- int32x8_store(&x[j + 16], x1);
- }
-
- p = 8;
- for (;;) { /* for p in [8, 16, ..., n/16] */
- q = p >> 1;
- while (q >= 128) {
- int32_threestages(x, n, q >> 2);
- q >>= 3;
- }
- if (q == 64) {
- int32_twostages_32(x, n);
- q = 16;
- }
- if (q == 32) {
- q = 8;
- for (k = 0; k < n; k += 8 * q) {
- for (i = k; i < k + q; i += 8) {
- int32x8 x0 = int32x8_load(&x[i]);
- int32x8 x1 = int32x8_load(&x[i + q]);
- int32x8 x2 = int32x8_load(&x[i + 2 * q]);
- int32x8 x3 = int32x8_load(&x[i + 3 * q]);
- int32x8 x4 = int32x8_load(&x[i + 4 * q]);
- int32x8 x5 = int32x8_load(&x[i + 5 * q]);
- int32x8 x6 = int32x8_load(&x[i + 6 * q]);
- int32x8 x7 = int32x8_load(&x[i + 7 * q]);
-
- int32x8_MINMAX(x0, x4);
- int32x8_MINMAX(x1, x5);
- int32x8_MINMAX(x2, x6);
- int32x8_MINMAX(x3, x7);
- int32x8_MINMAX(x0, x2);
- int32x8_MINMAX(x1, x3);
- int32x8_MINMAX(x4, x6);
- int32x8_MINMAX(x5, x7);
- int32x8_MINMAX(x0, x1);
- int32x8_MINMAX(x2, x3);
- int32x8_MINMAX(x4, x5);
- int32x8_MINMAX(x6, x7);
-
- int32x8_store(&x[i], x0);
- int32x8_store(&x[i + q], x1);
- int32x8_store(&x[i + 2 * q], x2);
- int32x8_store(&x[i + 3 * q], x3);
- int32x8_store(&x[i + 4 * q], x4);
- int32x8_store(&x[i + 5 * q], x5);
- int32x8_store(&x[i + 6 * q], x6);
- int32x8_store(&x[i + 7 * q], x7);
- }
- }
- q = 4;
- }
- if (q == 16) {
- q = 8;
- for (k = 0; k < n; k += 4 * q) {
- for (i = k; i < k + q; i += 8) {
- int32x8 x0 = int32x8_load(&x[i]);
- int32x8 x1 = int32x8_load(&x[i + q]);
- int32x8 x2 = int32x8_load(&x[i + 2 * q]);
- int32x8 x3 = int32x8_load(&x[i + 3 * q]);
-
- int32x8_MINMAX(x0, x2);
- int32x8_MINMAX(x1, x3);
- int32x8_MINMAX(x0, x1);
- int32x8_MINMAX(x2, x3);
-
- int32x8_store(&x[i], x0);
- int32x8_store(&x[i + q], x1);
- int32x8_store(&x[i + 2 * q], x2);
- int32x8_store(&x[i + 3 * q], x3);
- }
- }
- q = 4;
- }
- if (q == 8) {
- for (k = 0; k < n; k += q + q) {
- int32x8 x0 = int32x8_load(&x[k]);
- int32x8 x1 = int32x8_load(&x[k + q]);
-
- int32x8_MINMAX(x0, x1);
-
- int32x8_store(&x[k], x0);
- int32x8_store(&x[k + q], x1);
- }
- }
-
- q = n >> 3;
- flip = 0;
- if (p << 1 == q) {
- flip = 1;
- }
- flipflip = 1 - flip;
- for (j = 0; j < q; j += p + p) {
- for (k = j; k < j + p + p; k += p) {
- for (i = k; i < k + p; i += 8) {
- int32x8 x0 = int32x8_load(&x[i]);
- int32x8 x1 = int32x8_load(&x[i + q]);
- int32x8 x2 = int32x8_load(&x[i + 2 * q]);
- int32x8 x3 = int32x8_load(&x[i + 3 * q]);
- int32x8 x4 = int32x8_load(&x[i + 4 * q]);
- int32x8 x5 = int32x8_load(&x[i + 5 * q]);
- int32x8 x6 = int32x8_load(&x[i + 6 * q]);
- int32x8 x7 = int32x8_load(&x[i + 7 * q]);
-
- int32x8_MINMAX(x0, x1);
- int32x8_MINMAX(x2, x3);
- int32x8_MINMAX(x4, x5);
- int32x8_MINMAX(x6, x7);
- int32x8_MINMAX(x0, x2);
- int32x8_MINMAX(x1, x3);
-
int32x8_MINMAX(x4, x6); - int32x8_MINMAX(x5, x7); - int32x8_MINMAX(x0, x4); - int32x8_MINMAX(x1, x5); - int32x8_MINMAX(x2, x6); - int32x8_MINMAX(x3, x7); - - if (flip) { - x0 ^= mask; - x1 ^= mask; - x2 ^= mask; - x3 ^= mask; - x4 ^= mask; - x5 ^= mask; - x6 ^= mask; - x7 ^= mask; - } - - int32x8_store(&x[i], x0); - int32x8_store(&x[i + q], x1); - int32x8_store(&x[i + 2 * q], x2); - int32x8_store(&x[i + 3 * q], x3); - int32x8_store(&x[i + 4 * q], x4); - int32x8_store(&x[i + 5 * q], x5); - int32x8_store(&x[i + 6 * q], x6); - int32x8_store(&x[i + 7 * q], x7); - } - flip ^= 1; - } - flip ^= flipflip; - } - - if (p << 4 == n) { - break; - } - p <<= 1; - } - } - - for (p = 4; p >= 1; p >>= 1) { - int32 *z = x; - int32 *target = x + n; - if (p == 4) { - mask = _mm256_set_epi32(0, 0, 0, 0, -1, -1, -1, -1); - while (z != target) { - int32x8 x0 = int32x8_load(&z[0]); - int32x8 x1 = int32x8_load(&z[8]); - x0 ^= mask; - x1 ^= mask; - int32x8_store(&z[0], x0); - int32x8_store(&z[8], x1); - z += 16; - } - } else if (p == 2) { - mask = _mm256_set_epi32(0, 0, -1, -1, -1, -1, 0, 0); - while (z != target) { - int32x8 x0 = int32x8_load(&z[0]); - int32x8 x1 = int32x8_load(&z[8]); - x0 ^= mask; - x1 ^= mask; - int32x8 b0 = _mm256_permute2x128_si256(x0, x1, 0x20); - int32x8 b1 = _mm256_permute2x128_si256(x0, x1, 0x31); - int32x8_MINMAX(b0, b1); - int32x8 c0 = _mm256_permute2x128_si256(b0, b1, 0x20); - int32x8 c1 = _mm256_permute2x128_si256(b0, b1, 0x31); - int32x8_store(&z[0], c0); - int32x8_store(&z[8], c1); - z += 16; - } - } else { /* p == 1 */ - mask = _mm256_set_epi32(0, -1, -1, 0, 0, -1, -1, 0); - while (z != target) { - int32x8 x0 = int32x8_load(&z[0]); - int32x8 x1 = int32x8_load(&z[8]); - x0 ^= mask; - x1 ^= mask; - int32x8 b0 = _mm256_permute2x128_si256(x0, x1, 0x20); /* A0123B0123 */ - int32x8 b1 = _mm256_permute2x128_si256(x0, x1, 0x31); /* A4567B4567 */ - int32x8 c0 = _mm256_unpacklo_epi64(b0, b1); /* A0145B0145 */ - int32x8 c1 = _mm256_unpackhi_epi64(b0, b1); /* 
A2367B2367 */ - int32x8_MINMAX(c0, c1); - int32x8 d0 = _mm256_unpacklo_epi64(c0, c1); /* A0123B0123 */ - int32x8 d1 = _mm256_unpackhi_epi64(c0, c1); /* A4567B4567 */ - int32x8_MINMAX(d0, d1); - int32x8 e0 = _mm256_permute2x128_si256(d0, d1, 0x20); - int32x8 e1 = _mm256_permute2x128_si256(d0, d1, 0x31); - int32x8_store(&z[0], e0); - int32x8_store(&z[8], e1); - z += 16; - } - } - - q = n >> 4; - while (q >= 128 || q == 32) { - int32_threestages(x, n, q >> 2); - q >>= 3; - } - while (q >= 16) { - q >>= 1; - for (j = 0; j < n; j += 4 * q) { - for (k = j; k < j + q; k += 8) { - int32x8 x0 = int32x8_load(&x[k]); - int32x8 x1 = int32x8_load(&x[k + q]); - int32x8 x2 = int32x8_load(&x[k + 2 * q]); - int32x8 x3 = int32x8_load(&x[k + 3 * q]); - - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - - int32x8_store(&x[k], x0); - int32x8_store(&x[k + q], x1); - int32x8_store(&x[k + 2 * q], x2); - int32x8_store(&x[k + 3 * q], x3); - } - } - q >>= 1; - } - if (q == 8) { - for (j = 0; j < n; j += 2 * q) { - int32x8 x0 = int32x8_load(&x[j]); - int32x8 x1 = int32x8_load(&x[j + q]); - - int32x8_MINMAX(x0, x1); - - int32x8_store(&x[j], x0); - int32x8_store(&x[j + q], x1); - } - } - - q = n >> 3; - for (k = 0; k < q; k += 8) { - int32x8 x0 = int32x8_load(&x[k]); - int32x8 x1 = int32x8_load(&x[k + q]); - int32x8 x2 = int32x8_load(&x[k + 2 * q]); - int32x8 x3 = int32x8_load(&x[k + 3 * q]); - int32x8 x4 = int32x8_load(&x[k + 4 * q]); - int32x8 x5 = int32x8_load(&x[k + 5 * q]); - int32x8 x6 = int32x8_load(&x[k + 6 * q]); - int32x8 x7 = int32x8_load(&x[k + 7 * q]); - - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - int32x8_MINMAX(x4, x5); - int32x8_MINMAX(x6, x7); - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x4, x6); - int32x8_MINMAX(x5, x7); - int32x8_MINMAX(x0, x4); - int32x8_MINMAX(x1, x5); - int32x8_MINMAX(x2, x6); - int32x8_MINMAX(x3, x7); - - int32x8_store(&x[k], x0); - int32x8_store(&x[k + q], x1); - 
int32x8_store(&x[k + 2 * q], x2); - int32x8_store(&x[k + 3 * q], x3); - int32x8_store(&x[k + 4 * q], x4); - int32x8_store(&x[k + 5 * q], x5); - int32x8_store(&x[k + 6 * q], x6); - int32x8_store(&x[k + 7 * q], x7); - } - } - - /* everything is still masked with _mm256_set_epi32(0,-1,0,-1,0,-1,0,-1); */ - mask = _mm256_set1_epi32(-1); - - for (i = 0; i < n; i += 64) { - int32x8 a0 = int32x8_load(&x[i]); - int32x8 a1 = int32x8_load(&x[i + 8]); - int32x8 a2 = int32x8_load(&x[i + 16]); - int32x8 a3 = int32x8_load(&x[i + 24]); - int32x8 a4 = int32x8_load(&x[i + 32]); - int32x8 a5 = int32x8_load(&x[i + 40]); - int32x8 a6 = int32x8_load(&x[i + 48]); - int32x8 a7 = int32x8_load(&x[i + 56]); - - int32x8 b0 = _mm256_unpacklo_epi32(a0, a1); /* AB0AB1AB4AB5 */ - int32x8 b1 = _mm256_unpackhi_epi32(a0, a1); /* AB2AB3AB6AB7 */ - int32x8 b2 = _mm256_unpacklo_epi32(a2, a3); /* CD0CD1CD4CD5 */ - int32x8 b3 = _mm256_unpackhi_epi32(a2, a3); /* CD2CD3CD6CD7 */ - int32x8 b4 = _mm256_unpacklo_epi32(a4, a5); /* EF0EF1EF4EF5 */ - int32x8 b5 = _mm256_unpackhi_epi32(a4, a5); /* EF2EF3EF6EF7 */ - int32x8 b6 = _mm256_unpacklo_epi32(a6, a7); /* GH0GH1GH4GH5 */ - int32x8 b7 = _mm256_unpackhi_epi32(a6, a7); /* GH2GH3GH6GH7 */ - - int32x8 c0 = _mm256_unpacklo_epi64(b0, b2); /* ABCD0ABCD4 */ - int32x8 c1 = _mm256_unpacklo_epi64(b1, b3); /* ABCD2ABCD6 */ - int32x8 c2 = _mm256_unpackhi_epi64(b0, b2); /* ABCD1ABCD5 */ - int32x8 c3 = _mm256_unpackhi_epi64(b1, b3); /* ABCD3ABCD7 */ - int32x8 c4 = _mm256_unpacklo_epi64(b4, b6); /* EFGH0EFGH4 */ - int32x8 c5 = _mm256_unpacklo_epi64(b5, b7); /* EFGH2EFGH6 */ - int32x8 c6 = _mm256_unpackhi_epi64(b4, b6); /* EFGH1EFGH5 */ - int32x8 c7 = _mm256_unpackhi_epi64(b5, b7); /* EFGH3EFGH7 */ - - if (flagdown) { - c2 ^= mask; - c3 ^= mask; - c6 ^= mask; - c7 ^= mask; - } else { - c0 ^= mask; - c1 ^= mask; - c4 ^= mask; - c5 ^= mask; - } - - int32x8 d0 = _mm256_permute2x128_si256(c0, c4, 0x20); /* ABCDEFGH0 */ - int32x8 d1 = _mm256_permute2x128_si256(c2, c6, 0x20); /* 
ABCDEFGH1 */ - int32x8 d2 = _mm256_permute2x128_si256(c1, c5, 0x20); /* ABCDEFGH2 */ - int32x8 d3 = _mm256_permute2x128_si256(c3, c7, 0x20); /* ABCDEFGH5 */ - int32x8 d4 = _mm256_permute2x128_si256(c0, c4, 0x31); /* ABCDEFGH4 */ - int32x8 d5 = _mm256_permute2x128_si256(c2, c6, 0x31); /* ABCDEFGH3 */ - int32x8 d6 = _mm256_permute2x128_si256(c1, c5, 0x31); /* ABCDEFGH6 */ - int32x8 d7 = _mm256_permute2x128_si256(c3, c7, 0x31); /* ABCDEFGH7 */ - - int32x8_MINMAX(d0, d1); - int32x8_MINMAX(d2, d3); - int32x8_MINMAX(d4, d5); - int32x8_MINMAX(d6, d7); - int32x8_MINMAX(d0, d2); - int32x8_MINMAX(d1, d3); - int32x8_MINMAX(d4, d6); - int32x8_MINMAX(d5, d7); - int32x8_MINMAX(d0, d4); - int32x8_MINMAX(d1, d5); - int32x8_MINMAX(d2, d6); - int32x8_MINMAX(d3, d7); - - int32x8 e0 = _mm256_unpacklo_epi32(d0, d1); - int32x8 e1 = _mm256_unpackhi_epi32(d0, d1); - int32x8 e2 = _mm256_unpacklo_epi32(d2, d3); - int32x8 e3 = _mm256_unpackhi_epi32(d2, d3); - int32x8 e4 = _mm256_unpacklo_epi32(d4, d5); - int32x8 e5 = _mm256_unpackhi_epi32(d4, d5); - int32x8 e6 = _mm256_unpacklo_epi32(d6, d7); - int32x8 e7 = _mm256_unpackhi_epi32(d6, d7); - - int32x8 f0 = _mm256_unpacklo_epi64(e0, e2); - int32x8 f1 = _mm256_unpacklo_epi64(e1, e3); - int32x8 f2 = _mm256_unpackhi_epi64(e0, e2); - int32x8 f3 = _mm256_unpackhi_epi64(e1, e3); - int32x8 f4 = _mm256_unpacklo_epi64(e4, e6); - int32x8 f5 = _mm256_unpacklo_epi64(e5, e7); - int32x8 f6 = _mm256_unpackhi_epi64(e4, e6); - int32x8 f7 = _mm256_unpackhi_epi64(e5, e7); - - int32x8 g0 = _mm256_permute2x128_si256(f0, f4, 0x20); - int32x8 g1 = _mm256_permute2x128_si256(f2, f6, 0x20); - int32x8 g2 = _mm256_permute2x128_si256(f1, f5, 0x20); - int32x8 g3 = _mm256_permute2x128_si256(f3, f7, 0x20); - int32x8 g4 = _mm256_permute2x128_si256(f0, f4, 0x31); - int32x8 g5 = _mm256_permute2x128_si256(f2, f6, 0x31); - int32x8 g6 = _mm256_permute2x128_si256(f1, f5, 0x31); - int32x8 g7 = _mm256_permute2x128_si256(f3, f7, 0x31); - - int32x8_store(&x[i], g0); - int32x8_store(&x[i 
+ 8], g1); - int32x8_store(&x[i + 16], g2); - int32x8_store(&x[i + 24], g3); - int32x8_store(&x[i + 32], g4); - int32x8_store(&x[i + 40], g5); - int32x8_store(&x[i + 48], g6); - int32x8_store(&x[i + 56], g7); - } - - q = n >> 4; - while (q >= 128 || q == 32) { - q >>= 2; - for (j = 0; j < n; j += 8 * q) { - for (i = j; i < j + q; i += 8) { - int32x8 x0 = int32x8_load(&x[i]); - int32x8 x1 = int32x8_load(&x[i + q]); - int32x8 x2 = int32x8_load(&x[i + 2 * q]); - int32x8 x3 = int32x8_load(&x[i + 3 * q]); - int32x8 x4 = int32x8_load(&x[i + 4 * q]); - int32x8 x5 = int32x8_load(&x[i + 5 * q]); - int32x8 x6 = int32x8_load(&x[i + 6 * q]); - int32x8 x7 = int32x8_load(&x[i + 7 * q]); - int32x8_MINMAX(x0, x4); - int32x8_MINMAX(x1, x5); - int32x8_MINMAX(x2, x6); - int32x8_MINMAX(x3, x7); - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x4, x6); - int32x8_MINMAX(x5, x7); - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - int32x8_MINMAX(x4, x5); - int32x8_MINMAX(x6, x7); - int32x8_store(&x[i], x0); - int32x8_store(&x[i + q], x1); - int32x8_store(&x[i + 2 * q], x2); - int32x8_store(&x[i + 3 * q], x3); - int32x8_store(&x[i + 4 * q], x4); - int32x8_store(&x[i + 5 * q], x5); - int32x8_store(&x[i + 6 * q], x6); - int32x8_store(&x[i + 7 * q], x7); - } - } - q >>= 1; - } - while (q >= 16) { - q >>= 1; - for (j = 0; j < n; j += 4 * q) { - for (i = j; i < j + q; i += 8) { - int32x8 x0 = int32x8_load(&x[i]); - int32x8 x1 = int32x8_load(&x[i + q]); - int32x8 x2 = int32x8_load(&x[i + 2 * q]); - int32x8 x3 = int32x8_load(&x[i + 3 * q]); - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - int32x8_store(&x[i], x0); - int32x8_store(&x[i + q], x1); - int32x8_store(&x[i + 2 * q], x2); - int32x8_store(&x[i + 3 * q], x3); - } - } - q >>= 1; - } - if (q == 8) { - for (j = 0; j < n; j += q + q) { - int32x8 x0 = int32x8_load(&x[j]); - int32x8 x1 = int32x8_load(&x[j + q]); - int32x8_MINMAX(x0, x1); - int32x8_store(&x[j], x0); - 
int32x8_store(&x[j + q], x1); - } - } - - q = n >> 3; - for (i = 0; i < q; i += 8) { - int32x8 x0 = int32x8_load(&x[i]); - int32x8 x1 = int32x8_load(&x[i + q]); - int32x8 x2 = int32x8_load(&x[i + 2 * q]); - int32x8 x3 = int32x8_load(&x[i + 3 * q]); - int32x8 x4 = int32x8_load(&x[i + 4 * q]); - int32x8 x5 = int32x8_load(&x[i + 5 * q]); - int32x8 x6 = int32x8_load(&x[i + 6 * q]); - int32x8 x7 = int32x8_load(&x[i + 7 * q]); - - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - int32x8_MINMAX(x4, x5); - int32x8_MINMAX(x6, x7); - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x4, x6); - int32x8_MINMAX(x5, x7); - int32x8_MINMAX(x0, x4); - int32x8_MINMAX(x1, x5); - int32x8_MINMAX(x2, x6); - int32x8_MINMAX(x3, x7); - - int32x8 b0 = _mm256_unpacklo_epi32(x0, x4); /* AE0AE1AE4AE5 */ - int32x8 b1 = _mm256_unpackhi_epi32(x0, x4); /* AE2AE3AE6AE7 */ - int32x8 b2 = _mm256_unpacklo_epi32(x1, x5); /* BF0BF1BF4BF5 */ - int32x8 b3 = _mm256_unpackhi_epi32(x1, x5); /* BF2BF3BF6BF7 */ - int32x8 b4 = _mm256_unpacklo_epi32(x2, x6); /* CG0CG1CG4CG5 */ - int32x8 b5 = _mm256_unpackhi_epi32(x2, x6); /* CG2CG3CG6CG7 */ - int32x8 b6 = _mm256_unpacklo_epi32(x3, x7); /* DH0DH1DH4DH5 */ - int32x8 b7 = _mm256_unpackhi_epi32(x3, x7); /* DH2DH3DH6DH7 */ - - int32x8 c0 = _mm256_unpacklo_epi64(b0, b4); /* AECG0AECG4 */ - int32x8 c1 = _mm256_unpacklo_epi64(b1, b5); /* AECG2AECG6 */ - int32x8 c2 = _mm256_unpackhi_epi64(b0, b4); /* AECG1AECG5 */ - int32x8 c3 = _mm256_unpackhi_epi64(b1, b5); /* AECG3AECG7 */ - int32x8 c4 = _mm256_unpacklo_epi64(b2, b6); /* BFDH0BFDH4 */ - int32x8 c5 = _mm256_unpacklo_epi64(b3, b7); /* BFDH2BFDH6 */ - int32x8 c6 = _mm256_unpackhi_epi64(b2, b6); /* BFDH1BFDH5 */ - int32x8 c7 = _mm256_unpackhi_epi64(b3, b7); /* BFDH3BFDH7 */ - - int32x8 d0 = _mm256_permute2x128_si256(c0, c4, 0x20); /* AECGBFDH0 */ - int32x8 d1 = _mm256_permute2x128_si256(c1, c5, 0x20); /* AECGBFDH2 */ - int32x8 d2 = _mm256_permute2x128_si256(c2, c6, 0x20); /* AECGBFDH1 */ - int32x8 d3 = 
_mm256_permute2x128_si256(c3, c7, 0x20); /* AECGBFDH3 */ - int32x8 d4 = _mm256_permute2x128_si256(c0, c4, 0x31); /* AECGBFDH4 */ - int32x8 d5 = _mm256_permute2x128_si256(c1, c5, 0x31); /* AECGBFDH6 */ - int32x8 d6 = _mm256_permute2x128_si256(c2, c6, 0x31); /* AECGBFDH5 */ - int32x8 d7 = _mm256_permute2x128_si256(c3, c7, 0x31); /* AECGBFDH7 */ - - if (flagdown) { - d0 ^= mask; - d1 ^= mask; - d2 ^= mask; - d3 ^= mask; - d4 ^= mask; - d5 ^= mask; - d6 ^= mask; - d7 ^= mask; - } - - int32x8_store(&x[i], d0); - int32x8_store(&x[i + q], d4); - int32x8_store(&x[i + 2 * q], d1); - int32x8_store(&x[i + 3 * q], d5); - int32x8_store(&x[i + 4 * q], d2); - int32x8_store(&x[i + 5 * q], d6); - int32x8_store(&x[i + 6 * q], d3); - int32x8_store(&x[i + 7 * q], d7); - } -} - -static void int32_sort(int32 *x, long long n) { - long long q, i, j; - - if (n <= 8) { - if (n == 8) { - int32_MINMAX(&x[0], &x[1]); - int32_MINMAX(&x[1], &x[2]); - int32_MINMAX(&x[2], &x[3]); - int32_MINMAX(&x[3], &x[4]); - int32_MINMAX(&x[4], &x[5]); - int32_MINMAX(&x[5], &x[6]); - int32_MINMAX(&x[6], &x[7]); - } - if (n >= 7) { - int32_MINMAX(&x[0], &x[1]); - int32_MINMAX(&x[1], &x[2]); - int32_MINMAX(&x[2], &x[3]); - int32_MINMAX(&x[3], &x[4]); - int32_MINMAX(&x[4], &x[5]); - int32_MINMAX(&x[5], &x[6]); - } - if (n >= 6) { - int32_MINMAX(&x[0], &x[1]); - int32_MINMAX(&x[1], &x[2]); - int32_MINMAX(&x[2], &x[3]); - int32_MINMAX(&x[3], &x[4]); - int32_MINMAX(&x[4], &x[5]); - } - if (n >= 5) { - int32_MINMAX(&x[0], &x[1]); - int32_MINMAX(&x[1], &x[2]); - int32_MINMAX(&x[2], &x[3]); - int32_MINMAX(&x[3], &x[4]); - } - if (n >= 4) { - int32_MINMAX(&x[0], &x[1]); - int32_MINMAX(&x[1], &x[2]); - int32_MINMAX(&x[2], &x[3]); - } - if (n >= 3) { - int32_MINMAX(&x[0], &x[1]); - int32_MINMAX(&x[1], &x[2]); - } - if (n >= 2) { - int32_MINMAX(&x[0], &x[1]); - } - return; - } - - if (!(n & (n - 1))) { - int32_sort_2power(x, n, 0); - return; - } - - q = 8; - while (q < n - q) { - q += q; - } - /* n > q >= 8 */ - - if (q <= 
128) { /* n <= 256 */ - int32x8 y[32]; - for (i = q >> 3; i < q >> 2; ++i) { - y[i] = _mm256_set1_epi32(0x7fffffff); - } - for (i = 0; i < n; ++i) { - ((int32 *) y)[i] = x[i]; - } - int32_sort_2power((int32 *) y, 2 * q, 0); - for (i = 0; i < n; ++i) { - x[i] = ((int32 *) y)[i]; - } - return; - } - - int32_sort_2power(x, q, 1); - int32_sort(x + q, n - q); - - while (q >= 64) { - q >>= 2; - j = int32_threestages(x, n, q); - minmax_vector(x + j, x + j + 4 * q, n - 4 * q - j); - if (j + 4 * q <= n) { - for (i = j; i < j + q; i += 8) { - int32x8 x0 = int32x8_load(&x[i]); - int32x8 x1 = int32x8_load(&x[i + q]); - int32x8 x2 = int32x8_load(&x[i + 2 * q]); - int32x8 x3 = int32x8_load(&x[i + 3 * q]); - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - int32x8_store(&x[i], x0); - int32x8_store(&x[i + q], x1); - int32x8_store(&x[i + 2 * q], x2); - int32x8_store(&x[i + 3 * q], x3); - } - j += 4 * q; - } - minmax_vector(x + j, x + j + 2 * q, n - 2 * q - j); - if (j + 2 * q <= n) { - for (i = j; i < j + q; i += 8) { - int32x8 x0 = int32x8_load(&x[i]); - int32x8 x1 = int32x8_load(&x[i + q]); - int32x8_MINMAX(x0, x1); - int32x8_store(&x[i], x0); - int32x8_store(&x[i + q], x1); - } - j += 2 * q; - } - minmax_vector(x + j, x + j + q, n - q - j); - q >>= 1; - } - if (q == 32) { - j = 0; - for (; j + 64 <= n; j += 64) { - int32x8 x0 = int32x8_load(&x[j]); - int32x8 x1 = int32x8_load(&x[j + 8]); - int32x8 x2 = int32x8_load(&x[j + 16]); - int32x8 x3 = int32x8_load(&x[j + 24]); - int32x8 x4 = int32x8_load(&x[j + 32]); - int32x8 x5 = int32x8_load(&x[j + 40]); - int32x8 x6 = int32x8_load(&x[j + 48]); - int32x8 x7 = int32x8_load(&x[j + 56]); - int32x8_MINMAX(x0, x4); - int32x8_MINMAX(x1, x5); - int32x8_MINMAX(x2, x6); - int32x8_MINMAX(x3, x7); - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x4, x6); - int32x8_MINMAX(x5, x7); - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - int32x8_MINMAX(x4, x5); - 
int32x8_MINMAX(x6, x7); - int32x8 a0 = _mm256_permute2x128_si256(x0, x1, 0x20); - int32x8 a1 = _mm256_permute2x128_si256(x0, x1, 0x31); - int32x8 a2 = _mm256_permute2x128_si256(x2, x3, 0x20); - int32x8 a3 = _mm256_permute2x128_si256(x2, x3, 0x31); - int32x8 a4 = _mm256_permute2x128_si256(x4, x5, 0x20); - int32x8 a5 = _mm256_permute2x128_si256(x4, x5, 0x31); - int32x8 a6 = _mm256_permute2x128_si256(x6, x7, 0x20); - int32x8 a7 = _mm256_permute2x128_si256(x6, x7, 0x31); - int32x8_MINMAX(a0, a1); - int32x8_MINMAX(a2, a3); - int32x8_MINMAX(a4, a5); - int32x8_MINMAX(a6, a7); - int32x8 b0 = _mm256_permute2x128_si256(a0, a1, 0x20); - int32x8 b1 = _mm256_permute2x128_si256(a0, a1, 0x31); - int32x8 b2 = _mm256_permute2x128_si256(a2, a3, 0x20); - int32x8 b3 = _mm256_permute2x128_si256(a2, a3, 0x31); - int32x8 b4 = _mm256_permute2x128_si256(a4, a5, 0x20); - int32x8 b5 = _mm256_permute2x128_si256(a4, a5, 0x31); - int32x8 b6 = _mm256_permute2x128_si256(a6, a7, 0x20); - int32x8 b7 = _mm256_permute2x128_si256(a6, a7, 0x31); - int32x8 c0 = _mm256_unpacklo_epi64(b0, b1); - int32x8 c1 = _mm256_unpackhi_epi64(b0, b1); - int32x8 c2 = _mm256_unpacklo_epi64(b2, b3); - int32x8 c3 = _mm256_unpackhi_epi64(b2, b3); - int32x8 c4 = _mm256_unpacklo_epi64(b4, b5); - int32x8 c5 = _mm256_unpackhi_epi64(b4, b5); - int32x8 c6 = _mm256_unpacklo_epi64(b6, b7); - int32x8 c7 = _mm256_unpackhi_epi64(b6, b7); - int32x8_MINMAX(c0, c1); - int32x8_MINMAX(c2, c3); - int32x8_MINMAX(c4, c5); - int32x8_MINMAX(c6, c7); - int32x8 d0 = _mm256_unpacklo_epi32(c0, c1); - int32x8 d1 = _mm256_unpackhi_epi32(c0, c1); - int32x8 d2 = _mm256_unpacklo_epi32(c2, c3); - int32x8 d3 = _mm256_unpackhi_epi32(c2, c3); - int32x8 d4 = _mm256_unpacklo_epi32(c4, c5); - int32x8 d5 = _mm256_unpackhi_epi32(c4, c5); - int32x8 d6 = _mm256_unpacklo_epi32(c6, c7); - int32x8 d7 = _mm256_unpackhi_epi32(c6, c7); - int32x8 e0 = _mm256_unpacklo_epi64(d0, d1); - int32x8 e1 = _mm256_unpackhi_epi64(d0, d1); - int32x8 e2 = _mm256_unpacklo_epi64(d2, 
d3); - int32x8 e3 = _mm256_unpackhi_epi64(d2, d3); - int32x8 e4 = _mm256_unpacklo_epi64(d4, d5); - int32x8 e5 = _mm256_unpackhi_epi64(d4, d5); - int32x8 e6 = _mm256_unpacklo_epi64(d6, d7); - int32x8 e7 = _mm256_unpackhi_epi64(d6, d7); - int32x8_MINMAX(e0, e1); - int32x8_MINMAX(e2, e3); - int32x8_MINMAX(e4, e5); - int32x8_MINMAX(e6, e7); - int32x8 f0 = _mm256_unpacklo_epi32(e0, e1); - int32x8 f1 = _mm256_unpackhi_epi32(e0, e1); - int32x8 f2 = _mm256_unpacklo_epi32(e2, e3); - int32x8 f3 = _mm256_unpackhi_epi32(e2, e3); - int32x8 f4 = _mm256_unpacklo_epi32(e4, e5); - int32x8 f5 = _mm256_unpackhi_epi32(e4, e5); - int32x8 f6 = _mm256_unpacklo_epi32(e6, e7); - int32x8 f7 = _mm256_unpackhi_epi32(e6, e7); - int32x8_store(&x[j], f0); - int32x8_store(&x[j + 8], f1); - int32x8_store(&x[j + 16], f2); - int32x8_store(&x[j + 24], f3); - int32x8_store(&x[j + 32], f4); - int32x8_store(&x[j + 40], f5); - int32x8_store(&x[j + 48], f6); - int32x8_store(&x[j + 56], f7); - } - minmax_vector(x + j, x + j + 32, n - 32 - j); - goto continue16; - } - if (q == 16) { - j = 0; -continue16: - for (; j + 32 <= n; j += 32) { - int32x8 x0 = int32x8_load(&x[j]); - int32x8 x1 = int32x8_load(&x[j + 8]); - int32x8 x2 = int32x8_load(&x[j + 16]); - int32x8 x3 = int32x8_load(&x[j + 24]); - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - int32x8 a0 = _mm256_permute2x128_si256(x0, x1, 0x20); - int32x8 a1 = _mm256_permute2x128_si256(x0, x1, 0x31); - int32x8 a2 = _mm256_permute2x128_si256(x2, x3, 0x20); - int32x8 a3 = _mm256_permute2x128_si256(x2, x3, 0x31); - int32x8_MINMAX(a0, a1); - int32x8_MINMAX(a2, a3); - int32x8 b0 = _mm256_permute2x128_si256(a0, a1, 0x20); - int32x8 b1 = _mm256_permute2x128_si256(a0, a1, 0x31); - int32x8 b2 = _mm256_permute2x128_si256(a2, a3, 0x20); - int32x8 b3 = _mm256_permute2x128_si256(a2, a3, 0x31); - int32x8 c0 = _mm256_unpacklo_epi64(b0, b1); - int32x8 c1 = _mm256_unpackhi_epi64(b0, b1); - int32x8 c2 = 
_mm256_unpacklo_epi64(b2, b3); - int32x8 c3 = _mm256_unpackhi_epi64(b2, b3); - int32x8_MINMAX(c0, c1); - int32x8_MINMAX(c2, c3); - int32x8 d0 = _mm256_unpacklo_epi32(c0, c1); - int32x8 d1 = _mm256_unpackhi_epi32(c0, c1); - int32x8 d2 = _mm256_unpacklo_epi32(c2, c3); - int32x8 d3 = _mm256_unpackhi_epi32(c2, c3); - int32x8 e0 = _mm256_unpacklo_epi64(d0, d1); - int32x8 e1 = _mm256_unpackhi_epi64(d0, d1); - int32x8 e2 = _mm256_unpacklo_epi64(d2, d3); - int32x8 e3 = _mm256_unpackhi_epi64(d2, d3); - int32x8_MINMAX(e0, e1); - int32x8_MINMAX(e2, e3); - int32x8 f0 = _mm256_unpacklo_epi32(e0, e1); - int32x8 f1 = _mm256_unpackhi_epi32(e0, e1); - int32x8 f2 = _mm256_unpacklo_epi32(e2, e3); - int32x8 f3 = _mm256_unpackhi_epi32(e2, e3); - int32x8_store(&x[j], f0); - int32x8_store(&x[j + 8], f1); - int32x8_store(&x[j + 16], f2); - int32x8_store(&x[j + 24], f3); - } - minmax_vector(x + j, x + j + 16, n - 16 - j); - goto continue8; - } - /* q == 8 */ - j = 0; -continue8: - for (; j + 16 <= n; j += 16) { - int32x8 x0 = int32x8_load(&x[j]); - int32x8 x1 = int32x8_load(&x[j + 8]); - int32x8_MINMAX(x0, x1); - int32x8_store(&x[j], x0); - int32x8_store(&x[j + 8], x1); - int32x8 a0 = _mm256_permute2x128_si256(x0, x1, 0x20); /* x0123y0123 */ - int32x8 a1 = _mm256_permute2x128_si256(x0, x1, 0x31); /* x4567y4567 */ - int32x8_MINMAX(a0, a1); - int32x8 b0 = _mm256_permute2x128_si256(a0, a1, 0x20); /* x01234567 */ - int32x8 b1 = _mm256_permute2x128_si256(a0, a1, 0x31); /* y01234567 */ - int32x8 c0 = _mm256_unpacklo_epi64(b0, b1); /* x01y01x45y45 */ - int32x8 c1 = _mm256_unpackhi_epi64(b0, b1); /* x23y23x67y67 */ - int32x8_MINMAX(c0, c1); - int32x8 d0 = _mm256_unpacklo_epi32(c0, c1); /* x02x13x46x57 */ - int32x8 d1 = _mm256_unpackhi_epi32(c0, c1); /* y02y13y46y57 */ - int32x8 e0 = _mm256_unpacklo_epi64(d0, d1); /* x02y02x46y46 */ - int32x8 e1 = _mm256_unpackhi_epi64(d0, d1); /* x13y13x57y57 */ - int32x8_MINMAX(e0, e1); - int32x8 f0 = _mm256_unpacklo_epi32(e0, e1); /* x01234567 */ - int32x8 f1 = 
_mm256_unpackhi_epi32(e0, e1); /* y01234567 */
- int32x8_store(&x[j], f0);
- int32x8_store(&x[j + 8], f1);
- }
- minmax_vector(x + j, x + j + 8, n - 8 - j);
- if (j + 8 <= n) {
- int32_MINMAX(&x[j], &x[j + 4]);
- int32_MINMAX(&x[j + 1], &x[j + 5]);
- int32_MINMAX(&x[j + 2], &x[j + 6]);
- int32_MINMAX(&x[j + 3], &x[j + 7]);
- int32_MINMAX(&x[j], &x[j + 2]);
- int32_MINMAX(&x[j + 1], &x[j + 3]);
- int32_MINMAX(&x[j], &x[j + 1]);
- int32_MINMAX(&x[j + 2], &x[j + 3]);
- int32_MINMAX(&x[j + 4], &x[j + 6]);
- int32_MINMAX(&x[j + 5], &x[j + 7]);
- int32_MINMAX(&x[j + 4], &x[j + 5]);
- int32_MINMAX(&x[j + 6], &x[j + 7]);
- j += 8;
- }
- minmax_vector(x + j, x + j + 4, n - 4 - j);
- if (j + 4 <= n) {
- int32_MINMAX(&x[j], &x[j + 2]);
- int32_MINMAX(&x[j + 1], &x[j + 3]);
- int32_MINMAX(&x[j], &x[j + 1]);
- int32_MINMAX(&x[j + 2], &x[j + 3]);
- j += 4;
- }
- if (j + 3 <= n) {
- int32_MINMAX(&x[j], &x[j + 2]);
- }
- if (j + 2 <= n) {
- int32_MINMAX(&x[j], &x[j + 1]);
- }
-}
-
-void PQCLEAN_SNTRUP761_AVX2_crypto_sort_int32(void *array, long long n) {
- int32_sort(array, n);
-}
diff --git a/crypto_kem/sntrup761/avx2/crypto_sort_int32.h b/crypto_kem/sntrup761/avx2/crypto_sort_int32.h
deleted file mode 100644
index 2f5329dd..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_sort_int32.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_AVX2_CRYPTO_SORT_INT32_H
-#define PQCLEAN_SNTRUP761_AVX2_CRYPTO_SORT_INT32_H
-
-#include
-#define PQCLEAN_SNTRUP761_AVX2_crypto_sort_int32_BYTES 4
-
-void PQCLEAN_SNTRUP761_AVX2_crypto_sort_int32(void *array, long long n);
-#endif
diff --git a/crypto_kem/sntrup761/avx2/crypto_sort_uint32.c b/crypto_kem/sntrup761/avx2/crypto_sort_uint32.c
deleted file mode 100644
index e9ee179c..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_sort_uint32.c
+++ /dev/null
@@ -1,18 +0,0 @@
-#include "crypto_sort_int32.h"
-#include "crypto_sort_uint32.h"
-
-
-/* can save time by vectorizing xor loops */
-/* can save time by integrating xor loops with int32_sort */
-
-void PQCLEAN_SNTRUP761_AVX2_crypto_sort_uint32(void *array, long long n) {
- uint32_t *x = array;
- long long j;
- for (j = 0; j < n; ++j) {
- x[j] ^= 0x80000000;
- }
- PQCLEAN_SNTRUP761_AVX2_crypto_sort_int32((int32_t *)array, n);
- for (j = 0; j < n; ++j) {
- x[j] ^= 0x80000000;
- }
-}
diff --git a/crypto_kem/sntrup761/avx2/crypto_sort_uint32.h b/crypto_kem/sntrup761/avx2/crypto_sort_uint32.h
deleted file mode 100644
index 7d22be84..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_sort_uint32.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_AVX2_CRYPTO_SORT_UINT32_H
-#define PQCLEAN_SNTRUP761_AVX2_CRYPTO_SORT_UINT32_H
-
-#include
-#define PQCLEAN_SNTRUP761_AVX2_crypto_sort_uint32_BYTES 4
-
-void PQCLEAN_SNTRUP761_AVX2_crypto_sort_uint32(void *array, long long n);
-#endif
diff --git a/crypto_kem/sntrup761/avx2/crypto_stream_aes256ctr.c b/crypto_kem/sntrup761/avx2/crypto_stream_aes256ctr.c
deleted file mode 100644
index cd5240ed..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_stream_aes256ctr.c
+++ /dev/null
@@ -1,15 +0,0 @@
-#include "crypto_stream_aes256ctr.h"
-
-
-int PQCLEAN_SNTRUP761_AVX2_crypto_stream_aes256ctr(
- uint8_t *out,
- size_t outlen,
- const uint8_t nonce[AESCTR_NONCEBYTES],
- const uint8_t key[AES256_KEYBYTES]) {
-
- aes256ctx state;
- aes256_ctr_keyexp(&state, key);
- aes256_ctr(out, outlen, nonce, &state);
- aes256_ctx_release(&state);
- return 0;
-}
diff --git a/crypto_kem/sntrup761/avx2/crypto_stream_aes256ctr.h b/crypto_kem/sntrup761/avx2/crypto_stream_aes256ctr.h
deleted file mode 100644
index f5072215..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_stream_aes256ctr.h
+++ /dev/null
@@ -1,15 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_AVX2_CRYPTO_STREAM_AES256CTR_H
-#define PQCLEAN_SNTRUP761_AVX2_CRYPTO_STREAM_AES256CTR_H
-#include "aes.h"
-#include
-#include
-
-
-
-int PQCLEAN_SNTRUP761_AVX2_crypto_stream_aes256ctr(
- uint8_t *out,
- size_t outlen,
- const uint8_t nonce[AESCTR_NONCEBYTES],
- const uint8_t key[AES256_KEYBYTES]);
-
-#endif
diff --git a/crypto_kem/sntrup761/avx2/crypto_verify_1039.c b/crypto_kem/sntrup761/avx2/crypto_verify_1039.c
deleted file mode 100644
index e2bc9f1c..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_verify_1039.c
+++ /dev/null
@@ -1,36 +0,0 @@
-#include "crypto_verify_1039.h"
-#include
-
-int PQCLEAN_SNTRUP761_AVX2_crypto_verify_1039(const unsigned char *x, const unsigned char *y) {
- __m256i diff = _mm256_set1_epi8(0);
- unsigned int differentbits = 0;
- int i = PQCLEAN_SNTRUP761_AVX2_crypto_verify_1039_BYTES;
-
- i -= 32;
- for (;;) {
- do {
- __m256i x0 = _mm256_loadu_si256((__m256i *) x);
- __m256i y0 = _mm256_loadu_si256((__m256i *) y);
- diff |= x0 ^ y0;
- i -= 32;
- x += 32;
- y += 32;
- } while (i >= 0);
- if (i <= -32) {
- break;
- }
- x += i;
- y += i;
- }
-
- diff |= _mm256_srli_epi16(diff, 8);
- diff |= _mm256_srli_epi32(diff, 16);
- diff |= _mm256_srli_epi64(diff, 32);
-
- differentbits = (unsigned int) _mm256_extract_epi8(diff, 0);
- differentbits |= (unsigned int) _mm256_extract_epi8(diff, 8);
- differentbits |= (unsigned int) _mm256_extract_epi8(diff, 16);
- differentbits |= (unsigned int) _mm256_extract_epi8(diff, 24);
-
- return (int) (1 & ((differentbits - 1) >> 8)) - 1;
-}
diff --git a/crypto_kem/sntrup761/avx2/crypto_verify_1039.h b/crypto_kem/sntrup761/avx2/crypto_verify_1039.h
deleted file mode 100644
index b0d5ffd4..00000000
--- a/crypto_kem/sntrup761/avx2/crypto_verify_1039.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_AVX2_CRYPTO_VERIFY_1039_H
-#define PQCLEAN_SNTRUP761_AVX2_CRYPTO_VERIFY_1039_H
-
-#include
-#define PQCLEAN_SNTRUP761_AVX2_crypto_verify_1039_BYTES 1039
-
-int PQCLEAN_SNTRUP761_AVX2_crypto_verify_1039(const unsigned char *x, const unsigned char *y);
-#endif
diff --git a/crypto_kem/sntrup761/avx2/kem.c b/crypto_kem/sntrup761/avx2/kem.c
deleted file mode 100644
index ff1672eb..00000000
--- a/crypto_kem/sntrup761/avx2/kem.c
+++ /dev/null
@@ -1,247 +0,0 @@
-#include "api.h"
-#include "crypto_sort_uint32.h"
-#include "params.h"
-#include "randombytes.h"
-#include "sha2.h"
-
-
-
-#define int8 int8_t
-#define int16 int16_t
-#define int32 int32_t
-#define uint16 uint16_t
-#define uint32 uint32_t
-
-/* ----- arithmetic mod 3 */
-
-typedef int8 small;
-/* F3 is always represented as -1,0,1 */
-
-/* ----- arithmetic mod q */
-
-typedef int16 Fq;
-/* always represented as -(q-1)/2...(q-1)/2 */
-
-/* ----- small polynomials */
-
-/* R3_fromR(R_fromRq(r)) */
-static void R3_fromRq(small *out, const Fq *r) {
- crypto_encode_pxfreeze3((unsigned char *) out, (unsigned char *) r);
-}
-
-/* h = f*g in the ring R3 */
-static void R3_mult(small *h, const small *f, const small *g) {
- crypto_core_mult3((unsigned char *) h, (const unsigned char *) f, (const unsigned char *) g);
-}
-
-/* ----- polynomials mod q */
-
-/* h = h*g in the ring Rq */
-static void Rq_mult_small(Fq *h, const small *g) {
- crypto_encode_pxint16((unsigned char *) h, h);
- crypto_core_mult((unsigned char *) h, (const unsigned char *) h, (const unsigned char *) g);
- crypto_decode_pxint16(h, (const unsigned char *) h);
-}
-
-/* h = 3f in Rq */
-static void Rq_mult3(Fq *h, const Fq *f) {
- crypto_encode_pxint16((unsigned char *) h, f);
- crypto_core_scale3((unsigned char *) h, (const unsigned char *) h);
- crypto_decode_pxint16(h, (const unsigned char *) h);
-}
-
-/* out = 1/(3*in) in Rq */
-/* caller must have 2p+1 bytes free in out, not just 2p */
-static void Rq_recip3(Fq *out, const small *in) {
- crypto_core_inv((unsigned char *) out, (const unsigned char *) in);
- /* could check byte 2*p for failure; but, in context, inv always works */
- crypto_decode_pxint16(out, (unsigned char *) out);
-}
-
-/* ----- underlying hash function */
-
-#define Hash_bytes 32
-
-static void Hash(unsigned char *out, const unsigned char *in, int inlen) {
- unsigned char h[64];
- int i;
- sha512(h, in, (size_t) inlen);
- for (i = 0; i < 32; ++i) {
- out[i] = h[i];
- }
-}
-
-/* ----- higher-level randomness */
-
-static void Short_random(small *out) {
- uint32 L[ppadsort];
- int i;
-
- randombytes((unsigned char *) L, 4 * p);
- crypto_decode_pxint32(L, (unsigned char *) L);
- for (i = 0; i < w; ++i) {
- L[i] = L[i] & (uint32) - 2;
- }
- for (i = w; i < p; ++i) {
- L[i] = (L[i] & (uint32) - 3) | 1;
- }
- for (i = p; i < ppadsort; ++i) {
- L[i] = 0xffffffff;
- }
- PQCLEAN_SNTRUP761_AVX2_crypto_sort_uint32(L, ppadsort);
- for (i = 0; i < p; ++i) {
- out[i] = (small) ((L[i] & 3) - 1);
- }
-}
-
-static void Small_random(small *out) {
- uint32 L[p];
- int i;
-
- randombytes((unsigned char *) L, sizeof L);
- crypto_decode_pxint32(L, (unsigned char *) L);
- for (i = 0; i < p; ++i) {
- out[i] = (small) ((((L[i] & 0x3fffffff) * 3) >> 30) - 1);
- }
-}
-
-/* ----- Streamlined NTRU Prime */
-
-typedef small Inputs[p]; /* passed by reference */
-#define Ciphertexts_bytes Rounded_bytes
-#define SecretKeys_bytes (2*Small_bytes)
-#define PublicKeys_bytes Rq_bytes
-#define Confirm_bytes 32
-
-/* c,r_enc[1:] = Hide(r,pk,cache); cache is Hash4(pk) */
-/* also set r_enc[0]=3 */
-/* also set x[0]=2, and x[1:1+Hash_bytes] = Hash3(r_enc) */
-/* also overwrite x[1+Hash_bytes:1+2*Hash_bytes] */
-static void Hide(unsigned char *x, unsigned char *c, unsigned char *r_enc, const Inputs r, const unsigned char *pk, const unsigned char *cache) {
- Fq h[p];
- int i;
-
- Small_encode(r_enc + 1, r);
- Rq_decode(h, pk);
- Rq_mult_small(h, r);
- Round_and_encode(c, h);
- r_enc[0] = 3;
- Hash(x + 1, r_enc, 1 + Small_bytes);
- for (i = 0; i < Hash_bytes; ++i) {
- x[1 + Hash_bytes + i] = cache[i];
- }
- x[0] = 2;
- Hash(c + Ciphertexts_bytes, x, 1 + Hash_bytes * 2);
-}
-
-
-int PQCLEAN_SNTRUP761_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) {
- small g[p];
- for (;;) {
- Small_random(g);
- {
- small v[p + 1];
- crypto_core_inv3((unsigned char *) v, (const unsigned char *) g);
- if (v[p] == 0) {
- Small_encode(sk + Small_bytes, v);
- break;
- }
- }
-
}
- {
- small f[p];
- Short_random(f);
- Small_encode(sk, f);
- {
- Fq h[p + 1];
- Rq_recip3(h, f); /* always works */
- Rq_mult_small(h, g);
- Rq_encode(pk, h);
- }
- }
- {
- int i;
- unsigned char sksave = sk[SecretKeys_bytes - 1];
- for (i = 0; i < PublicKeys_bytes; ++i) {
- sk[SecretKeys_bytes + i] = pk[i];
- }
- sk[SecretKeys_bytes - 1] = 4;
- Hash(sk + SecretKeys_bytes + PublicKeys_bytes + Small_bytes, sk + SecretKeys_bytes - 1, 1 + PublicKeys_bytes);
- sk[SecretKeys_bytes - 1] = sksave;
- randombytes(sk + SecretKeys_bytes + PublicKeys_bytes, Small_bytes);
- }
- return 0;
-}
-
-int PQCLEAN_SNTRUP761_AVX2_crypto_kem_enc(unsigned char *c, unsigned char *k, const unsigned char *pk) {
- unsigned char cache[Hash_bytes];
- int i;
- {
- unsigned char y[1 + PublicKeys_bytes]; /* XXX: can eliminate with incremental hashing */
- for (i = 0; i < PublicKeys_bytes; ++i) {
- y[1 + i] = pk[i];
- }
- y[0] = 4;
- Hash(cache, y, sizeof y);
- }
- {
- Inputs r;
- Short_random(r);
- {
- unsigned char r_enc[Small_bytes + 1];
- unsigned char x[1 + Hash_bytes + Ciphertexts_bytes + Confirm_bytes];
- Hide(x, c, r_enc, r, pk, cache);
- for (i = 0; i < Ciphertexts_bytes + Confirm_bytes; ++i) {
- x[1 + Hash_bytes + i] = c[i];
- }
- x[0] = 1;
- Hash(k, x, sizeof x);
- }
- }
- return 0;
-}
-
-int PQCLEAN_SNTRUP761_AVX2_crypto_kem_dec(unsigned char *k, const unsigned char *c, const unsigned char *sk) {
- const unsigned char *pk = sk + SecretKeys_bytes;
- const unsigned char *rho = pk + PublicKeys_bytes;
- const unsigned char *cache = rho + Small_bytes;
- int mask, i;
- Inputs r;
- {
- Fq d[p];
- Rounded_decode(d, c);
- {
- small f[p];
- Small_decode(f, sk);
- Rq_mult_small(d, f);
- Rq_mult3(d, d);
- }
- {
- small e[p];
- small v[p];
- R3_fromRq(e, d);
- Small_decode(v, sk + Small_bytes);
- R3_mult(r, e, v);
- }
- crypto_core_wforce((unsigned char *) r, (unsigned char *) r);
- }
- {
- unsigned char r_enc[1 + Small_bytes];
- unsigned char cnew[Ciphertexts_bytes + Confirm_bytes];
- unsigned
char x[1 + Hash_bytes + Ciphertexts_bytes + Confirm_bytes];
- /* XXX: can use incremental hashing to reduce x size */
-
- Hide(x, cnew, r_enc, r, pk, cache);
- mask = crypto_verify_clen(c, cnew);
- for (i = 0; i < Small_bytes; ++i) {
- r_enc[i + 1] ^= (unsigned char) (mask & (r_enc[i + 1] ^ rho[i]));
- }
- Hash(x + 1, r_enc, 1 + Small_bytes); /* XXX: can instead do cmov on cached hash of rho */
- for (i = 0; i < Ciphertexts_bytes + Confirm_bytes; ++i) {
- x[1 + Hash_bytes + i] = c[i];
- }
- x[0] = (unsigned char) (1 + mask);
- Hash(k, x, sizeof x);
- }
- return 0;
-}
diff --git a/crypto_kem/sntrup761/avx2/params.h b/crypto_kem/sntrup761/avx2/params.h
deleted file mode 100644
index 6a72060a..00000000
--- a/crypto_kem/sntrup761/avx2/params.h
+++ /dev/null
@@ -1,73 +0,0 @@
-#ifndef params_H
-#define params_H
-#include "crypto_core_inv3sntrup761.h"
-#include "crypto_core_invsntrup761.h"
-#include "crypto_core_mult3sntrup761.h"
-#include "crypto_core_multsntrup761.h"
-#include "crypto_core_scale3sntrup761.h"
-#include "crypto_core_weightsntrup761.h"
-#include "crypto_core_wforcesntrup761.h"
-#include "crypto_decode_761x1531.h"
-#include "crypto_decode_761x3.h"
-#include "crypto_decode_761x4591.h"
-#include "crypto_decode_761xint16.h"
-#include "crypto_decode_761xint32.h"
-#include "crypto_encode_761x1531.h"
-#include "crypto_encode_761x1531round.h"
-#include "crypto_encode_761x3.h"
-#include "crypto_encode_761x4591.h"
-#include "crypto_encode_761xfreeze3.h"
-#include "crypto_encode_761xint16.h"
-#include "crypto_encode_int16.h"
-#include "crypto_sort_int32.h"
-#include "crypto_sort_uint32.h"
-#include "crypto_verify_1039.h"
-
-
-#define qinv 15631 /* reciprocal of q mod 2^16 */
-#define q27 29235 /* closest integer to 2^27/q */
-#define q18 57 /* closest integer to 2^18/q */
-#define ppad 769
-#define crypto_core_weight PQCLEAN_SNTRUP761_AVX2_crypto_core_weightsntrup761
-#define p 761
-#define q 4591
-#define w 286
-
-#define ppadsort 761
-
-#define crypto_verify_clen PQCLEAN_SNTRUP761_AVX2_crypto_verify_1039
-
-#define Rq_bytes PQCLEAN_SNTRUP761_AVX2_crypto_encode_761x4591_STRBYTES
-#define Rq_encode PQCLEAN_SNTRUP761_AVX2_crypto_encode_761x4591
-#define Rq_decode PQCLEAN_SNTRUP761_AVX2_crypto_decode_761x4591
-
-#define Rounded_bytes PQCLEAN_SNTRUP761_AVX2_crypto_decode_761x1531_STRBYTES
-#define Rounded_decode PQCLEAN_SNTRUP761_AVX2_crypto_decode_761x1531
-
-#define Round_and_encode PQCLEAN_SNTRUP761_AVX2_crypto_encode_761x1531round
-
-#define Small_bytes PQCLEAN_SNTRUP761_AVX2_crypto_encode_761x3_STRBYTES
-#define Small_encode PQCLEAN_SNTRUP761_AVX2_crypto_encode_761x3
-#define Small_decode PQCLEAN_SNTRUP761_AVX2_crypto_decode_761x3
-
-#define crypto_encode_pxfreeze3 PQCLEAN_SNTRUP761_AVX2_crypto_encode_761xfreeze3
-
-#define crypto_decode_pxint32 PQCLEAN_SNTRUP761_AVX2_crypto_decode_761xint32
-
-#define crypto_decode_pxint16 PQCLEAN_SNTRUP761_AVX2_crypto_decode_761xint16
-
-#define crypto_encode_pxint16 PQCLEAN_SNTRUP761_AVX2_crypto_encode_761xint16
-
-#define crypto_core_wforce PQCLEAN_SNTRUP761_AVX2_crypto_core_wforcesntrup761
-
-#define crypto_core_scale3 PQCLEAN_SNTRUP761_AVX2_crypto_core_scale3sntrup761
-
-#define crypto_core_inv PQCLEAN_SNTRUP761_AVX2_crypto_core_invsntrup761
-
-#define crypto_core_inv3 PQCLEAN_SNTRUP761_AVX2_crypto_core_inv3sntrup761
-
-#define crypto_core_mult3 PQCLEAN_SNTRUP761_AVX2_crypto_core_mult3sntrup761
-
-#define crypto_core_mult PQCLEAN_SNTRUP761_AVX2_crypto_core_multsntrup761
-
-#endif
diff --git a/crypto_kem/sntrup761/clean/LICENSE b/crypto_kem/sntrup761/clean/LICENSE
deleted file mode 100644
index d5d21fff..00000000
--- a/crypto_kem/sntrup761/clean/LICENSE
+++ /dev/null
@@ -1 +0,0 @@
-Public Domain
diff --git a/crypto_kem/sntrup761/clean/Makefile.Microsoft_nmake b/crypto_kem/sntrup761/clean/Makefile.Microsoft_nmake
deleted file mode 100644
index 4618d5a2..00000000
--- a/crypto_kem/sntrup761/clean/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libsntrup761_clean.lib
-OBJECTS=crypto_core_inv3sntrup761.obj crypto_core_invsntrup761.obj crypto_core_mult3sntrup761.obj crypto_core_multsntrup761.obj crypto_core_scale3sntrup761.obj crypto_core_weightsntrup761.obj crypto_core_wforcesntrup761.obj crypto_decode_761x1531.obj crypto_decode_761x3.obj crypto_decode_761x4591.obj crypto_decode_761xint16.obj crypto_decode_761xint32.obj crypto_encode_761x1531.obj crypto_encode_761x1531round.obj crypto_encode_761x3.obj crypto_encode_761x4591.obj crypto_encode_761xfreeze3.obj crypto_encode_761xint16.obj crypto_encode_int16.obj crypto_sort_int32.obj crypto_sort_uint32.obj crypto_stream_aes256ctr.obj crypto_verify_1039.obj kem.obj
-
-CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_kem/sntrup761/clean/api.h b/crypto_kem/sntrup761/clean/api.h
deleted file mode 100644
index f0d53841..00000000
--- a/crypto_kem/sntrup761/clean/api.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_CLEAN_API_H
-#define PQCLEAN_SNTRUP761_CLEAN_API_H
-
-
-
-#define PQCLEAN_SNTRUP761_CLEAN_CRYPTO_ALGNAME "sntrup761"
-
-#define PQCLEAN_SNTRUP761_CLEAN_CRYPTO_SECRETKEYBYTES 1763
-#define PQCLEAN_SNTRUP761_CLEAN_CRYPTO_PUBLICKEYBYTES 1158
-#define PQCLEAN_SNTRUP761_CLEAN_CRYPTO_CIPHERTEXTBYTES 1039
-#define PQCLEAN_SNTRUP761_CLEAN_CRYPTO_BYTES 32
-
-int PQCLEAN_SNTRUP761_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk);
-int PQCLEAN_SNTRUP761_CLEAN_crypto_kem_enc(unsigned char *c, unsigned char *k, const unsigned char *pk);
-int PQCLEAN_SNTRUP761_CLEAN_crypto_kem_dec(unsigned char *k, const unsigned char *c, const unsigned char *sk);
-#endif
diff --git a/crypto_kem/sntrup761/clean/crypto_core_inv3sntrup761.c b/crypto_kem/sntrup761/clean/crypto_core_inv3sntrup761.c
deleted file mode 100644
index 1aba59e9..00000000
--- a/crypto_kem/sntrup761/clean/crypto_core_inv3sntrup761.c
+++ /dev/null
@@ -1,110 +0,0 @@
-#include "crypto_core_inv3sntrup761.h"
-#include "params.h"
-
-
-
-#define int8 int8_t
-#define int16 int16_t
-#define int32 int32_t
-#define uint16 uint16_t
-#define uint32 uint32_t
-
-/* ----- masks */
-
-/* return -1 if x!=0; else return 0 */
-static int int16_nonzero_mask(int16 x) {
- uint16 u = (uint16) x; /* 0, else 1...65535 */
- uint32 v = u; /* 0, else 1...65535 */
- v = ~v + 1; /* 0, else 2^32-65535...2^32-1 */
- v >>= 31; /* 0, else 1 */
- return -(int) v; /* 0, else -1 */
-}
-
-/* return -1 if x<0; otherwise return 0 */
-static int int16_negative_mask(int16 x) {
- uint16 u = (uint16) x;
- u >>= 15;
- return -(int) u;
- /* alternative with gcc -fwrapv: */
- /* x>>15 compiles to CPU's arithmetic right shift */
-}
-
-/* ----- arithmetic mod 3 */
-
-typedef int8 small;
-/* F3 is always represented as -1,0,1 */
-
-/* works for -16384 <= x < 16384 */
-static small F3_freeze(int16 x) {
- return (small) (x - 3 * ((10923 * x + 16384) >> 15));
-}
-
-/* byte p of output is 0 if recip succeeded; else -1 */
-int PQCLEAN_SNTRUP761_CLEAN_crypto_core_inv3sntrup761(unsigned char *outbytes, const unsigned char *inbytes) {
- small *out = (void *) outbytes;
- small *in = (void *) inbytes;
- small f[p + 1], g[p + 1], v[p + 1], r[p + 1];
- int i, loop, delta;
- int sign, swap, t;
-
- for (i = 0; i < p + 1; ++i) {
- v[i] = 0;
- }
- for (i = 0; i < p + 1; ++i) {
- r[i] = 0;
- }
- r[0] = 1;
- for (i = 0; i < p; ++i) {
- f[i] = 0;
- }
- f[0] = 1;
- f[p - 1] = f[p] = -1;
- for (i = 0; i < p; ++i) {
- small i1 = in[i] & 1;
- g[p - 1 - i] = (small) (i1 - (in[i] & (i1 << 1)));
- }
- g[p] = 0;
-
- delta = 1;
-
- for (loop = 0; loop < 2 * p - 1; ++loop) {
- for (i = p; i > 0; --i) {
- v[i] = v[i - 1];
- }
- v[0] = 0;
-
- sign = -g[0] * f[0];
- swap = int16_negative_mask((int16) - delta) & int16_nonzero_mask(g[0]);
- delta ^= swap & (delta ^ -delta);
- delta += 1;
-
- for (i = 0; i < p + 1; ++i) {
- t = swap & (f[i] ^ g[i]);
- f[i] ^= (small) t;
- g[i] ^= (small) t;
- t = swap & (v[i] ^ r[i]);
- v[i] ^= (small) t;
- r[i] ^= (small) t;
- }
-
- for (i = 0; i < p + 1; ++i) {
- g[i] = F3_freeze((int16) (g[i] + sign * f[i]));
- }
- for (i = 0; i < p + 1; ++i) {
- r[i] = F3_freeze((int16) (r[i] + sign * v[i]));
- }
-
- for (i = 0; i < p; ++i) {
- g[i] = g[i + 1];
- }
- g[p] = 0;
- }
-
- sign = f[0];
- for (i = 0; i < p; ++i) {
- out[i] = (small) (sign * v[p - 1 - i]);
- }
-
- out[p] = (small) int16_nonzero_mask((int16) delta);
- return 0;
-}
diff --git a/crypto_kem/sntrup761/clean/crypto_core_inv3sntrup761.h b/crypto_kem/sntrup761/clean/crypto_core_inv3sntrup761.h
deleted file mode 100644
index 583e49c0..00000000
--- a/crypto_kem/sntrup761/clean/crypto_core_inv3sntrup761.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_CLEAN_CRYPTO_CORE_INV3SNTRUP761_H
-#define PQCLEAN_SNTRUP761_CLEAN_CRYPTO_CORE_INV3SNTRUP761_H
-
-#include
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_core_inv3sntrup761_OUTPUTBYTES 762
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_core_inv3sntrup761_INPUTBYTES 761
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_core_inv3sntrup761_KEYBYTES 0
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_core_inv3sntrup761_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP761_CLEAN_crypto_core_inv3sntrup761(unsigned char *outbytes, const unsigned char *inbytes);
-#endif
diff --git a/crypto_kem/sntrup761/clean/crypto_core_invsntrup761.c b/crypto_kem/sntrup761/clean/crypto_core_invsntrup761.c
deleted file mode 100644
index dab970d4..00000000
--- a/crypto_kem/sntrup761/clean/crypto_core_invsntrup761.c
+++ /dev/null
@@ -1,130 +0,0 @@
-#include "crypto_core_invsntrup761.h"
-#include "params.h"
-
-
-#define int8 int8_t
-#define int16 int16_t
-#define int32 int32_t
-#define uint16 uint16_t
-#define uint32 uint32_t
-
-
-/* ----- masks */
-
-/* return -1 if x!=0; else return 0 */
-static int int16_nonzero_mask(int16 x) {
- uint16 u = (uint16) x; /* 0, else 1...65535 */
- uint32 v = u; /* 0, else 1...65535 */
- v = ~v + 1; /* 0, else 2^32-65535...2^32-1 */
- v >>= 31; /* 0, else 1 */
- return -(int) v; /* 0, else -1 */
-}
-
-/* return -1 if x<0; otherwise return 0 */
-static int int16_negative_mask(int16 x) {
- uint16 u = (uint16) x;
- u >>= 15;
- return -(int) u;
- /* alternative with gcc -fwrapv: */
- /* x>>15 compiles to CPU's arithmetic right shift */
-}
-
-/* ----- arithmetic mod q */
-
-typedef int8 small;
-
-typedef int16 Fq;
-/* always represented as -(q-1)/2...(q-1)/2 */
-
-/* works for -14000000 < x < 14000000 if q in 4591, 4621, 5167 */
-static Fq Fq_freeze(int32 x) {
- x -= q * ((q18 * x) >> 18);
- x -= q * ((q27 * x + 67108864) >> 27);
- return (Fq) x;
-}
-
-static Fq Fq_recip(Fq a1) {
- int i = 1;
- Fq ai = a1;
-
- while (i < q - 2) {
- ai = Fq_freeze(a1 * (int32)ai);
- i += 1;
- }
- return ai;
-}
-
-/* ----- polynomials mod q */
-
-/* out = 1/(3*in) in Rq */
-/* outbytes[2*p] is 0 if recip succeeded; else -1 */
-int PQCLEAN_SNTRUP761_CLEAN_crypto_core_invsntrup761(unsigned char *outbytes, const unsigned char *inbytes) {
- small *in = (void *) inbytes;
- Fq out[p], f[p + 1], g[p + 1], v[p + 1], r[p + 1];
- int i, loop, delta;
- int swap, t;
- int32 f0, g0;
- Fq scale;
-
- for (i = 0; i < p + 1; ++i) {
- v[i] = 0;
- }
- for (i = 0; i < p + 1; ++i) {
- r[i] = 0;
- }
- r[0] = Fq_recip(3);
- for (i = 0; i < p; ++i) {
- f[i] = 0;
- }
- f[0] = 1;
- f[p - 1] = f[p] = -1;
- for (i = 0; i < p; ++i) {
- g[p - 1 - i] = in[i];
- }
- g[p] = 0;
-
- delta = 1;
-
- for (loop = 0; loop < 2 * p - 1; ++loop) {
- for (i = p; i > 0; --i) {
- v[i] = v[i - 1];
- }
- v[0] = 0;
-
- swap =
int16_negative_mask((int16) - delta) & int16_nonzero_mask(g[0]);
- delta ^= swap & (delta ^ -delta);
- delta += 1;
-
- for (i = 0; i < p + 1; ++i) {
- t = swap & (f[i] ^ g[i]);
- f[i] ^= (Fq) t;
- g[i] ^= (Fq) t;
- t = swap & (v[i] ^ r[i]);
- v[i] ^= (Fq) t;
- r[i] ^= (Fq) t;
- }
-
- f0 = f[0];
- g0 = g[0];
- for (i = 0; i < p + 1; ++i) {
- g[i] = Fq_freeze(f0 * g[i] - g0 * f[i]);
- }
- for (i = 0; i < p + 1; ++i) {
- r[i] = Fq_freeze(f0 * r[i] - g0 * v[i]);
- }
-
- for (i = 0; i < p; ++i) {
- g[i] = g[i + 1];
- }
- g[p] = 0;
- }
-
- scale = Fq_recip(f[0]);
- for (i = 0; i < p; ++i) {
- out[i] = Fq_freeze(scale * (int32)v[p - 1 - i]);
- }
-
- crypto_encode_pxint16(outbytes, out);
- outbytes[2 * p] = (unsigned char) int16_nonzero_mask((int16) delta);
- return 0;
-}
diff --git a/crypto_kem/sntrup761/clean/crypto_core_invsntrup761.h b/crypto_kem/sntrup761/clean/crypto_core_invsntrup761.h
deleted file mode 100644
index c9e09ef4..00000000
--- a/crypto_kem/sntrup761/clean/crypto_core_invsntrup761.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_CLEAN_CRYPTO_CORE_INVSNTRUP761_H
-#define PQCLEAN_SNTRUP761_CLEAN_CRYPTO_CORE_INVSNTRUP761_H
-
-#include
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_core_invsntrup761_OUTPUTBYTES 1523
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_core_invsntrup761_INPUTBYTES 761
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_core_invsntrup761_KEYBYTES 0
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_core_invsntrup761_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP761_CLEAN_crypto_core_invsntrup761(unsigned char *outbytes, const unsigned char *inbytes);
-#endif
diff --git a/crypto_kem/sntrup761/clean/crypto_core_mult3sntrup761.c b/crypto_kem/sntrup761/clean/crypto_core_mult3sntrup761.c
deleted file mode 100644
index b25892b4..00000000
--- a/crypto_kem/sntrup761/clean/crypto_core_mult3sntrup761.c
+++ /dev/null
@@ -1,57 +0,0 @@
-#include "crypto_core_mult3sntrup761.h"
-#include "params.h"
-
-
-#define int8 int8_t
-#define int16 int16_t
-typedef int8 small;
-
-/* works for -16384 <= x < 16384 */
-static small F3_freeze(int16 x) {
- return (small) (x - 3 * ((10923 * x + 16384) >> 15));
-}
-
-int PQCLEAN_SNTRUP761_CLEAN_crypto_core_mult3sntrup761(unsigned char *outbytes, const unsigned char *inbytes, const unsigned char *kbytes) {
- small *h = (void *) outbytes;
- small f[p];
- small g[p];
- small fg[p + p - 1];
- int16 result;
- int i, j;
-
- for (i = 0; i < p; ++i) {
- small fi = (small) inbytes[i];
- small fi0 = fi & 1;
- f[i] = (small) (fi0 - (fi & (fi0 << 1)));
- }
- for (i = 0; i < p; ++i) {
- small gi = (small) kbytes[i];
- small gi0 = gi & 1;
- g[i] = (small) (gi0 - (gi & (gi0 << 1)));
- }
-
- for (i = 0; i < p; ++i) {
- result = 0;
- for (j = 0; j <= i; ++j) {
- result += (small) (f[j] * g[i - j]);
- }
- fg[i] = F3_freeze(result);
- }
- for (i = p; i < p + p - 1; ++i) {
- result = 0;
- for (j = i - p + 1; j < p; ++j) {
- result += (small) (f[j] * g[i - j]);
- }
- fg[i] = F3_freeze(result);
- }
-
- for (i = p + p - 2; i >= p; --i) {
- fg[i - p] = F3_freeze(fg[i - p] + fg[i]);
- fg[i - p + 1] = F3_freeze(fg[i - p + 1] + fg[i]);
- }
-
- for (i = 0; i < p; ++i) {
- h[i] = fg[i];
- }
- return 0;
-}
diff --git a/crypto_kem/sntrup761/clean/crypto_core_mult3sntrup761.h b/crypto_kem/sntrup761/clean/crypto_core_mult3sntrup761.h
deleted file mode 100644
index d06fb73c..00000000
--- a/crypto_kem/sntrup761/clean/crypto_core_mult3sntrup761.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_CLEAN_CRYPTO_CORE_MULT3SNTRUP761_H
-#define PQCLEAN_SNTRUP761_CLEAN_CRYPTO_CORE_MULT3SNTRUP761_H
-
-#include
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_core_mult3sntrup761_OUTPUTBYTES 761
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_core_mult3sntrup761_INPUTBYTES 761
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_core_mult3sntrup761_KEYBYTES 761
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_core_mult3sntrup761_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP761_CLEAN_crypto_core_mult3sntrup761(unsigned char *outbytes, const unsigned char *inbytes, const unsigned char *kbytes);
-#endif
diff --git a/crypto_kem/sntrup761/clean/crypto_core_multsntrup761.c b/crypto_kem/sntrup761/clean/crypto_core_multsntrup761.c
deleted file mode 100644
index 0ae23c3c..00000000
--- a/crypto_kem/sntrup761/clean/crypto_core_multsntrup761.c
+++ /dev/null
@@ -1,60 +0,0 @@
-#include "crypto_core_multsntrup761.h"
-#include "params.h"
-
-
-#define int8 int8_t
-#define int16 int16_t
-#define int32 int32_t
-typedef int8 small;
-
-typedef int16 Fq;
-/* always represented as -(q-1)/2...(q-1)/2 */
-
-/* works for -14000000 < x < 14000000 if q in 4591, 4621, 5167 */
-static Fq Fq_freeze(int32 x) {
- x -= q * ((q18 * x) >> 18);
- x -= q * ((q27 * x + 67108864) >> 27);
- return (Fq) x;
-}
-
-int PQCLEAN_SNTRUP761_CLEAN_crypto_core_multsntrup761(unsigned char *outbytes, const unsigned char *inbytes, const unsigned char *kbytes) {
- Fq f[p];
- small g[p];
- Fq fg[p + p - 1];
- int32 result;
- int i, j;
-
- crypto_decode_pxint16(f, inbytes);
- for (i = 0; i < p; ++i) {
- f[i] = Fq_freeze(f[i]);
- }
-
- for (i = 0; i < p; ++i) {
- small gi = (small) kbytes[i];
- small gi0 = gi & 1;
- g[i] = (small) (gi0 - (gi & (gi0 << 1)));
- }
-
- for (i = 0; i < p; ++i) {
- result = 0;
- for (j = 0; j <= i; ++j) {
- result += f[j] * (int32)g[i - j];
- }
- fg[i] = Fq_freeze(result);
- }
- for (i = p; i < p + p - 1; ++i) {
- result = 0;
- for (j = i - p + 1; j < p; ++j) {
- result += f[j] * (int32)g[i - j];
- }
- fg[i] = Fq_freeze(result);
- }
-
- for (i = p + p - 2; i >= p; --i) {
- fg[i - p] = Fq_freeze(fg[i - p] + fg[i]);
- fg[i - p + 1] = Fq_freeze(fg[i - p + 1] + fg[i]);
- }
-
- crypto_encode_pxint16(outbytes, fg);
- return 0;
-}
diff --git a/crypto_kem/sntrup761/clean/crypto_core_multsntrup761.h b/crypto_kem/sntrup761/clean/crypto_core_multsntrup761.h
deleted file mode 100644
index dc81268f..00000000
--- a/crypto_kem/sntrup761/clean/crypto_core_multsntrup761.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_CLEAN_CRYPTO_CORE_MULTSNTRUP761_H
-#define PQCLEAN_SNTRUP761_CLEAN_CRYPTO_CORE_MULTSNTRUP761_H
-
-#include
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_core_multsntrup761_OUTPUTBYTES 1522
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_core_multsntrup761_INPUTBYTES 1522
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_core_multsntrup761_KEYBYTES 761
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_core_multsntrup761_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP761_CLEAN_crypto_core_multsntrup761(unsigned char *outbytes, const unsigned char *inbytes, const unsigned char *kbytes);
-#endif
diff --git a/crypto_kem/sntrup761/clean/crypto_core_scale3sntrup761.c b/crypto_kem/sntrup761/clean/crypto_core_scale3sntrup761.c
deleted file mode 100644
index f4da4e6f..00000000
--- a/crypto_kem/sntrup761/clean/crypto_core_scale3sntrup761.c
+++ /dev/null
@@ -1,32 +0,0 @@
-#include "crypto_core_scale3sntrup761.h"
-#include "crypto_decode_761xint16.h"
-#include "crypto_encode_761xint16.h"
-
-
-#define p 761
-#define q 4591
-
-#define crypto_decode_pxint16 PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761xint16
-#define crypto_encode_pxint16 PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761xint16
-
-typedef int16_t Fq;
-
-/* out = 3*in in Rq */
-int PQCLEAN_SNTRUP761_CLEAN_crypto_core_scale3sntrup761(unsigned char *outbytes, const unsigned char *inbytes) {
- Fq f[p];
- int i;
-
- crypto_decode_pxint16(f, inbytes);
- for (i = 0; i < p; ++i) {
- Fq x = f[i];
- x *= 3; /* (-3q+3)/2 ... (3q-3)/2 */
- x -= (q + 1) / 2; /* -2q+1 ... q-2 */
- x += q & (x >> 15); /* -q+1 ... q-1 */
- x += q & (x >> 15); /* 0 ... q-1 */
- x -= (q - 1) / 2; /* -(q-1)/2 ... (q-1)/2 */
- f[i] = x;
- }
- crypto_encode_pxint16(outbytes, f);
-
- return 0;
-}
diff --git a/crypto_kem/sntrup761/clean/crypto_core_scale3sntrup761.h b/crypto_kem/sntrup761/clean/crypto_core_scale3sntrup761.h
deleted file mode 100644
index 712cdb5b..00000000
--- a/crypto_kem/sntrup761/clean/crypto_core_scale3sntrup761.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_CLEAN_CRYPTO_CORE_SCALE3SNTRUP761_H
-#define PQCLEAN_SNTRUP761_CLEAN_CRYPTO_CORE_SCALE3SNTRUP761_H
-
-#include
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_core_scale3sntrup761_OUTPUTBYTES 1522
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_core_scale3sntrup761_INPUTBYTES 1522
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_core_scale3sntrup761_KEYBYTES 0
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_core_scale3sntrup761_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP761_CLEAN_crypto_core_scale3sntrup761(unsigned char *outbytes, const unsigned char *inbytes);
-#endif
diff --git a/crypto_kem/sntrup761/clean/crypto_core_weightsntrup761.c b/crypto_kem/sntrup761/clean/crypto_core_weightsntrup761.c
deleted file mode 100644
index 3809abf0..00000000
--- a/crypto_kem/sntrup761/clean/crypto_core_weightsntrup761.c
+++ /dev/null
@@ -1,21 +0,0 @@
-#include "crypto_core_weightsntrup761.h"
-#include "crypto_encode_int16.h"
-#include "params.h"
-
-
-#define int8 int8_t
-#define int16 int16_t
-
-
-/* out = little-endian weight of bottom bits of in */
-int PQCLEAN_SNTRUP761_CLEAN_crypto_core_weightsntrup761(unsigned char *outbytes, const unsigned char *inbytes) {
- int8 *in = (void *) inbytes;
- int16 weight = 0;
- int i;
-
- for (i = 0; i < p; ++i) {
- weight += in[i] & 1;
- }
- PQCLEAN_SNTRUP761_CLEAN_crypto_encode_int16(outbytes, &weight);
- return 0;
-}
diff --git a/crypto_kem/sntrup761/clean/crypto_core_weightsntrup761.h b/crypto_kem/sntrup761/clean/crypto_core_weightsntrup761.h
deleted file mode 100644
index a1cef62f..00000000
--- a/crypto_kem/sntrup761/clean/crypto_core_weightsntrup761.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_CLEAN_CRYPTO_CORE_WEIGHTSNTRUP761_H
-#define PQCLEAN_SNTRUP761_CLEAN_CRYPTO_CORE_WEIGHTSNTRUP761_H
-
-#include
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_core_weightsntrup761_OUTPUTBYTES 2
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_core_weightsntrup761_INPUTBYTES 761
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_core_weightsntrup761_KEYBYTES 0
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_core_weightsntrup761_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP761_CLEAN_crypto_core_weightsntrup761(unsigned char *outbytes, const unsigned char *inbytes);
-#endif
diff --git a/crypto_kem/sntrup761/clean/crypto_core_wforcesntrup761.c b/crypto_kem/sntrup761/clean/crypto_core_wforcesntrup761.c
deleted file mode 100644
index 01dc9ddd..00000000
--- a/crypto_kem/sntrup761/clean/crypto_core_wforcesntrup761.c
+++ /dev/null
@@ -1,48 +0,0 @@
-#include "crypto_core_wforcesntrup761.h"
-#include "params.h"
-
-
-#define int8 int8_t
-#define int16 int16_t
-#define uint16 uint16_t
-#define uint32 uint32_t
-
-typedef int8 small;
-
-
-/* return -1 if x!=0; else return 0 */
-static int int16_nonzero_mask(int16 x) {
- uint16 u = (uint16) x; /* 0, else 1...65535 */
- uint32 v = u; /* 0, else 1...65535 */
- v = ~v + 1; /* 0, else 2^32-65535...2^32-1 */
- v >>= 31; /* 0, else 1 */
- return -(int) v; /* 0, else -1 */
-}
-
-/* 0 if Weightw_is(r), else -1 */
-static int Weightw_mask(const small *r) {
- int weight = 0;
- int i;
-
- for (i = 0; i < p; ++i) {
- weight += r[i] & 1;
- }
- return int16_nonzero_mask((int16) (weight - w));
-}
-
-/* out = in if bottom bits of in have weight w */
-/* otherwise out = (1,1,...,1,0,0,...,0) */
-int PQCLEAN_SNTRUP761_CLEAN_crypto_core_wforcesntrup761(unsigned char *outbytes, const unsigned char *inbytes) {
- small *out = (void *) outbytes;
- const small *in = (const void *) inbytes;
- int i, mask;
-
- mask = Weightw_mask(in); /* 0 if weight w, else -1 */
- for (i = 0; i < w; ++i) {
- out[i] = (small) (((in[i] ^ 1) & ~mask) ^ 1);
- }
- for (i = w; i < p; ++i) {
- out[i] = (small) (in[i] & ~mask);
- }
- return 0;
-}
diff --git a/crypto_kem/sntrup761/clean/crypto_core_wforcesntrup761.h b/crypto_kem/sntrup761/clean/crypto_core_wforcesntrup761.h
deleted file mode 100644
index 42e84231..00000000
--- a/crypto_kem/sntrup761/clean/crypto_core_wforcesntrup761.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_CLEAN_CRYPTO_CORE_WFORCESNTRUP761_H
-#define PQCLEAN_SNTRUP761_CLEAN_CRYPTO_CORE_WFORCESNTRUP761_H
-
-#include
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_core_wforcesntrup761_OUTPUTBYTES 761
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_core_wforcesntrup761_INPUTBYTES 761
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_core_wforcesntrup761_KEYBYTES 0
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_core_wforcesntrup761_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP761_CLEAN_crypto_core_wforcesntrup761(unsigned char *outbytes, const unsigned char *inbytes);
-#endif
diff --git a/crypto_kem/sntrup761/clean/crypto_decode_761x1531.c b/crypto_kem/sntrup761/clean/crypto_decode_761x1531.c
deleted file mode 100644
index bc72c01f..00000000
--- a/crypto_kem/sntrup761/clean/crypto_decode_761x1531.c
+++ /dev/null
@@ -1,211 +0,0 @@ -#include "crypto_decode_761x1531.h" - -/* auto-generated; do not edit */ - -#define int16 int16_t -#define uint16 uint16_t -#define uint32 uint32_t -#define uint64 uint64_t - -/* -CPU division instruction typically takes time depending on x. -This software is designed to take time independent of x. -Time still varies depending on m; user must ensure that m is constant. -Time also varies on CPUs where multiplication is variable-time. -There could be more CPU issues. -There could also be compiler issues. -*/ - -static void uint32_divmod_uint14(uint32 *q, uint16 *r, uint32 x, uint16 m) { - uint32 v = 0x80000000; - uint32 qpart; - uint32 mask; - - v /= m; - - /* caller guarantees m > 0 */ - /* caller guarantees m < 16384 */ - /* vm <= 2^31 <= vm+m-1 */ - /* xvm <= 2^31 x <= xvm+x(m-1) */ - - *q = 0; - - qpart = (uint32) ((x * (uint64)v) >> 31); - /* 2^31 qpart <= xv <= 2^31 qpart + 2^31-1 */ - /* 2^31 qpart m <= xvm <= 2^31 qpart m + (2^31-1)m */ - /* 2^31 qpart m <= 2^31 x <= 2^31 qpart m + (2^31-1)m + x(m-1) */ - /* 0 <= 2^31 newx <= (2^31-1)m + x(m-1) */ - /* 0 <= newx <= (1-1/2^31)m + x(m-1)/2^31 */ - /* 0 <= newx <= (1-1/2^31)(2^14-1) + (2^32-1)((2^14-1)-1)/2^31 */ - - x -= qpart * m; - *q += qpart; - /* x <= 49146 */ - - qpart = (uint32) ((x * (uint64)v) >> 31); - /* 0 <= newx <= (1-1/2^31)m + x(m-1)/2^31 */ - /* 0 <= newx <= m + 49146(2^14-1)/2^31 */ - /* 0 <= newx <= m + 0.4 */ - /* 0 <= newx <= m */ - - x -= qpart * m; - *q += qpart; - /* x <= m */ - - x -= m; - *q += 1; - mask = (~(x >> 31) + 1); - x += mask & (uint32)m; - *q += mask; - /* x < m */ - - *r = (uint16) x; -} - -static uint16 uint32_mod_uint14(uint32 x, uint16 m) { - uint32 q; - uint16 r; - uint32_divmod_uint14(&q, &r, x, m); - return r; -} - -void PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761x1531(void *v, const unsigned char *s) { - int16 *R0 = v; - uint16 R1[381], R2[191], R3[96], R4[48], R5[24], R6[12], R7[6], R8[3], R9[2], R10[1]; - long long i; - uint16 r0; - uint32 r1, r2; - 
- s += PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761x1531_STRBYTES; - r1 = 0; - r1 = (r1 << 8) | *--s; - r1 = (r1 << 8) | *--s; - r1 = uint32_mod_uint14(r1, 3475); /* needed only for invalid inputs */ - R10[0] = (uint16) r1; - - r2 = R10[0]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 593); - R9[0] = r0; - r1 = uint32_mod_uint14(r1, 1500); /* needed only for invalid inputs */ - R9[1] = (uint16) r1; - - R8[2] = R9[1]; - r2 = R9[0]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 6232); - R8[0] = r0; - r1 = uint32_mod_uint14(r1, 6232); /* needed only for invalid inputs */ - R8[1] = (uint16) r1; - - r2 = R8[2]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 1263); - R7[4] = r0; - r1 = uint32_mod_uint14(r1, 304); /* needed only for invalid inputs */ - R7[5] = (uint16) r1; - for (i = 1; i >= 0; --i) { - r2 = R8[i]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 1263); - R7[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 1263); /* needed only for invalid inputs */ - R7[2 * i + 1] = (uint16) r1; - } - - r2 = R7[5]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 9097); - R6[10] = r0; - r1 = uint32_mod_uint14(r1, 2188); /* needed only for invalid inputs */ - R6[11] = (uint16) r1; - for (i = 4; i >= 0; --i) { - r2 = R7[i]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 9097); - R6[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 9097); /* needed only for invalid inputs */ - R6[2 * i + 1] = (uint16) r1; - } - - r2 = R6[11]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 1526); - R5[22] = r0; - r1 = uint32_mod_uint14(r1, 367); /* needed only for invalid inputs */ - R5[23] = (uint16) r1; - for (i = 10; i >= 0; --i) { - r2 = R6[i]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 1526); - R5[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 1526); /* needed only for invalid inputs */ - R5[2 * i + 1] = (uint16) 
r1; - } - - r2 = R5[23]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 625); - R4[46] = r0; - r1 = uint32_mod_uint14(r1, 150); /* needed only for invalid inputs */ - R4[47] = (uint16) r1; - for (i = 22; i >= 0; --i) { - r2 = R5[i]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 625); - R4[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 625); /* needed only for invalid inputs */ - R4[2 * i + 1] = (uint16) r1; - } - - r2 = R4[47]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 6400); - R3[94] = r0; - r1 = uint32_mod_uint14(r1, 1531); /* needed only for invalid inputs */ - R3[95] = (uint16) r1; - for (i = 46; i >= 0; --i) { - r2 = R4[i]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 6400); - R3[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 6400); /* needed only for invalid inputs */ - R3[2 * i + 1] = (uint16) r1; - } - - R2[190] = R3[95]; - for (i = 94; i >= 0; --i) { - r2 = R3[i]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 1280); - R2[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 1280); /* needed only for invalid inputs */ - R2[2 * i + 1] = (uint16) r1; - } - - R1[380] = R2[190]; - for (i = 189; i >= 0; --i) { - r2 = R2[i]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 9157); - R1[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 9157); /* needed only for invalid inputs */ - R1[2 * i + 1] = (uint16) r1; - } - - R0[760] = (int16) (3 * R1[380] - 2295); - for (i = 379; i >= 0; --i) { - r2 = R1[i]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 1531); - R0[2 * i] = (int16) (3 * r0 - 2295); - r1 = uint32_mod_uint14(r1, 1531); /* needed only for invalid inputs */ - R0[2 * i + 1] = (int16) (3 * r1 - 2295); - } -} diff --git a/crypto_kem/sntrup761/clean/crypto_decode_761x1531.h b/crypto_kem/sntrup761/clean/crypto_decode_761x1531.h deleted file mode 100644 index c55247c9..00000000 
--- a/crypto_kem/sntrup761/clean/crypto_decode_761x1531.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_CLEAN_CRYPTO_DECODE_761X1531_H
-#define PQCLEAN_SNTRUP761_CLEAN_CRYPTO_DECODE_761X1531_H
-
-#include
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761x1531_STRBYTES 1007
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761x1531_ITEMS 761
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761x1531_ITEMBYTES 2
-
-void PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761x1531(void *v, const unsigned char *s);
-#endif
diff --git a/crypto_kem/sntrup761/clean/crypto_decode_761x3.c b/crypto_kem/sntrup761/clean/crypto_decode_761x3.c
deleted file mode 100644
index d5d69508..00000000
--- a/crypto_kem/sntrup761/clean/crypto_decode_761x3.c
+++ /dev/null
@@ -1,24 +0,0 @@
-#include "crypto_decode_761x3.h"
-
-#define uint8 uint8_t
-
-#define p 761
-
-void PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761x3(void *v, const unsigned char *s) {
- uint8 *f = v;
- uint8 x;
- int i;
-
- for (i = 0; i < p / 4; ++i) {
- x = *s++;
- *f++ = (uint8) ((x & 3) - 1);
- x >>= 2;
- *f++ = (uint8) ((x & 3) - 1);
- x >>= 2;
- *f++ = (uint8) ((x & 3) - 1);
- x >>= 2;
- *f++ = (uint8) ((x & 3) - 1);
- }
- x = *s++;
- *f++ = (uint8) ((x & 3) - 1);
-}
diff --git a/crypto_kem/sntrup761/clean/crypto_decode_761x3.h b/crypto_kem/sntrup761/clean/crypto_decode_761x3.h
deleted file mode 100644
index acf9d9cc..00000000
--- a/crypto_kem/sntrup761/clean/crypto_decode_761x3.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_CLEAN_CRYPTO_DECODE_761X3_H
-#define PQCLEAN_SNTRUP761_CLEAN_CRYPTO_DECODE_761X3_H
-
-#include
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761x3_STRBYTES 191
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761x3_ITEMS 761
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761x3_ITEMBYTES 1
-
-void PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761x3(void *v, const unsigned char *s);
-#endif
diff --git a/crypto_kem/sntrup761/clean/crypto_decode_761x4591.c b/crypto_kem/sntrup761/clean/crypto_decode_761x4591.c
deleted file mode 100644
index 8402fcd2..00000000
--- a/crypto_kem/sntrup761/clean/crypto_decode_761x4591.c
+++ /dev/null
@@ -1,211 +0,0 @@ -#include "crypto_decode_761x4591.h" - -/* auto-generated; do not edit */ - -#define int16 int16_t -#define uint16 uint16_t -#define uint32 uint32_t -#define uint64 uint64_t - -/* -CPU division instruction typically takes time depending on x. -This software is designed to take time independent of x. -Time still varies depending on m; user must ensure that m is constant. -Time also varies on CPUs where multiplication is variable-time. -There could be more CPU issues. -There could also be compiler issues. -*/ - -static void uint32_divmod_uint14(uint32 *q, uint16 *r, uint32 x, uint16 m) { - uint32 v = 0x80000000; - uint32 qpart; - uint32 mask; - - v /= m; - - /* caller guarantees m > 0 */ - /* caller guarantees m < 16384 */ - /* vm <= 2^31 <= vm+m-1 */ - /* xvm <= 2^31 x <= xvm+x(m-1) */ - - *q = 0; - - qpart = (uint32) ((x * (uint64)v) >> 31); - /* 2^31 qpart <= xv <= 2^31 qpart + 2^31-1 */ - /* 2^31 qpart m <= xvm <= 2^31 qpart m + (2^31-1)m */ - /* 2^31 qpart m <= 2^31 x <= 2^31 qpart m + (2^31-1)m + x(m-1) */ - /* 0 <= 2^31 newx <= (2^31-1)m + x(m-1) */ - /* 0 <= newx <= (1-1/2^31)m + x(m-1)/2^31 */ - /* 0 <= newx <= (1-1/2^31)(2^14-1) + (2^32-1)((2^14-1)-1)/2^31 */ - - x -= qpart * m; - *q += qpart; - /* x <= 49146 */ - - qpart = (uint32) ((x * (uint64)v) >> 31); - /* 0 <= newx <= (1-1/2^31)m + x(m-1)/2^31 */ - /* 0 <= newx <= m + 49146(2^14-1)/2^31 */ - /* 0 <= newx <= m + 0.4 */ - /* 0 <= newx <= m */ - - x -= qpart * m; - *q += qpart; - /* x <= m */ - - x -= m; - *q += 1; - mask = (~(x >> 31) + 1); - x += mask & (uint32)m; - *q += mask; - /* x < m */ - - *r = (uint16) x; -} - -static uint16 uint32_mod_uint14(uint32 x, uint16 m) { - uint32 q; - uint16 r; - uint32_divmod_uint14(&q, &r, x, m); - return r; -} - -void PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761x4591(void *v, const unsigned char *s) { - int16 *R0 = v; - uint16 R1[381], R2[191], R3[96], R4[48], R5[24], R6[12], R7[6], R8[3], R9[2], R10[1]; - long long i; - uint16 r0; - uint32 r1, r2; - 
- s += PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761x4591_STRBYTES; - r1 = 0; - r1 = (r1 << 8) | *--s; - r1 = (r1 << 8) | *--s; - r1 = uint32_mod_uint14(r1, 1608); /* needed only for invalid inputs */ - R10[0] = (uint16) r1; - - r2 = R10[0]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 9470); - R9[0] = r0; - r1 = uint32_mod_uint14(r1, 11127); /* needed only for invalid inputs */ - R9[1] = (uint16) r1; - - R8[2] = R9[1]; - r2 = R9[0]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 1557); - R8[0] = r0; - r1 = uint32_mod_uint14(r1, 1557); /* needed only for invalid inputs */ - R8[1] = (uint16) r1; - - r2 = R8[2]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 10101); - R7[4] = r0; - r1 = uint32_mod_uint14(r1, 282); /* needed only for invalid inputs */ - R7[5] = (uint16) r1; - for (i = 1; i >= 0; --i) { - r2 = R8[i]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 10101); - R7[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 10101); /* needed only for invalid inputs */ - R7[2 * i + 1] = (uint16) r1; - } - - r2 = R7[5]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 1608); - R6[10] = r0; - r1 = uint32_mod_uint14(r1, 11468); /* needed only for invalid inputs */ - R6[11] = (uint16) r1; - for (i = 4; i >= 0; --i) { - r2 = R7[i]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 1608); - R6[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 1608); /* needed only for invalid inputs */ - R6[2 * i + 1] = (uint16) r1; - } - - r2 = R6[11]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 10265); - R5[22] = r0; - r1 = uint32_mod_uint14(r1, 286); /* needed only for invalid inputs */ - R5[23] = (uint16) r1; - for (i = 10; i >= 0; --i) { - r2 = R6[i]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 10265); - R5[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 10265); /* needed only for invalid 
inputs */ - R5[2 * i + 1] = (uint16) r1; - } - - r2 = R5[23]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 1621); - R4[46] = r0; - r1 = uint32_mod_uint14(r1, 11550); /* needed only for invalid inputs */ - R4[47] = (uint16) r1; - for (i = 22; i >= 0; --i) { - r2 = R5[i]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 1621); - R4[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 1621); /* needed only for invalid inputs */ - R4[2 * i + 1] = (uint16) r1; - } - - r2 = R4[47]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 644); - R3[94] = r0; - r1 = uint32_mod_uint14(r1, 4591); /* needed only for invalid inputs */ - R3[95] = (uint16) r1; - for (i = 46; i >= 0; --i) { - r2 = R4[i]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 644); - R3[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 644); /* needed only for invalid inputs */ - R3[2 * i + 1] = (uint16) r1; - } - - R2[190] = R3[95]; - for (i = 94; i >= 0; --i) { - r2 = R3[i]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 406); - R2[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 406); /* needed only for invalid inputs */ - R2[2 * i + 1] = (uint16) r1; - } - - R1[380] = R2[190]; - for (i = 189; i >= 0; --i) { - r2 = R2[i]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 322); - R1[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 322); /* needed only for invalid inputs */ - R1[2 * i + 1] = (uint16) r1; - } - - R0[760] = (int16) (R1[380] - 2295); - for (i = 379; i >= 0; --i) { - r2 = R1[i]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 4591); - R0[2 * i] = (int16) (r0 - 2295); - r1 = uint32_mod_uint14(r1, 4591); /* needed only for invalid inputs */ - R0[2 * i + 1] = (int16) (r1 - 2295); - } -} diff --git a/crypto_kem/sntrup761/clean/crypto_decode_761x4591.h b/crypto_kem/sntrup761/clean/crypto_decode_761x4591.h deleted file mode 100644 index 49b80ca6..00000000 
--- a/crypto_kem/sntrup761/clean/crypto_decode_761x4591.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_CLEAN_CRYPTO_DECODE_761X4591_H
-#define PQCLEAN_SNTRUP761_CLEAN_CRYPTO_DECODE_761X4591_H
-
-#include
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761x4591_STRBYTES 1158
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761x4591_ITEMS 761
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761x4591_ITEMBYTES 2
-
-void PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761x4591(void *v, const unsigned char *s);
-#endif
diff --git a/crypto_kem/sntrup761/clean/crypto_decode_761xint16.c b/crypto_kem/sntrup761/clean/crypto_decode_761xint16.c
deleted file mode 100644
index 5d60473c..00000000
--- a/crypto_kem/sntrup761/clean/crypto_decode_761xint16.c
+++ /dev/null
@@ -1,15 +0,0 @@
-#include "crypto_decode_761xint16.h"
-
-
-void PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761xint16(void *v, const unsigned char *s) {
- uint16_t *x = v;
- int i;
-
- for (i = 0; i < 761; ++i) {
- uint16_t u0 = s[0];
- uint16_t u1 = s[1];
- *x = (uint16_t) (u0 | (u1 << 8));
- x += 1;
- s += 2;
- }
-}
diff --git a/crypto_kem/sntrup761/clean/crypto_decode_761xint16.h b/crypto_kem/sntrup761/clean/crypto_decode_761xint16.h
deleted file mode 100644
index 867054c9..00000000
--- a/crypto_kem/sntrup761/clean/crypto_decode_761xint16.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_CLEAN_CRYPTO_DECODE_761XINT16_H
-#define PQCLEAN_SNTRUP761_CLEAN_CRYPTO_DECODE_761XINT16_H
-
-#include
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761xint16_STRBYTES 1522
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761xint16_ITEMBYTES 2
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761xint16_ITEMS 761
-
-void PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761xint16(void *v, const unsigned char *s);
-#endif
diff --git a/crypto_kem/sntrup761/clean/crypto_decode_761xint32.c b/crypto_kem/sntrup761/clean/crypto_decode_761xint32.c
deleted file mode 100644
index 71d4dcc4..00000000
--- a/crypto_kem/sntrup761/clean/crypto_decode_761xint32.c
+++ /dev/null
@@ -1,20 +0,0 @@
-#include "crypto_decode_761xint32.h"
-
-
-void PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761xint32(void *v, const unsigned char *s) {
- uint32_t *x = v;
- int i;
-
- for (i = 0; i < 761; ++i) {
- uint32_t u0 = s[0];
- uint32_t u1 = s[1];
- uint32_t u2 = s[2];
- uint32_t u3 = s[3];
- u1 <<= 8;
- u2 <<= 16;
- u3 <<= 24;
- *x = u0 | u1 | u2 | u3;
- x += 1;
- s += 4;
- }
-}
diff --git a/crypto_kem/sntrup761/clean/crypto_decode_761xint32.h b/crypto_kem/sntrup761/clean/crypto_decode_761xint32.h
deleted file mode 100644
index 7771a1e8..00000000
--- a/crypto_kem/sntrup761/clean/crypto_decode_761xint32.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_CLEAN_CRYPTO_DECODE_761XINT32_H
-#define PQCLEAN_SNTRUP761_CLEAN_CRYPTO_DECODE_761XINT32_H
-
-#include
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761xint32_STRBYTES 3044
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761xint32_ITEMBYTES 4
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761xint32_ITEMS 761
-
-void PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761xint32(void *v, const unsigned char *s);
-#endif
diff --git a/crypto_kem/sntrup761/clean/crypto_encode_761x1531.c b/crypto_kem/sntrup761/clean/crypto_encode_761x1531.c
deleted file mode 100644
index 412fa7a4..00000000
--- a/crypto_kem/sntrup761/clean/crypto_encode_761x1531.c
+++ /dev/null
@@ -1,119 +0,0 @@ -#include "crypto_encode_761x1531.h" - -/* auto-generated; do not edit */ - -#define int16 int16_t -#define uint16 uint16_t -#define uint32 uint32_t - -void PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761x1531(unsigned char *out, const void *v) { - const int16 *R0 = v; - /* XXX: caller could overlap R with input */ - uint16 R[381]; - long i; - uint16 r0, r1; - uint32 r2; - - for (i = 0; i < 380; ++i) { - r0 = (uint16) ((((R0[2 * i] + 2295) & 16383) * 10923) >> 15); - r1 = (uint16) ((((R0[2 * i + 1] + 2295) & 16383) * 10923) >> 15); - r2 = r0 + r1 * (uint32)1531; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[380] = (uint16) ((((R0[760] + 2295) & 16383) * 10923) >> 15); - - for (i = 0; i < 190; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)9157; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[190] = R[380]; - - for (i = 0; i < 95; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)1280; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[95] = R[190]; - - for (i = 0; i < 48; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)6400; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - - for (i = 0; i < 24; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)625; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - - for (i = 0; i < 12; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)1526; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - - for (i = 0; i < 6; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)9097; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - - for (i = 0; i < 3; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)1263; - 
*out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - - r0 = R[0]; - r1 = R[1]; - r2 = r0 + r1 * (uint32)6232; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[0] = (uint16) r2; - R[1] = R[2]; - - r0 = R[0]; - r1 = R[1]; - r2 = r0 + r1 * (uint32)593; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[0] = (uint16) r2; - - r0 = R[0]; - *out++ = (unsigned char) r0; - r0 >>= 8; - *out++ = (unsigned char) r0; -} diff --git a/crypto_kem/sntrup761/clean/crypto_encode_761x1531.h b/crypto_kem/sntrup761/clean/crypto_encode_761x1531.h deleted file mode 100644 index cc4f332c..00000000 --- a/crypto_kem/sntrup761/clean/crypto_encode_761x1531.h +++ /dev/null @@ -1,10 +0,0 @@ -#ifndef PQCLEAN_SNTRUP761_CLEAN_CRYPTO_ENCODE_761X1531_H -#define PQCLEAN_SNTRUP761_CLEAN_CRYPTO_ENCODE_761X1531_H - -#include -#define PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761x1531_STRBYTES 1007 -#define PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761x1531_ITEMS 761 -#define PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761x1531_ITEMBYTES 2 - -void PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761x1531(unsigned char *out, const void *v); -#endif diff --git a/crypto_kem/sntrup761/clean/crypto_encode_761x1531round.c b/crypto_kem/sntrup761/clean/crypto_encode_761x1531round.c deleted file mode 100644 index 6906d3e2..00000000 --- a/crypto_kem/sntrup761/clean/crypto_encode_761x1531round.c +++ /dev/null @@ -1,17 +0,0 @@ -#include "crypto_encode_761x1531.h" -#include "crypto_encode_761x1531round.h" - -#define int16 int16_t - -#define p 761 - -void PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761x1531round(unsigned char *out, const void *v) { - const int16 *a = v; - int16 x[p]; - int i; - - for (i = 0; i < p; ++i) { - x[i] = (int16) (3 * ((10923 * a[i] + 16384) >> 15)); - } - PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761x1531(out, x); -} 
diff --git a/crypto_kem/sntrup761/clean/crypto_encode_761x1531round.h b/crypto_kem/sntrup761/clean/crypto_encode_761x1531round.h
deleted file mode 100644
index 64730f1f..00000000
--- a/crypto_kem/sntrup761/clean/crypto_encode_761x1531round.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_CLEAN_CRYPTO_ENCODE_761X1531ROUND_H
-#define PQCLEAN_SNTRUP761_CLEAN_CRYPTO_ENCODE_761X1531ROUND_H
-
-#include
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761x1531round_STRBYTES 1007
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761x1531round_ITEMS 761
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761x1531round_ITEMBYTES 2
-
-void PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761x1531round(unsigned char *out, const void *v);
-#endif
diff --git a/crypto_kem/sntrup761/clean/crypto_encode_761x3.c b/crypto_kem/sntrup761/clean/crypto_encode_761x3.c
deleted file mode 100644
index 54deace0..00000000
--- a/crypto_kem/sntrup761/clean/crypto_encode_761x3.c
+++ /dev/null
@@ -1,21 +0,0 @@
-#include "crypto_encode_761x3.h"
-
-#define uint8 uint8_t
-
-#define p 761
-
-void PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761x3(unsigned char *s, const void *v) {
- const uint8 *f = v;
- uint8 x;
- int i;
-
- for (i = 0; i < p / 4; ++i) {
- x = *f++ + 1;
- x += (*f++ + 1) << 2;
- x += (*f++ + 1) << 4;
- x += (*f++ + 1) << 6;
- *s++ = x;
- }
- x = *f++ + 1;
- *s++ = x;
-}
diff --git a/crypto_kem/sntrup761/clean/crypto_encode_761x3.h b/crypto_kem/sntrup761/clean/crypto_encode_761x3.h
deleted file mode 100644
index e5ab1b17..00000000
--- a/crypto_kem/sntrup761/clean/crypto_encode_761x3.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_CLEAN_CRYPTO_ENCODE_761X3_H
-#define PQCLEAN_SNTRUP761_CLEAN_CRYPTO_ENCODE_761X3_H
-
-#include
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761x3_STRBYTES 191
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761x3_ITEMS 761
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761x3_ITEMBYTES 1
-
-void PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761x3(unsigned char *s, const void *v);
-#endif
diff --git a/crypto_kem/sntrup761/clean/crypto_encode_761x4591.c b/crypto_kem/sntrup761/clean/crypto_encode_761x4591.c
deleted file mode 100644
index c7364539..00000000
--- a/crypto_kem/sntrup761/clean/crypto_encode_761x4591.c
+++ /dev/null
@@ -1,147 +0,0 @@ -#include "crypto_encode_761x4591.h" - -/* auto-generated; do not edit */ - -#define int16 int16_t -#define uint16 uint16_t -#define uint32 uint32_t - -void PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761x4591(unsigned char *out, const void *v) { - const int16 *R0 = v; - /* XXX: caller could overlap R with input */ - uint16 R[381]; - long i; - uint16 r0, r1; - uint32 r2; - - for (i = 0; i < 380; ++i) { - r0 = (uint16) ((R0[2 * i] + 2295) & 16383); - r1 = (uint16) ((R0[2 * i + 1] + 2295) & 16383); - r2 = r0 + r1 * (uint32)4591; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[380] = (uint16) ((R0[760] + 2295) & 16383); - - for (i = 0; i < 190; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)322; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[190] = R[380]; - - for (i = 0; i < 95; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)406; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[95] = R[190]; - - for (i = 0; i < 48; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)644; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - - for (i = 0; i < 23; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)1621; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - r0 = R[46]; - r1 = R[47]; - r2 = r0 + r1 * (uint32)1621; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[23] = (uint16) r2; - - for (i = 0; i < 11; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)10265; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - r0 = R[22]; - r1 = R[23]; - r2 = r0 + r1 * (uint32)10265; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[11] = (uint16) r2; - - for (i = 0; i < 5; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = 
r0 + r1 * (uint32)1608; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - r0 = R[10]; - r1 = R[11]; - r2 = r0 + r1 * (uint32)1608; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[5] = (uint16) r2; - - for (i = 0; i < 2; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)10101; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - r0 = R[4]; - r1 = R[5]; - r2 = r0 + r1 * (uint32)10101; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[2] = (uint16) r2; - - r0 = R[0]; - r1 = R[1]; - r2 = r0 + r1 * (uint32)1557; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[0] = (uint16) r2; - R[1] = R[2]; - - r0 = R[0]; - r1 = R[1]; - r2 = r0 + r1 * (uint32)9470; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[0] = (uint16) r2; - - r0 = R[0]; - *out++ = (unsigned char) r0; - r0 >>= 8; - *out++ = (unsigned char) r0; -} diff --git a/crypto_kem/sntrup761/clean/crypto_encode_761x4591.h b/crypto_kem/sntrup761/clean/crypto_encode_761x4591.h deleted file mode 100644 index b1d5f998..00000000 --- a/crypto_kem/sntrup761/clean/crypto_encode_761x4591.h +++ /dev/null @@ -1,10 +0,0 @@ -#ifndef PQCLEAN_SNTRUP761_CLEAN_CRYPTO_ENCODE_761X4591_H -#define PQCLEAN_SNTRUP761_CLEAN_CRYPTO_ENCODE_761X4591_H - -#include -#define PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761x4591_STRBYTES 1158 -#define PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761x4591_ITEMS 761 -#define PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761x4591_ITEMBYTES 2 - -void PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761x4591(unsigned char *out, const void *v); -#endif diff --git a/crypto_kem/sntrup761/clean/crypto_encode_761xfreeze3.c b/crypto_kem/sntrup761/clean/crypto_encode_761xfreeze3.c deleted file mode 100644 index f196e033..00000000 --- a/crypto_kem/sntrup761/clean/crypto_encode_761xfreeze3.c +++ /dev/null 
@@ -1,25 +0,0 @@
-#include "crypto_encode_761xfreeze3.h"
-
-#define int16 int16_t
-
-#define p 761
-
-/* valid inputs: -16384 <= x < 16384 */
-/* then 3 divides x-F3_freeze(x) */
-/* and F3_freeze(x) is in {-1,0,1} */
-
-/* all inputs: 3 divides x-F3_freeze(x) */
-/* and F3_freeze(x) is in {-2,-1,0,1,2} */
-
-static inline unsigned char F3_freeze(int16 x) {
- return (unsigned char) (x - 3 * ((10923 * x + 16384) >> 15));
-}
-
-void PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761xfreeze3(unsigned char *s, const void *v) {
- const int16 *r = v;
-
- int i;
- for (i = 0; i < p; ++i) {
- s[i] = F3_freeze(r[i]);
- }
-}
diff --git a/crypto_kem/sntrup761/clean/crypto_encode_761xfreeze3.h b/crypto_kem/sntrup761/clean/crypto_encode_761xfreeze3.h
deleted file mode 100644
index 14517f13..00000000
--- a/crypto_kem/sntrup761/clean/crypto_encode_761xfreeze3.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_CLEAN_CRYPTO_ENCODE_761XFREEZE3_H
-#define PQCLEAN_SNTRUP761_CLEAN_CRYPTO_ENCODE_761XFREEZE3_H
-
-#include
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761xfreeze3_STRBYTES 761
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761xfreeze3_ITEMS 761
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761xfreeze3_ITEMBYTES 2
-
-void PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761xfreeze3(unsigned char *s, const void *v);
-#endif
diff --git a/crypto_kem/sntrup761/clean/crypto_encode_761xint16.c b/crypto_kem/sntrup761/clean/crypto_encode_761xint16.c
deleted file mode 100644
index c5dcf16a..00000000
--- a/crypto_kem/sntrup761/clean/crypto_encode_761xint16.c
+++ /dev/null
@@ -1,13 +0,0 @@
-#include "crypto_encode_761xint16.h"
-
-
-void PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761xint16(unsigned char *s, const void *v) {
- const uint16_t *x = v;
- int i;
-
- for (i = 0; i < 761; ++i) {
- uint16_t u = *x++;
- *s++ = (unsigned char) u;
- *s++ = (unsigned char) (u >> 8);
- }
-}
diff --git a/crypto_kem/sntrup761/clean/crypto_encode_761xint16.h b/crypto_kem/sntrup761/clean/crypto_encode_761xint16.h
deleted file mode 100644
index 081fe9cc..00000000
--- a/crypto_kem/sntrup761/clean/crypto_encode_761xint16.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_CLEAN_CRYPTO_ENCODE_761XINT16_H
-#define PQCLEAN_SNTRUP761_CLEAN_CRYPTO_ENCODE_761XINT16_H
-
-#include
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761xint16_STRBYTES 1522
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761xint16_ITEMBYTES 2
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761xint16_ITEMS 761
-
-void PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761xint16(unsigned char *s, const void *v);
-#endif
diff --git a/crypto_kem/sntrup761/clean/crypto_encode_int16.c b/crypto_kem/sntrup761/clean/crypto_encode_int16.c
deleted file mode 100644
index 78b0d682..00000000
--- a/crypto_kem/sntrup761/clean/crypto_encode_int16.c
+++ /dev/null
@@ -1,9 +0,0 @@
-#include "crypto_encode_int16.h"
-
-#define uint16 uint16_t
-
-void PQCLEAN_SNTRUP761_CLEAN_crypto_encode_int16(unsigned char *s, const void *x) {
- uint16 u = *(const uint16 *) x;
- s[0] = (unsigned char) u;
- s[1] = (unsigned char) (u >> 8);
-}
diff --git a/crypto_kem/sntrup761/clean/crypto_encode_int16.h b/crypto_kem/sntrup761/clean/crypto_encode_int16.h
deleted file mode 100644
index 1b96805e..00000000
--- a/crypto_kem/sntrup761/clean/crypto_encode_int16.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_CLEAN_CRYPTO_ENCODE_INT16_H
-#define PQCLEAN_SNTRUP761_CLEAN_CRYPTO_ENCODE_INT16_H
-
-#include
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_encode_int16_STRBYTES 2
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_encode_int16_ITEMBYTES 2
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_encode_int16_ITEMS 1
-
-void PQCLEAN_SNTRUP761_CLEAN_crypto_encode_int16(unsigned char *s, const void *x);
-#endif
diff --git a/crypto_kem/sntrup761/clean/crypto_sort_int32.c b/crypto_kem/sntrup761/clean/crypto_sort_int32.c
deleted file mode 100644
index 014421db..00000000
--- a/crypto_kem/sntrup761/clean/crypto_sort_int32.c
+++ /dev/null
@@ -1,84 +0,0 @@
-#include "crypto_sort_int32.h"
-#include
-
-#define int32 int32_t
-
-#define int32_MINMAX(a,b) \
- do { \
- int32_t ab = (b) ^ (a); \
- int32_t c = (int32_t)((int64_t)(b) - (int64_t)(a)); \
- c ^= ab & (c ^ (b)); \
- c >>= 31; \
- c &= ab; \
- (a) ^= c; \
- (b) ^= c; \
- } while(0)
-
-/* assume 2 <= n <= 0x40000000 */
-void PQCLEAN_SNTRUP761_CLEAN_crypto_sort_int32(int32_t *x, long long n) {
- int32 top, p, q, r, i;
- long long j;
-
- top = 1;
- while (top < n - top) {
- top += top;
- }
-
- for (p = top; p >= 1; p >>= 1) {
- i = 0;
- while (i + 2 * p <= n) {
- for (j = i; j < i + p; ++j) {
- int32_MINMAX(x[j], x[j + p]);
- }
- i += 2 * p;
- }
- for (j = i; j < n - p; ++j) {
- int32_MINMAX(x[j], x[j + p]);
- }
-
- i = 0;
- j = 0;
- for (q = top; q > p; q >>= 1) {
- if (j != i) {
- for (;;) {
- if (j == n - q) {
- goto done;
- }
- int32 a = x[j + p];
- for (r = q; r > p; r >>= 1) {
- int32_MINMAX(a, x[j + r]);
- }
- x[j + p] = a;
- ++j;
- if (j == i + p) {
- i += 2 * p;
- break;
- }
- }
- }
- while (i + p <= n - q) {
- for (j = i; j < i + p; ++j) {
- int32 a = x[j + p];
- for (r = q; r > p; r >>= 1) {
- int32_MINMAX(a, x[j + r]);
- }
- x[j + p] = a;
- }
- i += 2 * p;
- }
- /* now i + p > n - q */
- j = i;
- while (j < n - q) {
- int32 a = x[j + p];
- for (r = q; r > p; r >>= 1) {
- int32_MINMAX(a, x[j + r]);
- }
- x[j + p] = a;
- ++j;
- }
-
-done:
- ;
- }
- }
-}
diff --git a/crypto_kem/sntrup761/clean/crypto_sort_int32.h b/crypto_kem/sntrup761/clean/crypto_sort_int32.h
deleted file mode 100644
index e603a7cc..00000000
--- a/crypto_kem/sntrup761/clean/crypto_sort_int32.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_CLEAN_CRYPTO_SORT_INT32_H
-#define PQCLEAN_SNTRUP761_CLEAN_CRYPTO_SORT_INT32_H
-
-#include
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_sort_int32_BYTES 4
-
-void PQCLEAN_SNTRUP761_CLEAN_crypto_sort_int32(int32_t *x, long long n);
-#endif
diff --git a/crypto_kem/sntrup761/clean/crypto_sort_uint32.c b/crypto_kem/sntrup761/clean/crypto_sort_uint32.c
deleted file mode 100644
index 8ce0184d..00000000
--- a/crypto_kem/sntrup761/clean/crypto_sort_uint32.c
+++ /dev/null
@@ -1,18 +0,0 @@
-#include "crypto_sort_int32.h"
-#include "crypto_sort_uint32.h"
-
-
-/* can save time by vectorizing xor loops */
-/* can save time by integrating xor loops with int32_sort */
-
-void PQCLEAN_SNTRUP761_CLEAN_crypto_sort_uint32(void *array, long long n) {
- uint32_t *x = array;
- long long j;
- for (j = 0; j < n; ++j) {
- x[j] ^= 0x80000000;
- }
- PQCLEAN_SNTRUP761_CLEAN_crypto_sort_int32((int32_t *)array, n);
- for (j = 0; j < n; ++j) {
- x[j] ^= 0x80000000;
- }
-}
diff --git a/crypto_kem/sntrup761/clean/crypto_sort_uint32.h b/crypto_kem/sntrup761/clean/crypto_sort_uint32.h
deleted file mode 100644
index 8d62e22d..00000000
--- a/crypto_kem/sntrup761/clean/crypto_sort_uint32.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_CLEAN_CRYPTO_SORT_UINT32_H
-#define PQCLEAN_SNTRUP761_CLEAN_CRYPTO_SORT_UINT32_H
-
-#include
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_sort_uint32_BYTES 4
-
-void PQCLEAN_SNTRUP761_CLEAN_crypto_sort_uint32(void *array, long long n);
-#endif
diff --git a/crypto_kem/sntrup761/clean/crypto_stream_aes256ctr.c b/crypto_kem/sntrup761/clean/crypto_stream_aes256ctr.c
deleted file mode 100644
index bfa46323..00000000
--- a/crypto_kem/sntrup761/clean/crypto_stream_aes256ctr.c
+++ /dev/null
@@ -1,15 +0,0 @@
-#include "crypto_stream_aes256ctr.h"
-
-
-int PQCLEAN_SNTRUP761_CLEAN_crypto_stream_aes256ctr(
- uint8_t *out,
- size_t outlen,
- const uint8_t nonce[AESCTR_NONCEBYTES],
- const uint8_t key[AES256_KEYBYTES]) {
-
- aes256ctx state;
- aes256_ctr_keyexp(&state, key);
- aes256_ctr(out, outlen, nonce, &state);
- aes256_ctx_release(&state);
- return 0;
-}
diff --git a/crypto_kem/sntrup761/clean/crypto_stream_aes256ctr.h b/crypto_kem/sntrup761/clean/crypto_stream_aes256ctr.h
deleted file mode 100644
index df9dfe9b..00000000
--- a/crypto_kem/sntrup761/clean/crypto_stream_aes256ctr.h
+++ /dev/null
@@ -1,15 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_CLEAN_CRYPTO_STREAM_AES256CTR_H
-#define PQCLEAN_SNTRUP761_CLEAN_CRYPTO_STREAM_AES256CTR_H
-#include "aes.h"
-#include
-#include
-
-
-
-int PQCLEAN_SNTRUP761_CLEAN_crypto_stream_aes256ctr(
- uint8_t *out,
- size_t outlen,
- const uint8_t nonce[AESCTR_NONCEBYTES],
- const uint8_t key[AES256_KEYBYTES]);
-
-#endif
diff --git a/crypto_kem/sntrup761/clean/crypto_verify_1039.c b/crypto_kem/sntrup761/clean/crypto_verify_1039.c
deleted file mode 100644
index 9307fa45..00000000
--- a/crypto_kem/sntrup761/clean/crypto_verify_1039.c
+++ /dev/null
@@ -1,13 +0,0 @@
-#include "crypto_verify_1039.h"
-
-
-int PQCLEAN_SNTRUP761_CLEAN_crypto_verify_1039(const unsigned char *x, const unsigned char *y) {
- unsigned int differentbits = 0;
- int i;
-
- for (i = 0; i < PQCLEAN_SNTRUP761_CLEAN_crypto_verify_1039_BYTES; ++i) {
- differentbits |= x[i] ^ y[i];
- }
-
- return (int) (1 & ((differentbits - 1) >> 8)) - 1;
-}
diff --git a/crypto_kem/sntrup761/clean/crypto_verify_1039.h b/crypto_kem/sntrup761/clean/crypto_verify_1039.h
deleted file mode 100644
index f3ad9ba6..00000000
--- a/crypto_kem/sntrup761/clean/crypto_verify_1039.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef PQCLEAN_SNTRUP761_CLEAN_CRYPTO_VERIFY_1039_H
-#define PQCLEAN_SNTRUP761_CLEAN_CRYPTO_VERIFY_1039_H
-
-#include
-#define PQCLEAN_SNTRUP761_CLEAN_crypto_verify_1039_BYTES 1039
-
-int PQCLEAN_SNTRUP761_CLEAN_crypto_verify_1039(const unsigned char *x, const unsigned char *y);
-#endif
diff --git a/crypto_kem/sntrup761/clean/kem.c b/crypto_kem/sntrup761/clean/kem.c
deleted file mode 100644
index ffc06b23..00000000
--- a/crypto_kem/sntrup761/clean/kem.c
+++ /dev/null
@@ -1,247 +0,0 @@
-#include "api.h"
-#include "crypto_sort_uint32.h"
-#include "params.h"
-#include "randombytes.h"
-#include "sha2.h"
-
-
-
-#define int8 int8_t
-#define int16 int16_t
-#define int32 int32_t
-#define uint16 uint16_t
-#define uint32 uint32_t
-
-/* ----- arithmetic mod 3 */
-
-typedef int8 small;
-/* F3 is always represented as -1,0,1 */
-
-/* ----- arithmetic mod q */
-
-typedef int16 Fq;
-/* always represented as -(q-1)/2...(q-1)/2 */
-
-/* ----- small polynomials */
-
-/* R3_fromR(R_fromRq(r)) */
-static void R3_fromRq(small *out, const Fq *r) {
- crypto_encode_pxfreeze3((unsigned char *) out, (unsigned char *) r);
-}
-
-/* h = f*g in the ring R3 */
-static void R3_mult(small *h, const small *f, const small *g) {
- crypto_core_mult3((unsigned char *) h, (const unsigned char *) f, (const unsigned char *) g);
-}
-
-/* ----- polynomials mod q */
-
-/* h = h*g in the ring Rq */
-static void Rq_mult_small(Fq *h, const small *g) {
- crypto_encode_pxint16((unsigned char *) h, h);
- crypto_core_mult((unsigned char *) h, (const unsigned char *) h, (const unsigned char *) g);
- crypto_decode_pxint16(h, (const unsigned char *) h);
-}
-
-/* h = 3f in Rq */
-static void Rq_mult3(Fq *h, const Fq *f) {
- crypto_encode_pxint16((unsigned char *) h, f);
- crypto_core_scale3((unsigned char *) h, (const unsigned char *) h);
- crypto_decode_pxint16(h, (const unsigned char *) h);
-}
-
-/* out = 1/(3*in) in Rq */
-/* caller must have 2p+1 bytes free in out, not just 2p */
-static void Rq_recip3(Fq *out, const small *in) {
- crypto_core_inv((unsigned char *) out, (const unsigned char *) in);
- /* could check byte 2*p for failure; but, in context, inv always works */
- crypto_decode_pxint16(out, (unsigned char *) out);
-}
-
-/* ----- underlying hash function */
-
-#define Hash_bytes 32
-
-static void Hash(unsigned char *out, const unsigned char *in, int inlen) {
- unsigned char h[64];
- int i;
- sha512(h, in, (size_t) inlen);
- for (i = 0; i < 32; ++i) {
- out[i] = h[i];
- }
-}
-
-/* ----- higher-level randomness */
-
-static void Short_random(small *out) {
- uint32 L[ppadsort];
- int i;
-
- randombytes((unsigned char *) L, 4 * p);
- crypto_decode_pxint32(L, (unsigned char *) L);
- for (i = 0; i < w; ++i) {
- L[i] = L[i] & (uint32) - 2;
- }
- for (i = w; i < p; ++i) {
- L[i] = (L[i] & (uint32) - 3) | 1;
- }
- for (i = p; i < ppadsort; ++i) {
- L[i] = 0xffffffff;
- }
- PQCLEAN_SNTRUP761_CLEAN_crypto_sort_uint32(L, ppadsort);
- for (i = 0; i < p; ++i) {
- out[i] = (small) ((L[i] & 3) - 1);
- }
-}
-
-static void Small_random(small *out) {
- uint32 L[p];
- int i;
-
- randombytes((unsigned char *) L, sizeof L);
- crypto_decode_pxint32(L, (unsigned char *) L);
- for (i = 0; i < p; ++i) {
- out[i] = (small) ((((L[i] & 0x3fffffff) * 3) >> 30) - 1);
- }
-}
-
-/* ----- Streamlined NTRU Prime */
-
-typedef small Inputs[p]; /* passed by reference */
-#define Ciphertexts_bytes Rounded_bytes
-#define SecretKeys_bytes (2*Small_bytes)
-#define PublicKeys_bytes Rq_bytes
-#define Confirm_bytes 32
-
-/* c,r_enc[1:] = Hide(r,pk,cache); cache is Hash4(pk) */
-/* also set r_enc[0]=3 */
-/* also set x[0]=2, and x[1:1+Hash_bytes] = Hash3(r_enc) */
-/* also overwrite x[1+Hash_bytes:1+2*Hash_bytes] */
-static void Hide(unsigned char *x, unsigned char *c, unsigned char *r_enc, const Inputs r, const unsigned char *pk, const unsigned char *cache) {
- Fq h[p];
- int i;
-
- Small_encode(r_enc + 1, r);
- Rq_decode(h, pk);
- Rq_mult_small(h, r);
- Round_and_encode(c, h);
- r_enc[0] = 3;
- Hash(x + 1, r_enc, 1 + Small_bytes);
- for (i = 0; i < Hash_bytes; ++i) {
- x[1 + Hash_bytes + i] = cache[i];
- }
- x[0] = 2;
- Hash(c + Ciphertexts_bytes, x, 1 + Hash_bytes * 2);
-}
-
-
-int PQCLEAN_SNTRUP761_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) {
- small g[p];
- for (;;) {
- Small_random(g);
- {
- small v[p + 1];
- crypto_core_inv3((unsigned char *) v, (const unsigned char *) g);
- if (v[p] == 0) {
- Small_encode(sk + Small_bytes, v);
- break;
- }
- }
- }
- {
- small f[p];
- Short_random(f);
- Small_encode(sk, f);
- {
- Fq h[p + 1];
- Rq_recip3(h, f); /* always works */
- Rq_mult_small(h, g);
- Rq_encode(pk, h);
- }
- }
- {
- int i;
- unsigned char sksave = sk[SecretKeys_bytes - 1];
- for (i = 0; i < PublicKeys_bytes; ++i) {
- sk[SecretKeys_bytes + i] = pk[i];
- }
- sk[SecretKeys_bytes - 1] = 4;
- Hash(sk + SecretKeys_bytes + PublicKeys_bytes + Small_bytes, sk + SecretKeys_bytes - 1, 1 + PublicKeys_bytes);
- sk[SecretKeys_bytes - 1] = sksave;
- randombytes(sk + SecretKeys_bytes + PublicKeys_bytes, Small_bytes);
- }
- return 0;
-}
-
-int PQCLEAN_SNTRUP761_CLEAN_crypto_kem_enc(unsigned char *c, unsigned char *k, const unsigned char *pk) {
- unsigned char cache[Hash_bytes];
- int i;
- {
- unsigned char y[1 + PublicKeys_bytes]; /* XXX: can eliminate with incremental hashing */
- for (i = 0; i < PublicKeys_bytes; ++i) {
- y[1 + i] = pk[i];
- }
- y[0] = 4;
- Hash(cache, y, sizeof y);
- }
- {
- Inputs r;
- Short_random(r);
- {
- unsigned char r_enc[Small_bytes + 1];
- unsigned char x[1 + Hash_bytes + Ciphertexts_bytes + Confirm_bytes];
- Hide(x, c, r_enc, r, pk, cache);
- for (i = 0; i < Ciphertexts_bytes + Confirm_bytes; ++i) {
- x[1 + Hash_bytes + i] = c[i];
- }
- x[0] = 1;
- Hash(k, x, sizeof x);
- }
- }
- return 0;
-}
-
-int PQCLEAN_SNTRUP761_CLEAN_crypto_kem_dec(unsigned char *k, const unsigned char *c, const unsigned char *sk) {
- const unsigned char *pk = sk + SecretKeys_bytes;
- const unsigned char *rho = pk + PublicKeys_bytes;
- const unsigned char *cache = rho + Small_bytes;
- int mask, i;
- Inputs r;
- {
- Fq d[p];
- Rounded_decode(d, c);
- {
- small f[p];
- Small_decode(f, sk);
- Rq_mult_small(d, f);
- Rq_mult3(d, d);
- }
- {
- small e[p];
- small v[p];
- R3_fromRq(e, d);
- Small_decode(v, sk + Small_bytes);
- R3_mult(r, e, v);
- }
- crypto_core_wforce((unsigned char *) r, (unsigned char *) r);
- }
- {
- unsigned char r_enc[1 + Small_bytes];
- unsigned char cnew[Ciphertexts_bytes + Confirm_bytes];
- unsigned char x[1 + Hash_bytes + Ciphertexts_bytes + Confirm_bytes];
- /* XXX: can use incremental hashing to reduce x size */
-
- Hide(x, cnew, r_enc, r, pk, cache);
- mask = crypto_verify_clen(c, cnew);
- for (i = 0; i < Small_bytes; ++i) {
- r_enc[i + 1] ^= (unsigned char) (mask & (r_enc[i + 1] ^ rho[i]));
- }
- Hash(x + 1, r_enc, 1 + Small_bytes); /* XXX: can instead do cmov on cached hash of rho */
- for (i = 0; i < Ciphertexts_bytes + Confirm_bytes; ++i) {
- x[1 + Hash_bytes + i] = c[i];
- }
- x[0] = (unsigned char) (1 + mask);
- Hash(k, x, sizeof x);
- }
- return 0;
-}
diff --git a/crypto_kem/sntrup761/clean/params.h b/crypto_kem/sntrup761/clean/params.h
deleted file mode 100644
index 4e0ac26f..00000000
--- a/crypto_kem/sntrup761/clean/params.h
+++ /dev/null
@@ -1,70 +0,0 @@
-#ifndef params_H
-#define params_H
-#include "crypto_core_inv3sntrup761.h"
-#include "crypto_core_invsntrup761.h"
-#include "crypto_core_mult3sntrup761.h"
-#include "crypto_core_multsntrup761.h"
-#include "crypto_core_scale3sntrup761.h"
-#include "crypto_core_weightsntrup761.h"
-#include "crypto_core_wforcesntrup761.h"
-#include "crypto_decode_761x1531.h"
-#include "crypto_decode_761x3.h"
-#include "crypto_decode_761x4591.h"
-#include "crypto_decode_761xint16.h"
-#include "crypto_decode_761xint32.h"
-#include "crypto_encode_761x1531.h"
-#include "crypto_encode_761x1531round.h"
-#include "crypto_encode_761x3.h"
-#include "crypto_encode_761x4591.h"
-#include "crypto_encode_761xfreeze3.h"
-#include "crypto_encode_761xint16.h"
-#include "crypto_encode_int16.h"
-#include "crypto_sort_int32.h"
-#include "crypto_sort_uint32.h"
-#include "crypto_verify_1039.h"
-
-
-#define q27 29235 /* closest integer to 2^27/q */
-#define q18 57 /* closest integer to 2^18/q */
-#define p 761
-#define q 4591
-#define w 286
-
-#define ppadsort 761
-
-#define crypto_verify_clen PQCLEAN_SNTRUP761_CLEAN_crypto_verify_1039
-
-#define Rq_bytes PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761x4591_STRBYTES
-#define Rq_encode PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761x4591
-#define Rq_decode PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761x4591
-
-#define Rounded_bytes PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761x1531_STRBYTES
-#define Rounded_decode PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761x1531
-
-#define Round_and_encode PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761x1531round
-
-#define Small_bytes PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761x3_STRBYTES
-#define Small_encode PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761x3
-#define Small_decode PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761x3
-
-#define crypto_encode_pxfreeze3 PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761xfreeze3
-
-#define crypto_decode_pxint32 PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761xint32
-
-#define crypto_decode_pxint16 PQCLEAN_SNTRUP761_CLEAN_crypto_decode_761xint16
-
-#define crypto_encode_pxint16 PQCLEAN_SNTRUP761_CLEAN_crypto_encode_761xint16
-
-#define crypto_core_wforce PQCLEAN_SNTRUP761_CLEAN_crypto_core_wforcesntrup761
-
-#define crypto_core_scale3 PQCLEAN_SNTRUP761_CLEAN_crypto_core_scale3sntrup761
-
-#define crypto_core_inv PQCLEAN_SNTRUP761_CLEAN_crypto_core_invsntrup761
-
-#define crypto_core_inv3 PQCLEAN_SNTRUP761_CLEAN_crypto_core_inv3sntrup761
-
-#define crypto_core_mult3 PQCLEAN_SNTRUP761_CLEAN_crypto_core_mult3sntrup761
-
-#define crypto_core_mult PQCLEAN_SNTRUP761_CLEAN_crypto_core_multsntrup761
-
-#endif
diff --git a/crypto_kem/sntrup857/META.yml b/crypto_kem/sntrup857/META.yml
deleted file mode 100644
index ac3b2de4..00000000
--- a/crypto_kem/sntrup857/META.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-name: sntrup857
-type: kem
-claimed-nist-level: 4
-claimed-security: IND-CCA2
-length-public-key: 1322
-length-secret-key: 1999
-length-ciphertext: 1184
-length-shared-secret: 32
-nistkat-sha256: 8e58185a923122f15522eba1626f7f01f5bd5aa4503c1245df88f0e31a22d967
-principal-submitters:
- - Daniel J. Bernstein
- - Chitchanok Chuengsatiansup
- - Tanja Lange
- - Christine van Vredendaal
-implementations:
- - name: clean
- version: supercop-20200826
- - name: avx2
- version: supercop-20200826
- supported_platforms:
- - architecture: x86_64
- operating_systems:
- - Linux
- - Darwin
- required_flags:
- - avx2
diff --git a/crypto_kem/sntrup857/avx2/LICENSE b/crypto_kem/sntrup857/avx2/LICENSE
deleted file mode 100644
index d5d21fff..00000000
--- a/crypto_kem/sntrup857/avx2/LICENSE
+++ /dev/null
@@ -1 +0,0 @@
-Public Domain
diff --git a/crypto_kem/sntrup857/avx2/api.h b/crypto_kem/sntrup857/avx2/api.h
deleted file mode 100644
index e21ba752..00000000
--- a/crypto_kem/sntrup857/avx2/api.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_AVX2_API_H
-#define PQCLEAN_SNTRUP857_AVX2_API_H
-
-
-
-#define PQCLEAN_SNTRUP857_AVX2_CRYPTO_ALGNAME "sntrup857"
-
-#define PQCLEAN_SNTRUP857_AVX2_CRYPTO_SECRETKEYBYTES 1999
-#define PQCLEAN_SNTRUP857_AVX2_CRYPTO_PUBLICKEYBYTES 1322
-#define PQCLEAN_SNTRUP857_AVX2_CRYPTO_CIPHERTEXTBYTES 1184
-#define PQCLEAN_SNTRUP857_AVX2_CRYPTO_BYTES 32
-
-int PQCLEAN_SNTRUP857_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk);
-int PQCLEAN_SNTRUP857_AVX2_crypto_kem_enc(unsigned char *c, unsigned char *k, const unsigned char *pk);
-int PQCLEAN_SNTRUP857_AVX2_crypto_kem_dec(unsigned char *k, const unsigned char *c, const unsigned char *sk);
-#endif
diff --git a/crypto_kem/sntrup857/avx2/crypto_core_inv3sntrup857.c b/crypto_kem/sntrup857/avx2/crypto_core_inv3sntrup857.c
deleted file mode 100644
index f359e6c6..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_core_inv3sntrup857.c
+++ /dev/null
@@ -1,658 +0,0 @@ -#include "crypto_core_inv3sntrup857.h" -#include - - -#define int8 int8_t -typedef int8 small; - -#define p 857 -#define ppad 1024 -#define numvec 4 - -typedef __m256i vec256; - -/* -This code stores 1024-coeff poly as vec256[4]. -Order of 256 coefficients in each vec256 -is optimized in light of costs of vector instructions: - 0,4,...,252 in 64-bit word; - 1,5,...,253 in 64-bit word; - 2,6,...,254 in 64-bit word; - 3,7,...,255 in 64-bit word. -*/ - -static inline void vec256_frombits(vec256 *v, const small *b) { - int i; - - for (i = 0; i < numvec; ++i) { - vec256 b0 = _mm256_loadu_si256((vec256 *) b); - b += 32; /* 0,1,...,31 */ - vec256 b1 = _mm256_loadu_si256((vec256 *) b); - b += 32; /* 32,33,... */ - vec256 b2 = _mm256_loadu_si256((vec256 *) b); - b += 32; - vec256 b3 = _mm256_loadu_si256((vec256 *) b); - b += 32; - vec256 b4 = _mm256_loadu_si256((vec256 *) b); - b += 32; - vec256 b5 = _mm256_loadu_si256((vec256 *) b); - b += 32; - vec256 b6 = _mm256_loadu_si256((vec256 *) b); - b += 32; - vec256 b7 = _mm256_loadu_si256((vec256 *) b); - b += 32; - - vec256 c0 = _mm256_unpacklo_epi32(b0, b1); /* 0 1 2 3 32 33 34 35 4 5 6 7 36 37 38 39 ... 55 */ - vec256 c1 = _mm256_unpackhi_epi32(b0, b1); /* 8 9 10 11 40 41 42 43 ... 
63 */ - vec256 c2 = _mm256_unpacklo_epi32(b2, b3); - vec256 c3 = _mm256_unpackhi_epi32(b2, b3); - vec256 c4 = _mm256_unpacklo_epi32(b4, b5); - vec256 c5 = _mm256_unpackhi_epi32(b4, b5); - vec256 c6 = _mm256_unpacklo_epi32(b6, b7); - vec256 c7 = _mm256_unpackhi_epi32(b6, b7); - - vec256 d0 = c0 | _mm256_slli_epi32(c1, 2); /* 0 8, 1 9, 2 10, 3 11, 32 40, 33 41, ..., 55 63 */ - vec256 d2 = c2 | _mm256_slli_epi32(c3, 2); - vec256 d4 = c4 | _mm256_slli_epi32(c5, 2); - vec256 d6 = c6 | _mm256_slli_epi32(c7, 2); - - vec256 e0 = _mm256_unpacklo_epi64(d0, d2); - vec256 e2 = _mm256_unpackhi_epi64(d0, d2); - vec256 e4 = _mm256_unpacklo_epi64(d4, d6); - vec256 e6 = _mm256_unpackhi_epi64(d4, d6); - - vec256 f0 = e0 | _mm256_slli_epi32(e2, 1); - vec256 f4 = e4 | _mm256_slli_epi32(e6, 1); - - vec256 g0 = _mm256_permute2x128_si256(f0, f4, 0x20); - vec256 g4 = _mm256_permute2x128_si256(f0, f4, 0x31); - - vec256 h = g0 | _mm256_slli_epi32(g4, 4); - -#define TRANSPOSE _mm256_set_epi8( 31,27,23,19, 30,26,22,18, 29,25,21,17, 28,24,20,16, 15,11,7,3, 14,10,6,2, 13,9,5,1, 12,8,4,0 ) - h = _mm256_shuffle_epi8(h, TRANSPOSE); - h = _mm256_permute4x64_epi64(h, 0xd8); - h = _mm256_shuffle_epi32(h, 0xd8); - - *v++ = h; - } -} - -static inline void vec256_tobits(const vec256 *v, small *b) { - int i; - - for (i = 0; i < numvec; ++i) { - vec256 h = *v++; - - h = _mm256_shuffle_epi32(h, 0xd8); - h = _mm256_permute4x64_epi64(h, 0xd8); - h = _mm256_shuffle_epi8(h, TRANSPOSE); - - vec256 g0 = h & _mm256_set1_epi8(15); - vec256 g4 = _mm256_srli_epi32(h, 4) & _mm256_set1_epi8(15); - - vec256 f0 = _mm256_permute2x128_si256(g0, g4, 0x20); - vec256 f4 = _mm256_permute2x128_si256(g0, g4, 0x31); - - vec256 e0 = f0 & _mm256_set1_epi8(5); - vec256 e2 = _mm256_srli_epi32(f0, 1) & _mm256_set1_epi8(5); - vec256 e4 = f4 & _mm256_set1_epi8(5); - vec256 e6 = _mm256_srli_epi32(f4, 1) & _mm256_set1_epi8(5); - - vec256 d0 = _mm256_unpacklo_epi32(e0, e2); - vec256 d2 = _mm256_unpackhi_epi32(e0, e2); - vec256 d4 = 
_mm256_unpacklo_epi32(e4, e6); - vec256 d6 = _mm256_unpackhi_epi32(e4, e6); - - vec256 c0 = d0 & _mm256_set1_epi8(1); - vec256 c1 = _mm256_srli_epi32(d0, 2) & _mm256_set1_epi8(1); - vec256 c2 = d2 & _mm256_set1_epi8(1); - vec256 c3 = _mm256_srli_epi32(d2, 2) & _mm256_set1_epi8(1); - vec256 c4 = d4 & _mm256_set1_epi8(1); - vec256 c5 = _mm256_srli_epi32(d4, 2) & _mm256_set1_epi8(1); - vec256 c6 = d6 & _mm256_set1_epi8(1); - vec256 c7 = _mm256_srli_epi32(d6, 2) & _mm256_set1_epi8(1); - - vec256 b0 = _mm256_unpacklo_epi64(c0, c1); - vec256 b1 = _mm256_unpackhi_epi64(c0, c1); - vec256 b2 = _mm256_unpacklo_epi64(c2, c3); - vec256 b3 = _mm256_unpackhi_epi64(c2, c3); - vec256 b4 = _mm256_unpacklo_epi64(c4, c5); - vec256 b5 = _mm256_unpackhi_epi64(c4, c5); - vec256 b6 = _mm256_unpacklo_epi64(c6, c7); - vec256 b7 = _mm256_unpackhi_epi64(c6, c7); - - _mm256_storeu_si256((vec256 *) b, b0); - b += 32; - _mm256_storeu_si256((vec256 *) b, b1); - b += 32; - _mm256_storeu_si256((vec256 *) b, b2); - b += 32; - _mm256_storeu_si256((vec256 *) b, b3); - b += 32; - _mm256_storeu_si256((vec256 *) b, b4); - b += 32; - _mm256_storeu_si256((vec256 *) b, b5); - b += 32; - _mm256_storeu_si256((vec256 *) b, b6); - b += 32; - _mm256_storeu_si256((vec256 *) b, b7); - b += 32; - } -} - -static void vec256_init(vec256 *G0, vec256 *G1, const small *s) { - int i; - small srev[ppad + (ppad - p)]; - small si; - small g0[ppad]; - small g1[ppad]; - - for (i = 0; i < p; ++i) { - srev[ppad - 1 - i] = s[i]; - } - for (i = 0; i < ppad - p; ++i) { - srev[i] = 0; - } - for (i = p; i < ppad; ++i) { - srev[i + ppad - p] = 0; - } - - for (i = 0; i < ppad; ++i) { - si = srev[i + ppad - p]; - g0[i] = si & 1; - g1[i] = (si >> 1) & g0[i]; - } - - vec256_frombits(G0, g0); - vec256_frombits(G1, g1); -} - -static void vec256_final(small *out, const vec256 *V0, const vec256 *V1) { - int i; - small v0[ppad]; - small v1[ppad]; - small v[ppad]; - small vrev[ppad + (ppad - p)]; - - vec256_tobits(V0, v0); - vec256_tobits(V1, 
v1); - - for (i = 0; i < ppad; ++i) { - v[i] = (small) (v0[i] + 2 * v1[i] - 4 * (v0[i] & v1[i])); - } - - for (i = 0; i < ppad; ++i) { - vrev[i] = v[ppad - 1 - i]; - } - for (i = ppad; i < ppad + (ppad - p); ++i) { - vrev[i] = 0; - } - - for (i = 0; i < p; ++i) { - out[i] = vrev[i + ppad - p]; - } -} - -static inline int negative_mask(int x) { - return x >> 31; -} - -static inline void vec256_swap(vec256 *f, vec256 *g, int len, vec256 mask) { - vec256 flip; - int i; - - for (i = 0; i < len; ++i) { - flip = mask & (f[i] ^ g[i]); - f[i] ^= flip; - g[i] ^= flip; - } -} - -static inline void vec256_scale(vec256 *f0, vec256 *f1, const vec256 c0, const vec256 c1) { - int i; - - for (i = 0; i < numvec; ++i) { - vec256 f0i = f0[i]; - vec256 f1i = f1[i]; - - f0i &= c0; - f1i ^= c1; - f1i &= f0i; - - f0[i] = f0i; - f1[i] = f1i; - } -} - -static inline void vec256_eliminate(vec256 *f0, vec256 *f1, vec256 *g0, vec256 *g1, int len, const vec256 c0, const vec256 c1) { - int i; - - for (i = 0; i < len; ++i) { - vec256 f0i = f0[i]; - vec256 f1i = f1[i]; - vec256 g0i = g0[i]; - vec256 g1i = g1[i]; - vec256 t; - - f0i &= c0; - f1i ^= c1; - f1i &= f0i; - - t = g0i ^ f0i; - g0[i] = t | (g1i ^ f1i); - g1[i] = (g1i ^ f0i) & (f1i ^ t); - } -} - -static inline int vec256_bit0mask(vec256 *f) { - return -(_mm_cvtsi128_si32(_mm256_castsi256_si128(f[0])) & 1); -} - -static inline void vec256_divx_1(vec256 *f) { - vec256 f0 = f[0]; - - unsigned long long low0 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f0)); - - low0 = low0 >> 1; - - f0 = _mm256_blend_epi32(f0, _mm256_set_epi64x(0, 0, 0, (long long) low0), 0x3); - - f[0] = _mm256_permute4x64_epi64(f0, 0x39); -} - -static inline void vec256_divx_2(vec256 *f) { - vec256 f0 = f[0]; - vec256 f1 = f[1]; - - unsigned long long low0 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f0)); - unsigned long long low1 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f1)); - - low0 = (low0 >> 1) | (low1 << 
63); - low1 = low1 >> 1; - - f0 = _mm256_blend_epi32(f0, _mm256_set_epi64x(0, 0, 0, (long long) low0), 0x3); - f1 = _mm256_blend_epi32(f1, _mm256_set_epi64x(0, 0, 0, (long long) low1), 0x3); - - f[0] = _mm256_permute4x64_epi64(f0, 0x39); - f[1] = _mm256_permute4x64_epi64(f1, 0x39); -} - -static inline void vec256_divx_3(vec256 *f) { - vec256 f0 = f[0]; - vec256 f1 = f[1]; - vec256 f2 = f[2]; - - unsigned long long low0 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f0)); - unsigned long long low1 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f1)); - unsigned long long low2 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f2)); - - low0 = (low0 >> 1) | (low1 << 63); - low1 = (low1 >> 1) | (low2 << 63); - low2 = low2 >> 1; - - f0 = _mm256_blend_epi32(f0, _mm256_set_epi64x(0, 0, 0, (long long) low0), 0x3); - f1 = _mm256_blend_epi32(f1, _mm256_set_epi64x(0, 0, 0, (long long) low1), 0x3); - f2 = _mm256_blend_epi32(f2, _mm256_set_epi64x(0, 0, 0, (long long) low2), 0x3); - - f[0] = _mm256_permute4x64_epi64(f0, 0x39); - f[1] = _mm256_permute4x64_epi64(f1, 0x39); - f[2] = _mm256_permute4x64_epi64(f2, 0x39); -} - -static inline void vec256_divx_4(vec256 *f) { - vec256 f0 = f[0]; - vec256 f1 = f[1]; - vec256 f2 = f[2]; - vec256 f3 = f[3]; - - unsigned long long low0 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f0)); - unsigned long long low1 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f1)); - unsigned long long low2 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f2)); - unsigned long long low3 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f3)); - - low0 = (low0 >> 1) | (low1 << 63); - low1 = (low1 >> 1) | (low2 << 63); - low2 = (low2 >> 1) | (low3 << 63); - low3 = low3 >> 1; - - f0 = _mm256_blend_epi32(f0, _mm256_set_epi64x(0, 0, 0, (long long) low0), 0x3); - f1 = _mm256_blend_epi32(f1, _mm256_set_epi64x(0, 0, 0, (long long) low1), 0x3); - f2 = 
_mm256_blend_epi32(f2, _mm256_set_epi64x(0, 0, 0, (long long) low2), 0x3); - f3 = _mm256_blend_epi32(f3, _mm256_set_epi64x(0, 0, 0, (long long) low3), 0x3); - - f[0] = _mm256_permute4x64_epi64(f0, 0x39); - f[1] = _mm256_permute4x64_epi64(f1, 0x39); - f[2] = _mm256_permute4x64_epi64(f2, 0x39); - f[3] = _mm256_permute4x64_epi64(f3, 0x39); -} - -static inline void vec256_timesx_1(vec256 *f) { - vec256 f0 = _mm256_permute4x64_epi64(f[0], 0x93); - - unsigned long long low0 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f0)); - - low0 = low0 << 1; - - f0 = _mm256_blend_epi32(f0, _mm256_set_epi64x(0, 0, 0, (long long) low0), 0x3); - - f[0] = f0; -} - -static inline void vec256_timesx_2(vec256 *f) { - vec256 f0 = _mm256_permute4x64_epi64(f[0], 0x93); - vec256 f1 = _mm256_permute4x64_epi64(f[1], 0x93); - - unsigned long long low0 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f0)); - unsigned long long low1 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f1)); - - low1 = (low1 << 1) | (low0 >> 63); - low0 = low0 << 1; - - f0 = _mm256_blend_epi32(f0, _mm256_set_epi64x(0, 0, 0, (long long) low0), 0x3); - f1 = _mm256_blend_epi32(f1, _mm256_set_epi64x(0, 0, 0, (long long) low1), 0x3); - - f[0] = f0; - f[1] = f1; -} - -static inline void vec256_timesx_3(vec256 *f) { - vec256 f0 = _mm256_permute4x64_epi64(f[0], 0x93); - vec256 f1 = _mm256_permute4x64_epi64(f[1], 0x93); - vec256 f2 = _mm256_permute4x64_epi64(f[2], 0x93); - - unsigned long long low0 = *(unsigned long long *) &f0; - unsigned long long low1 = *(unsigned long long *) &f1; - unsigned long long low2 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f2)); - - low2 = (low2 << 1) | (low1 >> 63); - low1 = (low1 << 1) | (low0 >> 63); - low0 = low0 << 1; - - *(unsigned long long *) &f0 = low0; - *(unsigned long long *) &f1 = low1; - f2 = _mm256_blend_epi32(f2, _mm256_set_epi64x(0, 0, 0, (long long) low2), 0x3); - - f[0] = f0; - f[1] = f1; - f[2] = f2; -} - 
-static inline void vec256_timesx_4(vec256 *f) { - vec256 f0 = _mm256_permute4x64_epi64(f[0], 0x93); - vec256 f1 = _mm256_permute4x64_epi64(f[1], 0x93); - vec256 f2 = _mm256_permute4x64_epi64(f[2], 0x93); - vec256 f3 = _mm256_permute4x64_epi64(f[3], 0x93); - - unsigned long long low0 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f0)); - unsigned long long low1 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f1)); - unsigned long long low2 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f2)); - unsigned long long low3 = (unsigned long long) _mm_cvtsi128_si64(_mm256_castsi256_si128(f3)); - - low3 = (low3 << 1) | (low2 >> 63); - low2 = (low2 << 1) | (low1 >> 63); - low1 = (low1 << 1) | (low0 >> 63); - low0 = low0 << 1; - - f0 = _mm256_blend_epi32(f0, _mm256_set_epi64x(0, 0, 0, (long long) low0), 0x3); - f1 = _mm256_blend_epi32(f1, _mm256_set_epi64x(0, 0, 0, (long long) low1), 0x3); - f2 = _mm256_blend_epi32(f2, _mm256_set_epi64x(0, 0, 0, (long long) low2), 0x3); - f3 = _mm256_blend_epi32(f3, _mm256_set_epi64x(0, 0, 0, (long long) low3), 0x3); - - f[0] = f0; - f[1] = f1; - f[2] = f2; - f[3] = f3; -} - - -int PQCLEAN_SNTRUP857_AVX2_crypto_core_inv3sntrup857(unsigned char *outbytes, const unsigned char *inbytes) { - small *out = (void *) outbytes; - small *in = (void *) inbytes; - vec256 F0[numvec]; - vec256 F1[numvec]; - vec256 G0[numvec]; - vec256 G1[numvec]; - vec256 V0[numvec]; - vec256 V1[numvec]; - vec256 R0[numvec]; - vec256 R1[numvec]; - vec256 c0vec, c1vec; - int loop; - int c0, c1; - int minusdelta = -1; - int swapmask; - vec256 swapvec; - - vec256_init(G0, G1, in); - F0[0] = _mm256_set_epi32(0, 0, 0, 0, 0, 0, 0, 1); - F0[1] = _mm256_set1_epi32(0); - F0[2] = _mm256_set1_epi32(0); - F0[3] = _mm256_set_epi32(0, 0, 0, 0, 0, 4194304, 0, 4194304); - F1[0] = _mm256_set1_epi32(0); - F1[1] = _mm256_set1_epi32(0); - F1[2] = _mm256_set1_epi32(0); - F1[3] = _mm256_set_epi32(0, 0, 0, 0, 0, 4194304, 0, 4194304); - - V0[0] = 
_mm256_set1_epi32(0); - V1[0] = _mm256_set1_epi32(0); - V0[1] = _mm256_set1_epi32(0); - V1[1] = _mm256_set1_epi32(0); - V0[2] = _mm256_set1_epi32(0); - V1[2] = _mm256_set1_epi32(0); - V0[3] = _mm256_set1_epi32(0); - V1[3] = _mm256_set1_epi32(0); - - R0[0] = _mm256_set_epi32(0, 0, 0, 0, 0, 0, 0, 1); - R1[0] = _mm256_set1_epi32(0); - R0[1] = _mm256_set1_epi32(0); - R1[1] = _mm256_set1_epi32(0); - R0[2] = _mm256_set1_epi32(0); - R1[2] = _mm256_set1_epi32(0); - R0[3] = _mm256_set1_epi32(0); - R1[3] = _mm256_set1_epi32(0); - - for (loop = 256; loop > 0; --loop) { - vec256_timesx_1(V0); - vec256_timesx_1(V1); - swapmask = negative_mask(minusdelta) & vec256_bit0mask(G0); - - c0 = vec256_bit0mask(F0) & vec256_bit0mask(G0); - c1 = vec256_bit0mask(F1) ^ vec256_bit0mask(G1); - c1 &= c0; - - minusdelta ^= swapmask & (minusdelta ^ -minusdelta); - minusdelta -= 1; - - swapvec = _mm256_set1_epi32(swapmask); - vec256_swap(F0, G0, 4, swapvec); - vec256_swap(F1, G1, 4, swapvec); - - c0vec = _mm256_set1_epi32(c0); - c1vec = _mm256_set1_epi32(c1); - - vec256_eliminate(F0, F1, G0, G1, 4, c0vec, c1vec); - vec256_divx_4(G0); - vec256_divx_4(G1); - - vec256_swap(V0, R0, 1, swapvec); - vec256_swap(V1, R1, 1, swapvec); - vec256_eliminate(V0, V1, R0, R1, 1, c0vec, c1vec); - } - - for (loop = 256; loop > 0; --loop) { - vec256_timesx_2(V0); - vec256_timesx_2(V1); - swapmask = negative_mask(minusdelta) & vec256_bit0mask(G0); - - c0 = vec256_bit0mask(F0) & vec256_bit0mask(G0); - c1 = vec256_bit0mask(F1) ^ vec256_bit0mask(G1); - c1 &= c0; - - minusdelta ^= swapmask & (minusdelta ^ -minusdelta); - minusdelta -= 1; - - swapvec = _mm256_set1_epi32(swapmask); - vec256_swap(F0, G0, 4, swapvec); - vec256_swap(F1, G1, 4, swapvec); - - c0vec = _mm256_set1_epi32(c0); - c1vec = _mm256_set1_epi32(c1); - - vec256_eliminate(F0, F1, G0, G1, 4, c0vec, c1vec); - vec256_divx_4(G0); - vec256_divx_4(G1); - - vec256_swap(V0, R0, 2, swapvec); - vec256_swap(V1, R1, 2, swapvec); - vec256_eliminate(V0, V1, R0, R1, 2, 
c0vec, c1vec); - } - - for (loop = 256; loop > 0; --loop) { - vec256_timesx_3(V0); - vec256_timesx_3(V1); - swapmask = negative_mask(minusdelta) & vec256_bit0mask(G0); - - c0 = vec256_bit0mask(F0) & vec256_bit0mask(G0); - c1 = vec256_bit0mask(F1) ^ vec256_bit0mask(G1); - c1 &= c0; - - minusdelta ^= swapmask & (minusdelta ^ -minusdelta); - minusdelta -= 1; - - swapvec = _mm256_set1_epi32(swapmask); - vec256_swap(F0, G0, 4, swapvec); - vec256_swap(F1, G1, 4, swapvec); - - c0vec = _mm256_set1_epi32(c0); - c1vec = _mm256_set1_epi32(c1); - - vec256_eliminate(F0, F1, G0, G1, 4, c0vec, c1vec); - vec256_divx_4(G0); - vec256_divx_4(G1); - - vec256_swap(V0, R0, 3, swapvec); - vec256_swap(V1, R1, 3, swapvec); - vec256_eliminate(V0, V1, R0, R1, 3, c0vec, c1vec); - } - - for (loop = 177; loop > 0; --loop) { - vec256_timesx_4(V0); - vec256_timesx_4(V1); - swapmask = negative_mask(minusdelta) & vec256_bit0mask(G0); - - c0 = vec256_bit0mask(F0) & vec256_bit0mask(G0); - c1 = vec256_bit0mask(F1) ^ vec256_bit0mask(G1); - c1 &= c0; - - minusdelta ^= swapmask & (minusdelta ^ -minusdelta); - minusdelta -= 1; - - swapvec = _mm256_set1_epi32(swapmask); - vec256_swap(F0, G0, 4, swapvec); - vec256_swap(F1, G1, 4, swapvec); - - c0vec = _mm256_set1_epi32(c0); - c1vec = _mm256_set1_epi32(c1); - - vec256_eliminate(F0, F1, G0, G1, 4, c0vec, c1vec); - vec256_divx_4(G0); - vec256_divx_4(G1); - - vec256_swap(V0, R0, 4, swapvec); - vec256_swap(V1, R1, 4, swapvec); - vec256_eliminate(V0, V1, R0, R1, 4, c0vec, c1vec); - } - - for (loop = 256; loop > 0; --loop) { - vec256_timesx_4(V0); - vec256_timesx_4(V1); - swapmask = negative_mask(minusdelta) & vec256_bit0mask(G0); - - c0 = vec256_bit0mask(F0) & vec256_bit0mask(G0); - c1 = vec256_bit0mask(F1) ^ vec256_bit0mask(G1); - c1 &= c0; - - minusdelta ^= swapmask & (minusdelta ^ -minusdelta); - minusdelta -= 1; - - swapvec = _mm256_set1_epi32(swapmask); - vec256_swap(F0, G0, 3, swapvec); - vec256_swap(F1, G1, 3, swapvec); - - c0vec = _mm256_set1_epi32(c0); - 
c1vec = _mm256_set1_epi32(c1); - - vec256_eliminate(F0, F1, G0, G1, 3, c0vec, c1vec); - vec256_divx_3(G0); - vec256_divx_3(G1); - - vec256_swap(V0, R0, 4, swapvec); - vec256_swap(V1, R1, 4, swapvec); - vec256_eliminate(V0, V1, R0, R1, 4, c0vec, c1vec); - } - - for (loop = 256; loop > 0; --loop) { - vec256_timesx_4(V0); - vec256_timesx_4(V1); - swapmask = negative_mask(minusdelta) & vec256_bit0mask(G0); - - c0 = vec256_bit0mask(F0) & vec256_bit0mask(G0); - c1 = vec256_bit0mask(F1) ^ vec256_bit0mask(G1); - c1 &= c0; - - minusdelta ^= swapmask & (minusdelta ^ -minusdelta); - minusdelta -= 1; - - swapvec = _mm256_set1_epi32(swapmask); - vec256_swap(F0, G0, 2, swapvec); - vec256_swap(F1, G1, 2, swapvec); - - c0vec = _mm256_set1_epi32(c0); - c1vec = _mm256_set1_epi32(c1); - - vec256_eliminate(F0, F1, G0, G1, 2, c0vec, c1vec); - vec256_divx_2(G0); - vec256_divx_2(G1); - - vec256_swap(V0, R0, 4, swapvec); - vec256_swap(V1, R1, 4, swapvec); - vec256_eliminate(V0, V1, R0, R1, 4, c0vec, c1vec); - } - - for (loop = 256; loop > 0; --loop) { - vec256_timesx_4(V0); - vec256_timesx_4(V1); - swapmask = negative_mask(minusdelta) & vec256_bit0mask(G0); - - c0 = vec256_bit0mask(F0) & vec256_bit0mask(G0); - c1 = vec256_bit0mask(F1) ^ vec256_bit0mask(G1); - c1 &= c0; - - minusdelta ^= swapmask & (minusdelta ^ -minusdelta); - minusdelta -= 1; - - swapvec = _mm256_set1_epi32(swapmask); - vec256_swap(F0, G0, 1, swapvec); - vec256_swap(F1, G1, 1, swapvec); - - c0vec = _mm256_set1_epi32(c0); - c1vec = _mm256_set1_epi32(c1); - - vec256_eliminate(F0, F1, G0, G1, 1, c0vec, c1vec); - vec256_divx_1(G0); - vec256_divx_1(G1); - - vec256_swap(V0, R0, 4, swapvec); - vec256_swap(V1, R1, 4, swapvec); - vec256_eliminate(V0, V1, R0, R1, 4, c0vec, c1vec); - } - - c0vec = _mm256_set1_epi32(vec256_bit0mask(F0)); - c1vec = _mm256_set1_epi32(vec256_bit0mask(F1)); - vec256_scale(V0, V1, c0vec, c1vec); - - vec256_final(out, V0, V1); - out[p] = (small) negative_mask(minusdelta); - return 0; -} 
diff --git a/crypto_kem/sntrup857/avx2/crypto_core_inv3sntrup857.h b/crypto_kem/sntrup857/avx2/crypto_core_inv3sntrup857.h
deleted file mode 100644
index d86a59ee..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_core_inv3sntrup857.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_AVX2_CRYPTO_CORE_INV3SNTRUP857_H
-#define PQCLEAN_SNTRUP857_AVX2_CRYPTO_CORE_INV3SNTRUP857_H
-
-#include
-#define PQCLEAN_SNTRUP857_AVX2_crypto_core_inv3sntrup857_OUTPUTBYTES 858
-#define PQCLEAN_SNTRUP857_AVX2_crypto_core_inv3sntrup857_INPUTBYTES 857
-#define PQCLEAN_SNTRUP857_AVX2_crypto_core_inv3sntrup857_KEYBYTES 0
-#define PQCLEAN_SNTRUP857_AVX2_crypto_core_inv3sntrup857_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP857_AVX2_crypto_core_inv3sntrup857(unsigned char *outbytes, const unsigned char *inbytes);
-#endif
diff --git a/crypto_kem/sntrup857/avx2/crypto_core_invsntrup857.c b/crypto_kem/sntrup857/avx2/crypto_core_invsntrup857.c
deleted file mode 100644
index bc0fd1b4..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_core_invsntrup857.c
+++ /dev/null
@@ -1,202 +0,0 @@
-#include "crypto_core_invsntrup857.h"
-#include "params.h"
-#include 
-
-#define int8 int8_t
-#define int16 int16_t
-#define int32 int32_t
-#define uint16 uint16_t
-#define uint32 uint32_t
-
-
-
-/* ----- masks */
-
-/* return -1 if x!=0; else return 0 */
-static int int16_nonzero_mask(int16 x) {
- uint16 u = (uint16) x; /* 0, else 1...65535 */
- uint32 v = u; /* 0, else 1...65535 */
- v = ~v + 1; /* 0, else 2^32-65535...2^32-1 */
- v >>= 31; /* 0, else 1 */
- return -(int) v; /* 0, else -1 */
-}
-
-/* return -1 if x<0; otherwise return 0 */
-static int int16_negative_mask(int16 x) {
- return x >> 15; /* XXX: theoretically need gcc -fwrapv for this */
-}
-
-/* ----- arithmetic mod q */
-
-typedef int8 small;
-
-typedef int16 Fq;
-/* always represented as -(q-1)/2...(q-1)/2 */
-
-/* works for -14000000 < x < 14000000 if q in 4591, 4621, 5167 */
-static Fq Fq_freeze(int32 x) {
- x -= q * ((q18 * x) >> 18);
- x -= q * ((q27 * x + 67108864) >> 27);
- return (Fq) x;
-}
-
-/* nonnegative e */
-static Fq Fq_pow(Fq a, int e) {
- if (e == 0) {
- return 1;
- }
- if (e == 1) {
- return a;
- }
- if (e & 1) {
- return Fq_freeze(a * (int32)Fq_pow(a, e - 1));
- }
- a = Fq_freeze(a * (int32)a);
- return Fq_pow(a, e >> 1);
-}
-
-static Fq Fq_recip(Fq a) {
- return Fq_pow(a, q - 2);
-}
-
-/* ----- more */
-
-#define qvec _mm256_set1_epi16(q)
-#define qinvvec _mm256_set1_epi16(qinv)
-
-static inline __m256i montproduct(__m256i x, __m256i y, __m256i yqinv) {
- __m256i hi, d, e;
-
- d = _mm256_mullo_epi16(x, yqinv);
- hi = _mm256_mulhi_epi16(x, y);
- e = _mm256_mulhi_epi16(d, qvec);
- return _mm256_sub_epi16(hi, e);
-}
-
-static inline void vectormodq_swapeliminate(Fq *f, Fq *g, int len, const Fq f0, const Fq g0, int mask) {
- __m256i f0vec = _mm256_set1_epi16(f0);
- __m256i g0vec = _mm256_set1_epi16(g0);
- __m256i f0vecqinv = _mm256_mullo_epi16(f0vec, qinvvec);
- __m256i g0vecqinv = _mm256_mullo_epi16(g0vec, qinvvec);
- __m256i maskvec = _mm256_set1_epi32(mask);
-
- while (len > 0) {
- __m256i fi = _mm256_loadu_si256((__m256i *) f);
- __m256i gi = _mm256_loadu_si256((__m256i *) g);
- __m256i finew = _mm256_blendv_epi8(fi, gi, maskvec);
- __m256i ginew = _mm256_blendv_epi8(gi, fi, maskvec);
- ginew = _mm256_sub_epi16(montproduct(ginew, f0vec, f0vecqinv), montproduct(finew, g0vec, g0vecqinv));
- _mm256_storeu_si256((__m256i *) f, finew);
- _mm256_storeu_si256((__m256i *) (g - 1), ginew);
- f += 16;
- g += 16;
- len -= 16;
- }
-}
-
-static inline void vectormodq_xswapeliminate(Fq *f, Fq *g, int len, const Fq f0, const Fq g0, int mask) {
- __m256i f0vec = _mm256_set1_epi16(f0);
- __m256i g0vec = _mm256_set1_epi16(g0);
- __m256i f0vecqinv = _mm256_mullo_epi16(f0vec, qinvvec);
- __m256i g0vecqinv = _mm256_mullo_epi16(g0vec, qinvvec);
- __m256i maskvec = _mm256_set1_epi32(mask);
-
- f += len + (-len & 15);
- g += len + (-len & 15);
- while (len > 0) {
- f -= 16;
- g -= 16;
- len -= 16;
- __m256i fi = _mm256_loadu_si256((__m256i *) f);
- __m256i gi = _mm256_loadu_si256((__m256i *) g);
- __m256i finew = _mm256_blendv_epi8(fi, gi, maskvec);
- __m256i ginew = _mm256_blendv_epi8(gi, fi, maskvec);
- ginew = _mm256_sub_epi16(montproduct(ginew, f0vec, f0vecqinv), montproduct(finew, g0vec, g0vecqinv));
- _mm256_storeu_si256((__m256i *) (f + 1), finew);
- _mm256_storeu_si256((__m256i *) g, ginew);
- }
-}
-
-int PQCLEAN_SNTRUP857_AVX2_crypto_core_invsntrup857(unsigned char *outbytes, const unsigned char *inbytes) {
- small *in = (void *) inbytes;
- int loop;
- Fq out[p], f[ppad], g[ppad], v[ppad], r[ppad];
- Fq f0, g0;
- Fq scale;
- int i;
- int delta = 1;
- int minusdelta;
- int fgflip;
- int swap;
-
- for (i = 0; i < ppad; ++i) {
- f[i] = 0;
- }
- f[0] = 1;
- f[p - 1] = -1;
- f[p] = -1;
- /* generalization: initialize f to reversal of any deg-p polynomial m */
-
- for (i = 0; i < p; ++i) {
- g[i] = in[p - 1 - i];
- }
- for (i = p; i < ppad; ++i) {
- g[i] = 0;
- }
-
- for (i = 0; i < ppad; ++i) {
- r[i] = 0;
- }
- r[0] = Fq_recip(3);
-
- for (i = 0; i < ppad; ++i) {
- v[i] = 0;
- }
-
- for (loop = 0; loop < p; ++loop) {
- g0 = Fq_freeze(g[0]);
- f0 = f[0];
-
- minusdelta = -delta;
- swap = int16_negative_mask((int16) minusdelta) & int16_nonzero_mask(g0);
- delta ^= swap & (delta ^ minusdelta);
- delta += 1;
-
- fgflip = swap & (f0 ^ g0);
- f0 ^= (Fq) fgflip;
- g0 ^= (Fq) fgflip;
-
- f[0] = f0;
-
- vectormodq_swapeliminate(f + 1, g + 1, p, f0, g0, swap);
- vectormodq_xswapeliminate(v, r, loop + 1, f0, g0, swap);
- }
-
- for (loop = p - 1; loop > 0; --loop) {
- g0 = Fq_freeze(g[0]);
- f0 = f[0];
-
- minusdelta = -delta;
- swap = int16_negative_mask((int16) minusdelta) & int16_nonzero_mask(g0);
- delta ^= swap & (delta ^ minusdelta);
- delta += 1;
-
- fgflip = swap & (f0 ^ g0);
- f0 ^= (Fq) fgflip;
- g0 ^= (Fq) fgflip;
-
- f[0] = f0;
-
- vectormodq_swapeliminate(f + 1, g + 1, loop, f0, g0, swap);
- vectormodq_xswapeliminate(v, r, p, f0, g0, swap);
- }
-
- scale = Fq_recip(Fq_freeze(f[0]));
- for (i = 0; i < p; ++i) {
- out[i] = Fq_freeze(scale * (int32)Fq_freeze(v[p - i]));
- }
-
- crypto_encode_pxint16(outbytes, out);
- outbytes[2 * p] = (unsigned char) int16_nonzero_mask((int16) delta);
- return 0;
-}
diff --git a/crypto_kem/sntrup857/avx2/crypto_core_invsntrup857.h b/crypto_kem/sntrup857/avx2/crypto_core_invsntrup857.h
deleted file mode 100644
index 789e1a8b..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_core_invsntrup857.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_AVX2_CRYPTO_CORE_INVSNTRUP857_H
-#define PQCLEAN_SNTRUP857_AVX2_CRYPTO_CORE_INVSNTRUP857_H
-
-#include 
-#define PQCLEAN_SNTRUP857_AVX2_crypto_core_invsntrup857_OUTPUTBYTES 1715
-#define PQCLEAN_SNTRUP857_AVX2_crypto_core_invsntrup857_INPUTBYTES 857
-#define PQCLEAN_SNTRUP857_AVX2_crypto_core_invsntrup857_KEYBYTES 0
-#define PQCLEAN_SNTRUP857_AVX2_crypto_core_invsntrup857_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP857_AVX2_crypto_core_invsntrup857(unsigned char *outbytes, const unsigned char *inbytes);
-#endif
diff --git a/crypto_kem/sntrup857/avx2/crypto_core_mult3sntrup857.c b/crypto_kem/sntrup857/avx2/crypto_core_mult3sntrup857.c
deleted file mode 100644
index ed13df3b..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_core_mult3sntrup857.c
+++ /dev/null
@@ -1,296 +0,0 @@ -#include "crypto_core_mult3sntrup857.h" -#include "crypto_core_multsntrup857_ntt.h" -#include "crypto_decode_857xint16.h" -#include "crypto_encode_857xint16.h" -#include - -typedef int8_t int8; -typedef int16_t int16; - -#define int16x16 __m256i -#define load_x16(p) _mm256_loadu_si256((int16x16 *) (p)) -#define store_x16(p,v) _mm256_storeu_si256((int16x16 *) (p),(v)) -#define const_x16 _mm256_set1_epi16 -#define add_x16 _mm256_add_epi16 -#define sub_x16 _mm256_sub_epi16 -#define mullo_x16 _mm256_mullo_epi16 -#define mulhi_x16 _mm256_mulhi_epi16 -#define mulhrs_x16 _mm256_mulhrs_epi16 -#define signmask_x16(x) _mm256_srai_epi16((x),15) - -typedef union { - int16 v[512]; - int16x16 _dummy; -} vec512; - -typedef union { - int16 v[4][512]; - int16x16 _dummy; -} vec4x512; - -typedef union { - int16 v[1024]; - int16x16 _dummy; -} vec1024; - -typedef union { - int16 v[4 * 512]; - int16x16 _dummy; -} vec2048; - -static int16x16 squeeze_3_x16(int16x16 x) { - return sub_x16(x, mullo_x16(mulhrs_x16(x, const_x16(10923)), const_x16(3))); -} - -static int16x16 squeeze_7681_x16(int16x16 x) { - return sub_x16(x, mullo_x16(mulhrs_x16(x, const_x16(4)), const_x16(7681))); -} - -static int16x16 mulmod_7681_x16(int16x16 x, int16x16 y) { - int16x16 yqinv = mullo_x16(y, const_x16(-7679)); /* XXX: precompute */ - int16x16 b = mulhi_x16(x, y); - int16x16 d = mullo_x16(x, yqinv); - int16x16 e = mulhi_x16(d, const_x16(7681)); - return sub_x16(b, e); -} - -static void stride(int16 fpad[4][512], const int16 f[1024]) { - int16x16 f0, f1, f2, f3, g0, g1, g2, g3; - int i, j; - - for (j = 0; j < 256; j += 16) { - f0 = load_x16(&f[0]); - f1 = load_x16(&f[16]); - f2 = load_x16(&f[32]); - f3 = load_x16(&f[48]); - f += 64; - - g0 = _mm256_permute2x128_si256(f0, f2, 0x20); - g1 = _mm256_permute2x128_si256(f0, f2, 0x31); - g2 = _mm256_permute2x128_si256(f1, f3, 0x20); - g3 = _mm256_permute2x128_si256(f1, f3, 0x31); - f0 = _mm256_unpacklo_epi16(g0, g1); - f1 = _mm256_unpackhi_epi16(g0, 
g1); - f2 = _mm256_unpacklo_epi16(g2, g3); - f3 = _mm256_unpackhi_epi16(g2, g3); - g0 = _mm256_unpacklo_epi16(f0, f1); - g1 = _mm256_unpackhi_epi16(f0, f1); - g2 = _mm256_unpacklo_epi16(f2, f3); - g3 = _mm256_unpackhi_epi16(f2, f3); - f0 = _mm256_unpacklo_epi64(g0, g2); - f1 = _mm256_unpackhi_epi64(g0, g2); - f2 = _mm256_unpacklo_epi64(g1, g3); - f3 = _mm256_unpackhi_epi64(g1, g3); - - store_x16(&fpad[0][j], f0); - store_x16(&fpad[1][j], f1); - store_x16(&fpad[2][j], f2); - store_x16(&fpad[3][j], f3); - } - - for (i = 0; i < 4; ++i) { - for (j = 256; j < 512; ++j) { - fpad[i][j] = 0; - } - } -} - -static void unstride(int16 f[2048], const int16 fpad[4][512]) { - int16x16 f0, f1, f2, f3, g0, g1, g2, g3, h0, h1, h2, h3; - int j; - - for (j = 0; j < 512; j += 16) { - f0 = load_x16(&fpad[0][j]); - f1 = load_x16(&fpad[1][j]); - f2 = load_x16(&fpad[2][j]); - f3 = load_x16(&fpad[3][j]); - - g2 = _mm256_unpacklo_epi16(f2, f3); - g3 = _mm256_unpackhi_epi16(f2, f3); - g0 = _mm256_unpacklo_epi16(f0, f1); - h0 = _mm256_unpacklo_epi32(g0, g2); - h1 = _mm256_unpackhi_epi32(g0, g2); - g1 = _mm256_unpackhi_epi16(f0, f1); - h2 = _mm256_unpacklo_epi32(g1, g3); - h3 = _mm256_unpackhi_epi32(g1, g3); - f1 = _mm256_permute2x128_si256(h2, h3, 0x20); - f3 = _mm256_permute2x128_si256(h2, h3, 0x31); - f0 = _mm256_permute2x128_si256(h0, h1, 0x20); - f2 = _mm256_permute2x128_si256(h0, h1, 0x31); - - store_x16(&f[0], f0); - store_x16(&f[16], f1); - store_x16(&f[32], f2); - store_x16(&f[48], f3); - f += 64; - } -} - -static const vec512 y_7681 = { .v = { - -3593, -617, -2804, 3266, -2194, -1296, -1321, 810, 1414, 3706, -549, -396, -121, -2088, -2555, 1305, - -3777, 1921, 103, 3600, -2456, 1483, 1399, -1887, -1701, 2006, 1535, -3174, -2250, 2816, -2440, -1760, - -3625, 2830, 2043, -3689, 1100, 1525, -514, 7, 2876, -1599, 3153, -1881, -2495, -2237, -2535, 438, - 3182, 3364, -1431, 1738, 3696, -2557, -2956, 638, -2319, -1993, -2310, -3555, 834, -1986, 3772, -679, - 3593, 617, 2804, -3266, 2194, 
1296, 1321, -810, -1414, -3706, 549, 396, 121, 2088, 2555, -1305, - 3777, -1921, -103, -3600, 2456, -1483, -1399, 1887, 1701, -2006, -1535, 3174, 2250, -2816, 2440, 1760, - 3625, -2830, -2043, 3689, -1100, -1525, 514, -7, -2876, 1599, -3153, 1881, 2495, 2237, 2535, -438, - -3182, -3364, 1431, -1738, -3696, 2557, 2956, -638, 2319, 1993, 2310, 3555, -834, 1986, -3772, 679, - 2665, 727, -2572, 2426, -2133, -1386, 1681, -1054, 2579, 3750, 373, 3417, 404, -2233, 3135, -3405, - -1799, 1521, 1497, -3831, -3480, -3428, 2883, -1698, -859, -2762, 2175, -194, -486, -3816, -1756, 2385, - -783, 1533, 3145, 2, 3310, -2743, 2224, -1166, 2649, -1390, 3692, 2789, 1919, 2835, -2391, -2732, - 1056, 1464, 1350, -915, -1168, -921, -3588, 3456, -2160, -1598, 730, 2919, 1532, -2764, -660, -2113, - -2665, -727, 2572, -2426, 2133, 1386, -1681, 1054, -2579, -3750, -373, -3417, -404, 2233, -3135, 3405, - 1799, -1521, -1497, 3831, 3480, 3428, -2883, 1698, 859, 2762, -2175, 194, 486, 3816, 1756, -2385, - 783, -1533, -3145, -2, -3310, 2743, -2224, 1166, -2649, 1390, -3692, -2789, -1919, -2835, 2391, 2732, - -1056, -1464, -1350, 915, 1168, 921, 3588, -3456, 2160, 1598, -730, -2919, -1532, 2764, 660, 2113, - 2005, -188, 2345, -3723, -1403, 2070, 83, -3214, -3752, -1012, 1837, -3208, 3287, 3335, -293, 796, - 592, 1519, -1338, 1931, 509, -2262, -3408, 3334, 3677, 2130, 642, 589, -2167, -1084, -370, -3163, - 3763, -893, -2303, -402, 2937, -1689, -1526, -3745, -2460, 2874, 2965, 124, -1669, -1441, -3312, 3781, - 2812, -2386, -2515, -429, -3343, 777, -826, -3366, -3657, -1404, -791, -2963, -692, 2532, 2083, 2258, - -2005, 188, -2345, 3723, 1403, -2070, -83, 3214, 3752, 1012, -1837, 3208, -3287, -3335, 293, -796, - -592, -1519, 1338, -1931, -509, 2262, 3408, -3334, -3677, -2130, -642, -589, 2167, 1084, 370, 3163, - -3763, 893, 2303, 402, -2937, 1689, 1526, 3745, 2460, -2874, -2965, -124, 1669, 1441, 3312, -3781, - -2812, 2386, 2515, 429, 3343, -777, 826, 3366, 3657, 1404, 791, 2963, 692, -2532, -2083, 
-2258, - 179, 1121, 2891, -3581, 3177, -658, -3314, -1509, -17, 151, 2815, 2786, 1278, -2767, -1072, -1151, - -1242, -2071, 2340, -1586, 2072, 1476, 2998, 2918, -3744, -3794, -1295, 451, -929, 2378, -1144, 434, - -1070, -436, -3550, -3568, 1649, 715, 3461, -1407, -2001, -1203, 3770, 1712, 2230, -3542, 2589, -3547, - -2059, -236, 3434, -3693, 2161, -670, 2719, 2339, -2422, 1181, 3450, 222, 1348, -226, 2247, -1779, - -179, -1121, -2891, 3581, -3177, 658, 3314, 1509, 17, -151, -2815, -2786, -1278, 2767, 1072, 1151, - 1242, 2071, -2340, 1586, -2072, -1476, -2998, -2918, 3744, 3794, 1295, -451, 929, -2378, 1144, -434, - 1070, 436, 3550, 3568, -1649, -715, -3461, 1407, 2001, 1203, -3770, -1712, -2230, 3542, -2589, 3547, - 2059, 236, -3434, 3693, -2161, 670, -2719, -2339, 2422, -1181, -3450, -222, -1348, 226, -2247, 1779, - } -} ; - -static void mult1024(int16 h[2048], const int16 f[1024], const int16 g[1024]) { - vec4x512 x1, x2; - vec2048 x3; -#define fpad (x1.v) -#define gpad (x2.v) -#define hpad fpad -#define h_7681 (x3.v) - int i; - - stride(fpad, f); - PQCLEAN_SNTRUP857_AVX2_ntt512_7681(fpad[0], 4); - - stride(gpad, g); - PQCLEAN_SNTRUP857_AVX2_ntt512_7681(gpad[0], 4); - - /* XXX: try arbitrary-degree Karatsuba */ - - for (i = 0; i < 512; i += 16) { - int16x16 f0 = squeeze_7681_x16(load_x16(&fpad[0][i])); - int16x16 f1 = squeeze_7681_x16(load_x16(&fpad[1][i])); - int16x16 f2 = squeeze_7681_x16(load_x16(&fpad[2][i])); - int16x16 f3 = squeeze_7681_x16(load_x16(&fpad[3][i])); - int16x16 g0 = squeeze_7681_x16(load_x16(&gpad[0][i])); - int16x16 g1 = squeeze_7681_x16(load_x16(&gpad[1][i])); - int16x16 g2 = squeeze_7681_x16(load_x16(&gpad[2][i])); - int16x16 g3 = squeeze_7681_x16(load_x16(&gpad[3][i])); - int16x16 d0 = mulmod_7681_x16(f0, g0); - int16x16 d1 = mulmod_7681_x16(f1, g1); - int16x16 d2 = mulmod_7681_x16(f2, g2); - int16x16 d3 = mulmod_7681_x16(f3, g3); - int16x16 d0d1 = add_x16(d0, d1); - int16x16 d0d1d2 = add_x16(d0d1, d2); - int16x16 d0d1d2d3 = 
squeeze_7681_x16(add_x16(d0d1d2, d3)); - int16x16 d2d3 = add_x16(d2, d3); - int16x16 d1d2d3 = add_x16(d1, d2d3); - int16x16 e01 = mulmod_7681_x16(sub_x16(f0, f1), sub_x16(g0, g1)); - int16x16 e02 = mulmod_7681_x16(sub_x16(f0, f2), sub_x16(g0, g2)); - int16x16 e03 = mulmod_7681_x16(sub_x16(f0, f3), sub_x16(g0, g3)); - int16x16 e12 = mulmod_7681_x16(sub_x16(f1, f2), sub_x16(g1, g2)); - int16x16 e13 = mulmod_7681_x16(sub_x16(f1, f3), sub_x16(g1, g3)); - int16x16 e23 = mulmod_7681_x16(sub_x16(f2, f3), sub_x16(g2, g3)); - int16x16 h0 = d0; - int16x16 h1 = sub_x16(d0d1, e01); - int16x16 h2 = sub_x16(d0d1d2, e02); - int16x16 h3 = sub_x16(d0d1d2d3, add_x16(e12, e03)); - int16x16 h4 = sub_x16(d1d2d3, e13); - int16x16 h5 = sub_x16(d2d3, e23); - int16x16 h6 = d3; - int16x16 twist = load_x16(&y_7681.v[i]); - h4 = mulmod_7681_x16(h4, twist); - h5 = mulmod_7681_x16(h5, twist); - h6 = mulmod_7681_x16(h6, twist); - h0 = add_x16(h0, h4); - h1 = add_x16(h1, h5); - h2 = add_x16(h2, h6); - store_x16(&hpad[0][i], squeeze_7681_x16(h0)); - store_x16(&hpad[1][i], squeeze_7681_x16(h1)); - store_x16(&hpad[2][i], squeeze_7681_x16(h2)); - store_x16(&hpad[3][i], squeeze_7681_x16(h3)); - } - - PQCLEAN_SNTRUP857_AVX2_invntt512_7681(hpad[0], 4); - unstride(h_7681, (const int16(*)[512]) hpad); - - for (i = 0; i < 2048; i += 16) { - int16x16 u = load_x16(&h_7681[i]); - u = mulmod_7681_x16(u, const_x16(956)); - store_x16(&h[i], u); - } -} - -#define crypto_decode_pxint16 PQCLEAN_SNTRUP857_AVX2_crypto_decode_857xint16 -#define crypto_encode_pxint16 PQCLEAN_SNTRUP857_AVX2_crypto_encode_857xint16 - -#define p 857 - -static inline int16x16 freeze_3_x16(int16x16 x) { - int16x16 mask, x3; - x = add_x16(x, const_x16(3)&signmask_x16(x)); - mask = signmask_x16(sub_x16(x, const_x16(2))); - x3 = sub_x16(x, const_x16(3)); - x = _mm256_blendv_epi8(x3, x, mask); - return x; -} - -int PQCLEAN_SNTRUP857_AVX2_crypto_core_mult3sntrup857(unsigned char *outbytes, const unsigned char *inbytes, const unsigned char 
*kbytes) {
- vec1024 x1, x2;
- vec2048 x3;
-#define f (x1.v)
-#define g (x2.v)
-#define fg (x3.v)
-#define h f
- int i;
- int16x16 x;
-
- x = const_x16(0);
- for (i = p & ~15; i < 1024; i += 16) {
- store_x16(&f[i], x);
- }
- for (i = p & ~15; i < 1024; i += 16) {
- store_x16(&g[i], x);
- }
-
- for (i = 0; i < p; ++i) {
- int8 fi = (int8) inbytes[i];
- int8 fi0 = fi & 1;
- f[i] = (int16) (fi0 - (fi & (fi0 << 1)));
- }
- for (i = 0; i < p; ++i) {
- int8 gi = (int8) kbytes[i];
- int8 gi0 = gi & 1;
- g[i] = (int16) (gi0 - (gi & (gi0 << 1)));
- }
-
- mult1024(fg, f, g);
-
- fg[0] = (int16) (fg[0] - fg[p - 1]);
- for (i = 0; i < 1024; i += 16) {
- int16x16 fgi = load_x16(&fg[i]);
- int16x16 fgip = load_x16(&fg[i + p]);
- int16x16 fgip1 = load_x16(&fg[i + p - 1]);
- x = add_x16(fgi, add_x16(fgip, fgip1));
- x = freeze_3_x16(squeeze_3_x16(x));
- store_x16(&h[i], x);
- }
-
- for (i = 0; i < p; ++i) {
- outbytes[i] = (unsigned char) h[i];
- }
-
- return 0;
-}
diff --git a/crypto_kem/sntrup857/avx2/crypto_core_mult3sntrup857.h b/crypto_kem/sntrup857/avx2/crypto_core_mult3sntrup857.h
deleted file mode 100644
index fc189828..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_core_mult3sntrup857.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_AVX2_CRYPTO_CORE_MULT3SNTRUP857_H
-#define PQCLEAN_SNTRUP857_AVX2_CRYPTO_CORE_MULT3SNTRUP857_H
-
-#include 
-#define PQCLEAN_SNTRUP857_AVX2_crypto_core_mult3sntrup857_OUTPUTBYTES 857
-#define PQCLEAN_SNTRUP857_AVX2_crypto_core_mult3sntrup857_INPUTBYTES 857
-#define PQCLEAN_SNTRUP857_AVX2_crypto_core_mult3sntrup857_KEYBYTES 857
-#define PQCLEAN_SNTRUP857_AVX2_crypto_core_mult3sntrup857_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP857_AVX2_crypto_core_mult3sntrup857(unsigned char *outbytes, const unsigned char *inbytes, const unsigned char *kbytes);
-#endif
diff --git a/crypto_kem/sntrup857/avx2/crypto_core_multsntrup857.c b/crypto_kem/sntrup857/avx2/crypto_core_multsntrup857.c
deleted file mode 100644
index dbaabc56..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_core_multsntrup857.c
+++ /dev/null
@@ -1,421 +0,0 @@ -#include "crypto_core_multsntrup857.h" -#include "crypto_core_multsntrup857_ntt.h" -#include "crypto_decode_857xint16.h" -#include "crypto_encode_857xint16.h" -#include - -typedef int8_t int8; -typedef int16_t int16; - -#define int16x16 __m256i -#define load_x16(p) _mm256_loadu_si256((int16x16 *) (p)) -#define store_x16(p,v) _mm256_storeu_si256((int16x16 *) (p),(v)) -#define const_x16 _mm256_set1_epi16 -#define add_x16 _mm256_add_epi16 -#define sub_x16 _mm256_sub_epi16 -#define mullo_x16 _mm256_mullo_epi16 -#define mulhi_x16 _mm256_mulhi_epi16 -#define mulhrs_x16 _mm256_mulhrs_epi16 -#define signmask_x16(x) _mm256_srai_epi16((x),15) - -typedef union { - int16 v[512]; - int16x16 _dummy; -} vec512; - -typedef union { - int16 v[4][512]; - int16x16 _dummy; -} vec4x512; - -typedef union { - int16 v[1024]; - int16x16 _dummy; -} vec1024; - -typedef union { - int16 v[4 * 512]; - int16x16 _dummy; -} vec2048; - -static inline int16x16 squeeze_5167_x16(int16x16 x) { - return sub_x16(x, mullo_x16(mulhrs_x16(x, const_x16(6)), const_x16(5167))); -} - -static inline int16x16 squeeze_7681_x16(int16x16 x) { - return sub_x16(x, mullo_x16(mulhrs_x16(x, const_x16(4)), const_x16(7681))); -} - -static inline int16x16 squeeze_10753_x16(int16x16 x) { - return sub_x16(x, mullo_x16(mulhrs_x16(x, const_x16(3)), const_x16(10753))); -} - -static inline int16x16 mulmod_5167_x16(int16x16 x, int16x16 y) { - int16x16 yqinv = mullo_x16(y, const_x16(-19761)); /* XXX: precompute */ - int16x16 b = mulhi_x16(x, y); - int16x16 d = mullo_x16(x, yqinv); - int16x16 e = mulhi_x16(d, const_x16(5167)); - return sub_x16(b, e); -} - -static inline int16x16 mulmod_7681_x16(int16x16 x, int16x16 y) { - int16x16 yqinv = mullo_x16(y, const_x16(-7679)); /* XXX: precompute */ - int16x16 b = mulhi_x16(x, y); - int16x16 d = mullo_x16(x, yqinv); - int16x16 e = mulhi_x16(d, const_x16(7681)); - return sub_x16(b, e); -} - -static inline int16x16 mulmod_10753_x16(int16x16 x, int16x16 y) { - int16x16 yqinv 
= mullo_x16(y, const_x16(-10751)); /* XXX: precompute */ - int16x16 b = mulhi_x16(x, y); - int16x16 d = mullo_x16(x, yqinv); - int16x16 e = mulhi_x16(d, const_x16(10753)); - return sub_x16(b, e); -} - -static void stride(int16 fpad[4][512], const int16 f[1024]) { - int16x16 f0, f1, f2, f3, g0, g1, g2, g3; - int i, j; - - for (j = 0; j < 256; j += 16) { - f0 = load_x16(&f[0]); - f1 = load_x16(&f[16]); - f2 = load_x16(&f[32]); - f3 = load_x16(&f[48]); - f += 64; - - g0 = _mm256_permute2x128_si256(f0, f2, 0x20); - g1 = _mm256_permute2x128_si256(f0, f2, 0x31); - g2 = _mm256_permute2x128_si256(f1, f3, 0x20); - g3 = _mm256_permute2x128_si256(f1, f3, 0x31); - f0 = _mm256_unpacklo_epi16(g0, g1); - f1 = _mm256_unpackhi_epi16(g0, g1); - f2 = _mm256_unpacklo_epi16(g2, g3); - f3 = _mm256_unpackhi_epi16(g2, g3); - g0 = _mm256_unpacklo_epi16(f0, f1); - g1 = _mm256_unpackhi_epi16(f0, f1); - g2 = _mm256_unpacklo_epi16(f2, f3); - g3 = _mm256_unpackhi_epi16(f2, f3); - f0 = _mm256_unpacklo_epi64(g0, g2); - f1 = _mm256_unpackhi_epi64(g0, g2); - f2 = _mm256_unpacklo_epi64(g1, g3); - f3 = _mm256_unpackhi_epi64(g1, g3); - - store_x16(&fpad[0][j], f0); - store_x16(&fpad[1][j], f1); - store_x16(&fpad[2][j], f2); - store_x16(&fpad[3][j], f3); - } - - for (i = 0; i < 4; ++i) { - for (j = 256; j < 512; ++j) { - fpad[i][j] = 0; - } - } -} - -static void unstride(int16 f[2048], const int16 fpad[4][512]) { - int16x16 f0, f1, f2, f3, g0, g1, g2, g3, h0, h1, h2, h3; - int j; - - for (j = 0; j < 512; j += 16) { - f0 = load_x16(&fpad[0][j]); - f1 = load_x16(&fpad[1][j]); - f2 = load_x16(&fpad[2][j]); - f3 = load_x16(&fpad[3][j]); - - g2 = _mm256_unpacklo_epi16(f2, f3); - g3 = _mm256_unpackhi_epi16(f2, f3); - g0 = _mm256_unpacklo_epi16(f0, f1); - h0 = _mm256_unpacklo_epi32(g0, g2); - h1 = _mm256_unpackhi_epi32(g0, g2); - g1 = _mm256_unpackhi_epi16(f0, f1); - h2 = _mm256_unpacklo_epi32(g1, g3); - h3 = _mm256_unpackhi_epi32(g1, g3); - f1 = _mm256_permute2x128_si256(h2, h3, 0x20); - f3 = 
_mm256_permute2x128_si256(h2, h3, 0x31); - f0 = _mm256_permute2x128_si256(h0, h1, 0x20); - f2 = _mm256_permute2x128_si256(h0, h1, 0x31); - - store_x16(&f[0], f0); - store_x16(&f[16], f1); - store_x16(&f[32], f2); - store_x16(&f[48], f3); - f += 64; - } -} - -static const vec512 y_7681 = { .v = { - -3593, -617, -2804, 3266, -2194, -1296, -1321, 810, 1414, 3706, -549, -396, -121, -2088, -2555, 1305, - -3777, 1921, 103, 3600, -2456, 1483, 1399, -1887, -1701, 2006, 1535, -3174, -2250, 2816, -2440, -1760, - -3625, 2830, 2043, -3689, 1100, 1525, -514, 7, 2876, -1599, 3153, -1881, -2495, -2237, -2535, 438, - 3182, 3364, -1431, 1738, 3696, -2557, -2956, 638, -2319, -1993, -2310, -3555, 834, -1986, 3772, -679, - 3593, 617, 2804, -3266, 2194, 1296, 1321, -810, -1414, -3706, 549, 396, 121, 2088, 2555, -1305, - 3777, -1921, -103, -3600, 2456, -1483, -1399, 1887, 1701, -2006, -1535, 3174, 2250, -2816, 2440, 1760, - 3625, -2830, -2043, 3689, -1100, -1525, 514, -7, -2876, 1599, -3153, 1881, 2495, 2237, 2535, -438, - -3182, -3364, 1431, -1738, -3696, 2557, 2956, -638, 2319, 1993, 2310, 3555, -834, 1986, -3772, 679, - 2665, 727, -2572, 2426, -2133, -1386, 1681, -1054, 2579, 3750, 373, 3417, 404, -2233, 3135, -3405, - -1799, 1521, 1497, -3831, -3480, -3428, 2883, -1698, -859, -2762, 2175, -194, -486, -3816, -1756, 2385, - -783, 1533, 3145, 2, 3310, -2743, 2224, -1166, 2649, -1390, 3692, 2789, 1919, 2835, -2391, -2732, - 1056, 1464, 1350, -915, -1168, -921, -3588, 3456, -2160, -1598, 730, 2919, 1532, -2764, -660, -2113, - -2665, -727, 2572, -2426, 2133, 1386, -1681, 1054, -2579, -3750, -373, -3417, -404, 2233, -3135, 3405, - 1799, -1521, -1497, 3831, 3480, 3428, -2883, 1698, 859, 2762, -2175, 194, 486, 3816, 1756, -2385, - 783, -1533, -3145, -2, -3310, 2743, -2224, 1166, -2649, 1390, -3692, -2789, -1919, -2835, 2391, 2732, - -1056, -1464, -1350, 915, 1168, 921, 3588, -3456, 2160, 1598, -730, -2919, -1532, 2764, 660, 2113, - 2005, -188, 2345, -3723, -1403, 2070, 83, -3214, -3752, 
-1012, 1837, -3208, 3287, 3335, -293, 796, - 592, 1519, -1338, 1931, 509, -2262, -3408, 3334, 3677, 2130, 642, 589, -2167, -1084, -370, -3163, - 3763, -893, -2303, -402, 2937, -1689, -1526, -3745, -2460, 2874, 2965, 124, -1669, -1441, -3312, 3781, - 2812, -2386, -2515, -429, -3343, 777, -826, -3366, -3657, -1404, -791, -2963, -692, 2532, 2083, 2258, - -2005, 188, -2345, 3723, 1403, -2070, -83, 3214, 3752, 1012, -1837, 3208, -3287, -3335, 293, -796, - -592, -1519, 1338, -1931, -509, 2262, 3408, -3334, -3677, -2130, -642, -589, 2167, 1084, 370, 3163, - -3763, 893, 2303, 402, -2937, 1689, 1526, 3745, 2460, -2874, -2965, -124, 1669, 1441, 3312, -3781, - -2812, 2386, 2515, 429, 3343, -777, 826, 3366, 3657, 1404, 791, 2963, 692, -2532, -2083, -2258, - 179, 1121, 2891, -3581, 3177, -658, -3314, -1509, -17, 151, 2815, 2786, 1278, -2767, -1072, -1151, - -1242, -2071, 2340, -1586, 2072, 1476, 2998, 2918, -3744, -3794, -1295, 451, -929, 2378, -1144, 434, - -1070, -436, -3550, -3568, 1649, 715, 3461, -1407, -2001, -1203, 3770, 1712, 2230, -3542, 2589, -3547, - -2059, -236, 3434, -3693, 2161, -670, 2719, 2339, -2422, 1181, 3450, 222, 1348, -226, 2247, -1779, - -179, -1121, -2891, 3581, -3177, 658, 3314, 1509, 17, -151, -2815, -2786, -1278, 2767, 1072, 1151, - 1242, 2071, -2340, 1586, -2072, -1476, -2998, -2918, 3744, 3794, 1295, -451, 929, -2378, 1144, -434, - 1070, 436, 3550, 3568, -1649, -715, -3461, 1407, 2001, 1203, -3770, -1712, -2230, 3542, -2589, 3547, - 2059, 236, -3434, 3693, -2161, 670, -2719, -2339, 2422, -1181, -3450, -222, -1348, 226, -2247, 1779, - } -} ; -static const vec512 y_10753 = { .v = { - 1018, -1520, -2935, -4189, 2413, 918, 4, 1299, -2695, 1341, -205, -4744, -3784, 2629, 2565, -3062, - 223, -4875, 2790, -2576, -3686, -2503, 3550, -3085, 730, 1931, -4513, 4876, -3364, 5213, 2178, 2984, - 4188, -4035, 4129, -544, 357, 4347, 1284, -2388, -4855, 341, -1287, 4102, 425, 5175, -4616, -4379, - -3688, 5063, 3091, 1085, -376, 3012, -268, -1009, -2236, -3823, 2982, 
-4742, -4544, -4095, 193, 847, - -1018, 1520, 2935, 4189, -2413, -918, -4, -1299, 2695, -1341, 205, 4744, 3784, -2629, -2565, 3062, - -223, 4875, -2790, 2576, 3686, 2503, -3550, 3085, -730, -1931, 4513, -4876, 3364, -5213, -2178, -2984, - -4188, 4035, -4129, 544, -357, -4347, -1284, 2388, 4855, -341, 1287, -4102, -425, -5175, 4616, 4379, - 3688, -5063, -3091, -1085, 376, -3012, 268, 1009, 2236, 3823, -2982, 4742, 4544, 4095, -193, -847, - -4734, 4977, -400, -864, 567, -5114, -4286, 635, 512, -1356, -779, -2973, 675, -5064, -1006, 1268, - 2998, 2981, -151, -3337, 3198, -909, 2737, -970, 2774, 886, 2206, 1324, 2271, 454, -326, -3715, - -3441, -4580, 636, 2234, -794, 3615, 578, -472, 3057, -5156, -2740, 2684, 1615, -1841, -336, -1586, - 5341, -116, 5294, 4123, 5023, -1458, -3169, 467, -2045, 4828, -1572, -5116, -2213, -4808, 2884, 1068, - 4734, -4977, 400, 864, -567, 5114, 4286, -635, -512, 1356, 779, 2973, -675, 5064, 1006, -1268, - -2998, -2981, 151, 3337, -3198, 909, -2737, 970, -2774, -886, -2206, -1324, -2271, -454, 326, 3715, - 3441, 4580, -636, -2234, 794, -3615, -578, 472, -3057, 5156, 2740, -2684, -1615, 1841, 336, 1586, - -5341, 116, -5294, -4123, -5023, 1458, 3169, -467, 2045, -4828, 1572, 5116, 2213, 4808, -2884, -1068, - 3453, 2196, 2118, 5005, 2428, -2062, -1930, 2283, 4601, 3524, -3241, -1409, -2230, -5015, 4359, 4254, - 5309, 2657, -2050, -4428, 4250, -2015, -3148, -778, 2624, -1573, 40, 2237, -573, -4447, 2909, 1122, - 854, -4782, 2439, 4408, 5172, 4784, 4144, 1639, 3760, 2139, 2680, -663, 4621, 3135, 1349, -97, - 5215, 3410, -2117, -1992, -1381, -1635, 274, -2419, 3570, 458, 2087, -2374, -1132, 2662, -1722, 5313, - -3453, -2196, -2118, -5005, -2428, 2062, 1930, -2283, -4601, -3524, 3241, 1409, 2230, 5015, -4359, -4254, - -5309, -2657, 2050, 4428, -4250, 2015, 3148, 778, -2624, 1573, -40, -2237, 573, 4447, -2909, -1122, - -854, 4782, -2439, -4408, -5172, -4784, -4144, -1639, -3760, -2139, -2680, 663, -4621, -3135, -1349, 97, - -5215, -3410, 2117, 
1992, 1381, 1635, -274, 2419, -3570, -458, -2087, 2374, 1132, -2662, 1722, -5313, - -2487, -554, 4519, 2449, 73, 3419, 624, -1663, -1053, 4889, 279, 1893, 1111, 1510, 2279, -4540, - 2529, 2963, 5120, -3995, -5107, -3360, -5356, 2625, -4403, 152, -5083, -2807, 2113, -4000, -4328, 3125, - -2605, 4967, -1056, 1160, 1927, 693, -4003, 3827, -4670, -569, 3535, -5268, 1782, 825, 355, 5068, - 5334, 4859, -1689, -2788, -4891, -3260, 1204, 3891, -4720, -4973, 2813, 2205, 834, -4393, -2151, 3096, - 2487, 554, -4519, -2449, -73, -3419, -624, 1663, 1053, -4889, -279, -1893, -1111, -1510, -2279, 4540, - -2529, -2963, -5120, 3995, 5107, 3360, 5356, -2625, 4403, -152, 5083, 2807, -2113, 4000, 4328, -3125, - 2605, -4967, 1056, -1160, -1927, -693, 4003, -3827, 4670, 569, -3535, 5268, -1782, -825, -355, -5068, - -5334, -4859, 1689, 2788, 4891, 3260, -1204, -3891, 4720, 4973, -2813, -2205, -834, 4393, 2151, -3096, - } -} ; -/* - can also compute these on the fly, and share storage, - at expense of 2 NTTs on top of the 24 NTTs below: - ... - for (i = 0;i < 512;++i) y_7681[i] = 0; - y_7681[1] = -3593; - PQCLEAN_SNTRUP857_AVX2_ntt512_7681(y_7681,1); - ... 
- for (i = 0;i < 512;++i) y_10753[i] = 0;
- y_10753[1] = 1018;
- PQCLEAN_SNTRUP857_AVX2_ntt512_10753(y_10753,1);
-*/
-
-static void mult1024(int16 h[2048], const int16 f[1024], const int16 g[1024]) {
- vec4x512 x1, x2;
- vec2048 x3, x4;
-#define fpad (x1.v)
-#define gpad (x2.v)
-#define hpad fpad
-#define h_7681 (x3.v)
-#define h_10753 (x4.v)
- int i;
-
- stride(fpad, f);
- PQCLEAN_SNTRUP857_AVX2_ntt512_7681(fpad[0], 4);
-
- stride(gpad, g);
- PQCLEAN_SNTRUP857_AVX2_ntt512_7681(gpad[0], 4);
-
- for (i = 0; i < 512; i += 16) {
- int16x16 f0 = squeeze_7681_x16(load_x16(&fpad[0][i]));
- int16x16 f1 = squeeze_7681_x16(load_x16(&fpad[1][i]));
- int16x16 f2 = squeeze_7681_x16(load_x16(&fpad[2][i]));
- int16x16 f3 = squeeze_7681_x16(load_x16(&fpad[3][i]));
- int16x16 g0 = squeeze_7681_x16(load_x16(&gpad[0][i]));
- int16x16 g1 = squeeze_7681_x16(load_x16(&gpad[1][i]));
- int16x16 g2 = squeeze_7681_x16(load_x16(&gpad[2][i]));
- int16x16 g3 = squeeze_7681_x16(load_x16(&gpad[3][i]));
- int16x16 d0 = mulmod_7681_x16(f0, g0);
- int16x16 d1 = mulmod_7681_x16(f1, g1);
- int16x16 d2 = mulmod_7681_x16(f2, g2);
- int16x16 d3 = mulmod_7681_x16(f3, g3);
- int16x16 d0d1 = add_x16(d0, d1);
- int16x16 d0d1d2 = add_x16(d0d1, d2);
- int16x16 d0d1d2d3 = squeeze_7681_x16(add_x16(d0d1d2, d3));
- int16x16 d2d3 = add_x16(d2, d3);
- int16x16 d1d2d3 = add_x16(d1, d2d3);
- int16x16 e01 = mulmod_7681_x16(sub_x16(f0, f1), sub_x16(g0, g1));
- int16x16 e02 = mulmod_7681_x16(sub_x16(f0, f2), sub_x16(g0, g2));
- int16x16 e03 = mulmod_7681_x16(sub_x16(f0, f3), sub_x16(g0, g3));
- int16x16 e12 = mulmod_7681_x16(sub_x16(f1, f2), sub_x16(g1, g2));
- int16x16 e13 = mulmod_7681_x16(sub_x16(f1, f3), sub_x16(g1, g3));
- int16x16 e23 = mulmod_7681_x16(sub_x16(f2, f3), sub_x16(g2, g3));
- int16x16 h0 = d0;
- int16x16 h1 = sub_x16(d0d1, e01);
- int16x16 h2 = sub_x16(d0d1d2, e02);
- int16x16 h3 = sub_x16(d0d1d2d3, add_x16(e12, e03));
- int16x16 h4 = sub_x16(d1d2d3, e13);
- int16x16 h5 = sub_x16(d2d3, e23);
- int16x16 h6 = d3;
- int16x16 twist = load_x16(&y_7681.v[i]);
- h4 = mulmod_7681_x16(h4, twist);
- h5 = mulmod_7681_x16(h5, twist);
- h6 = mulmod_7681_x16(h6, twist);
- h0 = add_x16(h0, h4);
- h1 = add_x16(h1, h5);
- h2 = add_x16(h2, h6);
- store_x16(&hpad[0][i], squeeze_7681_x16(h0));
- store_x16(&hpad[1][i], squeeze_7681_x16(h1));
- store_x16(&hpad[2][i], squeeze_7681_x16(h2));
- store_x16(&hpad[3][i], squeeze_7681_x16(h3));
- }
-
- PQCLEAN_SNTRUP857_AVX2_invntt512_7681(hpad[0], 4);
- unstride(h_7681, (const int16(*)[512]) hpad);
-
- stride(fpad, f);
- PQCLEAN_SNTRUP857_AVX2_ntt512_10753(fpad[0], 4);
-
- stride(gpad, g);
- PQCLEAN_SNTRUP857_AVX2_ntt512_10753(gpad[0], 4);
-
- for (i = 0; i < 512; i += 16) {
- int16x16 f0 = squeeze_10753_x16(load_x16(&fpad[0][i]));
- int16x16 f1 = squeeze_10753_x16(load_x16(&fpad[1][i]));
- int16x16 f2 = squeeze_10753_x16(load_x16(&fpad[2][i]));
- int16x16 f3 = squeeze_10753_x16(load_x16(&fpad[3][i]));
- int16x16 g0 = squeeze_10753_x16(load_x16(&gpad[0][i]));
- int16x16 g1 = squeeze_10753_x16(load_x16(&gpad[1][i]));
- int16x16 g2 = squeeze_10753_x16(load_x16(&gpad[2][i]));
- int16x16 g3 = squeeze_10753_x16(load_x16(&gpad[3][i]));
- int16x16 d0 = mulmod_10753_x16(f0, g0);
- int16x16 d1 = mulmod_10753_x16(f1, g1);
- int16x16 d2 = mulmod_10753_x16(f2, g2);
- int16x16 d3 = mulmod_10753_x16(f3, g3);
- int16x16 d0d1 = add_x16(d0, d1);
- int16x16 d0d1d2 = add_x16(d0d1, d2);
- int16x16 d0d1d2d3 = squeeze_10753_x16(add_x16(d0d1d2, d3));
- int16x16 d2d3 = add_x16(d2, d3);
- int16x16 d1d2d3 = add_x16(d1, d2d3);
- int16x16 e01 = mulmod_10753_x16(sub_x16(f0, f1), sub_x16(g0, g1));
- int16x16 e02 = mulmod_10753_x16(sub_x16(f0, f2), sub_x16(g0, g2));
- int16x16 e03 = mulmod_10753_x16(sub_x16(f0, f3), sub_x16(g0, g3));
- int16x16 e12 = mulmod_10753_x16(sub_x16(f1, f2), sub_x16(g1, g2));
- int16x16 e13 = mulmod_10753_x16(sub_x16(f1, f3), sub_x16(g1, g3));
- int16x16 e23 = mulmod_10753_x16(sub_x16(f2, f3), sub_x16(g2, g3));
- int16x16 h0 = d0;
- int16x16 h1 = sub_x16(d0d1, e01);
- int16x16 h2 = sub_x16(d0d1d2, e02);
- int16x16 h3 = sub_x16(d0d1d2d3, add_x16(e12, e03));
- int16x16 h4 = sub_x16(d1d2d3, e13);
- int16x16 h5 = sub_x16(d2d3, e23);
- int16x16 h6 = d3;
- int16x16 twist = load_x16(&y_10753.v[i]);
- h4 = mulmod_10753_x16(h4, twist);
- h5 = mulmod_10753_x16(h5, twist);
- h6 = mulmod_10753_x16(h6, twist);
- h0 = add_x16(h0, h4);
- h1 = add_x16(h1, h5);
- h2 = add_x16(h2, h6);
- store_x16(&hpad[0][i], squeeze_10753_x16(h0));
- store_x16(&hpad[1][i], squeeze_10753_x16(h1));
- store_x16(&hpad[2][i], squeeze_10753_x16(h2));
- store_x16(&hpad[3][i], squeeze_10753_x16(h3));
- }
-
- PQCLEAN_SNTRUP857_AVX2_invntt512_10753(hpad[0], 4);
- unstride(h_10753, (const int16(*)[512]) hpad);
-
- for (i = 0; i < 2048; i += 16) {
- int16x16 u1 = load_x16(&h_10753[i]);
- int16x16 u2 = load_x16(&h_7681[i]);
- int16x16 t;
- u1 = mulmod_10753_x16(u1, const_x16(1268));
- u2 = mulmod_7681_x16(u2, const_x16(956));
- t = mulmod_7681_x16(sub_x16(u2, u1), const_x16(-2539));
- t = add_x16(u1, mulmod_5167_x16(t, const_x16(2146)));
- store_x16(&h[i], t);
- }
-}
-
-#define crypto_decode_pxint16 PQCLEAN_SNTRUP857_AVX2_crypto_decode_857xint16
-#define crypto_encode_pxint16 PQCLEAN_SNTRUP857_AVX2_crypto_encode_857xint16
-
-#define p 857
-#define q 5167
-
-static inline int16x16 freeze_5167_x16(int16x16 x) {
- int16x16 mask, xq;
- x = add_x16(x, const_x16(q)&signmask_x16(x));
- mask = signmask_x16(sub_x16(x, const_x16((q + 1) / 2)));
- xq = sub_x16(x, const_x16(q));
- x = _mm256_blendv_epi8(xq, x, mask);
- return x;
-}
-
-int PQCLEAN_SNTRUP857_AVX2_crypto_core_multsntrup857(unsigned char *outbytes, const unsigned char *inbytes, const unsigned char *kbytes) {
- vec1024 x1, x2;
- vec2048 x3;
-#define f (x1.v)
-#define g (x2.v)
-#define fg (x3.v)
-#define h f
- int i;
- int16x16 x;
-
- x = const_x16(0);
- for (i = p & ~15; i < 1024; i += 16) {
- store_x16(&f[i], x);
- }
- for (i = p & ~15; i < 1024; i += 16) {
- store_x16(&g[i], x);
- }
-
- crypto_decode_pxint16(f, inbytes);
-
- for (i = 0; i < 1024; i += 16) {
- x = load_x16(&f[i]);
- x = freeze_5167_x16(squeeze_5167_x16(x));
- store_x16(&f[i], x);
- }
- for (i = 0; i < p; ++i) {
- int8 gi = (int8) kbytes[i];
- int8 gi0 = gi & 1;
- g[i] = (int8) (gi0 - (gi & (gi0 << 1)));
- }
-
- mult1024(fg, f, g);
-
- fg[0] = (int16) (fg[0] - fg[p - 1]);
- for (i = 0; i < 1024; i += 16) {
- int16x16 fgi = load_x16(&fg[i]);
- int16x16 fgip = load_x16(&fg[i + p]);
- int16x16 fgip1 = load_x16(&fg[i + p - 1]);
- x = add_x16(fgi, add_x16(fgip, fgip1));
- x = freeze_5167_x16(squeeze_5167_x16(x));
- store_x16(&h[i], x);
- }
-
- crypto_encode_pxint16(outbytes, h);
-
- return 0;
-}
diff --git a/crypto_kem/sntrup857/avx2/crypto_core_multsntrup857.h b/crypto_kem/sntrup857/avx2/crypto_core_multsntrup857.h
deleted file mode 100644
index db467cc1..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_core_multsntrup857.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_AVX2_CRYPTO_CORE_MULTSNTRUP857_H
-#define PQCLEAN_SNTRUP857_AVX2_CRYPTO_CORE_MULTSNTRUP857_H
-
-#include
-#define PQCLEAN_SNTRUP857_AVX2_crypto_core_multsntrup857_OUTPUTBYTES 1714
-#define PQCLEAN_SNTRUP857_AVX2_crypto_core_multsntrup857_INPUTBYTES 1714
-#define PQCLEAN_SNTRUP857_AVX2_crypto_core_multsntrup857_KEYBYTES 857
-#define PQCLEAN_SNTRUP857_AVX2_crypto_core_multsntrup857_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP857_AVX2_crypto_core_multsntrup857(unsigned char *outbytes, const unsigned char *inbytes, const unsigned char *kbytes);
-#endif
diff --git a/crypto_kem/sntrup857/avx2/crypto_core_multsntrup857_ntt.c b/crypto_kem/sntrup857/avx2/crypto_core_multsntrup857_ntt.c
deleted file mode 100644
index 05fbade0..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_core_multsntrup857_ntt.c
+++ /dev/null
@@ -1,927 +0,0 @@ -#include "crypto_core_multsntrup857.h" -#include "crypto_core_multsntrup857_ntt.h" -#include -#include - -/* auto-generated; do not edit */ - - -typedef int8_t int8; -typedef int16_t int16; - -#define zeta(n,i) (((__m256i *) zeta_##n)[(i)]) -#define zeta_x4(n,i) (((__m256i *) zeta_x4_##n)[(i)]) -#define zeta_qinv(n,i) (((__m256i *) qinvzeta_##n)[(i)]) -#define zeta_x4_qinv(n,i) (((__m256i *) qinvzeta_x4_##n)[(i)]) -#define zetainv(n,i) _mm256_loadu_reverse16((__m256i *) ((int16 *) zeta_##n+(n)/2+1-16*((i)+1))) -#define zetainv_x4(n,i) _mm256_loadu_reverse16((__m256i *) ((int16 *) zeta_x4_##n+2*(n)+4-16*((i)+1))) -#define zetainv_qinv(n,i) _mm256_loadu_reverse16((__m256i *) ((int16 *) qinvzeta_##n+(n)/2+1-16*((i)+1))) -#define zetainv_x4_qinv(n,i) _mm256_loadu_reverse16((__m256i *) ((int16 *) qinvzeta_x4_##n+2*(n)+4-16*((i)+1))) - -typedef union { - int16 data[93 * 16]; - __m256i _dummy; -} vec1488; - -static const vec1488 qdata_7681 = { .data = { - -#define q_x16 (qdata[0]) - 7681, 7681, 7681, 7681, 7681, 7681, 7681, 7681, 7681, 7681, 7681, 7681, 7681, 7681, 7681, 7681, - -#define qrecip_x16 (qdata[1]) - 17474, 17474, 17474, 17474, 17474, 17474, 17474, 17474, 17474, 17474, 17474, 17474, 17474, 17474, 17474, 17474, - -#define qshift_x16 (qdata[2]) - 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, - -#define zeta4_x16 (qdata[3]) - -3777, -3777, -3777, -3777, -3777, -3777, -3777, -3777, -3777, -3777, -3777, -3777, -3777, -3777, -3777, -3777, - -#define zeta4_x16_qinv (qdata[4]) - -28865, -28865, -28865, -28865, -28865, -28865, -28865, -28865, -28865, -28865, -28865, -28865, -28865, -28865, -28865, -28865, - -#define zeta8_x16 (qdata[5]) - -3625, -3625, -3625, -3625, -3625, -3625, -3625, -3625, -3625, -3625, -3625, -3625, -3625, -3625, -3625, -3625, - -#define zeta8_x16_qinv (qdata[6]) - -16425, -16425, -16425, -16425, -16425, -16425, -16425, -16425, -16425, -16425, -16425, -16425, -16425, -16425, -16425, -16425, - -#define 
zetainv8_x16 (qdata[7]) - -3182, -3182, -3182, -3182, -3182, -3182, -3182, -3182, -3182, -3182, -3182, -3182, -3182, -3182, -3182, -3182, - -#define zetainv8_x16_qinv (qdata[8]) - -10350, -10350, -10350, -10350, -10350, -10350, -10350, -10350, -10350, -10350, -10350, -10350, -10350, -10350, -10350, -10350, - -#define zeta_x4_16 (qdata+9) - -3593, -3593, -3593, -3593, -2194, -2194, -2194, -2194, -3625, -3625, -3625, -3625, 1100, 1100, 1100, 1100, - -3777, -3777, -3777, -3777, -2456, -2456, -2456, -2456, 3182, 3182, 3182, 3182, 3696, 3696, 3696, 3696, - 3593, 3593, 3593, 3593, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define qinvzeta_x4_16 (qdata+12) - -9, -9, -9, -9, 4974, 4974, 4974, 4974, -16425, -16425, -16425, -16425, 7244, 7244, 7244, 7244, - -28865, -28865, -28865, -28865, -14744, -14744, -14744, -14744, 10350, 10350, 10350, 10350, -4496, -4496, -4496, -4496, - 9, 9, 9, 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define zeta_x4_32 (qdata+15) - -3593, -3593, -3593, -3593, 1414, 1414, 1414, 1414, -2194, -2194, -2194, -2194, -2495, -2495, -2495, -2495, - -3625, -3625, -3625, -3625, 2876, 2876, 2876, 2876, 1100, 1100, 1100, 1100, -2250, -2250, -2250, -2250, - -3777, -3777, -3777, -3777, -1701, -1701, -1701, -1701, -2456, -2456, -2456, -2456, 834, 834, 834, 834, - 3182, 3182, 3182, 3182, -2319, -2319, -2319, -2319, 3696, 3696, 3696, 3696, 121, 121, 121, 121, - 3593, 3593, 3593, 3593, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define qinvzeta_x4_32 (qdata+20) - -9, -9, -9, -9, 20870, 20870, 20870, 20870, 4974, 4974, 4974, 4974, 22593, 22593, 22593, 22593, - -16425, -16425, -16425, -16425, 828, 828, 828, 828, 7244, 7244, 7244, 7244, -23754, -23754, -23754, -23754, - -28865, -28865, -28865, -28865, 20315, 20315, 20315, 20315, -14744, -14744, -14744, -14744, 18242, 18242, 18242, 18242, - 10350, 10350, 10350, 10350, -18191, -18191, -18191, -18191, -4496, -4496, -4496, -4496, -11655, -11655, -11655, -11655, - 9, 9, 9, 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define zeta_64 
(qdata+25) - -3593, -617, 1414, 3706, -2194, -1296, -2495, -2237, -3625, 2830, 2876, -1599, 1100, 1525, -2250, 2816, - -3777, 1921, -1701, 2006, -2456, 1483, 834, -1986, 3182, 3364, -2319, -1993, 3696, -2557, 121, 2088, - 3593, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define qinvzeta_64 (qdata+28) - -9, 19351, 20870, -15750, 4974, -9488, 22593, 7491, -16425, 26382, 828, 23489, 7244, 20469, -23754, 2816, - -28865, -5759, 20315, -3114, -14744, 15307, 18242, -19394, 10350, -10972, -18191, -31177, -4496, -25597, -11655, 22568, - 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define zeta_128 (qdata+31) - -3593, -2804, -617, -396, 1414, -549, 3706, 810, -2194, -1321, -1296, 438, -2495, -2535, -2237, -3689, - -3625, 2043, 2830, -1881, 2876, 3153, -1599, 7, 1100, -514, 1525, -1760, -2250, -2440, 2816, 3600, - -3777, 103, 1921, -3174, -1701, 1535, 2006, -1887, -2456, 1399, 1483, -679, 834, 3772, -1986, 1738, - 3182, -1431, 3364, -3555, -2319, -2310, -1993, 638, 3696, -2956, -2557, -1305, 121, 2555, 2088, -3266, - 3593, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define qinvzeta_128 (qdata+36) - -9, -29428, 19351, 26228, 20870, 21467, -15750, 5930, 4974, -14121, -9488, -21066, 22593, 2073, 7491, 16279, - -16425, -25093, 26382, 26279, 828, -29103, 23489, 11783, 7244, 14846, 20469, 14624, -23754, -6536, 2816, 11792, - -28865, -4505, -5759, -6246, 20315, 9215, -3114, 6817, -14744, 4983, 15307, -28839, 18242, 1724, -19394, 23242, - 10350, -21399, -10972, -29667, -18191, -21766, -31177, 15998, -4496, 23668, -25597, -5913, -11655, -24581, 22568, -20674, - 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define zeta_256 (qdata+41) - -3593, 2665, -2804, -2572, -617, 727, -396, 3417, 1414, 2579, -549, 373, 3706, 3750, 810, -1054, - -2194, -2133, -1321, 1681, -1296, -1386, 438, -2732, -2495, 1919, -2535, -2391, -2237, 2835, -3689, 2, - -3625, -783, 2043, 3145, 2830, 1533, -1881, 2789, 2876, 2649, 3153, 3692, -1599, -1390, 7, -1166, - 1100, 3310, -514, 2224, 1525, 
-2743, -1760, 2385, -2250, -486, -2440, -1756, 2816, -3816, 3600, -3831, - -3777, -1799, 103, 1497, 1921, 1521, -3174, -194, -1701, -859, 1535, 2175, 2006, -2762, -1887, -1698, - -2456, -3480, 1399, 2883, 1483, -3428, -679, -2113, 834, 1532, 3772, -660, -1986, -2764, 1738, -915, - 3182, 1056, -1431, 1350, 3364, 1464, -3555, 2919, -2319, -2160, -2310, 730, -1993, -1598, 638, 3456, - 3696, -1168, -2956, -3588, -2557, -921, -1305, 3405, 121, -404, 2555, -3135, 2088, 2233, -3266, -2426, - 3593, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define qinvzeta_256 (qdata+50) - -9, -17303, -29428, 24052, 19351, -12073, 26228, -24743, 20870, -12269, 21467, 19317, -15750, -25946, 5930, 32738, - 4974, -4693, -14121, 2193, -9488, 26262, -21066, 7508, 22593, 9599, 2073, 10409, 7491, -12013, 16279, -15358, - -16425, -16655, -25093, 32329, 26382, 24573, 26279, 13541, 828, -25511, -29103, 26220, 23489, -8558, 11783, -24718, - 7244, 10478, 14846, 26800, 20469, 26441, 14624, -29871, -23754, -3558, -6536, -16092, 2816, 8472, 11792, -7415, - -28865, -13575, -4505, -26663, -5759, -14351, -6246, -17602, 20315, -22875, 9215, 9855, -3114, -24266, 6817, -2722, - -14744, -15768, 4983, 12611, 15307, -21860, -28839, -27201, 18242, 32252, 1724, 21868, -19394, -8908, 23242, 13933, - 10350, 17440, -21399, -11962, -10972, 30136, -29667, -1689, -18191, 6032, -21766, 30426, -31177, 15810, 15998, 3456, - -4496, -9360, 23668, 27132, -25597, -5529, -5913, 1869, -11655, 22124, -24581, 21953, 22568, 23225, -20674, 17030, - 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define zeta_512 (qdata+59) - -3593, 2005, 2665, 2891, -2804, 2345, -2572, 1121, -617, -188, 727, 2786, -396, -3208, 3417, -17, - 1414, -3752, 2579, 2815, -549, 1837, 373, 151, 3706, -1012, 3750, -1509, 810, -3214, -1054, 3177, - -2194, -1403, -2133, -3314, -1321, 83, 1681, -658, -1296, 2070, -1386, -3547, 438, 3781, -2732, 2230, - -2495, -1669, 1919, 2589, -2535, -3312, -2391, -3542, -2237, -1441, 2835, -3568, -3689, -402, 2, -1070, 
- -3625, 3763, -783, -3550, 2043, -2303, 3145, -436, 2830, -893, 1533, 1712, -1881, 124, 2789, -2001, - 2876, -2460, 2649, 3770, 3153, 2965, 3692, -1203, -1599, 2874, -1390, -1407, 7, -3745, -1166, 1649, - 1100, 2937, 3310, 3461, -514, -1526, 2224, 715, 1525, -1689, -2743, 434, -1760, -3163, 2385, -929, - -2250, -2167, -486, -1144, -2440, -370, -1756, 2378, 2816, -1084, -3816, -1586, 3600, 1931, -3831, -1242, - -3777, 592, -1799, 2340, 103, -1338, 1497, -2071, 1921, 1519, 1521, 451, -3174, 589, -194, -3744, - -1701, 3677, -859, -1295, 1535, 642, 2175, -3794, 2006, 2130, -2762, 2918, -1887, 3334, -1698, 2072, - -2456, 509, -3480, 2998, 1399, -3408, 2883, 1476, 1483, -2262, -3428, -1779, -679, 2258, -2113, 1348, - 834, -692, 1532, 2247, 3772, 2083, -660, -226, -1986, 2532, -2764, -3693, 1738, -429, -915, -2059, - 3182, 2812, 1056, 3434, -1431, -2515, 1350, -236, 3364, -2386, 1464, 222, -3555, -2963, 2919, -2422, - -2319, -3657, -2160, 3450, -2310, -791, 730, 1181, -1993, -1404, -1598, 2339, 638, -3366, 3456, 2161, - 3696, -3343, -1168, 2719, -2956, -826, -3588, -670, -2557, 777, -921, 1151, -1305, -796, 3405, -1278, - 121, -3287, -404, 1072, 2555, 293, -3135, 2767, 2088, -3335, 2233, 3581, -3266, 3723, -2426, -179, - 3593, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - -#define qinvzeta_512 (qdata+76) - -9, 4565, -17303, 16715, -29428, 15145, 24052, -22943, 19351, 1860, -12073, -28958, 26228, -7304, -24743, -529, - 20870, -24232, -12269, 10495, 21467, -16083, 19317, 20119, -15750, -27636, -25946, -12261, 5930, -26766, 32738, -16791, - 4974, 25733, -4693, 20238, -14121, 18003, 2193, 6510, -9488, 29718, 26262, -25563, -21066, -1851, 7508, -19274, - 22593, -28805, 9599, -23523, 2073, 4880, 10409, 1578, 7491, -10145, -12013, 4624, 16279, 6766, -15358, 24530, - -16425, 5299, -16655, -2526, -25093, -9983, 32329, 5708, 26382, -23933, 24573, 26288, 26279, 30844, 13541, 30255, - 828, 15972, -25511, 17082, -29103, -27243, 26220, -2739, 23489, 16186, -8558, -9087, 11783, 
-12449, -24718, -14223, - 7244, -8839, 10478, 30597, 14846, -12790, 26800, 14539, 20469, -6297, 26441, 9650, 14624, -25179, -29871, -9633, - -23754, -5751, -3558, 2952, -6536, 23182, -16092, 23882, 2816, 964, 8472, -10802, 11792, -17013, -7415, -30938, - -28865, -23984, -13575, -11996, -4505, -14650, -26663, -22039, -5759, 1007, -14351, 10179, -6246, -947, -17602, -20128, - 20315, 10333, -22875, -17167, 9215, -14718, 9855, -29394, -3114, 27730, -24266, 5990, 6817, 22790, -2722, 14360, - -14744, 23549, -15768, -18506, 4983, 21168, 12611, 3524, 15307, 2858, -21860, 29453, -28839, 27858, -27201, 3396, - 18242, 5452, 32252, -18745, 1724, -4573, 21868, 31518, -19394, 20964, -8908, -18541, 23242, 17491, 13933, 16885, - 10350, -32004, 17440, -24214, -21399, -20435, -11962, -22764, -10972, -27986, 30136, -802, -29667, 11885, -1689, -13686, - -18191, 32695, 6032, -16006, -21766, -20759, 30426, -24931, -31177, -32124, 15810, -4317, 15998, 26330, 3456, -13711, - -4496, -19215, -9360, 26783, 23668, -14138, 27132, -32414, -25597, -2807, -5529, 8831, -5913, 17636, 1869, -16638, - -11655, 9513, 22124, 25648, -24581, -21723, 21953, -14129, 22568, -15111, 23225, 26621, -20674, -15221, 17030, -1715, - 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - } -}; - -static const vec1488 qdata_10753 = { .data = { - - 10753, 10753, 10753, 10753, 10753, 10753, 10753, 10753, 10753, 10753, 10753, 10753, 10753, 10753, 10753, 10753, - - 24964, 24964, 24964, 24964, 24964, 24964, 24964, 24964, 24964, 24964, 24964, 24964, 24964, 24964, 24964, 24964, - - 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, - - 223, 223, 223, 223, 223, 223, 223, 223, 223, 223, 223, 223, 223, 223, 223, 223, - - 27359, 27359, 27359, 27359, 27359, 27359, 27359, 27359, 27359, 27359, 27359, 27359, 27359, 27359, 27359, 27359, - - 4188, 4188, 4188, 4188, 4188, 4188, 4188, 4188, 4188, 4188, 4188, 4188, 4188, 4188, 4188, 4188, - - -1956, -1956, -1956, -1956, -1956, -1956, -1956, -1956, -1956, -1956, -1956, -1956, -1956, -1956, 
-1956, -1956, - - 3688, 3688, 3688, 3688, 3688, 3688, 3688, 3688, 3688, 3688, 3688, 3688, 3688, 3688, 3688, 3688, - - -408, -408, -408, -408, -408, -408, -408, -408, -408, -408, -408, -408, -408, -408, -408, -408, - - 1018, 1018, 1018, 1018, 2413, 2413, 2413, 2413, 4188, 4188, 4188, 4188, 357, 357, 357, 357, - 223, 223, 223, 223, -3686, -3686, -3686, -3686, -3688, -3688, -3688, -3688, -376, -376, -376, -376, - -1018, -1018, -1018, -1018, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - -6, -6, -6, -6, 10093, 10093, 10093, 10093, -1956, -1956, -1956, -1956, 28517, 28517, 28517, 28517, - 27359, 27359, 27359, 27359, -21094, -21094, -21094, -21094, 408, 408, 408, 408, -20856, -20856, -20856, -20856, - 6, 6, 6, 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - 1018, 1018, 1018, 1018, -2695, -2695, -2695, -2695, 2413, 2413, 2413, 2413, 425, 425, 425, 425, - 4188, 4188, 4188, 4188, -4855, -4855, -4855, -4855, 357, 357, 357, 357, -3364, -3364, -3364, -3364, - 223, 223, 223, 223, 730, 730, 730, 730, -3686, -3686, -3686, -3686, -4544, -4544, -4544, -4544, - -3688, -3688, -3688, -3688, -2236, -2236, -2236, -2236, -376, -376, -376, -376, 3784, 3784, 3784, 3784, - -1018, -1018, -1018, -1018, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - -6, -6, -6, -6, 7033, 7033, 7033, 7033, 10093, 10093, 10093, 10093, 18345, 18345, 18345, 18345, - -1956, -1956, -1956, -1956, 29449, 29449, 29449, 29449, 28517, 28517, 28517, 28517, -9508, -9508, -9508, -9508, - 27359, 27359, 27359, 27359, 16090, 16090, 16090, 16090, -21094, -21094, -21094, -21094, 28224, 28224, 28224, 28224, - 408, 408, 408, 408, -12476, -12476, -12476, -12476, -20856, -20856, -20856, -20856, 16072, 16072, 16072, 16072, - 6, 6, 6, 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - 1018, -1520, -2695, 1341, 2413, 918, 425, 5175, 4188, -4035, -4855, 341, 357, 4347, -3364, 5213, - 223, -4875, 730, 1931, -3686, -2503, -4544, -4095, -3688, 5063, -2236, -3823, -376, 3012, 3784, -2629, - -1018, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - -6, 23056, 7033, 829, 
10093, 26518, 18345, 3639, -1956, -4547, 29449, 3925, 28517, -7429, -9508, -11683, - 27359, -17675, 16090, 14731, -21094, -25543, 28224, -14847, 408, 28103, -12476, 10001, -20856, -7228, 16072, 18363, - 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - 1018, -2935, -1520, -4744, -2695, -205, 1341, 1299, 2413, 4, 918, -4379, 425, -4616, 5175, -544, - 4188, 4129, -4035, 4102, -4855, -1287, 341, -2388, 357, 1284, 4347, 2984, -3364, 2178, 5213, -2576, - 223, 2790, -4875, 4876, 730, -4513, 1931, -3085, -3686, 3550, -2503, 847, -4544, 193, -4095, 1085, - -3688, 3091, 5063, -4742, -2236, 2982, -3823, -1009, -376, -268, 3012, 3062, 3784, -2565, -2629, 4189, - -1018, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - -6, 31369, 23056, 15736, 7033, -24269, 829, -6381, 10093, 22532, 26518, 23781, 18345, 15864, 3639, 15840, - -1956, -23007, -4547, 5126, 29449, 8441, 3925, -16724, 28517, 23812, -7429, 31656, -9508, -19326, -11683, -27152, - 27359, 20198, -17675, 6924, 16090, 22623, 14731, 5619, -21094, -24098, -25543, 3407, 28224, 22209, -14847, 573, - 408, -4589, 28103, -5766, -12476, -12378, 10001, -31217, -20856, -2316, -7228, -20490, 16072, -14341, 18363, -12707, - 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - 1018, -4734, -2935, -400, -1520, 4977, -4744, -2973, -2695, 512, -205, -779, 1341, -1356, 1299, 635, - 2413, 567, 4, -4286, 918, -5114, -4379, -1586, 425, 1615, -4616, -336, 5175, -1841, -544, 2234, - 4188, -3441, 4129, 636, -4035, -4580, 4102, 2684, -4855, 3057, -1287, -2740, 341, -5156, -2388, -472, - 357, -794, 1284, 578, 4347, 3615, 2984, -3715, -3364, 2271, 2178, -326, 5213, 454, -2576, -3337, - 223, 2998, 2790, -151, -4875, 2981, 4876, 1324, 730, 2774, -4513, 2206, 1931, 886, -3085, -970, - -3686, 3198, 3550, 2737, -2503, -909, 847, 1068, -4544, -2213, 193, 2884, -4095, -4808, 1085, 4123, - -3688, 5341, 3091, 5294, 5063, -116, -4742, -5116, -2236, -2045, 2982, -1572, -3823, 4828, -1009, 467, - -376, 5023, -268, -3169, 3012, -1458, 3062, -1268, 3784, -675, 
-2565, 1006, -2629, 5064, 4189, 864, - -1018, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - -6, -26238, 31369, -24976, 23056, -30351, 15736, -18845, 7033, 512, -24269, -13579, 829, 29364, -6381, -11141, - 10093, -969, 22532, 6978, 26518, -4090, 23781, 11726, 18345, 4175, 15864, 7856, 3639, 719, 15840, -31558, - -1956, 31887, -23007, -21892, -4547, 22044, 5126, -19844, 29449, -32271, 8441, 32076, 3925, -11300, -16724, 28200, - 28517, 16614, 23812, 11842, -7429, -2017, 31656, 28541, -9508, 29407, -19326, 31418, -11683, -31290, -27152, 27895, - 27359, 12214, 20198, -14999, -17675, -1627, 6924, -13012, 16090, -4394, 22623, 7326, 14731, -22666, 5619, 8246, - -21094, 24702, -24098, 177, -25543, 7795, 3407, -13268, 28224, 2395, 22209, -7356, -14847, -17096, 573, -24037, - 408, -11555, -4589, -30546, 28103, 1932, -5766, 17412, -12476, 31235, -12378, -7716, 10001, -1316, -31217, 25555, - -20856, -609, -2316, -8801, -7228, 11854, -20490, 780, 16072, -17571, -14341, -2066, 18363, 17352, -12707, 17248, - 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - 1018, 3453, -4734, 4519, -2935, 2118, -400, -554, -1520, 2196, 4977, 1893, -4744, -1409, -2973, -1053, - -2695, 4601, 512, 279, -205, -3241, -779, 4889, 1341, 3524, -1356, -1663, 1299, 2283, 635, 73, - 2413, 2428, 567, 624, 4, -1930, -4286, 3419, 918, -2062, -5114, 5068, -4379, -97, -1586, 1782, - 425, 4621, 1615, 355, -4616, 1349, -336, 825, 5175, 3135, -1841, 1160, -544, 4408, 2234, -2605, - 4188, 854, -3441, -1056, 4129, 2439, 636, 4967, -4035, -4782, -4580, -5268, 4102, -663, 2684, -4670, - -4855, 3760, 3057, 3535, -1287, 2680, -2740, -569, 341, 2139, -5156, 3827, -2388, 1639, -472, 1927, - 357, 5172, -794, -4003, 1284, 4144, 578, 693, 4347, 4784, 3615, 3125, 2984, 1122, -3715, 2113, - -3364, -573, 2271, -4328, 2178, 2909, -326, -4000, 5213, -4447, 454, -3995, -2576, -4428, -3337, 2529, - 223, 5309, 2998, 5120, 2790, -2050, -151, 2963, -4875, 2657, 2981, -2807, 4876, 2237, 1324, -4403, - 730, 2624, 2774, -5083, -4513, 
40, 2206, 152, 1931, -1573, 886, 2625, -3085, -778, -970, -5107, - -3686, 4250, 3198, -5356, 3550, -3148, 2737, -3360, -2503, -2015, -909, 3096, 847, 5313, 1068, 834, - -4544, -1132, -2213, -2151, 193, -1722, 2884, -4393, -4095, 2662, -4808, -2788, 1085, -1992, 4123, 5334, - -3688, 5215, 5341, -1689, 3091, -2117, 5294, 4859, 5063, 3410, -116, 2205, -4742, -2374, -5116, -4720, - -2236, 3570, -2045, 2813, 2982, 2087, -1572, -4973, -3823, 458, 4828, 3891, -1009, -2419, 467, -4891, - -376, -1381, 5023, 1204, -268, 274, -3169, -3260, 3012, -1635, -1458, 4540, 3062, -4254, -1268, -1111, - 3784, 2230, -675, -2279, -2565, -4359, 1006, -1510, -2629, 5015, 5064, -2449, 4189, -5005, 864, 2487, - -1018, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - - -6, -29827, -26238, -21593, 31369, -29626, -24976, -7722, 23056, -16236, -30351, 30053, 15736, 9343, -18845, -16925, - 7033, 14329, 512, 15127, -24269, -21161, -13579, -1767, 829, -6716, 29364, -12415, -6381, 31467, -11141, 1609, - 10093, -20100, -969, -23952, 22532, -25482, 6978, 8027, 26518, 17394, -4090, -25652, 23781, -5729, 11726, -21770, - 18345, -4083, 4175, -15517, 15864, -19643, 7856, -22215, 3639, -18881, 719, -19320, 15840, -7880, -31558, 22483, - -1956, -6314, 31887, 15328, -23007, -7289, -21892, 11623, -4547, 31058, 22044, 13164, 5126, -15511, -19844, 6594, - 29449, 11952, -32271, 6095, 8441, 23160, 32076, 22471, 3925, 6747, -11300, 12531, -16724, 8295, 28200, -7801, - 28517, -29644, 16614, -20899, 23812, 12336, 11842, 20661, -7429, 12976, -2017, 23093, 31656, -3998, 28541, 24129, - -9508, -61, 29407, -232, -19326, -13987, 31418, 12384, -11683, -31583, -31290, 24165, -27152, 26292, 27895, 8161, - 27359, 4797, 12214, 5120, 20198, 19454, -14999, -4717, -17675, 8289, -1627, 31497, 6924, 1725, -13012, 19661, - 16090, -30144, -4394, -9691, 22623, 28712, 7326, 4248, 14731, 3035, -22666, 24641, 5619, -24330, 8246, -13811, - -21094, -13158, 24702, -23788, -24098, 27572, 177, 13024, -25543, -29151, 7795, 7192, 3407, 27329, 
-13268, 12098, - 28224, -19564, 2395, -8807, 22209, 32070, -7356, -22313, -14847, 20070, -17096, 23836, 573, -14280, -24037, -1834, - 408, 32351, -11555, 4967, -4589, 18875, -30546, -6917, 28103, -26286, 1932, 18077, -5766, 29370, 17412, 19856, - -12476, 23026, 31235, -30467, -12378, -24025, -7716, -12653, 10001, -8758, -1316, -20173, -31217, -11123, 25555, 23269, - -20856, -29541, -609, 31924, -2316, 3346, -8801, -13500, -7228, 14237, 11854, 14780, -20490, -9374, 780, 16809, - 16072, 11446, -17571, -8935, -14341, 5369, -2066, -18918, 18363, 19863, 17352, -16273, -12707, 3699, 17248, 951, - 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - } -}; - -static inline __m256i sub_x16(__m256i a, __m256i b) { - //__asm__("vpsubw %1,%0,%0" : "+x"(a),"+x"(b)); - return _mm256_sub_epi16(a, b); -} - -static inline __m256i add_x16(__m256i a, __m256i b) { - return _mm256_add_epi16(a, b); -} - -static inline __m256i reduce_x16(const __m256i *qdata, __m256i x) { - __m256i y = _mm256_mulhi_epi16(x, qrecip_x16); - y = _mm256_mulhrs_epi16(y, qshift_x16); - y = _mm256_mullo_epi16(y, q_x16); - return sub_x16(x, y); -} - -static inline __m256i mulmod_x16_scaled(const __m256i *qdata, __m256i x, __m256i y, __m256i yqinv) { - __m256i b = _mm256_mulhi_epi16(x, y); - __m256i d = _mm256_mullo_epi16(x, yqinv); - __m256i e = _mm256_mulhi_epi16(d, q_x16); - return sub_x16(b, e); -} - -typedef union { - int8 data[32]; - __m256i _dummy; -} byte32; -static const byte32 shuffle_buf = { .data = { - 14, 15, 12, 13, 10, 11, 8, 9, 6, 7, 4, 5, 2, 3, 0, 1, - 14, 15, 12, 13, 10, 11, 8, 9, 6, 7, 4, 5, 2, 3, 0, 1, - } -}; -#define shuffle (*(__m256i *) shuffle_buf.data) - -static inline __m256i _mm256_loadu_reverse16(const __m256i *p) { - __m256i x = _mm256_loadu_si256(p); - x = _mm256_permute2x128_si256(x, x, 1); - x = _mm256_shuffle_epi8(x, shuffle); - return x; -} - -static void ntt128(int16 *f, int reps, const __m256i *qdata) { - __m256i f0, f1, f2, f3, g0, g1, g2, g3, h0, h1, h2, h3; - int16 *origf = f; 
- int rep; - __m256i zetainv_128_0 = zetainv(128, 0); - __m256i zetainv_qinv_128_0 = zetainv_qinv(128, 0); - __m256i zetainv_x4_32_0 = zetainv_x4(32, 0); - __m256i zetainv_x4_qinv_32_0 = zetainv_x4_qinv(32, 0); - __m256i zetainv_128_1 = zetainv(128, 1); - __m256i zetainv_qinv_128_1 = zetainv_qinv(128, 1); - __m256i zetainv_x4_32_1 = zetainv_x4(32, 1); - __m256i zetainv_x4_qinv_32_1 = zetainv_x4_qinv(32, 1); - for (rep = 0; rep < reps; ++rep) { - f1 = _mm256_loadu_si256((__m256i *) (f + 32)); - f3 = _mm256_loadu_si256((__m256i *) (f + 96)); - g3 = sub_x16(f1, f3); - g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv); - g1 = add_x16(f1, f3); - - f0 = _mm256_loadu_si256((__m256i *) (f + 0)); - f2 = _mm256_loadu_si256((__m256i *) (f + 64)); - g2 = sub_x16(f0, f2); - g0 = add_x16(f0, f2); - - f3 = sub_x16(g3, g2); - f2 = add_x16(g2, g3); - f3 = mulmod_x16_scaled(qdata, f3, zetainv_128_0, zetainv_qinv_128_0); - f2 = mulmod_x16_scaled(qdata, f2, zeta(128, 0), zeta_qinv(128, 0)); - - g2 = _mm256_unpacklo_epi16(f2, f3); - g3 = _mm256_unpackhi_epi16(f2, f3); - - f1 = sub_x16(g0, g1); - f0 = add_x16(g0, g1); - f1 = mulmod_x16_scaled(qdata, f1, zeta(64, 0), zeta_qinv(64, 0)); - f0 = reduce_x16(qdata, f0); - - g0 = _mm256_unpacklo_epi16(f0, f1); - h0 = _mm256_unpacklo_epi32(g0, g2); - h1 = _mm256_unpackhi_epi32(g0, g2); - g1 = _mm256_unpackhi_epi16(f0, f1); - h2 = _mm256_unpacklo_epi32(g1, g3); - h3 = _mm256_unpackhi_epi32(g1, g3); - f0 = _mm256_permute2x128_si256(h0, h1, 0x20); - f2 = _mm256_permute2x128_si256(h0, h1, 0x31); - f1 = _mm256_permute2x128_si256(h2, h3, 0x20); - f3 = _mm256_permute2x128_si256(h2, h3, 0x31); - - _mm256_storeu_si256((__m256i *) (f + 0), f0); - _mm256_storeu_si256((__m256i *) (f + 64), f2); - _mm256_storeu_si256((__m256i *) (f + 32), f1); - _mm256_storeu_si256((__m256i *) (f + 96), f3); - - f1 = _mm256_loadu_si256((__m256i *) (f + 48)); - f3 = _mm256_loadu_si256((__m256i *) (f + 112)); - g3 = sub_x16(f1, f3); - g3 = mulmod_x16_scaled(qdata, 
g3, zeta4_x16, zeta4_x16_qinv); - g1 = add_x16(f1, f3); - - f0 = _mm256_loadu_si256((__m256i *) (f + 16)); - f2 = _mm256_loadu_si256((__m256i *) (f + 80)); - g2 = sub_x16(f0, f2); - g0 = add_x16(f0, f2); - - f3 = sub_x16(g3, g2); - f2 = add_x16(g2, g3); - f3 = mulmod_x16_scaled(qdata, f3, zetainv_128_1, zetainv_qinv_128_1); - f2 = mulmod_x16_scaled(qdata, f2, zeta(128, 1), zeta_qinv(128, 1)); - - g2 = _mm256_unpacklo_epi16(f2, f3); - g3 = _mm256_unpackhi_epi16(f2, f3); - - f1 = sub_x16(g0, g1); - f0 = add_x16(g0, g1); - f1 = mulmod_x16_scaled(qdata, f1, zeta(64, 1), zeta_qinv(64, 1)); - f0 = reduce_x16(qdata, f0); - - g0 = _mm256_unpacklo_epi16(f0, f1); - h0 = _mm256_unpacklo_epi32(g0, g2); - h1 = _mm256_unpackhi_epi32(g0, g2); - g1 = _mm256_unpackhi_epi16(f0, f1); - h2 = _mm256_unpacklo_epi32(g1, g3); - h3 = _mm256_unpackhi_epi32(g1, g3); - f0 = _mm256_permute2x128_si256(h0, h1, 0x20); - f2 = _mm256_permute2x128_si256(h0, h1, 0x31); - f1 = _mm256_permute2x128_si256(h2, h3, 0x20); - f3 = _mm256_permute2x128_si256(h2, h3, 0x31); - - _mm256_storeu_si256((__m256i *) (f + 16), f0); - _mm256_storeu_si256((__m256i *) (f + 80), f2); - _mm256_storeu_si256((__m256i *) (f + 48), f1); - _mm256_storeu_si256((__m256i *) (f + 112), f3); - - f += 128; - } - f = origf; - for (rep = 0; rep < reps; ++rep) { - f1 = _mm256_loadu_si256((__m256i *) (f + 64)); - f3 = _mm256_loadu_si256((__m256i *) (f + 80)); - g3 = sub_x16(f1, f3); - g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv); - g1 = add_x16(f1, f3); - - f0 = _mm256_loadu_si256((__m256i *) (f + 0)); - f2 = _mm256_loadu_si256((__m256i *) (f + 16)); - g2 = sub_x16(f0, f2); - g0 = add_x16(f0, f2); - - f3 = sub_x16(g3, g2); - f2 = add_x16(g2, g3); - f3 = mulmod_x16_scaled(qdata, f3, zetainv_x4_32_0, zetainv_x4_qinv_32_0); - f2 = mulmod_x16_scaled(qdata, f2, zeta_x4(32, 0), zeta_x4_qinv(32, 0)); - - g2 = _mm256_unpacklo_epi64(f2, f3); - g3 = _mm256_unpackhi_epi64(f2, f3); - - f1 = sub_x16(g0, g1); - f0 = add_x16(g0, g1); - 
f1 = mulmod_x16_scaled(qdata, f1, zeta_x4(16, 0), zeta_x4_qinv(16, 0)); - f0 = reduce_x16(qdata, f0); - - g1 = _mm256_unpackhi_epi64(f0, f1); - g0 = _mm256_unpacklo_epi64(f0, f1); - f1 = _mm256_permute2x128_si256(g1, g3, 0x20); - f3 = _mm256_permute2x128_si256(g1, g3, 0x31); - f0 = _mm256_permute2x128_si256(g0, g2, 0x20); - f2 = _mm256_permute2x128_si256(g0, g2, 0x31); - - _mm256_storeu_si256((__m256i *) (f + 64), f1); - _mm256_storeu_si256((__m256i *) (f + 80), f3); - _mm256_storeu_si256((__m256i *) (f + 0), f0); - _mm256_storeu_si256((__m256i *) (f + 16), f2); - - f1 = _mm256_loadu_si256((__m256i *) (f + 96)); - f3 = _mm256_loadu_si256((__m256i *) (f + 112)); - g3 = sub_x16(f1, f3); - g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv); - g1 = add_x16(f1, f3); - - f0 = _mm256_loadu_si256((__m256i *) (f + 32)); - f2 = _mm256_loadu_si256((__m256i *) (f + 48)); - g2 = sub_x16(f0, f2); - g0 = add_x16(f0, f2); - - f3 = sub_x16(g3, g2); - f2 = add_x16(g2, g3); - f3 = mulmod_x16_scaled(qdata, f3, zetainv_x4_32_1, zetainv_x4_qinv_32_1); - f2 = mulmod_x16_scaled(qdata, f2, zeta_x4(32, 1), zeta_x4_qinv(32, 1)); - - g2 = _mm256_unpacklo_epi64(f2, f3); - g3 = _mm256_unpackhi_epi64(f2, f3); - - f1 = sub_x16(g0, g1); - f0 = add_x16(g0, g1); - f1 = mulmod_x16_scaled(qdata, f1, zeta_x4(16, 1), zeta_x4_qinv(16, 1)); - f0 = reduce_x16(qdata, f0); - - g1 = _mm256_unpackhi_epi64(f0, f1); - g0 = _mm256_unpacklo_epi64(f0, f1); - f1 = _mm256_permute2x128_si256(g1, g3, 0x20); - f3 = _mm256_permute2x128_si256(g1, g3, 0x31); - f0 = _mm256_permute2x128_si256(g0, g2, 0x20); - f2 = _mm256_permute2x128_si256(g0, g2, 0x31); - - _mm256_storeu_si256((__m256i *) (f + 96), f1); - _mm256_storeu_si256((__m256i *) (f + 112), f3); - _mm256_storeu_si256((__m256i *) (f + 32), f0); - _mm256_storeu_si256((__m256i *) (f + 48), f2); - - f += 128; - } - f = origf; - for (rep = 0; rep < reps; ++rep) { - - f1 = _mm256_loadu_si256((__m256i *) (f + 16)); - f3 = _mm256_loadu_si256((__m256i *) (f + 48)); 
- g3 = sub_x16(f1, f3);
- g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv);
- g1 = add_x16(f1, f3);
-
- f0 = _mm256_loadu_si256((__m256i *) (f + 0));
- f2 = _mm256_loadu_si256((__m256i *) (f + 32));
- g2 = sub_x16(f0, f2);
- g0 = add_x16(f0, f2);
-
- f2 = add_x16(g2, g3);
- f3 = sub_x16(g2, g3);
- f2 = reduce_x16(qdata, f2);
- f3 = reduce_x16(qdata, f3);
-
- f1 = sub_x16(g0, g1);
- f0 = add_x16(g0, g1);
- f0 = reduce_x16(qdata, f0);
-
- h0 = f0;
- h1 = f1;
- h2 = f2;
- h3 = f3;
-
- f1 = _mm256_loadu_si256((__m256i *) (f + 80));
- f3 = _mm256_loadu_si256((__m256i *) (f + 112));
- g3 = sub_x16(f1, f3);
- g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv);
- g1 = add_x16(f1, f3);
-
- f0 = _mm256_loadu_si256((__m256i *) (f + 64));
- f2 = _mm256_loadu_si256((__m256i *) (f + 96));
- g2 = sub_x16(f0, f2);
- g0 = add_x16(f0, f2);
-
- f3 = sub_x16(g3, g2);
- f2 = add_x16(g2, g3);
- f3 = mulmod_x16_scaled(qdata, f3, zetainv8_x16, zetainv8_x16_qinv);
- f2 = mulmod_x16_scaled(qdata, f2, zeta8_x16, zeta8_x16_qinv);
-
- f1 = sub_x16(g0, g1);
- f0 = add_x16(g0, g1);
- f1 = mulmod_x16_scaled(qdata, f1, zeta4_x16, zeta4_x16_qinv);
- f0 = reduce_x16(qdata, f0);
-
- g0 = add_x16(h0, f0);
- g1 = add_x16(h1, f1);
- g2 = add_x16(h2, f2);
- g3 = add_x16(h3, f3);
- _mm256_storeu_si256((__m256i *) (f + 0), g0);
- _mm256_storeu_si256((__m256i *) (f + 16), g1);
- _mm256_storeu_si256((__m256i *) (f + 32), g2);
- _mm256_storeu_si256((__m256i *) (f + 48), g3);
- g0 = sub_x16(h0, f0);
- g1 = sub_x16(h1, f1);
- g2 = sub_x16(h2, f2);
- g3 = sub_x16(h3, f3);
- _mm256_storeu_si256((__m256i *) (f + 64), g0);
- _mm256_storeu_si256((__m256i *) (f + 80), g1);
- _mm256_storeu_si256((__m256i *) (f + 96), g2);
- _mm256_storeu_si256((__m256i *) (f + 112), g3);
- f += 128;
- }
-}
-
-static void ntt512(int16 *f, int reps, const __m256i *qdata) {
- __m256i f0, f1, f2, f3, g0, g1, g2, g3; /* [-Werror=unused-variable] */ /* ,h0,h1,h2,h3; */
- int16 *origf = f;
- int rep;
- __m256i zetainv_512[8];
- __m256i zetainv_qinv_512[8];
- int i;
- for (i = 0; i < 8; ++i) {
- zetainv_512[i] = zetainv(512, i);
- }
- for (i = 0; i < 8; ++i) {
- zetainv_qinv_512[i] = zetainv_qinv(512, i);
- }
- for (rep = 0; rep < reps; ++rep) {
- for (i = 0; i < 8; ++i) {
- f1 = _mm256_loadu_si256((__m256i *) (f + 16 * i + 128));
- f3 = _mm256_loadu_si256((__m256i *) (f + 16 * i + 384));
- g3 = sub_x16(f1, f3);
- g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv);
- g1 = add_x16(f1, f3);
-
- f0 = _mm256_loadu_si256((__m256i *) (f + 16 * i));
- f2 = _mm256_loadu_si256((__m256i *) (f + 16 * i + 256));
- g2 = sub_x16(f0, f2);
- g0 = add_x16(f0, f2);
-
- f3 = sub_x16(g3, g2);
- f2 = add_x16(g2, g3);
- f3 = mulmod_x16_scaled(qdata, f3, zetainv_512[i], zetainv_qinv_512[i]);
- f2 = mulmod_x16_scaled(qdata, f2, zeta(512, i), zeta_qinv(512, i));
-
- f1 = sub_x16(g0, g1);
- f0 = add_x16(g0, g1);
- f1 = mulmod_x16_scaled(qdata, f1, zeta(256, i), zeta_qinv(256, i));
- f0 = reduce_x16(qdata, f0);
-
- _mm256_storeu_si256((__m256i *) (f + 16 * i + 384), f3);
- _mm256_storeu_si256((__m256i *) (f + 16 * i + 256), f2);
- _mm256_storeu_si256((__m256i *) (f + 16 * i + 128), f1);
- _mm256_storeu_si256((__m256i *) (f + 16 * i), f0);
-
- }
- f += 512;
- }
- f = origf;
- ntt128(f, reps * 4, qdata);
-}
-
-void PQCLEAN_SNTRUP857_AVX2_ntt512_7681(int16 *f, int reps) {
- ntt512(f, reps, (const __m256i *) qdata_7681.data);
-}
-
-void PQCLEAN_SNTRUP857_AVX2_ntt512_10753(int16 *f, int reps) {
- ntt512(f, reps, (const __m256i *) qdata_10753.data);
-}
-
-static void invntt128(int16 *f, int reps, const __m256i *qdata) {
- __m256i f0, f1, f2, f3, g0, g1, g2, g3, h0, h1, h2, h3;
- int16 *origf = f;
- int rep;
- __m256i zetainv_x4_16_0 = zetainv_x4(16, 0);
- __m256i zetainv_x4_qinv_16_0 = zetainv_x4_qinv(16, 0);
- __m256i zetainv_x4_32_0 = zetainv_x4(32, 0);
- __m256i zetainv_x4_qinv_32_0 = zetainv_x4_qinv(32, 0);
- __m256i zetainv_64_0 = zetainv(64, 0);
- __m256i zetainv_qinv_64_0 = zetainv_qinv(64, 0);
- __m256i zetainv_128_0 = zetainv(128, 0);
- __m256i zetainv_qinv_128_0 = zetainv_qinv(128, 0);
- __m256i zetainv_x4_16_1 = zetainv_x4(16, 1);
- __m256i zetainv_x4_qinv_16_1 = zetainv_x4_qinv(16, 1);
- __m256i zetainv_x4_32_1 = zetainv_x4(32, 1);
- __m256i zetainv_x4_qinv_32_1 = zetainv_x4_qinv(32, 1);
- __m256i zetainv_64_1 = zetainv(64, 1);
- __m256i zetainv_qinv_64_1 = zetainv_qinv(64, 1);
- __m256i zetainv_128_1 = zetainv(128, 1);
- __m256i zetainv_qinv_128_1 = zetainv_qinv(128, 1);
- for (rep = 0; rep < reps; ++rep) {
- f0 = _mm256_loadu_si256((__m256i *) (f + 0));
- f1 = _mm256_loadu_si256((__m256i *) (f + 64));
- f2 = _mm256_loadu_si256((__m256i *) (f + 16));
- f3 = _mm256_loadu_si256((__m256i *) (f + 80));
- g0 = _mm256_loadu_si256((__m256i *) (f + 32));
- g1 = _mm256_loadu_si256((__m256i *) (f + 96));
- g2 = _mm256_loadu_si256((__m256i *) (f + 48));
- g3 = _mm256_loadu_si256((__m256i *) (f + 112));
-
- h1 = sub_x16(f0, f1);
- h1 = reduce_x16(qdata, h1);
- h0 = add_x16(f0, f1);
- h3 = sub_x16(f2, f3);
- h3 = mulmod_x16_scaled(qdata, h3, zeta4_x16, zeta4_x16_qinv);
- h2 = add_x16(f2, f3);
- f1 = sub_x16(g0, g1);
- f1 = mulmod_x16_scaled(qdata, f1, zetainv8_x16, zetainv8_x16_qinv);
- f0 = add_x16(g0, g1);
- f3 = sub_x16(g2, g3);
- f3 = mulmod_x16_scaled(qdata, f3, zeta8_x16, zeta8_x16_qinv);
- f2 = add_x16(g2, g3);
-
- g0 = add_x16(h0, h2);
- g0 = reduce_x16(qdata, g0);
- g2 = sub_x16(h0, h2);
- g2 = reduce_x16(qdata, g2);
- g1 = sub_x16(h1, h3);
- g3 = add_x16(h1, h3);
- h2 = sub_x16(f0, f2);
- h2 = mulmod_x16_scaled(qdata, h2, zeta4_x16, zeta4_x16_qinv);
- h0 = add_x16(f0, f2);
- h3 = add_x16(f1, f3);
- h3 = mulmod_x16_scaled(qdata, h3, zeta4_x16, zeta4_x16_qinv);
- h1 = sub_x16(f1, f3);
-
- f0 = add_x16(g0, h0);
- g0 = sub_x16(g0, h0);
- f1 = add_x16(g1, h1);
- g1 = sub_x16(g1, h1);
- f2 = sub_x16(g2, h2);
- g2 = add_x16(g2, h2);
- f3 = sub_x16(g3, h3);
- g3 = add_x16(g3, h3);
-
- _mm256_storeu_si256((__m256i *) (f + 0), f0);
- _mm256_storeu_si256((__m256i *) (f + 32), g0);
- _mm256_storeu_si256((__m256i *) (f + 64), f1);
- _mm256_storeu_si256((__m256i *) (f + 96), g1);
- _mm256_storeu_si256((__m256i *) (f + 16), f2);
- _mm256_storeu_si256((__m256i *) (f + 48), g2);
- _mm256_storeu_si256((__m256i *) (f + 80), f3);
- _mm256_storeu_si256((__m256i *) (f + 112), g3);
-
- f += 128;
- }
- f = origf;
- for (rep = 0; rep < reps; ++rep) {
- f0 = _mm256_loadu_si256((__m256i *) (f + 0));
- f1 = _mm256_loadu_si256((__m256i *) (f + 64));
- f2 = _mm256_loadu_si256((__m256i *) (f + 16));
- f3 = _mm256_loadu_si256((__m256i *) (f + 80));
-
- g0 = _mm256_unpacklo_epi64(f0, f1);
- g1 = _mm256_unpacklo_epi64(f2, f3);
- g2 = _mm256_unpackhi_epi64(f0, f1);
- g3 = _mm256_unpackhi_epi64(f2, f3);
- f2 = _mm256_permute2x128_si256(g0, g1, 0x31);
- f3 = _mm256_permute2x128_si256(g2, g3, 0x31);
- f0 = _mm256_permute2x128_si256(g0, g1, 0x20);
- f1 = _mm256_permute2x128_si256(g2, g3, 0x20);
-
- f2 = mulmod_x16_scaled(qdata, f2, zetainv_x4_32_0, zetainv_x4_qinv_32_0);
- f3 = mulmod_x16_scaled(qdata, f3, zeta_x4(32, 0), zeta_x4_qinv(32, 0));
-
- g3 = add_x16(f3, f2);
- g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv);
- g2 = sub_x16(f3, f2);
-
- f0 = reduce_x16(qdata, f0);
- f1 = mulmod_x16_scaled(qdata, f1, zetainv_x4_16_0, zetainv_x4_qinv_16_0);
-
- g1 = add_x16(f0, f1);
- g0 = sub_x16(f0, f1);
-
- f1 = add_x16(g1, g3);
- f3 = sub_x16(g1, g3);
- f0 = add_x16(g0, g2);
- f2 = sub_x16(g0, g2);
-
- _mm256_storeu_si256((__m256i *) (f + 64), f1);
- _mm256_storeu_si256((__m256i *) (f + 80), f3);
- _mm256_storeu_si256((__m256i *) (f + 0), f0);
- _mm256_storeu_si256((__m256i *) (f + 16), f2);
-
- f0 = _mm256_loadu_si256((__m256i *) (f + 32));
- f1 = _mm256_loadu_si256((__m256i *) (f + 96));
- f2 = _mm256_loadu_si256((__m256i *) (f + 48));
- f3 = _mm256_loadu_si256((__m256i *) (f + 112));
-
- g0 = _mm256_unpacklo_epi64(f0, f1);
- g1 = _mm256_unpacklo_epi64(f2, f3);
- g2 = _mm256_unpackhi_epi64(f0, f1);
- g3 = _mm256_unpackhi_epi64(f2, f3);
- f2 = _mm256_permute2x128_si256(g0, g1, 0x31);
- f3 = _mm256_permute2x128_si256(g2, g3, 0x31);
- f0 = _mm256_permute2x128_si256(g0, g1, 0x20);
- f1 = _mm256_permute2x128_si256(g2, g3, 0x20);
-
- f2 = mulmod_x16_scaled(qdata, f2, zetainv_x4_32_1, zetainv_x4_qinv_32_1);
- f3 = mulmod_x16_scaled(qdata, f3, zeta_x4(32, 1), zeta_x4_qinv(32, 1));
-
- g3 = add_x16(f3, f2);
- g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv);
- g2 = sub_x16(f3, f2);
-
- f0 = reduce_x16(qdata, f0);
- f1 = mulmod_x16_scaled(qdata, f1, zetainv_x4_16_1, zetainv_x4_qinv_16_1);
-
- g1 = add_x16(f0, f1);
- g0 = sub_x16(f0, f1);
-
- f1 = add_x16(g1, g3);
- f3 = sub_x16(g1, g3);
- f0 = add_x16(g0, g2);
- f2 = sub_x16(g0, g2);
-
- _mm256_storeu_si256((__m256i *) (f + 96), f1);
- _mm256_storeu_si256((__m256i *) (f + 112), f3);
- _mm256_storeu_si256((__m256i *) (f + 32), f0);
- _mm256_storeu_si256((__m256i *) (f + 48), f2);
-
- f += 128;
- }
- f = origf;
- for (rep = 0; rep < reps; ++rep) {
- f0 = _mm256_loadu_si256((__m256i *) (f + 0));
- f2 = _mm256_loadu_si256((__m256i *) (f + 64));
- f1 = _mm256_loadu_si256((__m256i *) (f + 32));
- f3 = _mm256_loadu_si256((__m256i *) (f + 96));
-
- g0 = _mm256_permute2x128_si256(f0, f2, 0x20);
- g2 = _mm256_permute2x128_si256(f0, f2, 0x31);
- f0 = _mm256_unpacklo_epi16(g0, g2);
- f2 = _mm256_unpackhi_epi16(g0, g2);
- g1 = _mm256_permute2x128_si256(f1, f3, 0x20);
- g3 = _mm256_permute2x128_si256(f1, f3, 0x31);
- f1 = _mm256_unpacklo_epi16(g1, g3);
- f3 = _mm256_unpackhi_epi16(g1, g3);
- g1 = _mm256_unpackhi_epi16(f0, f2);
- g0 = _mm256_unpacklo_epi16(f0, f2);
- g3 = _mm256_unpackhi_epi16(f1, f3);
- g2 = _mm256_unpacklo_epi16(f1, f3);
- f2 = _mm256_unpacklo_epi64(g1, g3);
- f3 = _mm256_unpackhi_epi64(g1, g3);
- f0 = _mm256_unpacklo_epi64(g0, g2);
- f1 = _mm256_unpackhi_epi64(g0, g2);
-
- f2 = mulmod_x16_scaled(qdata, f2, zetainv_128_0, zetainv_qinv_128_0);
- f3 = mulmod_x16_scaled(qdata, f3, zeta(128, 0), zeta_qinv(128, 0));
- f0 = reduce_x16(qdata, f0);
- f1 = mulmod_x16_scaled(qdata, f1, zetainv_64_0, zetainv_qinv_64_0);
-
- g3 = add_x16(f3, f2);
- g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv);
- g1 = add_x16(f0, f1);
- g2 = sub_x16(f3, f2);
- g0 = sub_x16(f0, f1);
-
- f1 = add_x16(g1, g3);
- f3 = sub_x16(g1, g3);
- f0 = add_x16(g0, g2);
- f2 = sub_x16(g0, g2);
-
- _mm256_storeu_si256((__m256i *) (f + 32), f1);
- _mm256_storeu_si256((__m256i *) (f + 96), f3);
- _mm256_storeu_si256((__m256i *) (f + 0), f0);
- _mm256_storeu_si256((__m256i *) (f + 64), f2);
-
- f0 = _mm256_loadu_si256((__m256i *) (f + 16));
- f2 = _mm256_loadu_si256((__m256i *) (f + 80));
- f1 = _mm256_loadu_si256((__m256i *) (f + 48));
- f3 = _mm256_loadu_si256((__m256i *) (f + 112));
-
- g0 = _mm256_permute2x128_si256(f0, f2, 0x20);
- g2 = _mm256_permute2x128_si256(f0, f2, 0x31);
- f0 = _mm256_unpacklo_epi16(g0, g2);
- f2 = _mm256_unpackhi_epi16(g0, g2);
- g1 = _mm256_permute2x128_si256(f1, f3, 0x20);
- g3 = _mm256_permute2x128_si256(f1, f3, 0x31);
- f1 = _mm256_unpacklo_epi16(g1, g3);
- f3 = _mm256_unpackhi_epi16(g1, g3);
- g1 = _mm256_unpackhi_epi16(f0, f2);
- g0 = _mm256_unpacklo_epi16(f0, f2);
- g3 = _mm256_unpackhi_epi16(f1, f3);
- g2 = _mm256_unpacklo_epi16(f1, f3);
- f2 = _mm256_unpacklo_epi64(g1, g3);
- f3 = _mm256_unpackhi_epi64(g1, g3);
- f0 = _mm256_unpacklo_epi64(g0, g2);
- f1 = _mm256_unpackhi_epi64(g0, g2);
-
- f2 = mulmod_x16_scaled(qdata, f2, zetainv_128_1, zetainv_qinv_128_1);
- f3 = mulmod_x16_scaled(qdata, f3, zeta(128, 1), zeta_qinv(128, 1));
- f0 = reduce_x16(qdata, f0);
- f1 = mulmod_x16_scaled(qdata, f1, zetainv_64_1, zetainv_qinv_64_1);
-
- g3 = add_x16(f3, f2);
- g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv);
- g1 = add_x16(f0, f1);
- g2 = sub_x16(f3, f2);
- g0 = sub_x16(f0, f1);
-
- f1 = add_x16(g1, g3);
- f3 = sub_x16(g1, g3);
- f0 = add_x16(g0, g2);
- f2 = sub_x16(g0, g2);
-
- _mm256_storeu_si256((__m256i *) (f + 48), f1);
- _mm256_storeu_si256((__m256i *) (f + 112), f3);
- _mm256_storeu_si256((__m256i *) (f + 16), f0);
- _mm256_storeu_si256((__m256i *) (f + 80), f2);
-
- f += 128;
- }
-}
-
-static void invntt512(int16 *f, int reps, const __m256i *qdata) {
- __m256i f0, f1, f2, f3, g0, g1, g2, g3; /* [-Werror=unused-variable] */ /* ,h0,h1,h2,h3; */
- /* [-Werror=unused-variable] */ /* int16 *origf = f; */
- int rep;
- __m256i zetainv_512[8];
- __m256i zetainv_qinv_512[8];
- __m256i zetainv_256[8];
- __m256i zetainv_qinv_256[8];
- int i;
- for (i = 0; i < 8; ++i) {
- zetainv_512[i] = zetainv(512, i);
- }
- for (i = 0; i < 8; ++i) {
- zetainv_qinv_512[i] = zetainv_qinv(512, i);
- }
- for (i = 0; i < 8; ++i) {
- zetainv_256[i] = zetainv(256, i);
- }
- for (i = 0; i < 8; ++i) {
- zetainv_qinv_256[i] = zetainv_qinv(256, i);
- }
- invntt128(f, 4 * reps, qdata);
- for (rep = 0; rep < reps; ++rep) {
- for (i = 0; i < 8; ++i) {
- f2 = _mm256_loadu_si256((__m256i *) (f + 16 * i + 256));
- f3 = _mm256_loadu_si256((__m256i *) (f + 16 * i + 384));
-
- f2 = mulmod_x16_scaled(qdata, f2, zetainv_512[i], zetainv_qinv_512[i]);
- f3 = mulmod_x16_scaled(qdata, f3, zeta(512, i), zeta_qinv(512, i));
- g3 = add_x16(f3, f2);
- g3 = mulmod_x16_scaled(qdata, g3, zeta4_x16, zeta4_x16_qinv);
- g2 = sub_x16(f3, f2);
-
- f0 = _mm256_loadu_si256((__m256i *) (f + 16 * i + 0));
- f1 = _mm256_loadu_si256((__m256i *) (f + 16 * i + 128));
-
- f0 = reduce_x16(qdata, f0);
- f1 = mulmod_x16_scaled(qdata, f1, zetainv_256[i], zetainv_qinv_256[i]);
- g1 = add_x16(f0, f1);
- g0 = sub_x16(f0, f1);
-
- f1 = add_x16(g1, g3);
- f3 = sub_x16(g1, g3);
- f0 = add_x16(g0, g2);
- f2 = sub_x16(g0, g2);
-
- _mm256_storeu_si256((__m256i *) (f + 16 * i + 128), f1);
- _mm256_storeu_si256((__m256i *) (f + 16 * i + 384), f3);
- _mm256_storeu_si256((__m256i *) (f + 16 * i + 0), f0);
- _mm256_storeu_si256((__m256i *) (f + 16 * i + 256), f2);
- }
- f += 512;
- }
-}
-
-void PQCLEAN_SNTRUP857_AVX2_invntt512_7681(int16 *f, int reps) {
- invntt512(f, reps, (const __m256i *) qdata_7681.data);
-}
-
-void PQCLEAN_SNTRUP857_AVX2_invntt512_10753(int16 *f, int reps) {
- invntt512(f, reps, (const __m256i *) qdata_10753.data);
-}
diff --git a/crypto_kem/sntrup857/avx2/crypto_core_multsntrup857_ntt.h b/crypto_kem/sntrup857/avx2/crypto_core_multsntrup857_ntt.h
deleted file mode 100644
index a38bad6d..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_core_multsntrup857_ntt.h
+++ /dev/null
@@ -1,13 +0,0 @@
-#ifndef ntt_H
-#define ntt_H
-
-#include 
-
-
-
-extern void PQCLEAN_SNTRUP857_AVX2_ntt512_7681(int16_t *f, int reps);
-extern void PQCLEAN_SNTRUP857_AVX2_ntt512_10753(int16_t *f, int reps);
-extern void PQCLEAN_SNTRUP857_AVX2_invntt512_7681(int16_t *f, int reps);
-extern void PQCLEAN_SNTRUP857_AVX2_invntt512_10753(int16_t *f, int reps);
-
-#endif
diff --git a/crypto_kem/sntrup857/avx2/crypto_core_scale3sntrup857.c b/crypto_kem/sntrup857/avx2/crypto_core_scale3sntrup857.c
deleted file mode 100644
index 6f4ae465..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_core_scale3sntrup857.c
+++ /dev/null
@@ -1,47 +0,0 @@
-#include "crypto_core_scale3sntrup857.h"
-#include "crypto_decode_857xint16.h"
-#include "crypto_encode_857xint16.h"
-#include 
-
-#define p 857
-#define q 5167
-
-#define crypto_decode_pxint16 PQCLEAN_SNTRUP857_AVX2_crypto_decode_857xint16
-#define crypto_encode_pxint16 PQCLEAN_SNTRUP857_AVX2_crypto_encode_857xint16
-
-typedef int16_t Fq;
-
-/* out = 3*in in Rq */
-int PQCLEAN_SNTRUP857_AVX2_crypto_core_scale3sntrup857(unsigned char *outbytes, const unsigned char *inbytes) {
- int i = p - 16;
-
- __m256i save = _mm256_loadu_si256((__m256i *) (inbytes + 2 * i));
- /* in case outbytes = inbytes */
-
- for (;;) {
- do {
- __m256i x = _mm256_loadu_si256((__m256i *) inbytes);
- __m256i xneg;
- x = _mm256_mullo_epi16(x, _mm256_set1_epi16(3));
- x = _mm256_sub_epi16(x, _mm256_set1_epi16((q + 1) / 2));
- xneg = _mm256_srai_epi16(x, 15);
- x = _mm256_add_epi16(x, _mm256_set1_epi16(q)&xneg);
- xneg = _mm256_srai_epi16(x, 15);
- x = _mm256_add_epi16(x, _mm256_set1_epi16(q)&xneg);
- x = _mm256_sub_epi16(x, _mm256_set1_epi16((q - 1) / 2));
- _mm256_storeu_si256((__m256i *) outbytes, x);
-
- inbytes += 32;
- outbytes += 32;
- i -= 16;
- } while (i >= 0);
- if (i <= -16) {
- break;
- }
- inbytes += 2 * i;
- outbytes += 2 * i;
- _mm256_storeu_si256((__m256i *) outbytes, save);
- }
-
- return 0;
-}
diff --git a/crypto_kem/sntrup857/avx2/crypto_core_scale3sntrup857.h b/crypto_kem/sntrup857/avx2/crypto_core_scale3sntrup857.h
deleted file mode 100644
index 21f587e3..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_core_scale3sntrup857.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_AVX2_CRYPTO_CORE_SCALE3SNTRUP857_H
-#define PQCLEAN_SNTRUP857_AVX2_CRYPTO_CORE_SCALE3SNTRUP857_H
-
-#include 
-#define PQCLEAN_SNTRUP857_AVX2_crypto_core_scale3sntrup857_OUTPUTBYTES 1714
-#define PQCLEAN_SNTRUP857_AVX2_crypto_core_scale3sntrup857_INPUTBYTES 1714
-#define PQCLEAN_SNTRUP857_AVX2_crypto_core_scale3sntrup857_KEYBYTES 0
-#define PQCLEAN_SNTRUP857_AVX2_crypto_core_scale3sntrup857_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP857_AVX2_crypto_core_scale3sntrup857(unsigned char *outbytes, const unsigned char *inbytes);
-#endif
diff --git a/crypto_kem/sntrup857/avx2/crypto_core_weightsntrup857.c b/crypto_kem/sntrup857/avx2/crypto_core_weightsntrup857.c
deleted file mode 100644
index c8a37134..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_core_weightsntrup857.c
+++ /dev/null
@@ -1,45 +0,0 @@
-#include "crypto_core_weightsntrup857.h"
-#include "crypto_encode_int16.h"
-#include "params.h"
-#include 
-
-#define int8 int8_t
-#define int16 int16_t
-
-
-/* out = little-endian weight of bottom bits of in */
-int PQCLEAN_SNTRUP857_AVX2_crypto_core_weightsntrup857(unsigned char *outbytes, const unsigned char *inbytes) {
- int8 *in = (void *) inbytes;
- int i;
- __m256i sum, sumhi;
- int16 weight;
-
- sum = _mm256_loadu_si256((__m256i *) (in + p - 32));
- sum &= _mm256_set_epi8(1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0);
-
- for (i = p - 32; i >= 0; i -= 32) {
- __m256i bits = _mm256_loadu_si256((__m256i *) in);
- bits &= _mm256_set1_epi8(1);
- sum = _mm256_add_epi8(sum, bits);
- in += 32;
- }
-
- /* sum is 32xint8; want to add these int8 */
- sumhi = _mm256_srli_epi16(sum, 8);
- sum &= _mm256_set1_epi16(0xff);
- sum = _mm256_add_epi16(sum, sumhi);
-
- /* sum is 16xint16; want to add these int16 */
- sum = _mm256_hadd_epi16(sum, sum);
- /* want sum[0]+sum[1]+sum[2]+sum[3]+sum[8]+sum[9]+sum[10]+sum[11] */
- sum = _mm256_hadd_epi16(sum, sum);
- /* want sum[0]+sum[1]+sum[8]+sum[9] */
- sum = _mm256_hadd_epi16(sum, sum);
- /* want sum[0]+sum[8] */
-
- weight = (int16) _mm256_extract_epi16(sum, 0);
- weight += (int16) _mm256_extract_epi16(sum, 8);
-
- PQCLEAN_SNTRUP857_AVX2_crypto_encode_int16(outbytes, &weight);
- return 0;
-}
diff --git a/crypto_kem/sntrup857/avx2/crypto_core_weightsntrup857.h b/crypto_kem/sntrup857/avx2/crypto_core_weightsntrup857.h
deleted file mode 100644
index 1d5b2226..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_core_weightsntrup857.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_AVX2_CRYPTO_CORE_WEIGHTSNTRUP857_H
-#define PQCLEAN_SNTRUP857_AVX2_CRYPTO_CORE_WEIGHTSNTRUP857_H
-
-#include 
-#define PQCLEAN_SNTRUP857_AVX2_crypto_core_weightsntrup857_OUTPUTBYTES 2
-#define PQCLEAN_SNTRUP857_AVX2_crypto_core_weightsntrup857_INPUTBYTES 857
-#define PQCLEAN_SNTRUP857_AVX2_crypto_core_weightsntrup857_KEYBYTES 0
-#define PQCLEAN_SNTRUP857_AVX2_crypto_core_weightsntrup857_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP857_AVX2_crypto_core_weightsntrup857(unsigned char *outbytes, const unsigned char *inbytes);
-#endif
diff --git a/crypto_kem/sntrup857/avx2/crypto_core_wforcesntrup857.c b/crypto_kem/sntrup857/avx2/crypto_core_wforcesntrup857.c
deleted file mode 100644
index 61264db3..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_core_wforcesntrup857.c
+++ /dev/null
@@ -1,61 +0,0 @@
-#include "crypto_core_wforcesntrup857.h"
-#include "crypto_decode_int16.h"
-#include "params.h"
-#include 
-
-#define int16 int16_t
-
-
-/* out = in if bottom bits of in have weight w */
-/* otherwise out = (1,1,...,1,0,0,...,0) */
-int PQCLEAN_SNTRUP857_AVX2_crypto_core_wforcesntrup857(unsigned char *out, const unsigned char *in) {
- int16 weight;
- int16 mask;
- __m256i maskvec;
- int i;
-
- crypto_core_weight((unsigned char *) &weight, in);
- PQCLEAN_SNTRUP857_AVX2_crypto_decode_int16(&weight, (unsigned char *) &weight);
-
- mask = (int16) ((weight - w) | (w - weight));
- mask >>= 15;
- maskvec = _mm256_set1_epi16((short) ~mask);
-
- i = w - 32;
- for (;;) {
- do {
- __m256i x = _mm256_loadu_si256((__m256i *) in);
- x ^= _mm256_set1_epi8(1);
- x &= maskvec;
- x ^= _mm256_set1_epi8(1);
- _mm256_storeu_si256((__m256i *) out, x);
- in += 32;
- out += 32;
- i -= 32;
- } while (i >= 0);
- if (i <= -32) {
- break;
- }
- in += i;
- out += i;
- }
-
- i = p - w - 32;
- for (;;) {
- do {
- __m256i x = _mm256_loadu_si256((__m256i *) in);
- x &= maskvec;
- _mm256_storeu_si256((__m256i *) out, x);
- in += 32;
- out += 32;
- i -= 32;
- } while (i >= 0);
- if (i <= -32) {
- break;
- }
- in += i;
- out += i;
- }
-
- return 0;
-}
diff --git a/crypto_kem/sntrup857/avx2/crypto_core_wforcesntrup857.h b/crypto_kem/sntrup857/avx2/crypto_core_wforcesntrup857.h
deleted file mode 100644
index d1155a07..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_core_wforcesntrup857.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_AVX2_CRYPTO_CORE_WFORCESNTRUP857_H
-#define PQCLEAN_SNTRUP857_AVX2_CRYPTO_CORE_WFORCESNTRUP857_H
-
-#include 
-#define PQCLEAN_SNTRUP857_AVX2_crypto_core_wforcesntrup857_OUTPUTBYTES 857
-#define PQCLEAN_SNTRUP857_AVX2_crypto_core_wforcesntrup857_INPUTBYTES 857
-#define PQCLEAN_SNTRUP857_AVX2_crypto_core_wforcesntrup857_KEYBYTES 0
-#define PQCLEAN_SNTRUP857_AVX2_crypto_core_wforcesntrup857_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP857_AVX2_crypto_core_wforcesntrup857(unsigned char *out, const unsigned char *in);
-#endif
diff --git a/crypto_kem/sntrup857/avx2/crypto_decode_857x1723.c b/crypto_kem/sntrup857/avx2/crypto_decode_857x1723.c
deleted file mode 100644
index a0febc10..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_decode_857x1723.c
+++ /dev/null
@@ -1,426 +0,0 @@ -#include "crypto_decode_857x1723.h" -#include -/* auto-generated; do not edit */ - -#define int16 int16_t -#define int32 int32_t - -static inline int16 mullo(int16 x, int16 y) { - return x * y; -} - -static inline int16 mulhi(int16 x, int16 y) { - return (int16) ((x * (int32)y) >> 16); -} - -static inline __m256i add(__m256i x, __m256i y) { - return _mm256_add_epi16(x, y); -} - -static inline __m256i sub(__m256i x, __m256i y) { - return _mm256_sub_epi16(x, y); -} - -static inline __m256i shiftleftconst(__m256i x, int16 y) { - return _mm256_slli_epi16(x, y); -} - -static inline __m256i signedshiftrightconst(__m256i x, int16 y) { - return _mm256_srai_epi16(x, y); -} - -static inline __m256i subconst(__m256i x, int16 y) { - return sub(x, _mm256_set1_epi16(y)); -} - -static inline __m256i mulloconst(__m256i x, int16 y) { - return _mm256_mullo_epi16(x, _mm256_set1_epi16(y)); -} - -static inline __m256i mulhiconst(__m256i x, int16 y) { - return _mm256_mulhi_epi16(x, _mm256_set1_epi16(y)); -} - -static inline __m256i ifgesubconst(__m256i x, int16 y) { - __m256i y16 = _mm256_set1_epi16(y); - __m256i top16 = _mm256_set1_epi16((int16)(y - 1)); - return sub(x, _mm256_cmpgt_epi16(x, top16) & y16); -} - -static inline __m256i ifnegaddconst(__m256i x, int16 y) { - return add(x, signedshiftrightconst(x, 15) & _mm256_set1_epi16(y)); -} - -void PQCLEAN_SNTRUP857_AVX2_crypto_decode_857x1723(void *v, const unsigned char *s) { - int16 *R0 = v; - int16 R1[429], R2[215], R3[108], R4[54], R5[27], R6[14], R7[7], R8[4], R9[2], R10[1]; - long long i; - int16 a0, a1, a2; - __m256i A0, A1, A2, S0, S1, B0, B1, C0, C1; - - s += PQCLEAN_SNTRUP857_AVX2_crypto_decode_857x1723_STRBYTES; - a1 = 0; - a1 += *--s; /* 0...255 */ - a1 -= 160; /* -160...95 */ - a1 += (a1 >> 15) & 160; /* 0...159 */ - R10[0] = a1; - - /* R10 ------> R9: reconstruct mod 1*[743]+[14044] */ - - i = 0; - s -= 2; - a0 = R10[0]; - a0 = mulhi(a0, 276) - mulhi(mullo(a0, -22580), 743); /* -372...440 */ - a0 += 
s[2 * i + 1]; /* -372...695 */ - a0 = mulhi(a0, 276) - mulhi(mullo(a0, -22580), 743); /* -374...374 */ - a0 += s[2 * i + 0]; /* -374...629 */ - a0 += (a0 >> 15) & 743; /* 0...742 */ - a1 = (int16) ((s[2 * i + 1] << 8) + s[2 * i] - a0); - a1 = mullo(a1, -3881); - - /* invalid inputs might need reduction mod 14044 */ - a1 -= 14044; - a1 += (a1 >> 15) & 14044; - - R9[0] = a0; - R9[1] = a1; - s -= 0; - - /* R9 ------> R8: reconstruct mod 3*[436]+[8246] */ - - i = 0; - s -= 1; - a2 = a0 = R9[1]; - a0 = mulhi(a0, -64) - mulhi(mullo(a0, 27056), 436); /* -234...218 */ - a0 += s[1 * i + 0]; /* -234...473 */ - a0 -= 436; /* -670..>37 */ - a0 += (a0 >> 15) & 436; /* -234...435 */ - a0 += (a0 >> 15) & 436; /* 0...435 */ - a1 = (int16) ((a2 << 6) + ((s[i] - a0) >> 2)); - a1 = mullo(a1, 2405); - - /* invalid inputs might need reduction mod 8246 */ - a1 -= 8246; - a1 += (a1 >> 15) & 8246; - - R8[2] = a0; - R8[3] = a1; - s -= 1; - for (i = 0; i >= 0; --i) { - a2 = a0 = R9[i]; - a0 = mulhi(a0, -64) - mulhi(mullo(a0, 27056), 436); /* -234...218 */ - a0 += s[1 * i + 0]; /* -234...473 */ - a0 -= 436; /* -670..>37 */ - a0 += (a0 >> 15) & 436; /* -234...435 */ - a0 += (a0 >> 15) & 436; /* 0...435 */ - a1 = (int16) ((a2 << 6) + ((s[i] - a0) >> 2)); - a1 = mullo(a1, 2405); - - /* invalid inputs might need reduction mod 436 */ - a1 -= 436; - a1 += (a1 >> 15) & 436; - - R8[2 * i] = a0; - R8[2 * i + 1] = a1; - } - - /* R8 ------> R7: reconstruct mod 6*[334]+[8246] */ - - R7[6] = R8[3]; - s -= 3; - for (i = 2; i >= 0; --i) { - a2 = a0 = R8[i]; - a0 = mulhi(a0, 62) - mulhi(mullo(a0, 15305), 334); /* -167...182 */ - a0 += s[1 * i + 0]; /* -167...437 */ - a0 -= 334; /* -501..>103 */ - a0 += (a0 >> 15) & 334; /* -167...333 */ - a0 += (a0 >> 15) & 334; /* 0...333 */ - a1 = (int16) ((a2 << 7) + ((s[i] - a0) >> 1)); - a1 = mullo(a1, -22761); - - /* invalid inputs might need reduction mod 334 */ - a1 -= 334; - a1 += (a1 >> 15) & 334; - - R7[2 * i] = a0; - R7[2 * i + 1] = a1; - } - - /* R7 ------> R6: 
reconstruct mod 13*[292]+[7229] */ - - i = 0; - s -= 1; - a2 = a0 = R7[6]; - a0 = mulhi(a0, 64) - mulhi(mullo(a0, 8080), 292); /* -146...162 */ - a0 += s[1 * i + 0]; /* -146...417 */ - a0 -= 292; /* -438..>125 */ - a0 += (a0 >> 15) & 292; /* -146...291 */ - a0 += (a0 >> 15) & 292; /* 0...291 */ - a1 = (int16) ((a2 << 6) + ((s[i] - a0) >> 2)); - a1 = mullo(a1, -3591); - - /* invalid inputs might need reduction mod 7229 */ - a1 -= 7229; - a1 += (a1 >> 15) & 7229; - - R6[12] = a0; - R6[13] = a1; - s -= 6; - for (i = 5; i >= 0; --i) { - a2 = a0 = R7[i]; - a0 = mulhi(a0, 64) - mulhi(mullo(a0, 8080), 292); /* -146...162 */ - a0 += s[1 * i + 0]; /* -146...417 */ - a0 -= 292; /* -438..>125 */ - a0 += (a0 >> 15) & 292; /* -146...291 */ - a0 += (a0 >> 15) & 292; /* 0...291 */ - a1 = (int16) ((a2 << 6) + ((s[i] - a0) >> 2)); - a1 = mullo(a1, -3591); - - /* invalid inputs might need reduction mod 292 */ - a1 -= 292; - a1 += (a1 >> 15) & 292; - - R6[2 * i] = a0; - R6[2 * i + 1] = a1; - } - - /* R6 ------> R5: reconstruct mod 26*[273]+[7229] */ - - R5[26] = R6[13]; - s -= 13; - for (i = 12; i >= 0; --i) { - a2 = a0 = R6[i]; - a0 = mulhi(a0, 1) - mulhi(mullo(a0, 4081), 273); /* -137...136 */ - a0 += s[1 * i + 0]; /* -137...391 */ - a0 -= 273; /* -410..>118 */ - a0 += (a0 >> 15) & 273; /* -137...272 */ - a0 += (a0 >> 15) & 273; /* 0...272 */ - a1 = (int16) ((a2 << 8) + s[i] - a0); - a1 = mullo(a1, 4081); - - /* invalid inputs might need reduction mod 273 */ - a1 -= 273; - a1 += (a1 >> 15) & 273; - - R5[2 * i] = a0; - R5[2 * i + 1] = a1; - } - - /* R5 ------> R4: reconstruct mod 53*[4225]+[438] */ - - i = 0; - s -= 1; - a2 = a0 = R5[26]; - a0 = mulhi(a0, -259) - mulhi(mullo(a0, -3971), 4225); /* -2178...2112 */ - a0 += s[1 * i + 0]; /* -2178...2367 */ - a0 += (a0 >> 15) & 4225; /* 0...4224 */ - a1 = (int16) ((a2 << 8) + s[i] - a0); - a1 = mullo(a1, 12161); - - /* invalid inputs might need reduction mod 438 */ - a1 -= 438; - a1 += (a1 >> 15) & 438; - - R4[52] = a0; - R4[53] = a1; - 
s -= 52; - i = 10; - for (;;) { - A0 = _mm256_loadu_si256((__m256i *) &R5[i]); - S0 = _mm256_loadu_si256((__m256i *) (s + 2 * i)); - S1 = _mm256_srli_epi16(S0, 8); - S0 &= _mm256_set1_epi16(255); - A0 = sub(mulhiconst(A0, -259), mulhiconst(mulloconst(A0, -3971), 4225)); /* -2178...2112 */ - A0 = add(A0, S1); /* -2178...2367 */ - A0 = sub(mulhiconst(A0, -259), mulhiconst(mulloconst(A0, -3971), 4225)); /* -2122...2121 */ - A0 = add(A0, S0); /* -2122...2376 */ - A0 = ifnegaddconst(A0, 4225); /* 0...4224 */ - A1 = add(shiftleftconst(S1, 8), sub(S0, A0)); - A1 = mulloconst(A1, 12161); - - /* invalid inputs might need reduction mod 4225 */ - A1 = ifgesubconst(A1, 4225); - - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = _mm256_permute2x128_si256(B0, B1, 0x20); - C1 = _mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: r16r17r18r19r20r21r22r23 r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R4[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R4[2 * i]), C1); - if (!i) { - break; - } - i = -16 - ((~15) & -i); - } - - /* R4 ------> R3: reconstruct mod 107*[65]+[1723] */ - - i = 0; - s -= 1; - a2 = a0 = R4[53]; - a0 = mulhi(a0, 1) - mulhi(mullo(a0, 4033), 65); /* -33...32 */ - a0 += s[1 * i + 0]; /* -33...287 */ - a0 = mulhi(a0, 16) - mulhi(mullo(a0, -1008), 65); /* -33...32 */ - a0 += (a0 >> 15) & 65; /* 0...64 */ - a1 = (int16) ((a2 << 8) + s[i] - a0); - a1 = mullo(a1, 4033); - - /* invalid inputs might need reduction mod 1723 */ - a1 -= 1723; - a1 += (a1 >> 15) & 1723; - - R3[106] = a0; - R3[107] = a1; - s -= 0; - i = 37; - for (;;) { - A2 = A0 = _mm256_loadu_si256((__m256i *) &R4[i]); - A0 = sub(mulhiconst(A0, 16), mulhiconst(mulloconst(A0, 
-1008), 65)); /* -33...36 */ - A0 = ifnegaddconst(A0, 65); /* 0...64 */ - A1 = signedshiftrightconst(sub(A2, A0), 0); - A1 = mulloconst(A1, 4033); - - /* invalid inputs might need reduction mod 65 */ - A1 = ifgesubconst(A1, 65); - - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = _mm256_permute2x128_si256(B0, B1, 0x20); - C1 = _mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: r16r17r18r19r20r21r22r23 r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R3[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R3[2 * i]), C1); - if (!i) { - break; - } - i = -16 - ((~15) & -i); - } - - /* R3 ------> R2: reconstruct mod 214*[2053]+[1723] */ - - R2[214] = R3[107]; - s -= 214; - i = 91; - for (;;) { - A0 = _mm256_loadu_si256((__m256i *) &R3[i]); - S0 = _mm256_loadu_si256((__m256i *) (s + 2 * i)); - S1 = _mm256_srli_epi16(S0, 8); - S0 &= _mm256_set1_epi16(255); - A0 = sub(mulhiconst(A0, 100), mulhiconst(mulloconst(A0, -8172), 2053)); /* -1027...1051 */ - A0 = add(A0, S1); /* -1027...1306 */ - A0 = sub(mulhiconst(A0, 100), mulhiconst(mulloconst(A0, -8172), 2053)); /* -1029...1028 */ - A0 = add(A0, S0); /* -1029...1283 */ - A0 = ifnegaddconst(A0, 2053); /* 0...2052 */ - A1 = add(shiftleftconst(S1, 8), sub(S0, A0)); - A1 = mulloconst(A1, -31539); - - /* invalid inputs might need reduction mod 2053 */ - A1 = ifgesubconst(A1, 2053); - - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = 
_mm256_permute2x128_si256(B0, B1, 0x20); - C1 = _mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: r16r17r18r19r20r21r22r23 r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R2[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R2[2 * i]), C1); - if (!i) { - break; - } - i = -16 - ((~15) & -i); - } - - /* R2 ------> R1: reconstruct mod 428*[11597]+[1723] */ - - R1[428] = R2[214]; - s -= 428; - i = 198; - for (;;) { - A0 = _mm256_loadu_si256((__m256i *) &R2[i]); - S0 = _mm256_loadu_si256((__m256i *) (s + 2 * i)); - S1 = _mm256_srli_epi16(S0, 8); - S0 &= _mm256_set1_epi16(255); - A0 = sub(mulhiconst(A0, -3643), mulhiconst(mulloconst(A0, -1447), 11597)); /* -6710...5798 */ - A0 = add(A0, S1); /* -6710...6053 */ - A0 = sub(mulhiconst(A0, -3643), mulhiconst(mulloconst(A0, -1447), 11597)); /* -6135...6171 */ - A0 = add(A0, S0); /* -6135...6426 */ - A0 = ifnegaddconst(A0, 11597); /* 0...11596 */ - A1 = add(shiftleftconst(S1, 8), sub(S0, A0)); - A1 = mulloconst(A1, -11387); - - /* invalid inputs might need reduction mod 11597 */ - A1 = ifgesubconst(A1, 11597); - - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = _mm256_permute2x128_si256(B0, B1, 0x20); - C1 = _mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: r16r17r18r19r20r21r22r23 r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R1[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R1[2 * i]), C1); - if (!i) { - break; - } - i = -16 - ((~15) & -i); - } - - /* R1 ------> R0: reconstruct mod 857*[1723] */ - - R0[856] = (int16) (3 * R1[428] - 2583); - s -= 428; - i = 412; - for (;;) { - A2 = A0 = _mm256_loadu_si256((__m256i *) 
&R1[i]); - S0 = _mm256_cvtepu8_epi16(_mm_loadu_si128((__m128i *) (s + i))); - A0 = sub(mulhiconst(A0, 365), mulhiconst(mulloconst(A0, -9737), 1723)); /* -862...952 */ - A0 = add(A0, S0); /* -862...1207 */ - A0 = ifnegaddconst(A0, 1723); /* 0...1722 */ - A1 = add(shiftleftconst(A2, 8), sub(S0, A0)); - A1 = mulloconst(A1, 20083); - - /* invalid inputs might need reduction mod 1723 */ - A1 = ifgesubconst(A1, 1723); - - A0 = mulloconst(A0, 3); - A1 = mulloconst(A1, 3); - A0 = subconst(A0, 2583); - A1 = subconst(A1, 2583); - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = _mm256_permute2x128_si256(B0, B1, 0x20); - C1 = _mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: r16r17r18r19r20r21r22r23 r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R0[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R0[2 * i]), C1); - if (!i) { - break; - } - i = -16 - ((~15) & -i); - } -} diff --git a/crypto_kem/sntrup857/avx2/crypto_decode_857x1723.h b/crypto_kem/sntrup857/avx2/crypto_decode_857x1723.h deleted file mode 100644 index 6e1391f3..00000000 --- a/crypto_kem/sntrup857/avx2/crypto_decode_857x1723.h +++ /dev/null @@ -1,10 +0,0 @@ -#ifndef PQCLEAN_SNTRUP857_AVX2_CRYPTO_DECODE_857X1723_H -#define PQCLEAN_SNTRUP857_AVX2_CRYPTO_DECODE_857X1723_H - -#include -#define PQCLEAN_SNTRUP857_AVX2_crypto_decode_857x1723_STRBYTES 1152 -#define PQCLEAN_SNTRUP857_AVX2_crypto_decode_857x1723_ITEMS 857 -#define PQCLEAN_SNTRUP857_AVX2_crypto_decode_857x1723_ITEMBYTES 2 - -void PQCLEAN_SNTRUP857_AVX2_crypto_decode_857x1723(void *v, const unsigned char *s); -#endif 
diff --git a/crypto_kem/sntrup857/avx2/crypto_decode_857x3.c b/crypto_kem/sntrup857/avx2/crypto_decode_857x3.c
deleted file mode 100644
index 681f90ad..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_decode_857x3.c
+++ /dev/null
@@ -1,65 +0,0 @@ -#include "crypto_decode_857x3.h" -#include -#define uint8 uint8_t - -#define p 857 -#define loops 7 -#define overshoot 10 - -void PQCLEAN_SNTRUP857_AVX2_crypto_decode_857x3(void *v, const unsigned char *s) { - uint8 *f = v; - int loop; - uint8 *nextf = f + 128 - 4 * overshoot; - const unsigned char *nexts = s + 32 - overshoot; - - for (loop = loops; loop > 0; --loop) { - __m256i s0 = _mm256_loadu_si256((const __m256i *) s); - s = nexts; - nexts += 32; - - __m256i s1 = _mm256_srli_epi16(s0 & _mm256_set1_epi8(-16), 4); - s0 &= _mm256_set1_epi8(15); - - __m256i a0 = _mm256_unpacklo_epi8(s0, s1); - /* 0 0>>4 1 1>>4 2 2>>4 3 3>>4 4 4>>4 5 5>>4 6 6>>4 7 7>>4 */ - /* 16 16>>4 ... */ - __m256i a1 = _mm256_unpackhi_epi8(s0, s1); - /* 8 8>>4 9 9>>4 10 10>>4 ... */ - /* 24 24>>4 ... */ - - __m256i a2 = _mm256_srli_epi16(a0 & _mm256_set1_epi8(12), 2); - __m256i a3 = _mm256_srli_epi16(a1 & _mm256_set1_epi8(12), 2); - a0 &= _mm256_set1_epi8(3); - a1 &= _mm256_set1_epi8(3); - - __m256i b0 = _mm256_unpacklo_epi8(a0, a2); - /* 0 0>>2 0>>4 0>>6 1 1>>2 1>>4 1>>6 */ - /* 2 2>>2 2>>4 2>>6 3 3>>2 3>>4 3>.6 */ - /* 16 16>>2 16>>4 16>>6 ... */ - __m256i b2 = _mm256_unpackhi_epi8(a0, a2); - /* 4 4>>2 ... */ - __m256i b1 = _mm256_unpacklo_epi8(a1, a3); - /* 8 8>>2 ... */ - __m256i b3 = _mm256_unpackhi_epi8(a1, a3); - /* 12 12>>2 ... 
*/ - - __m256i f0 = _mm256_permute2x128_si256(b0, b2, 0x20); - __m256i f2 = _mm256_permute2x128_si256(b0, b2, 0x31); - __m256i f1 = _mm256_permute2x128_si256(b1, b3, 0x20); - __m256i f3 = _mm256_permute2x128_si256(b1, b3, 0x31); - - f0 = _mm256_add_epi8(f0, _mm256_set1_epi8(-1)); - f1 = _mm256_add_epi8(f1, _mm256_set1_epi8(-1)); - f2 = _mm256_add_epi8(f2, _mm256_set1_epi8(-1)); - f3 = _mm256_add_epi8(f3, _mm256_set1_epi8(-1)); - - _mm256_storeu_si256((__m256i *) (f + 0), f0); - _mm256_storeu_si256((__m256i *) (f + 32), f1); - _mm256_storeu_si256((__m256i *) (f + 64), f2); - _mm256_storeu_si256((__m256i *) (f + 96), f3); - f = nextf; - nextf += 128; - } - - *f = (uint8) ((*s & 3) - 1); -} diff --git a/crypto_kem/sntrup857/avx2/crypto_decode_857x3.h b/crypto_kem/sntrup857/avx2/crypto_decode_857x3.h deleted file mode 100644 index 8bac5dd0..00000000 --- a/crypto_kem/sntrup857/avx2/crypto_decode_857x3.h +++ /dev/null @@ -1,10 +0,0 @@ -#ifndef PQCLEAN_SNTRUP857_AVX2_CRYPTO_DECODE_857X3_H -#define PQCLEAN_SNTRUP857_AVX2_CRYPTO_DECODE_857X3_H - -#include -#define PQCLEAN_SNTRUP857_AVX2_crypto_decode_857x3_STRBYTES 215 -#define PQCLEAN_SNTRUP857_AVX2_crypto_decode_857x3_ITEMS 857 -#define PQCLEAN_SNTRUP857_AVX2_crypto_decode_857x3_ITEMBYTES 1 - -void PQCLEAN_SNTRUP857_AVX2_crypto_decode_857x3(void *v, const unsigned char *s); -#endif diff --git a/crypto_kem/sntrup857/avx2/crypto_decode_857x5167.c b/crypto_kem/sntrup857/avx2/crypto_decode_857x5167.c deleted file mode 100644 index 15699a8b..00000000 --- a/crypto_kem/sntrup857/avx2/crypto_decode_857x5167.c +++ /dev/null 
@@ -1,420 +0,0 @@ -#include "crypto_decode_857x5167.h" -#include -/* auto-generated; do not edit */ - -#define int16 int16_t -#define int32 int32_t - -static inline int16 mullo(int16 x, int16 y) { - return x * y; -} - -static inline int16 mulhi(int16 x, int16 y) { - return (int16) ((x * (int32)y) >> 16); -} - -static inline __m256i add(__m256i x, __m256i y) { - return _mm256_add_epi16(x, y); -} - -static inline __m256i sub(__m256i x, __m256i y) { - return _mm256_sub_epi16(x, y); -} - -static inline __m256i shiftleftconst(__m256i x, int16 y) { - return _mm256_slli_epi16(x, y); -} - -static inline __m256i signedshiftrightconst(__m256i x, int16 y) { - return _mm256_srai_epi16(x, y); -} - -static inline __m256i subconst(__m256i x, int16 y) { - return sub(x, _mm256_set1_epi16(y)); -} - -static inline __m256i mulloconst(__m256i x, int16 y) { - return _mm256_mullo_epi16(x, _mm256_set1_epi16(y)); -} - -static inline __m256i mulhiconst(__m256i x, int16 y) { - return _mm256_mulhi_epi16(x, _mm256_set1_epi16(y)); -} - -static inline __m256i ifgesubconst(__m256i x, int16 y) { - __m256i y16 = _mm256_set1_epi16(y); - __m256i top16 = _mm256_set1_epi16((int16)(y - 1)); - return sub(x, _mm256_cmpgt_epi16(x, top16) & y16); -} - -static inline __m256i ifnegaddconst(__m256i x, int16 y) { - return add(x, signedshiftrightconst(x, 15) & _mm256_set1_epi16(y)); -} - -void PQCLEAN_SNTRUP857_AVX2_crypto_decode_857x5167(void *v, const unsigned char *s) { - int16 *R0 = v; - int16 R1[429], R2[215], R3[108], R4[54], R5[27], R6[14], R7[7], R8[4], R9[2], R10[1]; - long long i; - int16 a0, a1, a2; - __m256i A0, A1, A2, S0, S1, B0, B1, C0, C1; - - s += PQCLEAN_SNTRUP857_AVX2_crypto_decode_857x5167_STRBYTES; - a1 = 0; - a1 += *--s; /* 0...255 */ - a1 = mulhi(a1, 841) - mulhi(mullo(a1, -2695), 6225); - a1 += *--s; /* -3113...3370 */ - a1 += (a1 >> 15) & 6225; /* 0...6224 */ - R10[0] = a1; - - /* R10 ------> R9: reconstruct mod 1*[5476]+[291] */ - - i = 0; - s -= 1; - a2 = a0 = R10[0]; - a0 = mulhi(a0, 
-1248) - mulhi(mullo(a0, -3064), 5476); /* -3050...2738 */ - a0 += s[1 * i + 0]; /* -3050...2993 */ - a0 += (a0 >> 15) & 5476; /* 0...5475 */ - a1 = (int16) ((a2 << 6) + ((s[i] - a0) >> 2)); - a1 = mullo(a1, -3351); - - /* invalid inputs might need reduction mod 291 */ - a1 -= 291; - a1 += (a1 >> 15) & 291; - - R9[0] = a0; - R9[1] = a1; - s -= 0; - - /* R9 ------> R8: reconstruct mod 3*[74]+[1004] */ - - i = 0; - s -= 1; - a2 = a0 = R9[1]; - a0 = mulhi(a0, 10) - mulhi(mullo(a0, -30111), 74); /* -37...39 */ - a0 += s[1 * i + 0]; /* -37...294 */ - a0 = mulhi(a0, -28) - mulhi(mullo(a0, -886), 74); /* -38...37 */ - a0 += (a0 >> 15) & 74; /* 0...73 */ - a1 = (int16) ((a2 << 7) + ((s[i] - a0) >> 1)); - a1 = mullo(a1, 7085); - - /* invalid inputs might need reduction mod 1004 */ - a1 -= 1004; - a1 += (a1 >> 15) & 1004; - - R8[2] = a0; - R8[3] = a1; - s -= 0; - for (i = 0; i >= 0; --i) { - a2 = a0 = R9[i]; - a0 = mulhi(a0, -28) - mulhi(mullo(a0, -886), 74); /* -44...37 */ - a0 += (a0 >> 15) & 74; /* 0...73 */ - a1 = (int16) ((a2 - a0) >> 1); - a1 = mullo(a1, 7085); - - /* invalid inputs might need reduction mod 74 */ - a1 -= 74; - a1 += (a1 >> 15) & 74; - - R8[2 * i] = a0; - R8[2 * i + 1] = a1; - } - - /* R8 ------> R7: reconstruct mod 6*[2194]+[1004] */ - - R7[6] = R8[3]; - s -= 6; - for (i = 2; i >= 0; --i) { - a2 = a0 = R8[i]; - a0 = mulhi(a0, -302) - mulhi(mullo(a0, -7647), 2194); /* -1173...1097 */ - a0 += s[2 * i + 1]; /* -1173...1352 */ - a0 = mulhi(a0, -302) - mulhi(mullo(a0, -7647), 2194); /* -1104...1102 */ - a0 += s[2 * i + 0]; /* -1104...1357 */ - a0 += (a0 >> 15) & 2194; /* 0...2193 */ - a1 = (int16) ((a2 << 15) + (s[2 * i + 1] << 7) + ((s[2 * i] - a0) >> 1)); - a1 = mullo(a1, 11769); - - /* invalid inputs might need reduction mod 2194 */ - a1 -= 2194; - a1 += (a1 >> 15) & 2194; - - R7[2 * i] = a0; - R7[2 * i + 1] = a1; - } - - /* R7 ------> R6: reconstruct mod 13*[11991]+[5483] */ - - i = 0; - s -= 2; - a0 = R7[6]; - a0 = mulhi(a0, 1807) - mulhi(mullo(a0, 
-1399), 11991); /* -5996...6447 */ - a0 += s[2 * i + 1]; /* -5996...6702 */ - a0 = mulhi(a0, 1807) - mulhi(mullo(a0, -1399), 11991); /* -6161...6180 */ - a0 += s[2 * i + 0]; /* -6161...6435 */ - a0 += (a0 >> 15) & 11991; /* 0...11990 */ - a1 = (int16) ((s[2 * i + 1] << 8) + s[2 * i] - a0); - a1 = mullo(a1, -23321); - - /* invalid inputs might need reduction mod 5483 */ - a1 -= 5483; - a1 += (a1 >> 15) & 5483; - - R6[12] = a0; - R6[13] = a1; - s -= 12; - for (i = 5; i >= 0; --i) { - a0 = R7[i]; - a0 = mulhi(a0, 1807) - mulhi(mullo(a0, -1399), 11991); /* -5996...6447 */ - a0 += s[2 * i + 1]; /* -5996...6702 */ - a0 = mulhi(a0, 1807) - mulhi(mullo(a0, -1399), 11991); /* -6161...6180 */ - a0 += s[2 * i + 0]; /* -6161...6435 */ - a0 += (a0 >> 15) & 11991; /* 0...11990 */ - a1 = (int16) ((s[2 * i + 1] << 8) + s[2 * i] - a0); - a1 = mullo(a1, -23321); - - /* invalid inputs might need reduction mod 11991 */ - a1 -= 11991; - a1 += (a1 >> 15) & 11991; - - R6[2 * i] = a0; - R6[2 * i + 1] = a1; - } - - /* R6 ------> R5: reconstruct mod 26*[1752]+[5483] */ - - R5[26] = R6[13]; - s -= 13; - for (i = 12; i >= 0; --i) { - a2 = a0 = R6[i]; - a0 = mulhi(a0, 64) - mulhi(mullo(a0, -9576), 1752); /* -876...892 */ - a0 += s[1 * i + 0]; /* -876...1147 */ - a0 += (a0 >> 15) & 1752; /* 0...1751 */ - a1 = (int16) ((a2 << 5) + ((s[i] - a0) >> 3)); - a1 = mullo(a1, -1197); - - /* invalid inputs might need reduction mod 1752 */ - a1 -= 1752; - a1 += (a1 >> 15) & 1752; - - R5[2 * i] = a0; - R5[2 * i + 1] = a1; - } - - /* R5 ------> R4: reconstruct mod 53*[10713]+[131] */ - - i = 0; - s -= 1; - a2 = a0 = R5[26]; - a0 = mulhi(a0, 658) - mulhi(mullo(a0, -1566), 10713); /* -5357...5521 */ - a0 += s[1 * i + 0]; /* -5357...5776 */ - a0 += (a0 >> 15) & 10713; /* 0...10712 */ - a1 = (int16) ((a2 << 8) + s[i] - a0); - a1 = mullo(a1, -14743); - - /* invalid inputs might need reduction mod 131 */ - a1 -= 131; - a1 += (a1 >> 15) & 131; - - R4[52] = a0; - R4[53] = a1; - s -= 52; - i = 10; - for (;;) { - A0 
= _mm256_loadu_si256((__m256i *) &R5[i]); - S0 = _mm256_loadu_si256((__m256i *) (s + 2 * i)); - S1 = _mm256_srli_epi16(S0, 8); - S0 &= _mm256_set1_epi16(255); - A0 = sub(mulhiconst(A0, 658), mulhiconst(mulloconst(A0, -1566), 10713)); /* -5357...5521 */ - A0 = add(A0, S1); /* -5357...5776 */ - A0 = sub(mulhiconst(A0, 658), mulhiconst(mulloconst(A0, -1566), 10713)); /* -5411...5414 */ - A0 = add(A0, S0); /* -5411...5669 */ - A0 = ifnegaddconst(A0, 10713); /* 0...10712 */ - A1 = add(shiftleftconst(S1, 8), sub(S0, A0)); - A1 = mulloconst(A1, -14743); - - /* invalid inputs might need reduction mod 10713 */ - A1 = ifgesubconst(A1, 10713); - - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = _mm256_permute2x128_si256(B0, B1, 0x20); - C1 = _mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: r16r17r18r19r20r21r22r23 r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R4[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R4[2 * i]), C1); - if (!i) { - break; - } - i = -16 - ((~15) & -i); - } - - /* R4 ------> R3: reconstruct mod 107*[1656]+[5167] */ - - i = 0; - s -= 2; - a2 = a0 = R4[53]; - a0 = mulhi(a0, 280) - mulhi(mullo(a0, -10131), 1656); /* -828...898 */ - a0 += s[2 * i + 1]; /* -828...1153 */ - a0 = mulhi(a0, 280) - mulhi(mullo(a0, -10131), 1656); /* -832...832 */ - a0 += s[2 * i + 0]; /* -832...1087 */ - a0 += (a0 >> 15) & 1656; /* 0...1655 */ - a1 = (int16) ((a2 << 13) + (s[2 * i + 1] << 5) + ((s[2 * i] - a0) >> 3)); - a1 = mullo(a1, 1583); - - /* invalid inputs might need reduction mod 5167 */ - a1 -= 5167; - a1 += (a1 >> 15) & 5167; - - R3[106] = a0; - R3[107] = a1; - s -= 53; - i = 37; - for (;;) { - A2 = A0 = _mm256_loadu_si256((__m256i *) 
&R4[i]); - S0 = _mm256_cvtepu8_epi16(_mm_loadu_si128((__m128i *) (s + i))); - A0 = sub(mulhiconst(A0, 280), mulhiconst(mulloconst(A0, -10131), 1656)); /* -828...898 */ - A0 = add(A0, S0); /* -828...1153 */ - A0 = ifnegaddconst(A0, 1656); /* 0...1655 */ - A1 = add(shiftleftconst(A2, 5), signedshiftrightconst(sub(S0, A0), 3)); - A1 = mulloconst(A1, 1583); - - /* invalid inputs might need reduction mod 1656 */ - A1 = ifgesubconst(A1, 1656); - - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = _mm256_permute2x128_si256(B0, B1, 0x20); - C1 = _mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: r16r17r18r19r20r21r22r23 r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R3[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R3[2 * i]), C1); - if (!i) { - break; - } - i = -16 - ((~15) & -i); - } - - /* R3 ------> R2: reconstruct mod 214*[651]+[5167] */ - - R2[214] = R3[107]; - s -= 107; - i = 91; - for (;;) { - A2 = A0 = _mm256_loadu_si256((__m256i *) &R3[i]); - S0 = _mm256_cvtepu8_epi16(_mm_loadu_si128((__m128i *) (s + i))); - A0 = sub(mulhiconst(A0, 295), mulhiconst(mulloconst(A0, -25771), 651)); /* -326...399 */ - A0 = add(A0, S0); /* -326...654 */ - A0 = subconst(A0, 651); /* -977...3 */ - A0 = ifnegaddconst(A0, 651); /* -326...650 */ - A0 = ifnegaddconst(A0, 651); /* 0...650 */ - A1 = add(shiftleftconst(A2, 8), sub(S0, A0)); - A1 = mulloconst(A1, -10973); - - /* invalid inputs might need reduction mod 651 */ - A1 = ifgesubconst(A1, 651); - - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: 
r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = _mm256_permute2x128_si256(B0, B1, 0x20); - C1 = _mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: r16r17r18r19r20r21r22r23 r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R2[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R2[2 * i]), C1); - if (!i) { - break; - } - i = -16 - ((~15) & -i); - } - - /* R2 ------> R1: reconstruct mod 428*[408]+[5167] */ - - R1[428] = R2[214]; - s -= 214; - i = 198; - for (;;) { - A2 = A0 = _mm256_loadu_si256((__m256i *) &R2[i]); - S0 = _mm256_cvtepu8_epi16(_mm_loadu_si128((__m128i *) (s + i))); - A0 = sub(mulhiconst(A0, -152), mulhiconst(mulloconst(A0, 24415), 408)); /* -242...204 */ - A0 = add(A0, S0); /* -242...459 */ - A0 = subconst(A0, 408); /* -650...51 */ - A0 = ifnegaddconst(A0, 408); /* -242...407 */ - A0 = ifnegaddconst(A0, 408); /* 0...407 */ - A1 = add(shiftleftconst(A2, 5), signedshiftrightconst(sub(S0, A0), 3)); - A1 = mulloconst(A1, -1285); - - /* invalid inputs might need reduction mod 408 */ - A1 = ifgesubconst(A1, 408); - - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = _mm256_permute2x128_si256(B0, B1, 0x20); - C1 = _mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: r16r17r18r19r20r21r22r23 r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R1[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R1[2 * i]), C1); - if (!i) { - break; - } - i = -16 - ((~15) & -i); - } - - /* R1 ------> R0: reconstruct mod 857*[5167] */ - - R0[856] = R1[428] - 2583; - s -= 856; - i = 412; - for (;;) { - A0 = 
_mm256_loadu_si256((__m256i *) &R1[i]); - S0 = _mm256_loadu_si256((__m256i *) (s + 2 * i)); - S1 = _mm256_srli_epi16(S0, 8); - S0 &= _mm256_set1_epi16(255); - A0 = sub(mulhiconst(A0, -33), mulhiconst(mulloconst(A0, -3247), 5167)); /* -2592...2583 */ - A0 = add(A0, S1); /* -2592...2838 */ - A0 = sub(mulhiconst(A0, -33), mulhiconst(mulloconst(A0, -3247), 5167)); /* -2585...2584 */ - A0 = add(A0, S0); /* -2585...2839 */ - A0 = ifnegaddconst(A0, 5167); /* 0...5166 */ - A1 = add(shiftleftconst(S1, 8), sub(S0, A0)); - A1 = mulloconst(A1, -19761); - - /* invalid inputs might need reduction mod 5167 */ - A1 = ifgesubconst(A1, 5167); - - A0 = subconst(A0, 2583); - A1 = subconst(A1, 2583); - /* A0: r0r2r4r6r8r10r12r14 r16r18r20r22r24r26r28r30 */ - /* A1: r1r3r5r7r9r11r13r15 r17r19r21r23r25r27r29r31 */ - B0 = _mm256_unpacklo_epi16(A0, A1); - B1 = _mm256_unpackhi_epi16(A0, A1); - /* B0: r0r1r2r3r4r5r6r7 r16r17r18r19r20r21r22r23 */ - /* B1: r8r9r10r11r12r13r14r15 r24r25r26r27r28r29r30r31 */ - C0 = _mm256_permute2x128_si256(B0, B1, 0x20); - C1 = _mm256_permute2x128_si256(B0, B1, 0x31); - /* C0: r0r1r2r3r4r5r6r7 r8r9r10r11r12r13r14r15 */ - /* C1: r16r17r18r19r20r21r22r23 r24r25r26r27r28r29r30r31 */ - _mm256_storeu_si256((__m256i *) (&R0[2 * i]), C0); - _mm256_storeu_si256((__m256i *) (16 + &R0[2 * i]), C1); - if (!i) { - break; - } - i = -16 - ((~15) & -i); - } -} diff --git a/crypto_kem/sntrup857/avx2/crypto_decode_857x5167.h b/crypto_kem/sntrup857/avx2/crypto_decode_857x5167.h deleted file mode 100644 index fbd13dbf..00000000 --- a/crypto_kem/sntrup857/avx2/crypto_decode_857x5167.h +++ /dev/null 
@@ -1,10 +0,0 @@ -#ifndef PQCLEAN_SNTRUP857_AVX2_CRYPTO_DECODE_857X5167_H -#define PQCLEAN_SNTRUP857_AVX2_CRYPTO_DECODE_857X5167_H - -#include -#define PQCLEAN_SNTRUP857_AVX2_crypto_decode_857x5167_STRBYTES 1322 -#define PQCLEAN_SNTRUP857_AVX2_crypto_decode_857x5167_ITEMS 857 -#define PQCLEAN_SNTRUP857_AVX2_crypto_decode_857x5167_ITEMBYTES 2 - -void PQCLEAN_SNTRUP857_AVX2_crypto_decode_857x5167(void *v, const unsigned char *s); -#endif diff --git a/crypto_kem/sntrup857/avx2/crypto_decode_857xint16.c b/crypto_kem/sntrup857/avx2/crypto_decode_857xint16.c deleted file mode 100644 index 8fc25e62..00000000 --- a/crypto_kem/sntrup857/avx2/crypto_decode_857xint16.c +++ /dev/null @@ -1,15 +0,0 @@ -#include "crypto_decode_857xint16.h" - - -void PQCLEAN_SNTRUP857_AVX2_crypto_decode_857xint16(void *v, const unsigned char *s) { - uint16_t *x = v; - int i; - - for (i = 0; i < 857; ++i) { - uint16_t u0 = s[0]; - uint16_t u1 = s[1]; - *x = (uint16_t) (u0 | (u1 << 8)); - x += 1; - s += 2; - } -} diff --git a/crypto_kem/sntrup857/avx2/crypto_decode_857xint16.h b/crypto_kem/sntrup857/avx2/crypto_decode_857xint16.h deleted file mode 100644 index 2c626a2c..00000000 --- a/crypto_kem/sntrup857/avx2/crypto_decode_857xint16.h +++ /dev/null @@ -1,10 +0,0 @@ -#ifndef PQCLEAN_SNTRUP857_AVX2_CRYPTO_DECODE_857XINT16_H -#define PQCLEAN_SNTRUP857_AVX2_CRYPTO_DECODE_857XINT16_H - -#include -#define PQCLEAN_SNTRUP857_AVX2_crypto_decode_857xint16_STRBYTES 1714 -#define PQCLEAN_SNTRUP857_AVX2_crypto_decode_857xint16_ITEMBYTES 2 -#define PQCLEAN_SNTRUP857_AVX2_crypto_decode_857xint16_ITEMS 857 - -void PQCLEAN_SNTRUP857_AVX2_crypto_decode_857xint16(void *v, const unsigned char *s); -#endif diff --git a/crypto_kem/sntrup857/avx2/crypto_decode_857xint32.c b/crypto_kem/sntrup857/avx2/crypto_decode_857xint32.c deleted file mode 100644 index cfd87ef9..00000000 --- a/crypto_kem/sntrup857/avx2/crypto_decode_857xint32.c +++ /dev/null 
@@ -1,20 +0,0 @@ -#include "crypto_decode_857xint32.h" - - -void PQCLEAN_SNTRUP857_AVX2_crypto_decode_857xint32(void *v, const unsigned char *s) { - uint32_t *x = v; - int i; - - for (i = 0; i < 857; ++i) { - uint32_t u0 = s[0]; - uint32_t u1 = s[1]; - uint32_t u2 = s[2]; - uint32_t u3 = s[3]; - u1 <<= 8; - u2 <<= 16; - u3 <<= 24; - *x = u0 | u1 | u2 | u3; - x += 1; - s += 4; - } -} diff --git a/crypto_kem/sntrup857/avx2/crypto_decode_857xint32.h b/crypto_kem/sntrup857/avx2/crypto_decode_857xint32.h deleted file mode 100644 index 23ca858e..00000000 --- a/crypto_kem/sntrup857/avx2/crypto_decode_857xint32.h +++ /dev/null @@ -1,10 +0,0 @@ -#ifndef PQCLEAN_SNTRUP857_AVX2_CRYPTO_DECODE_857XINT32_H -#define PQCLEAN_SNTRUP857_AVX2_CRYPTO_DECODE_857XINT32_H - -#include -#define PQCLEAN_SNTRUP857_AVX2_crypto_decode_857xint32_STRBYTES 3428 -#define PQCLEAN_SNTRUP857_AVX2_crypto_decode_857xint32_ITEMBYTES 4 -#define PQCLEAN_SNTRUP857_AVX2_crypto_decode_857xint32_ITEMS 857 - -void PQCLEAN_SNTRUP857_AVX2_crypto_decode_857xint32(void *v, const unsigned char *s); -#endif diff --git a/crypto_kem/sntrup857/avx2/crypto_decode_int16.c b/crypto_kem/sntrup857/avx2/crypto_decode_int16.c deleted file mode 100644 index d92e2bf3..00000000 --- a/crypto_kem/sntrup857/avx2/crypto_decode_int16.c +++ /dev/null @@ -1,9 +0,0 @@ -#include "crypto_decode_int16.h" - - -void PQCLEAN_SNTRUP857_AVX2_crypto_decode_int16(void *x, const unsigned char *s) { - uint16_t u0 = s[0]; - uint16_t u1 = s[1]; - u1 = (uint16_t) (u1 << 8); - *(uint16_t *) x = u0 | u1; -} diff --git a/crypto_kem/sntrup857/avx2/crypto_decode_int16.h b/crypto_kem/sntrup857/avx2/crypto_decode_int16.h deleted file mode 100644 index fcaa1f3f..00000000 --- a/crypto_kem/sntrup857/avx2/crypto_decode_int16.h +++ /dev/null 
@@ -1,9 +0,0 @@ -#ifndef PQCLEAN_SNTRUP857_AVX2_CRYPTO_DECODE_INT16_H -#define PQCLEAN_SNTRUP857_AVX2_CRYPTO_DECODE_INT16_H - -#include -#define PQCLEAN_SNTRUP857_AVX2_crypto_core_multsntrup857_STRBYTES 2 -#define PQCLEAN_SNTRUP857_AVX2_crypto_core_multsntrup857_ITEMBYTES 2 -#define PQCLEAN_SNTRUP857_AVX2_crypto_core_multsntrup857_ITEMS 1 -void PQCLEAN_SNTRUP857_AVX2_crypto_decode_int16(void *x, const unsigned char *s); -#endif diff --git a/crypto_kem/sntrup857/avx2/crypto_encode_857x1723.c b/crypto_kem/sntrup857/avx2/crypto_encode_857x1723.c deleted file mode 100644 index cb14f97e..00000000 --- a/crypto_kem/sntrup857/avx2/crypto_encode_857x1723.c +++ /dev/null 
@@ -1,283 +0,0 @@ -#include "crypto_encode_857x1723.h" -#include -/* auto-generated; do not edit */ - -#define int16 int16_t -#define uint16 uint16_t -#define uint32 uint32_t - -void PQCLEAN_SNTRUP857_AVX2_crypto_encode_857x1723(unsigned char *out, const void *v) { - const int16 *R0 = v; - /* XXX: caller could overlap R with input */ - uint16 R[429]; - long i; - const uint16 *reading; - uint16 *writing; - uint16 r0, r1; - uint32 r2; - uint32 s0; - - reading = (uint16 *) R0; - writing = R; - i = 54; - while (i > 0) { - __m256i x, y; - --i; - if (!i) { - reading -= 8; - writing -= 4; - out -= 4; - } - x = _mm256_loadu_si256((__m256i *) reading); - x = _mm256_add_epi16(x, _mm256_set1_epi16(2583)); - x &= _mm256_set1_epi16(16383); - x = _mm256_mulhi_epi16(x, _mm256_set1_epi16(21846)); - y = x & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(1723)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, _mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) _mm256_extract_epi32(x, 6); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - reading += 16; - writing += 8; - } - R[428] = (uint16) ((((R0[856] + 2583) & 16383) * 10923) >> 15); - - reading = (uint16 *) R; - writing = R; - i = 14; - while (i > 0) { - __m256i x, x2, y, y2; - --i; - if (!i) { - reading -= 20; - writing -= 10; - out -= 20; - } - x = _mm256_loadu_si256((__m256i *) (reading + 0)); - x2 = _mm256_loadu_si256((__m256i *) (reading + 
16)); - y = x & _mm256_set1_epi32(65535); - y2 = x2 & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x2 = _mm256_srli_epi32(x2, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(11597)); - x2 = _mm256_mullo_epi32(x2, _mm256_set1_epi32(11597)); - x = _mm256_add_epi32(y, x); - x2 = _mm256_add_epi32(y2, x2); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x2 = _mm256_shuffle_epi8(x2, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - x2 = _mm256_permute4x64_epi64(x2, 0xd8); - _mm256_storeu_si256((__m256i *) writing, _mm256_permute2f128_si256(x, x2, 0x31)); - _mm256_storeu_si256((__m256i *) out, _mm256_permute2f128_si256(x, x2, 0x20)); - reading += 32; - writing += 16; - out += 32; - } - R[214] = R[428]; - - reading = (uint16 *) R; - writing = R; - i = 7; - while (i > 0) { - __m256i x, x2, y, y2; - --i; - if (!i) { - reading -= 10; - writing -= 5; - out -= 10; - } - x = _mm256_loadu_si256((__m256i *) (reading + 0)); - x2 = _mm256_loadu_si256((__m256i *) (reading + 16)); - y = x & _mm256_set1_epi32(65535); - y2 = x2 & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x2 = _mm256_srli_epi32(x2, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(2053)); - x2 = _mm256_mullo_epi32(x2, _mm256_set1_epi32(2053)); - x = _mm256_add_epi32(y, x); - x2 = _mm256_add_epi32(y2, x2); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x2 = _mm256_shuffle_epi8(x2, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - x2 = _mm256_permute4x64_epi64(x2, 0xd8); - _mm256_storeu_si256((__m256i *) 
writing, _mm256_permute2f128_si256(x, x2, 0x31)); - _mm256_storeu_si256((__m256i *) out, _mm256_permute2f128_si256(x, x2, 0x20)); - reading += 32; - writing += 16; - out += 32; - } - R[107] = R[214]; - - for (i = 0; i < 53; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)65; - R[i] = (uint16) r2; - } - r0 = R[106]; - r1 = R[107]; - r2 = r0 + r1 * (uint32)65; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[53] = (uint16) r2; - - reading = (uint16 *) R; - writing = R; - i = 2; - while (i > 0) { - __m256i x, x2, y, y2; - --i; - if (!i) { - reading -= 12; - writing -= 6; - out -= 12; - } - x = _mm256_loadu_si256((__m256i *) (reading + 0)); - x2 = _mm256_loadu_si256((__m256i *) (reading + 16)); - y = x & _mm256_set1_epi32(65535); - y2 = x2 & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x2 = _mm256_srli_epi32(x2, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(4225)); - x2 = _mm256_mullo_epi32(x2, _mm256_set1_epi32(4225)); - x = _mm256_add_epi32(y, x); - x2 = _mm256_add_epi32(y2, x2); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x2 = _mm256_shuffle_epi8(x2, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - x2 = _mm256_permute4x64_epi64(x2, 0xd8); - _mm256_storeu_si256((__m256i *) writing, _mm256_permute2f128_si256(x, x2, 0x31)); - _mm256_storeu_si256((__m256i *) out, _mm256_permute2f128_si256(x, x2, 0x20)); - reading += 32; - writing += 16; - out += 32; - } - r0 = R[52]; - r1 = R[53]; - r2 = r0 + r1 * (uint32)4225; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[26] = (uint16) r2; - - reading = (uint16 *) R; - writing = R; - i = 2; - while (i > 0) { - __m256i x, y; - --i; - if (!i) { - reading -= 6; - writing -= 3; - out -= 3; - } - x = _mm256_loadu_si256((__m256i *) reading); - y = x & 
_mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(273)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, _mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) _mm256_extract_epi32(x, 6); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - reading += 16; - writing += 8; - } - R[13] = R[26]; - - for (i = 0; i < 7; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)292; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - - for (i = 0; i < 3; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)334; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[3] = R[6]; - - for (i = 0; i < 2; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)436; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - - r0 = R[0]; - r1 = R[1]; - r2 = r0 + r1 * (uint32)743; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[0] = (uint16) r2; - - r0 = R[0]; - *out++ = (unsigned char) r0; -} diff --git a/crypto_kem/sntrup857/avx2/crypto_encode_857x1723.h b/crypto_kem/sntrup857/avx2/crypto_encode_857x1723.h deleted file mode 100644 index 66a9e6ae..00000000 --- a/crypto_kem/sntrup857/avx2/crypto_encode_857x1723.h +++ /dev/null 
@@ -1,10 +0,0 @@ -#ifndef PQCLEAN_SNTRUP857_AVX2_CRYPTO_ENCODE_857X1723_H -#define PQCLEAN_SNTRUP857_AVX2_CRYPTO_ENCODE_857X1723_H - -#include -#define PQCLEAN_SNTRUP857_AVX2_crypto_encode_857x1723_STRBYTES 1152 -#define PQCLEAN_SNTRUP857_AVX2_crypto_encode_857x1723_ITEMS 857 -#define PQCLEAN_SNTRUP857_AVX2_crypto_encode_857x1723_ITEMBYTES 2 - -void PQCLEAN_SNTRUP857_AVX2_crypto_encode_857x1723(unsigned char *out, const void *v); -#endif diff --git a/crypto_kem/sntrup857/avx2/crypto_encode_857x1723round.c b/crypto_kem/sntrup857/avx2/crypto_encode_857x1723round.c deleted file mode 100644 index 39fad8f2..00000000 --- a/crypto_kem/sntrup857/avx2/crypto_encode_857x1723round.c +++ /dev/null 
@@ -1,285 +0,0 @@ -#include "crypto_encode_857x1723round.h" -#include -/* auto-generated; do not edit */ - -#define int16 int16_t -#define uint16 uint16_t -#define uint32 uint32_t - -void PQCLEAN_SNTRUP857_AVX2_crypto_encode_857x1723round(unsigned char *out, const void *v) { - const int16 *R0 = v; - /* XXX: caller could overlap R with input */ - uint16 R[429]; - long i; - const uint16 *reading; - uint16 *writing; - uint16 r0, r1; - uint32 r2; - uint32 s0; - - reading = (uint16 *) R0; - writing = R; - i = 54; - while (i > 0) { - __m256i x, y; - --i; - if (!i) { - reading -= 8; - writing -= 4; - out -= 4; - } - x = _mm256_loadu_si256((__m256i *) reading); - x = _mm256_mulhrs_epi16(x, _mm256_set1_epi16(10923)); - x = _mm256_add_epi16(x, _mm256_add_epi16(x, x)); - x = _mm256_add_epi16(x, _mm256_set1_epi16(2583)); - x &= _mm256_set1_epi16(16383); - x = _mm256_mulhi_epi16(x, _mm256_set1_epi16(21846)); - y = x & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(1723)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, _mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) _mm256_extract_epi32(x, 6); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - reading += 16; - writing += 8; - } - R[428] = (uint16) ((((3 * ((10923 * R0[856] + 16384) >> 15) + 2583) & 16383) * 10923) >> 15); - - reading = (uint16 *) R; - writing = R; - i = 14; - while (i > 0) { - __m256i x, x2, y, y2; - --i; - if (!i) { - 
reading -= 20; - writing -= 10; - out -= 20; - } - x = _mm256_loadu_si256((__m256i *) (reading + 0)); - x2 = _mm256_loadu_si256((__m256i *) (reading + 16)); - y = x & _mm256_set1_epi32(65535); - y2 = x2 & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x2 = _mm256_srli_epi32(x2, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(11597)); - x2 = _mm256_mullo_epi32(x2, _mm256_set1_epi32(11597)); - x = _mm256_add_epi32(y, x); - x2 = _mm256_add_epi32(y2, x2); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x2 = _mm256_shuffle_epi8(x2, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - x2 = _mm256_permute4x64_epi64(x2, 0xd8); - _mm256_storeu_si256((__m256i *) writing, _mm256_permute2f128_si256(x, x2, 0x31)); - _mm256_storeu_si256((__m256i *) out, _mm256_permute2f128_si256(x, x2, 0x20)); - reading += 32; - writing += 16; - out += 32; - } - R[214] = R[428]; - - reading = (uint16 *) R; - writing = R; - i = 7; - while (i > 0) { - __m256i x, x2, y, y2; - --i; - if (!i) { - reading -= 10; - writing -= 5; - out -= 10; - } - x = _mm256_loadu_si256((__m256i *) (reading + 0)); - x2 = _mm256_loadu_si256((__m256i *) (reading + 16)); - y = x & _mm256_set1_epi32(65535); - y2 = x2 & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x2 = _mm256_srli_epi32(x2, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(2053)); - x2 = _mm256_mullo_epi32(x2, _mm256_set1_epi32(2053)); - x = _mm256_add_epi32(y, x); - x2 = _mm256_add_epi32(y2, x2); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x2 = _mm256_shuffle_epi8(x2, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 
13, 12, 9, 8, 5, 4, 1, 0 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - x2 = _mm256_permute4x64_epi64(x2, 0xd8); - _mm256_storeu_si256((__m256i *) writing, _mm256_permute2f128_si256(x, x2, 0x31)); - _mm256_storeu_si256((__m256i *) out, _mm256_permute2f128_si256(x, x2, 0x20)); - reading += 32; - writing += 16; - out += 32; - } - R[107] = R[214]; - - for (i = 0; i < 53; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)65; - R[i] = (uint16) r2; - } - r0 = R[106]; - r1 = R[107]; - r2 = r0 + r1 * (uint32)65; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[53] = (uint16) r2; - - reading = (uint16 *) R; - writing = R; - i = 2; - while (i > 0) { - __m256i x, x2, y, y2; - --i; - if (!i) { - reading -= 12; - writing -= 6; - out -= 12; - } - x = _mm256_loadu_si256((__m256i *) (reading + 0)); - x2 = _mm256_loadu_si256((__m256i *) (reading + 16)); - y = x & _mm256_set1_epi32(65535); - y2 = x2 & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x2 = _mm256_srli_epi32(x2, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(4225)); - x2 = _mm256_mullo_epi32(x2, _mm256_set1_epi32(4225)); - x = _mm256_add_epi32(y, x); - x2 = _mm256_add_epi32(y2, x2); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x2 = _mm256_shuffle_epi8(x2, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - x2 = _mm256_permute4x64_epi64(x2, 0xd8); - _mm256_storeu_si256((__m256i *) writing, _mm256_permute2f128_si256(x, x2, 0x31)); - _mm256_storeu_si256((__m256i *) out, _mm256_permute2f128_si256(x, x2, 0x20)); - reading += 32; - writing += 16; - out += 32; - } - r0 = R[52]; - r1 = R[53]; - r2 = r0 + r1 * (uint32)4225; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[26] = (uint16) r2; - - reading = (uint16 *) R; - writing = R; - i = 2; - while (i > 
0) { - __m256i x, y; - --i; - if (!i) { - reading -= 6; - writing -= 3; - out -= 3; - } - x = _mm256_loadu_si256((__m256i *) reading); - y = x & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(273)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, _mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) _mm256_extract_epi32(x, 6); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - reading += 16; - writing += 8; - } - R[13] = R[26]; - - for (i = 0; i < 7; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)292; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - - for (i = 0; i < 3; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)334; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[3] = R[6]; - - for (i = 0; i < 2; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)436; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - - r0 = R[0]; - r1 = R[1]; - r2 = r0 + r1 * (uint32)743; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[0] = (uint16) r2; - - r0 = R[0]; - *out++ = (unsigned char) r0; -} diff --git a/crypto_kem/sntrup857/avx2/crypto_encode_857x1723round.h b/crypto_kem/sntrup857/avx2/crypto_encode_857x1723round.h deleted file mode 100644 index be2cb158..00000000 
--- a/crypto_kem/sntrup857/avx2/crypto_encode_857x1723round.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_AVX2_CRYPTO_ENCODE_857X1723ROUND_H
-#define PQCLEAN_SNTRUP857_AVX2_CRYPTO_ENCODE_857X1723ROUND_H
-
-#include
-#define PQCLEAN_SNTRUP857_AVX2_crypto_encode_857x1723round_STRBYTES 1152
-#define PQCLEAN_SNTRUP857_AVX2_crypto_encode_857x1723round_ITEMS 857
-#define PQCLEAN_SNTRUP857_AVX2_crypto_encode_857x1723round_ITEMBYTES 2
-
-void PQCLEAN_SNTRUP857_AVX2_crypto_encode_857x1723round(unsigned char *out, const void *v);
-#endif
diff --git a/crypto_kem/sntrup857/avx2/crypto_encode_857x3.c b/crypto_kem/sntrup857/avx2/crypto_encode_857x3.c
deleted file mode 100644
index 44e734f5..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_encode_857x3.c
+++ /dev/null
@@ -1,64 +0,0 @@
-#include "crypto_encode_857x3.h"
-#include
-#define uint8 uint8_t
-
-#define p 857
-#define loops 7
-#define overshoot 10
-
-static const union {
-    uint8 init[32];
-    __m256i val;
-} lobytes_buf = { .init = {
-        255, 0, 255, 0, 255, 0, 255, 0,
-        255, 0, 255, 0, 255, 0, 255, 0,
-        255, 0, 255, 0, 255, 0, 255, 0,
-        255, 0, 255, 0, 255, 0, 255, 0,
-    }
-};
-#define lobytes (lobytes_buf.val)
-
-void PQCLEAN_SNTRUP857_AVX2_crypto_encode_857x3(unsigned char *s, const void *v) {
-    const uint8 *f = v;
-    int loop;
-    const uint8 *nextf = f + 128 - 4 * overshoot;
-    unsigned char *nexts = s + 32 - overshoot;
-
-    for (loop = loops; loop > 0; --loop) {
-        __m256i f0 = _mm256_loadu_si256((const __m256i *) (f + 0));
-        __m256i f1 = _mm256_loadu_si256((const __m256i *) (f + 32));
-        __m256i f2 = _mm256_loadu_si256((const __m256i *) (f + 64));
-        __m256i f3 = _mm256_loadu_si256((const __m256i *) (f + 96));
-        f = nextf;
-        nextf += 128;
-
-        __m256i a0 = _mm256_packus_epi16(f0 & lobytes, f1 & lobytes);
-        /* 0 2 4 6 8 10 12 14 32 34 36 38 40 42 44 46 */
-        /* 16 18 20 22 24 26 28 30 48 50 52 54 56 58 60 62 */
-        __m256i a1 = _mm256_packus_epi16(_mm256_srli_epi16(f0, 8), _mm256_srli_epi16(f1, 8));
-        /* 1 3 ... */
-        __m256i a2 = _mm256_packus_epi16(f2 & lobytes, f3 & lobytes);
-        __m256i a3 = _mm256_packus_epi16(_mm256_srli_epi16(f2, 8), _mm256_srli_epi16(f3, 8));
-
-        a0 = _mm256_add_epi8(a0, _mm256_slli_epi16(a1 & _mm256_set1_epi8(63), 2));
-        a2 = _mm256_add_epi8(a2, _mm256_slli_epi16(a3 & _mm256_set1_epi8(63), 2));
-
-        __m256i b0 = _mm256_packus_epi16(a0 & lobytes, a2 & lobytes);
-        /* 0 4 8 12 32 36 40 44 64 68 72 76 96 100 104 108 */
-        /* 16 20 24 28 48 52 56 60 80 84 88 92 112 116 120 124 */
-        __m256i b2 = _mm256_packus_epi16(_mm256_srli_epi16(a0, 8), _mm256_srli_epi16(a2, 8));
-        /* 2 6 ... */
-
-        b0 = _mm256_add_epi8(b0, _mm256_slli_epi16(b2 & _mm256_set1_epi8(15), 4));
-
-        b0 = _mm256_permutevar8x32_epi32(b0, _mm256_set_epi32(7, 3, 6, 2, 5, 1, 4, 0));
-
-        b0 = _mm256_add_epi8(b0, _mm256_set1_epi8(85));
-
-        _mm256_storeu_si256((__m256i *) s, b0);
-        s = nexts;
-        nexts += 32;
-    }
-
-    *s++ = *f++ + 1;
-}
diff --git a/crypto_kem/sntrup857/avx2/crypto_encode_857x3.h b/crypto_kem/sntrup857/avx2/crypto_encode_857x3.h
deleted file mode 100644
index 13c61537..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_encode_857x3.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_AVX2_CRYPTO_ENCODE_857X3_H
-#define PQCLEAN_SNTRUP857_AVX2_CRYPTO_ENCODE_857X3_H
-
-#include
-#define PQCLEAN_SNTRUP857_AVX2_crypto_encode_857x3_STRBYTES 215
-#define PQCLEAN_SNTRUP857_AVX2_crypto_encode_857x3_ITEMS 857
-#define PQCLEAN_SNTRUP857_AVX2_crypto_encode_857x3_ITEMBYTES 1
-
-void PQCLEAN_SNTRUP857_AVX2_crypto_encode_857x3(unsigned char *s, const void *v);
-#endif
diff --git a/crypto_kem/sntrup857/avx2/crypto_encode_857x5167.c b/crypto_kem/sntrup857/avx2/crypto_encode_857x5167.c
deleted file mode 100644
index 36713cbb..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_encode_857x5167.c
+++ /dev/null
@@ -1,331 +0,0 @@ -#include "crypto_encode_857x5167.h" -#include -/* auto-generated; do not edit */ - -#define int16 int16_t -#define uint16 uint16_t -#define uint32 uint32_t - -void PQCLEAN_SNTRUP857_AVX2_crypto_encode_857x5167(unsigned char *out, const void *v) { - const int16 *R0 = v; - /* XXX: caller could overlap R with input */ - uint16 R[429]; - long i; - const uint16 *reading; - uint16 *writing; - uint16 r0, r1; - uint32 r2; - uint32 s0; - - reading = (uint16 *) R0; - writing = R; - i = 27; - while (i > 0) { - __m256i x, x2, y, y2; - --i; - if (!i) { - reading -= 8; - writing -= 4; - out -= 8; - } - x = _mm256_loadu_si256((__m256i *) (reading + 0)); - x2 = _mm256_loadu_si256((__m256i *) (reading + 16)); - x = _mm256_add_epi16(x, _mm256_set1_epi16(2583)); - x2 = _mm256_add_epi16(x2, _mm256_set1_epi16(2583)); - x &= _mm256_set1_epi16(16383); - x2 &= _mm256_set1_epi16(16383); - y = x & _mm256_set1_epi32(65535); - y2 = x2 & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x2 = _mm256_srli_epi32(x2, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(5167)); - x2 = _mm256_mullo_epi32(x2, _mm256_set1_epi32(5167)); - x = _mm256_add_epi32(y, x); - x2 = _mm256_add_epi32(y2, x2); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x2 = _mm256_shuffle_epi8(x2, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - x2 = _mm256_permute4x64_epi64(x2, 0xd8); - _mm256_storeu_si256((__m256i *) writing, _mm256_permute2f128_si256(x, x2, 0x31)); - _mm256_storeu_si256((__m256i *) out, _mm256_permute2f128_si256(x, x2, 0x20)); - reading += 32; - writing += 16; - out += 32; - } - R[428] = (uint16) (((R0[856] + 2583) & 16383)); - - reading = (uint16 *) R; - writing = R; - i = 27; - while (i > 0) { - __m256i x, y; - --i; - if (!i) { - reading 
-= 4; - writing -= 2; - out -= 2; - } - x = _mm256_loadu_si256((__m256i *) reading); - y = x & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(408)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, _mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) _mm256_extract_epi32(x, 6); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - reading += 16; - writing += 8; - } - R[214] = R[428]; - - reading = (uint16 *) R; - writing = R; - i = 14; - while (i > 0) { - __m256i x, y; - --i; - if (!i) { - reading -= 10; - writing -= 5; - out -= 5; - } - x = _mm256_loadu_si256((__m256i *) reading); - y = x & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(651)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, _mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) _mm256_extract_epi32(x, 6); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = 
(unsigned char) s0; - reading += 16; - writing += 8; - } - R[107] = R[214]; - - reading = (uint16 *) R; - writing = R; - i = 7; - while (i > 0) { - __m256i x, y; - --i; - if (!i) { - reading -= 6; - writing -= 3; - out -= 3; - } - x = _mm256_loadu_si256((__m256i *) reading); - y = x & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(1656)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, _mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) _mm256_extract_epi32(x, 6); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - reading += 16; - writing += 8; - } - r0 = R[106]; - r1 = R[107]; - r2 = r0 + r1 * (uint32)1656; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[53] = (uint16) r2; - - reading = (uint16 *) R; - writing = R; - i = 2; - while (i > 0) { - __m256i x, x2, y, y2; - --i; - if (!i) { - reading -= 12; - writing -= 6; - out -= 12; - } - x = _mm256_loadu_si256((__m256i *) (reading + 0)); - x2 = _mm256_loadu_si256((__m256i *) (reading + 16)); - y = x & _mm256_set1_epi32(65535); - y2 = x2 & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x2 = _mm256_srli_epi32(x2, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(10713)); - x2 = _mm256_mullo_epi32(x2, _mm256_set1_epi32(10713)); - x = _mm256_add_epi32(y, x); - x2 = _mm256_add_epi32(y2, x2); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 
1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x2 = _mm256_shuffle_epi8(x2, _mm256_set_epi8( - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0, - 15, 14, 11, 10, 7, 6, 3, 2, 13, 12, 9, 8, 5, 4, 1, 0 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - x2 = _mm256_permute4x64_epi64(x2, 0xd8); - _mm256_storeu_si256((__m256i *) writing, _mm256_permute2f128_si256(x, x2, 0x31)); - _mm256_storeu_si256((__m256i *) out, _mm256_permute2f128_si256(x, x2, 0x20)); - reading += 32; - writing += 16; - out += 32; - } - r0 = R[52]; - r1 = R[53]; - r2 = r0 + r1 * (uint32)10713; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[26] = (uint16) r2; - - reading = (uint16 *) R; - writing = R; - i = 2; - while (i > 0) { - __m256i x, y; - --i; - if (!i) { - reading -= 6; - writing -= 3; - out -= 3; - } - x = _mm256_loadu_si256((__m256i *) reading); - y = x & _mm256_set1_epi32(65535); - x = _mm256_srli_epi32(x, 16); - x = _mm256_mullo_epi32(x, _mm256_set1_epi32(1752)); - x = _mm256_add_epi32(y, x); - x = _mm256_shuffle_epi8(x, _mm256_set_epi8( - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1, - 12, 8, 4, 0, 12, 8, 4, 0, 14, 13, 10, 9, 6, 5, 2, 1 - )); - x = _mm256_permute4x64_epi64(x, 0xd8); - _mm_storeu_si128((__m128i *) writing, _mm256_extractf128_si256(x, 0)); - s0 = (uint32) _mm256_extract_epi32(x, 4); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 = (uint32) _mm256_extract_epi32(x, 6); - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - s0 >>= 8; - *out++ = (unsigned char) s0; - reading += 16; - writing += 8; - } - R[13] = R[26]; - - for (i = 0; i < 7; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)11991; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - - for (i = 0; i < 3; ++i) { - r0 = R[2 
* i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)2194; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[3] = R[6]; - - r0 = R[0]; - r1 = R[1]; - r2 = r0 + r1 * (uint32)74; - R[0] = (uint16) r2; - r0 = R[2]; - r1 = R[3]; - r2 = r0 + r1 * (uint32)74; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[1] = (uint16) r2; - - r0 = R[0]; - r1 = R[1]; - r2 = r0 + r1 * (uint32)5476; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[0] = (uint16) r2; - - r0 = R[0]; - *out++ = (unsigned char) r0; - r0 >>= 8; - *out++ = (unsigned char) r0; -} diff --git a/crypto_kem/sntrup857/avx2/crypto_encode_857x5167.h b/crypto_kem/sntrup857/avx2/crypto_encode_857x5167.h deleted file mode 100644 index 0c513509..00000000 --- a/crypto_kem/sntrup857/avx2/crypto_encode_857x5167.h +++ /dev/null @@ -1,10 +0,0 @@ -#ifndef PQCLEAN_SNTRUP857_AVX2_CRYPTO_ENCODE_857X5167_H -#define PQCLEAN_SNTRUP857_AVX2_CRYPTO_ENCODE_857X5167_H - -#include -#define PQCLEAN_SNTRUP857_AVX2_crypto_encode_857x5167_STRBYTES 1322 -#define PQCLEAN_SNTRUP857_AVX2_crypto_encode_857x5167_ITEMS 857 -#define PQCLEAN_SNTRUP857_AVX2_crypto_encode_857x5167_ITEMBYTES 2 - -void PQCLEAN_SNTRUP857_AVX2_crypto_encode_857x5167(unsigned char *out, const void *v); -#endif diff --git a/crypto_kem/sntrup857/avx2/crypto_encode_857xfreeze3.c b/crypto_kem/sntrup857/avx2/crypto_encode_857xfreeze3.c deleted file mode 100644 index 108da266..00000000 --- a/crypto_kem/sntrup857/avx2/crypto_encode_857xfreeze3.c +++ /dev/null 
@@ -1,31 +0,0 @@
-#include "crypto_encode_857xfreeze3.h"
-#include
-#define int16 int16_t
-
-#define p 857
-
-void PQCLEAN_SNTRUP857_AVX2_crypto_encode_857xfreeze3(unsigned char *s, const void *v) {
-    const int16 *r = v;
-
-    int i = p - 16;
-    for (;;) {
-        do {
-            __m256i x = _mm256_loadu_si256((__m256i *) r);
-            __m256i y = _mm256_mulhrs_epi16(x, _mm256_set1_epi16(10923));
-            x = _mm256_sub_epi16(x, y);
-            y = _mm256_add_epi16(y, y);
-            x = _mm256_sub_epi16(x, y);
-            __m128i x0 = _mm256_extractf128_si256(x, 0);
-            __m128i x1 = _mm256_extractf128_si256(x, 1);
-            _mm_storeu_si128((__m128i *) s, _mm_packs_epi16(x0, x1));
-            i -= 16;
-            r += 16;
-            s += 16;
-        } while (i >= 0);
-        if (i <= -16) {
-            break;
-        }
-        r += i;
-        s += i;
-    }
-}
diff --git a/crypto_kem/sntrup857/avx2/crypto_encode_857xfreeze3.h b/crypto_kem/sntrup857/avx2/crypto_encode_857xfreeze3.h
deleted file mode 100644
index 99052e21..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_encode_857xfreeze3.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_AVX2_CRYPTO_ENCODE_857XFREEZE3_H
-#define PQCLEAN_SNTRUP857_AVX2_CRYPTO_ENCODE_857XFREEZE3_H
-
-#include
-#define PQCLEAN_SNTRUP857_AVX2_crypto_encode_857xfreeze3_STRBYTES 857
-#define PQCLEAN_SNTRUP857_AVX2_crypto_encode_857xfreeze3_ITEMS 857
-#define PQCLEAN_SNTRUP857_AVX2_crypto_encode_857xfreeze3_ITEMBYTES 2
-
-void PQCLEAN_SNTRUP857_AVX2_crypto_encode_857xfreeze3(unsigned char *s, const void *v);
-#endif
diff --git a/crypto_kem/sntrup857/avx2/crypto_encode_857xint16.c b/crypto_kem/sntrup857/avx2/crypto_encode_857xint16.c
deleted file mode 100644
index 9ae26814..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_encode_857xint16.c
+++ /dev/null
@@ -1,13 +0,0 @@
-#include "crypto_encode_857xint16.h"
-
-
-void PQCLEAN_SNTRUP857_AVX2_crypto_encode_857xint16(unsigned char *s, const void *v) {
-    const uint16_t *x = v;
-    int i;
-
-    for (i = 0; i < 857; ++i) {
-        uint16_t u = *x++;
-        *s++ = (unsigned char) u;
-        *s++ = (unsigned char) (u >> 8);
-    }
-}
diff --git a/crypto_kem/sntrup857/avx2/crypto_encode_857xint16.h b/crypto_kem/sntrup857/avx2/crypto_encode_857xint16.h
deleted file mode 100644
index e131a942..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_encode_857xint16.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_AVX2_CRYPTO_ENCODE_857XINT16_H
-#define PQCLEAN_SNTRUP857_AVX2_CRYPTO_ENCODE_857XINT16_H
-
-#include
-#define PQCLEAN_SNTRUP857_AVX2_crypto_encode_857xint16_STRBYTES 1714
-#define PQCLEAN_SNTRUP857_AVX2_crypto_encode_857xint16_ITEMBYTES 2
-#define PQCLEAN_SNTRUP857_AVX2_crypto_encode_857xint16_ITEMS 857
-
-void PQCLEAN_SNTRUP857_AVX2_crypto_encode_857xint16(unsigned char *s, const void *v);
-#endif
diff --git a/crypto_kem/sntrup857/avx2/crypto_encode_int16.c b/crypto_kem/sntrup857/avx2/crypto_encode_int16.c
deleted file mode 100644
index 5696d24c..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_encode_int16.c
+++ /dev/null
@@ -1,9 +0,0 @@
-#include "crypto_encode_int16.h"
-
-#define uint16 uint16_t
-
-void PQCLEAN_SNTRUP857_AVX2_crypto_encode_int16(unsigned char *s, const void *x) {
-    uint16 u = *(const uint16 *) x;
-    s[0] = (unsigned char) u;
-    s[1] = (unsigned char) (u >> 8);
-}
diff --git a/crypto_kem/sntrup857/avx2/crypto_encode_int16.h b/crypto_kem/sntrup857/avx2/crypto_encode_int16.h
deleted file mode 100644
index 1ca7ca0a..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_encode_int16.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_AVX2_CRYPTO_ENCODE_INT16_H
-#define PQCLEAN_SNTRUP857_AVX2_CRYPTO_ENCODE_INT16_H
-
-#include
-#define PQCLEAN_SNTRUP857_AVX2_crypto_encode_int16_STRBYTES 2
-#define PQCLEAN_SNTRUP857_AVX2_crypto_encode_int16_ITEMBYTES 2
-#define PQCLEAN_SNTRUP857_AVX2_crypto_encode_int16_ITEMS 1
-
-void PQCLEAN_SNTRUP857_AVX2_crypto_encode_int16(unsigned char *s, const void *x);
-#endif
diff --git a/crypto_kem/sntrup857/avx2/crypto_sort_int32.c b/crypto_kem/sntrup857/avx2/crypto_sort_int32.c
deleted file mode 100644
index bd96995a..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_sort_int32.c
+++ /dev/null
@@ -1,1215 +0,0 @@ -#include "crypto_sort_int32.h" -#include - -#define int32 int32_t - -typedef __m256i int32x8; -#define int32x8_load(z) _mm256_loadu_si256((__m256i *) (z)) -#define int32x8_store(z,i) _mm256_storeu_si256((__m256i *) (z),(i)) -#define int32x8_min _mm256_min_epi32 -#define int32x8_max _mm256_max_epi32 - -#define int32x8_MINMAX(a,b) \ - do { \ - int32x8 c = int32x8_min((a),(b)); \ - (b) = int32x8_max((a),(b)); \ - (a) = c; \ - } while(0) - -static inline void int32_MINMAX(int32 *a, int32 *b) { - int32 ab = *b ^ *a; - int32 c = (int32)((int64_t) * b - (int64_t) * a); - c ^= ab & (c ^ *b); - c >>= 31; - c &= ab; - *a ^= c; - *b ^= c; -} - -static void minmax_vector(int32 *x, int32 *y, long long n) { - if (n < 8) { - while (n > 0) { - int32_MINMAX(x, y); - ++x; - ++y; - --n; - } - return; - } - if (n & 7) { - int32x8 x0 = int32x8_load(x + n - 8); - int32x8 y0 = int32x8_load(y + n - 8); - int32x8_MINMAX(x0, y0); - int32x8_store(x + n - 8, x0); - int32x8_store(y + n - 8, y0); - n &= ~7; - } - do { - int32x8 x0 = int32x8_load(x); - int32x8 y0 = int32x8_load(y); - int32x8_MINMAX(x0, y0); - int32x8_store(x, x0); - int32x8_store(y, y0); - x += 8; - y += 8; - n -= 8; - } while (n); -} - -/* stages 8,4,2,1 of size-16 bitonic merging */ -static void merge16_finish(int32 *x, int32x8 x0, int32x8 x1, int flagdown) { - int32x8 b0, b1, c0, c1, mask; - - int32x8_MINMAX(x0, x1); - - b0 = _mm256_permute2x128_si256(x0, x1, 0x20); /* A0123B0123 */ - b1 = _mm256_permute2x128_si256(x0, x1, 0x31); /* A4567B4567 */ - - int32x8_MINMAX(b0, b1); - - c0 = _mm256_unpacklo_epi64(b0, b1); /* A0145B0145 */ - c1 = _mm256_unpackhi_epi64(b0, b1); /* A2367B2367 */ - - int32x8_MINMAX(c0, c1); - - b0 = _mm256_unpacklo_epi32(c0, c1); /* A0213B0213 */ - b1 = _mm256_unpackhi_epi32(c0, c1); /* A4657B4657 */ - - c0 = _mm256_unpacklo_epi64(b0, b1); /* A0246B0246 */ - c1 = _mm256_unpackhi_epi64(b0, b1); /* A1357B1357 */ - - int32x8_MINMAX(c0, c1); - - b0 = _mm256_unpacklo_epi32(c0, c1); /* 
A0123B0123 */ - b1 = _mm256_unpackhi_epi32(c0, c1); /* A4567B4567 */ - - x0 = _mm256_permute2x128_si256(b0, b1, 0x20); /* A01234567 */ - x1 = _mm256_permute2x128_si256(b0, b1, 0x31); /* A01234567 */ - - if (flagdown) { - mask = _mm256_set1_epi32(-1); - x0 ^= mask; - x1 ^= mask; - } - - int32x8_store(&x[0], x0); - int32x8_store(&x[8], x1); -} - -/* stages 64,32 of bitonic merging; n is multiple of 128 */ -static void int32_twostages_32(int32 *x, long long n) { - long long i; - - while (n > 0) { - for (i = 0; i < 32; i += 8) { - int32x8 x0 = int32x8_load(&x[i]); - int32x8 x1 = int32x8_load(&x[i + 32]); - int32x8 x2 = int32x8_load(&x[i + 64]); - int32x8 x3 = int32x8_load(&x[i + 96]); - - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - - int32x8_store(&x[i], x0); - int32x8_store(&x[i + 32], x1); - int32x8_store(&x[i + 64], x2); - int32x8_store(&x[i + 96], x3); - } - x += 128; - n -= 128; - } -} - -/* stages 4q,2q,q of bitonic merging */ -static long long int32_threestages(int32 *x, long long n, long long q) { - long long k, i; - - for (k = 0; k + 8 * q <= n; k += 8 * q) { - for (i = k; i < k + q; i += 8) { - int32x8 x0 = int32x8_load(&x[i]); - int32x8 x1 = int32x8_load(&x[i + q]); - int32x8 x2 = int32x8_load(&x[i + 2 * q]); - int32x8 x3 = int32x8_load(&x[i + 3 * q]); - int32x8 x4 = int32x8_load(&x[i + 4 * q]); - int32x8 x5 = int32x8_load(&x[i + 5 * q]); - int32x8 x6 = int32x8_load(&x[i + 6 * q]); - int32x8 x7 = int32x8_load(&x[i + 7 * q]); - - int32x8_MINMAX(x0, x4); - int32x8_MINMAX(x1, x5); - int32x8_MINMAX(x2, x6); - int32x8_MINMAX(x3, x7); - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x4, x6); - int32x8_MINMAX(x5, x7); - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - int32x8_MINMAX(x4, x5); - int32x8_MINMAX(x6, x7); - - int32x8_store(&x[i], x0); - int32x8_store(&x[i + q], x1); - int32x8_store(&x[i + 2 * q], x2); - int32x8_store(&x[i + 3 * q], x3); - int32x8_store(&x[i + 4 * q], x4); 
- int32x8_store(&x[i + 5 * q], x5); - int32x8_store(&x[i + 6 * q], x6); - int32x8_store(&x[i + 7 * q], x7); - } - } - - return k; -} - -/* n is a power of 2; n >= 8; if n == 8 then flagdown */ -// NOLINTNEXTLINE(google-readability-function-size) -static void int32_sort_2power(int32 *x, long long n, int flagdown) { - long long p, q, i, j, k; - int32x8 mask; - - if (n == 8) { - int32 x0 = x[0]; - int32 x1 = x[1]; - int32 x2 = x[2]; - int32 x3 = x[3]; - int32 x4 = x[4]; - int32 x5 = x[5]; - int32 x6 = x[6]; - int32 x7 = x[7]; - - /* odd-even sort instead of bitonic sort */ - - int32_MINMAX(&x1, &x0); - int32_MINMAX(&x3, &x2); - int32_MINMAX(&x2, &x0); - int32_MINMAX(&x3, &x1); - int32_MINMAX(&x2, &x1); - - int32_MINMAX(&x5, &x4); - int32_MINMAX(&x7, &x6); - int32_MINMAX(&x6, &x4); - int32_MINMAX(&x7, &x5); - int32_MINMAX(&x6, &x5); - - int32_MINMAX(&x4, &x0); - int32_MINMAX(&x6, &x2); - int32_MINMAX(&x4, &x2); - - int32_MINMAX(&x5, &x1); - int32_MINMAX(&x7, &x3); - int32_MINMAX(&x5, &x3); - - int32_MINMAX(&x2, &x1); - int32_MINMAX(&x4, &x3); - int32_MINMAX(&x6, &x5); - - x[0] = x0; - x[1] = x1; - x[2] = x2; - x[3] = x3; - x[4] = x4; - x[5] = x5; - x[6] = x6; - x[7] = x7; - return; - } - - if (n == 16) { - int32x8 x0, x1, b0, b1, c0, c1; - - x0 = int32x8_load(&x[0]); - x1 = int32x8_load(&x[8]); - - mask = _mm256_set_epi32(0, 0, -1, -1, 0, 0, -1, -1); - - x0 ^= mask; /* A01234567 */ - x1 ^= mask; /* B01234567 */ - - b0 = _mm256_unpacklo_epi32(x0, x1); /* AB0AB1AB4AB5 */ - b1 = _mm256_unpackhi_epi32(x0, x1); /* AB2AB3AB6AB7 */ - - c0 = _mm256_unpacklo_epi64(b0, b1); /* AB0AB2AB4AB6 */ - c1 = _mm256_unpackhi_epi64(b0, b1); /* AB1AB3AB5AB7 */ - - int32x8_MINMAX(c0, c1); - - mask = _mm256_set_epi32(0, 0, -1, -1, -1, -1, 0, 0); - c0 ^= mask; - c1 ^= mask; - - b0 = _mm256_unpacklo_epi32(c0, c1); /* A01B01A45B45 */ - b1 = _mm256_unpackhi_epi32(c0, c1); /* A23B23A67B67 */ - - int32x8_MINMAX(b0, b1); - - x0 = _mm256_unpacklo_epi64(b0, b1); /* A01234567 */ - x1 = 
_mm256_unpackhi_epi64(b0, b1); /* B01234567 */ - - b0 = _mm256_unpacklo_epi32(x0, x1); /* AB0AB1AB4AB5 */ - b1 = _mm256_unpackhi_epi32(x0, x1); /* AB2AB3AB6AB7 */ - - c0 = _mm256_unpacklo_epi64(b0, b1); /* AB0AB2AB4AB6 */ - c1 = _mm256_unpackhi_epi64(b0, b1); /* AB1AB3AB5AB7 */ - - int32x8_MINMAX(c0, c1); - - b0 = _mm256_unpacklo_epi32(c0, c1); /* A01B01A45B45 */ - b1 = _mm256_unpackhi_epi32(c0, c1); /* A23B23A67B67 */ - - b0 ^= mask; - b1 ^= mask; - - c0 = _mm256_permute2x128_si256(b0, b1, 0x20); /* A01B01A23B23 */ - c1 = _mm256_permute2x128_si256(b0, b1, 0x31); /* A45B45A67B67 */ - - int32x8_MINMAX(c0, c1); - - b0 = _mm256_permute2x128_si256(c0, c1, 0x20); /* A01B01A45B45 */ - b1 = _mm256_permute2x128_si256(c0, c1, 0x31); /* A23B23A67B67 */ - - int32x8_MINMAX(b0, b1); - - x0 = _mm256_unpacklo_epi64(b0, b1); /* A01234567 */ - x1 = _mm256_unpackhi_epi64(b0, b1); /* B01234567 */ - - b0 = _mm256_unpacklo_epi32(x0, x1); /* AB0AB1AB4AB5 */ - b1 = _mm256_unpackhi_epi32(x0, x1); /* AB2AB3AB6AB7 */ - - c0 = _mm256_unpacklo_epi64(b0, b1); /* AB0AB2AB4AB6 */ - c1 = _mm256_unpackhi_epi64(b0, b1); /* AB1AB3AB5AB7 */ - - int32x8_MINMAX(c0, c1); - - b0 = _mm256_unpacklo_epi32(c0, c1); /* A01B01A45B45 */ - b1 = _mm256_unpackhi_epi32(c0, c1); /* A23B23A67B67 */ - - x0 = _mm256_unpacklo_epi64(b0, b1); /* A01234567 */ - x1 = _mm256_unpackhi_epi64(b0, b1); /* B01234567 */ - - mask = _mm256_set1_epi32(-1); - if (flagdown) { - x1 ^= mask; - } else { - x0 ^= mask; - } - - merge16_finish(x, x0, x1, flagdown); - return; - } - - if (n == 32) { - int32x8 x0, x1, x2, x3; - - int32_sort_2power(x, 16, 1); - int32_sort_2power(x + 16, 16, 0); - - x0 = int32x8_load(&x[0]); - x1 = int32x8_load(&x[8]); - x2 = int32x8_load(&x[16]); - x3 = int32x8_load(&x[24]); - - if (flagdown) { - mask = _mm256_set1_epi32(-1); - x0 ^= mask; - x1 ^= mask; - x2 ^= mask; - x3 ^= mask; - } - - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - - merge16_finish(x, x0, x1, flagdown); - merge16_finish(x + 16, x2, x3, 
flagdown); - return; - } - - p = n >> 3; - for (i = 0; i < p; i += 8) { - int32x8 x0 = int32x8_load(&x[i]); - int32x8 x2 = int32x8_load(&x[i + 2 * p]); - int32x8 x4 = int32x8_load(&x[i + 4 * p]); - int32x8 x6 = int32x8_load(&x[i + 6 * p]); - - /* odd-even stage instead of bitonic stage */ - - int32x8_MINMAX(x4, x0); - int32x8_MINMAX(x6, x2); - int32x8_MINMAX(x2, x0); - int32x8_MINMAX(x6, x4); - int32x8_MINMAX(x2, x4); - - int32x8_store(&x[i], x0); - int32x8_store(&x[i + 2 * p], x2); - int32x8_store(&x[i + 4 * p], x4); - int32x8_store(&x[i + 6 * p], x6); - - int32x8 x1 = int32x8_load(&x[i + p]); - int32x8 x3 = int32x8_load(&x[i + 3 * p]); - int32x8 x5 = int32x8_load(&x[i + 5 * p]); - int32x8 x7 = int32x8_load(&x[i + 7 * p]); - - int32x8_MINMAX(x1, x5); - int32x8_MINMAX(x3, x7); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x5, x7); - int32x8_MINMAX(x5, x3); - - int32x8_store(&x[i + p], x1); - int32x8_store(&x[i + 3 * p], x3); - int32x8_store(&x[i + 5 * p], x5); - int32x8_store(&x[i + 7 * p], x7); - } - - if (n >= 128) { - int flip, flipflip; - - mask = _mm256_set1_epi32(-1); - - for (j = 0; j < n; j += 32) { - int32x8 x0 = int32x8_load(&x[j]); - int32x8 x1 = int32x8_load(&x[j + 16]); - x0 ^= mask; - x1 ^= mask; - int32x8_store(&x[j], x0); - int32x8_store(&x[j + 16], x1); - } - - p = 8; - for (;;) { /* for p in [8, 16, ..., n/16] */ - q = p >> 1; - while (q >= 128) { - int32_threestages(x, n, q >> 2); - q >>= 3; - } - if (q == 64) { - int32_twostages_32(x, n); - q = 16; - } - if (q == 32) { - q = 8; - for (k = 0; k < n; k += 8 * q) { - for (i = k; i < k + q; i += 8) { - int32x8 x0 = int32x8_load(&x[i]); - int32x8 x1 = int32x8_load(&x[i + q]); - int32x8 x2 = int32x8_load(&x[i + 2 * q]); - int32x8 x3 = int32x8_load(&x[i + 3 * q]); - int32x8 x4 = int32x8_load(&x[i + 4 * q]); - int32x8 x5 = int32x8_load(&x[i + 5 * q]); - int32x8 x6 = int32x8_load(&x[i + 6 * q]); - int32x8 x7 = int32x8_load(&x[i + 7 * q]); - - int32x8_MINMAX(x0, x4); - int32x8_MINMAX(x1, x5); - 
int32x8_MINMAX(x2, x6); - int32x8_MINMAX(x3, x7); - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x4, x6); - int32x8_MINMAX(x5, x7); - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - int32x8_MINMAX(x4, x5); - int32x8_MINMAX(x6, x7); - - int32x8_store(&x[i], x0); - int32x8_store(&x[i + q], x1); - int32x8_store(&x[i + 2 * q], x2); - int32x8_store(&x[i + 3 * q], x3); - int32x8_store(&x[i + 4 * q], x4); - int32x8_store(&x[i + 5 * q], x5); - int32x8_store(&x[i + 6 * q], x6); - int32x8_store(&x[i + 7 * q], x7); - } - } - q = 4; - } - if (q == 16) { - q = 8; - for (k = 0; k < n; k += 4 * q) { - for (i = k; i < k + q; i += 8) { - int32x8 x0 = int32x8_load(&x[i]); - int32x8 x1 = int32x8_load(&x[i + q]); - int32x8 x2 = int32x8_load(&x[i + 2 * q]); - int32x8 x3 = int32x8_load(&x[i + 3 * q]); - - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - - int32x8_store(&x[i], x0); - int32x8_store(&x[i + q], x1); - int32x8_store(&x[i + 2 * q], x2); - int32x8_store(&x[i + 3 * q], x3); - } - } - q = 4; - } - if (q == 8) { - for (k = 0; k < n; k += q + q) { - int32x8 x0 = int32x8_load(&x[k]); - int32x8 x1 = int32x8_load(&x[k + q]); - - int32x8_MINMAX(x0, x1); - - int32x8_store(&x[k], x0); - int32x8_store(&x[k + q], x1); - } - } - - q = n >> 3; - flip = 0; - if (p << 1 == q) { - flip = 1; - } - flipflip = 1 - flip; - for (j = 0; j < q; j += p + p) { - for (k = j; k < j + p + p; k += p) { - for (i = k; i < k + p; i += 8) { - int32x8 x0 = int32x8_load(&x[i]); - int32x8 x1 = int32x8_load(&x[i + q]); - int32x8 x2 = int32x8_load(&x[i + 2 * q]); - int32x8 x3 = int32x8_load(&x[i + 3 * q]); - int32x8 x4 = int32x8_load(&x[i + 4 * q]); - int32x8 x5 = int32x8_load(&x[i + 5 * q]); - int32x8 x6 = int32x8_load(&x[i + 6 * q]); - int32x8 x7 = int32x8_load(&x[i + 7 * q]); - - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - int32x8_MINMAX(x4, x5); - int32x8_MINMAX(x6, x7); - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - 
int32x8_MINMAX(x4, x6); - int32x8_MINMAX(x5, x7); - int32x8_MINMAX(x0, x4); - int32x8_MINMAX(x1, x5); - int32x8_MINMAX(x2, x6); - int32x8_MINMAX(x3, x7); - - if (flip) { - x0 ^= mask; - x1 ^= mask; - x2 ^= mask; - x3 ^= mask; - x4 ^= mask; - x5 ^= mask; - x6 ^= mask; - x7 ^= mask; - } - - int32x8_store(&x[i], x0); - int32x8_store(&x[i + q], x1); - int32x8_store(&x[i + 2 * q], x2); - int32x8_store(&x[i + 3 * q], x3); - int32x8_store(&x[i + 4 * q], x4); - int32x8_store(&x[i + 5 * q], x5); - int32x8_store(&x[i + 6 * q], x6); - int32x8_store(&x[i + 7 * q], x7); - } - flip ^= 1; - } - flip ^= flipflip; - } - - if (p << 4 == n) { - break; - } - p <<= 1; - } - } - - for (p = 4; p >= 1; p >>= 1) { - int32 *z = x; - int32 *target = x + n; - if (p == 4) { - mask = _mm256_set_epi32(0, 0, 0, 0, -1, -1, -1, -1); - while (z != target) { - int32x8 x0 = int32x8_load(&z[0]); - int32x8 x1 = int32x8_load(&z[8]); - x0 ^= mask; - x1 ^= mask; - int32x8_store(&z[0], x0); - int32x8_store(&z[8], x1); - z += 16; - } - } else if (p == 2) { - mask = _mm256_set_epi32(0, 0, -1, -1, -1, -1, 0, 0); - while (z != target) { - int32x8 x0 = int32x8_load(&z[0]); - int32x8 x1 = int32x8_load(&z[8]); - x0 ^= mask; - x1 ^= mask; - int32x8 b0 = _mm256_permute2x128_si256(x0, x1, 0x20); - int32x8 b1 = _mm256_permute2x128_si256(x0, x1, 0x31); - int32x8_MINMAX(b0, b1); - int32x8 c0 = _mm256_permute2x128_si256(b0, b1, 0x20); - int32x8 c1 = _mm256_permute2x128_si256(b0, b1, 0x31); - int32x8_store(&z[0], c0); - int32x8_store(&z[8], c1); - z += 16; - } - } else { /* p == 1 */ - mask = _mm256_set_epi32(0, -1, -1, 0, 0, -1, -1, 0); - while (z != target) { - int32x8 x0 = int32x8_load(&z[0]); - int32x8 x1 = int32x8_load(&z[8]); - x0 ^= mask; - x1 ^= mask; - int32x8 b0 = _mm256_permute2x128_si256(x0, x1, 0x20); /* A0123B0123 */ - int32x8 b1 = _mm256_permute2x128_si256(x0, x1, 0x31); /* A4567B4567 */ - int32x8 c0 = _mm256_unpacklo_epi64(b0, b1); /* A0145B0145 */ - int32x8 c1 = _mm256_unpackhi_epi64(b0, b1); /* 
A2367B2367 */ - int32x8_MINMAX(c0, c1); - int32x8 d0 = _mm256_unpacklo_epi64(c0, c1); /* A0123B0123 */ - int32x8 d1 = _mm256_unpackhi_epi64(c0, c1); /* A4567B4567 */ - int32x8_MINMAX(d0, d1); - int32x8 e0 = _mm256_permute2x128_si256(d0, d1, 0x20); - int32x8 e1 = _mm256_permute2x128_si256(d0, d1, 0x31); - int32x8_store(&z[0], e0); - int32x8_store(&z[8], e1); - z += 16; - } - } - - q = n >> 4; - while (q >= 128 || q == 32) { - int32_threestages(x, n, q >> 2); - q >>= 3; - } - while (q >= 16) { - q >>= 1; - for (j = 0; j < n; j += 4 * q) { - for (k = j; k < j + q; k += 8) { - int32x8 x0 = int32x8_load(&x[k]); - int32x8 x1 = int32x8_load(&x[k + q]); - int32x8 x2 = int32x8_load(&x[k + 2 * q]); - int32x8 x3 = int32x8_load(&x[k + 3 * q]); - - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - - int32x8_store(&x[k], x0); - int32x8_store(&x[k + q], x1); - int32x8_store(&x[k + 2 * q], x2); - int32x8_store(&x[k + 3 * q], x3); - } - } - q >>= 1; - } - if (q == 8) { - for (j = 0; j < n; j += 2 * q) { - int32x8 x0 = int32x8_load(&x[j]); - int32x8 x1 = int32x8_load(&x[j + q]); - - int32x8_MINMAX(x0, x1); - - int32x8_store(&x[j], x0); - int32x8_store(&x[j + q], x1); - } - } - - q = n >> 3; - for (k = 0; k < q; k += 8) { - int32x8 x0 = int32x8_load(&x[k]); - int32x8 x1 = int32x8_load(&x[k + q]); - int32x8 x2 = int32x8_load(&x[k + 2 * q]); - int32x8 x3 = int32x8_load(&x[k + 3 * q]); - int32x8 x4 = int32x8_load(&x[k + 4 * q]); - int32x8 x5 = int32x8_load(&x[k + 5 * q]); - int32x8 x6 = int32x8_load(&x[k + 6 * q]); - int32x8 x7 = int32x8_load(&x[k + 7 * q]); - - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - int32x8_MINMAX(x4, x5); - int32x8_MINMAX(x6, x7); - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x4, x6); - int32x8_MINMAX(x5, x7); - int32x8_MINMAX(x0, x4); - int32x8_MINMAX(x1, x5); - int32x8_MINMAX(x2, x6); - int32x8_MINMAX(x3, x7); - - int32x8_store(&x[k], x0); - int32x8_store(&x[k + q], x1); - 
int32x8_store(&x[k + 2 * q], x2); - int32x8_store(&x[k + 3 * q], x3); - int32x8_store(&x[k + 4 * q], x4); - int32x8_store(&x[k + 5 * q], x5); - int32x8_store(&x[k + 6 * q], x6); - int32x8_store(&x[k + 7 * q], x7); - } - } - - /* everything is still masked with _mm256_set_epi32(0,-1,0,-1,0,-1,0,-1); */ - mask = _mm256_set1_epi32(-1); - - for (i = 0; i < n; i += 64) { - int32x8 a0 = int32x8_load(&x[i]); - int32x8 a1 = int32x8_load(&x[i + 8]); - int32x8 a2 = int32x8_load(&x[i + 16]); - int32x8 a3 = int32x8_load(&x[i + 24]); - int32x8 a4 = int32x8_load(&x[i + 32]); - int32x8 a5 = int32x8_load(&x[i + 40]); - int32x8 a6 = int32x8_load(&x[i + 48]); - int32x8 a7 = int32x8_load(&x[i + 56]); - - int32x8 b0 = _mm256_unpacklo_epi32(a0, a1); /* AB0AB1AB4AB5 */ - int32x8 b1 = _mm256_unpackhi_epi32(a0, a1); /* AB2AB3AB6AB7 */ - int32x8 b2 = _mm256_unpacklo_epi32(a2, a3); /* CD0CD1CD4CD5 */ - int32x8 b3 = _mm256_unpackhi_epi32(a2, a3); /* CD2CD3CD6CD7 */ - int32x8 b4 = _mm256_unpacklo_epi32(a4, a5); /* EF0EF1EF4EF5 */ - int32x8 b5 = _mm256_unpackhi_epi32(a4, a5); /* EF2EF3EF6EF7 */ - int32x8 b6 = _mm256_unpacklo_epi32(a6, a7); /* GH0GH1GH4GH5 */ - int32x8 b7 = _mm256_unpackhi_epi32(a6, a7); /* GH2GH3GH6GH7 */ - - int32x8 c0 = _mm256_unpacklo_epi64(b0, b2); /* ABCD0ABCD4 */ - int32x8 c1 = _mm256_unpacklo_epi64(b1, b3); /* ABCD2ABCD6 */ - int32x8 c2 = _mm256_unpackhi_epi64(b0, b2); /* ABCD1ABCD5 */ - int32x8 c3 = _mm256_unpackhi_epi64(b1, b3); /* ABCD3ABCD7 */ - int32x8 c4 = _mm256_unpacklo_epi64(b4, b6); /* EFGH0EFGH4 */ - int32x8 c5 = _mm256_unpacklo_epi64(b5, b7); /* EFGH2EFGH6 */ - int32x8 c6 = _mm256_unpackhi_epi64(b4, b6); /* EFGH1EFGH5 */ - int32x8 c7 = _mm256_unpackhi_epi64(b5, b7); /* EFGH3EFGH7 */ - - if (flagdown) { - c2 ^= mask; - c3 ^= mask; - c6 ^= mask; - c7 ^= mask; - } else { - c0 ^= mask; - c1 ^= mask; - c4 ^= mask; - c5 ^= mask; - } - - int32x8 d0 = _mm256_permute2x128_si256(c0, c4, 0x20); /* ABCDEFGH0 */ - int32x8 d1 = _mm256_permute2x128_si256(c2, c6, 0x20); /* 
ABCDEFGH1 */ - int32x8 d2 = _mm256_permute2x128_si256(c1, c5, 0x20); /* ABCDEFGH2 */ - int32x8 d3 = _mm256_permute2x128_si256(c3, c7, 0x20); /* ABCDEFGH5 */ - int32x8 d4 = _mm256_permute2x128_si256(c0, c4, 0x31); /* ABCDEFGH4 */ - int32x8 d5 = _mm256_permute2x128_si256(c2, c6, 0x31); /* ABCDEFGH3 */ - int32x8 d6 = _mm256_permute2x128_si256(c1, c5, 0x31); /* ABCDEFGH6 */ - int32x8 d7 = _mm256_permute2x128_si256(c3, c7, 0x31); /* ABCDEFGH7 */ - - int32x8_MINMAX(d0, d1); - int32x8_MINMAX(d2, d3); - int32x8_MINMAX(d4, d5); - int32x8_MINMAX(d6, d7); - int32x8_MINMAX(d0, d2); - int32x8_MINMAX(d1, d3); - int32x8_MINMAX(d4, d6); - int32x8_MINMAX(d5, d7); - int32x8_MINMAX(d0, d4); - int32x8_MINMAX(d1, d5); - int32x8_MINMAX(d2, d6); - int32x8_MINMAX(d3, d7); - - int32x8 e0 = _mm256_unpacklo_epi32(d0, d1); - int32x8 e1 = _mm256_unpackhi_epi32(d0, d1); - int32x8 e2 = _mm256_unpacklo_epi32(d2, d3); - int32x8 e3 = _mm256_unpackhi_epi32(d2, d3); - int32x8 e4 = _mm256_unpacklo_epi32(d4, d5); - int32x8 e5 = _mm256_unpackhi_epi32(d4, d5); - int32x8 e6 = _mm256_unpacklo_epi32(d6, d7); - int32x8 e7 = _mm256_unpackhi_epi32(d6, d7); - - int32x8 f0 = _mm256_unpacklo_epi64(e0, e2); - int32x8 f1 = _mm256_unpacklo_epi64(e1, e3); - int32x8 f2 = _mm256_unpackhi_epi64(e0, e2); - int32x8 f3 = _mm256_unpackhi_epi64(e1, e3); - int32x8 f4 = _mm256_unpacklo_epi64(e4, e6); - int32x8 f5 = _mm256_unpacklo_epi64(e5, e7); - int32x8 f6 = _mm256_unpackhi_epi64(e4, e6); - int32x8 f7 = _mm256_unpackhi_epi64(e5, e7); - - int32x8 g0 = _mm256_permute2x128_si256(f0, f4, 0x20); - int32x8 g1 = _mm256_permute2x128_si256(f2, f6, 0x20); - int32x8 g2 = _mm256_permute2x128_si256(f1, f5, 0x20); - int32x8 g3 = _mm256_permute2x128_si256(f3, f7, 0x20); - int32x8 g4 = _mm256_permute2x128_si256(f0, f4, 0x31); - int32x8 g5 = _mm256_permute2x128_si256(f2, f6, 0x31); - int32x8 g6 = _mm256_permute2x128_si256(f1, f5, 0x31); - int32x8 g7 = _mm256_permute2x128_si256(f3, f7, 0x31); - - int32x8_store(&x[i], g0); - int32x8_store(&x[i 
+ 8], g1); - int32x8_store(&x[i + 16], g2); - int32x8_store(&x[i + 24], g3); - int32x8_store(&x[i + 32], g4); - int32x8_store(&x[i + 40], g5); - int32x8_store(&x[i + 48], g6); - int32x8_store(&x[i + 56], g7); - } - - q = n >> 4; - while (q >= 128 || q == 32) { - q >>= 2; - for (j = 0; j < n; j += 8 * q) { - for (i = j; i < j + q; i += 8) { - int32x8 x0 = int32x8_load(&x[i]); - int32x8 x1 = int32x8_load(&x[i + q]); - int32x8 x2 = int32x8_load(&x[i + 2 * q]); - int32x8 x3 = int32x8_load(&x[i + 3 * q]); - int32x8 x4 = int32x8_load(&x[i + 4 * q]); - int32x8 x5 = int32x8_load(&x[i + 5 * q]); - int32x8 x6 = int32x8_load(&x[i + 6 * q]); - int32x8 x7 = int32x8_load(&x[i + 7 * q]); - int32x8_MINMAX(x0, x4); - int32x8_MINMAX(x1, x5); - int32x8_MINMAX(x2, x6); - int32x8_MINMAX(x3, x7); - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x4, x6); - int32x8_MINMAX(x5, x7); - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - int32x8_MINMAX(x4, x5); - int32x8_MINMAX(x6, x7); - int32x8_store(&x[i], x0); - int32x8_store(&x[i + q], x1); - int32x8_store(&x[i + 2 * q], x2); - int32x8_store(&x[i + 3 * q], x3); - int32x8_store(&x[i + 4 * q], x4); - int32x8_store(&x[i + 5 * q], x5); - int32x8_store(&x[i + 6 * q], x6); - int32x8_store(&x[i + 7 * q], x7); - } - } - q >>= 1; - } - while (q >= 16) { - q >>= 1; - for (j = 0; j < n; j += 4 * q) { - for (i = j; i < j + q; i += 8) { - int32x8 x0 = int32x8_load(&x[i]); - int32x8 x1 = int32x8_load(&x[i + q]); - int32x8 x2 = int32x8_load(&x[i + 2 * q]); - int32x8 x3 = int32x8_load(&x[i + 3 * q]); - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - int32x8_store(&x[i], x0); - int32x8_store(&x[i + q], x1); - int32x8_store(&x[i + 2 * q], x2); - int32x8_store(&x[i + 3 * q], x3); - } - } - q >>= 1; - } - if (q == 8) { - for (j = 0; j < n; j += q + q) { - int32x8 x0 = int32x8_load(&x[j]); - int32x8 x1 = int32x8_load(&x[j + q]); - int32x8_MINMAX(x0, x1); - int32x8_store(&x[j], x0); - 
int32x8_store(&x[j + q], x1); - } - } - - q = n >> 3; - for (i = 0; i < q; i += 8) { - int32x8 x0 = int32x8_load(&x[i]); - int32x8 x1 = int32x8_load(&x[i + q]); - int32x8 x2 = int32x8_load(&x[i + 2 * q]); - int32x8 x3 = int32x8_load(&x[i + 3 * q]); - int32x8 x4 = int32x8_load(&x[i + 4 * q]); - int32x8 x5 = int32x8_load(&x[i + 5 * q]); - int32x8 x6 = int32x8_load(&x[i + 6 * q]); - int32x8 x7 = int32x8_load(&x[i + 7 * q]); - - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - int32x8_MINMAX(x4, x5); - int32x8_MINMAX(x6, x7); - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x4, x6); - int32x8_MINMAX(x5, x7); - int32x8_MINMAX(x0, x4); - int32x8_MINMAX(x1, x5); - int32x8_MINMAX(x2, x6); - int32x8_MINMAX(x3, x7); - - int32x8 b0 = _mm256_unpacklo_epi32(x0, x4); /* AE0AE1AE4AE5 */ - int32x8 b1 = _mm256_unpackhi_epi32(x0, x4); /* AE2AE3AE6AE7 */ - int32x8 b2 = _mm256_unpacklo_epi32(x1, x5); /* BF0BF1BF4BF5 */ - int32x8 b3 = _mm256_unpackhi_epi32(x1, x5); /* BF2BF3BF6BF7 */ - int32x8 b4 = _mm256_unpacklo_epi32(x2, x6); /* CG0CG1CG4CG5 */ - int32x8 b5 = _mm256_unpackhi_epi32(x2, x6); /* CG2CG3CG6CG7 */ - int32x8 b6 = _mm256_unpacklo_epi32(x3, x7); /* DH0DH1DH4DH5 */ - int32x8 b7 = _mm256_unpackhi_epi32(x3, x7); /* DH2DH3DH6DH7 */ - - int32x8 c0 = _mm256_unpacklo_epi64(b0, b4); /* AECG0AECG4 */ - int32x8 c1 = _mm256_unpacklo_epi64(b1, b5); /* AECG2AECG6 */ - int32x8 c2 = _mm256_unpackhi_epi64(b0, b4); /* AECG1AECG5 */ - int32x8 c3 = _mm256_unpackhi_epi64(b1, b5); /* AECG3AECG7 */ - int32x8 c4 = _mm256_unpacklo_epi64(b2, b6); /* BFDH0BFDH4 */ - int32x8 c5 = _mm256_unpacklo_epi64(b3, b7); /* BFDH2BFDH6 */ - int32x8 c6 = _mm256_unpackhi_epi64(b2, b6); /* BFDH1BFDH5 */ - int32x8 c7 = _mm256_unpackhi_epi64(b3, b7); /* BFDH3BFDH7 */ - - int32x8 d0 = _mm256_permute2x128_si256(c0, c4, 0x20); /* AECGBFDH0 */ - int32x8 d1 = _mm256_permute2x128_si256(c1, c5, 0x20); /* AECGBFDH2 */ - int32x8 d2 = _mm256_permute2x128_si256(c2, c6, 0x20); /* AECGBFDH1 */ - int32x8 d3 = 
_mm256_permute2x128_si256(c3, c7, 0x20); /* AECGBFDH3 */ - int32x8 d4 = _mm256_permute2x128_si256(c0, c4, 0x31); /* AECGBFDH4 */ - int32x8 d5 = _mm256_permute2x128_si256(c1, c5, 0x31); /* AECGBFDH6 */ - int32x8 d6 = _mm256_permute2x128_si256(c2, c6, 0x31); /* AECGBFDH5 */ - int32x8 d7 = _mm256_permute2x128_si256(c3, c7, 0x31); /* AECGBFDH7 */ - - if (flagdown) { - d0 ^= mask; - d1 ^= mask; - d2 ^= mask; - d3 ^= mask; - d4 ^= mask; - d5 ^= mask; - d6 ^= mask; - d7 ^= mask; - } - - int32x8_store(&x[i], d0); - int32x8_store(&x[i + q], d4); - int32x8_store(&x[i + 2 * q], d1); - int32x8_store(&x[i + 3 * q], d5); - int32x8_store(&x[i + 4 * q], d2); - int32x8_store(&x[i + 5 * q], d6); - int32x8_store(&x[i + 6 * q], d3); - int32x8_store(&x[i + 7 * q], d7); - } -} - -static void int32_sort(int32 *x, long long n) { - long long q, i, j; - - if (n <= 8) { - if (n == 8) { - int32_MINMAX(&x[0], &x[1]); - int32_MINMAX(&x[1], &x[2]); - int32_MINMAX(&x[2], &x[3]); - int32_MINMAX(&x[3], &x[4]); - int32_MINMAX(&x[4], &x[5]); - int32_MINMAX(&x[5], &x[6]); - int32_MINMAX(&x[6], &x[7]); - } - if (n >= 7) { - int32_MINMAX(&x[0], &x[1]); - int32_MINMAX(&x[1], &x[2]); - int32_MINMAX(&x[2], &x[3]); - int32_MINMAX(&x[3], &x[4]); - int32_MINMAX(&x[4], &x[5]); - int32_MINMAX(&x[5], &x[6]); - } - if (n >= 6) { - int32_MINMAX(&x[0], &x[1]); - int32_MINMAX(&x[1], &x[2]); - int32_MINMAX(&x[2], &x[3]); - int32_MINMAX(&x[3], &x[4]); - int32_MINMAX(&x[4], &x[5]); - } - if (n >= 5) { - int32_MINMAX(&x[0], &x[1]); - int32_MINMAX(&x[1], &x[2]); - int32_MINMAX(&x[2], &x[3]); - int32_MINMAX(&x[3], &x[4]); - } - if (n >= 4) { - int32_MINMAX(&x[0], &x[1]); - int32_MINMAX(&x[1], &x[2]); - int32_MINMAX(&x[2], &x[3]); - } - if (n >= 3) { - int32_MINMAX(&x[0], &x[1]); - int32_MINMAX(&x[1], &x[2]); - } - if (n >= 2) { - int32_MINMAX(&x[0], &x[1]); - } - return; - } - - if (!(n & (n - 1))) { - int32_sort_2power(x, n, 0); - return; - } - - q = 8; - while (q < n - q) { - q += q; - } - /* n > q >= 8 */ - - if (q <= 
128) { /* n <= 256 */ - int32x8 y[32]; - for (i = q >> 3; i < q >> 2; ++i) { - y[i] = _mm256_set1_epi32(0x7fffffff); - } - for (i = 0; i < n; ++i) { - ((int32 *) y)[i] = x[i]; - } - int32_sort_2power((int32 *) y, 2 * q, 0); - for (i = 0; i < n; ++i) { - x[i] = ((int32 *) y)[i]; - } - return; - } - - int32_sort_2power(x, q, 1); - int32_sort(x + q, n - q); - - while (q >= 64) { - q >>= 2; - j = int32_threestages(x, n, q); - minmax_vector(x + j, x + j + 4 * q, n - 4 * q - j); - if (j + 4 * q <= n) { - for (i = j; i < j + q; i += 8) { - int32x8 x0 = int32x8_load(&x[i]); - int32x8 x1 = int32x8_load(&x[i + q]); - int32x8 x2 = int32x8_load(&x[i + 2 * q]); - int32x8 x3 = int32x8_load(&x[i + 3 * q]); - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - int32x8_store(&x[i], x0); - int32x8_store(&x[i + q], x1); - int32x8_store(&x[i + 2 * q], x2); - int32x8_store(&x[i + 3 * q], x3); - } - j += 4 * q; - } - minmax_vector(x + j, x + j + 2 * q, n - 2 * q - j); - if (j + 2 * q <= n) { - for (i = j; i < j + q; i += 8) { - int32x8 x0 = int32x8_load(&x[i]); - int32x8 x1 = int32x8_load(&x[i + q]); - int32x8_MINMAX(x0, x1); - int32x8_store(&x[i], x0); - int32x8_store(&x[i + q], x1); - } - j += 2 * q; - } - minmax_vector(x + j, x + j + q, n - q - j); - q >>= 1; - } - if (q == 32) { - j = 0; - for (; j + 64 <= n; j += 64) { - int32x8 x0 = int32x8_load(&x[j]); - int32x8 x1 = int32x8_load(&x[j + 8]); - int32x8 x2 = int32x8_load(&x[j + 16]); - int32x8 x3 = int32x8_load(&x[j + 24]); - int32x8 x4 = int32x8_load(&x[j + 32]); - int32x8 x5 = int32x8_load(&x[j + 40]); - int32x8 x6 = int32x8_load(&x[j + 48]); - int32x8 x7 = int32x8_load(&x[j + 56]); - int32x8_MINMAX(x0, x4); - int32x8_MINMAX(x1, x5); - int32x8_MINMAX(x2, x6); - int32x8_MINMAX(x3, x7); - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x4, x6); - int32x8_MINMAX(x5, x7); - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - int32x8_MINMAX(x4, x5); - 
int32x8_MINMAX(x6, x7); - int32x8 a0 = _mm256_permute2x128_si256(x0, x1, 0x20); - int32x8 a1 = _mm256_permute2x128_si256(x0, x1, 0x31); - int32x8 a2 = _mm256_permute2x128_si256(x2, x3, 0x20); - int32x8 a3 = _mm256_permute2x128_si256(x2, x3, 0x31); - int32x8 a4 = _mm256_permute2x128_si256(x4, x5, 0x20); - int32x8 a5 = _mm256_permute2x128_si256(x4, x5, 0x31); - int32x8 a6 = _mm256_permute2x128_si256(x6, x7, 0x20); - int32x8 a7 = _mm256_permute2x128_si256(x6, x7, 0x31); - int32x8_MINMAX(a0, a1); - int32x8_MINMAX(a2, a3); - int32x8_MINMAX(a4, a5); - int32x8_MINMAX(a6, a7); - int32x8 b0 = _mm256_permute2x128_si256(a0, a1, 0x20); - int32x8 b1 = _mm256_permute2x128_si256(a0, a1, 0x31); - int32x8 b2 = _mm256_permute2x128_si256(a2, a3, 0x20); - int32x8 b3 = _mm256_permute2x128_si256(a2, a3, 0x31); - int32x8 b4 = _mm256_permute2x128_si256(a4, a5, 0x20); - int32x8 b5 = _mm256_permute2x128_si256(a4, a5, 0x31); - int32x8 b6 = _mm256_permute2x128_si256(a6, a7, 0x20); - int32x8 b7 = _mm256_permute2x128_si256(a6, a7, 0x31); - int32x8 c0 = _mm256_unpacklo_epi64(b0, b1); - int32x8 c1 = _mm256_unpackhi_epi64(b0, b1); - int32x8 c2 = _mm256_unpacklo_epi64(b2, b3); - int32x8 c3 = _mm256_unpackhi_epi64(b2, b3); - int32x8 c4 = _mm256_unpacklo_epi64(b4, b5); - int32x8 c5 = _mm256_unpackhi_epi64(b4, b5); - int32x8 c6 = _mm256_unpacklo_epi64(b6, b7); - int32x8 c7 = _mm256_unpackhi_epi64(b6, b7); - int32x8_MINMAX(c0, c1); - int32x8_MINMAX(c2, c3); - int32x8_MINMAX(c4, c5); - int32x8_MINMAX(c6, c7); - int32x8 d0 = _mm256_unpacklo_epi32(c0, c1); - int32x8 d1 = _mm256_unpackhi_epi32(c0, c1); - int32x8 d2 = _mm256_unpacklo_epi32(c2, c3); - int32x8 d3 = _mm256_unpackhi_epi32(c2, c3); - int32x8 d4 = _mm256_unpacklo_epi32(c4, c5); - int32x8 d5 = _mm256_unpackhi_epi32(c4, c5); - int32x8 d6 = _mm256_unpacklo_epi32(c6, c7); - int32x8 d7 = _mm256_unpackhi_epi32(c6, c7); - int32x8 e0 = _mm256_unpacklo_epi64(d0, d1); - int32x8 e1 = _mm256_unpackhi_epi64(d0, d1); - int32x8 e2 = _mm256_unpacklo_epi64(d2, 
d3); - int32x8 e3 = _mm256_unpackhi_epi64(d2, d3); - int32x8 e4 = _mm256_unpacklo_epi64(d4, d5); - int32x8 e5 = _mm256_unpackhi_epi64(d4, d5); - int32x8 e6 = _mm256_unpacklo_epi64(d6, d7); - int32x8 e7 = _mm256_unpackhi_epi64(d6, d7); - int32x8_MINMAX(e0, e1); - int32x8_MINMAX(e2, e3); - int32x8_MINMAX(e4, e5); - int32x8_MINMAX(e6, e7); - int32x8 f0 = _mm256_unpacklo_epi32(e0, e1); - int32x8 f1 = _mm256_unpackhi_epi32(e0, e1); - int32x8 f2 = _mm256_unpacklo_epi32(e2, e3); - int32x8 f3 = _mm256_unpackhi_epi32(e2, e3); - int32x8 f4 = _mm256_unpacklo_epi32(e4, e5); - int32x8 f5 = _mm256_unpackhi_epi32(e4, e5); - int32x8 f6 = _mm256_unpacklo_epi32(e6, e7); - int32x8 f7 = _mm256_unpackhi_epi32(e6, e7); - int32x8_store(&x[j], f0); - int32x8_store(&x[j + 8], f1); - int32x8_store(&x[j + 16], f2); - int32x8_store(&x[j + 24], f3); - int32x8_store(&x[j + 32], f4); - int32x8_store(&x[j + 40], f5); - int32x8_store(&x[j + 48], f6); - int32x8_store(&x[j + 56], f7); - } - minmax_vector(x + j, x + j + 32, n - 32 - j); - goto continue16; - } - if (q == 16) { - j = 0; -continue16: - for (; j + 32 <= n; j += 32) { - int32x8 x0 = int32x8_load(&x[j]); - int32x8 x1 = int32x8_load(&x[j + 8]); - int32x8 x2 = int32x8_load(&x[j + 16]); - int32x8 x3 = int32x8_load(&x[j + 24]); - int32x8_MINMAX(x0, x2); - int32x8_MINMAX(x1, x3); - int32x8_MINMAX(x0, x1); - int32x8_MINMAX(x2, x3); - int32x8 a0 = _mm256_permute2x128_si256(x0, x1, 0x20); - int32x8 a1 = _mm256_permute2x128_si256(x0, x1, 0x31); - int32x8 a2 = _mm256_permute2x128_si256(x2, x3, 0x20); - int32x8 a3 = _mm256_permute2x128_si256(x2, x3, 0x31); - int32x8_MINMAX(a0, a1); - int32x8_MINMAX(a2, a3); - int32x8 b0 = _mm256_permute2x128_si256(a0, a1, 0x20); - int32x8 b1 = _mm256_permute2x128_si256(a0, a1, 0x31); - int32x8 b2 = _mm256_permute2x128_si256(a2, a3, 0x20); - int32x8 b3 = _mm256_permute2x128_si256(a2, a3, 0x31); - int32x8 c0 = _mm256_unpacklo_epi64(b0, b1); - int32x8 c1 = _mm256_unpackhi_epi64(b0, b1); - int32x8 c2 = 
_mm256_unpacklo_epi64(b2, b3); - int32x8 c3 = _mm256_unpackhi_epi64(b2, b3); - int32x8_MINMAX(c0, c1); - int32x8_MINMAX(c2, c3); - int32x8 d0 = _mm256_unpacklo_epi32(c0, c1); - int32x8 d1 = _mm256_unpackhi_epi32(c0, c1); - int32x8 d2 = _mm256_unpacklo_epi32(c2, c3); - int32x8 d3 = _mm256_unpackhi_epi32(c2, c3); - int32x8 e0 = _mm256_unpacklo_epi64(d0, d1); - int32x8 e1 = _mm256_unpackhi_epi64(d0, d1); - int32x8 e2 = _mm256_unpacklo_epi64(d2, d3); - int32x8 e3 = _mm256_unpackhi_epi64(d2, d3); - int32x8_MINMAX(e0, e1); - int32x8_MINMAX(e2, e3); - int32x8 f0 = _mm256_unpacklo_epi32(e0, e1); - int32x8 f1 = _mm256_unpackhi_epi32(e0, e1); - int32x8 f2 = _mm256_unpacklo_epi32(e2, e3); - int32x8 f3 = _mm256_unpackhi_epi32(e2, e3); - int32x8_store(&x[j], f0); - int32x8_store(&x[j + 8], f1); - int32x8_store(&x[j + 16], f2); - int32x8_store(&x[j + 24], f3); - } - minmax_vector(x + j, x + j + 16, n - 16 - j); - goto continue8; - } - /* q == 8 */ - j = 0; -continue8: - for (; j + 16 <= n; j += 16) { - int32x8 x0 = int32x8_load(&x[j]); - int32x8 x1 = int32x8_load(&x[j + 8]); - int32x8_MINMAX(x0, x1); - int32x8_store(&x[j], x0); - int32x8_store(&x[j + 8], x1); - int32x8 a0 = _mm256_permute2x128_si256(x0, x1, 0x20); /* x0123y0123 */ - int32x8 a1 = _mm256_permute2x128_si256(x0, x1, 0x31); /* x4567y4567 */ - int32x8_MINMAX(a0, a1); - int32x8 b0 = _mm256_permute2x128_si256(a0, a1, 0x20); /* x01234567 */ - int32x8 b1 = _mm256_permute2x128_si256(a0, a1, 0x31); /* y01234567 */ - int32x8 c0 = _mm256_unpacklo_epi64(b0, b1); /* x01y01x45y45 */ - int32x8 c1 = _mm256_unpackhi_epi64(b0, b1); /* x23y23x67y67 */ - int32x8_MINMAX(c0, c1); - int32x8 d0 = _mm256_unpacklo_epi32(c0, c1); /* x02x13x46x57 */ - int32x8 d1 = _mm256_unpackhi_epi32(c0, c1); /* y02y13y46y57 */ - int32x8 e0 = _mm256_unpacklo_epi64(d0, d1); /* x02y02x46y46 */ - int32x8 e1 = _mm256_unpackhi_epi64(d0, d1); /* x13y13x57y57 */ - int32x8_MINMAX(e0, e1); - int32x8 f0 = _mm256_unpacklo_epi32(e0, e1); /* x01234567 */ - int32x8 f1 = 
_mm256_unpackhi_epi32(e0, e1); /* y01234567 */
- int32x8_store(&x[j], f0);
- int32x8_store(&x[j + 8], f1);
- }
- minmax_vector(x + j, x + j + 8, n - 8 - j);
- if (j + 8 <= n) {
- int32_MINMAX(&x[j], &x[j + 4]);
- int32_MINMAX(&x[j + 1], &x[j + 5]);
- int32_MINMAX(&x[j + 2], &x[j + 6]);
- int32_MINMAX(&x[j + 3], &x[j + 7]);
- int32_MINMAX(&x[j], &x[j + 2]);
- int32_MINMAX(&x[j + 1], &x[j + 3]);
- int32_MINMAX(&x[j], &x[j + 1]);
- int32_MINMAX(&x[j + 2], &x[j + 3]);
- int32_MINMAX(&x[j + 4], &x[j + 6]);
- int32_MINMAX(&x[j + 5], &x[j + 7]);
- int32_MINMAX(&x[j + 4], &x[j + 5]);
- int32_MINMAX(&x[j + 6], &x[j + 7]);
- j += 8;
- }
- minmax_vector(x + j, x + j + 4, n - 4 - j);
- if (j + 4 <= n) {
- int32_MINMAX(&x[j], &x[j + 2]);
- int32_MINMAX(&x[j + 1], &x[j + 3]);
- int32_MINMAX(&x[j], &x[j + 1]);
- int32_MINMAX(&x[j + 2], &x[j + 3]);
- j += 4;
- }
- if (j + 3 <= n) {
- int32_MINMAX(&x[j], &x[j + 2]);
- }
- if (j + 2 <= n) {
- int32_MINMAX(&x[j], &x[j + 1]);
- }
-}
-
-void PQCLEAN_SNTRUP857_AVX2_crypto_sort_int32(void *array, long long n) {
- int32_sort(array, n);
-}
diff --git a/crypto_kem/sntrup857/avx2/crypto_sort_int32.h b/crypto_kem/sntrup857/avx2/crypto_sort_int32.h
deleted file mode 100644
index feea501f..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_sort_int32.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_AVX2_CRYPTO_SORT_INT32_H
-#define PQCLEAN_SNTRUP857_AVX2_CRYPTO_SORT_INT32_H
-
-#include
-#define PQCLEAN_SNTRUP857_AVX2_crypto_sort_int32_BYTES 4
-
-void PQCLEAN_SNTRUP857_AVX2_crypto_sort_int32(void *array, long long n);
-#endif
diff --git a/crypto_kem/sntrup857/avx2/crypto_sort_uint32.c b/crypto_kem/sntrup857/avx2/crypto_sort_uint32.c
deleted file mode 100644
index 25968272..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_sort_uint32.c
+++ /dev/null
@@ -1,18 +0,0 @@
-#include "crypto_sort_int32.h"
-#include "crypto_sort_uint32.h"
-
-
-/* can save time by vectorizing xor loops */
-/* can save time by integrating xor loops with int32_sort */
-
-void PQCLEAN_SNTRUP857_AVX2_crypto_sort_uint32(void *array, long long n) {
- uint32_t *x = array;
- long long j;
- for (j = 0; j < n; ++j) {
- x[j] ^= 0x80000000;
- }
- PQCLEAN_SNTRUP857_AVX2_crypto_sort_int32((int32_t *)array, n);
- for (j = 0; j < n; ++j) {
- x[j] ^= 0x80000000;
- }
-}
diff --git a/crypto_kem/sntrup857/avx2/crypto_sort_uint32.h b/crypto_kem/sntrup857/avx2/crypto_sort_uint32.h
deleted file mode 100644
index a30ecb99..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_sort_uint32.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_AVX2_CRYPTO_SORT_UINT32_H
-#define PQCLEAN_SNTRUP857_AVX2_CRYPTO_SORT_UINT32_H
-
-#include
-#define PQCLEAN_SNTRUP857_AVX2_crypto_sort_uint32_BYTES 4
-
-void PQCLEAN_SNTRUP857_AVX2_crypto_sort_uint32(void *array, long long n);
-#endif
diff --git a/crypto_kem/sntrup857/avx2/crypto_stream_aes256ctr.c b/crypto_kem/sntrup857/avx2/crypto_stream_aes256ctr.c
deleted file mode 100644
index 048a6a0c..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_stream_aes256ctr.c
+++ /dev/null
@@ -1,15 +0,0 @@
-#include "crypto_stream_aes256ctr.h"
-
-
-int PQCLEAN_SNTRUP857_AVX2_crypto_stream_aes256ctr(
- uint8_t *out,
- size_t outlen,
- const uint8_t nonce[AESCTR_NONCEBYTES],
- const uint8_t key[AES256_KEYBYTES]) {
-
- aes256ctx state;
- aes256_ctr_keyexp(&state, key);
- aes256_ctr(out, outlen, nonce, &state);
- aes256_ctx_release(&state);
- return 0;
-}
diff --git a/crypto_kem/sntrup857/avx2/crypto_stream_aes256ctr.h b/crypto_kem/sntrup857/avx2/crypto_stream_aes256ctr.h
deleted file mode 100644
index 6c43671d..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_stream_aes256ctr.h
+++ /dev/null
@@ -1,15 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_AVX2_CRYPTO_STREAM_AES256CTR_H
-#define PQCLEAN_SNTRUP857_AVX2_CRYPTO_STREAM_AES256CTR_H
-#include "aes.h"
-#include
-#include
-
-
-
-int PQCLEAN_SNTRUP857_AVX2_crypto_stream_aes256ctr(
- uint8_t *out,
- size_t outlen,
- const uint8_t nonce[AESCTR_NONCEBYTES],
- const uint8_t key[AES256_KEYBYTES]);
-
-#endif
diff --git a/crypto_kem/sntrup857/avx2/crypto_verify_1184.c b/crypto_kem/sntrup857/avx2/crypto_verify_1184.c
deleted file mode 100644
index d854ffb6..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_verify_1184.c
+++ /dev/null
@@ -1,36 +0,0 @@
-#include "crypto_verify_1184.h"
-#include
-
-int PQCLEAN_SNTRUP857_AVX2_crypto_verify_1184(const unsigned char *x, const unsigned char *y) {
- __m256i diff = _mm256_set1_epi8(0);
- unsigned int differentbits = 0;
- int i = PQCLEAN_SNTRUP857_AVX2_crypto_verify_1184_BYTES;
-
- i -= 32;
- for (;;) {
- do {
- __m256i x0 = _mm256_loadu_si256((__m256i *) x);
- __m256i y0 = _mm256_loadu_si256((__m256i *) y);
- diff |= x0 ^ y0;
- i -= 32;
- x += 32;
- y += 32;
- } while (i >= 0);
- if (i <= -32) {
- break;
- }
- x += i;
- y += i;
- }
-
- diff |= _mm256_srli_epi16(diff, 8);
- diff |= _mm256_srli_epi32(diff, 16);
- diff |= _mm256_srli_epi64(diff, 32);
-
- differentbits = (unsigned int) _mm256_extract_epi8(diff, 0);
- differentbits |= (unsigned int) _mm256_extract_epi8(diff, 8);
- differentbits |= (unsigned int) _mm256_extract_epi8(diff, 16);
- differentbits |= (unsigned int) _mm256_extract_epi8(diff, 24);
-
- return (int) (1 & ((differentbits - 1) >> 8)) - 1;
-}
diff --git a/crypto_kem/sntrup857/avx2/crypto_verify_1184.h b/crypto_kem/sntrup857/avx2/crypto_verify_1184.h
deleted file mode 100644
index 606fe2d0..00000000
--- a/crypto_kem/sntrup857/avx2/crypto_verify_1184.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_AVX2_CRYPTO_VERIFY_1184_H
-#define PQCLEAN_SNTRUP857_AVX2_CRYPTO_VERIFY_1184_H
-
-#include
-#define PQCLEAN_SNTRUP857_AVX2_crypto_verify_1184_BYTES 1184
-
-int PQCLEAN_SNTRUP857_AVX2_crypto_verify_1184(const unsigned char *x, const unsigned char *y);
-#endif
diff --git a/crypto_kem/sntrup857/avx2/kem.c b/crypto_kem/sntrup857/avx2/kem.c
deleted file mode 100644
index 7a1b2d52..00000000
--- a/crypto_kem/sntrup857/avx2/kem.c
+++ /dev/null
@@ -1,247 +0,0 @@
-#include "api.h"
-#include "crypto_sort_uint32.h"
-#include "params.h"
-#include "randombytes.h"
-#include "sha2.h"
-
-
-
-#define int8 int8_t
-#define int16 int16_t
-#define int32 int32_t
-#define uint16 uint16_t
-#define uint32 uint32_t
-
-/* ----- arithmetic mod 3 */
-
-typedef int8 small;
-/* F3 is always represented as -1,0,1 */
-
-/* ----- arithmetic mod q */
-
-typedef int16 Fq;
-/* always represented as -(q-1)/2...(q-1)/2 */
-
-/* ----- small polynomials */
-
-/* R3_fromR(R_fromRq(r)) */
-static void R3_fromRq(small *out, const Fq *r) {
- crypto_encode_pxfreeze3((unsigned char *) out, (unsigned char *) r);
-}
-
-/* h = f*g in the ring R3 */
-static void R3_mult(small *h, const small *f, const small *g) {
- crypto_core_mult3((unsigned char *) h, (const unsigned char *) f, (const unsigned char *) g);
-}
-
-/* ----- polynomials mod q */
-
-/* h = h*g in the ring Rq */
-static void Rq_mult_small(Fq *h, const small *g) {
- crypto_encode_pxint16((unsigned char *) h, h);
- crypto_core_mult((unsigned char *) h, (const unsigned char *) h, (const unsigned char *) g);
- crypto_decode_pxint16(h, (const unsigned char *) h);
-}
-
-/* h = 3f in Rq */
-static void Rq_mult3(Fq *h, const Fq *f) {
- crypto_encode_pxint16((unsigned char *) h, f);
- crypto_core_scale3((unsigned char *) h, (const unsigned char *) h);
- crypto_decode_pxint16(h, (const unsigned char *) h);
-}
-
-/* out = 1/(3*in) in Rq */
-/* caller must have 2p+1 bytes free in out, not just 2p */
-static void Rq_recip3(Fq *out, const small *in) {
- crypto_core_inv((unsigned char *) out, (const unsigned char *) in);
- /* could check byte 2*p for failure; but, in context, inv always works */
- crypto_decode_pxint16(out, (unsigned char *) out);
-}
-
-/* ----- underlying hash function */
-
-#define Hash_bytes 32
-
-static void Hash(unsigned char *out, const unsigned char *in, int inlen) {
- unsigned char h[64];
- int i;
- sha512(h, in, (size_t) inlen);
- for (i = 0; i < 32; ++i) {
- out[i] = h[i];
- }
-}
-
-/* ----- higher-level randomness */
-
-static void Short_random(small *out) {
- uint32 L[ppadsort];
- int i;
-
- randombytes((unsigned char *) L, 4 * p);
- crypto_decode_pxint32(L, (unsigned char *) L);
- for (i = 0; i < w; ++i) {
- L[i] = L[i] & (uint32) - 2;
- }
- for (i = w; i < p; ++i) {
- L[i] = (L[i] & (uint32) - 3) | 1;
- }
- for (i = p; i < ppadsort; ++i) {
- L[i] = 0xffffffff;
- }
- PQCLEAN_SNTRUP857_AVX2_crypto_sort_uint32(L, ppadsort);
- for (i = 0; i < p; ++i) {
- out[i] = (small) ((L[i] & 3) - 1);
- }
-}
-
-static void Small_random(small *out) {
- uint32 L[p];
- int i;
-
- randombytes((unsigned char *) L, sizeof L);
- crypto_decode_pxint32(L, (unsigned char *) L);
- for (i = 0; i < p; ++i) {
- out[i] = (small) ((((L[i] & 0x3fffffff) * 3) >> 30) - 1);
- }
-}
-
-/* ----- Streamlined NTRU Prime */
-
-typedef small Inputs[p]; /* passed by reference */
-#define Ciphertexts_bytes Rounded_bytes
-#define SecretKeys_bytes (2*Small_bytes)
-#define PublicKeys_bytes Rq_bytes
-#define Confirm_bytes 32
-
-/* c,r_enc[1:] = Hide(r,pk,cache); cache is Hash4(pk) */
-/* also set r_enc[0]=3 */
-/* also set x[0]=2, and x[1:1+Hash_bytes] = Hash3(r_enc) */
-/* also overwrite x[1+Hash_bytes:1+2*Hash_bytes] */
-static void Hide(unsigned char *x, unsigned char *c, unsigned char *r_enc, const Inputs r, const unsigned char *pk, const unsigned char *cache) {
- Fq h[p];
- int i;
-
- Small_encode(r_enc + 1, r);
- Rq_decode(h, pk);
- Rq_mult_small(h, r);
- Round_and_encode(c, h);
- r_enc[0] = 3;
- Hash(x + 1, r_enc, 1 + Small_bytes);
- for (i = 0; i < Hash_bytes; ++i) {
- x[1 + Hash_bytes + i] = cache[i];
- }
- x[0] = 2;
- Hash(c + Ciphertexts_bytes, x, 1 + Hash_bytes * 2);
-}
-
-
-int PQCLEAN_SNTRUP857_AVX2_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) {
- small g[p];
- for (;;) {
- Small_random(g);
- {
- small v[p + 1];
- crypto_core_inv3((unsigned char *) v, (const unsigned char *) g);
- if (v[p] == 0) {
- Small_encode(sk + Small_bytes, v);
- break;
- }
- }
- }
- {
- small f[p];
- Short_random(f);
- Small_encode(sk, f);
- {
- Fq h[p + 1];
- Rq_recip3(h, f); /* always works */
- Rq_mult_small(h, g);
- Rq_encode(pk, h);
- }
- }
- {
- int i;
- unsigned char sksave = sk[SecretKeys_bytes - 1];
- for (i = 0; i < PublicKeys_bytes; ++i) {
- sk[SecretKeys_bytes + i] = pk[i];
- }
- sk[SecretKeys_bytes - 1] = 4;
- Hash(sk + SecretKeys_bytes + PublicKeys_bytes + Small_bytes, sk + SecretKeys_bytes - 1, 1 + PublicKeys_bytes);
- sk[SecretKeys_bytes - 1] = sksave;
- randombytes(sk + SecretKeys_bytes + PublicKeys_bytes, Small_bytes);
- }
- return 0;
-}
-
-int PQCLEAN_SNTRUP857_AVX2_crypto_kem_enc(unsigned char *c, unsigned char *k, const unsigned char *pk) {
- unsigned char cache[Hash_bytes];
- int i;
- {
- unsigned char y[1 + PublicKeys_bytes]; /* XXX: can eliminate with incremental hashing */
- for (i = 0; i < PublicKeys_bytes; ++i) {
- y[1 + i] = pk[i];
- }
- y[0] = 4;
- Hash(cache, y, sizeof y);
- }
- {
- Inputs r;
- Short_random(r);
- {
- unsigned char r_enc[Small_bytes + 1];
- unsigned char x[1 + Hash_bytes + Ciphertexts_bytes + Confirm_bytes];
- Hide(x, c, r_enc, r, pk, cache);
- for (i = 0; i < Ciphertexts_bytes + Confirm_bytes; ++i) {
- x[1 + Hash_bytes + i] = c[i];
- }
- x[0] = 1;
- Hash(k, x, sizeof x);
- }
- }
- return 0;
-}
-
-int PQCLEAN_SNTRUP857_AVX2_crypto_kem_dec(unsigned char *k, const unsigned char *c, const unsigned char *sk) {
- const unsigned char *pk = sk + SecretKeys_bytes;
- const unsigned char *rho = pk + PublicKeys_bytes;
- const unsigned char *cache = rho + Small_bytes;
- int mask, i;
- Inputs r;
- {
- Fq d[p];
- Rounded_decode(d, c);
- {
- small f[p];
- Small_decode(f, sk);
- Rq_mult_small(d, f);
- Rq_mult3(d, d);
- }
- {
- small e[p];
- small v[p];
- R3_fromRq(e, d);
- Small_decode(v, sk + Small_bytes);
- R3_mult(r, e, v);
- }
- crypto_core_wforce((unsigned char *) r, (unsigned char *) r);
- }
- {
- unsigned char r_enc[1 + Small_bytes];
- unsigned char cnew[Ciphertexts_bytes + Confirm_bytes];
- unsigned char x[1 + Hash_bytes + Ciphertexts_bytes + Confirm_bytes];
- /* XXX: can use incremental hashing to reduce x size */
-
- Hide(x, cnew, r_enc, r, pk, cache);
- mask = crypto_verify_clen(c, cnew);
- for (i = 0; i < Small_bytes; ++i) {
- r_enc[i + 1] ^= (unsigned char) (mask & (r_enc[i + 1] ^ rho[i]));
- }
- Hash(x + 1, r_enc, 1 + Small_bytes); /* XXX: can instead do cmov on cached hash of rho */
- for (i = 0; i < Ciphertexts_bytes + Confirm_bytes; ++i) {
- x[1 + Hash_bytes + i] = c[i];
- }
- x[0] = (unsigned char) (1 + mask);
- Hash(k, x, sizeof x);
- }
- return 0;
-}
diff --git a/crypto_kem/sntrup857/avx2/params.h b/crypto_kem/sntrup857/avx2/params.h
deleted file mode 100644
index 14bd9ccc..00000000
--- a/crypto_kem/sntrup857/avx2/params.h
+++ /dev/null
@@ -1,73 +0,0 @@
-#ifndef params_H
-#define params_H
-#include "crypto_core_inv3sntrup857.h"
-#include "crypto_core_invsntrup857.h"
-#include "crypto_core_mult3sntrup857.h"
-#include "crypto_core_multsntrup857.h"
-#include "crypto_core_scale3sntrup857.h"
-#include "crypto_core_weightsntrup857.h"
-#include "crypto_core_wforcesntrup857.h"
-#include "crypto_decode_857x1723.h"
-#include "crypto_decode_857x3.h"
-#include "crypto_decode_857x5167.h"
-#include "crypto_decode_857xint16.h"
-#include "crypto_decode_857xint32.h"
-#include "crypto_encode_857x1723.h"
-#include "crypto_encode_857x1723round.h"
-#include "crypto_encode_857x3.h"
-#include "crypto_encode_857x5167.h"
-#include "crypto_encode_857xfreeze3.h"
-#include "crypto_encode_857xint16.h"
-#include "crypto_encode_int16.h"
-#include "crypto_sort_int32.h"
-#include "crypto_sort_uint32.h"
-#include "crypto_verify_1184.h"
-
-
-#define qinv (-19761) /* reciprocal of q mod 2^16 */
-#define q27 25976 /* closest integer to 2^27/q */
-#define q18 51 /* closest integer to 2^18/q */
-#define ppad 865
-#define crypto_core_weight PQCLEAN_SNTRUP857_AVX2_crypto_core_weightsntrup857
-#define p 857
-#define q 5167
-#define w 322
-
-#define ppadsort 857
-
-#define crypto_verify_clen PQCLEAN_SNTRUP857_AVX2_crypto_verify_1184
-
-#define Rq_bytes PQCLEAN_SNTRUP857_AVX2_crypto_encode_857x5167_STRBYTES
-#define Rq_encode PQCLEAN_SNTRUP857_AVX2_crypto_encode_857x5167
-#define Rq_decode PQCLEAN_SNTRUP857_AVX2_crypto_decode_857x5167
-
-#define Rounded_bytes PQCLEAN_SNTRUP857_AVX2_crypto_decode_857x1723_STRBYTES
-#define Rounded_decode PQCLEAN_SNTRUP857_AVX2_crypto_decode_857x1723
-
-#define Round_and_encode PQCLEAN_SNTRUP857_AVX2_crypto_encode_857x1723round
-
-#define Small_bytes PQCLEAN_SNTRUP857_AVX2_crypto_encode_857x3_STRBYTES
-#define Small_encode PQCLEAN_SNTRUP857_AVX2_crypto_encode_857x3
-#define Small_decode PQCLEAN_SNTRUP857_AVX2_crypto_decode_857x3
-
-#define crypto_encode_pxfreeze3 PQCLEAN_SNTRUP857_AVX2_crypto_encode_857xfreeze3
-
-#define crypto_decode_pxint32 PQCLEAN_SNTRUP857_AVX2_crypto_decode_857xint32
-
-#define crypto_decode_pxint16 PQCLEAN_SNTRUP857_AVX2_crypto_decode_857xint16
-
-#define crypto_encode_pxint16 PQCLEAN_SNTRUP857_AVX2_crypto_encode_857xint16
-
-#define crypto_core_wforce PQCLEAN_SNTRUP857_AVX2_crypto_core_wforcesntrup857
-
-#define crypto_core_scale3 PQCLEAN_SNTRUP857_AVX2_crypto_core_scale3sntrup857
-
-#define crypto_core_inv PQCLEAN_SNTRUP857_AVX2_crypto_core_invsntrup857
-
-#define crypto_core_inv3 PQCLEAN_SNTRUP857_AVX2_crypto_core_inv3sntrup857
-
-#define crypto_core_mult PQCLEAN_SNTRUP857_AVX2_crypto_core_multsntrup857
-
-#define crypto_core_mult3 PQCLEAN_SNTRUP857_AVX2_crypto_core_mult3sntrup857
-
-#endif
diff --git a/crypto_kem/sntrup857/clean/LICENSE b/crypto_kem/sntrup857/clean/LICENSE
deleted file mode 100644
index d5d21fff..00000000
--- a/crypto_kem/sntrup857/clean/LICENSE
+++ /dev/null
@@ -1 +0,0 @@
-Public Domain
diff --git a/crypto_kem/sntrup857/clean/Makefile.Microsoft_nmake b/crypto_kem/sntrup857/clean/Makefile.Microsoft_nmake
deleted file mode 100644
index a2f0c64d..00000000
--- a/crypto_kem/sntrup857/clean/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libsntrup857_clean.lib
-OBJECTS=crypto_core_inv3sntrup857.obj crypto_core_invsntrup857.obj crypto_core_mult3sntrup857.obj crypto_core_multsntrup857.obj crypto_core_scale3sntrup857.obj crypto_core_weightsntrup857.obj crypto_core_wforcesntrup857.obj crypto_decode_857x1723.obj crypto_decode_857x3.obj crypto_decode_857x5167.obj crypto_decode_857xint16.obj crypto_decode_857xint32.obj crypto_encode_857x1723.obj crypto_encode_857x1723round.obj crypto_encode_857x3.obj crypto_encode_857x5167.obj crypto_encode_857xfreeze3.obj crypto_encode_857xint16.obj crypto_encode_int16.obj crypto_sort_int32.obj crypto_sort_uint32.obj crypto_stream_aes256ctr.obj crypto_verify_1184.obj kem.obj
-
-CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_kem/sntrup857/clean/api.h b/crypto_kem/sntrup857/clean/api.h
deleted file mode 100644
index cb9e4c58..00000000
--- a/crypto_kem/sntrup857/clean/api.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_CLEAN_API_H
-#define PQCLEAN_SNTRUP857_CLEAN_API_H
-
-
-
-#define PQCLEAN_SNTRUP857_CLEAN_CRYPTO_ALGNAME "sntrup857"
-
-#define PQCLEAN_SNTRUP857_CLEAN_CRYPTO_SECRETKEYBYTES 1999
-#define PQCLEAN_SNTRUP857_CLEAN_CRYPTO_PUBLICKEYBYTES 1322
-#define PQCLEAN_SNTRUP857_CLEAN_CRYPTO_CIPHERTEXTBYTES 1184
-#define PQCLEAN_SNTRUP857_CLEAN_CRYPTO_BYTES 32
-
-int PQCLEAN_SNTRUP857_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk);
-int PQCLEAN_SNTRUP857_CLEAN_crypto_kem_enc(unsigned char *c, unsigned char *k, const unsigned char *pk);
-int PQCLEAN_SNTRUP857_CLEAN_crypto_kem_dec(unsigned char *k, const unsigned char *c, const unsigned char *sk);
-#endif
diff --git a/crypto_kem/sntrup857/clean/crypto_core_inv3sntrup857.c b/crypto_kem/sntrup857/clean/crypto_core_inv3sntrup857.c
deleted file mode 100644
index c053c761..00000000
--- a/crypto_kem/sntrup857/clean/crypto_core_inv3sntrup857.c
+++ /dev/null
@@ -1,110 +0,0 @@
-#include "crypto_core_inv3sntrup857.h"
-#include "params.h"
-
-
-
-#define int8 int8_t
-#define int16 int16_t
-#define int32 int32_t
-#define uint16 uint16_t
-#define uint32 uint32_t
-
-/* ----- masks */
-
-/* return -1 if x!=0; else return 0 */
-static int int16_nonzero_mask(int16 x) {
- uint16 u = (uint16) x; /* 0, else 1...65535 */
- uint32 v = u; /* 0, else 1...65535 */
- v = ~v + 1; /* 0, else 2^32-65535...2^32-1 */
- v >>= 31; /* 0, else 1 */
- return -(int) v; /* 0, else -1 */
-}
-
-/* return -1 if x<0; otherwise return 0 */
-static int int16_negative_mask(int16 x) {
- uint16 u = (uint16) x;
- u >>= 15;
- return -(int) u;
- /* alternative with gcc -fwrapv: */
- /* x>>15 compiles to CPU's arithmetic right shift */
-}
-
-/* ----- arithmetic mod 3 */
-
-typedef int8 small;
-/* F3 is always represented as -1,0,1 */
-
-/* works for -16384 <= x < 16384 */
-static small F3_freeze(int16 x) {
- return (small) (x - 3 * ((10923 * x + 16384) >> 15));
-}
-
-/* byte p of output is 0 if recip succeeded; else -1 */
-int PQCLEAN_SNTRUP857_CLEAN_crypto_core_inv3sntrup857(unsigned char *outbytes, const unsigned char *inbytes) {
- small *out = (void *) outbytes;
- small *in = (void *) inbytes;
- small f[p + 1], g[p + 1], v[p + 1], r[p + 1];
- int i, loop, delta;
- int sign, swap, t;
-
- for (i = 0; i < p + 1; ++i) {
- v[i] = 0;
- }
- for (i = 0; i < p + 1; ++i) {
- r[i] = 0;
- }
- r[0] = 1;
- for (i = 0; i < p; ++i) {
- f[i] = 0;
- }
- f[0] = 1;
- f[p - 1] = f[p] = -1;
- for (i = 0; i < p; ++i) {
- small i1 = in[i] & 1;
- g[p - 1 - i] = (small) (i1 - (in[i] & (i1 << 1)));
- }
- g[p] = 0;
-
- delta = 1;
-
- for (loop = 0; loop < 2 * p - 1; ++loop) {
- for (i = p; i > 0; --i) {
- v[i] = v[i - 1];
- }
- v[0] = 0;
-
- sign = -g[0] * f[0];
- swap = int16_negative_mask((int16) - delta) & int16_nonzero_mask(g[0]);
- delta ^= swap & (delta ^ -delta);
- delta += 1;
-
- for (i = 0; i < p + 1; ++i) {
- t = swap & (f[i] ^ g[i]);
- f[i] ^= (small) t;
- g[i] ^= (small) t;
- t = swap & (v[i] ^ r[i]);
- v[i] ^= (small) t;
- r[i] ^= (small) t;
- }
-
- for (i = 0; i < p + 1; ++i) {
- g[i] = F3_freeze((int16) (g[i] + sign * f[i]));
- }
- for (i = 0; i < p + 1; ++i) {
- r[i] = F3_freeze((int16) (r[i] + sign * v[i]));
- }
-
- for (i = 0; i < p; ++i) {
- g[i] = g[i + 1];
- }
- g[p] = 0;
- }
-
- sign = f[0];
- for (i = 0; i < p; ++i) {
- out[i] = (small) (sign * v[p - 1 - i]);
- }
-
- out[p] = (small) int16_nonzero_mask((int16) delta);
- return 0;
-}
diff --git a/crypto_kem/sntrup857/clean/crypto_core_inv3sntrup857.h b/crypto_kem/sntrup857/clean/crypto_core_inv3sntrup857.h
deleted file mode 100644
index f56ceac1..00000000
--- a/crypto_kem/sntrup857/clean/crypto_core_inv3sntrup857.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_CLEAN_CRYPTO_CORE_INV3SNTRUP857_H
-#define PQCLEAN_SNTRUP857_CLEAN_CRYPTO_CORE_INV3SNTRUP857_H
-
-#include
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_core_inv3sntrup857_OUTPUTBYTES 858
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_core_inv3sntrup857_INPUTBYTES 857
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_core_inv3sntrup857_KEYBYTES 0
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_core_inv3sntrup857_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP857_CLEAN_crypto_core_inv3sntrup857(unsigned char *outbytes, const unsigned char *inbytes);
-#endif
diff --git a/crypto_kem/sntrup857/clean/crypto_core_invsntrup857.c b/crypto_kem/sntrup857/clean/crypto_core_invsntrup857.c
deleted file mode 100644
index a8737a97..00000000
--- a/crypto_kem/sntrup857/clean/crypto_core_invsntrup857.c
+++ /dev/null
@@ -1,131 +0,0 @@
-#include "crypto_core_invsntrup857.h"
-#include "params.h"
-
-
-#define int8 int8_t
-#define int16 int16_t
-#define int32 int32_t
-#define uint16 uint16_t
-#define uint32 uint32_t
-
-
-/* ----- masks */
-
-/* return -1 if x!=0; else return 0 */
-static int int16_nonzero_mask(int16 x) {
- uint16 u = (uint16) x; /* 0, else 1...65535 */
- uint32 v = u; /* 0, else 1...65535 */
- v = ~v + 1; /* 0, else 2^32-65535...2^32-1 */
- v >>= 31; /* 0, else 1 */
- return -(int) v; /* 0, else -1 */
-}
-
-/* return -1 if x<0; otherwise return 0 */
-static int int16_negative_mask(int16 x) {
- uint16 u = (uint16) x;
- u >>= 15;
- return -(int) u;
- /* alternative with gcc -fwrapv: */
- /* x>>15 compiles to CPU's arithmetic right shift */
-}
-
-/* ----- arithmetic mod q */
-
-typedef int8 small;
-
-typedef int16 Fq;
-/* always represented as -(q-1)/2...(q-1)/2 */
-
-/* works for -14000000 < x < 14000000 if q in 4591, 4621, 5167 */
-static Fq Fq_freeze(int32 x) {
- x -= q * ((q18 * x) >> 18);
- x -= q * ((q27 * x + 67108864) >> 27);
- return (Fq) x;
-}
-
-static Fq Fq_recip(Fq a1) {
- int i = 1;
- Fq ai = a1;
-
- while (i < q - 2) {
- ai = Fq_freeze(a1 * (int32)ai);
- i += 1;
- }
- return ai;
-}
-
-/* ----- polynomials mod q */
-
-/* out = 1/(3*in) in Rq */
-/* outbytes[2*p] is 0 if recip succeeded; else -1 */
-int PQCLEAN_SNTRUP857_CLEAN_crypto_core_invsntrup857(unsigned char *outbytes, const unsigned char *inbytes) {
- small *in = (void *) inbytes;
- Fq out[p], f[p + 1], g[p + 1], v[p + 1], r[p + 1];
- int i, loop, delta;
- int swap, t;
- int32 f0, g0;
- Fq scale;
-
- for (i = 0; i < p + 1; ++i) {
- v[i] = 0;
- }
- for (i = 0; i < p + 1; ++i) {
- r[i] = 0;
- }
- r[0] = Fq_recip(3);
- for (i = 0; i < p; ++i) {
- f[i] = 0;
- }
- f[0] = 1;
- f[p - 1] = f[p] = -1;
- for (i = 0; i < p; ++i) {
- g[p - 1 - i] = in[i];
- }
- g[p] = 0;
-
- delta = 1;
-
- for (loop = 0; loop < 2 * p - 1; ++loop) {
- for (i = p; i > 0; --i) {
- v[i] = v[i - 1];
- }
- v[0] = 0;
-
- swap = int16_negative_mask((int16) - delta) & int16_nonzero_mask(g[0]);
- delta ^= swap & (delta ^ -delta);
- delta += 1;
-
- for (i = 0; i < p + 1; ++i) {
- t = swap & (f[i] ^ g[i]);
- f[i] ^= (Fq) t;
- g[i] ^= (Fq) t;
- t = swap & (v[i] ^ r[i]);
- v[i] ^= (Fq) t;
- r[i] ^= (Fq) t;
- }
-
- f0 = f[0];
- g0 = g[0];
- for (i = 0; i < p + 1; ++i) {
- g[i] = Fq_freeze(f0 * g[i] - g0 * f[i]);
- }
- for (i = 0; i < p + 1; ++i) {
- r[i] = Fq_freeze(f0 * r[i] - g0 * v[i]);
- }
-
- for (i = 0; i < p; ++i) {
- g[i] = g[i + 1];
- }
- g[p] = 0;
- }
-
- scale = Fq_recip(f[0]);
- for (i = 0; i < p; ++i) {
- out[i] = Fq_freeze(scale * (int32)v[p - 1 - i]);
- }
-
- crypto_encode_pxint16(outbytes, out);
-
- outbytes[2 * p] = (unsigned char) int16_nonzero_mask((int16) delta);
- return 0;
-}
diff --git a/crypto_kem/sntrup857/clean/crypto_core_invsntrup857.h b/crypto_kem/sntrup857/clean/crypto_core_invsntrup857.h
deleted file mode 100644
index a69a68fd..00000000
--- a/crypto_kem/sntrup857/clean/crypto_core_invsntrup857.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_CLEAN_CRYPTO_CORE_INVSNTRUP857_H
-#define PQCLEAN_SNTRUP857_CLEAN_CRYPTO_CORE_INVSNTRUP857_H
-
-#include
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_core_invsntrup857_OUTPUTBYTES 1715
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_core_invsntrup857_INPUTBYTES 857
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_core_invsntrup857_KEYBYTES 0
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_core_invsntrup857_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP857_CLEAN_crypto_core_invsntrup857(unsigned char *outbytes, const unsigned char *inbytes);
-#endif
diff --git a/crypto_kem/sntrup857/clean/crypto_core_mult3sntrup857.c b/crypto_kem/sntrup857/clean/crypto_core_mult3sntrup857.c
deleted file mode 100644
index d5391808..00000000
--- a/crypto_kem/sntrup857/clean/crypto_core_mult3sntrup857.c
+++ /dev/null
@@ -1,57 +0,0 @@
-#include "crypto_core_mult3sntrup857.h"
-#include "params.h"
-
-
-#define int8 int8_t
-#define int16 int16_t
-typedef int8 small;
-
-/* works for -16384 <= x < 16384 */
-static small F3_freeze(int16 x) {
- return (small) (x - 3 * ((10923 * x + 16384) >> 15));
-}
-
-int PQCLEAN_SNTRUP857_CLEAN_crypto_core_mult3sntrup857(unsigned char *outbytes, const unsigned char *inbytes, const unsigned char *kbytes) {
- small *h = (void *) outbytes;
- small f[p];
- small g[p];
- small fg[p + p - 1];
- int16 result;
- int i, j;
-
- for (i = 0; i < p; ++i) {
- small fi = (small) inbytes[i];
- small fi0 = fi & 1;
- f[i] = (small) (fi0 - (fi & (fi0 << 1)));
- }
- for (i = 0; i < p; ++i) {
- small gi = (small) kbytes[i];
- small gi0 = gi & 1;
- g[i] = (small) (gi0 - (gi & (gi0 << 1)));
- }
-
- for (i = 0; i < p; ++i) {
- result = 0;
- for (j = 0; j <= i; ++j) {
- result += (int16) (f[j] * g[i - j]);
- }
- fg[i] = F3_freeze(result);
- }
- for (i = p; i < p + p - 1; ++i) {
- result = 0;
- for (j = i - p + 1; j < p; ++j) {
- result += (int16) (f[j] * g[i - j]);
- }
- fg[i] = F3_freeze(result);
- }
-
- for (i = p + p - 2; i >= p; --i) {
- fg[i - p] = F3_freeze(fg[i - p] + fg[i]);
- fg[i - p + 1] = F3_freeze(fg[i - p + 1] + fg[i]);
- }
-
- for (i = 0; i < p; ++i) {
- h[i] = fg[i];
- }
- return 0;
-}
diff --git a/crypto_kem/sntrup857/clean/crypto_core_mult3sntrup857.h b/crypto_kem/sntrup857/clean/crypto_core_mult3sntrup857.h
deleted file mode 100644
index fc5a5492..00000000
--- a/crypto_kem/sntrup857/clean/crypto_core_mult3sntrup857.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_CLEAN_CRYPTO_CORE_MULT3SNTRUP857_H
-#define PQCLEAN_SNTRUP857_CLEAN_CRYPTO_CORE_MULT3SNTRUP857_H
-
-#include
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_core_mult3sntrup857_OUTPUTBYTES 857
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_core_mult3sntrup857_INPUTBYTES 857
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_core_mult3sntrup857_KEYBYTES 857
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_core_mult3sntrup857_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP857_CLEAN_crypto_core_mult3sntrup857(unsigned char *outbytes, const unsigned char *inbytes, const unsigned char *kbytes);
-#endif
diff --git a/crypto_kem/sntrup857/clean/crypto_core_multsntrup857.c b/crypto_kem/sntrup857/clean/crypto_core_multsntrup857.c
deleted file mode 100644
index 2066e528..00000000
--- a/crypto_kem/sntrup857/clean/crypto_core_multsntrup857.c
+++ /dev/null
@@ -1,60 +0,0 @@
-#include "crypto_core_multsntrup857.h"
-#include "params.h"
-
-
-#define int8 int8_t
-#define int16 int16_t
-#define int32 int32_t
-typedef int8 small;
-
-typedef int16 Fq;
-/* always represented as -(q-1)/2...(q-1)/2 */
-
-/* works for -14000000 < x < 14000000 if q in 4591, 4621, 5167 */
-static Fq Fq_freeze(int32 x) {
- x -= q * ((q18 * x) >> 18);
- x -= q * ((q27 * x + 67108864) >> 27);
- return (Fq) x;
-}
-
-int PQCLEAN_SNTRUP857_CLEAN_crypto_core_multsntrup857(unsigned char *outbytes, const unsigned char *inbytes, const unsigned char *kbytes) {
- Fq f[p];
- small g[p];
- Fq fg[p + p - 1];
- int32 result;
- int i, j;
-
- crypto_decode_pxint16(f, inbytes);
- for (i = 0; i < p; ++i) {
- f[i] = Fq_freeze(f[i]);
- }
-
- for (i = 0; i < p; ++i) {
- small gi = (small) kbytes[i];
- small gi0 = gi & 1;
- g[i] = (small) (gi0 - (gi & (gi0 << 1)));
- }
-
- for (i = 0; i < p; ++i) {
- result = 0;
- for (j = 0; j <= i; ++j) {
- result += f[j] * (int32)g[i - j];
- }
- fg[i] = Fq_freeze(result);
- }
- for (i = p; i < p + p - 1; ++i) {
- result = 0;
- for (j = i - p + 1; j < p; ++j) {
- result += f[j] * (int32)g[i - j];
- }
- fg[i] = Fq_freeze(result);
- }
-
- for (i = p + p - 2; i >= p; --i) {
- fg[i - p] = Fq_freeze(fg[i - p] + fg[i]);
- fg[i - p + 1] = Fq_freeze(fg[i - p + 1] + fg[i]);
- }
-
- crypto_encode_pxint16(outbytes, fg);
- return 0;
-}
diff --git a/crypto_kem/sntrup857/clean/crypto_core_multsntrup857.h b/crypto_kem/sntrup857/clean/crypto_core_multsntrup857.h
deleted file mode 100644
index 3eb38c74..00000000
--- a/crypto_kem/sntrup857/clean/crypto_core_multsntrup857.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_CLEAN_CRYPTO_CORE_MULTSNTRUP857_H
-#define PQCLEAN_SNTRUP857_CLEAN_CRYPTO_CORE_MULTSNTRUP857_H
-
-#include
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_core_multsntrup857_OUTPUTBYTES 1714
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_core_multsntrup857_INPUTBYTES 1714
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_core_multsntrup857_KEYBYTES 857
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_core_multsntrup857_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP857_CLEAN_crypto_core_multsntrup857(unsigned char *outbytes, const unsigned char *inbytes, const unsigned char *kbytes);
-#endif
diff --git a/crypto_kem/sntrup857/clean/crypto_core_scale3sntrup857.c b/crypto_kem/sntrup857/clean/crypto_core_scale3sntrup857.c
deleted file mode 100644
index 7ae6f613..00000000
--- a/crypto_kem/sntrup857/clean/crypto_core_scale3sntrup857.c
+++ /dev/null
@@ -1,32 +0,0 @@
-#include "crypto_core_scale3sntrup857.h"
-#include "crypto_decode_857xint16.h"
-#include "crypto_encode_857xint16.h"
-
-
-#define p 857
-#define q 5167
-
-#define crypto_decode_pxint16 PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857xint16
-#define crypto_encode_pxint16 PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857xint16
-
-typedef int16_t Fq;
-
-/* out = 3*in in Rq */
-int PQCLEAN_SNTRUP857_CLEAN_crypto_core_scale3sntrup857(unsigned char *outbytes, const unsigned char *inbytes) {
- Fq f[p];
- int i;
-
- crypto_decode_pxint16(f, inbytes);
- for (i = 0; i < p; ++i) {
- Fq x = f[i];
- x *= 3; /* (-3q+3)/2 ... (3q-3)/2 */
- x -= (q + 1) / 2; /* -2q+1 ... q-2 */
- x += q & (x >> 15); /* -q+1 ... q-1 */
- x += q & (x >> 15); /* 0 ... q-1 */
- x -= (q - 1) / 2; /* -(q-1)/2 ... (q-1)/2 */
- f[i] = x;
- }
- crypto_encode_pxint16(outbytes, f);
-
- return 0;
-}
diff --git a/crypto_kem/sntrup857/clean/crypto_core_scale3sntrup857.h b/crypto_kem/sntrup857/clean/crypto_core_scale3sntrup857.h
deleted file mode 100644
index 15fb76a5..00000000
--- a/crypto_kem/sntrup857/clean/crypto_core_scale3sntrup857.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_CLEAN_CRYPTO_CORE_SCALE3SNTRUP857_H
-#define PQCLEAN_SNTRUP857_CLEAN_CRYPTO_CORE_SCALE3SNTRUP857_H
-
-#include
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_core_scale3sntrup857_OUTPUTBYTES 1714
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_core_scale3sntrup857_INPUTBYTES 1714
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_core_scale3sntrup857_KEYBYTES 0
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_core_scale3sntrup857_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP857_CLEAN_crypto_core_scale3sntrup857(unsigned char *outbytes, const unsigned char *inbytes);
-#endif
diff --git a/crypto_kem/sntrup857/clean/crypto_core_weightsntrup857.c b/crypto_kem/sntrup857/clean/crypto_core_weightsntrup857.c
deleted file mode 100644
index e8274227..00000000
--- a/crypto_kem/sntrup857/clean/crypto_core_weightsntrup857.c
+++ /dev/null
@@ -1,21 +0,0 @@
-#include "crypto_core_weightsntrup857.h"
-#include "crypto_encode_int16.h"
-#include "params.h"
-
-
-#define int8 int8_t
-#define int16 int16_t
-
-
-/* out = little-endian weight of bottom bits of in */
-int PQCLEAN_SNTRUP857_CLEAN_crypto_core_weightsntrup857(unsigned char *outbytes, const unsigned char *inbytes) {
- int8 *in = (void *) inbytes;
- int16 weight = 0;
- int i;
-
- for (i = 0; i < p; ++i) {
- weight += in[i] & 1;
- }
- PQCLEAN_SNTRUP857_CLEAN_crypto_encode_int16(outbytes, &weight);
- return 0;
-}
diff --git a/crypto_kem/sntrup857/clean/crypto_core_weightsntrup857.h b/crypto_kem/sntrup857/clean/crypto_core_weightsntrup857.h
deleted file mode 100644
index e32e28cd..00000000
--- a/crypto_kem/sntrup857/clean/crypto_core_weightsntrup857.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_CLEAN_CRYPTO_CORE_WEIGHTSNTRUP857_H
-#define PQCLEAN_SNTRUP857_CLEAN_CRYPTO_CORE_WEIGHTSNTRUP857_H
-
-#include
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_core_weightsntrup857_OUTPUTBYTES 2
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_core_weightsntrup857_INPUTBYTES 857
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_core_weightsntrup857_KEYBYTES 0
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_core_weightsntrup857_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP857_CLEAN_crypto_core_weightsntrup857(unsigned char *outbytes, const unsigned char *inbytes);
-#endif
diff --git a/crypto_kem/sntrup857/clean/crypto_core_wforcesntrup857.c b/crypto_kem/sntrup857/clean/crypto_core_wforcesntrup857.c
deleted file mode 100644
index 174ab471..00000000
--- a/crypto_kem/sntrup857/clean/crypto_core_wforcesntrup857.c
+++ /dev/null
@@ -1,48 +0,0 @@
-#include "crypto_core_wforcesntrup857.h"
-#include "params.h"
-
-
-#define int8 int8_t
-#define int16 int16_t
-#define uint16 uint16_t
-#define uint32 uint32_t
-
-typedef int8 small;
-
-
-/* return -1 if x!=0; else return 0 */
-static int int16_nonzero_mask(int16 x) {
- uint16 u = (uint16) x; /* 0, else 1...65535 */
- uint32 v = u; /* 0, else 1...65535 */
- v = ~v + 1; /* 0, else 2^32-65535...2^32-1 */
- v >>= 31; /* 0, else 1 */
- return -(int) v; /* 0, else -1 */
-}
-
-/* 0 if Weightw_is(r), else -1 */
-static int Weightw_mask(const small *r) {
- int weight = 0;
- int i;
-
- for (i = 0; i < p; ++i) {
- weight += r[i] & 1;
- }
- return int16_nonzero_mask((int16) (weight - w));
-}
-
-/* out = in if bottom bits of in have weight w */
-/* otherwise out = (1,1,...,1,0,0,...,0) */
-int PQCLEAN_SNTRUP857_CLEAN_crypto_core_wforcesntrup857(unsigned char *outbytes, const unsigned char *inbytes) {
- small *out = (void *) outbytes;
- const small *in = (const void *) inbytes;
- int i, mask;
-
- mask = Weightw_mask(in); /* 0 if weight w, else -1 */
- for (i = 0; i < w; ++i) {
- out[i] = (small) (((in[i] ^ 1) & ~mask) ^ 1);
- }
- for (i = w; i < p; ++i) {
- out[i] = (small) (in[i] & ~mask);
- }
- return 0;
-}
diff --git a/crypto_kem/sntrup857/clean/crypto_core_wforcesntrup857.h b/crypto_kem/sntrup857/clean/crypto_core_wforcesntrup857.h
deleted file mode 100644
index f36d8281..00000000
--- a/crypto_kem/sntrup857/clean/crypto_core_wforcesntrup857.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_CLEAN_CRYPTO_CORE_WFORCESNTRUP857_H
-#define PQCLEAN_SNTRUP857_CLEAN_CRYPTO_CORE_WFORCESNTRUP857_H
-
-#include
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_core_wforcesntrup857_OUTPUTBYTES 857
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_core_wforcesntrup857_INPUTBYTES 857
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_core_wforcesntrup857_KEYBYTES 0
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_core_wforcesntrup857_CONSTBYTES 0
-
-int PQCLEAN_SNTRUP857_CLEAN_crypto_core_wforcesntrup857(unsigned char *outbytes, const unsigned char *inbytes);
-#endif
diff --git a/crypto_kem/sntrup857/clean/crypto_decode_857x1723.c b/crypto_kem/sntrup857/clean/crypto_decode_857x1723.c
deleted file mode 100644
index ad76a8d5..00000000
--- a/crypto_kem/sntrup857/clean/crypto_decode_857x1723.c
+++ /dev/null
@@ -1,202 +0,0 @@ -#include "crypto_decode_857x1723.h" - -/* auto-generated; do not edit */ - -#define int16 int16_t -#define uint16 uint16_t -#define uint32 uint32_t -#define uint64 uint64_t - -/* -CPU division instruction typically takes time depending on x. -This software is designed to take time independent of x. -Time still varies depending on m; user must ensure that m is constant. -Time also varies on CPUs where multiplication is variable-time. -There could be more CPU issues. -There could also be compiler issues. -*/ - -static void uint32_divmod_uint14(uint32 *q, uint16 *r, uint32 x, uint16 m) { - uint32 v = 0x80000000; - uint32 qpart; - uint32 mask; - - v /= m; - - /* caller guarantees m > 0 */ - /* caller guarantees m < 16384 */ - /* vm <= 2^31 <= vm+m-1 */ - /* xvm <= 2^31 x <= xvm+x(m-1) */ - - *q = 0; - - qpart = (uint32) ((x * (uint64)v) >> 31); - /* 2^31 qpart <= xv <= 2^31 qpart + 2^31-1 */ - /* 2^31 qpart m <= xvm <= 2^31 qpart m + (2^31-1)m */ - /* 2^31 qpart m <= 2^31 x <= 2^31 qpart m + (2^31-1)m + x(m-1) */ - /* 0 <= 2^31 newx <= (2^31-1)m + x(m-1) */ - /* 0 <= newx <= (1-1/2^31)m + x(m-1)/2^31 */ - /* 0 <= newx <= (1-1/2^31)(2^14-1) + (2^32-1)((2^14-1)-1)/2^31 */ - - x -= qpart * m; - *q += qpart; - /* x <= 49146 */ - - qpart = (uint32) ((x * (uint64)v) >> 31); - /* 0 <= newx <= (1-1/2^31)m + x(m-1)/2^31 */ - /* 0 <= newx <= m + 49146(2^14-1)/2^31 */ - /* 0 <= newx <= m + 0.4 */ - /* 0 <= newx <= m */ - - x -= qpart * m; - *q += qpart; - /* x <= m */ - - x -= m; - *q += 1; - mask = (~(x >> 31) + 1); - x += mask & (uint32)m; - *q += mask; - /* x < m */ - - *r = (uint16) x; -} - -static uint16 uint32_mod_uint14(uint32 x, uint16 m) { - uint32 q; - uint16 r; - uint32_divmod_uint14(&q, &r, x, m); - return r; -} - -void PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857x1723(void *v, const unsigned char *s) { - int16 *R0 = v; - uint16 R1[429], R2[215], R3[108], R4[54], R5[27], R6[14], R7[7], R8[4], R9[2], R10[1]; - long long i; - uint16 r0; - uint32 r1, r2; 
- - s += PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857x1723_STRBYTES; - r1 = 0; - r1 = (r1 << 8) | *--s; - r1 = uint32_mod_uint14(r1, 160); /* needed only for invalid inputs */ - R10[0] = (uint16) r1; - - r2 = R10[0]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 743); - R9[0] = r0; - r1 = uint32_mod_uint14(r1, 14044); /* needed only for invalid inputs */ - R9[1] = (uint16) r1; - - r2 = R9[1]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 436); - R8[2] = r0; - r1 = uint32_mod_uint14(r1, 8246); /* needed only for invalid inputs */ - R8[3] = (uint16) r1; - r2 = R9[0]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 436); - R8[0] = r0; - r1 = uint32_mod_uint14(r1, 436); /* needed only for invalid inputs */ - R8[1] = (uint16) r1; - - R7[6] = R8[3]; - for (i = 2; i >= 0; --i) { - r2 = R8[i]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 334); - R7[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 334); /* needed only for invalid inputs */ - R7[2 * i + 1] = (uint16) r1; - } - - r2 = R7[6]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 292); - R6[12] = r0; - r1 = uint32_mod_uint14(r1, 7229); /* needed only for invalid inputs */ - R6[13] = (uint16) r1; - for (i = 5; i >= 0; --i) { - r2 = R7[i]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 292); - R6[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 292); /* needed only for invalid inputs */ - R6[2 * i + 1] = (uint16) r1; - } - - R5[26] = R6[13]; - for (i = 12; i >= 0; --i) { - r2 = R6[i]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 273); - R5[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 273); /* needed only for invalid inputs */ - R5[2 * i + 1] = (uint16) r1; - } - - r2 = R5[26]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 4225); - R4[52] = r0; - r1 = uint32_mod_uint14(r1, 438); /* needed only for invalid inputs */ - R4[53] = (uint16) r1; - for (i = 25; i >= 0; --i) { - r2 = R5[i]; - r2 = (r2 
<< 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 4225); - R4[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 4225); /* needed only for invalid inputs */ - R4[2 * i + 1] = (uint16) r1; - } - - r2 = R4[53]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 65); - R3[106] = r0; - r1 = uint32_mod_uint14(r1, 1723); /* needed only for invalid inputs */ - R3[107] = (uint16) r1; - for (i = 52; i >= 0; --i) { - r2 = R4[i]; - uint32_divmod_uint14(&r1, &r0, r2, 65); - R3[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 65); /* needed only for invalid inputs */ - R3[2 * i + 1] = (uint16) r1; - } - - R2[214] = R3[107]; - for (i = 106; i >= 0; --i) { - r2 = R3[i]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 2053); - R2[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 2053); /* needed only for invalid inputs */ - R2[2 * i + 1] = (uint16) r1; - } - - R1[428] = R2[214]; - for (i = 213; i >= 0; --i) { - r2 = R2[i]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 11597); - R1[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 11597); /* needed only for invalid inputs */ - R1[2 * i + 1] = (uint16) r1; - } - - R0[856] = (int16) (3 * R1[428] - 2583); - for (i = 427; i >= 0; --i) { - r2 = R1[i]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 1723); - R0[2 * i] = (int16) (3 * r0 - 2583); - r1 = uint32_mod_uint14(r1, 1723); /* needed only for invalid inputs */ - R0[2 * i + 1] = (int16) (3 * r1 - 2583); - } -} diff --git a/crypto_kem/sntrup857/clean/crypto_decode_857x1723.h b/crypto_kem/sntrup857/clean/crypto_decode_857x1723.h deleted file mode 100644 index e344d0f1..00000000 --- a/crypto_kem/sntrup857/clean/crypto_decode_857x1723.h +++ /dev/null 
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_CLEAN_CRYPTO_DECODE_857X1723_H
-#define PQCLEAN_SNTRUP857_CLEAN_CRYPTO_DECODE_857X1723_H
-
-#include
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857x1723_STRBYTES 1152
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857x1723_ITEMS 857
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857x1723_ITEMBYTES 2
-
-void PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857x1723(void *v, const unsigned char *s);
-#endif
diff --git a/crypto_kem/sntrup857/clean/crypto_decode_857x3.c b/crypto_kem/sntrup857/clean/crypto_decode_857x3.c
deleted file mode 100644
index 4fd43cd5..00000000
--- a/crypto_kem/sntrup857/clean/crypto_decode_857x3.c
+++ /dev/null
@@ -1,24 +0,0 @@
-#include "crypto_decode_857x3.h"
-
-#define uint8 uint8_t
-
-#define p 857
-
-void PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857x3(void *v, const unsigned char *s) {
- uint8 *f = v;
- uint8 x;
- int i;
-
- for (i = 0; i < p / 4; ++i) {
- x = *s++;
- *f++ = (uint8) ((x & 3) - 1);
- x >>= 2;
- *f++ = (uint8) ((x & 3) - 1);
- x >>= 2;
- *f++ = (uint8) ((x & 3) - 1);
- x >>= 2;
- *f++ = (uint8) ((x & 3) - 1);
- }
- x = *s++;
- *f++ = (uint8) ((x & 3) - 1);
-}
diff --git a/crypto_kem/sntrup857/clean/crypto_decode_857x3.h b/crypto_kem/sntrup857/clean/crypto_decode_857x3.h
deleted file mode 100644
index f264068f..00000000
--- a/crypto_kem/sntrup857/clean/crypto_decode_857x3.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_CLEAN_CRYPTO_DECODE_857X3_H
-#define PQCLEAN_SNTRUP857_CLEAN_CRYPTO_DECODE_857X3_H
-
-#include
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857x3_STRBYTES 215
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857x3_ITEMS 857
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857x3_ITEMBYTES 1
-
-void PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857x3(void *v, const unsigned char *s);
-#endif
diff --git a/crypto_kem/sntrup857/clean/crypto_decode_857x5167.c b/crypto_kem/sntrup857/clean/crypto_decode_857x5167.c
deleted file mode 100644
index 0bb0c283..00000000
--- a/crypto_kem/sntrup857/clean/crypto_decode_857x5167.c
+++ /dev/null
@@ -1,205 +0,0 @@ -#include "crypto_decode_857x5167.h" - -/* auto-generated; do not edit */ - -#define int16 int16_t -#define uint16 uint16_t -#define uint32 uint32_t -#define uint64 uint64_t - -/* -CPU division instruction typically takes time depending on x. -This software is designed to take time independent of x. -Time still varies depending on m; user must ensure that m is constant. -Time also varies on CPUs where multiplication is variable-time. -There could be more CPU issues. -There could also be compiler issues. -*/ - -static void uint32_divmod_uint14(uint32 *q, uint16 *r, uint32 x, uint16 m) { - uint32 v = 0x80000000; - uint32 qpart; - uint32 mask; - - v /= m; - - /* caller guarantees m > 0 */ - /* caller guarantees m < 16384 */ - /* vm <= 2^31 <= vm+m-1 */ - /* xvm <= 2^31 x <= xvm+x(m-1) */ - - *q = 0; - - qpart = (uint32) ((x * (uint64)v) >> 31); - /* 2^31 qpart <= xv <= 2^31 qpart + 2^31-1 */ - /* 2^31 qpart m <= xvm <= 2^31 qpart m + (2^31-1)m */ - /* 2^31 qpart m <= 2^31 x <= 2^31 qpart m + (2^31-1)m + x(m-1) */ - /* 0 <= 2^31 newx <= (2^31-1)m + x(m-1) */ - /* 0 <= newx <= (1-1/2^31)m + x(m-1)/2^31 */ - /* 0 <= newx <= (1-1/2^31)(2^14-1) + (2^32-1)((2^14-1)-1)/2^31 */ - - x -= qpart * m; - *q += qpart; - /* x <= 49146 */ - - qpart = (uint32) ((x * (uint64)v) >> 31); - /* 0 <= newx <= (1-1/2^31)m + x(m-1)/2^31 */ - /* 0 <= newx <= m + 49146(2^14-1)/2^31 */ - /* 0 <= newx <= m + 0.4 */ - /* 0 <= newx <= m */ - - x -= qpart * m; - *q += qpart; - /* x <= m */ - - x -= m; - *q += 1; - mask = (~(x >> 31) + 1); - x += mask & (uint32)m; - *q += mask; - /* x < m */ - - *r = (uint16) x; -} - -static uint16 uint32_mod_uint14(uint32 x, uint16 m) { - uint32 q; - uint16 r; - uint32_divmod_uint14(&q, &r, x, m); - return r; -} - -void PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857x5167(void *v, const unsigned char *s) { - int16 *R0 = v; - uint16 R1[429], R2[215], R3[108], R4[54], R5[27], R6[14], R7[7], R8[4], R9[2], R10[1]; - long long i; - uint16 r0; - uint32 r1, r2; 
- - s += PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857x5167_STRBYTES; - r1 = 0; - r1 = (r1 << 8) | *--s; - r1 = (r1 << 8) | *--s; - r1 = uint32_mod_uint14(r1, 6225); /* needed only for invalid inputs */ - R10[0] = (uint16) r1; - - r2 = R10[0]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 5476); - R9[0] = r0; - r1 = uint32_mod_uint14(r1, 291); /* needed only for invalid inputs */ - R9[1] = (uint16) r1; - - r2 = R9[1]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 74); - R8[2] = r0; - r1 = uint32_mod_uint14(r1, 1004); /* needed only for invalid inputs */ - R8[3] = (uint16) r1; - r2 = R9[0]; - uint32_divmod_uint14(&r1, &r0, r2, 74); - R8[0] = r0; - r1 = uint32_mod_uint14(r1, 74); /* needed only for invalid inputs */ - R8[1] = (uint16) r1; - - R7[6] = R8[3]; - for (i = 2; i >= 0; --i) { - r2 = R8[i]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 2194); - R7[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 2194); /* needed only for invalid inputs */ - R7[2 * i + 1] = (uint16) r1; - } - - r2 = R7[6]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 11991); - R6[12] = r0; - r1 = uint32_mod_uint14(r1, 5483); /* needed only for invalid inputs */ - R6[13] = (uint16) r1; - for (i = 5; i >= 0; --i) { - r2 = R7[i]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 11991); - R6[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 11991); /* needed only for invalid inputs */ - R6[2 * i + 1] = (uint16) r1; - } - - R5[26] = R6[13]; - for (i = 12; i >= 0; --i) { - r2 = R6[i]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 1752); - R5[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 1752); /* needed only for invalid inputs */ - R5[2 * i + 1] = (uint16) r1; - } - - r2 = R5[26]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 10713); - R4[52] = r0; - r1 = uint32_mod_uint14(r1, 131); /* needed only for invalid inputs */ - R4[53] = (uint16) 
r1; - for (i = 25; i >= 0; --i) { - r2 = R5[i]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 10713); - R4[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 10713); /* needed only for invalid inputs */ - R4[2 * i + 1] = (uint16) r1; - } - - r2 = R4[53]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 1656); - R3[106] = r0; - r1 = uint32_mod_uint14(r1, 5167); /* needed only for invalid inputs */ - R3[107] = (uint16) r1; - for (i = 52; i >= 0; --i) { - r2 = R4[i]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 1656); - R3[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 1656); /* needed only for invalid inputs */ - R3[2 * i + 1] = (uint16) r1; - } - - R2[214] = R3[107]; - for (i = 106; i >= 0; --i) { - r2 = R3[i]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 651); - R2[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 651); /* needed only for invalid inputs */ - R2[2 * i + 1] = (uint16) r1; - } - - R1[428] = R2[214]; - for (i = 213; i >= 0; --i) { - r2 = R2[i]; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 408); - R1[2 * i] = r0; - r1 = uint32_mod_uint14(r1, 408); /* needed only for invalid inputs */ - R1[2 * i + 1] = (uint16) r1; - } - - R0[856] = (int16) (R1[428] - 2583); - for (i = 427; i >= 0; --i) { - r2 = R1[i]; - r2 = (r2 << 8) | *--s; - r2 = (r2 << 8) | *--s; - uint32_divmod_uint14(&r1, &r0, r2, 5167); - R0[2 * i] = (int16) (r0 - 2583); - r1 = uint32_mod_uint14(r1, 5167); /* needed only for invalid inputs */ - R0[2 * i + 1] = (int16) (r1 - 2583); - } -} diff --git a/crypto_kem/sntrup857/clean/crypto_decode_857x5167.h b/crypto_kem/sntrup857/clean/crypto_decode_857x5167.h deleted file mode 100644 index 34880ea6..00000000 --- a/crypto_kem/sntrup857/clean/crypto_decode_857x5167.h +++ /dev/null 
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_CLEAN_CRYPTO_DECODE_857X5167_H
-#define PQCLEAN_SNTRUP857_CLEAN_CRYPTO_DECODE_857X5167_H
-
-#include
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857x5167_STRBYTES 1322
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857x5167_ITEMS 857
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857x5167_ITEMBYTES 2
-
-void PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857x5167(void *v, const unsigned char *s);
-#endif
diff --git a/crypto_kem/sntrup857/clean/crypto_decode_857xint16.c b/crypto_kem/sntrup857/clean/crypto_decode_857xint16.c
deleted file mode 100644
index ceb224bc..00000000
--- a/crypto_kem/sntrup857/clean/crypto_decode_857xint16.c
+++ /dev/null
@@ -1,15 +0,0 @@
-#include "crypto_decode_857xint16.h"
-
-
-void PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857xint16(void *v, const unsigned char *s) {
- uint16_t *x = v;
- int i;
-
- for (i = 0; i < 857; ++i) {
- uint16_t u0 = s[0];
- uint16_t u1 = s[1];
- *x = (uint16_t) (u0 | (u1 << 8));
- x += 1;
- s += 2;
- }
-}
diff --git a/crypto_kem/sntrup857/clean/crypto_decode_857xint16.h b/crypto_kem/sntrup857/clean/crypto_decode_857xint16.h
deleted file mode 100644
index c13478c8..00000000
--- a/crypto_kem/sntrup857/clean/crypto_decode_857xint16.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_CLEAN_CRYPTO_DECODE_857XINT16_H
-#define PQCLEAN_SNTRUP857_CLEAN_CRYPTO_DECODE_857XINT16_H
-
-#include
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857xint16_STRBYTES 1714
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857xint16_ITEMBYTES 2
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857xint16_ITEMS 857
-
-void PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857xint16(void *v, const unsigned char *s);
-#endif
diff --git a/crypto_kem/sntrup857/clean/crypto_decode_857xint32.c b/crypto_kem/sntrup857/clean/crypto_decode_857xint32.c
deleted file mode 100644
index 8da1a180..00000000
--- a/crypto_kem/sntrup857/clean/crypto_decode_857xint32.c
+++ /dev/null
@@ -1,20 +0,0 @@
-#include "crypto_decode_857xint32.h"
-
-
-void PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857xint32(void *v, const unsigned char *s) {
- uint32_t *x = v;
- int i;
-
- for (i = 0; i < 857; ++i) {
- uint32_t u0 = s[0];
- uint32_t u1 = s[1];
- uint32_t u2 = s[2];
- uint32_t u3 = s[3];
- u1 <<= 8;
- u2 <<= 16;
- u3 <<= 24;
- *x = u0 | u1 | u2 | u3;
- x += 1;
- s += 4;
- }
-}
diff --git a/crypto_kem/sntrup857/clean/crypto_decode_857xint32.h b/crypto_kem/sntrup857/clean/crypto_decode_857xint32.h
deleted file mode 100644
index 6d0233a4..00000000
--- a/crypto_kem/sntrup857/clean/crypto_decode_857xint32.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_CLEAN_CRYPTO_DECODE_857XINT32_H
-#define PQCLEAN_SNTRUP857_CLEAN_CRYPTO_DECODE_857XINT32_H
-
-#include
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857xint32_STRBYTES 3428
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857xint32_ITEMBYTES 4
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857xint32_ITEMS 857
-
-void PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857xint32(void *v, const unsigned char *s);
-#endif
diff --git a/crypto_kem/sntrup857/clean/crypto_encode_857x1723.c b/crypto_kem/sntrup857/clean/crypto_encode_857x1723.c
deleted file mode 100644
index 12e20987..00000000
--- a/crypto_kem/sntrup857/clean/crypto_encode_857x1723.c
+++ /dev/null
@@ -1,130 +0,0 @@ -#include "crypto_encode_857x1723.h" - -/* auto-generated; do not edit */ - -#define int16 int16_t -#define uint16 uint16_t -#define uint32 uint32_t - -void PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857x1723(unsigned char *out, const void *v) { - const int16 *R0 = v; - /* XXX: caller could overlap R with input */ - uint16 R[429]; - long i; - uint16 r0, r1; - uint32 r2; - - for (i = 0; i < 428; ++i) { - r0 = (uint16) ((((R0[2 * i] + 2583) & 16383) * 10923) >> 15); - r1 = (uint16) ((((R0[2 * i + 1] + 2583) & 16383) * 10923) >> 15); - r2 = r0 + r1 * (uint32)1723; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[428] = (uint16) ((((R0[856] + 2583) & 16383) * 10923) >> 15); - - for (i = 0; i < 214; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)11597; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[214] = R[428]; - - for (i = 0; i < 107; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)2053; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[107] = R[214]; - - for (i = 0; i < 53; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)65; - R[i] = (uint16) r2; - } - r0 = R[106]; - r1 = R[107]; - r2 = r0 + r1 * (uint32)65; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[53] = (uint16) r2; - - for (i = 0; i < 26; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)4225; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - r0 = R[52]; - r1 = R[53]; - r2 = r0 + r1 * (uint32)4225; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[26] = (uint16) r2; - - for (i = 0; i < 13; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)273; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[13] = R[26]; - - for (i = 0; i < 7; ++i) { - r0 = R[2 * i]; 
- r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)292; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - - for (i = 0; i < 3; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)334; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[3] = R[6]; - - for (i = 0; i < 2; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)436; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - - r0 = R[0]; - r1 = R[1]; - r2 = r0 + r1 * (uint32)743; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[0] = (uint16) r2; - - r0 = R[0]; - *out++ = (unsigned char) r0; -} diff --git a/crypto_kem/sntrup857/clean/crypto_encode_857x1723.h b/crypto_kem/sntrup857/clean/crypto_encode_857x1723.h deleted file mode 100644 index c13d5d6b..00000000 --- a/crypto_kem/sntrup857/clean/crypto_encode_857x1723.h +++ /dev/null @@ -1,10 +0,0 @@ -#ifndef PQCLEAN_SNTRUP857_CLEAN_CRYPTO_ENCODE_857X1723_H -#define PQCLEAN_SNTRUP857_CLEAN_CRYPTO_ENCODE_857X1723_H - -#include -#define PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857x1723_STRBYTES 1152 -#define PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857x1723_ITEMS 857 -#define PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857x1723_ITEMBYTES 2 - -void PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857x1723(unsigned char *out, const void *v); -#endif diff --git a/crypto_kem/sntrup857/clean/crypto_encode_857x1723round.c b/crypto_kem/sntrup857/clean/crypto_encode_857x1723round.c deleted file mode 100644 index 2b73e9c8..00000000 --- a/crypto_kem/sntrup857/clean/crypto_encode_857x1723round.c +++ /dev/null 
@@ -1,17 +0,0 @@
-#include "crypto_encode_857x1723.h"
-#include "crypto_encode_857x1723round.h"
-
-#define int16 int16_t
-
-#define p 857
-
-void PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857x1723round(unsigned char *out, const void *v) {
- const int16 *a = v;
- int16 x[p];
- int i;
-
- for (i = 0; i < p; ++i) {
- x[i] = (int16) (3 * ((10923 * a[i] + 16384) >> 15));
- }
- PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857x1723(out, x);
-}
diff --git a/crypto_kem/sntrup857/clean/crypto_encode_857x1723round.h b/crypto_kem/sntrup857/clean/crypto_encode_857x1723round.h
deleted file mode 100644
index a6e3fa92..00000000
--- a/crypto_kem/sntrup857/clean/crypto_encode_857x1723round.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_CLEAN_CRYPTO_ENCODE_857X1723ROUND_H
-#define PQCLEAN_SNTRUP857_CLEAN_CRYPTO_ENCODE_857X1723ROUND_H
-
-#include
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857x1723round_STRBYTES 1152
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857x1723round_ITEMS 857
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857x1723round_ITEMBYTES 2
-
-void PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857x1723round(unsigned char *out, const void *v);
-#endif
diff --git a/crypto_kem/sntrup857/clean/crypto_encode_857x3.c b/crypto_kem/sntrup857/clean/crypto_encode_857x3.c
deleted file mode 100644
index de61c551..00000000
--- a/crypto_kem/sntrup857/clean/crypto_encode_857x3.c
+++ /dev/null
@@ -1,21 +0,0 @@
-#include "crypto_encode_857x3.h"
-
-#define uint8 uint8_t
-
-#define p 857
-
-void PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857x3(unsigned char *s, const void *v) {
- const uint8 *f = v;
- uint8 x;
- int i;
-
- for (i = 0; i < p / 4; ++i) {
- x = *f++ + 1;
- x += (*f++ + 1) << 2;
- x += (*f++ + 1) << 4;
- x += (*f++ + 1) << 6;
- *s++ = x;
- }
- x = *f++ + 1;
- *s++ = x;
-}
diff --git a/crypto_kem/sntrup857/clean/crypto_encode_857x3.h b/crypto_kem/sntrup857/clean/crypto_encode_857x3.h
deleted file mode 100644
index 0bd9a6a5..00000000
--- a/crypto_kem/sntrup857/clean/crypto_encode_857x3.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_CLEAN_CRYPTO_ENCODE_857X3_H
-#define PQCLEAN_SNTRUP857_CLEAN_CRYPTO_ENCODE_857X3_H
-
-#include
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857x3_STRBYTES 215
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857x3_ITEMS 857
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857x3_ITEMBYTES 1
-
-void PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857x3(unsigned char *s, const void *v);
-#endif
diff --git a/crypto_kem/sntrup857/clean/crypto_encode_857x5167.c b/crypto_kem/sntrup857/clean/crypto_encode_857x5167.c
deleted file mode 100644
index a5af7e6b..00000000
--- a/crypto_kem/sntrup857/clean/crypto_encode_857x5167.c
+++ /dev/null
@@ -1,138 +0,0 @@ -#include "crypto_encode_857x5167.h" - -/* auto-generated; do not edit */ - -#define int16 int16_t -#define uint16 uint16_t -#define uint32 uint32_t - -void PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857x5167(unsigned char *out, const void *v) { - const int16 *R0 = v; - /* XXX: caller could overlap R with input */ - uint16 R[429]; - long i; - uint16 r0, r1; - uint32 r2; - - for (i = 0; i < 428; ++i) { - r0 = (uint16) ((R0[2 * i] + 2583) & 16383); - r1 = (uint16) ((R0[2 * i + 1] + 2583) & 16383); - r2 = r0 + r1 * (uint32)5167; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[428] = (uint16) ((R0[856] + 2583) & 16383); - - for (i = 0; i < 214; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)408; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[214] = R[428]; - - for (i = 0; i < 107; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)651; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[107] = R[214]; - - for (i = 0; i < 53; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)1656; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - r0 = R[106]; - r1 = R[107]; - r2 = r0 + r1 * (uint32)1656; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[53] = (uint16) r2; - - for (i = 0; i < 26; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)10713; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - r0 = R[52]; - r1 = R[53]; - r2 = r0 + r1 * (uint32)10713; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[26] = (uint16) r2; - - for (i = 0; i < 13; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)1752; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[13] = R[26]; - - for (i = 0; i < 7; ++i) { - r0 = R[2 * i]; - r1 = 
R[2 * i + 1]; - r2 = r0 + r1 * (uint32)11991; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - - for (i = 0; i < 3; ++i) { - r0 = R[2 * i]; - r1 = R[2 * i + 1]; - r2 = r0 + r1 * (uint32)2194; - *out++ = (unsigned char) r2; - r2 >>= 8; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[i] = (uint16) r2; - } - R[3] = R[6]; - - r0 = R[0]; - r1 = R[1]; - r2 = r0 + r1 * (uint32)74; - R[0] = (uint16) r2; - r0 = R[2]; - r1 = R[3]; - r2 = r0 + r1 * (uint32)74; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[1] = (uint16) r2; - - r0 = R[0]; - r1 = R[1]; - r2 = r0 + r1 * (uint32)5476; - *out++ = (unsigned char) r2; - r2 >>= 8; - R[0] = (uint16) r2; - - r0 = R[0]; - *out++ = (unsigned char) r0; - r0 >>= 8; - *out++ = (unsigned char) r0; -} diff --git a/crypto_kem/sntrup857/clean/crypto_encode_857x5167.h b/crypto_kem/sntrup857/clean/crypto_encode_857x5167.h deleted file mode 100644 index 03965ec9..00000000 --- a/crypto_kem/sntrup857/clean/crypto_encode_857x5167.h +++ /dev/null @@ -1,10 +0,0 @@ -#ifndef PQCLEAN_SNTRUP857_CLEAN_CRYPTO_ENCODE_857X5167_H -#define PQCLEAN_SNTRUP857_CLEAN_CRYPTO_ENCODE_857X5167_H - -#include -#define PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857x5167_STRBYTES 1322 -#define PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857x5167_ITEMS 857 -#define PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857x5167_ITEMBYTES 2 - -void PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857x5167(unsigned char *out, const void *v); -#endif diff --git a/crypto_kem/sntrup857/clean/crypto_encode_857xfreeze3.c b/crypto_kem/sntrup857/clean/crypto_encode_857xfreeze3.c deleted file mode 100644 index 901b9c94..00000000 --- a/crypto_kem/sntrup857/clean/crypto_encode_857xfreeze3.c +++ /dev/null 
@@ -1,25 +0,0 @@
-#include "crypto_encode_857xfreeze3.h"
-
-#define int16 int16_t
-
-#define p 857
-
-/* valid inputs: -16384 <= x < 16384 */
-/* then 3 divides x-F3_freeze(x) */
-/* and F3_freeze(x) is in {-1,0,1} */
-
-/* all inputs: 3 divides x-F3_freeze(x) */
-/* and F3_freeze(x) is in {-2,-1,0,1,2} */
-
-static inline unsigned char F3_freeze(int16 x) {
- return (unsigned char) (x - 3 * ((10923 * x + 16384) >> 15));
-}
-
-void PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857xfreeze3(unsigned char *s, const void *v) {
- const int16 *r = v;
-
- int i;
- for (i = 0; i < p; ++i) {
- s[i] = F3_freeze(r[i]);
- }
-}
diff --git a/crypto_kem/sntrup857/clean/crypto_encode_857xfreeze3.h b/crypto_kem/sntrup857/clean/crypto_encode_857xfreeze3.h
deleted file mode 100644
index 3db63e85..00000000
--- a/crypto_kem/sntrup857/clean/crypto_encode_857xfreeze3.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_CLEAN_CRYPTO_ENCODE_857XFREEZE3_H
-#define PQCLEAN_SNTRUP857_CLEAN_CRYPTO_ENCODE_857XFREEZE3_H
-
-#include
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857xfreeze3_STRBYTES 857
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857xfreeze3_ITEMS 857
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857xfreeze3_ITEMBYTES 2
-
-void PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857xfreeze3(unsigned char *s, const void *v);
-#endif
diff --git a/crypto_kem/sntrup857/clean/crypto_encode_857xint16.c b/crypto_kem/sntrup857/clean/crypto_encode_857xint16.c
deleted file mode 100644
index a89e9f16..00000000
--- a/crypto_kem/sntrup857/clean/crypto_encode_857xint16.c
+++ /dev/null
@@ -1,13 +0,0 @@
-#include "crypto_encode_857xint16.h"
-
-
-void PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857xint16(unsigned char *s, const void *v) {
- const uint16_t *x = v;
- int i;
-
- for (i = 0; i < 857; ++i) {
- uint16_t u = *x++;
- *s++ = (unsigned char) u;
- *s++ = (unsigned char) (u >> 8);
- }
-}
diff --git a/crypto_kem/sntrup857/clean/crypto_encode_857xint16.h b/crypto_kem/sntrup857/clean/crypto_encode_857xint16.h
deleted file mode 100644
index bd42a80d..00000000
--- a/crypto_kem/sntrup857/clean/crypto_encode_857xint16.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_CLEAN_CRYPTO_ENCODE_857XINT16_H
-#define PQCLEAN_SNTRUP857_CLEAN_CRYPTO_ENCODE_857XINT16_H
-
-#include
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857xint16_STRBYTES 1714
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857xint16_ITEMBYTES 2
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857xint16_ITEMS 857
-
-void PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857xint16(unsigned char *s, const void *v);
-#endif
diff --git a/crypto_kem/sntrup857/clean/crypto_encode_int16.c b/crypto_kem/sntrup857/clean/crypto_encode_int16.c
deleted file mode 100644
index 7746afc5..00000000
--- a/crypto_kem/sntrup857/clean/crypto_encode_int16.c
+++ /dev/null
@@ -1,9 +0,0 @@
-#include "crypto_encode_int16.h"
-
-#define uint16 uint16_t
-
-void PQCLEAN_SNTRUP857_CLEAN_crypto_encode_int16(unsigned char *s, const void *x) {
- uint16 u = *(const uint16 *) x;
- s[0] = (unsigned char) u;
- s[1] = (unsigned char) (u >> 8);
-}
diff --git a/crypto_kem/sntrup857/clean/crypto_encode_int16.h b/crypto_kem/sntrup857/clean/crypto_encode_int16.h
deleted file mode 100644
index 5ee7e3c3..00000000
--- a/crypto_kem/sntrup857/clean/crypto_encode_int16.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_CLEAN_CRYPTO_ENCODE_INT16_H
-#define PQCLEAN_SNTRUP857_CLEAN_CRYPTO_ENCODE_INT16_H
-
-#include
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_encode_int16_STRBYTES 2
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_encode_int16_ITEMBYTES 2
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_encode_int16_ITEMS 1
-
-void PQCLEAN_SNTRUP857_CLEAN_crypto_encode_int16(unsigned char *s, const void *x);
-#endif
diff --git a/crypto_kem/sntrup857/clean/crypto_sort_int32.c b/crypto_kem/sntrup857/clean/crypto_sort_int32.c
deleted file mode 100644
index 4d70426b..00000000
--- a/crypto_kem/sntrup857/clean/crypto_sort_int32.c
+++ /dev/null
@@ -1,84 +0,0 @@
-#include "crypto_sort_int32.h"
-#include
-
-#define int32 int32_t
-
-#define int32_MINMAX(a,b) \
- do { \
- int32_t ab = (b) ^ (a); \
- int32_t c = (int32_t)((int64_t)(b) - (int64_t)(a)); \
- c ^= ab & (c ^ (b)); \
- c >>= 31; \
- c &= ab; \
- (a) ^= c; \
- (b) ^= c; \
- } while(0)
-
-/* assume 2 <= n <= 0x40000000 */
-void PQCLEAN_SNTRUP857_CLEAN_crypto_sort_int32(int32_t *x, long long n) {
- int32 top, p, q, r, i;
- long long j;
-
- top = 1;
- while (top < n - top) {
- top += top;
- }
-
- for (p = top; p >= 1; p >>= 1) {
- i = 0;
- while (i + 2 * p <= n) {
- for (j = i; j < i + p; ++j) {
- int32_MINMAX(x[j], x[j + p]);
- }
- i += 2 * p;
- }
- for (j = i; j < n - p; ++j) {
- int32_MINMAX(x[j], x[j + p]);
- }
-
- i = 0;
- j = 0;
- for (q = top; q > p; q >>= 1) {
- if (j != i) {
- for (;;) {
- if (j == n - q) {
- goto done;
- }
- int32 a = x[j + p];
- for (r = q; r > p; r >>= 1) {
- int32_MINMAX(a, x[j + r]);
- }
- x[j + p] = a;
- ++j;
- if (j == i + p) {
- i += 2 * p;
- break;
- }
- }
- }
- while (i + p <= n - q) {
- for (j = i; j < i + p; ++j) {
- int32 a = x[j + p];
- for (r = q; r > p; r >>= 1) {
- int32_MINMAX(a, x[j + r]);
- }
- x[j + p] = a;
- }
- i += 2 * p;
- }
- /* now i + p > n - q */
- j = i;
- while (j < n - q) {
- int32 a = x[j + p];
- for (r = q; r > p; r >>= 1) {
- int32_MINMAX(a, x[j + r]);
- }
- x[j + p] = a;
- ++j;
- }
-
-done:
- ;
- }
- }
-}
diff --git a/crypto_kem/sntrup857/clean/crypto_sort_int32.h b/crypto_kem/sntrup857/clean/crypto_sort_int32.h
deleted file mode 100644
index 09271259..00000000
--- a/crypto_kem/sntrup857/clean/crypto_sort_int32.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_CLEAN_CRYPTO_SORT_INT32_H
-#define PQCLEAN_SNTRUP857_CLEAN_CRYPTO_SORT_INT32_H
-
-#include 
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_sort_int32_BYTES 4
-
-void PQCLEAN_SNTRUP857_CLEAN_crypto_sort_int32(int32_t *x, long long n);
-#endif
diff --git a/crypto_kem/sntrup857/clean/crypto_sort_uint32.c b/crypto_kem/sntrup857/clean/crypto_sort_uint32.c
deleted file mode 100644
index 9356ee9b..00000000
--- a/crypto_kem/sntrup857/clean/crypto_sort_uint32.c
+++ /dev/null
@@ -1,18 +0,0 @@
-#include "crypto_sort_int32.h"
-#include "crypto_sort_uint32.h"
-
-
-/* can save time by vectorizing xor loops */
-/* can save time by integrating xor loops with int32_sort */
-
-void PQCLEAN_SNTRUP857_CLEAN_crypto_sort_uint32(void *array, long long n) {
- uint32_t *x = array;
- long long j;
- for (j = 0; j < n; ++j) {
- x[j] ^= 0x80000000;
- }
- PQCLEAN_SNTRUP857_CLEAN_crypto_sort_int32((int32_t *)array, n);
- for (j = 0; j < n; ++j) {
- x[j] ^= 0x80000000;
- }
-}
diff --git a/crypto_kem/sntrup857/clean/crypto_sort_uint32.h b/crypto_kem/sntrup857/clean/crypto_sort_uint32.h
deleted file mode 100644
index a22ba882..00000000
--- a/crypto_kem/sntrup857/clean/crypto_sort_uint32.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_CLEAN_CRYPTO_SORT_UINT32_H
-#define PQCLEAN_SNTRUP857_CLEAN_CRYPTO_SORT_UINT32_H
-
-#include 
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_sort_uint32_BYTES 4
-
-void PQCLEAN_SNTRUP857_CLEAN_crypto_sort_uint32(void *array, long long n);
-#endif
diff --git a/crypto_kem/sntrup857/clean/crypto_stream_aes256ctr.c b/crypto_kem/sntrup857/clean/crypto_stream_aes256ctr.c
deleted file mode 100644
index e202f8aa..00000000
--- a/crypto_kem/sntrup857/clean/crypto_stream_aes256ctr.c
+++ /dev/null
@@ -1,15 +0,0 @@
-#include "crypto_stream_aes256ctr.h"
-
-
-int PQCLEAN_SNTRUP857_CLEAN_crypto_stream_aes256ctr(
- uint8_t *out,
- size_t outlen,
- const uint8_t nonce[AESCTR_NONCEBYTES],
- const uint8_t key[AES256_KEYBYTES]) {
-
- aes256ctx state;
- aes256_ctr_keyexp(&state, key);
- aes256_ctr(out, outlen, nonce, &state);
- aes256_ctx_release(&state);
- return 0;
-}
diff --git a/crypto_kem/sntrup857/clean/crypto_stream_aes256ctr.h b/crypto_kem/sntrup857/clean/crypto_stream_aes256ctr.h
deleted file mode 100644
index fae907dc..00000000
--- a/crypto_kem/sntrup857/clean/crypto_stream_aes256ctr.h
+++ /dev/null
@@ -1,15 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_CLEAN_CRYPTO_STREAM_AES256CTR_H
-#define PQCLEAN_SNTRUP857_CLEAN_CRYPTO_STREAM_AES256CTR_H
-#include "aes.h"
-#include 
-#include 
-
-
-
-int PQCLEAN_SNTRUP857_CLEAN_crypto_stream_aes256ctr(
- uint8_t *out,
- size_t outlen,
- const uint8_t nonce[AESCTR_NONCEBYTES],
- const uint8_t key[AES256_KEYBYTES]);
-
-#endif
diff --git a/crypto_kem/sntrup857/clean/crypto_verify_1184.c b/crypto_kem/sntrup857/clean/crypto_verify_1184.c
deleted file mode 100644
index e2b6856a..00000000
--- a/crypto_kem/sntrup857/clean/crypto_verify_1184.c
+++ /dev/null
@@ -1,13 +0,0 @@
-#include "crypto_verify_1184.h"
-
-
-int PQCLEAN_SNTRUP857_CLEAN_crypto_verify_1184(const unsigned char *x, const unsigned char *y) {
- unsigned int differentbits = 0;
- int i;
-
- for (i = 0; i < PQCLEAN_SNTRUP857_CLEAN_crypto_verify_1184_BYTES; ++i) {
- differentbits |= x[i] ^ y[i];
- }
-
- return (int) (1 & ((differentbits - 1) >> 8)) - 1;
-}
diff --git a/crypto_kem/sntrup857/clean/crypto_verify_1184.h b/crypto_kem/sntrup857/clean/crypto_verify_1184.h
deleted file mode 100644
index 9bcbf3f4..00000000
--- a/crypto_kem/sntrup857/clean/crypto_verify_1184.h
+++ /dev/null
@@ -1,8 +0,0 @@
-#ifndef PQCLEAN_SNTRUP857_CLEAN_CRYPTO_VERIFY_1184_H
-#define PQCLEAN_SNTRUP857_CLEAN_CRYPTO_VERIFY_1184_H
-
-#include 
-#define PQCLEAN_SNTRUP857_CLEAN_crypto_verify_1184_BYTES 1184
-
-int PQCLEAN_SNTRUP857_CLEAN_crypto_verify_1184(const unsigned char *x, const unsigned char *y);
-#endif
diff --git a/crypto_kem/sntrup857/clean/kem.c b/crypto_kem/sntrup857/clean/kem.c
deleted file mode 100644
index 48b14651..00000000
--- a/crypto_kem/sntrup857/clean/kem.c
+++ /dev/null
@@ -1,247 +0,0 @@ -#include "api.h" -#include "crypto_sort_uint32.h" -#include "params.h" -#include "randombytes.h" -#include "sha2.h" - - - -#define int8 int8_t -#define int16 int16_t -#define int32 int32_t -#define uint16 uint16_t -#define uint32 uint32_t - -/* ----- arithmetic mod 3 */ - -typedef int8 small; -/* F3 is always represented as -1,0,1 */ - -/* ----- arithmetic mod q */ - -typedef int16 Fq; -/* always represented as -(q-1)/2...(q-1)/2 */ - -/* ----- small polynomials */ - -/* R3_fromR(R_fromRq(r)) */ -static void R3_fromRq(small *out, const Fq *r) { - crypto_encode_pxfreeze3((unsigned char *) out, (unsigned char *) r); -} - -/* h = f*g in the ring R3 */ -static void R3_mult(small *h, const small *f, const small *g) { - crypto_core_mult3((unsigned char *) h, (const unsigned char *) f, (const unsigned char *) g); -} - -/* ----- polynomials mod q */ - -/* h = h*g in the ring Rq */ -static void Rq_mult_small(Fq *h, const small *g) { - crypto_encode_pxint16((unsigned char *) h, h); - crypto_core_mult((unsigned char *) h, (const unsigned char *) h, (const unsigned char *) g); - crypto_decode_pxint16(h, (const unsigned char *) h); -} - -/* h = 3f in Rq */ -static void Rq_mult3(Fq *h, const Fq *f) { - crypto_encode_pxint16((unsigned char *) h, f); - crypto_core_scale3((unsigned char *) h, (const unsigned char *) h); - crypto_decode_pxint16(h, (const unsigned char *) h); -} - -/* out = 1/(3*in) in Rq */ -/* caller must have 2p+1 bytes free in out, not just 2p */ -static void Rq_recip3(Fq *out, const small *in) { - crypto_core_inv((unsigned char *) out, (const unsigned char *) in); - /* could check byte 2*p for failure; but, in context, inv always works */ - crypto_decode_pxint16(out, (unsigned char *) out); -} - -/* ----- underlying hash function */ - -#define Hash_bytes 32 - -static void Hash(unsigned char *out, const unsigned char *in, int inlen) { - unsigned char h[64]; - int i; - sha512(h, in, (size_t) inlen); - for (i = 0; i < 32; ++i) { - out[i] = h[i]; 
- } -} - -/* ----- higher-level randomness */ - -static void Short_random(small *out) { - uint32 L[ppadsort]; - int i; - - randombytes((unsigned char *) L, 4 * p); - crypto_decode_pxint32(L, (unsigned char *) L); - for (i = 0; i < w; ++i) { - L[i] = L[i] & (uint32) - 2; - } - for (i = w; i < p; ++i) { - L[i] = (L[i] & (uint32) - 3) | 1; - } - for (i = p; i < ppadsort; ++i) { - L[i] = 0xffffffff; - } - PQCLEAN_SNTRUP857_CLEAN_crypto_sort_uint32(L, ppadsort); - for (i = 0; i < p; ++i) { - out[i] = (small) ((L[i] & 3) - 1); - } -} - -static void Small_random(small *out) { - uint32 L[p]; - int i; - - randombytes((unsigned char *) L, sizeof L); - crypto_decode_pxint32(L, (unsigned char *) L); - for (i = 0; i < p; ++i) { - out[i] = (small) ((((L[i] & 0x3fffffff) * 3) >> 30) - 1); - } -} - -/* ----- Streamlined NTRU Prime */ - -typedef small Inputs[p]; /* passed by reference */ -#define Ciphertexts_bytes Rounded_bytes -#define SecretKeys_bytes (2*Small_bytes) -#define PublicKeys_bytes Rq_bytes -#define Confirm_bytes 32 - -/* c,r_enc[1:] = Hide(r,pk,cache); cache is Hash4(pk) */ -/* also set r_enc[0]=3 */ -/* also set x[0]=2, and x[1:1+Hash_bytes] = Hash3(r_enc) */ -/* also overwrite x[1+Hash_bytes:1+2*Hash_bytes] */ -static void Hide(unsigned char *x, unsigned char *c, unsigned char *r_enc, const Inputs r, const unsigned char *pk, const unsigned char *cache) { - Fq h[p]; - int i; - - Small_encode(r_enc + 1, r); - Rq_decode(h, pk); - Rq_mult_small(h, r); - Round_and_encode(c, h); - r_enc[0] = 3; - Hash(x + 1, r_enc, 1 + Small_bytes); - for (i = 0; i < Hash_bytes; ++i) { - x[1 + Hash_bytes + i] = cache[i]; - } - x[0] = 2; - Hash(c + Ciphertexts_bytes, x, 1 + Hash_bytes * 2); -} - - -int PQCLEAN_SNTRUP857_CLEAN_crypto_kem_keypair(unsigned char *pk, unsigned char *sk) { - small g[p]; - for (;;) { - Small_random(g); - { - small v[p + 1]; - crypto_core_inv3((unsigned char *) v, (const unsigned char *) g); - if (v[p] == 0) { - Small_encode(sk + Small_bytes, v); - break; - } - } 
- } - { - small f[p]; - Short_random(f); - Small_encode(sk, f); - { - Fq h[p + 1]; - Rq_recip3(h, f); /* always works */ - Rq_mult_small(h, g); - Rq_encode(pk, h); - } - } - { - int i; - unsigned char sksave = sk[SecretKeys_bytes - 1]; - for (i = 0; i < PublicKeys_bytes; ++i) { - sk[SecretKeys_bytes + i] = pk[i]; - } - sk[SecretKeys_bytes - 1] = 4; - Hash(sk + SecretKeys_bytes + PublicKeys_bytes + Small_bytes, sk + SecretKeys_bytes - 1, 1 + PublicKeys_bytes); - sk[SecretKeys_bytes - 1] = sksave; - randombytes(sk + SecretKeys_bytes + PublicKeys_bytes, Small_bytes); - } - return 0; -} - -int PQCLEAN_SNTRUP857_CLEAN_crypto_kem_enc(unsigned char *c, unsigned char *k, const unsigned char *pk) { - unsigned char cache[Hash_bytes]; - int i; - { - unsigned char y[1 + PublicKeys_bytes]; /* XXX: can eliminate with incremental hashing */ - for (i = 0; i < PublicKeys_bytes; ++i) { - y[1 + i] = pk[i]; - } - y[0] = 4; - Hash(cache, y, sizeof y); - } - { - Inputs r; - Short_random(r); - { - unsigned char r_enc[Small_bytes + 1]; - unsigned char x[1 + Hash_bytes + Ciphertexts_bytes + Confirm_bytes]; - Hide(x, c, r_enc, r, pk, cache); - for (i = 0; i < Ciphertexts_bytes + Confirm_bytes; ++i) { - x[1 + Hash_bytes + i] = c[i]; - } - x[0] = 1; - Hash(k, x, sizeof x); - } - } - return 0; -} - -int PQCLEAN_SNTRUP857_CLEAN_crypto_kem_dec(unsigned char *k, const unsigned char *c, const unsigned char *sk) { - const unsigned char *pk = sk + SecretKeys_bytes; - const unsigned char *rho = pk + PublicKeys_bytes; - const unsigned char *cache = rho + Small_bytes; - int mask, i; - Inputs r; - { - Fq d[p]; - Rounded_decode(d, c); - { - small f[p]; - Small_decode(f, sk); - Rq_mult_small(d, f); - Rq_mult3(d, d); - } - { - small e[p]; - small v[p]; - R3_fromRq(e, d); - Small_decode(v, sk + Small_bytes); - R3_mult(r, e, v); - } - crypto_core_wforce((unsigned char *) r, (unsigned char *) r); - } - { - unsigned char r_enc[1 + Small_bytes]; - unsigned char cnew[Ciphertexts_bytes + Confirm_bytes]; - 
unsigned char x[1 + Hash_bytes + Ciphertexts_bytes + Confirm_bytes]; - /* XXX: can use incremental hashing to reduce x size */ - - Hide(x, cnew, r_enc, r, pk, cache); - mask = crypto_verify_clen(c, cnew); - for (i = 0; i < Small_bytes; ++i) { - r_enc[i + 1] ^= (unsigned char) (mask & (r_enc[i + 1] ^ rho[i])); - } - Hash(x + 1, r_enc, 1 + Small_bytes); /* XXX: can instead do cmov on cached hash of rho */ - for (i = 0; i < Ciphertexts_bytes + Confirm_bytes; ++i) { - x[1 + Hash_bytes + i] = c[i]; - } - x[0] = (unsigned char) (1 + mask); - Hash(k, x, sizeof x); - } - return 0; -} diff --git a/crypto_kem/sntrup857/clean/params.h b/crypto_kem/sntrup857/clean/params.h deleted file mode 100644 index bd8b542f..00000000 --- a/crypto_kem/sntrup857/clean/params.h +++ /dev/null 
@@ -1,70 +0,0 @@ -#ifndef params_H -#define params_H -#include "crypto_core_inv3sntrup857.h" -#include "crypto_core_invsntrup857.h" -#include "crypto_core_mult3sntrup857.h" -#include "crypto_core_multsntrup857.h" -#include "crypto_core_scale3sntrup857.h" -#include "crypto_core_weightsntrup857.h" -#include "crypto_core_wforcesntrup857.h" -#include "crypto_decode_857x1723.h" -#include "crypto_decode_857x3.h" -#include "crypto_decode_857x5167.h" -#include "crypto_decode_857xint16.h" -#include "crypto_decode_857xint32.h" -#include "crypto_encode_857x1723.h" -#include "crypto_encode_857x1723round.h" -#include "crypto_encode_857x3.h" -#include "crypto_encode_857x5167.h" -#include "crypto_encode_857xfreeze3.h" -#include "crypto_encode_857xint16.h" -#include "crypto_encode_int16.h" -#include "crypto_sort_int32.h" -#include "crypto_sort_uint32.h" -#include "crypto_verify_1184.h" - - -#define q27 25976 /* closest integer to 2^27/q */ -#define q18 51 /* closest integer to 2^18/q */ -#define p 857 -#define q 5167 -#define w 322 - -#define ppadsort 857 - -#define crypto_verify_clen PQCLEAN_SNTRUP857_CLEAN_crypto_verify_1184 - -#define Rq_bytes PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857x5167_STRBYTES -#define Rq_encode PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857x5167 -#define Rq_decode PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857x5167 - -#define Rounded_bytes PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857x1723_STRBYTES -#define Rounded_decode PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857x1723 - -#define Round_and_encode PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857x1723round - -#define Small_bytes PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857x3_STRBYTES -#define Small_encode PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857x3 -#define Small_decode PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857x3 - -#define crypto_encode_pxfreeze3 PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857xfreeze3 - -#define crypto_decode_pxint32 PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857xint32 - -#define crypto_decode_pxint16 
PQCLEAN_SNTRUP857_CLEAN_crypto_decode_857xint16 - -#define crypto_encode_pxint16 PQCLEAN_SNTRUP857_CLEAN_crypto_encode_857xint16 - -#define crypto_core_wforce PQCLEAN_SNTRUP857_CLEAN_crypto_core_wforcesntrup857 - -#define crypto_core_scale3 PQCLEAN_SNTRUP857_CLEAN_crypto_core_scale3sntrup857 - -#define crypto_core_inv PQCLEAN_SNTRUP857_CLEAN_crypto_core_invsntrup857 - -#define crypto_core_inv3 PQCLEAN_SNTRUP857_CLEAN_crypto_core_inv3sntrup857 - -#define crypto_core_mult PQCLEAN_SNTRUP857_CLEAN_crypto_core_multsntrup857 - -#define crypto_core_mult3 PQCLEAN_SNTRUP857_CLEAN_crypto_core_mult3sntrup857 - -#endif diff --git a/crypto_sign/dilithium2aes/META.yml b/crypto_sign/dilithium2aes/META.yml deleted file mode 100644 index 6a4fe381..00000000 --- a/crypto_sign/dilithium2aes/META.yml +++ /dev/null @@ -1,31 +0,0 @@ -name: Dilithium2-AES -type: signature -claimed-nist-level: 2 -length-public-key: 1312 -length-secret-key: 2544 -length-signature: 2420 -nistkat-sha256: 23972a0a5f1f32781aa11fa57d9994ddd53c1bbcc732967f61d9d9aaef01c492 -testvectors-sha256: 22e68fe8bf781dee949a4297f9ba44d1c350a1d88bae03117cfb2ca494c6e604 -principal-submitters: - - Vadim Lyubashevsky -auxiliary-submitters: - - Léo Ducas - - Eike Kiltz - - Tancrède Lepoint - - Peter Schwabe - - Gregor Seiler - - Damien Stehlé -implementations: - - name: clean - version: https://github.com/pq-crystals/dilithium/commit/1e63a1e880401166f105ab44ec67464c9714a315 via https://github.com/jschanck/package-pqclean/tree/b158a891/dilithium - - name: avx2 - version: https://github.com/pq-crystals/dilithium/commit/1e63a1e880401166f105ab44ec67464c9714a315 via https://github.com/jschanck/package-pqclean/tree/b158a891/dilithium - supported_platforms: - - architecture: x86_64 - operating_systems: - - Linux - - Darwin - required_flags: - - aes - - avx2 - - popcnt diff --git a/crypto_sign/dilithium2aes/avx2/LICENSE b/crypto_sign/dilithium2aes/avx2/LICENSE deleted file mode 100644 index 08473af7..00000000 
--- a/crypto_sign/dilithium2aes/avx2/LICENSE
+++ /dev/null
@@ -1,5 +0,0 @@
-Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/)
-
-For Keccak and AES we are using public-domain
-code from sources and by authors listed in
-comments on top of the respective files.
diff --git a/crypto_sign/dilithium2aes/avx2/aes256ctr.c b/crypto_sign/dilithium2aes/avx2/aes256ctr.c
deleted file mode 100644
index 82463cb5..00000000
--- a/crypto_sign/dilithium2aes/avx2/aes256ctr.c
+++ /dev/null
@@ -1,142 +0,0 @@ -#include "aes256ctr.h" -#include -#include -#include -/* Based heavily on public-domain code by Romain Dolbeau - * Different handling of nonce+counter than original version using - * separated 64-bit nonce and internal 64-bit counter, starting from zero - * Public Domain */ - - -static inline void aesni_encrypt4(uint8_t out[64], __m128i *n, const __m128i rkeys[16]) { - __m128i f, f0, f1, f2, f3; - const __m128i idx = _mm_set_epi8(8, 9, 10, 11, 12, 13, 14, 15, 7, 6, 5, 4, 3, 2, 1, 0); - - /* Load current counter value */ - f = _mm_load_si128(n); - - /* Increase counter in 4 consecutive blocks */ - f0 = _mm_shuffle_epi8(_mm_add_epi64(f, _mm_set_epi64x(0, 0)), idx); - f1 = _mm_shuffle_epi8(_mm_add_epi64(f, _mm_set_epi64x(1, 0)), idx); - f2 = _mm_shuffle_epi8(_mm_add_epi64(f, _mm_set_epi64x(2, 0)), idx); - f3 = _mm_shuffle_epi8(_mm_add_epi64(f, _mm_set_epi64x(3, 0)), idx); - - /* Write counter for next iteration, increased by 4 */ - _mm_store_si128(n, _mm_add_epi64(f, _mm_set_epi64x(4, 0))); - - /* Actual AES encryption, 4x interleaved */ - f = _mm_load_si128(&rkeys[0]); - f0 = _mm_xor_si128(f0, f); - f1 = _mm_xor_si128(f1, f); - f2 = _mm_xor_si128(f2, f); - f3 = _mm_xor_si128(f3, f); - - for (int i = 1; i < 14; i++) { - f = _mm_load_si128(&rkeys[i]); - f0 = _mm_aesenc_si128(f0, f); - f1 = _mm_aesenc_si128(f1, f); - f2 = _mm_aesenc_si128(f2, f); - f3 = _mm_aesenc_si128(f3, f); - } - - f = _mm_load_si128(&rkeys[14]); - f0 = _mm_aesenclast_si128(f0, f); - f1 = _mm_aesenclast_si128(f1, f); - f2 = _mm_aesenclast_si128(f2, f); - f3 = _mm_aesenclast_si128(f3, f); - - /* Write results */ - _mm_storeu_si128((__m128i *)(out + 0), f0); - _mm_storeu_si128((__m128i *)(out + 16), f1); - _mm_storeu_si128((__m128i *)(out + 32), f2); - _mm_storeu_si128((__m128i *)(out + 48), f3); -} - -void PQCLEAN_DILITHIUM2AES_AVX2_aes256ctr_init(aes256ctr_ctx *state, const uint8_t key[32], uint64_t nonce) { - __m128i key0, key1, temp0, temp1, temp2, temp4; - int idx = 0; - - key0 
= _mm_loadu_si128((__m128i *)(key + 0)); - key1 = _mm_loadu_si128((__m128i *)(key + 16)); - state->n = _mm_loadl_epi64((__m128i *)&nonce); - - state->rkeys[idx++] = key0; - temp0 = key0; - temp2 = key1; - temp4 = _mm_setzero_si128(); - -#define BLOCK1(IMM) \ - temp1 = _mm_aeskeygenassist_si128(temp2, IMM); \ - state->rkeys[idx++] = temp2; \ - temp4 = (__m128i)_mm_shuffle_ps((__m128)temp4, (__m128)temp0, 0x10); \ - temp0 = _mm_xor_si128(temp0, temp4); \ - temp4 = (__m128i)_mm_shuffle_ps((__m128)temp4, (__m128)temp0, 0x8c); \ - temp0 = _mm_xor_si128(temp0, temp4); \ - temp1 = (__m128i)_mm_shuffle_ps((__m128)temp1, (__m128)temp1, 0xff); \ - temp0 = _mm_xor_si128(temp0, temp1) - -#define BLOCK2(IMM) \ - temp1 = _mm_aeskeygenassist_si128(temp0, IMM); \ - state->rkeys[idx++] = temp0; \ - temp4 = (__m128i)_mm_shuffle_ps((__m128)temp4, (__m128)temp2, 0x10); \ - temp2 = _mm_xor_si128(temp2, temp4); \ - temp4 = (__m128i)_mm_shuffle_ps((__m128)temp4, (__m128)temp2, 0x8c); \ - temp2 = _mm_xor_si128(temp2, temp4); \ - temp1 = (__m128i)_mm_shuffle_ps((__m128)temp1, (__m128)temp1, 0xaa); \ - temp2 = _mm_xor_si128(temp2, temp1) - - BLOCK1(0x01); - BLOCK2(0x01); - - BLOCK1(0x02); - BLOCK2(0x02); - - BLOCK1(0x04); - BLOCK2(0x04); - - BLOCK1(0x08); - BLOCK2(0x08); - - BLOCK1(0x10); - BLOCK2(0x10); - - BLOCK1(0x20); - BLOCK2(0x20); - - BLOCK1(0x40); - state->rkeys[idx++] = temp0; -} - -void PQCLEAN_DILITHIUM2AES_AVX2_aes256ctr_squeezeblocks(uint8_t *out, - size_t nblocks, - aes256ctr_ctx *state) { - size_t i; - for (i = 0; i < nblocks; i++) { - aesni_encrypt4(out, &state->n, state->rkeys); - out += 64; - } -} - -void PQCLEAN_DILITHIUM2AES_AVX2_aes256ctr_prf(uint8_t *out, - size_t outlen, - const uint8_t seed[32], - uint64_t nonce) { - unsigned int i; - uint8_t buf[64]; - aes256ctr_ctx state; - - PQCLEAN_DILITHIUM2AES_AVX2_aes256ctr_init(&state, seed, nonce); - - while (outlen >= 64) { - aesni_encrypt4(out, &state.n, state.rkeys); - outlen -= 64; - out += 64; - } - - if (outlen) { - 
aesni_encrypt4(buf, &state.n, state.rkeys); - for (i = 0; i < outlen; i++) { - out[i] = buf[i]; - } - } -} diff --git a/crypto_sign/dilithium2aes/avx2/aes256ctr.h b/crypto_sign/dilithium2aes/avx2/aes256ctr.h deleted file mode 100644 index cdc936ba..00000000 --- a/crypto_sign/dilithium2aes/avx2/aes256ctr.h +++ /dev/null @@ -1,29 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM2AES_AVX2_AES256CTR_H -#define PQCLEAN_DILITHIUM2AES_AVX2_AES256CTR_H - -#include -#include -#include - - -#define AES256CTR_BLOCKBYTES 64 - -typedef struct { - __m128i rkeys[16]; - __m128i n; -} aes256ctr_ctx; - -void PQCLEAN_DILITHIUM2AES_AVX2_aes256ctr_init(aes256ctr_ctx *state, - const uint8_t key[32], - uint64_t nonce); - -void PQCLEAN_DILITHIUM2AES_AVX2_aes256ctr_squeezeblocks(uint8_t *out, - size_t nblocks, - aes256ctr_ctx *state); - -void PQCLEAN_DILITHIUM2AES_AVX2_aes256ctr_prf(uint8_t *out, - size_t outlen, - const uint8_t seed[32], - uint64_t nonce); - -#endif diff --git a/crypto_sign/dilithium2aes/avx2/align.h b/crypto_sign/dilithium2aes/avx2/align.h deleted file mode 100644 index c2c4e057..00000000 --- a/crypto_sign/dilithium2aes/avx2/align.h +++ /dev/null @@ -1,19 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM2AES_AVX2_ALIGN_H -#define PQCLEAN_DILITHIUM2AES_AVX2_ALIGN_H - -#include -#include - -#define ALIGNED_UINT8(N) \ - union { \ - uint8_t coeffs[N]; \ - __m256i vec[((N)+31)/32]; \ - } - -#define ALIGNED_INT32(N) \ - union { \ - int32_t coeffs[N]; \ - __m256i vec[((N)+7)/8]; \ - } - -#endif diff --git a/crypto_sign/dilithium2aes/avx2/api.h b/crypto_sign/dilithium2aes/avx2/api.h deleted file mode 100644 index 84f0634b..00000000 --- a/crypto_sign/dilithium2aes/avx2/api.h +++ /dev/null 
@@ -1,31 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM2AES_AVX2_API_H -#define PQCLEAN_DILITHIUM2AES_AVX2_API_H - -#include -#include - -#define PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_PUBLICKEYBYTES 1312 -#define PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_SECRETKEYBYTES 2544 -#define PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_BYTES 2420 -#define PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_ALGNAME "Dilithium2-AES" - - -int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk); - -int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk); - -int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk); - -#endif diff --git a/crypto_sign/dilithium2aes/avx2/cdecl.h b/crypto_sign/dilithium2aes/avx2/cdecl.h deleted file mode 100644 index 20d4580c..00000000 --- a/crypto_sign/dilithium2aes/avx2/cdecl.h +++ /dev/null @@ -1,24 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM2AES_AVX2_CDECL_H -#define PQCLEAN_DILITHIUM2AES_AVX2_CDECL_H - - - -#define _8XQ 0 -#define _8XQINV 8 -#define _8XDIV_QINV 16 -#define _8XDIV 24 -#define _ZETAS_QINV 32 -#define _ZETAS 328 - -/* The C ABI on MacOS exports all symbols with a leading - * underscore. This means that any symbols we refer to from - * C files (functions) can't be found, and all symbols we - * refer to from ASM also can't be found (nttconsts.c). - * - * This define helps us get around this - */ - -#define _cdecl(s) _##s -#define cdecl(s) s - -#endif diff --git a/crypto_sign/dilithium2aes/avx2/consts.c b/crypto_sign/dilithium2aes/avx2/consts.c deleted file mode 100644 index 82736730..00000000 --- a/crypto_sign/dilithium2aes/avx2/consts.c +++ /dev/null 
@@ -1,101 +0,0 @@ -#include "consts.h" -#include "params.h" -#include - -#define QINV 58728449 // q^(-1) mod 2^32 -#define MONT (-4186625) // 2^32 mod q -#define DIV 41978 // mont^2/256 -#define DIV_QINV (-8395782) - -const qdata_t PQCLEAN_DILITHIUM2AES_AVX2_qdata = {{ -//#define _8XQ 0 - Q, Q, Q, Q, Q, Q, Q, Q, - -//#define _8XQINV 8 - QINV, QINV, QINV, QINV, QINV, QINV, QINV, QINV, - -//#define _8XDIV_QINV 16 - DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV, - -//#define _8XDIV 24 - DIV, DIV, DIV, DIV, DIV, DIV, DIV, DIV, - -//#define _ZETAS_QINV 32 - -151046689, 1830765815, -1929875198, -1927777021, 1640767044, 1477910808, 1612161320, 1640734244, - 308362795, 308362795, 308362795, 308362795, -1815525077, -1815525077, -1815525077, -1815525077, - -1374673747, -1374673747, -1374673747, -1374673747, -1091570561, -1091570561, -1091570561, -1091570561, - -1929495947, -1929495947, -1929495947, -1929495947, 515185417, 515185417, 515185417, 515185417, - -285697463, -285697463, -285697463, -285697463, 625853735, 625853735, 625853735, 625853735, - 1727305304, 1727305304, 2082316400, 2082316400, -1364982364, -1364982364, 858240904, 858240904, - 1806278032, 1806278032, 222489248, 222489248, -346752664, -346752664, 684667771, 684667771, - 1654287830, 1654287830, -878576921, -878576921, -1257667337, -1257667337, -748618600, -748618600, - 329347125, 329347125, 1837364258, 1837364258, -1443016191, -1443016191, -1170414139, -1170414139, - -1846138265, -1631226336, -1404529459, 1838055109, 1594295555, -1076973524, -1898723372, -594436433, - -202001019, -475984260, -561427818, 1797021249, -1061813248, 2059733581, -1661512036, -1104976547, - -1750224323, -901666090, 418987550, 1831915353, -1925356481, 992097815, 879957084, 2024403852, - 1484874664, -1636082790, -285388938, -1983539117, -1495136972, -950076368, -1714807468, -952438995, - -1574918427, 1350681039, -2143979939, 1599739335, -1285853323, -993005454, -1440787840, 568627424, - -783134478, 
-588790216, 289871779, -1262003603, 2135294594, -1018755525, -889861155, 1665705315, - 1321868265, 1225434135, -1784632064, 666258756, 675310538, -1555941048, -1999506068, -1499481951, - -695180180, -1375177022, 1777179795, 334803717, -178766299, -518252220, 1957047970, 1146323031, - -654783359, -1974159335, 1651689966, 140455867, -1039411342, 1955560694, 1529189038, -2131021878, - -247357819, 1518161567, -86965173, 1708872713, 1787797779, 1638590967, -120646188, -1669960606, - -916321552, 1155548552, 2143745726, 1210558298, -1261461890, -318346816, 628664287, -1729304568, - 1422575624, 1424130038, -1185330464, 235321234, 168022240, 1206536194, 985155484, -894060583, - -898413, -1363460238, -605900043, 2027833504, 14253662, 1014493059, 863641633, 1819892093, - 2124962073, -1223601433, -1920467227, -1637785316, -1536588520, 694382729, 235104446, -1045062172, - 831969619, -300448763, 756955444, -260312805, 1554794072, 1339088280, -2040058690, -853476187, - -2047270596, -1723816713, -1591599803, -440824168, 1119856484, 1544891539, 155290192, -973777462, - 991903578, 912367099, -44694137, 1176904444, -421552614, -818371958, 1747917558, -325927722, - 908452108, 1851023419, -1176751719, -1354528380, -72690498, -314284737, 985022747, 963438279, - -1078959975, 604552167, -1021949428, 608791570, 173440395, -2126092136, -1316619236, -1039370342, - 6087993, -110126092, 565464272, -1758099917, -1600929361, 879867909, -1809756372, 400711272, - 1363007700, 30313375, -326425360, 1683520342, -517299994, 2027935492, -1372618620, 128353682, - -1123881663, 137583815, -635454918, -642772911, 45766801, 671509323, -2070602178, 419615363, - 1216882040, -270590488, -1276805128, 371462360, -1357098057, -384158533, 827959816, -596344473, - 702390549, -279505433, -260424530, -71875110, -1208667171, -1499603926, 2036925262, -540420426, - 746144248, -1420958686, 2032221021, 1904936414, 1257750362, 1926727420, 1931587462, 1258381762, - 885133339, 1629985060, 1967222129, 6363718, -1287922800, 
1136965286, 1779436847, 1116720494, - 1042326957, 1405999311, 713994583, 940195359, -1542497137, 2061661095, -883155599, 1726753853, - -1547952704, 394851342, 283780712, 776003547, 1123958025, 201262505, 1934038751, 374860238, - -//#define _ZETAS 328 - -3975713, 25847, -2608894, -518909, 237124, -777960, -876248, 466468, - 1826347, 1826347, 1826347, 1826347, 2353451, 2353451, 2353451, 2353451, - -359251, -359251, -359251, -359251, -2091905, -2091905, -2091905, -2091905, - 3119733, 3119733, 3119733, 3119733, -2884855, -2884855, -2884855, -2884855, - 3111497, 3111497, 3111497, 3111497, 2680103, 2680103, 2680103, 2680103, - 2725464, 2725464, 1024112, 1024112, -1079900, -1079900, 3585928, 3585928, - -549488, -549488, -1119584, -1119584, 2619752, 2619752, -2108549, -2108549, - -2118186, -2118186, -3859737, -3859737, -1399561, -1399561, -3277672, -3277672, - 1757237, 1757237, -19422, -19422, 4010497, 4010497, 280005, 280005, - 2706023, 95776, 3077325, 3530437, -1661693, -3592148, -2537516, 3915439, - -3861115, -3043716, 3574422, -2867647, 3539968, -300467, 2348700, -539299, - -1699267, -1643818, 3505694, -3821735, 3507263, -2140649, -1600420, 3699596, - 811944, 531354, 954230, 3881043, 3900724, -2556880, 2071892, -2797779, - -3930395, -3677745, -1452451, 2176455, -1257611, -4083598, -3190144, -3632928, - 3412210, 2147896, -2967645, -411027, -671102, -22981, -381987, 1852771, - -3343383, 508951, 44288, 904516, -3724342, 1653064, 2389356, 759969, - 189548, 3159746, -2409325, 1315589, 1285669, -812732, -3019102, -3628969, - -1528703, -3041255, 3475950, -1585221, 1939314, -1000202, -3157330, 126922, - -983419, 2715295, -3693493, -2477047, -1228525, -1308169, 1349076, -1430430, - 264944, 3097992, -1100098, 3958618, -8578, -3249728, -210977, -1316856, - -3553272, -1851402, -177440, 1341330, -1584928, -1439742, -3881060, 3839961, - 2091667, -3342478, 266997, -3520352, 900702, 495491, -655327, -3556995, - 342297, 3437287, 2842341, 4055324, -3767016, -2994039, -1333058, -451100, 
- -1279661, 1500165, -542412, -2584293, -2013608, 1957272, -3183426, 810149, - -3038916, 2213111, -426683, -1667432, -2939036, 183443, -554416, 3937738, - 3407706, 2244091, 2434439, -3759364, 1859098, -1613174, -3122442, -525098, - 286988, -3342277, 2691481, 1247620, 1250494, 1869119, 1237275, 1312455, - 1917081, 777191, -2831860, -3724270, 2432395, 3369112, 162844, 1652634, - 3523897, -975884, 1723600, -1104333, -2235985, -976891, 3919660, 1400424, - 2316500, -2446433, -1235728, -1197226, 909542, -43260, 2031748, -768622, - -2437823, 1735879, -2590150, 2486353, 2635921, 1903435, -3318210, 3306115, - -2546312, 2235880, -1671176, 594136, 2454455, 185531, 1616392, -3694233, - 3866901, 1717735, -1803090, -260646, -420899, 1612842, -48306, -846154, - 3817976, -3562462, 3513181, -3193378, 819034, -522500, 3207046, -3595838, - 4108315, 203044, 1265009, 1595974, -3548272, -1050970, -1430225, -1962642, - -1374803, 3406031, -1846953, -3776993, -164721, -1207385, 3014001, -1799107, - 269760, 472078, 1910376, -3833893, -2286327, -3545687, -1362209, 1976782, - } -}; diff --git a/crypto_sign/dilithium2aes/avx2/consts.h b/crypto_sign/dilithium2aes/avx2/consts.h deleted file mode 100644 index d02cf328..00000000 --- a/crypto_sign/dilithium2aes/avx2/consts.h +++ /dev/null @@ -1,10 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM2AES_AVX2_CONSTS_H -#define PQCLEAN_DILITHIUM2AES_AVX2_CONSTS_H -#include "align.h" -#include "cdecl.h" - - -typedef ALIGNED_INT32(624) qdata_t; -extern const qdata_t PQCLEAN_DILITHIUM2AES_AVX2_qdata; - -#endif diff --git a/crypto_sign/dilithium2aes/avx2/invntt.S b/crypto_sign/dilithium2aes/avx2/invntt.S deleted file mode 100644 index 95c8127d..00000000 --- a/crypto_sign/dilithium2aes/avx2/invntt.S +++ /dev/null 
@@ -1,240 +0,0 @@
-#include "cdecl.h"
-.include "shuffle.inc"
-
-.macro butterfly l,h,zl0=1,zl1=1,zh0=2,zh1=2
-vpsubd %ymm\l,%ymm\h,%ymm12
-vpaddd %ymm\h,%ymm\l,%ymm\l
-
-vpmuldq %ymm\zl0,%ymm12,%ymm13
-vmovshdup %ymm12,%ymm\h
-vpmuldq %ymm\zl1,%ymm\h,%ymm14
-
-vpmuldq %ymm\zh0,%ymm12,%ymm12
-vpmuldq %ymm\zh1,%ymm\h,%ymm\h
-
-vpmuldq %ymm0,%ymm13,%ymm13
-vpmuldq %ymm0,%ymm14,%ymm14
-
-vpsubd %ymm13,%ymm12,%ymm12
-vpsubd %ymm14,%ymm\h,%ymm\h
-
-vmovshdup %ymm12,%ymm12
-vpblendd $0xAA,%ymm\h,%ymm12,%ymm\h
-.endm
-
-.macro levels0t5 off
-vmovdqa 256*\off+ 0(%rdi),%ymm4
-vmovdqa 256*\off+ 32(%rdi),%ymm5
-vmovdqa 256*\off+ 64(%rdi),%ymm6
-vmovdqa 256*\off+ 96(%rdi),%ymm7
-vmovdqa 256*\off+128(%rdi),%ymm8
-vmovdqa 256*\off+160(%rdi),%ymm9
-vmovdqa 256*\off+192(%rdi),%ymm10
-vmovdqa 256*\off+224(%rdi),%ymm11
-
-/* level 0 */
-vpermq $0x1B,(_ZETAS_QINV+296-8*\off-8)*4(%rsi),%ymm3
-vpermq $0x1B,(_ZETAS+296-8*\off-8)*4(%rsi),%ymm15
-vmovshdup %ymm3,%ymm1
-vmovshdup %ymm15,%ymm2
-butterfly 4,5,1,3,2,15
-
-vpermq $0x1B,(_ZETAS_QINV+296-8*\off-40)*4(%rsi),%ymm3
-vpermq $0x1B,(_ZETAS+296-8*\off-40)*4(%rsi),%ymm15
-vmovshdup %ymm3,%ymm1
-vmovshdup %ymm15,%ymm2
-butterfly 6,7,1,3,2,15
-
-vpermq $0x1B,(_ZETAS_QINV+296-8*\off-72)*4(%rsi),%ymm3
-vpermq $0x1B,(_ZETAS+296-8*\off-72)*4(%rsi),%ymm15
-vmovshdup %ymm3,%ymm1
-vmovshdup %ymm15,%ymm2
-butterfly 8,9,1,3,2,15
-
-vpermq $0x1B,(_ZETAS_QINV+296-8*\off-104)*4(%rsi),%ymm3
-vpermq $0x1B,(_ZETAS+296-8*\off-104)*4(%rsi),%ymm15
-vmovshdup %ymm3,%ymm1
-vmovshdup %ymm15,%ymm2
-butterfly 10,11,1,3,2,15
-
-/* level 1 */
-vpermq $0x1B,(_ZETAS_QINV+168-8*\off-8)*4(%rsi),%ymm3
-vpermq $0x1B,(_ZETAS+168-8*\off-8)*4(%rsi),%ymm15
-vmovshdup %ymm3,%ymm1
-vmovshdup %ymm15,%ymm2
-butterfly 4,6,1,3,2,15
-butterfly 5,7,1,3,2,15
-
-vpermq $0x1B,(_ZETAS_QINV+168-8*\off-40)*4(%rsi),%ymm3
-vpermq $0x1B,(_ZETAS+168-8*\off-40)*4(%rsi),%ymm15
-vmovshdup %ymm3,%ymm1
-vmovshdup %ymm15,%ymm2
-butterfly 8,10,1,3,2,15
-butterfly 9,11,1,3,2,15
-
-/* level 2 */
-vpermq $0x1B,(_ZETAS_QINV+104-8*\off-8)*4(%rsi),%ymm3
-vpermq $0x1B,(_ZETAS+104-8*\off-8)*4(%rsi),%ymm15
-vmovshdup %ymm3,%ymm1
-vmovshdup %ymm15,%ymm2
-butterfly 4,8,1,3,2,15
-butterfly 5,9,1,3,2,15
-butterfly 6,10,1,3,2,15
-butterfly 7,11,1,3,2,15
-
-/* level 3 */
-shuffle2 4,5,3,5
-shuffle2 6,7,4,7
-shuffle2 8,9,6,9
-shuffle2 10,11,8,11
-
-vpermq $0x1B,(_ZETAS_QINV+72-8*\off-8)*4(%rsi),%ymm1
-vpermq $0x1B,(_ZETAS+72-8*\off-8)*4(%rsi),%ymm2
-butterfly 3,5
-butterfly 4,7
-butterfly 6,9
-butterfly 8,11
-
-/* level 4 */
-shuffle4 3,4,10,4
-shuffle4 6,8,3,8
-shuffle4 5,7,6,7
-shuffle4 9,11,5,11
-
-vpermq $0x1B,(_ZETAS_QINV+40-8*\off-8)*4(%rsi),%ymm1
-vpermq $0x1B,(_ZETAS+40-8*\off-8)*4(%rsi),%ymm2
-butterfly 10,4
-butterfly 3,8
-butterfly 6,7
-butterfly 5,11
-
-/* level 5 */
-shuffle8 10,3,9,3
-shuffle8 6,5,10,5
-shuffle8 4,8,6,8
-shuffle8 7,11,4,11
-
-vpbroadcastd (_ZETAS_QINV+7-\off)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+7-\off)*4(%rsi),%ymm2
-butterfly 9,3
-butterfly 10,5
-butterfly 6,8
-butterfly 4,11
-
-vmovdqa %ymm9,256*\off+ 0(%rdi)
-vmovdqa %ymm10,256*\off+ 32(%rdi)
-vmovdqa %ymm6,256*\off+ 64(%rdi)
-vmovdqa %ymm4,256*\off+ 96(%rdi)
-vmovdqa %ymm3,256*\off+128(%rdi)
-vmovdqa %ymm5,256*\off+160(%rdi)
-vmovdqa %ymm8,256*\off+192(%rdi)
-vmovdqa %ymm11,256*\off+224(%rdi)
-.endm
-
-.macro levels6t7 off
-vmovdqa 0+32*\off(%rdi),%ymm4
-vmovdqa 128+32*\off(%rdi),%ymm5
-vmovdqa 256+32*\off(%rdi),%ymm6
-vmovdqa 384+32*\off(%rdi),%ymm7
-vmovdqa 512+32*\off(%rdi),%ymm8
-vmovdqa 640+32*\off(%rdi),%ymm9
-vmovdqa 768+32*\off(%rdi),%ymm10
-vmovdqa 896+32*\off(%rdi),%ymm11
-
-/* level 6 */
-vpbroadcastd (_ZETAS_QINV+3)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+3)*4(%rsi),%ymm2
-butterfly 4,6
-butterfly 5,7
-
-vpbroadcastd (_ZETAS_QINV+2)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+2)*4(%rsi),%ymm2
-butterfly 8,10
-butterfly 9,11
-
-/* level 7 */
-vpbroadcastd (_ZETAS_QINV+0)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+0)*4(%rsi),%ymm2
-
-butterfly 4,8
-butterfly 5,9
-butterfly 6,10
-butterfly 7,11
-
-vmovdqa %ymm8,512+32*\off(%rdi)
-vmovdqa %ymm9,640+32*\off(%rdi)
-vmovdqa %ymm10,768+32*\off(%rdi)
-vmovdqa %ymm11,896+32*\off(%rdi)
-
-vmovdqa (_8XDIV_QINV)*4(%rsi),%ymm1
-vmovdqa (_8XDIV)*4(%rsi),%ymm2
-vpmuldq %ymm1,%ymm4,%ymm12
-vpmuldq %ymm1,%ymm5,%ymm13
-vmovshdup %ymm4,%ymm8
-vmovshdup %ymm5,%ymm9
-vpmuldq %ymm1,%ymm8,%ymm14
-vpmuldq %ymm1,%ymm9,%ymm15
-vpmuldq %ymm2,%ymm4,%ymm4
-vpmuldq %ymm2,%ymm5,%ymm5
-vpmuldq %ymm2,%ymm8,%ymm8
-vpmuldq %ymm2,%ymm9,%ymm9
-vpmuldq %ymm0,%ymm12,%ymm12
-vpmuldq %ymm0,%ymm13,%ymm13
-vpmuldq %ymm0,%ymm14,%ymm14
-vpmuldq %ymm0,%ymm15,%ymm15
-vpsubd %ymm12,%ymm4,%ymm4
-vpsubd %ymm13,%ymm5,%ymm5
-vpsubd %ymm14,%ymm8,%ymm8
-vpsubd %ymm15,%ymm9,%ymm9
-vmovshdup %ymm4,%ymm4
-vmovshdup %ymm5,%ymm5
-vpblendd $0xAA,%ymm8,%ymm4,%ymm4
-vpblendd $0xAA,%ymm9,%ymm5,%ymm5
-
-vpmuldq %ymm1,%ymm6,%ymm12
-vpmuldq %ymm1,%ymm7,%ymm13
-vmovshdup %ymm6,%ymm8
-vmovshdup %ymm7,%ymm9
-vpmuldq %ymm1,%ymm8,%ymm14
-vpmuldq %ymm1,%ymm9,%ymm15
-vpmuldq %ymm2,%ymm6,%ymm6
-vpmuldq %ymm2,%ymm7,%ymm7
-vpmuldq %ymm2,%ymm8,%ymm8
-vpmuldq %ymm2,%ymm9,%ymm9
-vpmuldq %ymm0,%ymm12,%ymm12
-vpmuldq %ymm0,%ymm13,%ymm13
-vpmuldq %ymm0,%ymm14,%ymm14
-vpmuldq %ymm0,%ymm15,%ymm15
-vpsubd %ymm12,%ymm6,%ymm6
-vpsubd %ymm13,%ymm7,%ymm7
-vpsubd %ymm14,%ymm8,%ymm8
-vpsubd %ymm15,%ymm9,%ymm9
-vmovshdup %ymm6,%ymm6
-vmovshdup %ymm7,%ymm7
-vpblendd $0xAA,%ymm8,%ymm6,%ymm6
-vpblendd $0xAA,%ymm9,%ymm7,%ymm7
-
-vmovdqa %ymm4, 0+32*\off(%rdi)
-vmovdqa %ymm5,128+32*\off(%rdi)
-vmovdqa %ymm6,256+32*\off(%rdi)
-vmovdqa %ymm7,384+32*\off(%rdi)
-.endm
-
-.text
-.global cdecl(PQCLEAN_DILITHIUM2AES_AVX2_invntt_avx)
-.global _cdecl(PQCLEAN_DILITHIUM2AES_AVX2_invntt_avx)
-cdecl(PQCLEAN_DILITHIUM2AES_AVX2_invntt_avx):
-_cdecl(PQCLEAN_DILITHIUM2AES_AVX2_invntt_avx):
-vmovdqa _8XQ*4(%rsi),%ymm0
-
-levels0t5 0
-levels0t5 1
-levels0t5 2
-levels0t5 3
-
-levels6t7 0
-levels6t7 1
-levels6t7 2
-levels6t7 3
-
-ret
diff --git a/crypto_sign/dilithium2aes/avx2/ntt.S b/crypto_sign/dilithium2aes/avx2/ntt.S
deleted file mode 100644
index d04e2b62..00000000
--- a/crypto_sign/dilithium2aes/avx2/ntt.S
+++ /dev/null
@@ -1,199 +0,0 @@
-#include "cdecl.h"
-.include "shuffle.inc"
-
-.macro butterfly l,h,zl0=1,zl1=1,zh0=2,zh1=2
-vpmuldq %ymm\zl0,%ymm\h,%ymm13
-vmovshdup %ymm\h,%ymm12
-vpmuldq %ymm\zl1,%ymm12,%ymm14
-
-vpmuldq %ymm\zh0,%ymm\h,%ymm\h
-vpmuldq %ymm\zh1,%ymm12,%ymm12
-
-vpmuldq %ymm0,%ymm13,%ymm13
-vpmuldq %ymm0,%ymm14,%ymm14
-
-vmovshdup %ymm\h,%ymm\h
-vpblendd $0xAA,%ymm12,%ymm\h,%ymm\h
-
-vpsubd %ymm\h,%ymm\l,%ymm12
-vpaddd %ymm\h,%ymm\l,%ymm\l
-
-vmovshdup %ymm13,%ymm13
-vpblendd $0xAA,%ymm14,%ymm13,%ymm13
-
-vpaddd %ymm13,%ymm12,%ymm\h
-vpsubd %ymm13,%ymm\l,%ymm\l
-.endm
-
-.macro levels0t1 off
-/* level 0 */
-vpbroadcastd (_ZETAS_QINV+1)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+1)*4(%rsi),%ymm2
-
-vmovdqa 0+32*\off(%rdi),%ymm4
-vmovdqa 128+32*\off(%rdi),%ymm5
-vmovdqa 256+32*\off(%rdi),%ymm6
-vmovdqa 384+32*\off(%rdi),%ymm7
-vmovdqa 512+32*\off(%rdi),%ymm8
-vmovdqa 640+32*\off(%rdi),%ymm9
-vmovdqa 768+32*\off(%rdi),%ymm10
-vmovdqa 896+32*\off(%rdi),%ymm11
-
-butterfly 4,8
-butterfly 5,9
-butterfly 6,10
-butterfly 7,11
-
-/* level 1 */
-vpbroadcastd (_ZETAS_QINV+2)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+2)*4(%rsi),%ymm2
-butterfly 4,6
-butterfly 5,7
-
-vpbroadcastd (_ZETAS_QINV+3)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+3)*4(%rsi),%ymm2
-butterfly 8,10
-butterfly 9,11
-
-vmovdqa %ymm4, 0+32*\off(%rdi)
-vmovdqa %ymm5,128+32*\off(%rdi)
-vmovdqa %ymm6,256+32*\off(%rdi)
-vmovdqa %ymm7,384+32*\off(%rdi)
-vmovdqa %ymm8,512+32*\off(%rdi)
-vmovdqa %ymm9,640+32*\off(%rdi)
-vmovdqa %ymm10,768+32*\off(%rdi)
-vmovdqa %ymm11,896+32*\off(%rdi)
-.endm
-
-.macro levels2t7 off
-/* level 2 */
-vmovdqa 256*\off+ 0(%rdi),%ymm4
-vmovdqa 256*\off+ 32(%rdi),%ymm5
-vmovdqa 256*\off+ 64(%rdi),%ymm6
-vmovdqa 256*\off+ 96(%rdi),%ymm7
-vmovdqa 256*\off+128(%rdi),%ymm8
-vmovdqa 256*\off+160(%rdi),%ymm9
-vmovdqa 256*\off+192(%rdi),%ymm10
-vmovdqa 256*\off+224(%rdi),%ymm11
-
-vpbroadcastd (_ZETAS_QINV+4+\off)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+4+\off)*4(%rsi),%ymm2
-
-butterfly 4,8
-butterfly 5,9
-butterfly 6,10
-butterfly 7,11
-
-shuffle8 4,8,3,8
-shuffle8 5,9,4,9
-shuffle8 6,10,5,10
-shuffle8 7,11,6,11
-
-/* level 3 */
-vmovdqa (_ZETAS_QINV+8+8*\off)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+8+8*\off)*4(%rsi),%ymm2
-
-butterfly 3,5
-butterfly 8,10
-butterfly 4,6
-butterfly 9,11
-
-shuffle4 3,5,7,5
-shuffle4 8,10,3,10
-shuffle4 4,6,8,6
-shuffle4 9,11,4,11
-
-/* level 4 */
-vmovdqa (_ZETAS_QINV+40+8*\off)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+40+8*\off)*4(%rsi),%ymm2
-
-butterfly 7,8
-butterfly 5,6
-butterfly 3,4
-butterfly 10,11
-
-shuffle2 7,8,9,8
-shuffle2 5,6,7,6
-shuffle2 3,4,5,4
-shuffle2 10,11,3,11
-
-/* level 5 */
-vmovdqa (_ZETAS_QINV+72+8*\off)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+72+8*\off)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-
-butterfly 9,5,1,10,2,15
-butterfly 8,4,1,10,2,15
-butterfly 7,3,1,10,2,15
-butterfly 6,11,1,10,2,15
-
-/* level 6 */
-vmovdqa (_ZETAS_QINV+104+8*\off)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+104+8*\off)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 9,7,1,10,2,15
-butterfly 8,6,1,10,2,15
-
-vmovdqa (_ZETAS_QINV+104+8*\off+32)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+104+8*\off+32)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 5,3,1,10,2,15
-butterfly 4,11,1,10,2,15
-
-/* level 7 */
-vmovdqa (_ZETAS_QINV+168+8*\off)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+168+8*\off)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 9,8,1,10,2,15
-
-vmovdqa (_ZETAS_QINV+168+8*\off+32)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+168+8*\off+32)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 7,6,1,10,2,15
-
-vmovdqa (_ZETAS_QINV+168+8*\off+64)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+168+8*\off+64)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 5,4,1,10,2,15
-
-vmovdqa (_ZETAS_QINV+168+8*\off+96)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+168+8*\off+96)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 3,11,1,10,2,15
-
-vmovdqa %ymm9,256*\off+ 0(%rdi)
-vmovdqa %ymm8,256*\off+ 32(%rdi)
-vmovdqa %ymm7,256*\off+ 64(%rdi)
-vmovdqa %ymm6,256*\off+ 96(%rdi)
-vmovdqa %ymm5,256*\off+128(%rdi)
-vmovdqa %ymm4,256*\off+160(%rdi)
-vmovdqa %ymm3,256*\off+192(%rdi)
-vmovdqa %ymm11,256*\off+224(%rdi)
-.endm
-
-.text
-.global cdecl(PQCLEAN_DILITHIUM2AES_AVX2_ntt_avx)
-.global _cdecl(PQCLEAN_DILITHIUM2AES_AVX2_ntt_avx)
-cdecl(PQCLEAN_DILITHIUM2AES_AVX2_ntt_avx):
-_cdecl(PQCLEAN_DILITHIUM2AES_AVX2_ntt_avx):
-vmovdqa _8XQ*4(%rsi),%ymm0
-
-levels0t1 0
-levels0t1 1
-levels0t1 2
-levels0t1 3
-
-levels2t7 0
-levels2t7 1
-levels2t7 2
-levels2t7 3
-
-ret
-
diff --git a/crypto_sign/dilithium2aes/avx2/ntt.h b/crypto_sign/dilithium2aes/avx2/ntt.h
deleted file mode 100644
index 24c2ad18..00000000
--- a/crypto_sign/dilithium2aes/avx2/ntt.h
+++ /dev/null
@@ -1,14 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM2AES_AVX2_NTT_H
-#define PQCLEAN_DILITHIUM2AES_AVX2_NTT_H
-
-#include
-
-void PQCLEAN_DILITHIUM2AES_AVX2_ntt_avx(__m256i *a, const __m256i *PQCLEAN_DILITHIUM2AES_AVX2_qdata);
-void PQCLEAN_DILITHIUM2AES_AVX2_invntt_avx(__m256i *a, const __m256i *PQCLEAN_DILITHIUM2AES_AVX2_qdata);
-
-void PQCLEAN_DILITHIUM2AES_AVX2_nttunpack_avx(__m256i *a);
-
-void PQCLEAN_DILITHIUM2AES_AVX2_pointwise_avx(__m256i *c, const __m256i *a, const __m256i *b, const __m256i *PQCLEAN_DILITHIUM2AES_AVX2_qdata);
-void PQCLEAN_DILITHIUM2AES_AVX2_pointwise_acc_avx(__m256i *c, const __m256i *a, const __m256i *b, const __m256i *PQCLEAN_DILITHIUM2AES_AVX2_qdata);
-
-#endif
diff --git a/crypto_sign/dilithium2aes/avx2/packing.c b/crypto_sign/dilithium2aes/avx2/packing.c
deleted file mode 100644
index 5ef0a359..00000000
--- a/crypto_sign/dilithium2aes/avx2/packing.c
+++ /dev/null
@@ -1,261 +0,0 @@
-#include "packing.h"
-#include "params.h"
-#include "poly.h"
-#include "polyvec.h"
-
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM2AES_AVX2_pack_pk
-*
-* Description: Bit-pack public key pk = (rho, t1).
-*
-* Arguments: - uint8_t pk[]: output byte array
-* - const uint8_t rho[]: byte array containing rho
-* - const polyveck *t1: pointer to vector t1
-**************************************************/
-void PQCLEAN_DILITHIUM2AES_AVX2_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_PUBLICKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const polyveck *t1) {
- unsigned int i;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- pk[i] = rho[i];
- }
- pk += SEEDBYTES;
-
- for (i = 0; i < K; ++i) {
- PQCLEAN_DILITHIUM2AES_AVX2_polyt1_pack(pk + i * POLYT1_PACKEDBYTES, &t1->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM2AES_AVX2_unpack_pk
-*
-* Description: Unpack public key pk = (rho, t1).
-*
-* Arguments: - const uint8_t rho[]: output byte array for rho
-* - const polyveck *t1: pointer to output vector t1
-* - uint8_t pk[]: byte array containing bit-packed pk
-**************************************************/
-void PQCLEAN_DILITHIUM2AES_AVX2_unpack_pk(uint8_t rho[SEEDBYTES],
- polyveck *t1,
- const uint8_t pk[PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_PUBLICKEYBYTES]) {
- unsigned int i;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- rho[i] = pk[i];
- }
- pk += SEEDBYTES;
-
- for (i = 0; i < K; ++i) {
- PQCLEAN_DILITHIUM2AES_AVX2_polyt1_unpack(&t1->vec[i], pk + i * POLYT1_PACKEDBYTES);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM2AES_AVX2_pack_sk
-*
-* Description: Bit-pack secret key sk = (rho, tr, key, t0, s1, s2).
-*
-* Arguments: - uint8_t sk[]: output byte array
-* - const uint8_t rho[]: byte array containing rho
-* - const uint8_t tr[]: byte array containing tr
-* - const uint8_t key[]: byte array containing key
-* - const polyveck *t0: pointer to vector t0
-* - const polyvecl *s1: pointer to vector s1
-* - const polyveck *s2: pointer to vector s2
-**************************************************/
-void PQCLEAN_DILITHIUM2AES_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_SECRETKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const uint8_t tr[CRHBYTES],
- const uint8_t key[SEEDBYTES],
- const polyveck *t0,
- const polyvecl *s1,
- const polyveck *s2) {
- unsigned int i;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- sk[i] = rho[i];
- }
- sk += SEEDBYTES;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- sk[i] = key[i];
- }
- sk += SEEDBYTES;
-
- for (i = 0; i < CRHBYTES; ++i) {
- sk[i] = tr[i];
- }
- sk += CRHBYTES;
-
- for (i = 0; i < L; ++i) {
- PQCLEAN_DILITHIUM2AES_AVX2_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]);
- }
- sk += L * POLYETA_PACKEDBYTES;
-
- for (i = 0; i < K; ++i) {
- PQCLEAN_DILITHIUM2AES_AVX2_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s2->vec[i]);
- }
- sk += K * POLYETA_PACKEDBYTES;
-
- for (i = 0; i < K; ++i) {
- PQCLEAN_DILITHIUM2AES_AVX2_polyt0_pack(sk + i * POLYT0_PACKEDBYTES, &t0->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM2AES_AVX2_unpack_sk
-*
-* Description: Unpack secret key sk = (rho, tr, key, t0, s1, s2).
-*
-* Arguments: - const uint8_t rho[]: output byte array for rho
-* - const uint8_t tr[]: output byte array for tr
-* - const uint8_t key[]: output byte array for key
-* - const polyveck *t0: pointer to output vector t0
-* - const polyvecl *s1: pointer to output vector s1
-* - const polyveck *s2: pointer to output vector s2
-* - uint8_t sk[]: byte array containing bit-packed sk
-**************************************************/
-void PQCLEAN_DILITHIUM2AES_AVX2_unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[CRHBYTES],
- uint8_t key[SEEDBYTES],
- polyveck *t0,
- polyvecl *s1,
- polyveck *s2,
- const uint8_t sk[PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_SECRETKEYBYTES]) {
- unsigned int i;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- rho[i] = sk[i];
- }
- sk += SEEDBYTES;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- key[i] = sk[i];
- }
- sk += SEEDBYTES;
-
- for (i = 0; i < CRHBYTES; ++i) {
- tr[i] = sk[i];
- }
- sk += CRHBYTES;
-
- for (i = 0; i < L; ++i) {
- PQCLEAN_DILITHIUM2AES_AVX2_polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES);
- }
- sk += L * POLYETA_PACKEDBYTES;
-
- for (i = 0; i < K; ++i) {
- PQCLEAN_DILITHIUM2AES_AVX2_polyeta_unpack(&s2->vec[i], sk + i * POLYETA_PACKEDBYTES);
- }
- sk += K * POLYETA_PACKEDBYTES;
-
- for (i = 0; i < K; ++i) {
- PQCLEAN_DILITHIUM2AES_AVX2_polyt0_unpack(&t0->vec[i], sk + i * POLYT0_PACKEDBYTES);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM2AES_AVX2_pack_sig
-*
-* Description: Bit-pack signature sig = (c, z, h).
-*
-* Arguments: - uint8_t sig[]: output byte array
-* - const uint8_t *c: pointer to PQCLEAN_DILITHIUM2AES_AVX2_challenge hash length SEEDBYTES
-* - const polyvecl *z: pointer to vector z
-* - const polyveck *h: pointer to hint vector h
-**************************************************/
-void PQCLEAN_DILITHIUM2AES_AVX2_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_BYTES],
- const uint8_t c[SEEDBYTES],
- const polyvecl *z,
- const polyveck *h) {
- unsigned int i, j, k;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- sig[i] = c[i];
- }
- sig += SEEDBYTES;
-
- for (i = 0; i < L; ++i) {
- PQCLEAN_DILITHIUM2AES_AVX2_polyz_pack(sig + i * POLYZ_PACKEDBYTES, &z->vec[i]);
- }
- sig += L * POLYZ_PACKEDBYTES;
-
- /* Encode h */
- for (i = 0; i < OMEGA + K; ++i) {
- sig[i] = 0;
- }
-
- k = 0;
- for (i = 0; i < K; ++i) {
- for (j = 0; j < N; ++j) {
- if (h->vec[i].coeffs[j] != 0) {
- sig[k++] = (uint8_t) j;
- }
- }
-
- sig[OMEGA + i] = (uint8_t) k;
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM2AES_AVX2_unpack_sig
-*
-* Description: Unpack signature sig = (c, z, h).
-*
-* Arguments: - uint8_t *c: pointer to output PQCLEAN_DILITHIUM2AES_AVX2_challenge hash
-* - polyvecl *z: pointer to output vector z
-* - polyveck *h: pointer to output hint vector h
-* - const uint8_t sig[]: byte array containing
-* bit-packed signature
-*
-* Returns 1 in case of malformed signature; otherwise 0.
-**************************************************/
-int PQCLEAN_DILITHIUM2AES_AVX2_unpack_sig(uint8_t c[SEEDBYTES],
- polyvecl *z,
- polyveck *h,
- const uint8_t sig[PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_BYTES]) {
- unsigned int i, j, k;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- c[i] = sig[i];
- }
- sig += SEEDBYTES;
-
- for (i = 0; i < L; ++i) {
- PQCLEAN_DILITHIUM2AES_AVX2_polyz_unpack(&z->vec[i], sig + i * POLYZ_PACKEDBYTES);
- }
- sig += L * POLYZ_PACKEDBYTES;
-
- /* Decode h */
- k = 0;
- for (i = 0; i < K; ++i) {
- for (j = 0; j < N; ++j) {
- h->vec[i].coeffs[j] = 0;
- }
-
- if (sig[OMEGA + i] < k || sig[OMEGA + i] > OMEGA) {
- return 1;
- }
-
- for (j = k; j < sig[OMEGA + i]; ++j) {
- /* Coefficients are ordered for strong unforgeability */
- if (j > k && sig[j] <= sig[j - 1]) {
- return 1;
- }
- h->vec[i].coeffs[sig[j]] = 1;
- }
-
- k = sig[OMEGA + i];
- }
-
- /* Extra indices are zero for strong unforgeability */
- for (j = k; j < OMEGA; ++j) {
- if (sig[j]) {
- return 1;
- }
- }
-
- return 0;
-}
diff --git a/crypto_sign/dilithium2aes/avx2/packing.h b/crypto_sign/dilithium2aes/avx2/packing.h
deleted file mode 100644
index d5c0a4c3..00000000
--- a/crypto_sign/dilithium2aes/avx2/packing.h
+++ /dev/null
@@ -1,31 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM2AES_AVX2_PACKING_H
-#define PQCLEAN_DILITHIUM2AES_AVX2_PACKING_H
-#include "params.h"
-#include "polyvec.h"
-#include
-
-void PQCLEAN_DILITHIUM2AES_AVX2_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_PUBLICKEYBYTES], const uint8_t rho[SEEDBYTES], const polyveck *t1);
-
-void PQCLEAN_DILITHIUM2AES_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_SECRETKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const uint8_t tr[CRHBYTES],
- const uint8_t key[SEEDBYTES],
- const polyveck *t0,
- const polyvecl *s1,
- const polyveck *s2);
-
-void PQCLEAN_DILITHIUM2AES_AVX2_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_BYTES], const uint8_t c[SEEDBYTES], const polyvecl *z, const polyveck *h);
-
-void PQCLEAN_DILITHIUM2AES_AVX2_unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_PUBLICKEYBYTES]);
-
-void PQCLEAN_DILITHIUM2AES_AVX2_unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[CRHBYTES],
- uint8_t key[SEEDBYTES],
- polyveck *t0,
- polyvecl *s1,
- polyveck *s2,
- const uint8_t sk[PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_SECRETKEYBYTES]);
-
-int PQCLEAN_DILITHIUM2AES_AVX2_unpack_sig(uint8_t c[SEEDBYTES], polyvecl *z, polyveck *h, const uint8_t sig[PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_BYTES]);
-
-#endif
diff --git a/crypto_sign/dilithium2aes/avx2/params.h b/crypto_sign/dilithium2aes/avx2/params.h
deleted file mode 100644
index b6b4a6c2..00000000
--- a/crypto_sign/dilithium2aes/avx2/params.h
+++ /dev/null
@@ -1,41 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM2AES_AVX2_PARAMS_H
-#define PQCLEAN_DILITHIUM2AES_AVX2_PARAMS_H
-
-
-
-#define SEEDBYTES 32
-#define CRHBYTES 48
-#define N 256
-#define Q 8380417
-#define D 13
-#define ROOT_OF_UNITY 1753
-
-#define K 4
-#define L 4
-#define ETA 2
-#define TAU 39
-#define BETA 78
-#define GAMMA1 (1 << 17)
-#define GAMMA2 ((Q-1)/88)
-#define OMEGA 80
-#define PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_ALGNAME "Dilithium2-AES"
-
-
-#define POLYT1_PACKEDBYTES 320
-#define POLYT0_PACKEDBYTES 416
-#define POLYVECH_PACKEDBYTES (OMEGA + K)
-
-#define POLYZ_PACKEDBYTES 576
-
-#define POLYW1_PACKEDBYTES 192
-
-#define POLYETA_PACKEDBYTES 96
-
-#define PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_SECRETKEYBYTES (2*SEEDBYTES + CRHBYTES \
- + L*POLYETA_PACKEDBYTES \
- + K*POLYETA_PACKEDBYTES \
- + K*POLYT0_PACKEDBYTES)
-#define PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_BYTES (SEEDBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES)
-
-#endif
diff --git a/crypto_sign/dilithium2aes/avx2/pointwise.S b/crypto_sign/dilithium2aes/avx2/pointwise.S
deleted file mode 100644
index 2f1b8386..00000000
--- a/crypto_sign/dilithium2aes/avx2/pointwise.S
+++ /dev/null
@@ -1,199 +0,0 @@
-#include "params.h"
-#include "cdecl.h"
-
-.text
-.global cdecl(PQCLEAN_DILITHIUM2AES_AVX2_pointwise_avx)
-.global _cdecl(PQCLEAN_DILITHIUM2AES_AVX2_pointwise_avx)
-cdecl(PQCLEAN_DILITHIUM2AES_AVX2_pointwise_avx):
-_cdecl(PQCLEAN_DILITHIUM2AES_AVX2_pointwise_avx):
-#consts
-vmovdqa _8XQINV*4(%rcx),%ymm0
-vmovdqa _8XQ*4(%rcx),%ymm1
-
-xor %eax,%eax
-_looptop1:
-#load
-vmovdqa (%rsi),%ymm2
-vmovdqa 32(%rsi),%ymm4
-vmovdqa 64(%rsi),%ymm6
-vmovdqa (%rdx),%ymm10
-vmovdqa 32(%rdx),%ymm12
-vmovdqa 64(%rdx),%ymm14
-vpsrlq $32,%ymm2,%ymm3
-vpsrlq $32,%ymm4,%ymm5
-vmovshdup %ymm6,%ymm7
-vpsrlq $32,%ymm10,%ymm11
-vpsrlq $32,%ymm12,%ymm13
-vmovshdup %ymm14,%ymm15
-
-#mul
-vpmuldq %ymm2,%ymm10,%ymm2
-vpmuldq %ymm3,%ymm11,%ymm3
-vpmuldq %ymm4,%ymm12,%ymm4
-vpmuldq %ymm5,%ymm13,%ymm5
-vpmuldq %ymm6,%ymm14,%ymm6
-vpmuldq %ymm7,%ymm15,%ymm7
-
-#reduce
-vpmuldq %ymm0,%ymm2,%ymm10
-vpmuldq %ymm0,%ymm3,%ymm11
-vpmuldq %ymm0,%ymm4,%ymm12
-vpmuldq %ymm0,%ymm5,%ymm13
-vpmuldq %ymm0,%ymm6,%ymm14
-vpmuldq %ymm0,%ymm7,%ymm15
-vpmuldq %ymm1,%ymm10,%ymm10
-vpmuldq %ymm1,%ymm11,%ymm11
-vpmuldq %ymm1,%ymm12,%ymm12
-vpmuldq %ymm1,%ymm13,%ymm13
-vpmuldq %ymm1,%ymm14,%ymm14
-vpmuldq %ymm1,%ymm15,%ymm15
-vpsubq %ymm10,%ymm2,%ymm2
-vpsubq %ymm11,%ymm3,%ymm3
-vpsubq %ymm12,%ymm4,%ymm4
-vpsubq %ymm13,%ymm5,%ymm5
-vpsubq %ymm14,%ymm6,%ymm6
-vpsubq %ymm15,%ymm7,%ymm7
-vpsrlq $32,%ymm2,%ymm2
-vpsrlq $32,%ymm4,%ymm4
-vmovshdup %ymm6,%ymm6
-
-#store
-vpblendd $0xAA,%ymm3,%ymm2,%ymm2
-vpblendd $0xAA,%ymm5,%ymm4,%ymm4
-vpblendd $0xAA,%ymm7,%ymm6,%ymm6
-vmovdqa %ymm2,(%rdi)
-vmovdqa %ymm4,32(%rdi)
-vmovdqa %ymm6,64(%rdi)
-
-add $96,%rdi
-add $96,%rsi
-add $96,%rdx
-add $1,%eax
-cmp $10,%eax
-jb _looptop1
-
-vmovdqa (%rsi),%ymm2
-vmovdqa 32(%rsi),%ymm4
-vmovdqa (%rdx),%ymm10
-vmovdqa 32(%rdx),%ymm12
-vpsrlq $32,%ymm2,%ymm3
-vpsrlq $32,%ymm4,%ymm5
-vmovshdup %ymm10,%ymm11
-vmovshdup %ymm12,%ymm13
-
-#mul
-vpmuldq %ymm2,%ymm10,%ymm2
-vpmuldq %ymm3,%ymm11,%ymm3
-vpmuldq %ymm4,%ymm12,%ymm4
-vpmuldq %ymm5,%ymm13,%ymm5
-
-#reduce
-vpmuldq %ymm0,%ymm2,%ymm10
-vpmuldq %ymm0,%ymm3,%ymm11
-vpmuldq %ymm0,%ymm4,%ymm12
-vpmuldq %ymm0,%ymm5,%ymm13
-vpmuldq %ymm1,%ymm10,%ymm10
-vpmuldq %ymm1,%ymm11,%ymm11
-vpmuldq %ymm1,%ymm12,%ymm12
-vpmuldq %ymm1,%ymm13,%ymm13
-vpsubq %ymm10,%ymm2,%ymm2
-vpsubq %ymm11,%ymm3,%ymm3
-vpsubq %ymm12,%ymm4,%ymm4
-vpsubq %ymm13,%ymm5,%ymm5
-vpsrlq $32,%ymm2,%ymm2
-vmovshdup %ymm4,%ymm4
-
-#store
-vpblendd $0x55,%ymm2,%ymm3,%ymm2
-vpblendd $0x55,%ymm4,%ymm5,%ymm4
-vmovdqa %ymm2,(%rdi)
-vmovdqa %ymm4,32(%rdi)
-
-ret
-
-.macro pointwise off
-#load
-vmovdqa \off(%rsi),%ymm6
-vmovdqa \off+32(%rsi),%ymm8
-vmovdqa \off(%rdx),%ymm10
-vmovdqa \off+32(%rdx),%ymm12
-vpsrlq $32,%ymm6,%ymm7
-vpsrlq $32,%ymm8,%ymm9
-vmovshdup %ymm10,%ymm11
-vmovshdup %ymm12,%ymm13
-
-#mul
-vpmuldq %ymm6,%ymm10,%ymm6
-vpmuldq %ymm7,%ymm11,%ymm7
-vpmuldq %ymm8,%ymm12,%ymm8
-vpmuldq %ymm9,%ymm13,%ymm9
-.endm
-
-.macro acc
-vpaddq %ymm6,%ymm2,%ymm2
-vpaddq %ymm7,%ymm3,%ymm3
-vpaddq %ymm8,%ymm4,%ymm4
-vpaddq %ymm9,%ymm5,%ymm5
-.endm
-
-.global cdecl(PQCLEAN_DILITHIUM2AES_AVX2_pointwise_acc_avx)
-.global _cdecl(PQCLEAN_DILITHIUM2AES_AVX2_pointwise_acc_avx)
-cdecl(PQCLEAN_DILITHIUM2AES_AVX2_pointwise_acc_avx):
-_cdecl(PQCLEAN_DILITHIUM2AES_AVX2_pointwise_acc_avx):
-#consts
-vmovdqa _8XQINV*4(%rcx),%ymm0
-vmovdqa _8XQ*4(%rcx),%ymm1
-
-xor %eax,%eax
-_looptop2:
-pointwise 0
-
-#mov
-vmovdqa %ymm6,%ymm2
-vmovdqa %ymm7,%ymm3
-vmovdqa %ymm8,%ymm4
-vmovdqa %ymm9,%ymm5
-
-pointwise 1024
-acc
-
-pointwise 2048
-acc
-
-pointwise 3072
-acc
-
-
-
-
-#reduce
-vpmuldq %ymm0,%ymm2,%ymm6
-vpmuldq %ymm0,%ymm3,%ymm7
-vpmuldq %ymm0,%ymm4,%ymm8
-vpmuldq %ymm0,%ymm5,%ymm9
-vpmuldq %ymm1,%ymm6,%ymm6
-vpmuldq %ymm1,%ymm7,%ymm7
-vpmuldq %ymm1,%ymm8,%ymm8
-vpmuldq %ymm1,%ymm9,%ymm9
-vpsubq %ymm6,%ymm2,%ymm2
-vpsubq %ymm7,%ymm3,%ymm3
-vpsubq %ymm8,%ymm4,%ymm4
-vpsubq %ymm9,%ymm5,%ymm5
-vpsrlq $32,%ymm2,%ymm2
-vmovshdup %ymm4,%ymm4
-
-#store
-vpblendd $0xAA,%ymm3,%ymm2,%ymm2
-vpblendd $0xAA,%ymm5,%ymm4,%ymm4
-
-vmovdqa %ymm2,(%rdi)
-vmovdqa %ymm4,32(%rdi)
-
-add $64,%rsi
-add $64,%rdx
-add $64,%rdi
-add $1,%eax
-cmp $16,%eax
-jb _looptop2
-
-ret
diff --git a/crypto_sign/dilithium2aes/avx2/poly.c b/crypto_sign/dilithium2aes/avx2/poly.c
deleted file mode 100644
index 896252de..00000000
--- a/crypto_sign/dilithium2aes/avx2/poly.c
+++ /dev/null
@@ -1,891 +0,0 @@ -#include "align.h" -#include "consts.h" -#include "ntt.h" -#include "params.h" -#include "poly.h" -#include "rejsample.h" -#include "rounding.h" -#include "symmetric.h" -#include -#include -#include - -#define DBENCH_START() -#define DBENCH_STOP(t) - -#define _mm256_blendv_epi32(a,b,mask) \ - _mm256_castps_si256(_mm256_blendv_ps(_mm256_castsi256_ps(a), \ - _mm256_castsi256_ps(b), \ - _mm256_castsi256_ps(mask))) - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_poly_reduce -* -* Description: Inplace reduction of all coefficients of polynomial to -* representative in [-6283009,6283007]. Assumes input -* coefficients to be at most 2^31 - 2^22 - 1 in absolute value. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_poly_reduce(poly *a) { - unsigned int i; - __m256i f, g; - const __m256i q = _mm256_load_si256(&PQCLEAN_DILITHIUM2AES_AVX2_qdata.vec[_8XQ / 8]); - const __m256i off = _mm256_set1_epi32(1 << 22); - DBENCH_START(); - - for (i = 0; i < N / 8; i++) { - f = _mm256_load_si256(&a->vec[i]); - g = _mm256_add_epi32(f, off); - g = _mm256_srai_epi32(g, 23); - g = _mm256_mullo_epi32(g, q); - f = _mm256_sub_epi32(f, g); - _mm256_store_si256(&a->vec[i], f); - } - - DBENCH_STOP(*tred); -} - -/************************************************* -* Name: poly_addq -* -* Description: For all coefficients of in/out polynomial add Q if -* coefficient is negative. 
-* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_poly_caddq(poly *a) { - unsigned int i; - __m256i f, g; - const __m256i q = _mm256_load_si256(&PQCLEAN_DILITHIUM2AES_AVX2_qdata.vec[_8XQ / 8]); - const __m256i zero = _mm256_setzero_si256(); - DBENCH_START(); - - for (i = 0; i < N / 8; i++) { - f = _mm256_load_si256(&a->vec[i]); - g = _mm256_blendv_epi32(zero, q, f); - f = _mm256_add_epi32(f, g); - _mm256_store_si256(&a->vec[i], f); - } - - DBENCH_STOP(*tred); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_poly_freeze -* -* Description: Inplace reduction of all coefficients of polynomial to -* positive standard representatives. Assumes input -* coefficients to be at most 2^31 - 2^22 + 1 in -* absolute value. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_poly_freeze(poly *a) { - DBENCH_START(); - - PQCLEAN_DILITHIUM2AES_AVX2_poly_reduce(a); - PQCLEAN_DILITHIUM2AES_AVX2_poly_caddq(a); - - DBENCH_STOP(*tred); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_poly_add -* -* Description: Add polynomials. No modular reduction is performed. 
-* -* Arguments: - poly *c: pointer to output polynomial -* - const poly *a: pointer to first summand -* - const poly *b: pointer to second summand -**************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_poly_add(poly *c, const poly *a, const poly *b) { - unsigned int i; - __m256i f, g; - DBENCH_START(); - - for (i = 0; i < N / 8; i++) { - f = _mm256_load_si256(&a->vec[i]); - g = _mm256_load_si256(&b->vec[i]); - f = _mm256_add_epi32(f, g); - _mm256_store_si256(&c->vec[i], f); - } - - DBENCH_STOP(*tadd); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_poly_sub -* -* Description: Subtract polynomials. No modular reduction is -* performed. -* -* Arguments: - poly *c: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial to be -* subtraced from first input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_poly_sub(poly *c, const poly *a, const poly *b) { - unsigned int i; - __m256i f, g; - DBENCH_START(); - - for (i = 0; i < N / 8; i++) { - f = _mm256_load_si256(&a->vec[i]); - g = _mm256_load_si256(&b->vec[i]); - f = _mm256_sub_epi32(f, g); - _mm256_store_si256(&c->vec[i], f); - } - - DBENCH_STOP(*tadd); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_poly_shiftl -* -* Description: Multiply polynomial by 2^D without modular reduction. Assumes -* input coefficients to be less than 2^{31-D} in absolute value. 
-* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_poly_shiftl(poly *a) { - unsigned int i; - __m256i f; - DBENCH_START(); - - for (i = 0; i < N / 8; i++) { - f = _mm256_load_si256(&a->vec[i]); - f = _mm256_slli_epi32(f, D); - _mm256_store_si256(&a->vec[i], f); - } - - DBENCH_STOP(*tmul); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_poly_ntt -* -* Description: Inplace forward NTT. Coefficients can grow by up to -* 8*Q in absolute value. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_poly_ntt(poly *a) { - DBENCH_START(); - - PQCLEAN_DILITHIUM2AES_AVX2_ntt_avx(a->vec, PQCLEAN_DILITHIUM2AES_AVX2_qdata.vec); - - DBENCH_STOP(*tmul); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_poly_invntt_tomont -* -* Description: Inplace inverse NTT and multiplication by 2^{32}. -* Input coefficients need to be less than Q in absolute -* value and output coefficients are again bounded by Q. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_poly_invntt_tomont(poly *a) { - DBENCH_START(); - - PQCLEAN_DILITHIUM2AES_AVX2_invntt_avx(a->vec, PQCLEAN_DILITHIUM2AES_AVX2_qdata.vec); - - DBENCH_STOP(*tmul); -} - -void PQCLEAN_DILITHIUM2AES_AVX2_poly_nttunpack(poly *a) { - DBENCH_START(); - - PQCLEAN_DILITHIUM2AES_AVX2_nttunpack_avx(a->vec); - - DBENCH_STOP(*tmul); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_poly_pointwise_montgomery -* -* Description: Pointwise multiplication of polynomials in NTT domain -* representation and multiplication of resulting polynomial -* by 2^{-32}. 
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial
-**************************************************/
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_pointwise_montgomery(poly *c, const poly *a, const poly *b) {
- DBENCH_START();
-
- PQCLEAN_DILITHIUM2AES_AVX2_pointwise_avx(c->vec, a->vec, b->vec, PQCLEAN_DILITHIUM2AES_AVX2_qdata.vec);
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM2AES_AVX2_poly_power2round
-*
-* Description: For all coefficients c of the input polynomial,
-* compute c0, c1 such that c mod^+ Q = c1*2^D + c0
-* with -2^{D-1} < c0 <= 2^{D-1}. Assumes coefficients to be
-* positive standard representatives.
-*
-* Arguments: - poly *a1: pointer to output polynomial with coefficients c1
-* - poly *a0: pointer to output polynomial with coefficients c0
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_power2round(poly *a1, poly *a0, const poly *a) {
- DBENCH_START();
-
- PQCLEAN_DILITHIUM2AES_AVX2_power2round_avx(a1->vec, a0->vec, a->vec);
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM2AES_AVX2_poly_decompose
-*
-* Description: For all coefficients c of the input polynomial,
-* compute high and low bits c0, c1 such c mod^+ Q = c1*ALPHA + c0
-* with -ALPHA/2 < c0 <= ALPHA/2 except if c1 = (Q-1)/ALPHA where we
-* set c1 = 0 and -ALPHA/2 <= c0 = c mod Q - Q < 0.
-* Assumes coefficients to be positive standard representatives.
-*
-* Arguments: - poly *a1: pointer to output polynomial with coefficients c1
-* - poly *a0: pointer to output polynomial with coefficients c0
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_decompose(poly *a1, poly *a0, const poly *a) {
- DBENCH_START();
-
- PQCLEAN_DILITHIUM2AES_AVX2_decompose_avx(a1->vec, a0->vec, a->vec);
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM2AES_AVX2_poly_make_hint
-*
-* Description: Compute hint array. The coefficients of which are the
-* indices of the coefficients of the input polynomial
-* whose low bits overflow into the high bits.
-*
-* Arguments: - uint8_t *h: pointer to output hint array (preallocated of length N)
-* - const poly *a0: pointer to low part of input polynomial
-* - const poly *a1: pointer to high part of input polynomial
-*
-* Returns number of hints, i.e. length of hint array.
-**************************************************/
-unsigned int PQCLEAN_DILITHIUM2AES_AVX2_poly_make_hint(uint8_t hint[N], const poly *a0, const poly *a1) {
- unsigned int r;
- DBENCH_START();
-
- r = PQCLEAN_DILITHIUM2AES_AVX2_make_hint_avx(hint, a0->vec, a1->vec);
-
- DBENCH_STOP(*tround);
- return r;
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM2AES_AVX2_poly_use_hint
-*
-* Description: Use hint polynomial to correct the high bits of a polynomial.
-*
-* Arguments: - poly *b: pointer to output polynomial with corrected high bits
-* - const poly *a: pointer to input polynomial
-* - const poly *h: pointer to input hint polynomial
-**************************************************/
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_use_hint(poly *b, const poly *a, const poly *h) {
- DBENCH_START();
-
- PQCLEAN_DILITHIUM2AES_AVX2_use_hint_avx(b->vec, a->vec, h->vec);
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM2AES_AVX2_poly_chknorm
-*
-* Description: Check infinity norm of polynomial against given bound.
-* Assumes input polynomial to be reduced by PQCLEAN_DILITHIUM2AES_AVX2_poly_reduce().
-*
-* Arguments: - const poly *a: pointer to polynomial
-* - int32_t B: norm bound
-*
-* Returns 0 if norm is strictly smaller than B <= (Q-1)/8 and 1 otherwise.
-**************************************************/
-int PQCLEAN_DILITHIUM2AES_AVX2_poly_chknorm(const poly *a, int32_t B) {
- unsigned int i;
- int r;
- __m256i f, t;
- const __m256i bound = _mm256_set1_epi32(B - 1);
- DBENCH_START();
-
- if (B > (Q - 1) / 8) {
- return 1;
- }
-
- t = _mm256_setzero_si256();
- for (i = 0; i < N / 8; i++) {
- f = _mm256_load_si256(&a->vec[i]);
- f = _mm256_abs_epi32(f);
- f = _mm256_cmpgt_epi32(f, bound);
- t = _mm256_or_si256(t, f);
- }
-
- r = 1 - _mm256_testz_si256(t, t);
- DBENCH_STOP(*tsample);
- return r;
-}
-
-/*************************************************
-* Name: rej_uniform
-*
-* Description: Sample uniformly random coefficients in [0, Q-1] by
-* performing rejection sampling on array of random bytes.
-*
-* Arguments: - int32_t *a: pointer to output array (allocated)
-* - unsigned int len: number of coefficients to be sampled
-* - const uint8_t *buf: array of random bytes
-* - unsigned int buflen: length of array of random bytes
-*
-* Returns number of sampled coefficients. Can be smaller than len if not enough
-* random bytes were given.
-**************************************************/
-static unsigned int rej_uniform(int32_t *a,
- unsigned int len,
- const uint8_t *buf,
- unsigned int buflen) {
- unsigned int ctr, pos;
- uint32_t t;
- DBENCH_START();
-
- ctr = pos = 0;
- while (ctr < len && pos + 3 <= buflen) {
- t = buf[pos++];
- t |= (uint32_t)buf[pos++] << 8;
- t |= (uint32_t)buf[pos++] << 16;
- t &= 0x7FFFFF;
-
- if (t < Q) {
- a[ctr++] = t;
- }
- }
-
- DBENCH_STOP(*tsample);
- return ctr;
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [0,Q-1] by performing rejection sampling on the
-* output stream of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length SEEDBYTES
-* - uint16_t nonce: 2-byte nonce
-**************************************************/
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_preinit(poly *a, stream128_state *state) {
- unsigned int ctr;
- /* PQCLEAN_DILITHIUM2AES_AVX2_rej_uniform_avx reads up to 8 additional bytes */
- ALIGNED_UINT8(REJ_UNIFORM_BUFLEN + 8) buf;
-
- stream128_squeezeblocks(buf.coeffs, REJ_UNIFORM_NBLOCKS, state);
- ctr = PQCLEAN_DILITHIUM2AES_AVX2_rej_uniform_avx(a->coeffs, buf.coeffs);
-
- while (ctr < N) {
- /* length of buf is always divisible by 3; hence, no bytes left */
- stream128_squeezeblocks(buf.coeffs, 1, state);
- ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM128_BLOCKBYTES);
- }
-}
-
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
- stream128_state state;
- stream128_init(&state, seed, nonce);
- PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_preinit(a, &state);
- stream128_release(&state);
-}
-
-
-/*************************************************
-* Name: rej_eta
-*
-* Description: Sample uniformly random coefficients in [-ETA, ETA] by
-* performing rejection sampling on array of random bytes.
-*
-* Arguments: - int32_t *a: pointer to output array (allocated)
-* - unsigned int len: number of coefficients to be sampled
-* - const uint8_t *buf: array of random bytes
-* - unsigned int buflen: length of array of random bytes
-*
-* Returns number of sampled coefficients. Can be smaller than len if not enough
-* random bytes were given.
-**************************************************/
-static unsigned int rej_eta(int32_t *a,
- unsigned int len,
- const uint8_t *buf,
- unsigned int buflen) {
- unsigned int ctr, pos;
- uint32_t t0, t1;
- DBENCH_START();
-
- ctr = pos = 0;
- while (ctr < len && pos < buflen) {
- t0 = buf[pos] & 0x0F;
- t1 = buf[pos++] >> 4;
-
- if (t0 < 15) {
- t0 = t0 - (205 * t0 >> 10) * 5;
- a[ctr++] = 2 - t0;
- }
- if (t1 < 15 && ctr < len) {
- t1 = t1 - (205 * t1 >> 10) * 5;
- a[ctr++] = 2 - t1;
- }
- }
-
- DBENCH_STOP(*tsample);
- return ctr;
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_eta
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [-ETA,ETA] by performing rejection sampling using the
-* output stream of SHAKE256(seed|nonce)
-* or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length SEEDBYTES
-* - uint16_t nonce: 2-byte nonce
-**************************************************/
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_eta_preinit(poly *a, stream128_state *state) {
- unsigned int ctr;
- ALIGNED_UINT8(REJ_UNIFORM_BUFLEN * STREAM128_BLOCKBYTES) buf;
-
- stream128_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state);
- ctr = PQCLEAN_DILITHIUM2AES_AVX2_rej_eta_avx(a->coeffs, buf.coeffs);
-
- while (ctr < N) {
- stream128_squeezeblocks(buf.coeffs, 1, state);
- ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM128_BLOCKBYTES);
- }
-}
-
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
- stream128_state state;
- stream128_init(&state, seed, nonce);
- PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_eta_preinit(a, &state);
- stream128_release(&state);
-}
-
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_gamma1
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [-(GAMMA1 - 1), GAMMA1] by unpacking output stream
-* of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length CRHBYTES
-* - uint16_t nonce: 16-bit nonce
-**************************************************/
-#define POLY_UNIFORM_GAMMA1_NBLOCKS ((POLYZ_PACKEDBYTES+STREAM256_BLOCKBYTES-1)/STREAM256_BLOCKBYTES)
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_gamma1_preinit(poly *a, stream256_state *state) {
- /* PQCLEAN_DILITHIUM2AES_AVX2_polyz_unpack reads 14 additional bytes */
- ALIGNED_UINT8(POLY_UNIFORM_GAMMA1_NBLOCKS * STREAM256_BLOCKBYTES + 14) buf;
- stream256_squeezeblocks(buf.coeffs, POLY_UNIFORM_GAMMA1_NBLOCKS, state);
- PQCLEAN_DILITHIUM2AES_AVX2_polyz_unpack(a, buf.coeffs);
-}
-
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- stream256_state state;
- stream256_init(&state, seed, nonce);
- PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_gamma1_preinit(a, &state);
- stream256_release(&state);
-}
-
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM2AES_AVX2_challenge
-*
-* Description: Implementation of H. Samples polynomial with TAU nonzero
-* coefficients in {-1,1} using the output stream of
-* SHAKE256(seed).
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const uint8_t mu[]: byte array containing seed of length SEEDBYTES
-**************************************************/
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_challenge(poly *restrict c, const uint8_t seed[SEEDBYTES]) {
- unsigned int i, b, pos;
- uint64_t signs;
- ALIGNED_UINT8(SHAKE256_RATE) buf;
- shake256incctx state;
-
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, seed, SEEDBYTES);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(buf.coeffs, SHAKE256_RATE, &state);
-
- memcpy(&signs, buf.coeffs, 8);
- pos = 8;
-
- memset(c->vec, 0, sizeof(poly));
- for (i = N - TAU; i < N; ++i) {
- do {
- if (pos >= SHAKE256_RATE) {
- shake256_inc_squeeze(buf.coeffs, SHAKE256_RATE, &state);
- pos = 0;
- }
-
- b = buf.coeffs[pos++];
- } while (b > i);
-
- c->coeffs[i] = c->coeffs[b];
- c->coeffs[b] = 1 - 2 * (signs & 1);
- signs >>= 1;
- }
- shake256_inc_ctx_release(&state);
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM2AES_AVX2_polyeta_pack
-*
-* Description: Bit-pack polynomial with coefficients in [-ETA,ETA].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYETA_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void PQCLEAN_DILITHIUM2AES_AVX2_polyeta_pack(uint8_t r[POLYETA_PACKEDBYTES], const poly *restrict a) {
- unsigned int i;
- uint8_t t[8];
- DBENCH_START();
-
- for (i = 0; i < N / 8; ++i) {
- t[0] = ETA - a->coeffs[8 * i + 0];
- t[1] = ETA - a->coeffs[8 * i + 1];
- t[2] = ETA - a->coeffs[8 * i + 2];
- t[3] = ETA - a->coeffs[8 * i + 3];
- t[4] = ETA - a->coeffs[8 * i + 4];
- t[5] = ETA - a->coeffs[8 * i + 5];
- t[6] = ETA - a->coeffs[8 * i + 6];
- t[7] = ETA - a->coeffs[8 * i + 7];
-
- r[3 * i + 0] = (t[0] >> 0) | (t[1] << 3) | (t[2] << 6);
- r[3 * i + 1] = (t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7);
- r[3 * i + 2] = (t[5] >> 1) | (t[6] << 2) | (t[7] << 5);
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM2AES_AVX2_polyeta_unpack
-*
-* Description: Unpack polynomial with coefficients in [-ETA,ETA].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void PQCLEAN_DILITHIUM2AES_AVX2_polyeta_unpack(poly *restrict r, const uint8_t a[POLYETA_PACKEDBYTES]) {
- unsigned int i;
- DBENCH_START();
-
- for (i = 0; i < N / 8; ++i) {
- r->coeffs[8 * i + 0] = (a[3 * i + 0] >> 0) & 7;
- r->coeffs[8 * i + 1] = (a[3 * i + 0] >> 3) & 7;
- r->coeffs[8 * i + 2] = ((a[3 * i + 0] >> 6) | (a[3 * i + 1] << 2)) & 7;
- r->coeffs[8 * i + 3] = (a[3 * i + 1] >> 1) & 7;
- r->coeffs[8 * i + 4] = (a[3 * i + 1] >> 4) & 7;
- r->coeffs[8 * i + 5] = ((a[3 * i + 1] >> 7) | (a[3 * i + 2] << 1)) & 7;
- r->coeffs[8 * i + 6] = (a[3 * i + 2] >> 2) & 7;
- r->coeffs[8 * i + 7] = (a[3 * i + 2] >> 5) & 7;
-
- r->coeffs[8 * i + 0] = ETA - r->coeffs[8 * i + 0];
- r->coeffs[8 * i + 1] = ETA - r->coeffs[8 * i + 1];
- r->coeffs[8 * i + 2] = ETA - r->coeffs[8 * i + 2];
- r->coeffs[8 * i + 3] = ETA - r->coeffs[8 * i + 3];
- r->coeffs[8 * i + 4] = ETA - r->coeffs[8 * i + 4];
- r->coeffs[8 * i + 5] = ETA - r->coeffs[8 * i + 5];
- r->coeffs[8 * i + 6] = ETA - r->coeffs[8 * i + 6];
- r->coeffs[8 * i + 7] = ETA - r->coeffs[8 * i + 7];
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM2AES_AVX2_polyt1_pack
-*
-* Description: Bit-pack polynomial t1 with coefficients fitting in 10 bits.
-* Input coefficients are assumed to be positive standard representatives.
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYT1_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void PQCLEAN_DILITHIUM2AES_AVX2_polyt1_pack(uint8_t r[POLYT1_PACKEDBYTES], const poly *restrict a) {
- unsigned int i;
- DBENCH_START();
-
- for (i = 0; i < N / 4; ++i) {
- r[5 * i + 0] = (a->coeffs[4 * i + 0] >> 0);
- r[5 * i + 1] = (a->coeffs[4 * i + 0] >> 8) | (a->coeffs[4 * i + 1] << 2);
- r[5 * i + 2] = (a->coeffs[4 * i + 1] >> 6) | (a->coeffs[4 * i + 2] << 4);
- r[5 * i + 3] = (a->coeffs[4 * i + 2] >> 4) | (a->coeffs[4 * i + 3] << 6);
- r[5 * i + 4] = (a->coeffs[4 * i + 3] >> 2);
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM2AES_AVX2_polyt1_unpack
-*
-* Description: Unpack polynomial t1 with 10-bit coefficients.
-* Output coefficients are positive standard representatives.
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void PQCLEAN_DILITHIUM2AES_AVX2_polyt1_unpack(poly *restrict r, const uint8_t a[POLYT1_PACKEDBYTES]) {
- unsigned int i;
- DBENCH_START();
-
- for (i = 0; i < N / 4; ++i) {
- r->coeffs[4 * i + 0] = ((a[5 * i + 0] >> 0) | ((uint32_t)a[5 * i + 1] << 8)) & 0x3FF;
- r->coeffs[4 * i + 1] = ((a[5 * i + 1] >> 2) | ((uint32_t)a[5 * i + 2] << 6)) & 0x3FF;
- r->coeffs[4 * i + 2] = ((a[5 * i + 2] >> 4) | ((uint32_t)a[5 * i + 3] << 4)) & 0x3FF;
- r->coeffs[4 * i + 3] = ((a[5 * i + 3] >> 6) | ((uint32_t)a[5 * i + 4] << 2)) & 0x3FF;
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM2AES_AVX2_polyt0_pack
-*
-* Description: Bit-pack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYT0_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void PQCLEAN_DILITHIUM2AES_AVX2_polyt0_pack(uint8_t r[POLYT0_PACKEDBYTES], const poly *restrict a) {
- unsigned int i;
- uint32_t t[8];
- DBENCH_START();
-
- for (i = 0; i < N / 8; ++i) {
- t[0] = (1 << (D - 1)) - a->coeffs[8 * i + 0];
- t[1] = (1 << (D - 1)) - a->coeffs[8 * i + 1];
- t[2] = (1 << (D - 1)) - a->coeffs[8 * i + 2];
- t[3] = (1 << (D - 1)) - a->coeffs[8 * i + 3];
- t[4] = (1 << (D - 1)) - a->coeffs[8 * i + 4];
- t[5] = (1 << (D - 1)) - a->coeffs[8 * i + 5];
- t[6] = (1 << (D - 1)) - a->coeffs[8 * i + 6];
- t[7] = (1 << (D - 1)) - a->coeffs[8 * i + 7];
-
- r[13 * i + 0] = t[0];
- r[13 * i + 1] = t[0] >> 8;
- r[13 * i + 1] |= t[1] << 5;
- r[13 * i + 2] = t[1] >> 3;
- r[13 * i + 3] = t[1] >> 11;
- r[13 * i + 3] |= t[2] << 2;
- r[13 * i + 4] = t[2] >> 6;
- r[13 * i + 4] |= t[3] << 7;
- r[13 * i + 5] = t[3] >> 1;
- r[13 * i + 6] = t[3] >> 9;
- r[13 * i + 6] |= t[4] << 4;
- r[13 * i + 7] = t[4] >> 4;
- r[13 * i + 8] = t[4] >> 12;
- r[13 * i + 8] |= t[5] << 1;
- r[13 * i + 9] = t[5] >> 7;
- r[13 * i + 9] |= t[6] << 6;
- r[13 * i + 10] = t[6] >> 2;
- r[13 * i + 11] = t[6] >> 10;
- r[13 * i + 11] |= t[7] << 3;
- r[13 * i + 12] = t[7] >> 5;
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM2AES_AVX2_polyt0_unpack
-*
-* Description: Unpack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void PQCLEAN_DILITHIUM2AES_AVX2_polyt0_unpack(poly *restrict r, const uint8_t a[POLYT0_PACKEDBYTES]) {
- unsigned int i;
- DBENCH_START();
-
- for (i = 0; i < N / 8; ++i) {
- r->coeffs[8 * i + 0] = a[13 * i + 0];
- r->coeffs[8 * i + 0] |= (uint32_t)a[13 * i + 1] << 8;
- r->coeffs[8 * i + 0] &= 0x1FFF;
-
- r->coeffs[8 * i + 1] = a[13 * i + 1] >> 5;
- r->coeffs[8 * i + 1] |= (uint32_t)a[13 * i + 2] << 3;
- r->coeffs[8 * i + 1] |= (uint32_t)a[13 * i + 3] << 11;
- r->coeffs[8 * i + 1] &= 0x1FFF;
-
- r->coeffs[8 * i + 2] = a[13 * i + 3] >> 2;
- r->coeffs[8 * i + 2] |= (uint32_t)a[13 * i + 4] << 6;
- r->coeffs[8 * i + 2] &= 0x1FFF;
-
- r->coeffs[8 * i + 3] = a[13 * i + 4] >> 7;
- r->coeffs[8 * i + 3] |= (uint32_t)a[13 * i + 5] << 1;
- r->coeffs[8 * i + 3] |= (uint32_t)a[13 * i + 6] << 9;
- r->coeffs[8 * i + 3] &= 0x1FFF;
-
- r->coeffs[8 * i + 4] = a[13 * i + 6] >> 4;
- r->coeffs[8 * i + 4] |= (uint32_t)a[13 * i + 7] << 4;
- r->coeffs[8 * i + 4] |= (uint32_t)a[13 * i + 8] << 12;
- r->coeffs[8 * i + 4] &= 0x1FFF;
-
- r->coeffs[8 * i + 5] = a[13 * i + 8] >> 1;
- r->coeffs[8 * i + 5] |= (uint32_t)a[13 * i + 9] << 7;
- r->coeffs[8 * i + 5] &= 0x1FFF;
-
- r->coeffs[8 * i + 6] = a[13 * i + 9] >> 6;
- r->coeffs[8 * i + 6] |= (uint32_t)a[13 * i + 10] << 2;
- r->coeffs[8 * i + 6] |= (uint32_t)a[13 * i + 11] << 10;
- r->coeffs[8 * i + 6] &= 0x1FFF;
-
- r->coeffs[8 * i + 7] = a[13 * i + 11] >> 3;
- r->coeffs[8 * i + 7] |= (uint32_t)a[13 * i + 12] << 5;
- r->coeffs[8 * i + 7] &= 0x1FFF;
-
- r->coeffs[8 * i + 0] = (1 << (D - 1)) - r->coeffs[8 * i + 0];
- r->coeffs[8 * i + 1] = (1 << (D - 1)) - r->coeffs[8 * i + 1];
- r->coeffs[8 * i + 2] = (1 << (D - 1)) - r->coeffs[8 * i + 2];
- r->coeffs[8 * i + 3] = (1 << (D - 1)) - r->coeffs[8 * i + 3];
- r->coeffs[8 * i + 4] = (1 << (D - 1)) - r->coeffs[8 * i + 4];
- r->coeffs[8 * i + 5] = (1 << (D - 1)) - r->coeffs[8 * i + 5];
- r->coeffs[8 * i + 6] = (1 << (D - 1)) - r->coeffs[8 * i + 6];
- r->coeffs[8 * i + 7] = (1 << (D - 1)) - r->coeffs[8 * i + 7];
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM2AES_AVX2_polyz_pack
-*
-* Description: Bit-pack polynomial with coefficients
-* in [-(GAMMA1 - 1), GAMMA1].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYZ_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void PQCLEAN_DILITHIUM2AES_AVX2_polyz_pack(uint8_t r[POLYZ_PACKEDBYTES], const poly *restrict a) {
- unsigned int i;
- uint32_t t[4];
- DBENCH_START();
-
- for (i = 0; i < N / 4; ++i) {
- t[0] = GAMMA1 - a->coeffs[4 * i + 0];
- t[1] = GAMMA1 - a->coeffs[4 * i + 1];
- t[2] = GAMMA1 - a->coeffs[4 * i + 2];
- t[3] = GAMMA1 - a->coeffs[4 * i + 3];
-
- r[9 * i + 0] = t[0];
- r[9 * i + 1] = t[0] >> 8;
- r[9 * i + 2] = t[0] >> 16;
- r[9 * i + 2] |= t[1] << 2;
- r[9 * i + 3] = t[1] >> 6;
- r[9 * i + 4] = t[1] >> 14;
- r[9 * i + 4] |= t[2] << 4;
- r[9 * i + 5] = t[2] >> 4;
- r[9 * i + 6] = t[2] >> 12;
- r[9 * i + 6] |= t[3] << 6;
- r[9 * i + 7] = t[3] >> 2;
- r[9 * i + 8] = t[3] >> 10;
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM2AES_AVX2_polyz_unpack
-*
-* Description: Unpack polynomial z with coefficients
-* in [-(GAMMA1 - 1), GAMMA1].
-* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: byte array with bit-packed polynomial -**************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_polyz_unpack(poly *restrict r, const uint8_t a[POLYZ_PACKEDBYTES + 14]) { - unsigned int i; - __m256i f; - const __m256i shufbidx = _mm256_set_epi8(-1, 9, 8, 7, -1, 7, 6, 5, -1, 5, 4, 3, -1, 3, 2, 1, - -1, 8, 7, 6, -1, 6, 5, 4, -1, 4, 3, 2, -1, 2, 1, 0); - const __m256i srlvdidx = _mm256_set_epi32(6, 4, 2, 0, 6, 4, 2, 0); - const __m256i mask = _mm256_set1_epi32(0x3FFFF); - const __m256i gamma1 = _mm256_set1_epi32(GAMMA1); - DBENCH_START(); - - for (i = 0; i < N / 8; i++) { - f = _mm256_loadu_si256((__m256i *)&a[18 * i]); - f = _mm256_permute4x64_epi64(f, 0x94); - f = _mm256_shuffle_epi8(f, shufbidx); - f = _mm256_srlv_epi32(f, srlvdidx); - f = _mm256_and_si256(f, mask); - f = _mm256_sub_epi32(gamma1, f); - _mm256_store_si256(&r->vec[i], f); - } - - DBENCH_STOP(*tpack); -} - - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_polyw1_pack -* -* Description: Bit-pack polynomial w1 with coefficients in [0,15] or [0,43]. -* Input coefficients are assumed to be positive standard representatives. 
-* -* Arguments: - uint8_t *r: pointer to output byte array with at least -* POLYW1_PACKEDBYTES bytes -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_polyw1_pack(uint8_t r[POLYW1_PACKEDBYTES + 8], const poly *restrict a) { - unsigned int i; - __m256i f0, f1, f2, f3; - const __m256i shift1 = _mm256_set1_epi16((64 << 8) + 1); - const __m256i shift2 = _mm256_set1_epi32((4096 << 16) + 1); - const __m256i shufdidx1 = _mm256_set_epi32(7, 3, 6, 2, 5, 1, 4, 0); - const __m256i shufdidx2 = _mm256_set_epi32(-1, -1, 6, 5, 4, 2, 1, 0); - const __m256i shufbidx = _mm256_set_epi8(-1, -1, -1, -1, 14, 13, 12, 10, 9, 8, 6, 5, 4, 2, 1, 0, - -1, -1, -1, -1, 14, 13, 12, 10, 9, 8, 6, 5, 4, 2, 1, 0); - DBENCH_START(); - - for (i = 0; i < N / 32; i++) { - f0 = _mm256_load_si256(&a->vec[4 * i + 0]); - f1 = _mm256_load_si256(&a->vec[4 * i + 1]); - f2 = _mm256_load_si256(&a->vec[4 * i + 2]); - f3 = _mm256_load_si256(&a->vec[4 * i + 3]); - f0 = _mm256_packus_epi32(f0, f1); - f1 = _mm256_packus_epi32(f2, f3); - f0 = _mm256_packus_epi16(f0, f1); - f0 = _mm256_maddubs_epi16(f0, shift1); - f0 = _mm256_madd_epi16(f0, shift2); - f0 = _mm256_permutevar8x32_epi32(f0, shufdidx1); - f0 = _mm256_shuffle_epi8(f0, shufbidx); - f0 = _mm256_permutevar8x32_epi32(f0, shufdidx2); - _mm256_storeu_si256((__m256i *)&r[24 * i], f0); - } - - DBENCH_STOP(*tpack); -} diff --git a/crypto_sign/dilithium2aes/avx2/poly.h b/crypto_sign/dilithium2aes/avx2/poly.h deleted file mode 100644 index 7f066099..00000000 --- a/crypto_sign/dilithium2aes/avx2/poly.h +++ /dev/null 
@@ -1,52 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM2AES_AVX2_POLY_H
-#define PQCLEAN_DILITHIUM2AES_AVX2_POLY_H
-#include "align.h"
-#include "params.h"
-#include "symmetric.h"
-#include 
-
-typedef ALIGNED_INT32(N) poly;
-
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_reduce(poly *a);
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_caddq(poly *a);
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_freeze(poly *a);
-
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_add(poly *c, const poly *a, const poly *b);
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_sub(poly *c, const poly *a, const poly *b);
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_shiftl(poly *a);
-
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_ntt(poly *a);
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_invntt_tomont(poly *a);
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_nttunpack(poly *a);
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_pointwise_montgomery(poly *c, const poly *a, const poly *b);
-
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_power2round(poly *a1, poly *a0, const poly *a);
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_decompose(poly *a1, poly *a0, const poly *a);
-unsigned int PQCLEAN_DILITHIUM2AES_AVX2_poly_make_hint(uint8_t hint[N], const poly *a0, const poly *a1);
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_use_hint(poly *b, const poly *a, const poly *h);
-
-int PQCLEAN_DILITHIUM2AES_AVX2_poly_chknorm(const poly *a, int32_t B);
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_preinit(poly *a, stream128_state *state);
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_eta_preinit(poly *a, stream128_state *state);
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_gamma1_preinit(poly *a, stream256_state *state);
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce);
-void PQCLEAN_DILITHIUM2AES_AVX2_poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-
-
-void PQCLEAN_DILITHIUM2AES_AVX2_polyeta_pack(uint8_t r[POLYETA_PACKEDBYTES], const poly *a);
-void PQCLEAN_DILITHIUM2AES_AVX2_polyeta_unpack(poly *r, const uint8_t a[POLYETA_PACKEDBYTES]);
-
-void PQCLEAN_DILITHIUM2AES_AVX2_polyt1_pack(uint8_t r[POLYT1_PACKEDBYTES], const poly *a);
-void PQCLEAN_DILITHIUM2AES_AVX2_polyt1_unpack(poly *r, const uint8_t a[POLYT1_PACKEDBYTES]);
-
-void PQCLEAN_DILITHIUM2AES_AVX2_polyt0_pack(uint8_t r[POLYT0_PACKEDBYTES], const poly *a);
-void PQCLEAN_DILITHIUM2AES_AVX2_polyt0_unpack(poly *r, const uint8_t a[POLYT0_PACKEDBYTES]);
-
-void PQCLEAN_DILITHIUM2AES_AVX2_polyz_pack(uint8_t r[POLYZ_PACKEDBYTES], const poly *a);
-void PQCLEAN_DILITHIUM2AES_AVX2_polyz_unpack(poly *r, const uint8_t a[POLYZ_PACKEDBYTES + 14]);
-
-void PQCLEAN_DILITHIUM2AES_AVX2_polyw1_pack(uint8_t r[POLYW1_PACKEDBYTES + 8], const poly *a);
-
-#endif
diff --git a/crypto_sign/dilithium2aes/avx2/polyvec.c b/crypto_sign/dilithium2aes/avx2/polyvec.c
deleted file mode 100644
index 323fb1c5..00000000
--- a/crypto_sign/dilithium2aes/avx2/polyvec.c
+++ /dev/null
@@ -1,449 +0,0 @@ -#include "aes256ctr.h" -#include "consts.h" -#include "ntt.h" -#include "params.h" -#include "poly.h" -#include "polyvec.h" -#include - -#define UNUSED(x) (void)x - -/************************************************* -* Name: expand_mat -* -* Description: Implementation of ExpandA. Generates matrix A with uniformly -* random coefficients a_{i,j} by performing rejection -* sampling on the output stream of SHAKE128(rho|j|i) -* or AES256CTR(rho,j|i). -* -* Arguments: - polyvecl mat[K]: output matrix -* - const uint8_t rho[]: byte array containing seed rho -**************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) { - unsigned int i, j; - uint64_t nonce; - aes256ctr_ctx state; - - PQCLEAN_DILITHIUM2AES_AVX2_aes256ctr_init(&state, rho, 0); - - for (i = 0; i < K; i++) { - for (j = 0; j < L; j++) { - nonce = (i << 8) + j; - state.n = _mm_loadl_epi64((__m128i *)&nonce); - PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_preinit(&mat[i].vec[j], &state); - PQCLEAN_DILITHIUM2AES_AVX2_poly_nttunpack(&mat[i].vec[j]); - } - } -} - - -void PQCLEAN_DILITHIUM2AES_AVX2_polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_pointwise_acc_montgomery(&t->vec[i], &mat[i], v); - } -} - -/**************************************************************/ -/************ Vectors of polynomials of length L **************/ -/**************************************************************/ - -void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_eta(&v->vec[i], seed, nonce++); - } -} - -void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { - unsigned int i; - - 
for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_gamma1(&v->vec[i], seed, L * nonce + i); - } -} - -void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_reduce(polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM2AES_AVX2_poly_reduce(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_freeze -* -* Description: Reduce coefficients of polynomials in vector of length L -* to standard representatives. -* -* Arguments: - polyvecl *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_freeze(polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM2AES_AVX2_poly_freeze(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_add -* -* Description: Add vectors of polynomials of length L. -* No modular reduction is performed. -* -* Arguments: - polyvecl *w: pointer to output vector -* - const polyvecl *u: pointer to first summand -* - const polyvecl *v: pointer to second summand -**************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM2AES_AVX2_poly_add(&w->vec[i], &u->vec[i], &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_ntt -* -* Description: Forward NTT of all polynomials in vector of length L. Output -* coefficients can be up to 16*Q larger than input coefficients. 
-* -* Arguments: - polyvecl *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_ntt(polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM2AES_AVX2_poly_ntt(&v->vec[i]); - } -} - -void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_invntt_tomont(polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM2AES_AVX2_poly_invntt_tomont(&v->vec[i]); - } -} - -void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM2AES_AVX2_poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_pointwise_acc_montgomery -* -* Description: Pointwise multiply vectors of polynomials of length L, multiply -* resulting vector by 2^{-32} and add (accumulate) polynomials -* in it. Input/output vectors are in NTT domain representation. -* -* Arguments: - poly *w: output polynomial -* - const polyvecl *u: pointer to first input vector -* - const polyvecl *v: pointer to second input vector -**************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_pointwise_acc_montgomery(poly *w, const polyvecl *u, const polyvecl *v) { - PQCLEAN_DILITHIUM2AES_AVX2_pointwise_acc_avx(w->vec, u->vec->vec, v->vec->vec, PQCLEAN_DILITHIUM2AES_AVX2_qdata.vec); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_chknorm -* -* Description: Check infinity norm of polynomials in vector of length L. -* Assumes input polyvecl to be reduced by PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_reduce(). -* -* Arguments: - const polyvecl *v: pointer to vector -* - int32_t B: norm bound -* -* Returns 0 if norm of all polynomials is strictly smaller than B <= (Q-1)/8 -* and 1 otherwise. 
-**************************************************/ -int PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_chknorm(const polyvecl *v, int32_t bound) { - unsigned int i; - - for (i = 0; i < L; ++i) { - if (PQCLEAN_DILITHIUM2AES_AVX2_poly_chknorm(&v->vec[i], bound)) { - return 1; - } - } - - return 0; -} - -/**************************************************************/ -/************ Vectors of polynomials of length K **************/ -/**************************************************************/ - -void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_eta(&v->vec[i], seed, nonce++); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_polyveck_reduce -* -* Description: Reduce coefficients of polynomials in vector of length K -* to representatives in [-6283009,6283007]. -* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_reduce(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_AVX2_poly_reduce(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_polyveck_caddq -* -* Description: For all coefficients of polynomials in vector of length K -* add Q if coefficient is negative. -* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_caddq(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_AVX2_poly_caddq(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_polyveck_freeze -* -* Description: Reduce coefficients of polynomials in vector of length K -* to standard representatives. 
-* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_freeze(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_AVX2_poly_freeze(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_polyveck_add -* -* Description: Add vectors of polynomials of length K. -* No modular reduction is performed. -* -* Arguments: - polyveck *w: pointer to output vector -* - const polyveck *u: pointer to first summand -* - const polyveck *v: pointer to second summand -**************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_add(polyveck *w, const polyveck *u, const polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_AVX2_poly_add(&w->vec[i], &u->vec[i], &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_polyveck_sub -* -* Description: Subtract vectors of polynomials of length K. -* No modular reduction is performed. -* -* Arguments: - polyveck *w: pointer to output vector -* - const polyveck *u: pointer to first input vector -* - const polyveck *v: pointer to second input vector to be -* subtracted from first input vector -**************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_AVX2_poly_sub(&w->vec[i], &u->vec[i], &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_polyveck_shiftl -* -* Description: Multiply vector of polynomials of Length K by 2^D without modular -* reduction. Assumes input coefficients to be less than 2^{31-D}. 
-* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_shiftl(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_AVX2_poly_shiftl(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_polyveck_ntt -* -* Description: Forward NTT of all polynomials in vector of length K. Output -* coefficients can be up to 16*Q larger than input coefficients. -* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_ntt(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_AVX2_poly_ntt(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_polyveck_invntt_tomont -* -* Description: Inverse NTT and multiplication by 2^{32} of polynomials -* in vector of length K. Input coefficients need to be less -* than 2*Q. -* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_invntt_tomont(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_AVX2_poly_invntt_tomont(&v->vec[i]); - } -} - -void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_AVX2_poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_polyveck_chknorm -* -* Description: Check infinity norm of polynomials in vector of length K. -* Assumes input polyveck to be reduced by PQCLEAN_DILITHIUM2AES_AVX2_polyveck_reduce(). 
-* -* Arguments: - const polyveck *v: pointer to vector -* - int32_t B: norm bound -* -* Returns 0 if norm of all polynomials are strictly smaller than B <= (Q-1)/8 -* and 1 otherwise. -**************************************************/ -int PQCLEAN_DILITHIUM2AES_AVX2_polyveck_chknorm(const polyveck *v, int32_t bound) { - unsigned int i; - - for (i = 0; i < K; ++i) { - if (PQCLEAN_DILITHIUM2AES_AVX2_poly_chknorm(&v->vec[i], bound)) { - return 1; - } - } - - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_polyveck_power2round -* -* Description: For all coefficients a of polynomials in vector of length K, -* compute a0, a1 such that a mod^+ Q = a1*2^D + a0 -* with -2^{D-1} < a0 <= 2^{D-1}. Assumes coefficients to be -* standard representatives. -* -* Arguments: - polyveck *v1: pointer to output vector of polynomials with -* coefficients a1 -* - polyveck *v0: pointer to output vector of polynomials with -* coefficients a0 -* - const polyveck *v: pointer to input vector -**************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_AVX2_poly_power2round(&v1->vec[i], &v0->vec[i], &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_polyveck_decompose -* -* Description: For all coefficients a of polynomials in vector of length K, -* compute high and low bits a0, a1 such a mod^+ Q = a1*ALPHA + a0 -* with -ALPHA/2 < a0 <= ALPHA/2 except a1 = (Q-1)/ALPHA where we -* set a1 = 0 and -ALPHA/2 <= a0 = a mod Q - Q < 0. -* Assumes coefficients to be standard representatives. 
-* -* Arguments: - polyveck *v1: pointer to output vector of polynomials with -* coefficients a1 -* - polyveck *v0: pointer to output vector of polynomials with -* coefficients a0 -* - const polyveck *v: pointer to input vector -**************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_AVX2_poly_decompose(&v1->vec[i], &v0->vec[i], &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_polyveck_make_hint -* -* Description: Compute hint vector. -* -* Arguments: - uint8_t *hint: pointer to output hint array -* - const polyveck *v0: pointer to low part of input vector -* - const polyveck *v1: pointer to high part of input vector -* -* Returns number of 1 bits. -**************************************************/ -unsigned int PQCLEAN_DILITHIUM2AES_AVX2_polyveck_make_hint(uint8_t *hint, const polyveck *v0, const polyveck *v1) { - unsigned int i, n = 0; - - for (i = 0; i < K; ++i) { - n += PQCLEAN_DILITHIUM2AES_AVX2_poly_make_hint(&hint[n], &v0->vec[i], &v1->vec[i]); - } - - return n; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_polyveck_use_hint -* -* Description: Use hint vector to correct the high bits of input vector. 
-* -* Arguments: - polyveck *w: pointer to output vector of polynomials with -* corrected high bits -* - const polyveck *u: pointer to input vector -* - const polyveck *h: pointer to input hint vector -**************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_AVX2_poly_use_hint(&w->vec[i], &u->vec[i], &h->vec[i]); - } -} - -void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_pack_w1(uint8_t r[K * POLYW1_PACKEDBYTES], const polyveck *w1) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_AVX2_polyw1_pack(&r[i * POLYW1_PACKEDBYTES], &w1->vec[i]); - } -} diff --git a/crypto_sign/dilithium2aes/avx2/polyvec.h b/crypto_sign/dilithium2aes/avx2/polyvec.h deleted file mode 100644 index 67652026..00000000 --- a/crypto_sign/dilithium2aes/avx2/polyvec.h +++ /dev/null 
@@ -1,64 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM2AES_AVX2_POLYVEC_H
-#define PQCLEAN_DILITHIUM2AES_AVX2_POLYVEC_H
-#include "params.h"
-#include "poly.h"
-#include 
-
-/* Vectors of polynomials of length L */
-typedef struct {
- poly vec[L];
-} polyvecl;
-
-void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-
-void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-
-void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_reduce(polyvecl *v);
-
-void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_freeze(polyvecl *v);
-
-void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v);
-
-void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_ntt(polyvecl *v);
-void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_invntt_tomont(polyvecl *v);
-void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v);
-void PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_pointwise_acc_montgomery(poly *w,
- const polyvecl *u,
- const polyvecl *v);
-
-int PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_chknorm(const polyvecl *v, int32_t B);
-
-/* Vectors of polynomials of length K */
-typedef struct {
- poly vec[K];
-} polyveck;
-
-void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-
-void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_reduce(polyveck *v);
-void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_caddq(polyveck *v);
-void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_freeze(polyveck *v);
-
-void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_add(polyveck *w, const polyveck *u, const polyveck *v);
-void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v);
-void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_shiftl(polyveck *v);
-
-void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_ntt(polyveck *v);
-void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_invntt_tomont(polyveck *v);
-void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v);
-
-int PQCLEAN_DILITHIUM2AES_AVX2_polyveck_chknorm(const polyveck *v, int32_t B);
-
-void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v);
-void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v);
-unsigned int PQCLEAN_DILITHIUM2AES_AVX2_polyveck_make_hint(uint8_t *hint, const polyveck *v0, const polyveck *v1);
-void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h);
-
-void PQCLEAN_DILITHIUM2AES_AVX2_polyveck_pack_w1(uint8_t r[K * POLYW1_PACKEDBYTES], const polyveck *w1);
-
-void PQCLEAN_DILITHIUM2AES_AVX2_polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]);
-
-
-void PQCLEAN_DILITHIUM2AES_AVX2_polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v);
-
-#endif
diff --git a/crypto_sign/dilithium2aes/avx2/rejsample.c b/crypto_sign/dilithium2aes/avx2/rejsample.c
deleted file mode 100644
index 0c26e4b6..00000000
--- a/crypto_sign/dilithium2aes/avx2/rejsample.c
+++ /dev/null
@@ -1,394 +0,0 @@ -#include "params.h" -#include "rejsample.h" -#include "symmetric.h" -#include -#include - -const uint8_t PQCLEAN_DILITHIUM2AES_AVX2_idxlut[256][8] = { - { 0, 0, 0, 0, 0, 0, 0, 0}, - { 0, 0, 0, 0, 0, 0, 0, 0}, - { 1, 0, 0, 0, 0, 0, 0, 0}, - { 0, 1, 0, 0, 0, 0, 0, 0}, - { 2, 0, 0, 0, 0, 0, 0, 0}, - { 0, 2, 0, 0, 0, 0, 0, 0}, - { 1, 2, 0, 0, 0, 0, 0, 0}, - { 0, 1, 2, 0, 0, 0, 0, 0}, - { 3, 0, 0, 0, 0, 0, 0, 0}, - { 0, 3, 0, 0, 0, 0, 0, 0}, - { 1, 3, 0, 0, 0, 0, 0, 0}, - { 0, 1, 3, 0, 0, 0, 0, 0}, - { 2, 3, 0, 0, 0, 0, 0, 0}, - { 0, 2, 3, 0, 0, 0, 0, 0}, - { 1, 2, 3, 0, 0, 0, 0, 0}, - { 0, 1, 2, 3, 0, 0, 0, 0}, - { 4, 0, 0, 0, 0, 0, 0, 0}, - { 0, 4, 0, 0, 0, 0, 0, 0}, - { 1, 4, 0, 0, 0, 0, 0, 0}, - { 0, 1, 4, 0, 0, 0, 0, 0}, - { 2, 4, 0, 0, 0, 0, 0, 0}, - { 0, 2, 4, 0, 0, 0, 0, 0}, - { 1, 2, 4, 0, 0, 0, 0, 0}, - { 0, 1, 2, 4, 0, 0, 0, 0}, - { 3, 4, 0, 0, 0, 0, 0, 0}, - { 0, 3, 4, 0, 0, 0, 0, 0}, - { 1, 3, 4, 0, 0, 0, 0, 0}, - { 0, 1, 3, 4, 0, 0, 0, 0}, - { 2, 3, 4, 0, 0, 0, 0, 0}, - { 0, 2, 3, 4, 0, 0, 0, 0}, - { 1, 2, 3, 4, 0, 0, 0, 0}, - { 0, 1, 2, 3, 4, 0, 0, 0}, - { 5, 0, 0, 0, 0, 0, 0, 0}, - { 0, 5, 0, 0, 0, 0, 0, 0}, - { 1, 5, 0, 0, 0, 0, 0, 0}, - { 0, 1, 5, 0, 0, 0, 0, 0}, - { 2, 5, 0, 0, 0, 0, 0, 0}, - { 0, 2, 5, 0, 0, 0, 0, 0}, - { 1, 2, 5, 0, 0, 0, 0, 0}, - { 0, 1, 2, 5, 0, 0, 0, 0}, - { 3, 5, 0, 0, 0, 0, 0, 0}, - { 0, 3, 5, 0, 0, 0, 0, 0}, - { 1, 3, 5, 0, 0, 0, 0, 0}, - { 0, 1, 3, 5, 0, 0, 0, 0}, - { 2, 3, 5, 0, 0, 0, 0, 0}, - { 0, 2, 3, 5, 0, 0, 0, 0}, - { 1, 2, 3, 5, 0, 0, 0, 0}, - { 0, 1, 2, 3, 5, 0, 0, 0}, - { 4, 5, 0, 0, 0, 0, 0, 0}, - { 0, 4, 5, 0, 0, 0, 0, 0}, - { 1, 4, 5, 0, 0, 0, 0, 0}, - { 0, 1, 4, 5, 0, 0, 0, 0}, - { 2, 4, 5, 0, 0, 0, 0, 0}, - { 0, 2, 4, 5, 0, 0, 0, 0}, - { 1, 2, 4, 5, 0, 0, 0, 0}, - { 0, 1, 2, 4, 5, 0, 0, 0}, - { 3, 4, 5, 0, 0, 0, 0, 0}, - { 0, 3, 4, 5, 0, 0, 0, 0}, - { 1, 3, 4, 5, 0, 0, 0, 0}, - { 0, 1, 3, 4, 5, 0, 0, 0}, - { 2, 3, 4, 5, 0, 0, 0, 0}, - { 0, 2, 3, 4, 5, 0, 0, 0}, - { 1, 2, 3, 4, 5, 0, 0, 0}, - 
{ 0, 1, 2, 3, 4, 5, 0, 0}, - { 6, 0, 0, 0, 0, 0, 0, 0}, - { 0, 6, 0, 0, 0, 0, 0, 0}, - { 1, 6, 0, 0, 0, 0, 0, 0}, - { 0, 1, 6, 0, 0, 0, 0, 0}, - { 2, 6, 0, 0, 0, 0, 0, 0}, - { 0, 2, 6, 0, 0, 0, 0, 0}, - { 1, 2, 6, 0, 0, 0, 0, 0}, - { 0, 1, 2, 6, 0, 0, 0, 0}, - { 3, 6, 0, 0, 0, 0, 0, 0}, - { 0, 3, 6, 0, 0, 0, 0, 0}, - { 1, 3, 6, 0, 0, 0, 0, 0}, - { 0, 1, 3, 6, 0, 0, 0, 0}, - { 2, 3, 6, 0, 0, 0, 0, 0}, - { 0, 2, 3, 6, 0, 0, 0, 0}, - { 1, 2, 3, 6, 0, 0, 0, 0}, - { 0, 1, 2, 3, 6, 0, 0, 0}, - { 4, 6, 0, 0, 0, 0, 0, 0}, - { 0, 4, 6, 0, 0, 0, 0, 0}, - { 1, 4, 6, 0, 0, 0, 0, 0}, - { 0, 1, 4, 6, 0, 0, 0, 0}, - { 2, 4, 6, 0, 0, 0, 0, 0}, - { 0, 2, 4, 6, 0, 0, 0, 0}, - { 1, 2, 4, 6, 0, 0, 0, 0}, - { 0, 1, 2, 4, 6, 0, 0, 0}, - { 3, 4, 6, 0, 0, 0, 0, 0}, - { 0, 3, 4, 6, 0, 0, 0, 0}, - { 1, 3, 4, 6, 0, 0, 0, 0}, - { 0, 1, 3, 4, 6, 0, 0, 0}, - { 2, 3, 4, 6, 0, 0, 0, 0}, - { 0, 2, 3, 4, 6, 0, 0, 0}, - { 1, 2, 3, 4, 6, 0, 0, 0}, - { 0, 1, 2, 3, 4, 6, 0, 0}, - { 5, 6, 0, 0, 0, 0, 0, 0}, - { 0, 5, 6, 0, 0, 0, 0, 0}, - { 1, 5, 6, 0, 0, 0, 0, 0}, - { 0, 1, 5, 6, 0, 0, 0, 0}, - { 2, 5, 6, 0, 0, 0, 0, 0}, - { 0, 2, 5, 6, 0, 0, 0, 0}, - { 1, 2, 5, 6, 0, 0, 0, 0}, - { 0, 1, 2, 5, 6, 0, 0, 0}, - { 3, 5, 6, 0, 0, 0, 0, 0}, - { 0, 3, 5, 6, 0, 0, 0, 0}, - { 1, 3, 5, 6, 0, 0, 0, 0}, - { 0, 1, 3, 5, 6, 0, 0, 0}, - { 2, 3, 5, 6, 0, 0, 0, 0}, - { 0, 2, 3, 5, 6, 0, 0, 0}, - { 1, 2, 3, 5, 6, 0, 0, 0}, - { 0, 1, 2, 3, 5, 6, 0, 0}, - { 4, 5, 6, 0, 0, 0, 0, 0}, - { 0, 4, 5, 6, 0, 0, 0, 0}, - { 1, 4, 5, 6, 0, 0, 0, 0}, - { 0, 1, 4, 5, 6, 0, 0, 0}, - { 2, 4, 5, 6, 0, 0, 0, 0}, - { 0, 2, 4, 5, 6, 0, 0, 0}, - { 1, 2, 4, 5, 6, 0, 0, 0}, - { 0, 1, 2, 4, 5, 6, 0, 0}, - { 3, 4, 5, 6, 0, 0, 0, 0}, - { 0, 3, 4, 5, 6, 0, 0, 0}, - { 1, 3, 4, 5, 6, 0, 0, 0}, - { 0, 1, 3, 4, 5, 6, 0, 0}, - { 2, 3, 4, 5, 6, 0, 0, 0}, - { 0, 2, 3, 4, 5, 6, 0, 0}, - { 1, 2, 3, 4, 5, 6, 0, 0}, - { 0, 1, 2, 3, 4, 5, 6, 0}, - { 7, 0, 0, 0, 0, 0, 0, 0}, - { 0, 7, 0, 0, 0, 0, 0, 0}, - { 1, 7, 0, 0, 0, 0, 0, 0}, - { 0, 1, 7, 0, 0, 0, 0, 0}, 
- { 2, 7, 0, 0, 0, 0, 0, 0}, - { 0, 2, 7, 0, 0, 0, 0, 0}, - { 1, 2, 7, 0, 0, 0, 0, 0}, - { 0, 1, 2, 7, 0, 0, 0, 0}, - { 3, 7, 0, 0, 0, 0, 0, 0}, - { 0, 3, 7, 0, 0, 0, 0, 0}, - { 1, 3, 7, 0, 0, 0, 0, 0}, - { 0, 1, 3, 7, 0, 0, 0, 0}, - { 2, 3, 7, 0, 0, 0, 0, 0}, - { 0, 2, 3, 7, 0, 0, 0, 0}, - { 1, 2, 3, 7, 0, 0, 0, 0}, - { 0, 1, 2, 3, 7, 0, 0, 0}, - { 4, 7, 0, 0, 0, 0, 0, 0}, - { 0, 4, 7, 0, 0, 0, 0, 0}, - { 1, 4, 7, 0, 0, 0, 0, 0}, - { 0, 1, 4, 7, 0, 0, 0, 0}, - { 2, 4, 7, 0, 0, 0, 0, 0}, - { 0, 2, 4, 7, 0, 0, 0, 0}, - { 1, 2, 4, 7, 0, 0, 0, 0}, - { 0, 1, 2, 4, 7, 0, 0, 0}, - { 3, 4, 7, 0, 0, 0, 0, 0}, - { 0, 3, 4, 7, 0, 0, 0, 0}, - { 1, 3, 4, 7, 0, 0, 0, 0}, - { 0, 1, 3, 4, 7, 0, 0, 0}, - { 2, 3, 4, 7, 0, 0, 0, 0}, - { 0, 2, 3, 4, 7, 0, 0, 0}, - { 1, 2, 3, 4, 7, 0, 0, 0}, - { 0, 1, 2, 3, 4, 7, 0, 0}, - { 5, 7, 0, 0, 0, 0, 0, 0}, - { 0, 5, 7, 0, 0, 0, 0, 0}, - { 1, 5, 7, 0, 0, 0, 0, 0}, - { 0, 1, 5, 7, 0, 0, 0, 0}, - { 2, 5, 7, 0, 0, 0, 0, 0}, - { 0, 2, 5, 7, 0, 0, 0, 0}, - { 1, 2, 5, 7, 0, 0, 0, 0}, - { 0, 1, 2, 5, 7, 0, 0, 0}, - { 3, 5, 7, 0, 0, 0, 0, 0}, - { 0, 3, 5, 7, 0, 0, 0, 0}, - { 1, 3, 5, 7, 0, 0, 0, 0}, - { 0, 1, 3, 5, 7, 0, 0, 0}, - { 2, 3, 5, 7, 0, 0, 0, 0}, - { 0, 2, 3, 5, 7, 0, 0, 0}, - { 1, 2, 3, 5, 7, 0, 0, 0}, - { 0, 1, 2, 3, 5, 7, 0, 0}, - { 4, 5, 7, 0, 0, 0, 0, 0}, - { 0, 4, 5, 7, 0, 0, 0, 0}, - { 1, 4, 5, 7, 0, 0, 0, 0}, - { 0, 1, 4, 5, 7, 0, 0, 0}, - { 2, 4, 5, 7, 0, 0, 0, 0}, - { 0, 2, 4, 5, 7, 0, 0, 0}, - { 1, 2, 4, 5, 7, 0, 0, 0}, - { 0, 1, 2, 4, 5, 7, 0, 0}, - { 3, 4, 5, 7, 0, 0, 0, 0}, - { 0, 3, 4, 5, 7, 0, 0, 0}, - { 1, 3, 4, 5, 7, 0, 0, 0}, - { 0, 1, 3, 4, 5, 7, 0, 0}, - { 2, 3, 4, 5, 7, 0, 0, 0}, - { 0, 2, 3, 4, 5, 7, 0, 0}, - { 1, 2, 3, 4, 5, 7, 0, 0}, - { 0, 1, 2, 3, 4, 5, 7, 0}, - { 6, 7, 0, 0, 0, 0, 0, 0}, - { 0, 6, 7, 0, 0, 0, 0, 0}, - { 1, 6, 7, 0, 0, 0, 0, 0}, - { 0, 1, 6, 7, 0, 0, 0, 0}, - { 2, 6, 7, 0, 0, 0, 0, 0}, - { 0, 2, 6, 7, 0, 0, 0, 0}, - { 1, 2, 6, 7, 0, 0, 0, 0}, - { 0, 1, 2, 6, 7, 0, 0, 0}, - { 3, 6, 7, 0, 0, 0, 0, 
0}, - { 0, 3, 6, 7, 0, 0, 0, 0}, - { 1, 3, 6, 7, 0, 0, 0, 0}, - { 0, 1, 3, 6, 7, 0, 0, 0}, - { 2, 3, 6, 7, 0, 0, 0, 0}, - { 0, 2, 3, 6, 7, 0, 0, 0}, - { 1, 2, 3, 6, 7, 0, 0, 0}, - { 0, 1, 2, 3, 6, 7, 0, 0}, - { 4, 6, 7, 0, 0, 0, 0, 0}, - { 0, 4, 6, 7, 0, 0, 0, 0}, - { 1, 4, 6, 7, 0, 0, 0, 0}, - { 0, 1, 4, 6, 7, 0, 0, 0}, - { 2, 4, 6, 7, 0, 0, 0, 0}, - { 0, 2, 4, 6, 7, 0, 0, 0}, - { 1, 2, 4, 6, 7, 0, 0, 0}, - { 0, 1, 2, 4, 6, 7, 0, 0}, - { 3, 4, 6, 7, 0, 0, 0, 0}, - { 0, 3, 4, 6, 7, 0, 0, 0}, - { 1, 3, 4, 6, 7, 0, 0, 0}, - { 0, 1, 3, 4, 6, 7, 0, 0}, - { 2, 3, 4, 6, 7, 0, 0, 0}, - { 0, 2, 3, 4, 6, 7, 0, 0}, - { 1, 2, 3, 4, 6, 7, 0, 0}, - { 0, 1, 2, 3, 4, 6, 7, 0}, - { 5, 6, 7, 0, 0, 0, 0, 0}, - { 0, 5, 6, 7, 0, 0, 0, 0}, - { 1, 5, 6, 7, 0, 0, 0, 0}, - { 0, 1, 5, 6, 7, 0, 0, 0}, - { 2, 5, 6, 7, 0, 0, 0, 0}, - { 0, 2, 5, 6, 7, 0, 0, 0}, - { 1, 2, 5, 6, 7, 0, 0, 0}, - { 0, 1, 2, 5, 6, 7, 0, 0}, - { 3, 5, 6, 7, 0, 0, 0, 0}, - { 0, 3, 5, 6, 7, 0, 0, 0}, - { 1, 3, 5, 6, 7, 0, 0, 0}, - { 0, 1, 3, 5, 6, 7, 0, 0}, - { 2, 3, 5, 6, 7, 0, 0, 0}, - { 0, 2, 3, 5, 6, 7, 0, 0}, - { 1, 2, 3, 5, 6, 7, 0, 0}, - { 0, 1, 2, 3, 5, 6, 7, 0}, - { 4, 5, 6, 7, 0, 0, 0, 0}, - { 0, 4, 5, 6, 7, 0, 0, 0}, - { 1, 4, 5, 6, 7, 0, 0, 0}, - { 0, 1, 4, 5, 6, 7, 0, 0}, - { 2, 4, 5, 6, 7, 0, 0, 0}, - { 0, 2, 4, 5, 6, 7, 0, 0}, - { 1, 2, 4, 5, 6, 7, 0, 0}, - { 0, 1, 2, 4, 5, 6, 7, 0}, - { 3, 4, 5, 6, 7, 0, 0, 0}, - { 0, 3, 4, 5, 6, 7, 0, 0}, - { 1, 3, 4, 5, 6, 7, 0, 0}, - { 0, 1, 3, 4, 5, 6, 7, 0}, - { 2, 3, 4, 5, 6, 7, 0, 0}, - { 0, 2, 3, 4, 5, 6, 7, 0}, - { 1, 2, 3, 4, 5, 6, 7, 0}, - { 0, 1, 2, 3, 4, 5, 6, 7} -}; - -unsigned int PQCLEAN_DILITHIUM2AES_AVX2_rej_uniform_avx(int32_t *restrict r, const uint8_t buf[REJ_UNIFORM_BUFLEN + 8]) { - unsigned int ctr, pos; - uint32_t good; - __m256i d, tmp; - const __m256i bound = _mm256_set1_epi32(Q); - const __m256i mask = _mm256_set1_epi32(0x7FFFFF); - const __m256i idx8 = _mm256_set_epi8(-1, 15, 14, 13, -1, 12, 11, 10, - -1, 9, 8, 7, -1, 6, 5, 4, - -1, 11, 10, 
9, -1, 8, 7, 6, - -1, 5, 4, 3, -1, 2, 1, 0); - - ctr = pos = 0; - while (pos <= REJ_UNIFORM_BUFLEN - 24) { - d = _mm256_loadu_si256((__m256i *)&buf[pos]); - d = _mm256_permute4x64_epi64(d, 0x94); - d = _mm256_shuffle_epi8(d, idx8); - d = _mm256_and_si256(d, mask); - pos += 24; - - tmp = _mm256_sub_epi32(d, bound); - good = _mm256_movemask_ps((__m256)tmp); - tmp = _mm256_cvtepu8_epi32(_mm_loadl_epi64((__m128i *)&PQCLEAN_DILITHIUM2AES_AVX2_idxlut[good])); - d = _mm256_permutevar8x32_epi32(d, tmp); - - _mm256_storeu_si256((__m256i *)&r[ctr], d); - ctr += _mm_popcnt_u32(good); - - } - - - return ctr; -} - -unsigned int PQCLEAN_DILITHIUM2AES_AVX2_rej_eta_avx(int32_t *restrict r, const uint8_t buf[REJ_UNIFORM_ETA_BUFLEN]) { - unsigned int ctr, pos; - uint32_t good; - __m256i f0, f1, f2; - __m128i g0, g1; - const __m256i mask = _mm256_set1_epi8(15); - const __m256i eta = _mm256_set1_epi8(ETA); - const __m256i bound = mask; - const __m256i v = _mm256_set1_epi32(-6560); - const __m256i p = _mm256_set1_epi32(5); - - ctr = pos = 0; - while (ctr <= N - 8 && pos <= REJ_UNIFORM_ETA_BUFLEN - 16) { - f0 = _mm256_cvtepu8_epi16(_mm_loadu_si128((__m128i *)&buf[pos])); - f1 = _mm256_slli_epi16(f0, 4); - f0 = _mm256_or_si256(f0, f1); - f0 = _mm256_and_si256(f0, mask); - - f1 = _mm256_sub_epi8(f0, bound); - f0 = _mm256_sub_epi8(eta, f0); - good = _mm256_movemask_epi8(f1); - - g0 = _mm256_castsi256_si128(f0); - g1 = _mm_loadl_epi64((__m128i *)&PQCLEAN_DILITHIUM2AES_AVX2_idxlut[good & 0xFF]); - g1 = _mm_shuffle_epi8(g0, g1); - f1 = _mm256_cvtepi8_epi32(g1); - f2 = _mm256_mulhrs_epi16(f1, v); - f2 = _mm256_mullo_epi16(f2, p); - f1 = _mm256_add_epi32(f1, f2); - _mm256_storeu_si256((__m256i *)&r[ctr], f1); - ctr += _mm_popcnt_u32(good & 0xFF); - good >>= 8; - pos += 4; - - if (ctr > N - 8) { - break; - } - g0 = _mm_bsrli_si128(g0, 8); - g1 = _mm_loadl_epi64((__m128i *)&PQCLEAN_DILITHIUM2AES_AVX2_idxlut[good & 0xFF]); - g1 = _mm_shuffle_epi8(g0, g1); - f1 = _mm256_cvtepi8_epi32(g1); - f2 = 
_mm256_mulhrs_epi16(f1, v); - f2 = _mm256_mullo_epi16(f2, p); - f1 = _mm256_add_epi32(f1, f2); - _mm256_storeu_si256((__m256i *)&r[ctr], f1); - ctr += _mm_popcnt_u32(good & 0xFF); - good >>= 8; - pos += 4; - - if (ctr > N - 8) { - break; - } - g0 = _mm256_extracti128_si256(f0, 1); - g1 = _mm_loadl_epi64((__m128i *)&PQCLEAN_DILITHIUM2AES_AVX2_idxlut[good & 0xFF]); - g1 = _mm_shuffle_epi8(g0, g1); - f1 = _mm256_cvtepi8_epi32(g1); - f2 = _mm256_mulhrs_epi16(f1, v); - f2 = _mm256_mullo_epi16(f2, p); - f1 = _mm256_add_epi32(f1, f2); - _mm256_storeu_si256((__m256i *)&r[ctr], f1); - ctr += _mm_popcnt_u32(good & 0xFF); - good >>= 8; - pos += 4; - - if (ctr > N - 8) { - break; - } - g0 = _mm_bsrli_si128(g0, 8); - g1 = _mm_loadl_epi64((__m128i *)&PQCLEAN_DILITHIUM2AES_AVX2_idxlut[good]); - g1 = _mm_shuffle_epi8(g0, g1); - f1 = _mm256_cvtepi8_epi32(g1); - f2 = _mm256_mulhrs_epi16(f1, v); - f2 = _mm256_mullo_epi16(f2, p); - f1 = _mm256_add_epi32(f1, f2); - _mm256_storeu_si256((__m256i *)&r[ctr], f1); - ctr += _mm_popcnt_u32(good); - pos += 4; - } - - uint32_t t0, t1; - while (ctr < N && pos < REJ_UNIFORM_ETA_BUFLEN) { - t0 = buf[pos] & 0x0F; - t1 = buf[pos++] >> 4; - - if (t0 < 15) { - t0 = t0 - (205 * t0 >> 10) * 5; - r[ctr++] = 2 - t0; - } - if (t1 < 15 && ctr < N) { - t1 = t1 - (205 * t1 >> 10) * 5; - r[ctr++] = 2 - t1; - } - } - - return ctr; -} diff --git a/crypto_sign/dilithium2aes/avx2/rejsample.h b/crypto_sign/dilithium2aes/avx2/rejsample.h deleted file mode 100644 index 154ae530..00000000 --- a/crypto_sign/dilithium2aes/avx2/rejsample.h +++ /dev/null 
@@ -1,19 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM2AES_AVX2_REJSAMPLE_H
-#define PQCLEAN_DILITHIUM2AES_AVX2_REJSAMPLE_H
-#include "params.h"
-#include "symmetric.h"
-#include 
-
-#define REJ_UNIFORM_NBLOCKS ((768+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES)
-#define REJ_UNIFORM_BUFLEN (REJ_UNIFORM_NBLOCKS*STREAM128_BLOCKBYTES)
-
-#define REJ_UNIFORM_ETA_NBLOCKS ((137+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES)
-#define REJ_UNIFORM_ETA_BUFLEN (REJ_UNIFORM_ETA_NBLOCKS*STREAM128_BLOCKBYTES)
-
-extern const uint8_t PQCLEAN_DILITHIUM2AES_AVX2_idxlut[256][8];
-
-unsigned int PQCLEAN_DILITHIUM2AES_AVX2_rej_uniform_avx(int32_t *r, const uint8_t buf[REJ_UNIFORM_BUFLEN + 8]);
-
-unsigned int PQCLEAN_DILITHIUM2AES_AVX2_rej_eta_avx(int32_t *r, const uint8_t buf[REJ_UNIFORM_BUFLEN]);
-
-#endif
diff --git a/crypto_sign/dilithium2aes/avx2/rounding.c b/crypto_sign/dilithium2aes/avx2/rounding.c
deleted file mode 100644
index 054ce423..00000000
--- a/crypto_sign/dilithium2aes/avx2/rounding.c
+++ /dev/null
@@ -1,157 +0,0 @@ -#include "consts.h" -#include "params.h" -#include "rejsample.h" -#include "rounding.h" -#include -#include -#include - -#define _mm256_blendv_epi32(a,b,mask) \ - _mm256_castps_si256(_mm256_blendv_ps(_mm256_castsi256_ps(a), \ - _mm256_castsi256_ps(b), \ - _mm256_castsi256_ps(mask))) - -/************************************************* -* Name: power2round -* -* Description: For finite field elements a, compute a0, a1 such that -* a mod^+ Q = a1*2^D + a0 with -2^{D-1} < a0 <= 2^{D-1}. -* Assumes a to be positive standard representative. -* -* Arguments: - __m256i *a1: output array of length N/8 with high bits -* - __m256i *a0: output array of length N/8 with low bits a0 -* - const __m256i *a: input array of length N/8 -* -**************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_power2round_avx(__m256i *a1, __m256i *a0, const __m256i *a) { - unsigned int i; - __m256i f, f0, f1; - const __m256i mask = _mm256_set1_epi32(-(1 << D)); - const __m256i half = _mm256_set1_epi32((1 << (D - 1)) - 1); - - for (i = 0; i < N / 8; ++i) { - f = _mm256_load_si256(&a[i]); - f1 = _mm256_add_epi32(f, half); - f0 = _mm256_and_si256(f1, mask); - f1 = _mm256_srli_epi32(f1, D); - f0 = _mm256_sub_epi32(f, f0); - _mm256_store_si256(&a1[i], f1); - _mm256_store_si256(&a0[i], f0); - } -} - -/************************************************* -* Name: decompose -* -* Description: For finite field element a, compute high and low parts a0, a1 such -* that a mod^+ Q = a1*ALPHA + a0 with -ALPHA/2 < a0 <= ALPHA/2 except -* if a1 = (Q-1)/ALPHA where we set a1 = 0 and -* -ALPHA/2 <= a0 = a mod Q - Q < 0. Assumes a to be positive standard -* representative. 
-* -* Arguments: - __m256i *a1: output array of length N/8 with high parts -* - __m256i *a0: output array of length N/8 with low parts a0 -* - const __m256i *a: input array of length N/8 -* -**************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_decompose_avx(__m256i *a1, __m256i *a0, const __m256i *a) { - unsigned int i; - __m256i f, f0, f1, t; - const __m256i q = _mm256_load_si256(&PQCLEAN_DILITHIUM2AES_AVX2_qdata.vec[_8XQ / 8]); - const __m256i hq = _mm256_srli_epi32(q, 1); - const __m256i v = _mm256_set1_epi32(11275); - const __m256i alpha = _mm256_set1_epi32(2 * GAMMA2); - const __m256i off = _mm256_set1_epi32(127); - const __m256i shift = _mm256_set1_epi32(128); - const __m256i max = _mm256_set1_epi32(43); - const __m256i zero = _mm256_setzero_si256(); - - for (i = 0; i < N / 8; i++) { - f = _mm256_load_si256(&a[i]); - f1 = _mm256_add_epi32(f, off); - f1 = _mm256_srli_epi32(f1, 7); - f1 = _mm256_mulhi_epu16(f1, v); - f1 = _mm256_mulhrs_epi16(f1, shift); - t = _mm256_sub_epi32(max, f1); - f1 = _mm256_blendv_epi32(f1, zero, t); - f0 = _mm256_mullo_epi32(f1, alpha); - f0 = _mm256_sub_epi32(f, f0); - f = _mm256_cmpgt_epi32(f0, hq); - f = _mm256_and_si256(f, q); - f0 = _mm256_sub_epi32(f0, f); - _mm256_store_si256(&a1[i], f1); - _mm256_store_si256(&a0[i], f0); - } -} - -/************************************************* -* Name: make_hint -* -* Description: Compute indices of polynomial coefficients whose low bits -* overflow into the high bits. 
-* -* Arguments: - uint8_t *hint: hint array -* - const __m256i *a0: low bits of input elements -* - const __m256i *a1: high bits of input elements -* -* Returns number of overflowing low bits -**************************************************/ -unsigned int PQCLEAN_DILITHIUM2AES_AVX2_make_hint_avx(uint8_t hint[N], const __m256i *restrict a0, const __m256i *restrict a1) { - unsigned int i, n = 0; - __m256i f0, f1, g0, g1; - uint32_t bad; - uint64_t idx; - const __m256i low = _mm256_set1_epi32(-GAMMA2); - const __m256i high = _mm256_set1_epi32(GAMMA2); - - for (i = 0; i < N / 8; ++i) { - f0 = _mm256_load_si256(&a0[i]); - f1 = _mm256_load_si256(&a1[i]); - g0 = _mm256_abs_epi32(f0); - g0 = _mm256_cmpgt_epi32(g0, high); - g1 = _mm256_cmpeq_epi32(f0, low); - g1 = _mm256_sign_epi32(g1, f1); - g0 = _mm256_or_si256(g0, g1); - - bad = _mm256_movemask_ps((__m256)g0); - memcpy(&idx, PQCLEAN_DILITHIUM2AES_AVX2_idxlut[bad], 8); - idx += (uint64_t)0x0808080808080808 * i; - memcpy(&hint[n], &idx, 8); - n += _mm_popcnt_u32(bad); - } - - return n; -} - -/************************************************* -* Name: use_hint -* -* Description: Correct high parts according to hint. 
-* -* Arguments: - __m256i *b: output array of length N/8 with corrected high parts -* - const __m256i *a: input array of length N/8 -* - const __m256i *a: input array of length N/8 with hint bits -* -**************************************************/ -void PQCLEAN_DILITHIUM2AES_AVX2_use_hint_avx(__m256i *b, const __m256i *a, const __m256i *restrict hint) { - unsigned int i; - __m256i a0[N / 8]; - __m256i f, g, h, t; - const __m256i zero = _mm256_setzero_si256(); - const __m256i max = _mm256_set1_epi32(43); - - PQCLEAN_DILITHIUM2AES_AVX2_decompose_avx(b, a0, a); - for (i = 0; i < N / 8; i++) { - f = _mm256_load_si256(&a0[i]); - g = _mm256_load_si256(&b[i]); - h = _mm256_load_si256(&hint[i]); - t = _mm256_blendv_epi32(zero, h, f); - t = _mm256_slli_epi32(t, 1); - h = _mm256_sub_epi32(h, t); - g = _mm256_add_epi32(g, h); - g = _mm256_blendv_epi32(g, max, g); - f = _mm256_cmpgt_epi32(g, max); - g = _mm256_blendv_epi32(g, zero, f); - _mm256_store_si256(&b[i], g); - } -} diff --git a/crypto_sign/dilithium2aes/avx2/rounding.h b/crypto_sign/dilithium2aes/avx2/rounding.h deleted file mode 100644 index f8e790fd..00000000 --- a/crypto_sign/dilithium2aes/avx2/rounding.h +++ /dev/null @@ -1,12 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM2AES_AVX2_ROUNDING_H -#define PQCLEAN_DILITHIUM2AES_AVX2_ROUNDING_H -#include "params.h" -#include -#include - -void PQCLEAN_DILITHIUM2AES_AVX2_power2round_avx(__m256i *a1, __m256i *a0, const __m256i *a); -void PQCLEAN_DILITHIUM2AES_AVX2_decompose_avx(__m256i *a1, __m256i *a0, const __m256i *a); -unsigned int PQCLEAN_DILITHIUM2AES_AVX2_make_hint_avx(uint8_t hint[N], const __m256i *a0, const __m256i *a1); -void PQCLEAN_DILITHIUM2AES_AVX2_use_hint_avx(__m256i *b, const __m256i *a, const __m256i *hint); - -#endif diff --git a/crypto_sign/dilithium2aes/avx2/shuffle.S b/crypto_sign/dilithium2aes/avx2/shuffle.S deleted file mode 100644 index 047deaa7..00000000 --- a/crypto_sign/dilithium2aes/avx2/shuffle.S +++ /dev/null 
@@ -1,54 +0,0 @@
-#include "cdecl.h"
-.include "shuffle.inc"
-
-.text
-nttunpack128_avx:
-#load
-vmovdqa (%rdi),%ymm4
-vmovdqa 32(%rdi),%ymm5
-vmovdqa 64(%rdi),%ymm6
-vmovdqa 96(%rdi),%ymm7
-vmovdqa 128(%rdi),%ymm8
-vmovdqa 160(%rdi),%ymm9
-vmovdqa 192(%rdi),%ymm10
-vmovdqa 224(%rdi),%ymm11
-
-shuffle8 4,8,3,8
-shuffle8 5,9,4,9
-shuffle8 6,10,5,10
-shuffle8 7,11,6,11
-
-shuffle4 3,5,7,5
-shuffle4 8,10,3,10
-shuffle4 4,6,8,6
-shuffle4 9,11,4,11
-
-shuffle2 7,8,9,8
-shuffle2 5,6,7,6
-shuffle2 3,4,5,4
-shuffle2 10,11,3,11
-
-#store
-vmovdqa %ymm9,(%rdi)
-vmovdqa %ymm8,32(%rdi)
-vmovdqa %ymm7,64(%rdi)
-vmovdqa %ymm6,96(%rdi)
-vmovdqa %ymm5,128(%rdi)
-vmovdqa %ymm4,160(%rdi)
-vmovdqa %ymm3,192(%rdi)
-vmovdqa %ymm11,224(%rdi)
-
-ret
-
-.global cdecl(PQCLEAN_DILITHIUM2AES_AVX2_nttunpack_avx)
-.global _cdecl(PQCLEAN_DILITHIUM2AES_AVX2_nttunpack_avx)
-cdecl(PQCLEAN_DILITHIUM2AES_AVX2_nttunpack_avx):
-_cdecl(PQCLEAN_DILITHIUM2AES_AVX2_nttunpack_avx):
-call nttunpack128_avx
-add $256,%rdi
-call nttunpack128_avx
-add $256,%rdi
-call nttunpack128_avx
-add $256,%rdi
-call nttunpack128_avx
-ret
diff --git a/crypto_sign/dilithium2aes/avx2/shuffle.inc b/crypto_sign/dilithium2aes/avx2/shuffle.inc
deleted file mode 100644
index 73e9ffe0..00000000
--- a/crypto_sign/dilithium2aes/avx2/shuffle.inc
+++ /dev/null
@@ -1,25 +0,0 @@
-.macro shuffle8 r0,r1,r2,r3
-vperm2i128 $0x20,%ymm\r1,%ymm\r0,%ymm\r2
-vperm2i128 $0x31,%ymm\r1,%ymm\r0,%ymm\r3
-.endm
-
-.macro shuffle4 r0,r1,r2,r3
-vpunpcklqdq %ymm\r1,%ymm\r0,%ymm\r2
-vpunpckhqdq %ymm\r1,%ymm\r0,%ymm\r3
-.endm
-
-.macro shuffle2 r0,r1,r2,r3
-#vpsllq $32,%ymm\r1,%ymm\r2
-vmovsldup %ymm\r1,%ymm\r2
-vpblendd $0xAA,%ymm\r2,%ymm\r0,%ymm\r2
-vpsrlq $32,%ymm\r0,%ymm\r0
-#vmovshdup %ymm\r0,%ymm\r0
-vpblendd $0xAA,%ymm\r1,%ymm\r0,%ymm\r3
-.endm
-
-.macro shuffle1 r0,r1,r2,r3
-vpslld $16,%ymm\r1,%ymm\r2
-vpblendw $0xAA,%ymm\r2,%ymm\r0,%ymm\r2
-vpsrld $16,%ymm\r0,%ymm\r0
-vpblendw $0xAA,%ymm\r1,%ymm\r0,%ymm\r3
-.endm
diff --git a/crypto_sign/dilithium2aes/avx2/sign.c b/crypto_sign/dilithium2aes/avx2/sign.c
deleted file mode 100644
index a6b111a6..00000000
--- a/crypto_sign/dilithium2aes/avx2/sign.c
+++ /dev/null
@@ -1,425 +0,0 @@ -#include "aes256ctr.h" -#include "align.h" -#include "fips202.h" -#include "packing.h" -#include "params.h" -#include "poly.h" -#include "polyvec.h" -#include "randombytes.h" -#include "sign.h" -#include "symmetric.h" -#include -#include - - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_keypair -* -* Description: Generates public and private key. -* -* Arguments: - uint8_t *pk: pointer to output public key (allocated -* array of PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_PUBLICKEYBYTES bytes) -* - uint8_t *sk: pointer to output private key (allocated -* array of PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_SECRETKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { - unsigned int i; - uint8_t seedbuf[3 * SEEDBYTES]; - const uint8_t *rho, *rhoprime, *key; - uint64_t nonce; - aes256ctr_ctx aesctx; - polyvecl rowbuf[1]; - polyvecl s1, *row = rowbuf; - polyveck s2; - poly t1, t0; - - /* Get randomness for rho, rhoprime and key */ - randombytes(seedbuf, SEEDBYTES); - shake256(seedbuf, 3 * SEEDBYTES, seedbuf, SEEDBYTES); - rho = seedbuf; - rhoprime = seedbuf + SEEDBYTES; - key = seedbuf + 2 * SEEDBYTES; - - /* Store rho, key */ - memcpy(pk, rho, SEEDBYTES); - memcpy(sk, rho, SEEDBYTES); - memcpy(sk + SEEDBYTES, key, SEEDBYTES); - - /* Sample short vectors s1 and s2 */ - PQCLEAN_DILITHIUM2AES_AVX2_aes256ctr_init(&aesctx, rhoprime, 0); - for (i = 0; i < L; ++i) { - nonce = i; - aesctx.n = _mm_loadl_epi64((__m128i *)&nonce); - PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_eta_preinit(&s1.vec[i], &aesctx); - } - for (i = 0; i < K; ++i) { - nonce = L + i; - aesctx.n = _mm_loadl_epi64((__m128i *)&nonce); - PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_eta_preinit(&s2.vec[i], &aesctx); - } - - /* Pack secret vectors */ - for (i = 0; i < L; i++) { - PQCLEAN_DILITHIUM2AES_AVX2_polyeta_pack(sk + 2 * SEEDBYTES + CRHBYTES + 
i * POLYETA_PACKEDBYTES, &s1.vec[i]); - } - for (i = 0; i < K; i++) { - PQCLEAN_DILITHIUM2AES_AVX2_polyeta_pack(sk + 2 * SEEDBYTES + CRHBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]); - } - - /* Transform s1 */ - PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_ntt(&s1); - - PQCLEAN_DILITHIUM2AES_AVX2_aes256ctr_init(&aesctx, rho, 0); - - for (i = 0; i < K; i++) { - /* Expand matrix row */ - for (unsigned int j = 0; j < L; j++) { - nonce = (i << 8) + j; - aesctx.n = _mm_loadl_epi64((__m128i *)&nonce); - PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_preinit(&row->vec[j], &aesctx); - PQCLEAN_DILITHIUM2AES_AVX2_poly_nttunpack(&row->vec[j]); - } - - /* Compute inner-product */ - PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_pointwise_acc_montgomery(&t1, row, &s1); - PQCLEAN_DILITHIUM2AES_AVX2_poly_invntt_tomont(&t1); - - /* Add error polynomial */ - PQCLEAN_DILITHIUM2AES_AVX2_poly_add(&t1, &t1, &s2.vec[i]); - - /* Round t and pack t1, t0 */ - PQCLEAN_DILITHIUM2AES_AVX2_poly_caddq(&t1); - PQCLEAN_DILITHIUM2AES_AVX2_poly_power2round(&t1, &t0, &t1); - PQCLEAN_DILITHIUM2AES_AVX2_polyt1_pack(pk + SEEDBYTES + i * POLYT1_PACKEDBYTES, &t1); - PQCLEAN_DILITHIUM2AES_AVX2_polyt0_pack(sk + 2 * SEEDBYTES + CRHBYTES + (L + K)*POLYETA_PACKEDBYTES + i * POLYT0_PACKEDBYTES, &t0); - } - - /* Compute CRH(rho, t1) and store in secret key */ - crh(sk + 2 * SEEDBYTES, pk, PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_PUBLICKEYBYTES); - - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_signature -* -* Description: Computes signature. 
-* -* Arguments: - uint8_t *sig: pointer to output signature (of length PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_BYTES) -* - size_t *siglen: pointer to output length of signature -* - uint8_t *m: pointer to message to be signed -* - size_t mlen: length of message -* - uint8_t *sk: pointer to bit-packed secret key -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk) { - unsigned int i, n, pos; - uint8_t seedbuf[2 * SEEDBYTES + 3 * CRHBYTES]; - uint8_t *rho, *tr, *key, *mu, *rhoprime; - uint8_t hintbuf[N]; - uint8_t *hint = sig + SEEDBYTES + L * POLYZ_PACKEDBYTES; - uint64_t nonce = 0; - polyvecl mat[K], s1, z; - polyveck t0, s2, w1; - poly c, tmp; - union { - polyvecl y; - polyveck w0; - } tmpv; - shake256incctx state; - - rho = seedbuf; - tr = rho + SEEDBYTES; - key = tr + CRHBYTES; - mu = key + SEEDBYTES; - rhoprime = mu + CRHBYTES; - PQCLEAN_DILITHIUM2AES_AVX2_unpack_sk(rho, tr, key, &t0, &s1, &s2, sk); - - /* Compute CRH(tr, msg) */ - shake256_inc_init(&state); - shake256_inc_absorb(&state, tr, CRHBYTES); - shake256_inc_absorb(&state, m, mlen); - shake256_inc_finalize(&state); - shake256_inc_squeeze(mu, CRHBYTES, &state); - shake256_inc_ctx_release(&state); - - crh(rhoprime, key, SEEDBYTES + CRHBYTES); - - /* Expand matrix and transform vectors */ - PQCLEAN_DILITHIUM2AES_AVX2_polyvec_matrix_expand(mat, rho); - PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_ntt(&s1); - PQCLEAN_DILITHIUM2AES_AVX2_polyveck_ntt(&s2); - PQCLEAN_DILITHIUM2AES_AVX2_polyveck_ntt(&t0); - - aes256ctr_ctx aesctx; - PQCLEAN_DILITHIUM2AES_AVX2_aes256ctr_init(&aesctx, rhoprime, 0); - -rej: - /* Sample intermediate vector y */ - for (i = 0; i < L; ++i) { - aesctx.n = _mm_loadl_epi64((__m128i *)&nonce); - nonce++; - PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_gamma1_preinit(&z.vec[i], &aesctx); - } - - /* Matrix-vector product */ - tmpv.y = z; - 
PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_ntt(&tmpv.y); - PQCLEAN_DILITHIUM2AES_AVX2_polyvec_matrix_pointwise_montgomery(&w1, mat, &tmpv.y); - PQCLEAN_DILITHIUM2AES_AVX2_polyveck_invntt_tomont(&w1); - - /* Decompose w and call the random oracle */ - PQCLEAN_DILITHIUM2AES_AVX2_polyveck_caddq(&w1); - PQCLEAN_DILITHIUM2AES_AVX2_polyveck_decompose(&w1, &tmpv.w0, &w1); - PQCLEAN_DILITHIUM2AES_AVX2_polyveck_pack_w1(sig, &w1); - - shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); - shake256_inc_absorb(&state, sig, K * POLYW1_PACKEDBYTES); - shake256_inc_finalize(&state); - shake256_inc_squeeze(sig, SEEDBYTES, &state); - shake256_inc_ctx_release(&state); - PQCLEAN_DILITHIUM2AES_AVX2_poly_challenge(&c, sig); - PQCLEAN_DILITHIUM2AES_AVX2_poly_ntt(&c); - - /* Compute z, reject if it reveals secret */ - for (i = 0; i < L; i++) { - PQCLEAN_DILITHIUM2AES_AVX2_poly_pointwise_montgomery(&tmp, &c, &s1.vec[i]); - PQCLEAN_DILITHIUM2AES_AVX2_poly_invntt_tomont(&tmp); - PQCLEAN_DILITHIUM2AES_AVX2_poly_add(&z.vec[i], &z.vec[i], &tmp); - PQCLEAN_DILITHIUM2AES_AVX2_poly_reduce(&z.vec[i]); - if (PQCLEAN_DILITHIUM2AES_AVX2_poly_chknorm(&z.vec[i], GAMMA1 - BETA)) { - goto rej; - } - } - - /* Zero hint vector in signature */ - pos = 0; - memset(hint, 0, OMEGA); - - for (i = 0; i < K; i++) { - /* Check that subtracting cs2 does not change high bits of w and low bits - * do not reveal secret information */ - PQCLEAN_DILITHIUM2AES_AVX2_poly_pointwise_montgomery(&tmp, &c, &s2.vec[i]); - PQCLEAN_DILITHIUM2AES_AVX2_poly_invntt_tomont(&tmp); - PQCLEAN_DILITHIUM2AES_AVX2_poly_sub(&tmpv.w0.vec[i], &tmpv.w0.vec[i], &tmp); - PQCLEAN_DILITHIUM2AES_AVX2_poly_reduce(&tmpv.w0.vec[i]); - if (PQCLEAN_DILITHIUM2AES_AVX2_poly_chknorm(&tmpv.w0.vec[i], GAMMA2 - BETA)) { - goto rej; - } - - /* Compute hints */ - PQCLEAN_DILITHIUM2AES_AVX2_poly_pointwise_montgomery(&tmp, &c, &t0.vec[i]); - PQCLEAN_DILITHIUM2AES_AVX2_poly_invntt_tomont(&tmp); - PQCLEAN_DILITHIUM2AES_AVX2_poly_reduce(&tmp); - if 
(PQCLEAN_DILITHIUM2AES_AVX2_poly_chknorm(&tmp, GAMMA2)) { - goto rej; - } - - PQCLEAN_DILITHIUM2AES_AVX2_poly_add(&tmpv.w0.vec[i], &tmpv.w0.vec[i], &tmp); - n = PQCLEAN_DILITHIUM2AES_AVX2_poly_make_hint(hintbuf, &tmpv.w0.vec[i], &w1.vec[i]); - if (pos + n > OMEGA) { - goto rej; - } - - /* Store hints in signature */ - memcpy(&hint[pos], hintbuf, n); - hint[OMEGA + i] = pos = pos + n; - } - - /* Pack z into signature */ - for (i = 0; i < L; i++) { - PQCLEAN_DILITHIUM2AES_AVX2_polyz_pack(sig + SEEDBYTES + i * POLYZ_PACKEDBYTES, &z.vec[i]); - } - - *siglen = PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_BYTES; - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign -* -* Description: Compute signed message. -* -* Arguments: - uint8_t *sm: pointer to output signed message (allocated -* array with PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_BYTES + mlen bytes), -* can be equal to m -* - size_t *smlen: pointer to output length of signed -* message -* - const uint8_t *m: pointer to message to be signed -* - size_t mlen: length of message -* - const uint8_t *sk: pointer to bit-packed secret key -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const uint8_t *sk) { - size_t i; - - for (i = 0; i < mlen; ++i) { - sm[PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_BYTES + mlen - 1 - i] = m[mlen - 1 - i]; - } - PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_signature(sm, smlen, sm + PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_BYTES, mlen, sk); - *smlen += mlen; - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_verify -* -* Description: Verifies signature. 
-* -* Arguments: - uint8_t *m: pointer to input signature -* - size_t siglen: length of signature -* - const uint8_t *m: pointer to message -* - size_t mlen: length of message -* - const uint8_t *pk: pointer to bit-packed public key -* -* Returns 0 if signature could be verified correctly and -1 otherwise -**************************************************/ -int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk) { - unsigned int i, j, pos = 0; - /* PQCLEAN_DILITHIUM2AES_AVX2_polyw1_pack writes additional 14 bytes */ - ALIGNED_UINT8(K * POLYW1_PACKEDBYTES + 14) buf; - uint8_t mu[CRHBYTES]; - const uint8_t *hint = sig + SEEDBYTES + L * POLYZ_PACKEDBYTES; - uint64_t nonce; - aes256ctr_ctx aesctx; - polyvecl rowbuf[1]; - polyvecl *row = rowbuf; - polyvecl z; - poly c, w1, h; - shake256incctx state; - - if (siglen != PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_BYTES) { - return -1; - } - - /* Compute CRH(CRH(rho, t1), msg) */ - crh(mu, pk, PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_PUBLICKEYBYTES); - shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); - shake256_inc_absorb(&state, m, mlen); - shake256_inc_finalize(&state); - shake256_inc_squeeze(mu, CRHBYTES, &state); - shake256_inc_ctx_release(&state); - - /* Expand PQCLEAN_DILITHIUM2AES_AVX2_challenge */ - PQCLEAN_DILITHIUM2AES_AVX2_poly_challenge(&c, sig); - PQCLEAN_DILITHIUM2AES_AVX2_poly_ntt(&c); - - /* Unpack z; shortness follows from unpacking */ - for (i = 0; i < L; i++) { - PQCLEAN_DILITHIUM2AES_AVX2_polyz_unpack(&z.vec[i], sig + SEEDBYTES + i * POLYZ_PACKEDBYTES); - PQCLEAN_DILITHIUM2AES_AVX2_poly_ntt(&z.vec[i]); - } - - PQCLEAN_DILITHIUM2AES_AVX2_aes256ctr_init(&aesctx, pk, 0); - - for (i = 0; i < K; i++) { - /* Expand matrix row */ - for (j = 0; j < L; j++) { - nonce = (i << 8) + j; - aesctx.n = _mm_loadl_epi64((__m128i *)&nonce); - PQCLEAN_DILITHIUM2AES_AVX2_poly_uniform_preinit(&row->vec[j], &aesctx); - 
PQCLEAN_DILITHIUM2AES_AVX2_poly_nttunpack(&row->vec[j]); - } - - /* Compute i-th row of Az - c2^Dt1 */ - PQCLEAN_DILITHIUM2AES_AVX2_polyvecl_pointwise_acc_montgomery(&w1, row, &z); - - PQCLEAN_DILITHIUM2AES_AVX2_polyt1_unpack(&h, pk + SEEDBYTES + i * POLYT1_PACKEDBYTES); - PQCLEAN_DILITHIUM2AES_AVX2_poly_shiftl(&h); - PQCLEAN_DILITHIUM2AES_AVX2_poly_ntt(&h); - PQCLEAN_DILITHIUM2AES_AVX2_poly_pointwise_montgomery(&h, &c, &h); - - PQCLEAN_DILITHIUM2AES_AVX2_poly_sub(&w1, &w1, &h); - PQCLEAN_DILITHIUM2AES_AVX2_poly_reduce(&w1); - PQCLEAN_DILITHIUM2AES_AVX2_poly_invntt_tomont(&w1); - - /* Get hint polynomial and reconstruct w1 */ - memset(h.vec, 0, sizeof(poly)); - if (hint[OMEGA + i] < pos || hint[OMEGA + i] > OMEGA) { - return -1; - } - - for (j = pos; j < hint[OMEGA + i]; ++j) { - /* Coefficients are ordered for strong unforgeability */ - if (j > pos && hint[j] <= hint[j - 1]) { - return -1; - } - h.coeffs[hint[j]] = 1; - } - pos = hint[OMEGA + i]; - - PQCLEAN_DILITHIUM2AES_AVX2_poly_caddq(&w1); - PQCLEAN_DILITHIUM2AES_AVX2_poly_use_hint(&w1, &w1, &h); - PQCLEAN_DILITHIUM2AES_AVX2_polyw1_pack(buf.coeffs + i * POLYW1_PACKEDBYTES, &w1); - } - - /* Extra indices are zero for strong unforgeability */ - for (j = pos; j < OMEGA; ++j) { - if (hint[j]) { - return -1; - } - } - - /* Call random oracle and verify PQCLEAN_DILITHIUM2AES_AVX2_challenge */ - shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); - shake256_inc_absorb(&state, buf.coeffs, K * POLYW1_PACKEDBYTES); - shake256_inc_finalize(&state); - shake256_inc_squeeze(buf.coeffs, SEEDBYTES, &state); - shake256_inc_ctx_release(&state); - for (i = 0; i < SEEDBYTES; ++i) { - if (buf.coeffs[i] != sig[i]) { - return -1; - } - } - - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_open -* -* Description: Verify signed message. 
-* -* Arguments: - uint8_t *m: pointer to output message (allocated -* array with smlen bytes), can be equal to sm -* - size_t *mlen: pointer to output length of message -* - const uint8_t *sm: pointer to signed message -* - size_t smlen: length of signed message -* - const uint8_t *pk: pointer to bit-packed public key -* -* Returns 0 if signed message could be verified correctly and -1 otherwise -**************************************************/ -int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_open(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, const uint8_t *pk) { - size_t i; - - if (smlen < PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_BYTES) { - goto badsig; - } - - *mlen = smlen - PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_BYTES; - if (PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_verify(sm, PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_BYTES, sm + PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_BYTES, *mlen, pk)) { - goto badsig; - } else { - /* All good, copy msg, return 0 */ - for (i = 0; i < *mlen; ++i) { - m[i] = sm[PQCLEAN_DILITHIUM2AES_AVX2_CRYPTO_BYTES + i]; - } - return 0; - } - -badsig: - /* Signature verification failed */ - *mlen = -1; - for (i = 0; i < smlen; ++i) { - m[i] = 0; - } - - return -1; -} diff --git a/crypto_sign/dilithium2aes/avx2/sign.h b/crypto_sign/dilithium2aes/avx2/sign.h deleted file mode 100644 index 3c372ea2..00000000 --- a/crypto_sign/dilithium2aes/avx2/sign.h +++ /dev/null 
@@ -1,29 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM2AES_AVX2_SIGN_H
-#define PQCLEAN_DILITHIUM2AES_AVX2_SIGN_H
-#include "params.h"
-#include "poly.h"
-#include "polyvec.h"
-#include
-#include
-
-void PQCLEAN_DILITHIUM2AES_AVX2_challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-
-int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int PQCLEAN_DILITHIUM2AES_AVX2_crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#endif
diff --git a/crypto_sign/dilithium2aes/avx2/symmetric.h b/crypto_sign/dilithium2aes/avx2/symmetric.h
deleted file mode 100644
index 681d9ad9..00000000
--- a/crypto_sign/dilithium2aes/avx2/symmetric.h
+++ /dev/null
@@ -1,25 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM2AES_AVX2_SYMMETRIC_H
-#define PQCLEAN_DILITHIUM2AES_AVX2_SYMMETRIC_H
-#include "aes256ctr.h"
-#include "fips202.h"
-#include "params.h"
-#include
-
-
-
-typedef aes256ctr_ctx stream128_state;
-typedef aes256ctr_ctx stream256_state;
-
-#define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES
-#define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES)
-#define stream128_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM2AES_AVX2_aes256ctr_init(STATE, SEED, NONCE)
-#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_DILITHIUM2AES_AVX2_aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream128_release(STATE)
-#define stream256_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM2AES_AVX2_aes256ctr_init(STATE, SEED, NONCE)
-#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_DILITHIUM2AES_AVX2_aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream256_release(STATE)
-
-
-#endif
diff --git a/crypto_sign/dilithium2aes/clean/LICENSE b/crypto_sign/dilithium2aes/clean/LICENSE
deleted file mode 100644
index 08473af7..00000000
--- a/crypto_sign/dilithium2aes/clean/LICENSE
+++ /dev/null
@@ -1,5 +0,0 @@
-Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/)
-
-For Keccak and AES we are using public-domain
-code from sources and by authors listed in
-comments on top of the respective files.
diff --git a/crypto_sign/dilithium2aes/clean/Makefile.Microsoft_nmake b/crypto_sign/dilithium2aes/clean/Makefile.Microsoft_nmake
deleted file mode 100644
index b3f34a7e..00000000
--- a/crypto_sign/dilithium2aes/clean/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,23 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libdilithium2aes_clean.lib
-OBJECTS=aes256ctr.obj ntt.obj packing.obj poly.obj polyvec.obj reduce.obj rounding.obj sign.obj symmetric-aes.obj
-
-# Warning C4146 is raised when a unary minus operator is applied to an
-# unsigned type; this has nonetheless been standard and portable for as
-# long as there has been a C standard, and we need it for constant-time
-# computations. Thus, we disable that spurious warning.
-CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX /wd4146
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_sign/dilithium2aes/clean/aes256ctr.c b/crypto_sign/dilithium2aes/clean/aes256ctr.c
deleted file mode 100644
index 8ccd25a1..00000000
--- a/crypto_sign/dilithium2aes/clean/aes256ctr.c
+++ /dev/null
@@ -1,564 +0,0 @@ -#include "aes256ctr.h" -#include -#include -/* - * Copyright (c) 2016 Thomas Pornin - * - * Permission is hereby granted, free of charge, to any person obtaining - * a copy of this software and associated documentation files (the - * "Software"), to deal in the Software without restriction, including - * without limitation the rights to use, copy, modify, merge, publish, - * distribute, sublicense, and/or sell copies of the Software, and to - * permit persons to whom the Software is furnished to do so, subject to - * the following conditions: - * - * The above copyright notice and this permission notice shall be - * included in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, - * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF - * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND - * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS - * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN - * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. 
- */ - - -static inline uint32_t br_dec32le(const uint8_t *src) { - return (uint32_t)src[0] - | ((uint32_t)src[1] << 8) - | ((uint32_t)src[2] << 16) - | ((uint32_t)src[3] << 24); -} - -static void br_range_dec32le(uint32_t *v, size_t num, const uint8_t *src) { - while (num-- > 0) { - *v ++ = br_dec32le(src); - src += 4; - } -} - -static inline uint32_t br_swap32(uint32_t x) { - x = ((x & (uint32_t)0x00FF00FF) << 8) - | ((x >> 8) & (uint32_t)0x00FF00FF); - return (x << 16) | (x >> 16); -} - -static inline void br_enc32le(uint8_t *dst, uint32_t x) { - dst[0] = (uint8_t)x; - dst[1] = (uint8_t)(x >> 8); - dst[2] = (uint8_t)(x >> 16); - dst[3] = (uint8_t)(x >> 24); -} - -static void br_range_enc32le(uint8_t *dst, const uint32_t *v, size_t num) { - while (num-- > 0) { - br_enc32le(dst, *v ++); - dst += 4; - } -} - -static void br_aes_ct64_bitslice_Sbox(uint64_t *q) { - /* - * This S-box implementation is a straightforward translation of - * the circuit described by Boyar and Peralta in "A new - * combinational logic minimization technique with applications - * to cryptology" (https://eprint.iacr.org/2009/191.pdf). - * - * Note that variables x* (input) and s* (output) are numbered - * in "reverse" order (x0 is the high bit, x7 is the low bit). 
- */ - - uint64_t x0, x1, x2, x3, x4, x5, x6, x7; - uint64_t y1, y2, y3, y4, y5, y6, y7, y8, y9; - uint64_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19; - uint64_t y20, y21; - uint64_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9; - uint64_t z10, z11, z12, z13, z14, z15, z16, z17; - uint64_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9; - uint64_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19; - uint64_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29; - uint64_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39; - uint64_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49; - uint64_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59; - uint64_t t60, t61, t62, t63, t64, t65, t66, t67; - uint64_t s0, s1, s2, s3, s4, s5, s6, s7; - - x0 = q[7]; - x1 = q[6]; - x2 = q[5]; - x3 = q[4]; - x4 = q[3]; - x5 = q[2]; - x6 = q[1]; - x7 = q[0]; - - /* - * Top linear transformation. - */ - y14 = x3 ^ x5; - y13 = x0 ^ x6; - y9 = x0 ^ x3; - y8 = x0 ^ x5; - t0 = x1 ^ x2; - y1 = t0 ^ x7; - y4 = y1 ^ x3; - y12 = y13 ^ y14; - y2 = y1 ^ x0; - y5 = y1 ^ x6; - y3 = y5 ^ y8; - t1 = x4 ^ y12; - y15 = t1 ^ x5; - y20 = t1 ^ x1; - y6 = y15 ^ x7; - y10 = y15 ^ t0; - y11 = y20 ^ y9; - y7 = x7 ^ y11; - y17 = y10 ^ y11; - y19 = y10 ^ y8; - y16 = t0 ^ y11; - y21 = y13 ^ y16; - y18 = x0 ^ y16; - - /* - * Non-linear section. 
- */ - t2 = y12 & y15; - t3 = y3 & y6; - t4 = t3 ^ t2; - t5 = y4 & x7; - t6 = t5 ^ t2; - t7 = y13 & y16; - t8 = y5 & y1; - t9 = t8 ^ t7; - t10 = y2 & y7; - t11 = t10 ^ t7; - t12 = y9 & y11; - t13 = y14 & y17; - t14 = t13 ^ t12; - t15 = y8 & y10; - t16 = t15 ^ t12; - t17 = t4 ^ t14; - t18 = t6 ^ t16; - t19 = t9 ^ t14; - t20 = t11 ^ t16; - t21 = t17 ^ y20; - t22 = t18 ^ y19; - t23 = t19 ^ y21; - t24 = t20 ^ y18; - - t25 = t21 ^ t22; - t26 = t21 & t23; - t27 = t24 ^ t26; - t28 = t25 & t27; - t29 = t28 ^ t22; - t30 = t23 ^ t24; - t31 = t22 ^ t26; - t32 = t31 & t30; - t33 = t32 ^ t24; - t34 = t23 ^ t33; - t35 = t27 ^ t33; - t36 = t24 & t35; - t37 = t36 ^ t34; - t38 = t27 ^ t36; - t39 = t29 & t38; - t40 = t25 ^ t39; - - t41 = t40 ^ t37; - t42 = t29 ^ t33; - t43 = t29 ^ t40; - t44 = t33 ^ t37; - t45 = t42 ^ t41; - z0 = t44 & y15; - z1 = t37 & y6; - z2 = t33 & x7; - z3 = t43 & y16; - z4 = t40 & y1; - z5 = t29 & y7; - z6 = t42 & y11; - z7 = t45 & y17; - z8 = t41 & y10; - z9 = t44 & y12; - z10 = t37 & y3; - z11 = t33 & y4; - z12 = t43 & y13; - z13 = t40 & y5; - z14 = t29 & y2; - z15 = t42 & y9; - z16 = t45 & y14; - z17 = t41 & y8; - - /* - * Bottom linear transformation. 
- */ - t46 = z15 ^ z16; - t47 = z10 ^ z11; - t48 = z5 ^ z13; - t49 = z9 ^ z10; - t50 = z2 ^ z12; - t51 = z2 ^ z5; - t52 = z7 ^ z8; - t53 = z0 ^ z3; - t54 = z6 ^ z7; - t55 = z16 ^ z17; - t56 = z12 ^ t48; - t57 = t50 ^ t53; - t58 = z4 ^ t46; - t59 = z3 ^ t54; - t60 = t46 ^ t57; - t61 = z14 ^ t57; - t62 = t52 ^ t58; - t63 = t49 ^ t58; - t64 = z4 ^ t59; - t65 = t61 ^ t62; - t66 = z1 ^ t63; - s0 = t59 ^ t63; - s6 = t56 ^ ~t62; - s7 = t48 ^ ~t60; - t67 = t64 ^ t65; - s3 = t53 ^ t66; - s4 = t51 ^ t66; - s5 = t47 ^ t65; - s1 = t64 ^ ~s3; - s2 = t55 ^ ~t67; - - q[7] = s0; - q[6] = s1; - q[5] = s2; - q[4] = s3; - q[3] = s4; - q[2] = s5; - q[1] = s6; - q[0] = s7; -} - -static void br_aes_ct64_ortho(uint64_t *q) { -#define SWAPN(cl, ch, s, x, y) do { \ - uint64_t a, b; \ - a = (x); \ - b = (y); \ - (x) = (a & (uint64_t)(cl)) | ((b & (uint64_t)(cl)) << (s)); \ - (y) = ((a & (uint64_t)(ch)) >> (s)) | (b & (uint64_t)(ch)); \ - } while (0) - -#define SWAP2(x, y) SWAPN(0x5555555555555555, 0xAAAAAAAAAAAAAAAA, 1, x, y) -#define SWAP4(x, y) SWAPN(0x3333333333333333, 0xCCCCCCCCCCCCCCCC, 2, x, y) -#define SWAP8(x, y) SWAPN(0x0F0F0F0F0F0F0F0F, 0xF0F0F0F0F0F0F0F0, 4, x, y) - - SWAP2(q[0], q[1]); - SWAP2(q[2], q[3]); - SWAP2(q[4], q[5]); - SWAP2(q[6], q[7]); - - SWAP4(q[0], q[2]); - SWAP4(q[1], q[3]); - SWAP4(q[4], q[6]); - SWAP4(q[5], q[7]); - - SWAP8(q[0], q[4]); - SWAP8(q[1], q[5]); - SWAP8(q[2], q[6]); - SWAP8(q[3], q[7]); -} - -static void br_aes_ct64_interleave_in(uint64_t *q0, uint64_t *q1, const uint32_t *w) { - uint64_t x0, x1, x2, x3; - - x0 = w[0]; - x1 = w[1]; - x2 = w[2]; - x3 = w[3]; - x0 |= (x0 << 16); - x1 |= (x1 << 16); - x2 |= (x2 << 16); - x3 |= (x3 << 16); - x0 &= (uint64_t)0x0000FFFF0000FFFF; - x1 &= (uint64_t)0x0000FFFF0000FFFF; - x2 &= (uint64_t)0x0000FFFF0000FFFF; - x3 &= (uint64_t)0x0000FFFF0000FFFF; - x0 |= (x0 << 8); - x1 |= (x1 << 8); - x2 |= (x2 << 8); - x3 |= (x3 << 8); - x0 &= (uint64_t)0x00FF00FF00FF00FF; - x1 &= (uint64_t)0x00FF00FF00FF00FF; - x2 &= 
(uint64_t)0x00FF00FF00FF00FF; - x3 &= (uint64_t)0x00FF00FF00FF00FF; - *q0 = x0 | (x2 << 8); - *q1 = x1 | (x3 << 8); -} - -static void br_aes_ct64_interleave_out(uint32_t *w, uint64_t q0, uint64_t q1) { - uint64_t x0, x1, x2, x3; - - x0 = q0 & (uint64_t)0x00FF00FF00FF00FF; - x1 = q1 & (uint64_t)0x00FF00FF00FF00FF; - x2 = (q0 >> 8) & (uint64_t)0x00FF00FF00FF00FF; - x3 = (q1 >> 8) & (uint64_t)0x00FF00FF00FF00FF; - x0 |= (x0 >> 8); - x1 |= (x1 >> 8); - x2 |= (x2 >> 8); - x3 |= (x3 >> 8); - x0 &= (uint64_t)0x0000FFFF0000FFFF; - x1 &= (uint64_t)0x0000FFFF0000FFFF; - x2 &= (uint64_t)0x0000FFFF0000FFFF; - x3 &= (uint64_t)0x0000FFFF0000FFFF; - w[0] = (uint32_t)x0 | (uint32_t)(x0 >> 16); - w[1] = (uint32_t)x1 | (uint32_t)(x1 >> 16); - w[2] = (uint32_t)x2 | (uint32_t)(x2 >> 16); - w[3] = (uint32_t)x3 | (uint32_t)(x3 >> 16); -} - -static const uint8_t Rcon[] = { - 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36 -}; - -static uint32_t sub_word(uint32_t x) { - uint64_t q[8]; - - memset(q, 0, sizeof q); - q[0] = x; - br_aes_ct64_ortho(q); - br_aes_ct64_bitslice_Sbox(q); - br_aes_ct64_ortho(q); - return (uint32_t)q[0]; -} - -static void br_aes_ct64_keysched(uint64_t *comp_skey, const uint8_t *key) { - int i, j, k, nk, nkf; - uint32_t tmp; - uint32_t skey[60]; - - int key_len = 32; - - nk = (int)(key_len >> 2); - nkf = (int)((14 + 1) << 2); - br_range_dec32le(skey, (key_len >> 2), key); - tmp = skey[(key_len >> 2) - 1]; - for (i = nk, j = 0, k = 0; i < nkf; i ++) { - if (j == 0) { - tmp = (tmp << 24) | (tmp >> 8); - tmp = sub_word(tmp) ^ Rcon[k]; - } else if (nk > 6 && j == 4) { - tmp = sub_word(tmp); - } - tmp ^= skey[i - nk]; - skey[i] = tmp; - if (++ j == nk) { - j = 0; - k ++; - } - } - - for (i = 0, j = 0; i < nkf; i += 4, j += 2) { - uint64_t q[8]; - - br_aes_ct64_interleave_in(&q[0], &q[4], skey + i); - q[1] = q[0]; - q[2] = q[0]; - q[3] = q[0]; - q[5] = q[4]; - q[6] = q[4]; - q[7] = q[4]; - br_aes_ct64_ortho(q); - comp_skey[j + 0] = - (q[0] & 
(uint64_t)0x1111111111111111) - | (q[1] & (uint64_t)0x2222222222222222) - | (q[2] & (uint64_t)0x4444444444444444) - | (q[3] & (uint64_t)0x8888888888888888); - comp_skey[j + 1] = - (q[4] & (uint64_t)0x1111111111111111) - | (q[5] & (uint64_t)0x2222222222222222) - | (q[6] & (uint64_t)0x4444444444444444) - | (q[7] & (uint64_t)0x8888888888888888); - } -} - -static void br_aes_ct64_skey_expand(uint64_t *skey, const uint64_t *comp_skey) { - unsigned u, v, n; - - n = (14 + 1) << 1; - for (u = 0, v = 0; u < n; u ++, v += 4) { - uint64_t x0, x1, x2, x3; - - x0 = x1 = x2 = x3 = comp_skey[u]; - x0 &= (uint64_t)0x1111111111111111; - x1 &= (uint64_t)0x2222222222222222; - x2 &= (uint64_t)0x4444444444444444; - x3 &= (uint64_t)0x8888888888888888; - x1 >>= 1; - x2 >>= 2; - x3 >>= 3; - skey[v + 0] = (x0 << 4) - x0; - skey[v + 1] = (x1 << 4) - x1; - skey[v + 2] = (x2 << 4) - x2; - skey[v + 3] = (x3 << 4) - x3; - } -} - -static inline void add_round_key(uint64_t *q, const uint64_t *sk) { - q[0] ^= sk[0]; - q[1] ^= sk[1]; - q[2] ^= sk[2]; - q[3] ^= sk[3]; - q[4] ^= sk[4]; - q[5] ^= sk[5]; - q[6] ^= sk[6]; - q[7] ^= sk[7]; -} - -static inline void shift_rows(uint64_t *q) { - int i; - - for (i = 0; i < 8; i ++) { - uint64_t x; - - x = q[i]; - q[i] = (x & (uint64_t)0x000000000000FFFF) - | ((x & (uint64_t)0x00000000FFF00000) >> 4) - | ((x & (uint64_t)0x00000000000F0000) << 12) - | ((x & (uint64_t)0x0000FF0000000000) >> 8) - | ((x & (uint64_t)0x000000FF00000000) << 8) - | ((x & (uint64_t)0xF000000000000000) >> 12) - | ((x & (uint64_t)0x0FFF000000000000) << 4); - } -} - -static inline uint64_t rotr32(uint64_t x) { - return (x << 32) | (x >> 32); -} - -static inline void mix_columns(uint64_t *q) { - uint64_t q0, q1, q2, q3, q4, q5, q6, q7; - uint64_t r0, r1, r2, r3, r4, r5, r6, r7; - - q0 = q[0]; - q1 = q[1]; - q2 = q[2]; - q3 = q[3]; - q4 = q[4]; - q5 = q[5]; - q6 = q[6]; - q7 = q[7]; - r0 = (q0 >> 16) | (q0 << 48); - r1 = (q1 >> 16) | (q1 << 48); - r2 = (q2 >> 16) | (q2 << 48); - r3 = (q3 >> 
16) | (q3 << 48); - r4 = (q4 >> 16) | (q4 << 48); - r5 = (q5 >> 16) | (q5 << 48); - r6 = (q6 >> 16) | (q6 << 48); - r7 = (q7 >> 16) | (q7 << 48); - - q[0] = q7 ^ r7 ^ r0 ^ rotr32(q0 ^ r0); - q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr32(q1 ^ r1); - q[2] = q1 ^ r1 ^ r2 ^ rotr32(q2 ^ r2); - q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr32(q3 ^ r3); - q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr32(q4 ^ r4); - q[5] = q4 ^ r4 ^ r5 ^ rotr32(q5 ^ r5); - q[6] = q5 ^ r5 ^ r6 ^ rotr32(q6 ^ r6); - q[7] = q6 ^ r6 ^ r7 ^ rotr32(q7 ^ r7); -} - -static void inc4_be(uint32_t *x) { - *x = br_swap32(*x) + 4; - *x = br_swap32(*x); -} - -static void aes_ctr4x(uint8_t out[64], uint32_t ivw[16], uint64_t sk_exp[64]) { - uint32_t w[16]; - uint64_t q[8]; - int i; - - memcpy(w, ivw, sizeof(w)); - for (i = 0; i < 4; i++) { - br_aes_ct64_interleave_in(&q[i], &q[i + 4], w + (i << 2)); - } - br_aes_ct64_ortho(q); - - add_round_key(q, sk_exp); - for (i = 1; i < 14; i++) { - br_aes_ct64_bitslice_Sbox(q); - shift_rows(q); - mix_columns(q); - add_round_key(q, sk_exp + (i << 3)); - } - br_aes_ct64_bitslice_Sbox(q); - shift_rows(q); - add_round_key(q, sk_exp + 112); - - br_aes_ct64_ortho(q); - for (i = 0; i < 4; i ++) { - br_aes_ct64_interleave_out(w + (i << 2), q[i], q[i + 4]); - } - br_range_enc32le(out, w, 16); - - /* Increase counter for next 4 blocks */ - inc4_be(ivw + 3); - inc4_be(ivw + 7); - inc4_be(ivw + 11); - inc4_be(ivw + 15); -} - -static void br_aes_ct64_ctr_init(uint64_t sk_exp[120], const uint8_t *key) { - uint64_t skey[30]; - - br_aes_ct64_keysched(skey, key); - br_aes_ct64_skey_expand(sk_exp, skey); -} - -static void br_aes_ct64_ctr_run(uint64_t sk_exp[120], const uint8_t *iv, uint32_t cc, uint8_t *data, size_t len) { - uint32_t ivw[16]; - size_t i; - - br_range_dec32le(ivw, 3, iv); - memcpy(ivw + 4, ivw, 3 * sizeof(uint32_t)); - memcpy(ivw + 8, ivw, 3 * sizeof(uint32_t)); - memcpy(ivw + 12, ivw, 3 * sizeof(uint32_t)); - ivw[ 3] = br_swap32(cc); - ivw[ 7] = br_swap32(cc + 1); - ivw[11] = br_swap32(cc + 2); 
- ivw[15] = br_swap32(cc + 3); - - while (len > 64) { - aes_ctr4x(data, ivw, sk_exp); - data += 64; - len -= 64; - } - if (len > 0) { - uint8_t tmp[64]; - aes_ctr4x(tmp, ivw, sk_exp); - for (i = 0; i < len; i++) { - data[i] = tmp[i]; - } - } -} - -void PQCLEAN_DILITHIUM2AES_CLEAN_aes256ctr_prf(uint8_t *out, size_t outlen, const uint8_t *key, const uint8_t *nonce) { - uint64_t sk_exp[120]; - - br_aes_ct64_ctr_init(sk_exp, key); - br_aes_ct64_ctr_run(sk_exp, nonce, 0, out, outlen); -} - -void PQCLEAN_DILITHIUM2AES_CLEAN_aes256ctr_init(aes256ctr_ctx *s, const uint8_t *key, const uint8_t *nonce) { - br_aes_ct64_ctr_init(s->sk_exp, key); - - br_range_dec32le(s->ivw, 3, nonce); - memcpy(s->ivw + 4, s->ivw, 3 * sizeof(uint32_t)); - memcpy(s->ivw + 8, s->ivw, 3 * sizeof(uint32_t)); - memcpy(s->ivw + 12, s->ivw, 3 * sizeof(uint32_t)); - s->ivw[ 3] = br_swap32(0); - s->ivw[ 7] = br_swap32(1); - s->ivw[11] = br_swap32(2); - s->ivw[15] = br_swap32(3); -} - -void PQCLEAN_DILITHIUM2AES_CLEAN_aes256ctr_squeezeblocks(uint8_t *out, size_t nblocks, aes256ctr_ctx *s) { - while (nblocks > 0) { - aes_ctr4x(out, s->ivw, s->sk_exp); - out += 64; - nblocks--; - } -} diff --git a/crypto_sign/dilithium2aes/clean/aes256ctr.h b/crypto_sign/dilithium2aes/clean/aes256ctr.h deleted file mode 100644 index 094a18e1..00000000 --- a/crypto_sign/dilithium2aes/clean/aes256ctr.h +++ /dev/null 
@@ -1,28 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM2AES_CLEAN_AES256CTR_H -#define PQCLEAN_DILITHIUM2AES_CLEAN_AES256CTR_H - -#include -#include - -#define AES256CTR_BLOCKBYTES 64 - - -typedef struct { - uint64_t sk_exp[120]; - uint32_t ivw[16]; -} aes256ctr_ctx; - -void PQCLEAN_DILITHIUM2AES_CLEAN_aes256ctr_prf(uint8_t *out, - size_t outlen, - const uint8_t key[32], - const uint8_t nonce[12]); - -void PQCLEAN_DILITHIUM2AES_CLEAN_aes256ctr_init(aes256ctr_ctx *state, - const uint8_t key[32], - const uint8_t nonce[12]); - -void PQCLEAN_DILITHIUM2AES_CLEAN_aes256ctr_squeezeblocks(uint8_t *out, - size_t nblocks, - aes256ctr_ctx *state); - -#endif diff --git a/crypto_sign/dilithium2aes/clean/api.h b/crypto_sign/dilithium2aes/clean/api.h deleted file mode 100644 index 6f19a259..00000000 --- a/crypto_sign/dilithium2aes/clean/api.h +++ /dev/null @@ -1,31 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM2AES_CLEAN_API_H -#define PQCLEAN_DILITHIUM2AES_CLEAN_API_H - -#include -#include - -#define PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_PUBLICKEYBYTES 1312 -#define PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_SECRETKEYBYTES 2544 -#define PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_BYTES 2420 -#define PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_ALGNAME "Dilithium2-AES" - - -int PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk); - -int PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -int PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk); - -int PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -int PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk); - -#endif 
diff --git a/crypto_sign/dilithium2aes/clean/ntt.c b/crypto_sign/dilithium2aes/clean/ntt.c deleted file mode 100644 index 9dfe2088..00000000 --- a/crypto_sign/dilithium2aes/clean/ntt.c +++ /dev/null 
@@ -1,98 +0,0 @@ -#include "ntt.h" -#include "params.h" -#include "reduce.h" -#include - -static const int32_t zetas[N] = { - 0, 25847, -2608894, -518909, 237124, -777960, -876248, 466468, - 1826347, 2353451, -359251, -2091905, 3119733, -2884855, 3111497, 2680103, - 2725464, 1024112, -1079900, 3585928, -549488, -1119584, 2619752, -2108549, - -2118186, -3859737, -1399561, -3277672, 1757237, -19422, 4010497, 280005, - 2706023, 95776, 3077325, 3530437, -1661693, -3592148, -2537516, 3915439, - -3861115, -3043716, 3574422, -2867647, 3539968, -300467, 2348700, -539299, - -1699267, -1643818, 3505694, -3821735, 3507263, -2140649, -1600420, 3699596, - 811944, 531354, 954230, 3881043, 3900724, -2556880, 2071892, -2797779, - -3930395, -1528703, -3677745, -3041255, -1452451, 3475950, 2176455, -1585221, - -1257611, 1939314, -4083598, -1000202, -3190144, -3157330, -3632928, 126922, - 3412210, -983419, 2147896, 2715295, -2967645, -3693493, -411027, -2477047, - -671102, -1228525, -22981, -1308169, -381987, 1349076, 1852771, -1430430, - -3343383, 264944, 508951, 3097992, 44288, -1100098, 904516, 3958618, - -3724342, -8578, 1653064, -3249728, 2389356, -210977, 759969, -1316856, - 189548, -3553272, 3159746, -1851402, -2409325, -177440, 1315589, 1341330, - 1285669, -1584928, -812732, -1439742, -3019102, -3881060, -3628969, 3839961, - 2091667, 3407706, 2316500, 3817976, -3342478, 2244091, -2446433, -3562462, - 266997, 2434439, -1235728, 3513181, -3520352, -3759364, -1197226, -3193378, - 900702, 1859098, 909542, 819034, 495491, -1613174, -43260, -522500, - -655327, -3122442, 2031748, 3207046, -3556995, -525098, -768622, -3595838, - 342297, 286988, -2437823, 4108315, 3437287, -3342277, 1735879, 203044, - 2842341, 2691481, -2590150, 1265009, 4055324, 1247620, 2486353, 1595974, - -3767016, 1250494, 2635921, -3548272, -2994039, 1869119, 1903435, -1050970, - -1333058, 1237275, -3318210, -1430225, -451100, 1312455, 3306115, -1962642, - -1279661, 1917081, -2546312, -1374803, 1500165, 777191, 
2235880, 3406031, - -542412, -2831860, -1671176, -1846953, -2584293, -3724270, 594136, -3776993, - -2013608, 2432395, 2454455, -164721, 1957272, 3369112, 185531, -1207385, - -3183426, 162844, 1616392, 3014001, 810149, 1652634, -3694233, -1799107, - -3038916, 3523897, 3866901, 269760, 2213111, -975884, 1717735, 472078, - -426683, 1723600, -1803090, 1910376, -1667432, -1104333, -260646, -3833893, - -2939036, -2235985, -420899, -2286327, 183443, -976891, 1612842, -3545687, - -554416, 3919660, -48306, -1362209, 3937738, 1400424, -846154, 1976782 -}; - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_ntt -* -* Description: Forward NTT, in-place. No modular reduction is performed after -* additions or subtractions. Output vector is in bitreversed order. -* -* Arguments: - uint32_t p[N]: input/output coefficient array -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_ntt(int32_t a[N]) { - unsigned int len, start, j, k; - int32_t zeta, t; - - k = 0; - for (len = 128; len > 0; len >>= 1) { - for (start = 0; start < N; start = j + len) { - zeta = zetas[++k]; - for (j = start; j < start + len; ++j) { - t = PQCLEAN_DILITHIUM2AES_CLEAN_montgomery_reduce((int64_t)zeta * a[j + len]); - a[j + len] = a[j] - t; - a[j] = a[j] + t; - } - } - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_invntt_tomont -* -* Description: Inverse NTT and multiplication by Montgomery factor 2^32. -* In-place. No modular reductions after additions or -* subtractions; input coefficients need to be smaller than -* Q in absolute value. Output coefficient are smaller than Q in -* absolute value. 
-* -* Arguments: - uint32_t p[N]: input/output coefficient array -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_invntt_tomont(int32_t a[N]) { - unsigned int start, len, j, k; - int32_t t, zeta; - const int32_t f = 41978; // mont^2/256 - - k = 256; - for (len = 1; len < N; len <<= 1) { - for (start = 0; start < N; start = j + len) { - zeta = -zetas[--k]; - for (j = start; j < start + len; ++j) { - t = a[j]; - a[j] = t + a[j + len]; - a[j + len] = t - a[j + len]; - a[j + len] = PQCLEAN_DILITHIUM2AES_CLEAN_montgomery_reduce((int64_t)zeta * a[j + len]); - } - } - } - - for (j = 0; j < N; ++j) { - a[j] = PQCLEAN_DILITHIUM2AES_CLEAN_montgomery_reduce((int64_t)f * a[j]); - } -} diff --git a/crypto_sign/dilithium2aes/clean/ntt.h b/crypto_sign/dilithium2aes/clean/ntt.h deleted file mode 100644 index 3de56c05..00000000 --- a/crypto_sign/dilithium2aes/clean/ntt.h +++ /dev/null @@ -1,10 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM2AES_CLEAN_NTT_H -#define PQCLEAN_DILITHIUM2AES_CLEAN_NTT_H -#include "params.h" -#include - -void PQCLEAN_DILITHIUM2AES_CLEAN_ntt(int32_t a[N]); - -void PQCLEAN_DILITHIUM2AES_CLEAN_invntt_tomont(int32_t a[N]); - -#endif diff --git a/crypto_sign/dilithium2aes/clean/packing.c b/crypto_sign/dilithium2aes/clean/packing.c deleted file mode 100644 index bbaaf21f..00000000 --- a/crypto_sign/dilithium2aes/clean/packing.c +++ /dev/null 
@@ -1,261 +0,0 @@ -#include "packing.h" -#include "params.h" -#include "poly.h" -#include "polyvec.h" - - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_pack_pk -* -* Description: Bit-pack public key pk = (rho, t1). -* -* Arguments: - uint8_t pk[]: output byte array -* - const uint8_t rho[]: byte array containing rho -* - const polyveck *t1: pointer to vector t1 -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_PUBLICKEYBYTES], - const uint8_t rho[SEEDBYTES], - const polyveck *t1) { - unsigned int i; - - for (i = 0; i < SEEDBYTES; ++i) { - pk[i] = rho[i]; - } - pk += SEEDBYTES; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_polyt1_pack(pk + i * POLYT1_PACKEDBYTES, &t1->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_unpack_pk -* -* Description: Unpack public key pk = (rho, t1). -* -* Arguments: - const uint8_t rho[]: output byte array for rho -* - const polyveck *t1: pointer to output vector t1 -* - uint8_t pk[]: byte array containing bit-packed pk -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES], - polyveck *t1, - const uint8_t pk[PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_PUBLICKEYBYTES]) { - unsigned int i; - - for (i = 0; i < SEEDBYTES; ++i) { - rho[i] = pk[i]; - } - pk += SEEDBYTES; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_polyt1_unpack(&t1->vec[i], pk + i * POLYT1_PACKEDBYTES); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_pack_sk -* -* Description: Bit-pack secret key sk = (rho, tr, key, t0, s1, s2). 
-* -* Arguments: - uint8_t sk[]: output byte array -* - const uint8_t rho[]: byte array containing rho -* - const uint8_t tr[]: byte array containing tr -* - const uint8_t key[]: byte array containing key -* - const polyveck *t0: pointer to vector t0 -* - const polyvecl *s1: pointer to vector s1 -* - const polyveck *s2: pointer to vector s2 -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_SECRETKEYBYTES], - const uint8_t rho[SEEDBYTES], - const uint8_t tr[CRHBYTES], - const uint8_t key[SEEDBYTES], - const polyveck *t0, - const polyvecl *s1, - const polyveck *s2) { - unsigned int i; - - for (i = 0; i < SEEDBYTES; ++i) { - sk[i] = rho[i]; - } - sk += SEEDBYTES; - - for (i = 0; i < SEEDBYTES; ++i) { - sk[i] = key[i]; - } - sk += SEEDBYTES; - - for (i = 0; i < CRHBYTES; ++i) { - sk[i] = tr[i]; - } - sk += CRHBYTES; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]); - } - sk += L * POLYETA_PACKEDBYTES; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s2->vec[i]); - } - sk += K * POLYETA_PACKEDBYTES; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_polyt0_pack(sk + i * POLYT0_PACKEDBYTES, &t0->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_unpack_sk -* -* Description: Unpack secret key sk = (rho, tr, key, t0, s1, s2). 
-* -* Arguments: - const uint8_t rho[]: output byte array for rho -* - const uint8_t tr[]: output byte array for tr -* - const uint8_t key[]: output byte array for key -* - const polyveck *t0: pointer to output vector t0 -* - const polyvecl *s1: pointer to output vector s1 -* - const polyveck *s2: pointer to output vector s2 -* - uint8_t sk[]: byte array containing bit-packed sk -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[CRHBYTES], - uint8_t key[SEEDBYTES], - polyveck *t0, - polyvecl *s1, - polyveck *s2, - const uint8_t sk[PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_SECRETKEYBYTES]) { - unsigned int i; - - for (i = 0; i < SEEDBYTES; ++i) { - rho[i] = sk[i]; - } - sk += SEEDBYTES; - - for (i = 0; i < SEEDBYTES; ++i) { - key[i] = sk[i]; - } - sk += SEEDBYTES; - - for (i = 0; i < CRHBYTES; ++i) { - tr[i] = sk[i]; - } - sk += CRHBYTES; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES); - } - sk += L * POLYETA_PACKEDBYTES; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_polyeta_unpack(&s2->vec[i], sk + i * POLYETA_PACKEDBYTES); - } - sk += K * POLYETA_PACKEDBYTES; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_polyt0_unpack(&t0->vec[i], sk + i * POLYT0_PACKEDBYTES); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_pack_sig -* -* Description: Bit-pack signature sig = (c, z, h). 
-* -* Arguments: - uint8_t sig[]: output byte array -* - const uint8_t *c: pointer to PQCLEAN_DILITHIUM2AES_CLEAN_challenge hash length SEEDBYTES -* - const polyvecl *z: pointer to vector z -* - const polyveck *h: pointer to hint vector h -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_BYTES], - const uint8_t c[SEEDBYTES], - const polyvecl *z, - const polyveck *h) { - unsigned int i, j, k; - - for (i = 0; i < SEEDBYTES; ++i) { - sig[i] = c[i]; - } - sig += SEEDBYTES; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_polyz_pack(sig + i * POLYZ_PACKEDBYTES, &z->vec[i]); - } - sig += L * POLYZ_PACKEDBYTES; - - /* Encode h */ - for (i = 0; i < OMEGA + K; ++i) { - sig[i] = 0; - } - - k = 0; - for (i = 0; i < K; ++i) { - for (j = 0; j < N; ++j) { - if (h->vec[i].coeffs[j] != 0) { - sig[k++] = (uint8_t) j; - } - } - - sig[OMEGA + i] = (uint8_t) k; - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_unpack_sig -* -* Description: Unpack signature sig = (c, z, h). -* -* Arguments: - uint8_t *c: pointer to output PQCLEAN_DILITHIUM2AES_CLEAN_challenge hash -* - polyvecl *z: pointer to output vector z -* - polyveck *h: pointer to output hint vector h -* - const uint8_t sig[]: byte array containing -* bit-packed signature -* -* Returns 1 in case of malformed signature; otherwise 0. 
-**************************************************/ -int PQCLEAN_DILITHIUM2AES_CLEAN_unpack_sig(uint8_t c[SEEDBYTES], - polyvecl *z, - polyveck *h, - const uint8_t sig[PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_BYTES]) { - unsigned int i, j, k; - - for (i = 0; i < SEEDBYTES; ++i) { - c[i] = sig[i]; - } - sig += SEEDBYTES; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_polyz_unpack(&z->vec[i], sig + i * POLYZ_PACKEDBYTES); - } - sig += L * POLYZ_PACKEDBYTES; - - /* Decode h */ - k = 0; - for (i = 0; i < K; ++i) { - for (j = 0; j < N; ++j) { - h->vec[i].coeffs[j] = 0; - } - - if (sig[OMEGA + i] < k || sig[OMEGA + i] > OMEGA) { - return 1; - } - - for (j = k; j < sig[OMEGA + i]; ++j) { - /* Coefficients are ordered for strong unforgeability */ - if (j > k && sig[j] <= sig[j - 1]) { - return 1; - } - h->vec[i].coeffs[sig[j]] = 1; - } - - k = sig[OMEGA + i]; - } - - /* Extra indices are zero for strong unforgeability */ - for (j = k; j < OMEGA; ++j) { - if (sig[j]) { - return 1; - } - } - - return 0; -} diff --git a/crypto_sign/dilithium2aes/clean/packing.h b/crypto_sign/dilithium2aes/clean/packing.h deleted file mode 100644 index a6dbd114..00000000 --- a/crypto_sign/dilithium2aes/clean/packing.h +++ /dev/null 
@@ -1,31 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM2AES_CLEAN_PACKING_H -#define PQCLEAN_DILITHIUM2AES_CLEAN_PACKING_H -#include "params.h" -#include "polyvec.h" -#include - -void PQCLEAN_DILITHIUM2AES_CLEAN_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_PUBLICKEYBYTES], const uint8_t rho[SEEDBYTES], const polyveck *t1); - -void PQCLEAN_DILITHIUM2AES_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_SECRETKEYBYTES], - const uint8_t rho[SEEDBYTES], - const uint8_t tr[CRHBYTES], - const uint8_t key[SEEDBYTES], - const polyveck *t0, - const polyvecl *s1, - const polyveck *s2); - -void PQCLEAN_DILITHIUM2AES_CLEAN_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_BYTES], const uint8_t c[SEEDBYTES], const polyvecl *z, const polyveck *h); - -void PQCLEAN_DILITHIUM2AES_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_PUBLICKEYBYTES]); - -void PQCLEAN_DILITHIUM2AES_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[CRHBYTES], - uint8_t key[SEEDBYTES], - polyveck *t0, - polyvecl *s1, - polyveck *s2, - const uint8_t sk[PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_SECRETKEYBYTES]); - -int PQCLEAN_DILITHIUM2AES_CLEAN_unpack_sig(uint8_t c[SEEDBYTES], polyvecl *z, polyveck *h, const uint8_t sig[PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_BYTES]); - -#endif diff --git a/crypto_sign/dilithium2aes/clean/params.h b/crypto_sign/dilithium2aes/clean/params.h deleted file mode 100644 index b8625aa3..00000000 --- a/crypto_sign/dilithium2aes/clean/params.h +++ /dev/null 
@@ -1,41 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM2AES_CLEAN_PARAMS_H -#define PQCLEAN_DILITHIUM2AES_CLEAN_PARAMS_H - - - -#define SEEDBYTES 32 -#define CRHBYTES 48 -#define N 256 -#define Q 8380417 -#define D 13 -#define ROOT_OF_UNITY 1753 - -#define K 4 -#define L 4 -#define ETA 2 -#define TAU 39 -#define BETA 78 -#define GAMMA1 (1 << 17) -#define GAMMA2 ((Q-1)/88) -#define OMEGA 80 -#define PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_ALGNAME "Dilithium2-AES" - - -#define POLYT1_PACKEDBYTES 320 -#define POLYT0_PACKEDBYTES 416 -#define POLYVECH_PACKEDBYTES (OMEGA + K) - -#define POLYZ_PACKEDBYTES 576 - -#define POLYW1_PACKEDBYTES 192 - -#define POLYETA_PACKEDBYTES 96 - -#define PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES) -#define PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_SECRETKEYBYTES (2*SEEDBYTES + CRHBYTES \ - + L*POLYETA_PACKEDBYTES \ - + K*POLYETA_PACKEDBYTES \ - + K*POLYT0_PACKEDBYTES) -#define PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_BYTES (SEEDBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES) - -#endif diff --git a/crypto_sign/dilithium2aes/clean/poly.c b/crypto_sign/dilithium2aes/clean/poly.c deleted file mode 100644 index 7edd1629..00000000 --- a/crypto_sign/dilithium2aes/clean/poly.c +++ /dev/null 
@@ -1,867 +0,0 @@ -#include "ntt.h" -#include "params.h" -#include "poly.h" -#include "reduce.h" -#include "rounding.h" -#include "symmetric.h" -#include - -#define DBENCH_START() -#define DBENCH_STOP(t) - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_poly_reduce -* -* Description: Inplace reduction of all coefficients of polynomial to -* representative in [-6283009,6283007]. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_reduce(poly *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - a->coeffs[i] = PQCLEAN_DILITHIUM2AES_CLEAN_reduce32(a->coeffs[i]); - } - - DBENCH_STOP(*tred); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_poly_caddq -* -* Description: For all coefficients of in/out polynomial add Q if -* coefficient is negative. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_caddq(poly *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - a->coeffs[i] = PQCLEAN_DILITHIUM2AES_CLEAN_caddq(a->coeffs[i]); - } - - DBENCH_STOP(*tred); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_poly_freeze -* -* Description: Inplace reduction of all coefficients of polynomial to -* standard representatives. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_freeze(poly *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - a->coeffs[i] = PQCLEAN_DILITHIUM2AES_CLEAN_freeze(a->coeffs[i]); - } - - DBENCH_STOP(*tred); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_poly_add -* -* Description: Add polynomials. 
No modular reduction is performed. -* -* Arguments: - poly *c: pointer to output polynomial -* - const poly *a: pointer to first summand -* - const poly *b: pointer to second summand -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_add(poly *c, const poly *a, const poly *b) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - c->coeffs[i] = a->coeffs[i] + b->coeffs[i]; - } - - DBENCH_STOP(*tadd); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_poly_sub -* -* Description: Subtract polynomials. No modular reduction is -* performed. -* -* Arguments: - poly *c: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial to be -* subtraced from first input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_sub(poly *c, const poly *a, const poly *b) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - c->coeffs[i] = a->coeffs[i] - b->coeffs[i]; - } - - DBENCH_STOP(*tadd); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_poly_shiftl -* -* Description: Multiply polynomial by 2^D without modular reduction. Assumes -* input coefficients to be less than 2^{31-D} in absolute value. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_shiftl(poly *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - a->coeffs[i] <<= D; - } - - DBENCH_STOP(*tmul); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_poly_ntt -* -* Description: Inplace forward NTT. Coefficients can grow by -* 8*Q in absolute value. 
-* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_ntt(poly *a) { - DBENCH_START(); - - PQCLEAN_DILITHIUM2AES_CLEAN_ntt(a->coeffs); - - DBENCH_STOP(*tmul); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_poly_invntt_tomont -* -* Description: Inplace inverse NTT and multiplication by 2^{32}. -* Input coefficients need to be less than Q in absolute -* value and output coefficients are again bounded by Q. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_invntt_tomont(poly *a) { - DBENCH_START(); - - PQCLEAN_DILITHIUM2AES_CLEAN_invntt_tomont(a->coeffs); - - DBENCH_STOP(*tmul); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_poly_pointwise_montgomery -* -* Description: Pointwise multiplication of polynomials in NTT domain -* representation and multiplication of resulting polynomial -* by 2^{-32}. -* -* Arguments: - poly *c: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_pointwise_montgomery(poly *c, const poly *a, const poly *b) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - c->coeffs[i] = PQCLEAN_DILITHIUM2AES_CLEAN_montgomery_reduce((int64_t)a->coeffs[i] * b->coeffs[i]); - } - - DBENCH_STOP(*tmul); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_poly_power2round -* -* Description: For all coefficients c of the input polynomial, -* compute c0, c1 such that c mod Q = c1*2^D + c0 -* with -2^{D-1} < c0 <= 2^{D-1}. Assumes coefficients to be -* standard representatives. 
-* -* Arguments: - poly *a1: pointer to output polynomial with coefficients c1 -* - poly *a0: pointer to output polynomial with coefficients c0 -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_power2round(poly *a1, poly *a0, const poly *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - a1->coeffs[i] = PQCLEAN_DILITHIUM2AES_CLEAN_power2round(&a0->coeffs[i], a->coeffs[i]); - } - - DBENCH_STOP(*tround); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_poly_decompose -* -* Description: For all coefficients c of the input polynomial, -* compute high and low bits c0, c1 such c mod Q = c1*ALPHA + c0 -* with -ALPHA/2 < c0 <= ALPHA/2 except c1 = (Q-1)/ALPHA where we -* set c1 = 0 and -ALPHA/2 <= c0 = c mod Q - Q < 0. -* Assumes coefficients to be standard representatives. -* -* Arguments: - poly *a1: pointer to output polynomial with coefficients c1 -* - poly *a0: pointer to output polynomial with coefficients c0 -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_decompose(poly *a1, poly *a0, const poly *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - a1->coeffs[i] = PQCLEAN_DILITHIUM2AES_CLEAN_decompose(&a0->coeffs[i], a->coeffs[i]); - } - - DBENCH_STOP(*tround); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_poly_make_hint -* -* Description: Compute hint polynomial. The coefficients of which indicate -* whether the low bits of the corresponding coefficient of -* the input polynomial overflow into the high bits. -* -* Arguments: - poly *h: pointer to output hint polynomial -* - const poly *a0: pointer to low part of input polynomial -* - const poly *a1: pointer to high part of input polynomial -* -* Returns number of 1 bits. 
-**************************************************/ -unsigned int PQCLEAN_DILITHIUM2AES_CLEAN_poly_make_hint(poly *h, const poly *a0, const poly *a1) { - unsigned int i, s = 0; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - h->coeffs[i] = PQCLEAN_DILITHIUM2AES_CLEAN_make_hint(a0->coeffs[i], a1->coeffs[i]); - s += h->coeffs[i]; - } - - DBENCH_STOP(*tround); - return s; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_poly_use_hint -* -* Description: Use hint polynomial to correct the high bits of a polynomial. -* -* Arguments: - poly *b: pointer to output polynomial with corrected high bits -* - const poly *a: pointer to input polynomial -* - const poly *h: pointer to input hint polynomial -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_use_hint(poly *b, const poly *a, const poly *h) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - b->coeffs[i] = PQCLEAN_DILITHIUM2AES_CLEAN_use_hint(a->coeffs[i], h->coeffs[i]); - } - - DBENCH_STOP(*tround); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_poly_chknorm -* -* Description: Check infinity norm of polynomial against given bound. -* Assumes input coefficients were reduced by PQCLEAN_DILITHIUM2AES_CLEAN_reduce32(). -* -* Arguments: - const poly *a: pointer to polynomial -* - int32_t B: norm bound -* -* Returns 0 if norm is strictly smaller than B <= (Q-1)/8 and 1 otherwise. -**************************************************/ -int PQCLEAN_DILITHIUM2AES_CLEAN_poly_chknorm(const poly *a, int32_t B) { - unsigned int i; - int32_t t; - DBENCH_START(); - - if (B > (Q - 1) / 8) { - return 1; - } - - /* It is ok to leak which coefficient violates the bound since - the probability for each coefficient is independent of secret - data but we must not leak the sign of the centralized representative. 
*/ - for (i = 0; i < N; ++i) { - /* Absolute value */ - t = a->coeffs[i] >> 31; - t = a->coeffs[i] - (t & 2 * a->coeffs[i]); - - if (t >= B) { - DBENCH_STOP(*tsample); - return 1; - } - } - - DBENCH_STOP(*tsample); - return 0; -} - -/************************************************* -* Name: rej_uniform -* -* Description: Sample uniformly random coefficients in [0, Q-1] by -* performing rejection sampling on array of random bytes. -* -* Arguments: - int32_t *a: pointer to output array (allocated) -* - unsigned int len: number of coefficients to be sampled -* - const uint8_t *buf: array of random bytes -* - unsigned int buflen: length of array of random bytes -* -* Returns number of sampled coefficients. Can be smaller than len if not enough -* random bytes were given. -**************************************************/ -static unsigned int rej_uniform(int32_t *a, - unsigned int len, - const uint8_t *buf, - unsigned int buflen) { - unsigned int ctr, pos; - uint32_t t; - DBENCH_START(); - - ctr = pos = 0; - while (ctr < len && pos + 3 <= buflen) { - t = buf[pos++]; - t |= (uint32_t)buf[pos++] << 8; - t |= (uint32_t)buf[pos++] << 16; - t &= 0x7FFFFF; - - if (t < Q) { - a[ctr++] = t; - } - } - - DBENCH_STOP(*tsample); - return ctr; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_poly_uniform -* -* Description: Sample polynomial with uniformly random coefficients -* in [0,Q-1] by performing rejection sampling on the -* output stream of SHAKE256(seed|nonce) or AES256CTR(seed,nonce). 
-* -* Arguments: - poly *a: pointer to output polynomial -* - const uint8_t seed[]: byte array with seed of length SEEDBYTES -* - uint16_t nonce: 2-byte nonce -**************************************************/ -#define POLY_UNIFORM_NBLOCKS ((768 + STREAM128_BLOCKBYTES - 1)/STREAM128_BLOCKBYTES) -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_uniform(poly *a, - const uint8_t seed[SEEDBYTES], - uint16_t nonce) { - unsigned int i, ctr, off; - unsigned int buflen = POLY_UNIFORM_NBLOCKS * STREAM128_BLOCKBYTES; - uint8_t buf[POLY_UNIFORM_NBLOCKS * STREAM128_BLOCKBYTES + 2]; - stream128_state state; - - stream128_init(&state, seed, nonce); - stream128_squeezeblocks(buf, POLY_UNIFORM_NBLOCKS, &state); - - ctr = rej_uniform(a->coeffs, N, buf, buflen); - - while (ctr < N) { - off = buflen % 3; - for (i = 0; i < off; ++i) { - buf[i] = buf[buflen - off + i]; - } - - stream128_squeezeblocks(buf + off, 1, &state); - buflen = STREAM128_BLOCKBYTES + off; - ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf, buflen); - } - stream128_release(&state); -} - -/************************************************* -* Name: rej_eta -* -* Description: Sample uniformly random coefficients in [-ETA, ETA] by -* performing rejection sampling on array of random bytes. -* -* Arguments: - int32_t *a: pointer to output array (allocated) -* - unsigned int len: number of coefficients to be sampled -* - const uint8_t *buf: array of random bytes -* - unsigned int buflen: length of array of random bytes -* -* Returns number of sampled coefficients. Can be smaller than len if not enough -* random bytes were given. 
-**************************************************/ -static unsigned int rej_eta(int32_t *a, - unsigned int len, - const uint8_t *buf, - unsigned int buflen) { - unsigned int ctr, pos; - uint32_t t0, t1; - DBENCH_START(); - - ctr = pos = 0; - while (ctr < len && pos < buflen) { - t0 = buf[pos] & 0x0F; - t1 = buf[pos++] >> 4; - - if (t0 < 15) { - t0 = t0 - (205 * t0 >> 10) * 5; - a[ctr++] = 2 - t0; - } - if (t1 < 15 && ctr < len) { - t1 = t1 - (205 * t1 >> 10) * 5; - a[ctr++] = 2 - t1; - } - } - - DBENCH_STOP(*tsample); - return ctr; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_poly_uniform_eta -* -* Description: Sample polynomial with uniformly random coefficients -* in [-ETA,ETA] by performing rejection sampling on the -* output stream from SHAKE256(seed|nonce) or AES256CTR(seed,nonce). -* -* Arguments: - poly *a: pointer to output polynomial -* - const uint8_t seed[]: byte array with seed of length SEEDBYTES -* - uint16_t nonce: 2-byte nonce -**************************************************/ -#define POLY_UNIFORM_ETA_NBLOCKS ((136 + STREAM128_BLOCKBYTES - 1)/STREAM128_BLOCKBYTES) -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_uniform_eta(poly *a, - const uint8_t seed[SEEDBYTES], - uint16_t nonce) { - unsigned int ctr; - unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS * STREAM128_BLOCKBYTES; - uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS * STREAM128_BLOCKBYTES]; - stream128_state state; - - stream128_init(&state, seed, nonce); - stream128_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state); - - ctr = rej_eta(a->coeffs, N, buf, buflen); - - while (ctr < N) { - stream128_squeezeblocks(buf, 1, &state); - ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM128_BLOCKBYTES); - } - stream128_release(&state); -} - -/************************************************* -* Name: poly_uniform_gamma1m1 -* -* Description: Sample polynomial with uniformly random coefficients -* in [-(GAMMA1 - 1), GAMMA1] by unpacking output stream -* of 
SHAKE256(seed|nonce) or AES256CTR(seed,nonce). -* -* Arguments: - poly *a: pointer to output polynomial -* - const uint8_t seed[]: byte array with seed of length CRHBYTES -* - uint16_t nonce: 16-bit nonce -**************************************************/ -#define POLY_UNIFORM_GAMMA1_NBLOCKS ((POLYZ_PACKEDBYTES + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES) -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_uniform_gamma1(poly *a, - const uint8_t seed[CRHBYTES], - uint16_t nonce) { - uint8_t buf[POLY_UNIFORM_GAMMA1_NBLOCKS * STREAM256_BLOCKBYTES]; - stream256_state state; - - stream256_init(&state, seed, nonce); - stream256_squeezeblocks(buf, POLY_UNIFORM_GAMMA1_NBLOCKS, &state); - stream256_release(&state); - PQCLEAN_DILITHIUM2AES_CLEAN_polyz_unpack(a, buf); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_challenge -* -* Description: Implementation of H. Samples polynomial with TAU nonzero -* coefficients in {-1,1} using the output stream of -* SHAKE256(seed). 
-* -* Arguments: - poly *c: pointer to output polynomial -* - const uint8_t mu[]: byte array containing seed of length SEEDBYTES -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]) { - unsigned int i, b, pos; - uint64_t signs; - uint8_t buf[SHAKE256_RATE]; - shake256incctx state; - - shake256_inc_init(&state); - shake256_inc_absorb(&state, seed, SEEDBYTES); - shake256_inc_finalize(&state); - shake256_inc_squeeze(buf, sizeof buf, &state); - - signs = 0; - for (i = 0; i < 8; ++i) { - signs |= (uint64_t)buf[i] << 8 * i; - } - pos = 8; - - for (i = 0; i < N; ++i) { - c->coeffs[i] = 0; - } - for (i = N - TAU; i < N; ++i) { - do { - if (pos >= SHAKE256_RATE) { - shake256_inc_squeeze(buf, sizeof buf, &state); - pos = 0; - } - - b = buf[pos++]; - } while (b > i); - - c->coeffs[i] = c->coeffs[b]; - c->coeffs[b] = 1 - 2 * (signs & 1); - signs >>= 1; - } - shake256_inc_ctx_release(&state); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_polyeta_pack -* -* Description: Bit-pack polynomial with coefficients in [-ETA,ETA]. 
-* -* Arguments: - uint8_t *r: pointer to output byte array with at least -* POLYETA_PACKEDBYTES bytes -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_polyeta_pack(uint8_t *r, const poly *a) { - unsigned int i; - uint8_t t[8]; - DBENCH_START(); - - for (i = 0; i < N / 8; ++i) { - t[0] = (uint8_t) (ETA - a->coeffs[8 * i + 0]); - t[1] = (uint8_t) (ETA - a->coeffs[8 * i + 1]); - t[2] = (uint8_t) (ETA - a->coeffs[8 * i + 2]); - t[3] = (uint8_t) (ETA - a->coeffs[8 * i + 3]); - t[4] = (uint8_t) (ETA - a->coeffs[8 * i + 4]); - t[5] = (uint8_t) (ETA - a->coeffs[8 * i + 5]); - t[6] = (uint8_t) (ETA - a->coeffs[8 * i + 6]); - t[7] = (uint8_t) (ETA - a->coeffs[8 * i + 7]); - - r[3 * i + 0] = (t[0] >> 0) | (t[1] << 3) | (t[2] << 6); - r[3 * i + 1] = (t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7); - r[3 * i + 2] = (t[5] >> 1) | (t[6] << 2) | (t[7] << 5); - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_polyeta_unpack -* -* Description: Unpack polynomial with coefficients in [-ETA,ETA]. 
-* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: byte array with bit-packed polynomial -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_polyeta_unpack(poly *r, const uint8_t *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N / 8; ++i) { - r->coeffs[8 * i + 0] = (a[3 * i + 0] >> 0) & 7; - r->coeffs[8 * i + 1] = (a[3 * i + 0] >> 3) & 7; - r->coeffs[8 * i + 2] = ((a[3 * i + 0] >> 6) | (a[3 * i + 1] << 2)) & 7; - r->coeffs[8 * i + 3] = (a[3 * i + 1] >> 1) & 7; - r->coeffs[8 * i + 4] = (a[3 * i + 1] >> 4) & 7; - r->coeffs[8 * i + 5] = ((a[3 * i + 1] >> 7) | (a[3 * i + 2] << 1)) & 7; - r->coeffs[8 * i + 6] = (a[3 * i + 2] >> 2) & 7; - r->coeffs[8 * i + 7] = (a[3 * i + 2] >> 5) & 7; - - r->coeffs[8 * i + 0] = ETA - r->coeffs[8 * i + 0]; - r->coeffs[8 * i + 1] = ETA - r->coeffs[8 * i + 1]; - r->coeffs[8 * i + 2] = ETA - r->coeffs[8 * i + 2]; - r->coeffs[8 * i + 3] = ETA - r->coeffs[8 * i + 3]; - r->coeffs[8 * i + 4] = ETA - r->coeffs[8 * i + 4]; - r->coeffs[8 * i + 5] = ETA - r->coeffs[8 * i + 5]; - r->coeffs[8 * i + 6] = ETA - r->coeffs[8 * i + 6]; - r->coeffs[8 * i + 7] = ETA - r->coeffs[8 * i + 7]; - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_polyt1_pack -* -* Description: Bit-pack polynomial t1 with coefficients fitting in 10 bits. -* Input coefficients are assumed to be standard representatives. 
-* -* Arguments: - uint8_t *r: pointer to output byte array with at least -* POLYT1_PACKEDBYTES bytes -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_polyt1_pack(uint8_t *r, const poly *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N / 4; ++i) { - r[5 * i + 0] = (uint8_t) (a->coeffs[4 * i + 0] >> 0); - r[5 * i + 1] = (uint8_t) ((a->coeffs[4 * i + 0] >> 8) | (a->coeffs[4 * i + 1] << 2)); - r[5 * i + 2] = (uint8_t) ((a->coeffs[4 * i + 1] >> 6) | (a->coeffs[4 * i + 2] << 4)); - r[5 * i + 3] = (uint8_t) ((a->coeffs[4 * i + 2] >> 4) | (a->coeffs[4 * i + 3] << 6)); - r[5 * i + 4] = (uint8_t) (a->coeffs[4 * i + 3] >> 2); - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_polyt1_unpack -* -* Description: Unpack polynomial t1 with 10-bit coefficients. -* Output coefficients are standard representatives. -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: byte array with bit-packed polynomial -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_polyt1_unpack(poly *r, const uint8_t *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N / 4; ++i) { - r->coeffs[4 * i + 0] = ((a[5 * i + 0] >> 0) | ((uint32_t)a[5 * i + 1] << 8)) & 0x3FF; - r->coeffs[4 * i + 1] = ((a[5 * i + 1] >> 2) | ((uint32_t)a[5 * i + 2] << 6)) & 0x3FF; - r->coeffs[4 * i + 2] = ((a[5 * i + 2] >> 4) | ((uint32_t)a[5 * i + 3] << 4)) & 0x3FF; - r->coeffs[4 * i + 3] = ((a[5 * i + 3] >> 6) | ((uint32_t)a[5 * i + 4] << 2)) & 0x3FF; - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_polyt0_pack -* -* Description: Bit-pack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}]. 
-* -* Arguments: - uint8_t *r: pointer to output byte array with at least -* POLYT0_PACKEDBYTES bytes -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_polyt0_pack(uint8_t *r, const poly *a) { - unsigned int i; - uint32_t t[8]; - DBENCH_START(); - - for (i = 0; i < N / 8; ++i) { - t[0] = (1 << (D - 1)) - a->coeffs[8 * i + 0]; - t[1] = (1 << (D - 1)) - a->coeffs[8 * i + 1]; - t[2] = (1 << (D - 1)) - a->coeffs[8 * i + 2]; - t[3] = (1 << (D - 1)) - a->coeffs[8 * i + 3]; - t[4] = (1 << (D - 1)) - a->coeffs[8 * i + 4]; - t[5] = (1 << (D - 1)) - a->coeffs[8 * i + 5]; - t[6] = (1 << (D - 1)) - a->coeffs[8 * i + 6]; - t[7] = (1 << (D - 1)) - a->coeffs[8 * i + 7]; - - r[13 * i + 0] = (uint8_t) t[0]; - r[13 * i + 1] = (uint8_t) (t[0] >> 8); - r[13 * i + 1] |= (uint8_t) (t[1] << 5); - r[13 * i + 2] = (uint8_t) (t[1] >> 3); - r[13 * i + 3] = (uint8_t) (t[1] >> 11); - r[13 * i + 3] |= (uint8_t) (t[2] << 2); - r[13 * i + 4] = (uint8_t) (t[2] >> 6); - r[13 * i + 4] |= (uint8_t) (t[3] << 7); - r[13 * i + 5] = (uint8_t) (t[3] >> 1); - r[13 * i + 6] = (uint8_t) (t[3] >> 9); - r[13 * i + 6] |= (uint8_t) (t[4] << 4); - r[13 * i + 7] = (uint8_t) (t[4] >> 4); - r[13 * i + 8] = (uint8_t) (t[4] >> 12); - r[13 * i + 8] |= (uint8_t) (t[5] << 1); - r[13 * i + 9] = (uint8_t) (t[5] >> 7); - r[13 * i + 9] |= (uint8_t) (t[6] << 6); - r[13 * i + 10] = (uint8_t) (t[6] >> 2); - r[13 * i + 11] = (uint8_t) (t[6] >> 10); - r[13 * i + 11] |= (uint8_t) (t[7] << 3); - r[13 * i + 12] = (uint8_t) (t[7] >> 5); - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_polyt0_unpack -* -* Description: Unpack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}]. 
-* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: byte array with bit-packed polynomial -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_polyt0_unpack(poly *r, const uint8_t *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N / 8; ++i) { - r->coeffs[8 * i + 0] = a[13 * i + 0]; - r->coeffs[8 * i + 0] |= (uint32_t)a[13 * i + 1] << 8; - r->coeffs[8 * i + 0] &= 0x1FFF; - - r->coeffs[8 * i + 1] = a[13 * i + 1] >> 5; - r->coeffs[8 * i + 1] |= (uint32_t)a[13 * i + 2] << 3; - r->coeffs[8 * i + 1] |= (uint32_t)a[13 * i + 3] << 11; - r->coeffs[8 * i + 1] &= 0x1FFF; - - r->coeffs[8 * i + 2] = a[13 * i + 3] >> 2; - r->coeffs[8 * i + 2] |= (uint32_t)a[13 * i + 4] << 6; - r->coeffs[8 * i + 2] &= 0x1FFF; - - r->coeffs[8 * i + 3] = a[13 * i + 4] >> 7; - r->coeffs[8 * i + 3] |= (uint32_t)a[13 * i + 5] << 1; - r->coeffs[8 * i + 3] |= (uint32_t)a[13 * i + 6] << 9; - r->coeffs[8 * i + 3] &= 0x1FFF; - - r->coeffs[8 * i + 4] = a[13 * i + 6] >> 4; - r->coeffs[8 * i + 4] |= (uint32_t)a[13 * i + 7] << 4; - r->coeffs[8 * i + 4] |= (uint32_t)a[13 * i + 8] << 12; - r->coeffs[8 * i + 4] &= 0x1FFF; - - r->coeffs[8 * i + 5] = a[13 * i + 8] >> 1; - r->coeffs[8 * i + 5] |= (uint32_t)a[13 * i + 9] << 7; - r->coeffs[8 * i + 5] &= 0x1FFF; - - r->coeffs[8 * i + 6] = a[13 * i + 9] >> 6; - r->coeffs[8 * i + 6] |= (uint32_t)a[13 * i + 10] << 2; - r->coeffs[8 * i + 6] |= (uint32_t)a[13 * i + 11] << 10; - r->coeffs[8 * i + 6] &= 0x1FFF; - - r->coeffs[8 * i + 7] = a[13 * i + 11] >> 3; - r->coeffs[8 * i + 7] |= (uint32_t)a[13 * i + 12] << 5; - r->coeffs[8 * i + 7] &= 0x1FFF; - - r->coeffs[8 * i + 0] = (1 << (D - 1)) - r->coeffs[8 * i + 0]; - r->coeffs[8 * i + 1] = (1 << (D - 1)) - r->coeffs[8 * i + 1]; - r->coeffs[8 * i + 2] = (1 << (D - 1)) - r->coeffs[8 * i + 2]; - r->coeffs[8 * i + 3] = (1 << (D - 1)) - r->coeffs[8 * i + 3]; - r->coeffs[8 * i + 4] = (1 << (D - 1)) - r->coeffs[8 * i + 4]; - r->coeffs[8 * i + 5] = (1 << (D - 1)) 
- r->coeffs[8 * i + 5]; - r->coeffs[8 * i + 6] = (1 << (D - 1)) - r->coeffs[8 * i + 6]; - r->coeffs[8 * i + 7] = (1 << (D - 1)) - r->coeffs[8 * i + 7]; - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_polyz_pack -* -* Description: Bit-pack polynomial with coefficients -* in [-(GAMMA1 - 1), GAMMA1]. -* -* Arguments: - uint8_t *r: pointer to output byte array with at least -* POLYZ_PACKEDBYTES bytes -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_polyz_pack(uint8_t *r, const poly *a) { - unsigned int i; - uint32_t t[4]; - DBENCH_START(); - - for (i = 0; i < N / 4; ++i) { - t[0] = GAMMA1 - a->coeffs[4 * i + 0]; - t[1] = GAMMA1 - a->coeffs[4 * i + 1]; - t[2] = GAMMA1 - a->coeffs[4 * i + 2]; - t[3] = GAMMA1 - a->coeffs[4 * i + 3]; - - r[9 * i + 0] = (uint8_t) t[0]; - r[9 * i + 1] = (uint8_t) (t[0] >> 8); - r[9 * i + 2] = (uint8_t) (t[0] >> 16); - r[9 * i + 2] |= (uint8_t) (t[1] << 2); - r[9 * i + 3] = (uint8_t) (t[1] >> 6); - r[9 * i + 4] = (uint8_t) (t[1] >> 14); - r[9 * i + 4] |= (uint8_t) (t[2] << 4); - r[9 * i + 5] = (uint8_t) (t[2] >> 4); - r[9 * i + 6] = (uint8_t) (t[2] >> 12); - r[9 * i + 6] |= (uint8_t) (t[3] << 6); - r[9 * i + 7] = (uint8_t) (t[3] >> 2); - r[9 * i + 8] = (uint8_t) (t[3] >> 10); - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_polyz_unpack -* -* Description: Unpack polynomial z with coefficients -* in [-(GAMMA1 - 1), GAMMA1]. 
-* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: byte array with bit-packed polynomial -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_polyz_unpack(poly *r, const uint8_t *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N / 4; ++i) { - r->coeffs[4 * i + 0] = a[9 * i + 0]; - r->coeffs[4 * i + 0] |= (uint32_t)a[9 * i + 1] << 8; - r->coeffs[4 * i + 0] |= (uint32_t)a[9 * i + 2] << 16; - r->coeffs[4 * i + 0] &= 0x3FFFF; - - r->coeffs[4 * i + 1] = a[9 * i + 2] >> 2; - r->coeffs[4 * i + 1] |= (uint32_t)a[9 * i + 3] << 6; - r->coeffs[4 * i + 1] |= (uint32_t)a[9 * i + 4] << 14; - r->coeffs[4 * i + 1] &= 0x3FFFF; - - r->coeffs[4 * i + 2] = a[9 * i + 4] >> 4; - r->coeffs[4 * i + 2] |= (uint32_t)a[9 * i + 5] << 4; - r->coeffs[4 * i + 2] |= (uint32_t)a[9 * i + 6] << 12; - r->coeffs[4 * i + 2] &= 0x3FFFF; - - r->coeffs[4 * i + 3] = a[9 * i + 6] >> 6; - r->coeffs[4 * i + 3] |= (uint32_t)a[9 * i + 7] << 2; - r->coeffs[4 * i + 3] |= (uint32_t)a[9 * i + 8] << 10; - r->coeffs[4 * i + 3] &= 0x3FFFF; - - r->coeffs[4 * i + 0] = GAMMA1 - r->coeffs[4 * i + 0]; - r->coeffs[4 * i + 1] = GAMMA1 - r->coeffs[4 * i + 1]; - r->coeffs[4 * i + 2] = GAMMA1 - r->coeffs[4 * i + 2]; - r->coeffs[4 * i + 3] = GAMMA1 - r->coeffs[4 * i + 3]; - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_polyw1_pack -* -* Description: Bit-pack polynomial w1 with coefficients in [0,15] or [0,43]. -* Input coefficients are assumed to be standard representatives. 
-* -* Arguments: - uint8_t *r: pointer to output byte array with at least -* POLYW1_PACKEDBYTES bytes -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_polyw1_pack(uint8_t *r, const poly *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N / 4; ++i) { - r[3 * i + 0] = (uint8_t) a->coeffs[4 * i + 0]; - r[3 * i + 0] |= (uint8_t) (a->coeffs[4 * i + 1] << 6); - r[3 * i + 1] = (uint8_t) (a->coeffs[4 * i + 1] >> 2); - r[3 * i + 1] |= (uint8_t) (a->coeffs[4 * i + 2] << 4); - r[3 * i + 2] = (uint8_t) (a->coeffs[4 * i + 2] >> 4); - r[3 * i + 2] |= (uint8_t) (a->coeffs[4 * i + 3] << 2); - } - - DBENCH_STOP(*tpack); -} diff --git a/crypto_sign/dilithium2aes/clean/poly.h b/crypto_sign/dilithium2aes/clean/poly.h deleted file mode 100644 index 6ad8405e..00000000 --- a/crypto_sign/dilithium2aes/clean/poly.h +++ /dev/null 
@@ -1,53 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM2AES_CLEAN_POLY_H -#define PQCLEAN_DILITHIUM2AES_CLEAN_POLY_H -#include "params.h" -#include - -typedef struct { - int32_t coeffs[N]; -} poly; - -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_reduce(poly *a); -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_caddq(poly *a); -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_freeze(poly *a); - -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_add(poly *c, const poly *a, const poly *b); -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_sub(poly *c, const poly *a, const poly *b); -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_shiftl(poly *a); - -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_ntt(poly *a); -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_invntt_tomont(poly *a); -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_pointwise_montgomery(poly *c, const poly *a, const poly *b); - -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_power2round(poly *a1, poly *a0, const poly *a); -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_decompose(poly *a1, poly *a0, const poly *a); -unsigned int PQCLEAN_DILITHIUM2AES_CLEAN_poly_make_hint(poly *h, const poly *a0, const poly *a1); -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_use_hint(poly *b, const poly *a, const poly *h); - -int PQCLEAN_DILITHIUM2AES_CLEAN_poly_chknorm(const poly *a, int32_t B); -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_uniform(poly *a, - const uint8_t seed[SEEDBYTES], - uint16_t nonce); -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_uniform_eta(poly *a, - const uint8_t seed[SEEDBYTES], - uint16_t nonce); -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_uniform_gamma1(poly *a, - const uint8_t seed[CRHBYTES], - uint16_t nonce); -void PQCLEAN_DILITHIUM2AES_CLEAN_poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]); - -void PQCLEAN_DILITHIUM2AES_CLEAN_polyeta_pack(uint8_t *r, const poly *a); -void PQCLEAN_DILITHIUM2AES_CLEAN_polyeta_unpack(poly *r, const uint8_t *a); - -void PQCLEAN_DILITHIUM2AES_CLEAN_polyt1_pack(uint8_t *r, const poly *a); -void PQCLEAN_DILITHIUM2AES_CLEAN_polyt1_unpack(poly *r, const uint8_t *a); - -void 
PQCLEAN_DILITHIUM2AES_CLEAN_polyt0_pack(uint8_t *r, const poly *a); -void PQCLEAN_DILITHIUM2AES_CLEAN_polyt0_unpack(poly *r, const uint8_t *a); - -void PQCLEAN_DILITHIUM2AES_CLEAN_polyz_pack(uint8_t *r, const poly *a); -void PQCLEAN_DILITHIUM2AES_CLEAN_polyz_unpack(poly *r, const uint8_t *a); - -void PQCLEAN_DILITHIUM2AES_CLEAN_polyw1_pack(uint8_t *r, const poly *a); - -#endif diff --git a/crypto_sign/dilithium2aes/clean/polyvec.c b/crypto_sign/dilithium2aes/clean/polyvec.c deleted file mode 100644 index a7a77fb3..00000000 --- a/crypto_sign/dilithium2aes/clean/polyvec.c +++ /dev/null 
@@ -1,448 +0,0 @@ -#include "params.h" -#include "poly.h" -#include "polyvec.h" -#include - -/************************************************* -* Name: expand_mat -* -* Description: Implementation of ExpandA. Generates matrix A with uniformly -* random coefficients a_{i,j} by performing rejection -* sampling on the output stream of SHAKE128(rho|j|i) -* or AES256CTR(rho,j|i). -* -* Arguments: - polyvecl mat[K]: output matrix -* - const uint8_t rho[]: byte array containing seed rho -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) { - unsigned int i, j; - - for (i = 0; i < K; ++i) { - for (j = 0; j < L; ++j) { - PQCLEAN_DILITHIUM2AES_CLEAN_poly_uniform(&mat[i].vec[j], rho, (uint16_t) ((i << 8) + j)); - } - } -} - -void PQCLEAN_DILITHIUM2AES_CLEAN_polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_pointwise_acc_montgomery(&t->vec[i], &mat[i], v); - } -} - -/**************************************************************/ -/************ Vectors of polynomials of length L **************/ -/**************************************************************/ - -void PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_poly_uniform_eta(&v->vec[i], seed, nonce++); - } -} - -void PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_poly_uniform_gamma1(&v->vec[i], seed, (uint16_t) (L * nonce + i)); - } -} - -void PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_reduce(polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_poly_reduce(&v->vec[i]); - } -} - 
-/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_freeze -* -* Description: Reduce coefficients of polynomials in vector of length L -* to standard representatives. -* -* Arguments: - polyvecl *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_freeze(polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_poly_freeze(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_add -* -* Description: Add vectors of polynomials of length L. -* No modular reduction is performed. -* -* Arguments: - polyvecl *w: pointer to output vector -* - const polyvecl *u: pointer to first summand -* - const polyvecl *v: pointer to second summand -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_poly_add(&w->vec[i], &u->vec[i], &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_ntt -* -* Description: Forward NTT of all polynomials in vector of length L. Output -* coefficients can be up to 16*Q larger than input coefficients. 
-* -* Arguments: - polyvecl *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_ntt(polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_poly_ntt(&v->vec[i]); - } -} - -void PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_invntt_tomont(polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_poly_invntt_tomont(&v->vec[i]); - } -} - -void PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_pointwise_acc_montgomery -* -* Description: Pointwise multiply vectors of polynomials of length L, multiply -* resulting vector by 2^{-32} and add (accumulate) polynomials -* in it. Input/output vectors are in NTT domain representation. -* -* Arguments: - poly *w: output polynomial -* - const polyvecl *u: pointer to first input vector -* - const polyvecl *v: pointer to second input vector -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_pointwise_acc_montgomery(poly *w, - const polyvecl *u, - const polyvecl *v) { - unsigned int i; - poly t; - - PQCLEAN_DILITHIUM2AES_CLEAN_poly_pointwise_montgomery(w, &u->vec[0], &v->vec[0]); - for (i = 1; i < L; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_poly_pointwise_montgomery(&t, &u->vec[i], &v->vec[i]); - PQCLEAN_DILITHIUM2AES_CLEAN_poly_add(w, w, &t); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_chknorm -* -* Description: Check infinity norm of polynomials in vector of length L. -* Assumes input polyvecl to be reduced by PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_reduce(). 
-* -* Arguments: - const polyvecl *v: pointer to vector -* - int32_t B: norm bound -* -* Returns 0 if norm of all polynomials is strictly smaller than B <= (Q-1)/8 -* and 1 otherwise. -**************************************************/ -int PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_chknorm(const polyvecl *v, int32_t bound) { - unsigned int i; - - for (i = 0; i < L; ++i) { - if (PQCLEAN_DILITHIUM2AES_CLEAN_poly_chknorm(&v->vec[i], bound)) { - return 1; - } - } - - return 0; -} - -/**************************************************************/ -/************ Vectors of polynomials of length K **************/ -/**************************************************************/ - -void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_poly_uniform_eta(&v->vec[i], seed, nonce++); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_reduce -* -* Description: Reduce coefficients of polynomials in vector of length K -* to representatives in [-6283009,6283007]. -* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_reduce(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_poly_reduce(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_caddq -* -* Description: For all coefficients of polynomials in vector of length K -* add Q if coefficient is negative. 
-* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_caddq(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_poly_caddq(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_freeze -* -* Description: Reduce coefficients of polynomials in vector of length K -* to standard representatives. -* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_freeze(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_poly_freeze(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_add -* -* Description: Add vectors of polynomials of length K. -* No modular reduction is performed. -* -* Arguments: - polyveck *w: pointer to output vector -* - const polyveck *u: pointer to first summand -* - const polyveck *v: pointer to second summand -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_add(polyveck *w, const polyveck *u, const polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_poly_add(&w->vec[i], &u->vec[i], &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_sub -* -* Description: Subtract vectors of polynomials of length K. -* No modular reduction is performed. 
-* -* Arguments: - polyveck *w: pointer to output vector -* - const polyveck *u: pointer to first input vector -* - const polyveck *v: pointer to second input vector to be -* subtracted from first input vector -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_poly_sub(&w->vec[i], &u->vec[i], &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_shiftl -* -* Description: Multiply vector of polynomials of Length K by 2^D without modular -* reduction. Assumes input coefficients to be less than 2^{31-D}. -* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_shiftl(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_poly_shiftl(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_ntt -* -* Description: Forward NTT of all polynomials in vector of length K. Output -* coefficients can be up to 16*Q larger than input coefficients. -* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_ntt(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_poly_ntt(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_invntt_tomont -* -* Description: Inverse NTT and multiplication by 2^{32} of polynomials -* in vector of length K. Input coefficients need to be less -* than 2*Q. 
-* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_invntt_tomont(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_poly_invntt_tomont(&v->vec[i]); - } -} - -void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]); - } -} - - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_chknorm -* -* Description: Check infinity norm of polynomials in vector of length K. -* Assumes input polyveck to be reduced by PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_reduce(). -* -* Arguments: - const polyveck *v: pointer to vector -* - int32_t B: norm bound -* -* Returns 0 if norm of all polynomials are strictly smaller than B <= (Q-1)/8 -* and 1 otherwise. -**************************************************/ -int PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_chknorm(const polyveck *v, int32_t bound) { - unsigned int i; - - for (i = 0; i < K; ++i) { - if (PQCLEAN_DILITHIUM2AES_CLEAN_poly_chknorm(&v->vec[i], bound)) { - return 1; - } - } - - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_power2round -* -* Description: For all coefficients a of polynomials in vector of length K, -* compute a0, a1 such that a mod^+ Q = a1*2^D + a0 -* with -2^{D-1} < a0 <= 2^{D-1}. Assumes coefficients to be -* standard representatives. 
-* -* Arguments: - polyveck *v1: pointer to output vector of polynomials with -* coefficients a1 -* - polyveck *v0: pointer to output vector of polynomials with -* coefficients a0 -* - const polyveck *v: pointer to input vector -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_poly_power2round(&v1->vec[i], &v0->vec[i], &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_decompose -* -* Description: For all coefficients a of polynomials in vector of length K, -* compute high and low bits a0, a1 such a mod^+ Q = a1*ALPHA + a0 -* with -ALPHA/2 < a0 <= ALPHA/2 except a1 = (Q-1)/ALPHA where we -* set a1 = 0 and -ALPHA/2 <= a0 = a mod Q - Q < 0. -* Assumes coefficients to be standard representatives. -* -* Arguments: - polyveck *v1: pointer to output vector of polynomials with -* coefficients a1 -* - polyveck *v0: pointer to output vector of polynomials with -* coefficients a0 -* - const polyveck *v: pointer to input vector -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_poly_decompose(&v1->vec[i], &v0->vec[i], &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_make_hint -* -* Description: Compute hint vector. -* -* Arguments: - polyveck *h: pointer to output vector -* - const polyveck *v0: pointer to low part of input vector -* - const polyveck *v1: pointer to high part of input vector -* -* Returns number of 1 bits. 
-**************************************************/ -unsigned int PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_make_hint(polyveck *h, - const polyveck *v0, - const polyveck *v1) { - unsigned int i, s = 0; - - for (i = 0; i < K; ++i) { - s += PQCLEAN_DILITHIUM2AES_CLEAN_poly_make_hint(&h->vec[i], &v0->vec[i], &v1->vec[i]); - } - - return s; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_use_hint -* -* Description: Use hint vector to correct the high bits of input vector. -* -* Arguments: - polyveck *w: pointer to output vector of polynomials with -* corrected high bits -* - const polyveck *u: pointer to input vector -* - const polyveck *h: pointer to input hint vector -**************************************************/ -void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_poly_use_hint(&w->vec[i], &u->vec[i], &h->vec[i]); - } -} - -void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_pack_w1(uint8_t r[K * POLYW1_PACKEDBYTES], const polyveck *w1) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM2AES_CLEAN_polyw1_pack(&r[i * POLYW1_PACKEDBYTES], &w1->vec[i]); - } -} diff --git a/crypto_sign/dilithium2aes/clean/polyvec.h b/crypto_sign/dilithium2aes/clean/polyvec.h deleted file mode 100644 index ea0ade36..00000000 --- a/crypto_sign/dilithium2aes/clean/polyvec.h +++ /dev/null 
@@ -1,68 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM2AES_CLEAN_POLYVEC_H -#define PQCLEAN_DILITHIUM2AES_CLEAN_POLYVEC_H -#include "params.h" -#include "poly.h" -#include - -/* Vectors of polynomials of length L */ -typedef struct { - poly vec[L]; -} polyvecl; - -void PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); - -void PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce); - -void PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_reduce(polyvecl *v); - -void PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_freeze(polyvecl *v); - -void PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v); - -void PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_ntt(polyvecl *v); -void PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_invntt_tomont(polyvecl *v); -void PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v); -void PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_pointwise_acc_montgomery(poly *w, - const polyvecl *u, - const polyvecl *v); - - -int PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_chknorm(const polyvecl *v, int32_t B); - - - -/* Vectors of polynomials of length K */ -typedef struct { - poly vec[K]; -} polyveck; - -void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce); - -void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_reduce(polyveck *v); -void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_caddq(polyveck *v); -void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_freeze(polyveck *v); - -void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_add(polyveck *w, const polyveck *u, const polyveck *v); -void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v); -void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_shiftl(polyveck *v); - -void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_ntt(polyveck *v); -void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_invntt_tomont(polyveck *v); -void 
PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v); - -int PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_chknorm(const polyveck *v, int32_t B); - -void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v); -void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v); -unsigned int PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_make_hint(polyveck *h, - const polyveck *v0, - const polyveck *v1); -void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h); - -void PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_pack_w1(uint8_t r[K * POLYW1_PACKEDBYTES], const polyveck *w1); - -void PQCLEAN_DILITHIUM2AES_CLEAN_polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]); - -void PQCLEAN_DILITHIUM2AES_CLEAN_polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v); - -#endif diff --git a/crypto_sign/dilithium2aes/clean/reduce.c b/crypto_sign/dilithium2aes/clean/reduce.c deleted file mode 100644 index 6e8f0269..00000000 --- a/crypto_sign/dilithium2aes/clean/reduce.c +++ /dev/null 
@@ -1,69 +0,0 @@ -#include "params.h" -#include "reduce.h" -#include - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_montgomery_reduce -* -* Description: For finite field element a with -2^{31}Q <= a <= Q*2^31, -* compute r \equiv a*2^{-32} (mod Q) such that -Q < r < Q. -* -* Arguments: - int64_t: finite field element a -* -* Returns r. -**************************************************/ -int32_t PQCLEAN_DILITHIUM2AES_CLEAN_montgomery_reduce(int64_t a) { - int32_t t; - - t = (int32_t)((uint64_t)a * (uint64_t)QINV); - t = (a - (int64_t)t * Q) >> 32; - return t; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_reduce32 -* -* Description: For finite field element a with a <= 2^{31} - 2^{22} - 1, -* compute r \equiv a (mod Q) such that -6283009 <= r <= 6283007. -* -* Arguments: - int32_t: finite field element a -* -* Returns r. -**************************************************/ -int32_t PQCLEAN_DILITHIUM2AES_CLEAN_reduce32(int32_t a) { - int32_t t; - - t = (a + (1 << 22)) >> 23; - t = a - t * Q; - return t; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_caddq -* -* Description: Add Q if input coefficient is negative. -* -* Arguments: - int32_t: finite field element a -* -* Returns r. -**************************************************/ -int32_t PQCLEAN_DILITHIUM2AES_CLEAN_caddq(int32_t a) { - a += (a >> 31) & Q; - return a; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_freeze -* -* Description: For finite field element a, compute standard -* representative r = a mod^+ Q. -* -* Arguments: - int32_t: finite field element a -* -* Returns r. -**************************************************/ -int32_t PQCLEAN_DILITHIUM2AES_CLEAN_freeze(int32_t a) { - a = PQCLEAN_DILITHIUM2AES_CLEAN_reduce32(a); - a = PQCLEAN_DILITHIUM2AES_CLEAN_caddq(a); - return a; -} 
diff --git a/crypto_sign/dilithium2aes/clean/reduce.h b/crypto_sign/dilithium2aes/clean/reduce.h deleted file mode 100644 index 7ba1c955..00000000 --- a/crypto_sign/dilithium2aes/clean/reduce.h +++ /dev/null @@ -1,17 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM2AES_CLEAN_REDUCE_H -#define PQCLEAN_DILITHIUM2AES_CLEAN_REDUCE_H -#include "params.h" -#include - -#define MONT (-4186625) // 2^32 % Q -#define QINV 58728449 // q^(-1) mod 2^32 - -int32_t PQCLEAN_DILITHIUM2AES_CLEAN_montgomery_reduce(int64_t a); - -int32_t PQCLEAN_DILITHIUM2AES_CLEAN_reduce32(int32_t a); - -int32_t PQCLEAN_DILITHIUM2AES_CLEAN_caddq(int32_t a); - -int32_t PQCLEAN_DILITHIUM2AES_CLEAN_freeze(int32_t a); - -#endif diff --git a/crypto_sign/dilithium2aes/clean/rounding.c b/crypto_sign/dilithium2aes/clean/rounding.c deleted file mode 100644 index c467c5b3..00000000 --- a/crypto_sign/dilithium2aes/clean/rounding.c +++ /dev/null 
@@ -1,98 +0,0 @@ -#include "params.h" -#include "rounding.h" -#include - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_power2round -* -* Description: For finite field element a, compute a0, a1 such that -* a mod^+ Q = a1*2^D + a0 with -2^{D-1} < a0 <= 2^{D-1}. -* Assumes a to be standard representative. -* -* Arguments: - int32_t a: input element -* - int32_t *a0: pointer to output element a0 -* -* Returns a1. -**************************************************/ -int32_t PQCLEAN_DILITHIUM2AES_CLEAN_power2round(int32_t *a0, int32_t a) { - int32_t a1; - - a1 = (a + (1 << (D - 1)) - 1) >> D; - *a0 = a - (a1 << D); - return a1; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_decompose -* -* Description: For finite field element a, compute high and low bits a0, a1 such -* that a mod^+ Q = a1*ALPHA + a0 with -ALPHA/2 < a0 <= ALPHA/2 except -* if a1 = (Q-1)/ALPHA where we set a1 = 0 and -* -ALPHA/2 <= a0 = a mod^+ Q - Q < 0. Assumes a to be standard -* representative. -* -* Arguments: - int32_t a: input element -* - int32_t *a0: pointer to output element a0 -* -* Returns a1. -**************************************************/ -int32_t PQCLEAN_DILITHIUM2AES_CLEAN_decompose(int32_t *a0, int32_t a) { - int32_t a1; - - a1 = (a + 127) >> 7; - a1 = (a1 * 11275 + (1 << 23)) >> 24; - a1 ^= ((43 - a1) >> 31) & a1; - - *a0 = a - a1 * 2 * GAMMA2; - *a0 -= (((Q - 1) / 2 - *a0) >> 31) & Q; - return a1; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_make_hint -* -* Description: Compute hint bit indicating whether the low bits of the -* input element overflow into the high bits. -* -* Arguments: - int32_t a0: low bits of input element -* - int32_t a1: high bits of input element -* -* Returns 1 if overflow. 
-**************************************************/ -unsigned int PQCLEAN_DILITHIUM2AES_CLEAN_make_hint(int32_t a0, int32_t a1) { - if (a0 > GAMMA2 || a0 < -GAMMA2 || (a0 == -GAMMA2 && a1 != 0)) { - return 1; - } - - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_use_hint -* -* Description: Correct high bits according to hint. -* -* Arguments: - int32_t a: input element -* - unsigned int hint: hint bit -* -* Returns corrected high bits. -**************************************************/ -int32_t PQCLEAN_DILITHIUM2AES_CLEAN_use_hint(int32_t a, unsigned int hint) { - int32_t a0, a1; - - a1 = PQCLEAN_DILITHIUM2AES_CLEAN_decompose(&a0, a); - if (hint == 0) { - return a1; - } - - if (a0 > 0) { - if (a1 == 43) { - return 0; - } - return a1 + 1; - } - if (a1 == 0) { - return 43; - } - return a1 - 1; -} diff --git a/crypto_sign/dilithium2aes/clean/rounding.h b/crypto_sign/dilithium2aes/clean/rounding.h deleted file mode 100644 index e970c5d9..00000000 --- a/crypto_sign/dilithium2aes/clean/rounding.h +++ /dev/null @@ -1,14 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM2AES_CLEAN_ROUNDING_H -#define PQCLEAN_DILITHIUM2AES_CLEAN_ROUNDING_H -#include "params.h" -#include - -int32_t PQCLEAN_DILITHIUM2AES_CLEAN_power2round(int32_t *a0, int32_t a); - -int32_t PQCLEAN_DILITHIUM2AES_CLEAN_decompose(int32_t *a0, int32_t a); - -unsigned int PQCLEAN_DILITHIUM2AES_CLEAN_make_hint(int32_t a0, int32_t a1); - -int32_t PQCLEAN_DILITHIUM2AES_CLEAN_use_hint(int32_t a, unsigned int hint); - -#endif diff --git a/crypto_sign/dilithium2aes/clean/sign.c b/crypto_sign/dilithium2aes/clean/sign.c deleted file mode 100644 index a30df581..00000000 --- a/crypto_sign/dilithium2aes/clean/sign.c +++ /dev/null 
@@ -1,343 +0,0 @@ -#include "fips202.h" -#include "packing.h" -#include "params.h" -#include "poly.h" -#include "polyvec.h" -#include "randombytes.h" -#include "sign.h" -#include "symmetric.h" -#include - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_keypair -* -* Description: Generates public and private key. -* -* Arguments: - uint8_t *pk: pointer to output public key (allocated -* array of PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_PUBLICKEYBYTES bytes) -* - uint8_t *sk: pointer to output private key (allocated -* array of PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_SECRETKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { - uint8_t seedbuf[3 * SEEDBYTES]; - uint8_t tr[CRHBYTES]; - const uint8_t *rho, *rhoprime, *key; - polyvecl mat[K]; - polyvecl s1, s1hat; - polyveck s2, t1, t0; - - /* Get randomness for rho, rhoprime and key */ - randombytes(seedbuf, SEEDBYTES); - shake256(seedbuf, 3 * SEEDBYTES, seedbuf, SEEDBYTES); - rho = seedbuf; - rhoprime = seedbuf + SEEDBYTES; - key = seedbuf + 2 * SEEDBYTES; - - /* Expand matrix */ - PQCLEAN_DILITHIUM2AES_CLEAN_polyvec_matrix_expand(mat, rho); - - /* Sample short vectors s1 and s2 */ - PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_uniform_eta(&s1, rhoprime, 0); - PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_uniform_eta(&s2, rhoprime, L); - - /* Matrix-vector multiplication */ - s1hat = s1; - PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_ntt(&s1hat); - PQCLEAN_DILITHIUM2AES_CLEAN_polyvec_matrix_pointwise_montgomery(&t1, mat, &s1hat); - PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_reduce(&t1); - PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_invntt_tomont(&t1); - - /* Add error vector s2 */ - PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_add(&t1, &t1, &s2); - - /* Extract t1 and write public key */ - PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_caddq(&t1); - PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_power2round(&t1, &t0, 
&t1); - PQCLEAN_DILITHIUM2AES_CLEAN_pack_pk(pk, rho, &t1); - - /* Compute CRH(rho, t1) and write secret key */ - crh(tr, pk, PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_PUBLICKEYBYTES); - PQCLEAN_DILITHIUM2AES_CLEAN_pack_sk(sk, rho, tr, key, &t0, &s1, &s2); - - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_signature -* -* Description: Computes signature. -* -* Arguments: - uint8_t *sig: pointer to output signature (of length PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_BYTES) -* - size_t *siglen: pointer to output length of signature -* - uint8_t *m: pointer to message to be signed -* - size_t mlen: length of message -* - uint8_t *sk: pointer to bit-packed secret key -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_signature(uint8_t *sig, - size_t *siglen, - const uint8_t *m, - size_t mlen, - const uint8_t *sk) { - unsigned int n; - uint8_t seedbuf[2 * SEEDBYTES + 3 * CRHBYTES]; - uint8_t *rho, *tr, *key, *mu, *rhoprime; - uint16_t nonce = 0; - polyvecl mat[K], s1, y, z; - polyveck t0, s2, w1, w0, h; - poly cp; - shake256incctx state; - - rho = seedbuf; - tr = rho + SEEDBYTES; - key = tr + CRHBYTES; - mu = key + SEEDBYTES; - rhoprime = mu + CRHBYTES; - PQCLEAN_DILITHIUM2AES_CLEAN_unpack_sk(rho, tr, key, &t0, &s1, &s2, sk); - - /* Compute CRH(tr, msg) */ - shake256_inc_init(&state); - shake256_inc_absorb(&state, tr, CRHBYTES); - shake256_inc_absorb(&state, m, mlen); - shake256_inc_finalize(&state); - shake256_inc_squeeze(mu, CRHBYTES, &state); - shake256_inc_ctx_release(&state); - - crh(rhoprime, key, SEEDBYTES + CRHBYTES); - - /* Expand matrix and transform vectors */ - PQCLEAN_DILITHIUM2AES_CLEAN_polyvec_matrix_expand(mat, rho); - PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_ntt(&s1); - PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_ntt(&s2); - PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_ntt(&t0); - -rej: - /* Sample intermediate vector y */ - 
PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_uniform_gamma1(&y, rhoprime, nonce++); - - /* Matrix-vector multiplication */ - z = y; - PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_ntt(&z); - PQCLEAN_DILITHIUM2AES_CLEAN_polyvec_matrix_pointwise_montgomery(&w1, mat, &z); - PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_reduce(&w1); - PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_invntt_tomont(&w1); - - /* Decompose w and call the random oracle */ - PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_caddq(&w1); - PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_decompose(&w1, &w0, &w1); - PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_pack_w1(sig, &w1); - - shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); - shake256_inc_absorb(&state, sig, K * POLYW1_PACKEDBYTES); - shake256_inc_finalize(&state); - shake256_inc_squeeze(sig, SEEDBYTES, &state); - shake256_inc_ctx_release(&state); - PQCLEAN_DILITHIUM2AES_CLEAN_poly_challenge(&cp, sig); - PQCLEAN_DILITHIUM2AES_CLEAN_poly_ntt(&cp); - - /* Compute z, reject if it reveals secret */ - PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_pointwise_poly_montgomery(&z, &cp, &s1); - PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_invntt_tomont(&z); - PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_add(&z, &z, &y); - PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_reduce(&z); - if (PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_chknorm(&z, GAMMA1 - BETA)) { - goto rej; - } - - /* Check that subtracting cs2 does not change high bits of w and low bits - * do not reveal secret information */ - PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_pointwise_poly_montgomery(&h, &cp, &s2); - PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_invntt_tomont(&h); - PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_sub(&w0, &w0, &h); - PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_reduce(&w0); - if (PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_chknorm(&w0, GAMMA2 - BETA)) { - goto rej; - } - - /* Compute hints for w1 */ - PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_pointwise_poly_montgomery(&h, &cp, &t0); - PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_invntt_tomont(&h); - PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_reduce(&h); 
- if (PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_chknorm(&h, GAMMA2)) { - goto rej; - } - - PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_add(&w0, &w0, &h); - n = PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_make_hint(&h, &w0, &w1); - if (n > OMEGA) { - goto rej; - } - - /* Write signature */ - PQCLEAN_DILITHIUM2AES_CLEAN_pack_sig(sig, sig, &z, &h); - *siglen = PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_BYTES; - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign -* -* Description: Compute signed message. -* -* Arguments: - uint8_t *sm: pointer to output signed message (allocated -* array with PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_BYTES + mlen bytes), -* can be equal to m -* - size_t *smlen: pointer to output length of signed -* message -* - const uint8_t *m: pointer to message to be signed -* - size_t mlen: length of message -* - const uint8_t *sk: pointer to bit-packed secret key -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign(uint8_t *sm, - size_t *smlen, - const uint8_t *m, - size_t mlen, - const uint8_t *sk) { - size_t i; - - for (i = 0; i < mlen; ++i) { - sm[PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_BYTES + mlen - 1 - i] = m[mlen - 1 - i]; - } - PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_signature(sm, smlen, sm + PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_BYTES, mlen, sk); - *smlen += mlen; - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_verify -* -* Description: Verifies signature. 
-* -* Arguments: - uint8_t *m: pointer to input signature -* - size_t siglen: length of signature -* - const uint8_t *m: pointer to message -* - size_t mlen: length of message -* - const uint8_t *pk: pointer to bit-packed public key -* -* Returns 0 if signature could be verified correctly and -1 otherwise -**************************************************/ -int PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_verify(const uint8_t *sig, - size_t siglen, - const uint8_t *m, - size_t mlen, - const uint8_t *pk) { - unsigned int i; - uint8_t buf[K * POLYW1_PACKEDBYTES]; - uint8_t rho[SEEDBYTES]; - uint8_t mu[CRHBYTES]; - uint8_t c[SEEDBYTES]; - uint8_t c2[SEEDBYTES]; - poly cp; - polyvecl mat[K], z; - polyveck t1, w1, h; - shake256incctx state; - - if (siglen != PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_BYTES) { - return -1; - } - - PQCLEAN_DILITHIUM2AES_CLEAN_unpack_pk(rho, &t1, pk); - if (PQCLEAN_DILITHIUM2AES_CLEAN_unpack_sig(c, &z, &h, sig)) { - return -1; - } - if (PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_chknorm(&z, GAMMA1 - BETA)) { - return -1; - } - - /* Compute CRH(CRH(rho, t1), msg) */ - crh(mu, pk, PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_PUBLICKEYBYTES); - shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); - shake256_inc_absorb(&state, m, mlen); - shake256_inc_finalize(&state); - shake256_inc_squeeze(mu, CRHBYTES, &state); - shake256_inc_ctx_release(&state); - - /* Matrix-vector multiplication; compute Az - c2^dt1 */ - PQCLEAN_DILITHIUM2AES_CLEAN_poly_challenge(&cp, c); - PQCLEAN_DILITHIUM2AES_CLEAN_polyvec_matrix_expand(mat, rho); - - PQCLEAN_DILITHIUM2AES_CLEAN_polyvecl_ntt(&z); - PQCLEAN_DILITHIUM2AES_CLEAN_polyvec_matrix_pointwise_montgomery(&w1, mat, &z); - - PQCLEAN_DILITHIUM2AES_CLEAN_poly_ntt(&cp); - PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_shiftl(&t1); - PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_ntt(&t1); - PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_pointwise_poly_montgomery(&t1, &cp, &t1); - - PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_sub(&w1, &w1, &t1); - 
PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_reduce(&w1); - PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_invntt_tomont(&w1); - - /* Reconstruct w1 */ - PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_caddq(&w1); - PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_use_hint(&w1, &w1, &h); - PQCLEAN_DILITHIUM2AES_CLEAN_polyveck_pack_w1(buf, &w1); - - /* Call random oracle and verify PQCLEAN_DILITHIUM2AES_CLEAN_challenge */ - shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); - shake256_inc_absorb(&state, buf, K * POLYW1_PACKEDBYTES); - shake256_inc_finalize(&state); - shake256_inc_squeeze(c2, SEEDBYTES, &state); - shake256_inc_ctx_release(&state); - for (i = 0; i < SEEDBYTES; ++i) { - if (c[i] != c2[i]) { - return -1; - } - } - - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_open -* -* Description: Verify signed message. -* -* Arguments: - uint8_t *m: pointer to output message (allocated -* array with smlen bytes), can be equal to sm -* - size_t *mlen: pointer to output length of message -* - const uint8_t *sm: pointer to signed message -* - size_t smlen: length of signed message -* - const uint8_t *pk: pointer to bit-packed public key -* -* Returns 0 if signed message could be verified correctly and -1 otherwise -**************************************************/ -int PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_open(uint8_t *m, - size_t *mlen, - const uint8_t *sm, - size_t smlen, - const uint8_t *pk) { - size_t i; - - if (smlen < PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_BYTES) { - goto badsig; - } - - *mlen = smlen - PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_BYTES; - if (PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_verify(sm, PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_BYTES, sm + PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_BYTES, *mlen, pk)) { - goto badsig; - } else { - /* All good, copy msg, return 0 */ - for (i = 0; i < *mlen; ++i) { - m[i] = sm[PQCLEAN_DILITHIUM2AES_CLEAN_CRYPTO_BYTES + i]; - } - return 0; - } - -badsig: - /* Signature verification 
failed */ - *mlen = (size_t) -1; - for (i = 0; i < smlen; ++i) { - m[i] = 0; - } - - return -1; -} diff --git a/crypto_sign/dilithium2aes/clean/sign.h b/crypto_sign/dilithium2aes/clean/sign.h deleted file mode 100644 index 567eb054..00000000 --- a/crypto_sign/dilithium2aes/clean/sign.h +++ /dev/null @@ -1,29 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM2AES_CLEAN_SIGN_H -#define PQCLEAN_DILITHIUM2AES_CLEAN_SIGN_H -#include "params.h" -#include "poly.h" -#include "polyvec.h" -#include -#include - -void PQCLEAN_DILITHIUM2AES_CLEAN_challenge(poly *c, const uint8_t seed[SEEDBYTES]); - -int PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk); - -int PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_signature(uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -int PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign(uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -int PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_verify(const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, - const uint8_t *pk); - -int PQCLEAN_DILITHIUM2AES_CLEAN_crypto_sign_open(uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *pk); - -#endif diff --git a/crypto_sign/dilithium2aes/clean/symmetric-aes.c b/crypto_sign/dilithium2aes/clean/symmetric-aes.c deleted file mode 100644 index 4ae16c26..00000000 --- a/crypto_sign/dilithium2aes/clean/symmetric-aes.c +++ /dev/null @@ -1,12 +0,0 @@ -#include "aes256ctr.h" -#include "symmetric.h" -#include - -void PQCLEAN_DILITHIUM2AES_CLEAN_dilithium_aes256ctr_init(aes256ctr_ctx *state, - const uint8_t key[32], - uint16_t nonce) { - uint8_t expnonce[12] = {0}; - expnonce[0] = (uint8_t) nonce; - expnonce[1] = (uint8_t) (nonce >> 8); - PQCLEAN_DILITHIUM2AES_CLEAN_aes256ctr_init(state, key, expnonce); -} diff --git a/crypto_sign/dilithium2aes/clean/symmetric.h b/crypto_sign/dilithium2aes/clean/symmetric.h deleted file mode 100644 index 6ef04c5c..00000000 
--- a/crypto_sign/dilithium2aes/clean/symmetric.h +++ /dev/null @@ -1,33 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM2AES_CLEAN_SYMMETRIC_H -#define PQCLEAN_DILITHIUM2AES_CLEAN_SYMMETRIC_H -#include "aes256ctr.h" -#include "fips202.h" -#include "params.h" -#include - - - -typedef aes256ctr_ctx stream128_state; -typedef aes256ctr_ctx stream256_state; - -void PQCLEAN_DILITHIUM2AES_CLEAN_dilithium_aes256ctr_init(aes256ctr_ctx *state, - const uint8_t key[32], - uint16_t nonce); - -#define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES -#define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES - -#define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES) -#define stream128_init(STATE, SEED, NONCE) \ - PQCLEAN_DILITHIUM2AES_CLEAN_dilithium_aes256ctr_init(STATE, SEED, NONCE) -#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \ - PQCLEAN_DILITHIUM2AES_CLEAN_aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE) -#define stream128_release(STATE) -#define stream256_init(STATE, SEED, NONCE) \ - PQCLEAN_DILITHIUM2AES_CLEAN_dilithium_aes256ctr_init(STATE, SEED, NONCE) -#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \ - PQCLEAN_DILITHIUM2AES_CLEAN_aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE) -#define stream256_release(STATE) - - -#endif diff --git a/crypto_sign/dilithium3aes/META.yml b/crypto_sign/dilithium3aes/META.yml deleted file mode 100644 index 7b42c902..00000000 --- a/crypto_sign/dilithium3aes/META.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -name: Dilithium3-AES -type: signature -claimed-nist-level: 3 -length-public-key: 1952 -length-secret-key: 4016 -length-signature: 3293 -nistkat-sha256: c1519093239804f90d1c9386e2a95b42b45dc65cbdc7c1dd777fe27de3840517 -testvectors-sha256: 9637ff196abfad19f3479e6a6ec3e91fc6de3bae89adf8617d91154063a3262a -principal-submitters: - - Vadim Lyubashevsky -auxiliary-submitters: - - Léo Ducas - - Eike Kiltz - - Tancrède Lepoint - - Peter Schwabe - - Gregor Seiler - - Damien Stehlé -implementations: - - name: clean - version: https://github.com/pq-crystals/dilithium/commit/1e63a1e880401166f105ab44ec67464c9714a315 via https://github.com/jschanck/package-pqclean/tree/b158a891/dilithium - - name: avx2 - version: https://github.com/pq-crystals/dilithium/commit/1e63a1e880401166f105ab44ec67464c9714a315 via https://github.com/jschanck/package-pqclean/tree/b158a891/dilithium - supported_platforms: - - architecture: x86_64 - operating_systems: - - Linux - - Darwin - required_flags: - - aes - - avx2 - - popcnt diff --git a/crypto_sign/dilithium3aes/avx2/LICENSE b/crypto_sign/dilithium3aes/avx2/LICENSE deleted file mode 100644 index 08473af7..00000000 --- a/crypto_sign/dilithium3aes/avx2/LICENSE +++ /dev/null @@ -1,5 +0,0 @@ -Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/) - -For Keccak and AES we are using public-domain -code from sources and by authors listed in -comments on top of the respective files. diff --git a/crypto_sign/dilithium3aes/avx2/aes256ctr.c b/crypto_sign/dilithium3aes/avx2/aes256ctr.c deleted file mode 100644 index e6e165b8..00000000 --- a/crypto_sign/dilithium3aes/avx2/aes256ctr.c +++ /dev/null 
@@ -1,142 +0,0 @@
-#include "aes256ctr.h"
-#include
-#include
-#include
-/* Based heavily on public-domain code by Romain Dolbeau
- * Different handling of nonce+counter than original version using
- * separated 64-bit nonce and internal 64-bit counter, starting from zero
- * Public Domain */
-
-
-static inline void aesni_encrypt4(uint8_t out[64], __m128i *n, const __m128i rkeys[16]) {
- __m128i f, f0, f1, f2, f3;
- const __m128i idx = _mm_set_epi8(8, 9, 10, 11, 12, 13, 14, 15, 7, 6, 5, 4, 3, 2, 1, 0);
-
- /* Load current counter value */
- f = _mm_load_si128(n);
-
- /* Increase counter in 4 consecutive blocks */
- f0 = _mm_shuffle_epi8(_mm_add_epi64(f, _mm_set_epi64x(0, 0)), idx);
- f1 = _mm_shuffle_epi8(_mm_add_epi64(f, _mm_set_epi64x(1, 0)), idx);
- f2 = _mm_shuffle_epi8(_mm_add_epi64(f, _mm_set_epi64x(2, 0)), idx);
- f3 = _mm_shuffle_epi8(_mm_add_epi64(f, _mm_set_epi64x(3, 0)), idx);
-
- /* Write counter for next iteration, increased by 4 */
- _mm_store_si128(n, _mm_add_epi64(f, _mm_set_epi64x(4, 0)));
-
- /* Actual AES encryption, 4x interleaved */
- f = _mm_load_si128(&rkeys[0]);
- f0 = _mm_xor_si128(f0, f);
- f1 = _mm_xor_si128(f1, f);
- f2 = _mm_xor_si128(f2, f);
- f3 = _mm_xor_si128(f3, f);
-
- for (int i = 1; i < 14; i++) {
- f = _mm_load_si128(&rkeys[i]);
- f0 = _mm_aesenc_si128(f0, f);
- f1 = _mm_aesenc_si128(f1, f);
- f2 = _mm_aesenc_si128(f2, f);
- f3 = _mm_aesenc_si128(f3, f);
- }
-
- f = _mm_load_si128(&rkeys[14]);
- f0 = _mm_aesenclast_si128(f0, f);
- f1 = _mm_aesenclast_si128(f1, f);
- f2 = _mm_aesenclast_si128(f2, f);
- f3 = _mm_aesenclast_si128(f3, f);
-
- /* Write results */
- _mm_storeu_si128((__m128i *)(out + 0), f0);
- _mm_storeu_si128((__m128i *)(out + 16), f1);
- _mm_storeu_si128((__m128i *)(out + 32), f2);
- _mm_storeu_si128((__m128i *)(out + 48), f3);
-}
-
-void PQCLEAN_DILITHIUM3AES_AVX2_aes256ctr_init(aes256ctr_ctx *state, const uint8_t key[32], uint64_t nonce) {
- __m128i key0, key1, temp0, temp1, temp2, temp4;
- int idx = 0;
-
- key0
= _mm_loadu_si128((__m128i *)(key + 0));
- key1 = _mm_loadu_si128((__m128i *)(key + 16));
- state->n = _mm_loadl_epi64((__m128i *)&nonce);
-
- state->rkeys[idx++] = key0;
- temp0 = key0;
- temp2 = key1;
- temp4 = _mm_setzero_si128();
-
-#define BLOCK1(IMM) \
- temp1 = _mm_aeskeygenassist_si128(temp2, IMM); \
- state->rkeys[idx++] = temp2; \
- temp4 = (__m128i)_mm_shuffle_ps((__m128)temp4, (__m128)temp0, 0x10); \
- temp0 = _mm_xor_si128(temp0, temp4); \
- temp4 = (__m128i)_mm_shuffle_ps((__m128)temp4, (__m128)temp0, 0x8c); \
- temp0 = _mm_xor_si128(temp0, temp4); \
- temp1 = (__m128i)_mm_shuffle_ps((__m128)temp1, (__m128)temp1, 0xff); \
- temp0 = _mm_xor_si128(temp0, temp1)
-
-#define BLOCK2(IMM) \
- temp1 = _mm_aeskeygenassist_si128(temp0, IMM); \
- state->rkeys[idx++] = temp0; \
- temp4 = (__m128i)_mm_shuffle_ps((__m128)temp4, (__m128)temp2, 0x10); \
- temp2 = _mm_xor_si128(temp2, temp4); \
- temp4 = (__m128i)_mm_shuffle_ps((__m128)temp4, (__m128)temp2, 0x8c); \
- temp2 = _mm_xor_si128(temp2, temp4); \
- temp1 = (__m128i)_mm_shuffle_ps((__m128)temp1, (__m128)temp1, 0xaa); \
- temp2 = _mm_xor_si128(temp2, temp1)
-
- BLOCK1(0x01);
- BLOCK2(0x01);
-
- BLOCK1(0x02);
- BLOCK2(0x02);
-
- BLOCK1(0x04);
- BLOCK2(0x04);
-
- BLOCK1(0x08);
- BLOCK2(0x08);
-
- BLOCK1(0x10);
- BLOCK2(0x10);
-
- BLOCK1(0x20);
- BLOCK2(0x20);
-
- BLOCK1(0x40);
- state->rkeys[idx++] = temp0;
-}
-
-void PQCLEAN_DILITHIUM3AES_AVX2_aes256ctr_squeezeblocks(uint8_t *out,
- size_t nblocks,
- aes256ctr_ctx *state) {
- size_t i;
- for (i = 0; i < nblocks; i++) {
- aesni_encrypt4(out, &state->n, state->rkeys);
- out += 64;
- }
-}
-
-void PQCLEAN_DILITHIUM3AES_AVX2_aes256ctr_prf(uint8_t *out,
- size_t outlen,
- const uint8_t seed[32],
- uint64_t nonce) {
- unsigned int i;
- uint8_t buf[64];
- aes256ctr_ctx state;
-
- PQCLEAN_DILITHIUM3AES_AVX2_aes256ctr_init(&state, seed, nonce);
-
- while (outlen >= 64) {
- aesni_encrypt4(out, &state.n, state.rkeys);
- outlen -= 64;
- out += 64;
- }
-
- if (outlen) {
-
aesni_encrypt4(buf, &state.n, state.rkeys);
- for (i = 0; i < outlen; i++) {
- out[i] = buf[i];
- }
- }
-}
diff --git a/crypto_sign/dilithium3aes/avx2/aes256ctr.h b/crypto_sign/dilithium3aes/avx2/aes256ctr.h
deleted file mode 100644
index d0e6fda8..00000000
--- a/crypto_sign/dilithium3aes/avx2/aes256ctr.h
+++ /dev/null
@@ -1,29 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM3AES_AVX2_AES256CTR_H
-#define PQCLEAN_DILITHIUM3AES_AVX2_AES256CTR_H
-
-#include
-#include
-#include
-
-
-#define AES256CTR_BLOCKBYTES 64
-
-typedef struct {
- __m128i rkeys[16];
- __m128i n;
-} aes256ctr_ctx;
-
-void PQCLEAN_DILITHIUM3AES_AVX2_aes256ctr_init(aes256ctr_ctx *state,
- const uint8_t key[32],
- uint64_t nonce);
-
-void PQCLEAN_DILITHIUM3AES_AVX2_aes256ctr_squeezeblocks(uint8_t *out,
- size_t nblocks,
- aes256ctr_ctx *state);
-
-void PQCLEAN_DILITHIUM3AES_AVX2_aes256ctr_prf(uint8_t *out,
- size_t outlen,
- const uint8_t seed[32],
- uint64_t nonce);
-
-#endif
diff --git a/crypto_sign/dilithium3aes/avx2/align.h b/crypto_sign/dilithium3aes/avx2/align.h
deleted file mode 100644
index c041f48c..00000000
--- a/crypto_sign/dilithium3aes/avx2/align.h
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM3AES_AVX2_ALIGN_H
-#define PQCLEAN_DILITHIUM3AES_AVX2_ALIGN_H
-
-#include
-#include
-
-#define ALIGNED_UINT8(N) \
- union { \
- uint8_t coeffs[N]; \
- __m256i vec[((N)+31)/32]; \
- }
-
-#define ALIGNED_INT32(N) \
- union { \
- int32_t coeffs[N]; \
- __m256i vec[((N)+7)/8]; \
- }
-
-#endif
diff --git a/crypto_sign/dilithium3aes/avx2/api.h b/crypto_sign/dilithium3aes/avx2/api.h
deleted file mode 100644
index 39a2fbad..00000000
--- a/crypto_sign/dilithium3aes/avx2/api.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM3AES_AVX2_API_H
-#define PQCLEAN_DILITHIUM3AES_AVX2_API_H
-
-#include
-#include
-
-#define PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_PUBLICKEYBYTES 1952
-#define PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_SECRETKEYBYTES 4016
-#define PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_BYTES 3293
-
-#define PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_ALGNAME "Dilithium3-AES"
-
-
-int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen, const uint8_t *pk);
-
-#endif
diff --git a/crypto_sign/dilithium3aes/avx2/cdecl.h b/crypto_sign/dilithium3aes/avx2/cdecl.h
deleted file mode 100644
index 50487c85..00000000
--- a/crypto_sign/dilithium3aes/avx2/cdecl.h
+++ /dev/null
@@ -1,24 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM3AES_AVX2_CDECL_H
-#define PQCLEAN_DILITHIUM3AES_AVX2_CDECL_H
-
-
-
-#define _8XQ 0
-#define _8XQINV 8
-#define _8XDIV_QINV 16
-#define _8XDIV 24
-#define _ZETAS_QINV 32
-#define _ZETAS 328
-
-/* The C ABI on MacOS exports all symbols with a leading
- * underscore. This means that any symbols we refer to from
- * C files (functions) can't be found, and all symbols we
- * refer to from ASM also can't be found (nttconsts.c).
- *
- * This define helps us get around this
- */
-
-#define _cdecl(s) _##s
-#define cdecl(s) s
-
-#endif
diff --git a/crypto_sign/dilithium3aes/avx2/consts.c b/crypto_sign/dilithium3aes/avx2/consts.c
deleted file mode 100644
index d5203cf9..00000000
--- a/crypto_sign/dilithium3aes/avx2/consts.c
+++ /dev/null
@@ -1,101 +0,0 @@ -#include "consts.h" -#include "params.h" -#include - -#define QINV 58728449 // q^(-1) mod 2^32 -#define MONT (-4186625) // 2^32 mod q -#define DIV 41978 // mont^2/256 -#define DIV_QINV (-8395782) - -const qdata_t PQCLEAN_DILITHIUM3AES_AVX2_qdata = {{ -//#define _8XQ 0 - Q, Q, Q, Q, Q, Q, Q, Q, - -//#define _8XQINV 8 - QINV, QINV, QINV, QINV, QINV, QINV, QINV, QINV, - -//#define _8XDIV_QINV 16 - DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV, - -//#define _8XDIV 24 - DIV, DIV, DIV, DIV, DIV, DIV, DIV, DIV, - -//#define _ZETAS_QINV 32 - -151046689, 1830765815, -1929875198, -1927777021, 1640767044, 1477910808, 1612161320, 1640734244, - 308362795, 308362795, 308362795, 308362795, -1815525077, -1815525077, -1815525077, -1815525077, - -1374673747, -1374673747, -1374673747, -1374673747, -1091570561, -1091570561, -1091570561, -1091570561, - -1929495947, -1929495947, -1929495947, -1929495947, 515185417, 515185417, 515185417, 515185417, - -285697463, -285697463, -285697463, -285697463, 625853735, 625853735, 625853735, 625853735, - 1727305304, 1727305304, 2082316400, 2082316400, -1364982364, -1364982364, 858240904, 858240904, - 1806278032, 1806278032, 222489248, 222489248, -346752664, -346752664, 684667771, 684667771, - 1654287830, 1654287830, -878576921, -878576921, -1257667337, -1257667337, -748618600, -748618600, - 329347125, 329347125, 1837364258, 1837364258, -1443016191, -1443016191, -1170414139, -1170414139, - -1846138265, -1631226336, -1404529459, 1838055109, 1594295555, -1076973524, -1898723372, -594436433, - -202001019, -475984260, -561427818, 1797021249, -1061813248, 2059733581, -1661512036, -1104976547, - -1750224323, -901666090, 418987550, 1831915353, -1925356481, 992097815, 879957084, 2024403852, - 1484874664, -1636082790, -285388938, -1983539117, -1495136972, -950076368, -1714807468, -952438995, - -1574918427, 1350681039, -2143979939, 1599739335, -1285853323, -993005454, -1440787840, 568627424, - -783134478, 
-588790216, 289871779, -1262003603, 2135294594, -1018755525, -889861155, 1665705315, - 1321868265, 1225434135, -1784632064, 666258756, 675310538, -1555941048, -1999506068, -1499481951, - -695180180, -1375177022, 1777179795, 334803717, -178766299, -518252220, 1957047970, 1146323031, - -654783359, -1974159335, 1651689966, 140455867, -1039411342, 1955560694, 1529189038, -2131021878, - -247357819, 1518161567, -86965173, 1708872713, 1787797779, 1638590967, -120646188, -1669960606, - -916321552, 1155548552, 2143745726, 1210558298, -1261461890, -318346816, 628664287, -1729304568, - 1422575624, 1424130038, -1185330464, 235321234, 168022240, 1206536194, 985155484, -894060583, - -898413, -1363460238, -605900043, 2027833504, 14253662, 1014493059, 863641633, 1819892093, - 2124962073, -1223601433, -1920467227, -1637785316, -1536588520, 694382729, 235104446, -1045062172, - 831969619, -300448763, 756955444, -260312805, 1554794072, 1339088280, -2040058690, -853476187, - -2047270596, -1723816713, -1591599803, -440824168, 1119856484, 1544891539, 155290192, -973777462, - 991903578, 912367099, -44694137, 1176904444, -421552614, -818371958, 1747917558, -325927722, - 908452108, 1851023419, -1176751719, -1354528380, -72690498, -314284737, 985022747, 963438279, - -1078959975, 604552167, -1021949428, 608791570, 173440395, -2126092136, -1316619236, -1039370342, - 6087993, -110126092, 565464272, -1758099917, -1600929361, 879867909, -1809756372, 400711272, - 1363007700, 30313375, -326425360, 1683520342, -517299994, 2027935492, -1372618620, 128353682, - -1123881663, 137583815, -635454918, -642772911, 45766801, 671509323, -2070602178, 419615363, - 1216882040, -270590488, -1276805128, 371462360, -1357098057, -384158533, 827959816, -596344473, - 702390549, -279505433, -260424530, -71875110, -1208667171, -1499603926, 2036925262, -540420426, - 746144248, -1420958686, 2032221021, 1904936414, 1257750362, 1926727420, 1931587462, 1258381762, - 885133339, 1629985060, 1967222129, 6363718, -1287922800, 
1136965286, 1779436847, 1116720494, - 1042326957, 1405999311, 713994583, 940195359, -1542497137, 2061661095, -883155599, 1726753853, - -1547952704, 394851342, 283780712, 776003547, 1123958025, 201262505, 1934038751, 374860238, - -//#define _ZETAS 328 - -3975713, 25847, -2608894, -518909, 237124, -777960, -876248, 466468, - 1826347, 1826347, 1826347, 1826347, 2353451, 2353451, 2353451, 2353451, - -359251, -359251, -359251, -359251, -2091905, -2091905, -2091905, -2091905, - 3119733, 3119733, 3119733, 3119733, -2884855, -2884855, -2884855, -2884855, - 3111497, 3111497, 3111497, 3111497, 2680103, 2680103, 2680103, 2680103, - 2725464, 2725464, 1024112, 1024112, -1079900, -1079900, 3585928, 3585928, - -549488, -549488, -1119584, -1119584, 2619752, 2619752, -2108549, -2108549, - -2118186, -2118186, -3859737, -3859737, -1399561, -1399561, -3277672, -3277672, - 1757237, 1757237, -19422, -19422, 4010497, 4010497, 280005, 280005, - 2706023, 95776, 3077325, 3530437, -1661693, -3592148, -2537516, 3915439, - -3861115, -3043716, 3574422, -2867647, 3539968, -300467, 2348700, -539299, - -1699267, -1643818, 3505694, -3821735, 3507263, -2140649, -1600420, 3699596, - 811944, 531354, 954230, 3881043, 3900724, -2556880, 2071892, -2797779, - -3930395, -3677745, -1452451, 2176455, -1257611, -4083598, -3190144, -3632928, - 3412210, 2147896, -2967645, -411027, -671102, -22981, -381987, 1852771, - -3343383, 508951, 44288, 904516, -3724342, 1653064, 2389356, 759969, - 189548, 3159746, -2409325, 1315589, 1285669, -812732, -3019102, -3628969, - -1528703, -3041255, 3475950, -1585221, 1939314, -1000202, -3157330, 126922, - -983419, 2715295, -3693493, -2477047, -1228525, -1308169, 1349076, -1430430, - 264944, 3097992, -1100098, 3958618, -8578, -3249728, -210977, -1316856, - -3553272, -1851402, -177440, 1341330, -1584928, -1439742, -3881060, 3839961, - 2091667, -3342478, 266997, -3520352, 900702, 495491, -655327, -3556995, - 342297, 3437287, 2842341, 4055324, -3767016, -2994039, -1333058, -451100, 
- -1279661, 1500165, -542412, -2584293, -2013608, 1957272, -3183426, 810149, - -3038916, 2213111, -426683, -1667432, -2939036, 183443, -554416, 3937738, - 3407706, 2244091, 2434439, -3759364, 1859098, -1613174, -3122442, -525098, - 286988, -3342277, 2691481, 1247620, 1250494, 1869119, 1237275, 1312455, - 1917081, 777191, -2831860, -3724270, 2432395, 3369112, 162844, 1652634, - 3523897, -975884, 1723600, -1104333, -2235985, -976891, 3919660, 1400424, - 2316500, -2446433, -1235728, -1197226, 909542, -43260, 2031748, -768622, - -2437823, 1735879, -2590150, 2486353, 2635921, 1903435, -3318210, 3306115, - -2546312, 2235880, -1671176, 594136, 2454455, 185531, 1616392, -3694233, - 3866901, 1717735, -1803090, -260646, -420899, 1612842, -48306, -846154, - 3817976, -3562462, 3513181, -3193378, 819034, -522500, 3207046, -3595838, - 4108315, 203044, 1265009, 1595974, -3548272, -1050970, -1430225, -1962642, - -1374803, 3406031, -1846953, -3776993, -164721, -1207385, 3014001, -1799107, - 269760, 472078, 1910376, -3833893, -2286327, -3545687, -1362209, 1976782, - } -}; diff --git a/crypto_sign/dilithium3aes/avx2/consts.h b/crypto_sign/dilithium3aes/avx2/consts.h deleted file mode 100644 index 3fbd6271..00000000 --- a/crypto_sign/dilithium3aes/avx2/consts.h +++ /dev/null @@ -1,10 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM3AES_AVX2_CONSTS_H -#define PQCLEAN_DILITHIUM3AES_AVX2_CONSTS_H -#include "align.h" -#include "cdecl.h" - - -typedef ALIGNED_INT32(624) qdata_t; -extern const qdata_t PQCLEAN_DILITHIUM3AES_AVX2_qdata; - -#endif diff --git a/crypto_sign/dilithium3aes/avx2/invntt.S b/crypto_sign/dilithium3aes/avx2/invntt.S deleted file mode 100644 index 9cc43174..00000000 --- a/crypto_sign/dilithium3aes/avx2/invntt.S +++ /dev/null 
@@ -1,240 +0,0 @@ -#include "cdecl.h" -.include "shuffle.inc" - -.macro butterfly l,h,zl0=1,zl1=1,zh0=2,zh1=2 -vpsubd %ymm\l,%ymm\h,%ymm12 -vpaddd %ymm\h,%ymm\l,%ymm\l - -vpmuldq %ymm\zl0,%ymm12,%ymm13 -vmovshdup %ymm12,%ymm\h -vpmuldq %ymm\zl1,%ymm\h,%ymm14 - -vpmuldq %ymm\zh0,%ymm12,%ymm12 -vpmuldq %ymm\zh1,%ymm\h,%ymm\h - -vpmuldq %ymm0,%ymm13,%ymm13 -vpmuldq %ymm0,%ymm14,%ymm14 - -vpsubd %ymm13,%ymm12,%ymm12 -vpsubd %ymm14,%ymm\h,%ymm\h - -vmovshdup %ymm12,%ymm12 -vpblendd $0xAA,%ymm\h,%ymm12,%ymm\h -.endm - -.macro levels0t5 off -vmovdqa 256*\off+ 0(%rdi),%ymm4 -vmovdqa 256*\off+ 32(%rdi),%ymm5 -vmovdqa 256*\off+ 64(%rdi),%ymm6 -vmovdqa 256*\off+ 96(%rdi),%ymm7 -vmovdqa 256*\off+128(%rdi),%ymm8 -vmovdqa 256*\off+160(%rdi),%ymm9 -vmovdqa 256*\off+192(%rdi),%ymm10 -vmovdqa 256*\off+224(%rdi),%ymm11 - -/* level 0 */ -vpermq $0x1B,(_ZETAS_QINV+296-8*\off-8)*4(%rsi),%ymm3 -vpermq $0x1B,(_ZETAS+296-8*\off-8)*4(%rsi),%ymm15 -vmovshdup %ymm3,%ymm1 -vmovshdup %ymm15,%ymm2 -butterfly 4,5,1,3,2,15 - -vpermq $0x1B,(_ZETAS_QINV+296-8*\off-40)*4(%rsi),%ymm3 -vpermq $0x1B,(_ZETAS+296-8*\off-40)*4(%rsi),%ymm15 -vmovshdup %ymm3,%ymm1 -vmovshdup %ymm15,%ymm2 -butterfly 6,7,1,3,2,15 - -vpermq $0x1B,(_ZETAS_QINV+296-8*\off-72)*4(%rsi),%ymm3 -vpermq $0x1B,(_ZETAS+296-8*\off-72)*4(%rsi),%ymm15 -vmovshdup %ymm3,%ymm1 -vmovshdup %ymm15,%ymm2 -butterfly 8,9,1,3,2,15 - -vpermq $0x1B,(_ZETAS_QINV+296-8*\off-104)*4(%rsi),%ymm3 -vpermq $0x1B,(_ZETAS+296-8*\off-104)*4(%rsi),%ymm15 -vmovshdup %ymm3,%ymm1 -vmovshdup %ymm15,%ymm2 -butterfly 10,11,1,3,2,15 - -/* level 1 */ -vpermq $0x1B,(_ZETAS_QINV+168-8*\off-8)*4(%rsi),%ymm3 -vpermq $0x1B,(_ZETAS+168-8*\off-8)*4(%rsi),%ymm15 -vmovshdup %ymm3,%ymm1 -vmovshdup %ymm15,%ymm2 -butterfly 4,6,1,3,2,15 -butterfly 5,7,1,3,2,15 - -vpermq $0x1B,(_ZETAS_QINV+168-8*\off-40)*4(%rsi),%ymm3 -vpermq $0x1B,(_ZETAS+168-8*\off-40)*4(%rsi),%ymm15 -vmovshdup %ymm3,%ymm1 -vmovshdup %ymm15,%ymm2 -butterfly 8,10,1,3,2,15 -butterfly 9,11,1,3,2,15 - -/* level 2 */ 
-vpermq $0x1B,(_ZETAS_QINV+104-8*\off-8)*4(%rsi),%ymm3 -vpermq $0x1B,(_ZETAS+104-8*\off-8)*4(%rsi),%ymm15 -vmovshdup %ymm3,%ymm1 -vmovshdup %ymm15,%ymm2 -butterfly 4,8,1,3,2,15 -butterfly 5,9,1,3,2,15 -butterfly 6,10,1,3,2,15 -butterfly 7,11,1,3,2,15 - -/* level 3 */ -shuffle2 4,5,3,5 -shuffle2 6,7,4,7 -shuffle2 8,9,6,9 -shuffle2 10,11,8,11 - -vpermq $0x1B,(_ZETAS_QINV+72-8*\off-8)*4(%rsi),%ymm1 -vpermq $0x1B,(_ZETAS+72-8*\off-8)*4(%rsi),%ymm2 -butterfly 3,5 -butterfly 4,7 -butterfly 6,9 -butterfly 8,11 - -/* level 4 */ -shuffle4 3,4,10,4 -shuffle4 6,8,3,8 -shuffle4 5,7,6,7 -shuffle4 9,11,5,11 - -vpermq $0x1B,(_ZETAS_QINV+40-8*\off-8)*4(%rsi),%ymm1 -vpermq $0x1B,(_ZETAS+40-8*\off-8)*4(%rsi),%ymm2 -butterfly 10,4 -butterfly 3,8 -butterfly 6,7 -butterfly 5,11 - -/* level 5 */ -shuffle8 10,3,9,3 -shuffle8 6,5,10,5 -shuffle8 4,8,6,8 -shuffle8 7,11,4,11 - -vpbroadcastd (_ZETAS_QINV+7-\off)*4(%rsi),%ymm1 -vpbroadcastd (_ZETAS+7-\off)*4(%rsi),%ymm2 -butterfly 9,3 -butterfly 10,5 -butterfly 6,8 -butterfly 4,11 - -vmovdqa %ymm9,256*\off+ 0(%rdi) -vmovdqa %ymm10,256*\off+ 32(%rdi) -vmovdqa %ymm6,256*\off+ 64(%rdi) -vmovdqa %ymm4,256*\off+ 96(%rdi) -vmovdqa %ymm3,256*\off+128(%rdi) -vmovdqa %ymm5,256*\off+160(%rdi) -vmovdqa %ymm8,256*\off+192(%rdi) -vmovdqa %ymm11,256*\off+224(%rdi) -.endm - -.macro levels6t7 off -vmovdqa 0+32*\off(%rdi),%ymm4 -vmovdqa 128+32*\off(%rdi),%ymm5 -vmovdqa 256+32*\off(%rdi),%ymm6 -vmovdqa 384+32*\off(%rdi),%ymm7 -vmovdqa 512+32*\off(%rdi),%ymm8 -vmovdqa 640+32*\off(%rdi),%ymm9 -vmovdqa 768+32*\off(%rdi),%ymm10 -vmovdqa 896+32*\off(%rdi),%ymm11 - -/* level 6 */ -vpbroadcastd (_ZETAS_QINV+3)*4(%rsi),%ymm1 -vpbroadcastd (_ZETAS+3)*4(%rsi),%ymm2 -butterfly 4,6 -butterfly 5,7 - -vpbroadcastd (_ZETAS_QINV+2)*4(%rsi),%ymm1 -vpbroadcastd (_ZETAS+2)*4(%rsi),%ymm2 -butterfly 8,10 -butterfly 9,11 - -/* level 7 */ -vpbroadcastd (_ZETAS_QINV+0)*4(%rsi),%ymm1 -vpbroadcastd (_ZETAS+0)*4(%rsi),%ymm2 - -butterfly 4,8 -butterfly 5,9 -butterfly 6,10 -butterfly 7,11 
- -vmovdqa %ymm8,512+32*\off(%rdi) -vmovdqa %ymm9,640+32*\off(%rdi) -vmovdqa %ymm10,768+32*\off(%rdi) -vmovdqa %ymm11,896+32*\off(%rdi) - -vmovdqa (_8XDIV_QINV)*4(%rsi),%ymm1 -vmovdqa (_8XDIV)*4(%rsi),%ymm2 -vpmuldq %ymm1,%ymm4,%ymm12 -vpmuldq %ymm1,%ymm5,%ymm13 -vmovshdup %ymm4,%ymm8 -vmovshdup %ymm5,%ymm9 -vpmuldq %ymm1,%ymm8,%ymm14 -vpmuldq %ymm1,%ymm9,%ymm15 -vpmuldq %ymm2,%ymm4,%ymm4 -vpmuldq %ymm2,%ymm5,%ymm5 -vpmuldq %ymm2,%ymm8,%ymm8 -vpmuldq %ymm2,%ymm9,%ymm9 -vpmuldq %ymm0,%ymm12,%ymm12 -vpmuldq %ymm0,%ymm13,%ymm13 -vpmuldq %ymm0,%ymm14,%ymm14 -vpmuldq %ymm0,%ymm15,%ymm15 -vpsubd %ymm12,%ymm4,%ymm4 -vpsubd %ymm13,%ymm5,%ymm5 -vpsubd %ymm14,%ymm8,%ymm8 -vpsubd %ymm15,%ymm9,%ymm9 -vmovshdup %ymm4,%ymm4 -vmovshdup %ymm5,%ymm5 -vpblendd $0xAA,%ymm8,%ymm4,%ymm4 -vpblendd $0xAA,%ymm9,%ymm5,%ymm5 - -vpmuldq %ymm1,%ymm6,%ymm12 -vpmuldq %ymm1,%ymm7,%ymm13 -vmovshdup %ymm6,%ymm8 -vmovshdup %ymm7,%ymm9 -vpmuldq %ymm1,%ymm8,%ymm14 -vpmuldq %ymm1,%ymm9,%ymm15 -vpmuldq %ymm2,%ymm6,%ymm6 -vpmuldq %ymm2,%ymm7,%ymm7 -vpmuldq %ymm2,%ymm8,%ymm8 -vpmuldq %ymm2,%ymm9,%ymm9 -vpmuldq %ymm0,%ymm12,%ymm12 -vpmuldq %ymm0,%ymm13,%ymm13 -vpmuldq %ymm0,%ymm14,%ymm14 -vpmuldq %ymm0,%ymm15,%ymm15 -vpsubd %ymm12,%ymm6,%ymm6 -vpsubd %ymm13,%ymm7,%ymm7 -vpsubd %ymm14,%ymm8,%ymm8 -vpsubd %ymm15,%ymm9,%ymm9 -vmovshdup %ymm6,%ymm6 -vmovshdup %ymm7,%ymm7 -vpblendd $0xAA,%ymm8,%ymm6,%ymm6 -vpblendd $0xAA,%ymm9,%ymm7,%ymm7 - -vmovdqa %ymm4, 0+32*\off(%rdi) -vmovdqa %ymm5,128+32*\off(%rdi) -vmovdqa %ymm6,256+32*\off(%rdi) -vmovdqa %ymm7,384+32*\off(%rdi) -.endm - -.text -.global cdecl(PQCLEAN_DILITHIUM3AES_AVX2_invntt_avx) -.global _cdecl(PQCLEAN_DILITHIUM3AES_AVX2_invntt_avx) -cdecl(PQCLEAN_DILITHIUM3AES_AVX2_invntt_avx): -_cdecl(PQCLEAN_DILITHIUM3AES_AVX2_invntt_avx): -vmovdqa _8XQ*4(%rsi),%ymm0 - -levels0t5 0 -levels0t5 1 -levels0t5 2 -levels0t5 3 - -levels6t7 0 -levels6t7 1 -levels6t7 2 -levels6t7 3 - -ret 
diff --git a/crypto_sign/dilithium3aes/avx2/ntt.S b/crypto_sign/dilithium3aes/avx2/ntt.S
deleted file mode 100644
index 6e3920ed..00000000
--- a/crypto_sign/dilithium3aes/avx2/ntt.S
+++ /dev/null
@@ -1,199 +0,0 @@ -#include "cdecl.h" -.include "shuffle.inc" - -.macro butterfly l,h,zl0=1,zl1=1,zh0=2,zh1=2 -vpmuldq %ymm\zl0,%ymm\h,%ymm13 -vmovshdup %ymm\h,%ymm12 -vpmuldq %ymm\zl1,%ymm12,%ymm14 - -vpmuldq %ymm\zh0,%ymm\h,%ymm\h -vpmuldq %ymm\zh1,%ymm12,%ymm12 - -vpmuldq %ymm0,%ymm13,%ymm13 -vpmuldq %ymm0,%ymm14,%ymm14 - -vmovshdup %ymm\h,%ymm\h -vpblendd $0xAA,%ymm12,%ymm\h,%ymm\h - -vpsubd %ymm\h,%ymm\l,%ymm12 -vpaddd %ymm\h,%ymm\l,%ymm\l - -vmovshdup %ymm13,%ymm13 -vpblendd $0xAA,%ymm14,%ymm13,%ymm13 - -vpaddd %ymm13,%ymm12,%ymm\h -vpsubd %ymm13,%ymm\l,%ymm\l -.endm - -.macro levels0t1 off -/* level 0 */ -vpbroadcastd (_ZETAS_QINV+1)*4(%rsi),%ymm1 -vpbroadcastd (_ZETAS+1)*4(%rsi),%ymm2 - -vmovdqa 0+32*\off(%rdi),%ymm4 -vmovdqa 128+32*\off(%rdi),%ymm5 -vmovdqa 256+32*\off(%rdi),%ymm6 -vmovdqa 384+32*\off(%rdi),%ymm7 -vmovdqa 512+32*\off(%rdi),%ymm8 -vmovdqa 640+32*\off(%rdi),%ymm9 -vmovdqa 768+32*\off(%rdi),%ymm10 -vmovdqa 896+32*\off(%rdi),%ymm11 - -butterfly 4,8 -butterfly 5,9 -butterfly 6,10 -butterfly 7,11 - -/* level 1 */ -vpbroadcastd (_ZETAS_QINV+2)*4(%rsi),%ymm1 -vpbroadcastd (_ZETAS+2)*4(%rsi),%ymm2 -butterfly 4,6 -butterfly 5,7 - -vpbroadcastd (_ZETAS_QINV+3)*4(%rsi),%ymm1 -vpbroadcastd (_ZETAS+3)*4(%rsi),%ymm2 -butterfly 8,10 -butterfly 9,11 - -vmovdqa %ymm4, 0+32*\off(%rdi) -vmovdqa %ymm5,128+32*\off(%rdi) -vmovdqa %ymm6,256+32*\off(%rdi) -vmovdqa %ymm7,384+32*\off(%rdi) -vmovdqa %ymm8,512+32*\off(%rdi) -vmovdqa %ymm9,640+32*\off(%rdi) -vmovdqa %ymm10,768+32*\off(%rdi) -vmovdqa %ymm11,896+32*\off(%rdi) -.endm - -.macro levels2t7 off -/* level 2 */ -vmovdqa 256*\off+ 0(%rdi),%ymm4 -vmovdqa 256*\off+ 32(%rdi),%ymm5 -vmovdqa 256*\off+ 64(%rdi),%ymm6 -vmovdqa 256*\off+ 96(%rdi),%ymm7 -vmovdqa 256*\off+128(%rdi),%ymm8 -vmovdqa 256*\off+160(%rdi),%ymm9 -vmovdqa 256*\off+192(%rdi),%ymm10 -vmovdqa 256*\off+224(%rdi),%ymm11 - -vpbroadcastd (_ZETAS_QINV+4+\off)*4(%rsi),%ymm1 -vpbroadcastd (_ZETAS+4+\off)*4(%rsi),%ymm2 - -butterfly 4,8 -butterfly 5,9 
-butterfly 6,10 -butterfly 7,11 - -shuffle8 4,8,3,8 -shuffle8 5,9,4,9 -shuffle8 6,10,5,10 -shuffle8 7,11,6,11 - -/* level 3 */ -vmovdqa (_ZETAS_QINV+8+8*\off)*4(%rsi),%ymm1 -vmovdqa (_ZETAS+8+8*\off)*4(%rsi),%ymm2 - -butterfly 3,5 -butterfly 8,10 -butterfly 4,6 -butterfly 9,11 - -shuffle4 3,5,7,5 -shuffle4 8,10,3,10 -shuffle4 4,6,8,6 -shuffle4 9,11,4,11 - -/* level 4 */ -vmovdqa (_ZETAS_QINV+40+8*\off)*4(%rsi),%ymm1 -vmovdqa (_ZETAS+40+8*\off)*4(%rsi),%ymm2 - -butterfly 7,8 -butterfly 5,6 -butterfly 3,4 -butterfly 10,11 - -shuffle2 7,8,9,8 -shuffle2 5,6,7,6 -shuffle2 3,4,5,4 -shuffle2 10,11,3,11 - -/* level 5 */ -vmovdqa (_ZETAS_QINV+72+8*\off)*4(%rsi),%ymm1 -vmovdqa (_ZETAS+72+8*\off)*4(%rsi),%ymm2 -vpsrlq $32,%ymm1,%ymm10 -vmovshdup %ymm2,%ymm15 - -butterfly 9,5,1,10,2,15 -butterfly 8,4,1,10,2,15 -butterfly 7,3,1,10,2,15 -butterfly 6,11,1,10,2,15 - -/* level 6 */ -vmovdqa (_ZETAS_QINV+104+8*\off)*4(%rsi),%ymm1 -vmovdqa (_ZETAS+104+8*\off)*4(%rsi),%ymm2 -vpsrlq $32,%ymm1,%ymm10 -vmovshdup %ymm2,%ymm15 -butterfly 9,7,1,10,2,15 -butterfly 8,6,1,10,2,15 - -vmovdqa (_ZETAS_QINV+104+8*\off+32)*4(%rsi),%ymm1 -vmovdqa (_ZETAS+104+8*\off+32)*4(%rsi),%ymm2 -vpsrlq $32,%ymm1,%ymm10 -vmovshdup %ymm2,%ymm15 -butterfly 5,3,1,10,2,15 -butterfly 4,11,1,10,2,15 - -/* level 7 */ -vmovdqa (_ZETAS_QINV+168+8*\off)*4(%rsi),%ymm1 -vmovdqa (_ZETAS+168+8*\off)*4(%rsi),%ymm2 -vpsrlq $32,%ymm1,%ymm10 -vmovshdup %ymm2,%ymm15 -butterfly 9,8,1,10,2,15 - -vmovdqa (_ZETAS_QINV+168+8*\off+32)*4(%rsi),%ymm1 -vmovdqa (_ZETAS+168+8*\off+32)*4(%rsi),%ymm2 -vpsrlq $32,%ymm1,%ymm10 -vmovshdup %ymm2,%ymm15 -butterfly 7,6,1,10,2,15 - -vmovdqa (_ZETAS_QINV+168+8*\off+64)*4(%rsi),%ymm1 -vmovdqa (_ZETAS+168+8*\off+64)*4(%rsi),%ymm2 -vpsrlq $32,%ymm1,%ymm10 -vmovshdup %ymm2,%ymm15 -butterfly 5,4,1,10,2,15 - -vmovdqa (_ZETAS_QINV+168+8*\off+96)*4(%rsi),%ymm1 -vmovdqa (_ZETAS+168+8*\off+96)*4(%rsi),%ymm2 -vpsrlq $32,%ymm1,%ymm10 -vmovshdup %ymm2,%ymm15 -butterfly 3,11,1,10,2,15 - -vmovdqa %ymm9,256*\off+ 
0(%rdi) -vmovdqa %ymm8,256*\off+ 32(%rdi) -vmovdqa %ymm7,256*\off+ 64(%rdi) -vmovdqa %ymm6,256*\off+ 96(%rdi) -vmovdqa %ymm5,256*\off+128(%rdi) -vmovdqa %ymm4,256*\off+160(%rdi) -vmovdqa %ymm3,256*\off+192(%rdi) -vmovdqa %ymm11,256*\off+224(%rdi) -.endm - -.text -.global cdecl(PQCLEAN_DILITHIUM3AES_AVX2_ntt_avx) -.global _cdecl(PQCLEAN_DILITHIUM3AES_AVX2_ntt_avx) -cdecl(PQCLEAN_DILITHIUM3AES_AVX2_ntt_avx): -_cdecl(PQCLEAN_DILITHIUM3AES_AVX2_ntt_avx): -vmovdqa _8XQ*4(%rsi),%ymm0 - -levels0t1 0 -levels0t1 1 -levels0t1 2 -levels0t1 3 - -levels2t7 0 -levels2t7 1 -levels2t7 2 -levels2t7 3 - -ret - diff --git a/crypto_sign/dilithium3aes/avx2/ntt.h b/crypto_sign/dilithium3aes/avx2/ntt.h deleted file mode 100644 index 4866c299..00000000 --- a/crypto_sign/dilithium3aes/avx2/ntt.h +++ /dev/null @@ -1,14 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM3AES_AVX2_NTT_H -#define PQCLEAN_DILITHIUM3AES_AVX2_NTT_H - -#include - -void PQCLEAN_DILITHIUM3AES_AVX2_ntt_avx(__m256i *a, const __m256i *PQCLEAN_DILITHIUM3AES_AVX2_qdata); -void PQCLEAN_DILITHIUM3AES_AVX2_invntt_avx(__m256i *a, const __m256i *PQCLEAN_DILITHIUM3AES_AVX2_qdata); - -void PQCLEAN_DILITHIUM3AES_AVX2_nttunpack_avx(__m256i *a); - -void PQCLEAN_DILITHIUM3AES_AVX2_pointwise_avx(__m256i *c, const __m256i *a, const __m256i *b, const __m256i *PQCLEAN_DILITHIUM3AES_AVX2_qdata); -void PQCLEAN_DILITHIUM3AES_AVX2_pointwise_acc_avx(__m256i *c, const __m256i *a, const __m256i *b, const __m256i *PQCLEAN_DILITHIUM3AES_AVX2_qdata); - -#endif diff --git a/crypto_sign/dilithium3aes/avx2/packing.c b/crypto_sign/dilithium3aes/avx2/packing.c deleted file mode 100644 index 8a849f1f..00000000 --- a/crypto_sign/dilithium3aes/avx2/packing.c +++ /dev/null 
@@ -1,261 +0,0 @@ -#include "packing.h" -#include "params.h" -#include "poly.h" -#include "polyvec.h" - - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_pack_pk -* -* Description: Bit-pack public key pk = (rho, t1). -* -* Arguments: - uint8_t pk[]: output byte array -* - const uint8_t rho[]: byte array containing rho -* - const polyveck *t1: pointer to vector t1 -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_PUBLICKEYBYTES], - const uint8_t rho[SEEDBYTES], - const polyveck *t1) { - unsigned int i; - - for (i = 0; i < SEEDBYTES; ++i) { - pk[i] = rho[i]; - } - pk += SEEDBYTES; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_polyt1_pack(pk + i * POLYT1_PACKEDBYTES, &t1->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_unpack_pk -* -* Description: Unpack public key pk = (rho, t1). -* -* Arguments: - const uint8_t rho[]: output byte array for rho -* - const polyveck *t1: pointer to output vector t1 -* - uint8_t pk[]: byte array containing bit-packed pk -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_unpack_pk(uint8_t rho[SEEDBYTES], - polyveck *t1, - const uint8_t pk[PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_PUBLICKEYBYTES]) { - unsigned int i; - - for (i = 0; i < SEEDBYTES; ++i) { - rho[i] = pk[i]; - } - pk += SEEDBYTES; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_polyt1_unpack(&t1->vec[i], pk + i * POLYT1_PACKEDBYTES); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_pack_sk -* -* Description: Bit-pack secret key sk = (rho, tr, key, t0, s1, s2). 
-* -* Arguments: - uint8_t sk[]: output byte array -* - const uint8_t rho[]: byte array containing rho -* - const uint8_t tr[]: byte array containing tr -* - const uint8_t key[]: byte array containing key -* - const polyveck *t0: pointer to vector t0 -* - const polyvecl *s1: pointer to vector s1 -* - const polyveck *s2: pointer to vector s2 -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_SECRETKEYBYTES], - const uint8_t rho[SEEDBYTES], - const uint8_t tr[CRHBYTES], - const uint8_t key[SEEDBYTES], - const polyveck *t0, - const polyvecl *s1, - const polyveck *s2) { - unsigned int i; - - for (i = 0; i < SEEDBYTES; ++i) { - sk[i] = rho[i]; - } - sk += SEEDBYTES; - - for (i = 0; i < SEEDBYTES; ++i) { - sk[i] = key[i]; - } - sk += SEEDBYTES; - - for (i = 0; i < CRHBYTES; ++i) { - sk[i] = tr[i]; - } - sk += CRHBYTES; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]); - } - sk += L * POLYETA_PACKEDBYTES; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s2->vec[i]); - } - sk += K * POLYETA_PACKEDBYTES; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_polyt0_pack(sk + i * POLYT0_PACKEDBYTES, &t0->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_unpack_sk -* -* Description: Unpack secret key sk = (rho, tr, key, t0, s1, s2). 
-* -* Arguments: - const uint8_t rho[]: output byte array for rho -* - const uint8_t tr[]: output byte array for tr -* - const uint8_t key[]: output byte array for key -* - const polyveck *t0: pointer to output vector t0 -* - const polyvecl *s1: pointer to output vector s1 -* - const polyveck *s2: pointer to output vector s2 -* - uint8_t sk[]: byte array containing bit-packed sk -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[CRHBYTES], - uint8_t key[SEEDBYTES], - polyveck *t0, - polyvecl *s1, - polyveck *s2, - const uint8_t sk[PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_SECRETKEYBYTES]) { - unsigned int i; - - for (i = 0; i < SEEDBYTES; ++i) { - rho[i] = sk[i]; - } - sk += SEEDBYTES; - - for (i = 0; i < SEEDBYTES; ++i) { - key[i] = sk[i]; - } - sk += SEEDBYTES; - - for (i = 0; i < CRHBYTES; ++i) { - tr[i] = sk[i]; - } - sk += CRHBYTES; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES); - } - sk += L * POLYETA_PACKEDBYTES; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_polyeta_unpack(&s2->vec[i], sk + i * POLYETA_PACKEDBYTES); - } - sk += K * POLYETA_PACKEDBYTES; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_polyt0_unpack(&t0->vec[i], sk + i * POLYT0_PACKEDBYTES); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_pack_sig -* -* Description: Bit-pack signature sig = (c, z, h). 
-* -* Arguments: - uint8_t sig[]: output byte array -* - const uint8_t *c: pointer to PQCLEAN_DILITHIUM3AES_AVX2_challenge hash length SEEDBYTES -* - const polyvecl *z: pointer to vector z -* - const polyveck *h: pointer to hint vector h -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_BYTES], - const uint8_t c[SEEDBYTES], - const polyvecl *z, - const polyveck *h) { - unsigned int i, j, k; - - for (i = 0; i < SEEDBYTES; ++i) { - sig[i] = c[i]; - } - sig += SEEDBYTES; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_polyz_pack(sig + i * POLYZ_PACKEDBYTES, &z->vec[i]); - } - sig += L * POLYZ_PACKEDBYTES; - - /* Encode h */ - for (i = 0; i < OMEGA + K; ++i) { - sig[i] = 0; - } - - k = 0; - for (i = 0; i < K; ++i) { - for (j = 0; j < N; ++j) { - if (h->vec[i].coeffs[j] != 0) { - sig[k++] = (uint8_t) j; - } - } - - sig[OMEGA + i] = (uint8_t) k; - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_unpack_sig -* -* Description: Unpack signature sig = (c, z, h). -* -* Arguments: - uint8_t *c: pointer to output PQCLEAN_DILITHIUM3AES_AVX2_challenge hash -* - polyvecl *z: pointer to output vector z -* - polyveck *h: pointer to output hint vector h -* - const uint8_t sig[]: byte array containing -* bit-packed signature -* -* Returns 1 in case of malformed signature; otherwise 0. 
-**************************************************/ -int PQCLEAN_DILITHIUM3AES_AVX2_unpack_sig(uint8_t c[SEEDBYTES], - polyvecl *z, - polyveck *h, - const uint8_t sig[PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_BYTES]) { - unsigned int i, j, k; - - for (i = 0; i < SEEDBYTES; ++i) { - c[i] = sig[i]; - } - sig += SEEDBYTES; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_polyz_unpack(&z->vec[i], sig + i * POLYZ_PACKEDBYTES); - } - sig += L * POLYZ_PACKEDBYTES; - - /* Decode h */ - k = 0; - for (i = 0; i < K; ++i) { - for (j = 0; j < N; ++j) { - h->vec[i].coeffs[j] = 0; - } - - if (sig[OMEGA + i] < k || sig[OMEGA + i] > OMEGA) { - return 1; - } - - for (j = k; j < sig[OMEGA + i]; ++j) { - /* Coefficients are ordered for strong unforgeability */ - if (j > k && sig[j] <= sig[j - 1]) { - return 1; - } - h->vec[i].coeffs[sig[j]] = 1; - } - - k = sig[OMEGA + i]; - } - - /* Extra indices are zero for strong unforgeability */ - for (j = k; j < OMEGA; ++j) { - if (sig[j]) { - return 1; - } - } - - return 0; -} diff --git a/crypto_sign/dilithium3aes/avx2/packing.h b/crypto_sign/dilithium3aes/avx2/packing.h deleted file mode 100644 index b8053269..00000000 --- a/crypto_sign/dilithium3aes/avx2/packing.h +++ /dev/null 
@@ -1,31 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM3AES_AVX2_PACKING_H
-#define PQCLEAN_DILITHIUM3AES_AVX2_PACKING_H
-#include "params.h"
-#include "polyvec.h"
-#include 
-
-void PQCLEAN_DILITHIUM3AES_AVX2_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_PUBLICKEYBYTES], const uint8_t rho[SEEDBYTES], const polyveck *t1);
-
-void PQCLEAN_DILITHIUM3AES_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_SECRETKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const uint8_t tr[CRHBYTES],
- const uint8_t key[SEEDBYTES],
- const polyveck *t0,
- const polyvecl *s1,
- const polyveck *s2);
-
-void PQCLEAN_DILITHIUM3AES_AVX2_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_BYTES], const uint8_t c[SEEDBYTES], const polyvecl *z, const polyveck *h);
-
-void PQCLEAN_DILITHIUM3AES_AVX2_unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_PUBLICKEYBYTES]);
-
-void PQCLEAN_DILITHIUM3AES_AVX2_unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[CRHBYTES],
- uint8_t key[SEEDBYTES],
- polyveck *t0,
- polyvecl *s1,
- polyveck *s2,
- const uint8_t sk[PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_SECRETKEYBYTES]);
-
-int PQCLEAN_DILITHIUM3AES_AVX2_unpack_sig(uint8_t c[SEEDBYTES], polyvecl *z, polyveck *h, const uint8_t sig[PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_BYTES]);
-
-#endif
diff --git a/crypto_sign/dilithium3aes/avx2/params.h b/crypto_sign/dilithium3aes/avx2/params.h
deleted file mode 100644
index af88be1e..00000000
--- a/crypto_sign/dilithium3aes/avx2/params.h
+++ /dev/null
@@ -1,41 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM3AES_AVX2_PARAMS_H
-#define PQCLEAN_DILITHIUM3AES_AVX2_PARAMS_H
-
-
-
-#define SEEDBYTES 32
-#define CRHBYTES 48
-#define N 256
-#define Q 8380417
-#define D 13
-#define ROOT_OF_UNITY 1753
-
-#define K 6
-#define L 5
-#define ETA 4
-#define TAU 49
-#define BETA 196
-#define GAMMA1 (1 << 19)
-#define GAMMA2 ((Q-1)/32)
-#define OMEGA 55
-#define PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_ALGNAME "Dilithium3-AES"
-
-
-#define POLYT1_PACKEDBYTES 320
-#define POLYT0_PACKEDBYTES 416
-#define POLYVECH_PACKEDBYTES (OMEGA + K)
-
-#define POLYZ_PACKEDBYTES 640
-
-#define POLYW1_PACKEDBYTES 128
-
-#define POLYETA_PACKEDBYTES 128
-
-#define PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_SECRETKEYBYTES (2*SEEDBYTES + CRHBYTES \
- + L*POLYETA_PACKEDBYTES \
- + K*POLYETA_PACKEDBYTES \
- + K*POLYT0_PACKEDBYTES)
-#define PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_BYTES (SEEDBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES)
-
-#endif
diff --git a/crypto_sign/dilithium3aes/avx2/pointwise.S b/crypto_sign/dilithium3aes/avx2/pointwise.S
deleted file mode 100644
index 1ff0179f..00000000
--- a/crypto_sign/dilithium3aes/avx2/pointwise.S
+++ /dev/null
@@ -1,201 +0,0 @@
-#include "params.h"
-#include "cdecl.h"
-
-.text
-.global cdecl(PQCLEAN_DILITHIUM3AES_AVX2_pointwise_avx)
-.global _cdecl(PQCLEAN_DILITHIUM3AES_AVX2_pointwise_avx)
-cdecl(PQCLEAN_DILITHIUM3AES_AVX2_pointwise_avx):
-_cdecl(PQCLEAN_DILITHIUM3AES_AVX2_pointwise_avx):
-#consts
-vmovdqa _8XQINV*4(%rcx),%ymm0
-vmovdqa _8XQ*4(%rcx),%ymm1
-
-xor %eax,%eax
-_looptop1:
-#load
-vmovdqa (%rsi),%ymm2
-vmovdqa 32(%rsi),%ymm4
-vmovdqa 64(%rsi),%ymm6
-vmovdqa (%rdx),%ymm10
-vmovdqa 32(%rdx),%ymm12
-vmovdqa 64(%rdx),%ymm14
-vpsrlq $32,%ymm2,%ymm3
-vpsrlq $32,%ymm4,%ymm5
-vmovshdup %ymm6,%ymm7
-vpsrlq $32,%ymm10,%ymm11
-vpsrlq $32,%ymm12,%ymm13
-vmovshdup %ymm14,%ymm15
-
-#mul
-vpmuldq %ymm2,%ymm10,%ymm2
-vpmuldq %ymm3,%ymm11,%ymm3
-vpmuldq %ymm4,%ymm12,%ymm4
-vpmuldq %ymm5,%ymm13,%ymm5
-vpmuldq %ymm6,%ymm14,%ymm6
-vpmuldq %ymm7,%ymm15,%ymm7
-
-#reduce
-vpmuldq %ymm0,%ymm2,%ymm10
-vpmuldq %ymm0,%ymm3,%ymm11
-vpmuldq %ymm0,%ymm4,%ymm12
-vpmuldq %ymm0,%ymm5,%ymm13
-vpmuldq %ymm0,%ymm6,%ymm14
-vpmuldq %ymm0,%ymm7,%ymm15
-vpmuldq %ymm1,%ymm10,%ymm10
-vpmuldq %ymm1,%ymm11,%ymm11
-vpmuldq %ymm1,%ymm12,%ymm12
-vpmuldq %ymm1,%ymm13,%ymm13
-vpmuldq %ymm1,%ymm14,%ymm14
-vpmuldq %ymm1,%ymm15,%ymm15
-vpsubq %ymm10,%ymm2,%ymm2
-vpsubq %ymm11,%ymm3,%ymm3
-vpsubq %ymm12,%ymm4,%ymm4
-vpsubq %ymm13,%ymm5,%ymm5
-vpsubq %ymm14,%ymm6,%ymm6
-vpsubq %ymm15,%ymm7,%ymm7
-vpsrlq $32,%ymm2,%ymm2
-vpsrlq $32,%ymm4,%ymm4
-vmovshdup %ymm6,%ymm6
-
-#store
-vpblendd $0xAA,%ymm3,%ymm2,%ymm2
-vpblendd $0xAA,%ymm5,%ymm4,%ymm4
-vpblendd $0xAA,%ymm7,%ymm6,%ymm6
-vmovdqa %ymm2,(%rdi)
-vmovdqa %ymm4,32(%rdi)
-vmovdqa %ymm6,64(%rdi)
-
-add $96,%rdi
-add $96,%rsi
-add $96,%rdx
-add $1,%eax
-cmp $10,%eax
-jb _looptop1
-
-vmovdqa (%rsi),%ymm2
-vmovdqa 32(%rsi),%ymm4
-vmovdqa (%rdx),%ymm10
-vmovdqa 32(%rdx),%ymm12
-vpsrlq $32,%ymm2,%ymm3
-vpsrlq $32,%ymm4,%ymm5
-vmovshdup %ymm10,%ymm11
-vmovshdup %ymm12,%ymm13
-
-#mul
-vpmuldq %ymm2,%ymm10,%ymm2
-vpmuldq %ymm3,%ymm11,%ymm3
-vpmuldq %ymm4,%ymm12,%ymm4
-vpmuldq %ymm5,%ymm13,%ymm5
-
-#reduce
-vpmuldq %ymm0,%ymm2,%ymm10
-vpmuldq %ymm0,%ymm3,%ymm11
-vpmuldq %ymm0,%ymm4,%ymm12
-vpmuldq %ymm0,%ymm5,%ymm13
-vpmuldq %ymm1,%ymm10,%ymm10
-vpmuldq %ymm1,%ymm11,%ymm11
-vpmuldq %ymm1,%ymm12,%ymm12
-vpmuldq %ymm1,%ymm13,%ymm13
-vpsubq %ymm10,%ymm2,%ymm2
-vpsubq %ymm11,%ymm3,%ymm3
-vpsubq %ymm12,%ymm4,%ymm4
-vpsubq %ymm13,%ymm5,%ymm5
-vpsrlq $32,%ymm2,%ymm2
-vmovshdup %ymm4,%ymm4
-
-#store
-vpblendd $0x55,%ymm2,%ymm3,%ymm2
-vpblendd $0x55,%ymm4,%ymm5,%ymm4
-vmovdqa %ymm2,(%rdi)
-vmovdqa %ymm4,32(%rdi)
-
-ret
-
-.macro pointwise off
-#load
-vmovdqa \off(%rsi),%ymm6
-vmovdqa \off+32(%rsi),%ymm8
-vmovdqa \off(%rdx),%ymm10
-vmovdqa \off+32(%rdx),%ymm12
-vpsrlq $32,%ymm6,%ymm7
-vpsrlq $32,%ymm8,%ymm9
-vmovshdup %ymm10,%ymm11
-vmovshdup %ymm12,%ymm13
-
-#mul
-vpmuldq %ymm6,%ymm10,%ymm6
-vpmuldq %ymm7,%ymm11,%ymm7
-vpmuldq %ymm8,%ymm12,%ymm8
-vpmuldq %ymm9,%ymm13,%ymm9
-.endm
-
-.macro acc
-vpaddq %ymm6,%ymm2,%ymm2
-vpaddq %ymm7,%ymm3,%ymm3
-vpaddq %ymm8,%ymm4,%ymm4
-vpaddq %ymm9,%ymm5,%ymm5
-.endm
-
-.global cdecl(PQCLEAN_DILITHIUM3AES_AVX2_pointwise_acc_avx)
-.global _cdecl(PQCLEAN_DILITHIUM3AES_AVX2_pointwise_acc_avx)
-cdecl(PQCLEAN_DILITHIUM3AES_AVX2_pointwise_acc_avx):
-_cdecl(PQCLEAN_DILITHIUM3AES_AVX2_pointwise_acc_avx):
-#consts
-vmovdqa _8XQINV*4(%rcx),%ymm0
-vmovdqa _8XQ*4(%rcx),%ymm1
-
-xor %eax,%eax
-_looptop2:
-pointwise 0
-
-#mov
-vmovdqa %ymm6,%ymm2
-vmovdqa %ymm7,%ymm3
-vmovdqa %ymm8,%ymm4
-vmovdqa %ymm9,%ymm5
-
-pointwise 1024
-acc
-
-pointwise 2048
-acc
-
-pointwise 3072
-acc
-
-pointwise 4096
-acc
-
-
-
-#reduce
-vpmuldq %ymm0,%ymm2,%ymm6
-vpmuldq %ymm0,%ymm3,%ymm7
-vpmuldq %ymm0,%ymm4,%ymm8
-vpmuldq %ymm0,%ymm5,%ymm9
-vpmuldq %ymm1,%ymm6,%ymm6
-vpmuldq %ymm1,%ymm7,%ymm7
-vpmuldq %ymm1,%ymm8,%ymm8
-vpmuldq %ymm1,%ymm9,%ymm9
-vpsubq %ymm6,%ymm2,%ymm2
-vpsubq %ymm7,%ymm3,%ymm3
-vpsubq %ymm8,%ymm4,%ymm4
-vpsubq %ymm9,%ymm5,%ymm5
-vpsrlq $32,%ymm2,%ymm2
-vmovshdup %ymm4,%ymm4
-
-#store
-vpblendd $0xAA,%ymm3,%ymm2,%ymm2
-vpblendd $0xAA,%ymm5,%ymm4,%ymm4
-
-vmovdqa %ymm2,(%rdi)
-vmovdqa %ymm4,32(%rdi)
-
-add $64,%rsi
-add $64,%rdx
-add $64,%rdi
-add $1,%eax
-cmp $16,%eax
-jb _looptop2
-
-ret
diff --git a/crypto_sign/dilithium3aes/avx2/poly.c b/crypto_sign/dilithium3aes/avx2/poly.c
deleted file mode 100644
index 1bdfde28..00000000
--- a/crypto_sign/dilithium3aes/avx2/poly.c
+++ /dev/null
@@ -1,862 +0,0 @@ -#include "align.h" -#include "consts.h" -#include "ntt.h" -#include "params.h" -#include "poly.h" -#include "rejsample.h" -#include "rounding.h" -#include "symmetric.h" -#include -#include -#include - -#define DBENCH_START() -#define DBENCH_STOP(t) - -#define _mm256_blendv_epi32(a,b,mask) \ - _mm256_castps_si256(_mm256_blendv_ps(_mm256_castsi256_ps(a), \ - _mm256_castsi256_ps(b), \ - _mm256_castsi256_ps(mask))) - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_poly_reduce -* -* Description: Inplace reduction of all coefficients of polynomial to -* representative in [-6283009,6283007]. Assumes input -* coefficients to be at most 2^31 - 2^22 - 1 in absolute value. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_poly_reduce(poly *a) { - unsigned int i; - __m256i f, g; - const __m256i q = _mm256_load_si256(&PQCLEAN_DILITHIUM3AES_AVX2_qdata.vec[_8XQ / 8]); - const __m256i off = _mm256_set1_epi32(1 << 22); - DBENCH_START(); - - for (i = 0; i < N / 8; i++) { - f = _mm256_load_si256(&a->vec[i]); - g = _mm256_add_epi32(f, off); - g = _mm256_srai_epi32(g, 23); - g = _mm256_mullo_epi32(g, q); - f = _mm256_sub_epi32(f, g); - _mm256_store_si256(&a->vec[i], f); - } - - DBENCH_STOP(*tred); -} - -/************************************************* -* Name: poly_addq -* -* Description: For all coefficients of in/out polynomial add Q if -* coefficient is negative. 
-* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_poly_caddq(poly *a) { - unsigned int i; - __m256i f, g; - const __m256i q = _mm256_load_si256(&PQCLEAN_DILITHIUM3AES_AVX2_qdata.vec[_8XQ / 8]); - const __m256i zero = _mm256_setzero_si256(); - DBENCH_START(); - - for (i = 0; i < N / 8; i++) { - f = _mm256_load_si256(&a->vec[i]); - g = _mm256_blendv_epi32(zero, q, f); - f = _mm256_add_epi32(f, g); - _mm256_store_si256(&a->vec[i], f); - } - - DBENCH_STOP(*tred); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_poly_freeze -* -* Description: Inplace reduction of all coefficients of polynomial to -* positive standard representatives. Assumes input -* coefficients to be at most 2^31 - 2^22 + 1 in -* absolute value. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_poly_freeze(poly *a) { - DBENCH_START(); - - PQCLEAN_DILITHIUM3AES_AVX2_poly_reduce(a); - PQCLEAN_DILITHIUM3AES_AVX2_poly_caddq(a); - - DBENCH_STOP(*tred); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_poly_add -* -* Description: Add polynomials. No modular reduction is performed. 
-* -* Arguments: - poly *c: pointer to output polynomial -* - const poly *a: pointer to first summand -* - const poly *b: pointer to second summand -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_poly_add(poly *c, const poly *a, const poly *b) { - unsigned int i; - __m256i f, g; - DBENCH_START(); - - for (i = 0; i < N / 8; i++) { - f = _mm256_load_si256(&a->vec[i]); - g = _mm256_load_si256(&b->vec[i]); - f = _mm256_add_epi32(f, g); - _mm256_store_si256(&c->vec[i], f); - } - - DBENCH_STOP(*tadd); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_poly_sub -* -* Description: Subtract polynomials. No modular reduction is -* performed. -* -* Arguments: - poly *c: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial to be -* subtraced from first input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_poly_sub(poly *c, const poly *a, const poly *b) { - unsigned int i; - __m256i f, g; - DBENCH_START(); - - for (i = 0; i < N / 8; i++) { - f = _mm256_load_si256(&a->vec[i]); - g = _mm256_load_si256(&b->vec[i]); - f = _mm256_sub_epi32(f, g); - _mm256_store_si256(&c->vec[i], f); - } - - DBENCH_STOP(*tadd); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_poly_shiftl -* -* Description: Multiply polynomial by 2^D without modular reduction. Assumes -* input coefficients to be less than 2^{31-D} in absolute value. 
-* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_poly_shiftl(poly *a) { - unsigned int i; - __m256i f; - DBENCH_START(); - - for (i = 0; i < N / 8; i++) { - f = _mm256_load_si256(&a->vec[i]); - f = _mm256_slli_epi32(f, D); - _mm256_store_si256(&a->vec[i], f); - } - - DBENCH_STOP(*tmul); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_poly_ntt -* -* Description: Inplace forward NTT. Coefficients can grow by up to -* 8*Q in absolute value. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_poly_ntt(poly *a) { - DBENCH_START(); - - PQCLEAN_DILITHIUM3AES_AVX2_ntt_avx(a->vec, PQCLEAN_DILITHIUM3AES_AVX2_qdata.vec); - - DBENCH_STOP(*tmul); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_poly_invntt_tomont -* -* Description: Inplace inverse NTT and multiplication by 2^{32}. -* Input coefficients need to be less than Q in absolute -* value and output coefficients are again bounded by Q. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_poly_invntt_tomont(poly *a) { - DBENCH_START(); - - PQCLEAN_DILITHIUM3AES_AVX2_invntt_avx(a->vec, PQCLEAN_DILITHIUM3AES_AVX2_qdata.vec); - - DBENCH_STOP(*tmul); -} - -void PQCLEAN_DILITHIUM3AES_AVX2_poly_nttunpack(poly *a) { - DBENCH_START(); - - PQCLEAN_DILITHIUM3AES_AVX2_nttunpack_avx(a->vec); - - DBENCH_STOP(*tmul); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_poly_pointwise_montgomery -* -* Description: Pointwise multiplication of polynomials in NTT domain -* representation and multiplication of resulting polynomial -* by 2^{-32}. 
-* -* Arguments: - poly *c: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_poly_pointwise_montgomery(poly *c, const poly *a, const poly *b) { - DBENCH_START(); - - PQCLEAN_DILITHIUM3AES_AVX2_pointwise_avx(c->vec, a->vec, b->vec, PQCLEAN_DILITHIUM3AES_AVX2_qdata.vec); - - DBENCH_STOP(*tmul); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_poly_power2round -* -* Description: For all coefficients c of the input polynomial, -* compute c0, c1 such that c mod^+ Q = c1*2^D + c0 -* with -2^{D-1} < c0 <= 2^{D-1}. Assumes coefficients to be -* positive standard representatives. -* -* Arguments: - poly *a1: pointer to output polynomial with coefficients c1 -* - poly *a0: pointer to output polynomial with coefficients c0 -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_poly_power2round(poly *a1, poly *a0, const poly *a) { - DBENCH_START(); - - PQCLEAN_DILITHIUM3AES_AVX2_power2round_avx(a1->vec, a0->vec, a->vec); - - DBENCH_STOP(*tround); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_poly_decompose -* -* Description: For all coefficients c of the input polynomial, -* compute high and low bits c0, c1 such c mod^+ Q = c1*ALPHA + c0 -* with -ALPHA/2 < c0 <= ALPHA/2 except if c1 = (Q-1)/ALPHA where we -* set c1 = 0 and -ALPHA/2 <= c0 = c mod Q - Q < 0. -* Assumes coefficients to be positive standard representatives. 
-* -* Arguments: - poly *a1: pointer to output polynomial with coefficients c1 -* - poly *a0: pointer to output polynomial with coefficients c0 -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_poly_decompose(poly *a1, poly *a0, const poly *a) { - DBENCH_START(); - - PQCLEAN_DILITHIUM3AES_AVX2_decompose_avx(a1->vec, a0->vec, a->vec); - - DBENCH_STOP(*tround); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_poly_make_hint -* -* Description: Compute hint array. The coefficients of which are the -* indices of the coefficients of the input polynomial -* whose low bits overflow into the high bits. -* -* Arguments: - uint8_t *h: pointer to output hint array (preallocated of length N) -* - const poly *a0: pointer to low part of input polynomial -* - const poly *a1: pointer to high part of input polynomial -* -* Returns number of hints, i.e. length of hint array. -**************************************************/ -unsigned int PQCLEAN_DILITHIUM3AES_AVX2_poly_make_hint(uint8_t hint[N], const poly *a0, const poly *a1) { - unsigned int r; - DBENCH_START(); - - r = PQCLEAN_DILITHIUM3AES_AVX2_make_hint_avx(hint, a0->vec, a1->vec); - - DBENCH_STOP(*tround); - return r; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_poly_use_hint -* -* Description: Use hint polynomial to correct the high bits of a polynomial. 
-* -* Arguments: - poly *b: pointer to output polynomial with corrected high bits -* - const poly *a: pointer to input polynomial -* - const poly *h: pointer to input hint polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_poly_use_hint(poly *b, const poly *a, const poly *h) { - DBENCH_START(); - - PQCLEAN_DILITHIUM3AES_AVX2_use_hint_avx(b->vec, a->vec, h->vec); - - DBENCH_STOP(*tround); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_poly_chknorm -* -* Description: Check infinity norm of polynomial against given bound. -* Assumes input polynomial to be reduced by PQCLEAN_DILITHIUM3AES_AVX2_poly_reduce(). -* -* Arguments: - const poly *a: pointer to polynomial -* - int32_t B: norm bound -* -* Returns 0 if norm is strictly smaller than B <= (Q-1)/8 and 1 otherwise. -**************************************************/ -int PQCLEAN_DILITHIUM3AES_AVX2_poly_chknorm(const poly *a, int32_t B) { - unsigned int i; - int r; - __m256i f, t; - const __m256i bound = _mm256_set1_epi32(B - 1); - DBENCH_START(); - - if (B > (Q - 1) / 8) { - return 1; - } - - t = _mm256_setzero_si256(); - for (i = 0; i < N / 8; i++) { - f = _mm256_load_si256(&a->vec[i]); - f = _mm256_abs_epi32(f); - f = _mm256_cmpgt_epi32(f, bound); - t = _mm256_or_si256(t, f); - } - - r = 1 - _mm256_testz_si256(t, t); - DBENCH_STOP(*tsample); - return r; -} - -/************************************************* -* Name: rej_uniform -* -* Description: Sample uniformly random coefficients in [0, Q-1] by -* performing rejection sampling on array of random bytes. -* -* Arguments: - int32_t *a: pointer to output array (allocated) -* - unsigned int len: number of coefficients to be sampled -* - const uint8_t *buf: array of random bytes -* - unsigned int buflen: length of array of random bytes -* -* Returns number of sampled coefficients. Can be smaller than len if not enough -* random bytes were given. 
-**************************************************/ -static unsigned int rej_uniform(int32_t *a, - unsigned int len, - const uint8_t *buf, - unsigned int buflen) { - unsigned int ctr, pos; - uint32_t t; - DBENCH_START(); - - ctr = pos = 0; - while (ctr < len && pos + 3 <= buflen) { - t = buf[pos++]; - t |= (uint32_t)buf[pos++] << 8; - t |= (uint32_t)buf[pos++] << 16; - t &= 0x7FFFFF; - - if (t < Q) { - a[ctr++] = t; - } - } - - DBENCH_STOP(*tsample); - return ctr; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform -* -* Description: Sample polynomial with uniformly random coefficients -* in [0,Q-1] by performing rejection sampling on the -* output stream of SHAKE256(seed|nonce) or AES256CTR(seed,nonce). -* -* Arguments: - poly *a: pointer to output polynomial -* - const uint8_t seed[]: byte array with seed of length SEEDBYTES -* - uint16_t nonce: 2-byte nonce -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_preinit(poly *a, stream128_state *state) { - unsigned int ctr; - /* PQCLEAN_DILITHIUM3AES_AVX2_rej_uniform_avx reads up to 8 additional bytes */ - ALIGNED_UINT8(REJ_UNIFORM_BUFLEN + 8) buf; - - stream128_squeezeblocks(buf.coeffs, REJ_UNIFORM_NBLOCKS, state); - ctr = PQCLEAN_DILITHIUM3AES_AVX2_rej_uniform_avx(a->coeffs, buf.coeffs); - - while (ctr < N) { - /* length of buf is always divisible by 3; hence, no bytes left */ - stream128_squeezeblocks(buf.coeffs, 1, state); - ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM128_BLOCKBYTES); - } -} - -void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce) { - stream128_state state; - stream128_init(&state, seed, nonce); - PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_preinit(a, &state); - stream128_release(&state); -} - - -/************************************************* -* Name: rej_eta -* -* Description: Sample uniformly random coefficients in [-ETA, ETA] 
by -* performing rejection sampling on array of random bytes. -* -* Arguments: - int32_t *a: pointer to output array (allocated) -* - unsigned int len: number of coefficients to be sampled -* - const uint8_t *buf: array of random bytes -* - unsigned int buflen: length of array of random bytes -* -* Returns number of sampled coefficients. Can be smaller than len if not enough -* random bytes were given. -**************************************************/ -static unsigned int rej_eta(int32_t *a, - unsigned int len, - const uint8_t *buf, - unsigned int buflen) { - unsigned int ctr, pos; - uint32_t t0, t1; - DBENCH_START(); - - ctr = pos = 0; - while (ctr < len && pos < buflen) { - t0 = buf[pos] & 0x0F; - t1 = buf[pos++] >> 4; - - if (t0 < 9) { - a[ctr++] = 4 - t0; - } - if (t1 < 9 && ctr < len) { - a[ctr++] = 4 - t1; - } - } - - DBENCH_STOP(*tsample); - return ctr; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_eta -* -* Description: Sample polynomial with uniformly random coefficients -* in [-ETA,ETA] by performing rejection sampling using the -* output stream of SHAKE256(seed|nonce) -* or AES256CTR(seed,nonce). 
-* -* Arguments: - poly *a: pointer to output polynomial -* - const uint8_t seed[]: byte array with seed of length SEEDBYTES -* - uint16_t nonce: 2-byte nonce -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_eta_preinit(poly *a, stream128_state *state) { - unsigned int ctr; - ALIGNED_UINT8(REJ_UNIFORM_BUFLEN * STREAM128_BLOCKBYTES) buf; - - stream128_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state); - ctr = PQCLEAN_DILITHIUM3AES_AVX2_rej_eta_avx(a->coeffs, buf.coeffs); - - while (ctr < N) { - stream128_squeezeblocks(buf.coeffs, 1, state); - ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM128_BLOCKBYTES); - } -} - -void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce) { - stream128_state state; - stream128_init(&state, seed, nonce); - PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_eta_preinit(a, &state); - stream128_release(&state); -} - - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_gamma1 -* -* Description: Sample polynomial with uniformly random coefficients -* in [-(GAMMA1 - 1), GAMMA1] by unpacking output stream -* of SHAKE256(seed|nonce) or AES256CTR(seed,nonce). 
-* -* Arguments: - poly *a: pointer to output polynomial -* - const uint8_t seed[]: byte array with seed of length CRHBYTES -* - uint16_t nonce: 16-bit nonce -**************************************************/ -#define POLY_UNIFORM_GAMMA1_NBLOCKS ((POLYZ_PACKEDBYTES+STREAM256_BLOCKBYTES-1)/STREAM256_BLOCKBYTES) -void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_gamma1_preinit(poly *a, stream256_state *state) { - /* PQCLEAN_DILITHIUM3AES_AVX2_polyz_unpack reads 14 additional bytes */ - ALIGNED_UINT8(POLY_UNIFORM_GAMMA1_NBLOCKS * STREAM256_BLOCKBYTES + 14) buf; - stream256_squeezeblocks(buf.coeffs, POLY_UNIFORM_GAMMA1_NBLOCKS, state); - PQCLEAN_DILITHIUM3AES_AVX2_polyz_unpack(a, buf.coeffs); -} - -void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce) { - stream256_state state; - stream256_init(&state, seed, nonce); - PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_gamma1_preinit(a, &state); - stream256_release(&state); -} - - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_challenge -* -* Description: Implementation of H. Samples polynomial with TAU nonzero -* coefficients in {-1,1} using the output stream of -* SHAKE256(seed). 
-* -* Arguments: - poly *c: pointer to output polynomial -* - const uint8_t mu[]: byte array containing seed of length SEEDBYTES -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_poly_challenge(poly *restrict c, const uint8_t seed[SEEDBYTES]) { - unsigned int i, b, pos; - uint64_t signs; - ALIGNED_UINT8(SHAKE256_RATE) buf; - shake256incctx state; - - shake256_inc_init(&state); - shake256_inc_absorb(&state, seed, SEEDBYTES); - shake256_inc_finalize(&state); - shake256_inc_squeeze(buf.coeffs, SHAKE256_RATE, &state); - - memcpy(&signs, buf.coeffs, 8); - pos = 8; - - memset(c->vec, 0, sizeof(poly)); - for (i = N - TAU; i < N; ++i) { - do { - if (pos >= SHAKE256_RATE) { - shake256_inc_squeeze(buf.coeffs, SHAKE256_RATE, &state); - pos = 0; - } - - b = buf.coeffs[pos++]; - } while (b > i); - - c->coeffs[i] = c->coeffs[b]; - c->coeffs[b] = 1 - 2 * (signs & 1); - signs >>= 1; - } - shake256_inc_ctx_release(&state); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_polyeta_pack -* -* Description: Bit-pack polynomial with coefficients in [-ETA,ETA]. -* -* Arguments: - uint8_t *r: pointer to output byte array with at least -* POLYETA_PACKEDBYTES bytes -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_polyeta_pack(uint8_t r[POLYETA_PACKEDBYTES], const poly *restrict a) { - unsigned int i; - uint8_t t[8]; - DBENCH_START(); - - for (i = 0; i < N / 2; ++i) { - t[0] = ETA - a->coeffs[2 * i + 0]; - t[1] = ETA - a->coeffs[2 * i + 1]; - r[i] = t[0] | (t[1] << 4); - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_polyeta_unpack -* -* Description: Unpack polynomial with coefficients in [-ETA,ETA]. 
-* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: byte array with bit-packed polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_polyeta_unpack(poly *restrict r, const uint8_t a[POLYETA_PACKEDBYTES]) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N / 2; ++i) { - r->coeffs[2 * i + 0] = a[i] & 0x0F; - r->coeffs[2 * i + 1] = a[i] >> 4; - r->coeffs[2 * i + 0] = ETA - r->coeffs[2 * i + 0]; - r->coeffs[2 * i + 1] = ETA - r->coeffs[2 * i + 1]; - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_polyt1_pack -* -* Description: Bit-pack polynomial t1 with coefficients fitting in 10 bits. -* Input coefficients are assumed to be positive standard representatives. -* -* Arguments: - uint8_t *r: pointer to output byte array with at least -* POLYT1_PACKEDBYTES bytes -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_polyt1_pack(uint8_t r[POLYT1_PACKEDBYTES], const poly *restrict a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N / 4; ++i) { - r[5 * i + 0] = (a->coeffs[4 * i + 0] >> 0); - r[5 * i + 1] = (a->coeffs[4 * i + 0] >> 8) | (a->coeffs[4 * i + 1] << 2); - r[5 * i + 2] = (a->coeffs[4 * i + 1] >> 6) | (a->coeffs[4 * i + 2] << 4); - r[5 * i + 3] = (a->coeffs[4 * i + 2] >> 4) | (a->coeffs[4 * i + 3] << 6); - r[5 * i + 4] = (a->coeffs[4 * i + 3] >> 2); - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_polyt1_unpack -* -* Description: Unpack polynomial t1 with 10-bit coefficients. -* Output coefficients are positive standard representatives. 
-* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: byte array with bit-packed polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_polyt1_unpack(poly *restrict r, const uint8_t a[POLYT1_PACKEDBYTES]) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N / 4; ++i) { - r->coeffs[4 * i + 0] = ((a[5 * i + 0] >> 0) | ((uint32_t)a[5 * i + 1] << 8)) & 0x3FF; - r->coeffs[4 * i + 1] = ((a[5 * i + 1] >> 2) | ((uint32_t)a[5 * i + 2] << 6)) & 0x3FF; - r->coeffs[4 * i + 2] = ((a[5 * i + 2] >> 4) | ((uint32_t)a[5 * i + 3] << 4)) & 0x3FF; - r->coeffs[4 * i + 3] = ((a[5 * i + 3] >> 6) | ((uint32_t)a[5 * i + 4] << 2)) & 0x3FF; - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_polyt0_pack -* -* Description: Bit-pack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}]. -* -* Arguments: - uint8_t *r: pointer to output byte array with at least -* POLYT0_PACKEDBYTES bytes -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_polyt0_pack(uint8_t r[POLYT0_PACKEDBYTES], const poly *restrict a) { - unsigned int i; - uint32_t t[8]; - DBENCH_START(); - - for (i = 0; i < N / 8; ++i) { - t[0] = (1 << (D - 1)) - a->coeffs[8 * i + 0]; - t[1] = (1 << (D - 1)) - a->coeffs[8 * i + 1]; - t[2] = (1 << (D - 1)) - a->coeffs[8 * i + 2]; - t[3] = (1 << (D - 1)) - a->coeffs[8 * i + 3]; - t[4] = (1 << (D - 1)) - a->coeffs[8 * i + 4]; - t[5] = (1 << (D - 1)) - a->coeffs[8 * i + 5]; - t[6] = (1 << (D - 1)) - a->coeffs[8 * i + 6]; - t[7] = (1 << (D - 1)) - a->coeffs[8 * i + 7]; - - r[13 * i + 0] = t[0]; - r[13 * i + 1] = t[0] >> 8; - r[13 * i + 1] |= t[1] << 5; - r[13 * i + 2] = t[1] >> 3; - r[13 * i + 3] = t[1] >> 11; - r[13 * i + 3] |= t[2] << 2; - r[13 * i + 4] = t[2] >> 6; - r[13 * i + 4] |= t[3] << 7; - r[13 * i + 5] = t[3] >> 1; - r[13 * i + 6] = t[3] >> 9; - r[13 * i + 6] 
|= t[4] << 4; - r[13 * i + 7] = t[4] >> 4; - r[13 * i + 8] = t[4] >> 12; - r[13 * i + 8] |= t[5] << 1; - r[13 * i + 9] = t[5] >> 7; - r[13 * i + 9] |= t[6] << 6; - r[13 * i + 10] = t[6] >> 2; - r[13 * i + 11] = t[6] >> 10; - r[13 * i + 11] |= t[7] << 3; - r[13 * i + 12] = t[7] >> 5; - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_polyt0_unpack -* -* Description: Unpack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}]. -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: byte array with bit-packed polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_polyt0_unpack(poly *restrict r, const uint8_t a[POLYT0_PACKEDBYTES]) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N / 8; ++i) { - r->coeffs[8 * i + 0] = a[13 * i + 0]; - r->coeffs[8 * i + 0] |= (uint32_t)a[13 * i + 1] << 8; - r->coeffs[8 * i + 0] &= 0x1FFF; - - r->coeffs[8 * i + 1] = a[13 * i + 1] >> 5; - r->coeffs[8 * i + 1] |= (uint32_t)a[13 * i + 2] << 3; - r->coeffs[8 * i + 1] |= (uint32_t)a[13 * i + 3] << 11; - r->coeffs[8 * i + 1] &= 0x1FFF; - - r->coeffs[8 * i + 2] = a[13 * i + 3] >> 2; - r->coeffs[8 * i + 2] |= (uint32_t)a[13 * i + 4] << 6; - r->coeffs[8 * i + 2] &= 0x1FFF; - - r->coeffs[8 * i + 3] = a[13 * i + 4] >> 7; - r->coeffs[8 * i + 3] |= (uint32_t)a[13 * i + 5] << 1; - r->coeffs[8 * i + 3] |= (uint32_t)a[13 * i + 6] << 9; - r->coeffs[8 * i + 3] &= 0x1FFF; - - r->coeffs[8 * i + 4] = a[13 * i + 6] >> 4; - r->coeffs[8 * i + 4] |= (uint32_t)a[13 * i + 7] << 4; - r->coeffs[8 * i + 4] |= (uint32_t)a[13 * i + 8] << 12; - r->coeffs[8 * i + 4] &= 0x1FFF; - - r->coeffs[8 * i + 5] = a[13 * i + 8] >> 1; - r->coeffs[8 * i + 5] |= (uint32_t)a[13 * i + 9] << 7; - r->coeffs[8 * i + 5] &= 0x1FFF; - - r->coeffs[8 * i + 6] = a[13 * i + 9] >> 6; - r->coeffs[8 * i + 6] |= (uint32_t)a[13 * i + 10] << 2; - r->coeffs[8 * i + 6] |= (uint32_t)a[13 * i + 11] << 10; - 
r->coeffs[8 * i + 6] &= 0x1FFF; - - r->coeffs[8 * i + 7] = a[13 * i + 11] >> 3; - r->coeffs[8 * i + 7] |= (uint32_t)a[13 * i + 12] << 5; - r->coeffs[8 * i + 7] &= 0x1FFF; - - r->coeffs[8 * i + 0] = (1 << (D - 1)) - r->coeffs[8 * i + 0]; - r->coeffs[8 * i + 1] = (1 << (D - 1)) - r->coeffs[8 * i + 1]; - r->coeffs[8 * i + 2] = (1 << (D - 1)) - r->coeffs[8 * i + 2]; - r->coeffs[8 * i + 3] = (1 << (D - 1)) - r->coeffs[8 * i + 3]; - r->coeffs[8 * i + 4] = (1 << (D - 1)) - r->coeffs[8 * i + 4]; - r->coeffs[8 * i + 5] = (1 << (D - 1)) - r->coeffs[8 * i + 5]; - r->coeffs[8 * i + 6] = (1 << (D - 1)) - r->coeffs[8 * i + 6]; - r->coeffs[8 * i + 7] = (1 << (D - 1)) - r->coeffs[8 * i + 7]; - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_polyz_pack -* -* Description: Bit-pack polynomial with coefficients -* in [-(GAMMA1 - 1), GAMMA1]. -* -* Arguments: - uint8_t *r: pointer to output byte array with at least -* POLYZ_PACKEDBYTES bytes -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_polyz_pack(uint8_t r[POLYZ_PACKEDBYTES], const poly *restrict a) { - unsigned int i; - uint32_t t[4]; - DBENCH_START(); - - for (i = 0; i < N / 2; ++i) { - t[0] = GAMMA1 - a->coeffs[2 * i + 0]; - t[1] = GAMMA1 - a->coeffs[2 * i + 1]; - - r[5 * i + 0] = t[0]; - r[5 * i + 1] = t[0] >> 8; - r[5 * i + 2] = t[0] >> 16; - r[5 * i + 2] |= t[1] << 4; - r[5 * i + 3] = t[1] >> 4; - r[5 * i + 4] = t[1] >> 12; - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_polyz_unpack -* -* Description: Unpack polynomial z with coefficients -* in [-(GAMMA1 - 1), GAMMA1]. 
-* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: byte array with bit-packed polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_polyz_unpack(poly *restrict r, const uint8_t a[POLYZ_PACKEDBYTES + 12]) { - unsigned int i; - __m256i f; - const __m256i shufbidx = _mm256_set_epi8(-1, 11, 10, 9, -1, 9, 8, 7, -1, 6, 5, 4, -1, 4, 3, 2, - -1, 9, 8, 7, -1, 7, 6, 5, -1, 4, 3, 2, -1, 2, 1, 0); - const __m256i srlvdidx = _mm256_set1_epi64x((uint64_t)4 << 32); - const __m256i mask = _mm256_set1_epi32(0xFFFFF); - const __m256i gamma1 = _mm256_set1_epi32(GAMMA1); - DBENCH_START(); - - for (i = 0; i < N / 8; i++) { - f = _mm256_loadu_si256((__m256i *)&a[20 * i]); - f = _mm256_permute4x64_epi64(f, 0x94); - f = _mm256_shuffle_epi8(f, shufbidx); - f = _mm256_srlv_epi32(f, srlvdidx); - f = _mm256_and_si256(f, mask); - f = _mm256_sub_epi32(gamma1, f); - _mm256_store_si256(&r->vec[i], f); - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_polyw1_pack -* -* Description: Bit-pack polynomial w1 with coefficients in [0,15] or [0,43]. -* Input coefficients are assumed to be positive standard representatives. 
-* -* Arguments: - uint8_t *r: pointer to output byte array with at least -* POLYW1_PACKEDBYTES bytes -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_polyw1_pack(uint8_t r[POLYW1_PACKEDBYTES], const poly *restrict a) { - unsigned int i; - __m256i f0, f1, f2, f3, f4, f5, f6, f7; - const __m256i shift = _mm256_set1_epi16((16 << 8) + 1); - const __m256i shufbidx = _mm256_set_epi8(15, 14, 7, 6, 13, 12, 5, 4, 11, 10, 3, 2, 9, 8, 1, 0, - 15, 14, 7, 6, 13, 12, 5, 4, 11, 10, 3, 2, 9, 8, 1, 0); - DBENCH_START(); - - for (i = 0; i < N / 64; ++i) { - f0 = _mm256_load_si256(&a->vec[8 * i + 0]); - f1 = _mm256_load_si256(&a->vec[8 * i + 1]); - f2 = _mm256_load_si256(&a->vec[8 * i + 2]); - f3 = _mm256_load_si256(&a->vec[8 * i + 3]); - f4 = _mm256_load_si256(&a->vec[8 * i + 4]); - f5 = _mm256_load_si256(&a->vec[8 * i + 5]); - f6 = _mm256_load_si256(&a->vec[8 * i + 6]); - f7 = _mm256_load_si256(&a->vec[8 * i + 7]); - f0 = _mm256_packus_epi32(f0, f1); - f1 = _mm256_packus_epi32(f2, f3); - f2 = _mm256_packus_epi32(f4, f5); - f3 = _mm256_packus_epi32(f6, f7); - f0 = _mm256_packus_epi16(f0, f1); - f1 = _mm256_packus_epi16(f2, f3); - f0 = _mm256_maddubs_epi16(f0, shift); - f1 = _mm256_maddubs_epi16(f1, shift); - f0 = _mm256_packus_epi16(f0, f1); - f0 = _mm256_permute4x64_epi64(f0, 0xD8); - f0 = _mm256_shuffle_epi8(f0, shufbidx); - _mm256_storeu_si256((__m256i *)&r[32 * i], f0); - } - - DBENCH_STOP(*tpack); -} diff --git a/crypto_sign/dilithium3aes/avx2/poly.h b/crypto_sign/dilithium3aes/avx2/poly.h deleted file mode 100644 index 6b6cf193..00000000 --- a/crypto_sign/dilithium3aes/avx2/poly.h +++ /dev/null 
@@ -1,52 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM3AES_AVX2_POLY_H
-#define PQCLEAN_DILITHIUM3AES_AVX2_POLY_H
-#include "align.h"
-#include "params.h"
-#include "symmetric.h"
-#include
-
-typedef ALIGNED_INT32(N) poly;
-
-void PQCLEAN_DILITHIUM3AES_AVX2_poly_reduce(poly *a);
-void PQCLEAN_DILITHIUM3AES_AVX2_poly_caddq(poly *a);
-void PQCLEAN_DILITHIUM3AES_AVX2_poly_freeze(poly *a);
-
-void PQCLEAN_DILITHIUM3AES_AVX2_poly_add(poly *c, const poly *a, const poly *b);
-void PQCLEAN_DILITHIUM3AES_AVX2_poly_sub(poly *c, const poly *a, const poly *b);
-void PQCLEAN_DILITHIUM3AES_AVX2_poly_shiftl(poly *a);
-
-void PQCLEAN_DILITHIUM3AES_AVX2_poly_ntt(poly *a);
-void PQCLEAN_DILITHIUM3AES_AVX2_poly_invntt_tomont(poly *a);
-void PQCLEAN_DILITHIUM3AES_AVX2_poly_nttunpack(poly *a);
-void PQCLEAN_DILITHIUM3AES_AVX2_poly_pointwise_montgomery(poly *c, const poly *a, const poly *b);
-
-void PQCLEAN_DILITHIUM3AES_AVX2_poly_power2round(poly *a1, poly *a0, const poly *a);
-void PQCLEAN_DILITHIUM3AES_AVX2_poly_decompose(poly *a1, poly *a0, const poly *a);
-unsigned int PQCLEAN_DILITHIUM3AES_AVX2_poly_make_hint(uint8_t hint[N], const poly *a0, const poly *a1);
-void PQCLEAN_DILITHIUM3AES_AVX2_poly_use_hint(poly *b, const poly *a, const poly *h);
-
-int PQCLEAN_DILITHIUM3AES_AVX2_poly_chknorm(const poly *a, int32_t B);
-void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_preinit(poly *a, stream128_state *state);
-void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_eta_preinit(poly *a, stream128_state *state);
-void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_gamma1_preinit(poly *a, stream256_state *state);
-void PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce);
-void PQCLEAN_DILITHIUM3AES_AVX2_poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-
-
-void PQCLEAN_DILITHIUM3AES_AVX2_polyeta_pack(uint8_t r[POLYETA_PACKEDBYTES], const poly *a);
-void PQCLEAN_DILITHIUM3AES_AVX2_polyeta_unpack(poly *r, const uint8_t a[POLYETA_PACKEDBYTES]);
-
-void PQCLEAN_DILITHIUM3AES_AVX2_polyt1_pack(uint8_t r[POLYT1_PACKEDBYTES], const poly *a);
-void PQCLEAN_DILITHIUM3AES_AVX2_polyt1_unpack(poly *r, const uint8_t a[POLYT1_PACKEDBYTES]);
-
-void PQCLEAN_DILITHIUM3AES_AVX2_polyt0_pack(uint8_t r[POLYT0_PACKEDBYTES], const poly *a);
-void PQCLEAN_DILITHIUM3AES_AVX2_polyt0_unpack(poly *r, const uint8_t a[POLYT0_PACKEDBYTES]);
-
-void PQCLEAN_DILITHIUM3AES_AVX2_polyz_pack(uint8_t r[POLYZ_PACKEDBYTES], const poly *a);
-void PQCLEAN_DILITHIUM3AES_AVX2_polyz_unpack(poly *r, const uint8_t a[POLYZ_PACKEDBYTES + 14]);
-
-void PQCLEAN_DILITHIUM3AES_AVX2_polyw1_pack(uint8_t r[POLYW1_PACKEDBYTES + 8], const poly *a);
-
-#endif
diff --git a/crypto_sign/dilithium3aes/avx2/polyvec.c b/crypto_sign/dilithium3aes/avx2/polyvec.c
deleted file mode 100644
index 1047740e..00000000
--- a/crypto_sign/dilithium3aes/avx2/polyvec.c
+++ /dev/null
@@ -1,449 +0,0 @@ -#include "aes256ctr.h" -#include "consts.h" -#include "ntt.h" -#include "params.h" -#include "poly.h" -#include "polyvec.h" -#include - -#define UNUSED(x) (void)x - -/************************************************* -* Name: expand_mat -* -* Description: Implementation of ExpandA. Generates matrix A with uniformly -* random coefficients a_{i,j} by performing rejection -* sampling on the output stream of SHAKE128(rho|j|i) -* or AES256CTR(rho,j|i). -* -* Arguments: - polyvecl mat[K]: output matrix -* - const uint8_t rho[]: byte array containing seed rho -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) { - unsigned int i, j; - uint64_t nonce; - aes256ctr_ctx state; - - PQCLEAN_DILITHIUM3AES_AVX2_aes256ctr_init(&state, rho, 0); - - for (i = 0; i < K; i++) { - for (j = 0; j < L; j++) { - nonce = (i << 8) + j; - state.n = _mm_loadl_epi64((__m128i *)&nonce); - PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_preinit(&mat[i].vec[j], &state); - PQCLEAN_DILITHIUM3AES_AVX2_poly_nttunpack(&mat[i].vec[j]); - } - } -} - - -void PQCLEAN_DILITHIUM3AES_AVX2_polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_pointwise_acc_montgomery(&t->vec[i], &mat[i], v); - } -} - -/**************************************************************/ -/************ Vectors of polynomials of length L **************/ -/**************************************************************/ - -void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_eta(&v->vec[i], seed, nonce++); - } -} - -void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { - unsigned int i; - - 
for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_gamma1(&v->vec[i], seed, L * nonce + i); - } -} - -void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_reduce(polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_poly_reduce(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_freeze -* -* Description: Reduce coefficients of polynomials in vector of length L -* to standard representatives. -* -* Arguments: - polyvecl *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_freeze(polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_poly_freeze(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_add -* -* Description: Add vectors of polynomials of length L. -* No modular reduction is performed. -* -* Arguments: - polyvecl *w: pointer to output vector -* - const polyvecl *u: pointer to first summand -* - const polyvecl *v: pointer to second summand -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_poly_add(&w->vec[i], &u->vec[i], &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_ntt -* -* Description: Forward NTT of all polynomials in vector of length L. Output -* coefficients can be up to 16*Q larger than input coefficients. 
-* -* Arguments: - polyvecl *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_ntt(polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_poly_ntt(&v->vec[i]); - } -} - -void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_invntt_tomont(polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_poly_invntt_tomont(&v->vec[i]); - } -} - -void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_pointwise_acc_montgomery -* -* Description: Pointwise multiply vectors of polynomials of length L, multiply -* resulting vector by 2^{-32} and add (accumulate) polynomials -* in it. Input/output vectors are in NTT domain representation. -* -* Arguments: - poly *w: output polynomial -* - const polyvecl *u: pointer to first input vector -* - const polyvecl *v: pointer to second input vector -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_pointwise_acc_montgomery(poly *w, const polyvecl *u, const polyvecl *v) { - PQCLEAN_DILITHIUM3AES_AVX2_pointwise_acc_avx(w->vec, u->vec->vec, v->vec->vec, PQCLEAN_DILITHIUM3AES_AVX2_qdata.vec); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_chknorm -* -* Description: Check infinity norm of polynomials in vector of length L. -* Assumes input polyvecl to be reduced by PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_reduce(). -* -* Arguments: - const polyvecl *v: pointer to vector -* - int32_t B: norm bound -* -* Returns 0 if norm of all polynomials is strictly smaller than B <= (Q-1)/8 -* and 1 otherwise. 
-**************************************************/ -int PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_chknorm(const polyvecl *v, int32_t bound) { - unsigned int i; - - for (i = 0; i < L; ++i) { - if (PQCLEAN_DILITHIUM3AES_AVX2_poly_chknorm(&v->vec[i], bound)) { - return 1; - } - } - - return 0; -} - -/**************************************************************/ -/************ Vectors of polynomials of length K **************/ -/**************************************************************/ - -void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_eta(&v->vec[i], seed, nonce++); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_polyveck_reduce -* -* Description: Reduce coefficients of polynomials in vector of length K -* to representatives in [-6283009,6283007]. -* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_reduce(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_poly_reduce(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_polyveck_caddq -* -* Description: For all coefficients of polynomials in vector of length K -* add Q if coefficient is negative. -* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_caddq(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_poly_caddq(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_polyveck_freeze -* -* Description: Reduce coefficients of polynomials in vector of length K -* to standard representatives. 
-* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_freeze(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_poly_freeze(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_polyveck_add -* -* Description: Add vectors of polynomials of length K. -* No modular reduction is performed. -* -* Arguments: - polyveck *w: pointer to output vector -* - const polyveck *u: pointer to first summand -* - const polyveck *v: pointer to second summand -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_add(polyveck *w, const polyveck *u, const polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_poly_add(&w->vec[i], &u->vec[i], &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_polyveck_sub -* -* Description: Subtract vectors of polynomials of length K. -* No modular reduction is performed. -* -* Arguments: - polyveck *w: pointer to output vector -* - const polyveck *u: pointer to first input vector -* - const polyveck *v: pointer to second input vector to be -* subtracted from first input vector -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_poly_sub(&w->vec[i], &u->vec[i], &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_polyveck_shiftl -* -* Description: Multiply vector of polynomials of Length K by 2^D without modular -* reduction. Assumes input coefficients to be less than 2^{31-D}. 
-* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_shiftl(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_poly_shiftl(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_polyveck_ntt -* -* Description: Forward NTT of all polynomials in vector of length K. Output -* coefficients can be up to 16*Q larger than input coefficients. -* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_ntt(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_poly_ntt(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_polyveck_invntt_tomont -* -* Description: Inverse NTT and multiplication by 2^{32} of polynomials -* in vector of length K. Input coefficients need to be less -* than 2*Q. -* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_invntt_tomont(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_poly_invntt_tomont(&v->vec[i]); - } -} - -void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_polyveck_chknorm -* -* Description: Check infinity norm of polynomials in vector of length K. -* Assumes input polyveck to be reduced by PQCLEAN_DILITHIUM3AES_AVX2_polyveck_reduce(). 
-* -* Arguments: - const polyveck *v: pointer to vector -* - int32_t B: norm bound -* -* Returns 0 if norm of all polynomials are strictly smaller than B <= (Q-1)/8 -* and 1 otherwise. -**************************************************/ -int PQCLEAN_DILITHIUM3AES_AVX2_polyveck_chknorm(const polyveck *v, int32_t bound) { - unsigned int i; - - for (i = 0; i < K; ++i) { - if (PQCLEAN_DILITHIUM3AES_AVX2_poly_chknorm(&v->vec[i], bound)) { - return 1; - } - } - - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_polyveck_power2round -* -* Description: For all coefficients a of polynomials in vector of length K, -* compute a0, a1 such that a mod^+ Q = a1*2^D + a0 -* with -2^{D-1} < a0 <= 2^{D-1}. Assumes coefficients to be -* standard representatives. -* -* Arguments: - polyveck *v1: pointer to output vector of polynomials with -* coefficients a1 -* - polyveck *v0: pointer to output vector of polynomials with -* coefficients a0 -* - const polyveck *v: pointer to input vector -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_poly_power2round(&v1->vec[i], &v0->vec[i], &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_polyveck_decompose -* -* Description: For all coefficients a of polynomials in vector of length K, -* compute high and low bits a0, a1 such a mod^+ Q = a1*ALPHA + a0 -* with -ALPHA/2 < a0 <= ALPHA/2 except a1 = (Q-1)/ALPHA where we -* set a1 = 0 and -ALPHA/2 <= a0 = a mod Q - Q < 0. -* Assumes coefficients to be standard representatives. 
-* -* Arguments: - polyveck *v1: pointer to output vector of polynomials with -* coefficients a1 -* - polyveck *v0: pointer to output vector of polynomials with -* coefficients a0 -* - const polyveck *v: pointer to input vector -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_poly_decompose(&v1->vec[i], &v0->vec[i], &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_polyveck_make_hint -* -* Description: Compute hint vector. -* -* Arguments: - uint8_t *hint: pointer to output hint array -* - const polyveck *v0: pointer to low part of input vector -* - const polyveck *v1: pointer to high part of input vector -* -* Returns number of 1 bits. -**************************************************/ -unsigned int PQCLEAN_DILITHIUM3AES_AVX2_polyveck_make_hint(uint8_t *hint, const polyveck *v0, const polyveck *v1) { - unsigned int i, n = 0; - - for (i = 0; i < K; ++i) { - n += PQCLEAN_DILITHIUM3AES_AVX2_poly_make_hint(&hint[n], &v0->vec[i], &v1->vec[i]); - } - - return n; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_polyveck_use_hint -* -* Description: Use hint vector to correct the high bits of input vector. 
-* -* Arguments: - polyveck *w: pointer to output vector of polynomials with -* corrected high bits -* - const polyveck *u: pointer to input vector -* - const polyveck *h: pointer to input hint vector -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_poly_use_hint(&w->vec[i], &u->vec[i], &h->vec[i]); - } -} - -void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_pack_w1(uint8_t r[K * POLYW1_PACKEDBYTES], const polyveck *w1) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_AVX2_polyw1_pack(&r[i * POLYW1_PACKEDBYTES], &w1->vec[i]); - } -} diff --git a/crypto_sign/dilithium3aes/avx2/polyvec.h b/crypto_sign/dilithium3aes/avx2/polyvec.h deleted file mode 100644 index 0a76db3d..00000000 --- a/crypto_sign/dilithium3aes/avx2/polyvec.h +++ /dev/null 
@@ -1,64 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM3AES_AVX2_POLYVEC_H
-#define PQCLEAN_DILITHIUM3AES_AVX2_POLYVEC_H
-#include "params.h"
-#include "poly.h"
-#include
-
-/* Vectors of polynomials of length L */
-typedef struct {
- poly vec[L];
-} polyvecl;
-
-void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-
-void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-
-void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_reduce(polyvecl *v);
-
-void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_freeze(polyvecl *v);
-
-void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v);
-
-void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_ntt(polyvecl *v);
-void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_invntt_tomont(polyvecl *v);
-void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v);
-void PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_pointwise_acc_montgomery(poly *w,
- const polyvecl *u,
- const polyvecl *v);
-
-int PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_chknorm(const polyvecl *v, int32_t B);
-
-/* Vectors of polynomials of length K */
-typedef struct {
- poly vec[K];
-} polyveck;
-
-void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-
-void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_reduce(polyveck *v);
-void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_caddq(polyveck *v);
-void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_freeze(polyveck *v);
-
-void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_add(polyveck *w, const polyveck *u, const polyveck *v);
-void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v);
-void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_shiftl(polyveck *v);
-
-void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_ntt(polyveck *v);
-void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_invntt_tomont(polyveck *v);
-void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v);
-
-int PQCLEAN_DILITHIUM3AES_AVX2_polyveck_chknorm(const polyveck *v, int32_t B);
-
-void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v);
-void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v);
-unsigned int PQCLEAN_DILITHIUM3AES_AVX2_polyveck_make_hint(uint8_t *hint, const polyveck *v0, const polyveck *v1);
-void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h);
-
-void PQCLEAN_DILITHIUM3AES_AVX2_polyveck_pack_w1(uint8_t r[K * POLYW1_PACKEDBYTES], const polyveck *w1);
-
-void PQCLEAN_DILITHIUM3AES_AVX2_polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]);
-
-
-void PQCLEAN_DILITHIUM3AES_AVX2_polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v);
-
-#endif
diff --git a/crypto_sign/dilithium3aes/avx2/rejsample.c b/crypto_sign/dilithium3aes/avx2/rejsample.c
deleted file mode 100644
index 04af5fde..00000000
--- a/crypto_sign/dilithium3aes/avx2/rejsample.c
+++ /dev/null
@@ -1,378 +0,0 @@ -#include "params.h" -#include "rejsample.h" -#include "symmetric.h" -#include -#include - -const uint8_t PQCLEAN_DILITHIUM3AES_AVX2_idxlut[256][8] = { - { 0, 0, 0, 0, 0, 0, 0, 0}, - { 0, 0, 0, 0, 0, 0, 0, 0}, - { 1, 0, 0, 0, 0, 0, 0, 0}, - { 0, 1, 0, 0, 0, 0, 0, 0}, - { 2, 0, 0, 0, 0, 0, 0, 0}, - { 0, 2, 0, 0, 0, 0, 0, 0}, - { 1, 2, 0, 0, 0, 0, 0, 0}, - { 0, 1, 2, 0, 0, 0, 0, 0}, - { 3, 0, 0, 0, 0, 0, 0, 0}, - { 0, 3, 0, 0, 0, 0, 0, 0}, - { 1, 3, 0, 0, 0, 0, 0, 0}, - { 0, 1, 3, 0, 0, 0, 0, 0}, - { 2, 3, 0, 0, 0, 0, 0, 0}, - { 0, 2, 3, 0, 0, 0, 0, 0}, - { 1, 2, 3, 0, 0, 0, 0, 0}, - { 0, 1, 2, 3, 0, 0, 0, 0}, - { 4, 0, 0, 0, 0, 0, 0, 0}, - { 0, 4, 0, 0, 0, 0, 0, 0}, - { 1, 4, 0, 0, 0, 0, 0, 0}, - { 0, 1, 4, 0, 0, 0, 0, 0}, - { 2, 4, 0, 0, 0, 0, 0, 0}, - { 0, 2, 4, 0, 0, 0, 0, 0}, - { 1, 2, 4, 0, 0, 0, 0, 0}, - { 0, 1, 2, 4, 0, 0, 0, 0}, - { 3, 4, 0, 0, 0, 0, 0, 0}, - { 0, 3, 4, 0, 0, 0, 0, 0}, - { 1, 3, 4, 0, 0, 0, 0, 0}, - { 0, 1, 3, 4, 0, 0, 0, 0}, - { 2, 3, 4, 0, 0, 0, 0, 0}, - { 0, 2, 3, 4, 0, 0, 0, 0}, - { 1, 2, 3, 4, 0, 0, 0, 0}, - { 0, 1, 2, 3, 4, 0, 0, 0}, - { 5, 0, 0, 0, 0, 0, 0, 0}, - { 0, 5, 0, 0, 0, 0, 0, 0}, - { 1, 5, 0, 0, 0, 0, 0, 0}, - { 0, 1, 5, 0, 0, 0, 0, 0}, - { 2, 5, 0, 0, 0, 0, 0, 0}, - { 0, 2, 5, 0, 0, 0, 0, 0}, - { 1, 2, 5, 0, 0, 0, 0, 0}, - { 0, 1, 2, 5, 0, 0, 0, 0}, - { 3, 5, 0, 0, 0, 0, 0, 0}, - { 0, 3, 5, 0, 0, 0, 0, 0}, - { 1, 3, 5, 0, 0, 0, 0, 0}, - { 0, 1, 3, 5, 0, 0, 0, 0}, - { 2, 3, 5, 0, 0, 0, 0, 0}, - { 0, 2, 3, 5, 0, 0, 0, 0}, - { 1, 2, 3, 5, 0, 0, 0, 0}, - { 0, 1, 2, 3, 5, 0, 0, 0}, - { 4, 5, 0, 0, 0, 0, 0, 0}, - { 0, 4, 5, 0, 0, 0, 0, 0}, - { 1, 4, 5, 0, 0, 0, 0, 0}, - { 0, 1, 4, 5, 0, 0, 0, 0}, - { 2, 4, 5, 0, 0, 0, 0, 0}, - { 0, 2, 4, 5, 0, 0, 0, 0}, - { 1, 2, 4, 5, 0, 0, 0, 0}, - { 0, 1, 2, 4, 5, 0, 0, 0}, - { 3, 4, 5, 0, 0, 0, 0, 0}, - { 0, 3, 4, 5, 0, 0, 0, 0}, - { 1, 3, 4, 5, 0, 0, 0, 0}, - { 0, 1, 3, 4, 5, 0, 0, 0}, - { 2, 3, 4, 5, 0, 0, 0, 0}, - { 0, 2, 3, 4, 5, 0, 0, 0}, - { 1, 2, 3, 4, 5, 0, 0, 0}, - 
{ 0, 1, 2, 3, 4, 5, 0, 0}, - { 6, 0, 0, 0, 0, 0, 0, 0}, - { 0, 6, 0, 0, 0, 0, 0, 0}, - { 1, 6, 0, 0, 0, 0, 0, 0}, - { 0, 1, 6, 0, 0, 0, 0, 0}, - { 2, 6, 0, 0, 0, 0, 0, 0}, - { 0, 2, 6, 0, 0, 0, 0, 0}, - { 1, 2, 6, 0, 0, 0, 0, 0}, - { 0, 1, 2, 6, 0, 0, 0, 0}, - { 3, 6, 0, 0, 0, 0, 0, 0}, - { 0, 3, 6, 0, 0, 0, 0, 0}, - { 1, 3, 6, 0, 0, 0, 0, 0}, - { 0, 1, 3, 6, 0, 0, 0, 0}, - { 2, 3, 6, 0, 0, 0, 0, 0}, - { 0, 2, 3, 6, 0, 0, 0, 0}, - { 1, 2, 3, 6, 0, 0, 0, 0}, - { 0, 1, 2, 3, 6, 0, 0, 0}, - { 4, 6, 0, 0, 0, 0, 0, 0}, - { 0, 4, 6, 0, 0, 0, 0, 0}, - { 1, 4, 6, 0, 0, 0, 0, 0}, - { 0, 1, 4, 6, 0, 0, 0, 0}, - { 2, 4, 6, 0, 0, 0, 0, 0}, - { 0, 2, 4, 6, 0, 0, 0, 0}, - { 1, 2, 4, 6, 0, 0, 0, 0}, - { 0, 1, 2, 4, 6, 0, 0, 0}, - { 3, 4, 6, 0, 0, 0, 0, 0}, - { 0, 3, 4, 6, 0, 0, 0, 0}, - { 1, 3, 4, 6, 0, 0, 0, 0}, - { 0, 1, 3, 4, 6, 0, 0, 0}, - { 2, 3, 4, 6, 0, 0, 0, 0}, - { 0, 2, 3, 4, 6, 0, 0, 0}, - { 1, 2, 3, 4, 6, 0, 0, 0}, - { 0, 1, 2, 3, 4, 6, 0, 0}, - { 5, 6, 0, 0, 0, 0, 0, 0}, - { 0, 5, 6, 0, 0, 0, 0, 0}, - { 1, 5, 6, 0, 0, 0, 0, 0}, - { 0, 1, 5, 6, 0, 0, 0, 0}, - { 2, 5, 6, 0, 0, 0, 0, 0}, - { 0, 2, 5, 6, 0, 0, 0, 0}, - { 1, 2, 5, 6, 0, 0, 0, 0}, - { 0, 1, 2, 5, 6, 0, 0, 0}, - { 3, 5, 6, 0, 0, 0, 0, 0}, - { 0, 3, 5, 6, 0, 0, 0, 0}, - { 1, 3, 5, 6, 0, 0, 0, 0}, - { 0, 1, 3, 5, 6, 0, 0, 0}, - { 2, 3, 5, 6, 0, 0, 0, 0}, - { 0, 2, 3, 5, 6, 0, 0, 0}, - { 1, 2, 3, 5, 6, 0, 0, 0}, - { 0, 1, 2, 3, 5, 6, 0, 0}, - { 4, 5, 6, 0, 0, 0, 0, 0}, - { 0, 4, 5, 6, 0, 0, 0, 0}, - { 1, 4, 5, 6, 0, 0, 0, 0}, - { 0, 1, 4, 5, 6, 0, 0, 0}, - { 2, 4, 5, 6, 0, 0, 0, 0}, - { 0, 2, 4, 5, 6, 0, 0, 0}, - { 1, 2, 4, 5, 6, 0, 0, 0}, - { 0, 1, 2, 4, 5, 6, 0, 0}, - { 3, 4, 5, 6, 0, 0, 0, 0}, - { 0, 3, 4, 5, 6, 0, 0, 0}, - { 1, 3, 4, 5, 6, 0, 0, 0}, - { 0, 1, 3, 4, 5, 6, 0, 0}, - { 2, 3, 4, 5, 6, 0, 0, 0}, - { 0, 2, 3, 4, 5, 6, 0, 0}, - { 1, 2, 3, 4, 5, 6, 0, 0}, - { 0, 1, 2, 3, 4, 5, 6, 0}, - { 7, 0, 0, 0, 0, 0, 0, 0}, - { 0, 7, 0, 0, 0, 0, 0, 0}, - { 1, 7, 0, 0, 0, 0, 0, 0}, - { 0, 1, 7, 0, 0, 0, 0, 0}, 
- { 2, 7, 0, 0, 0, 0, 0, 0}, - { 0, 2, 7, 0, 0, 0, 0, 0}, - { 1, 2, 7, 0, 0, 0, 0, 0}, - { 0, 1, 2, 7, 0, 0, 0, 0}, - { 3, 7, 0, 0, 0, 0, 0, 0}, - { 0, 3, 7, 0, 0, 0, 0, 0}, - { 1, 3, 7, 0, 0, 0, 0, 0}, - { 0, 1, 3, 7, 0, 0, 0, 0}, - { 2, 3, 7, 0, 0, 0, 0, 0}, - { 0, 2, 3, 7, 0, 0, 0, 0}, - { 1, 2, 3, 7, 0, 0, 0, 0}, - { 0, 1, 2, 3, 7, 0, 0, 0}, - { 4, 7, 0, 0, 0, 0, 0, 0}, - { 0, 4, 7, 0, 0, 0, 0, 0}, - { 1, 4, 7, 0, 0, 0, 0, 0}, - { 0, 1, 4, 7, 0, 0, 0, 0}, - { 2, 4, 7, 0, 0, 0, 0, 0}, - { 0, 2, 4, 7, 0, 0, 0, 0}, - { 1, 2, 4, 7, 0, 0, 0, 0}, - { 0, 1, 2, 4, 7, 0, 0, 0}, - { 3, 4, 7, 0, 0, 0, 0, 0}, - { 0, 3, 4, 7, 0, 0, 0, 0}, - { 1, 3, 4, 7, 0, 0, 0, 0}, - { 0, 1, 3, 4, 7, 0, 0, 0}, - { 2, 3, 4, 7, 0, 0, 0, 0}, - { 0, 2, 3, 4, 7, 0, 0, 0}, - { 1, 2, 3, 4, 7, 0, 0, 0}, - { 0, 1, 2, 3, 4, 7, 0, 0}, - { 5, 7, 0, 0, 0, 0, 0, 0}, - { 0, 5, 7, 0, 0, 0, 0, 0}, - { 1, 5, 7, 0, 0, 0, 0, 0}, - { 0, 1, 5, 7, 0, 0, 0, 0}, - { 2, 5, 7, 0, 0, 0, 0, 0}, - { 0, 2, 5, 7, 0, 0, 0, 0}, - { 1, 2, 5, 7, 0, 0, 0, 0}, - { 0, 1, 2, 5, 7, 0, 0, 0}, - { 3, 5, 7, 0, 0, 0, 0, 0}, - { 0, 3, 5, 7, 0, 0, 0, 0}, - { 1, 3, 5, 7, 0, 0, 0, 0}, - { 0, 1, 3, 5, 7, 0, 0, 0}, - { 2, 3, 5, 7, 0, 0, 0, 0}, - { 0, 2, 3, 5, 7, 0, 0, 0}, - { 1, 2, 3, 5, 7, 0, 0, 0}, - { 0, 1, 2, 3, 5, 7, 0, 0}, - { 4, 5, 7, 0, 0, 0, 0, 0}, - { 0, 4, 5, 7, 0, 0, 0, 0}, - { 1, 4, 5, 7, 0, 0, 0, 0}, - { 0, 1, 4, 5, 7, 0, 0, 0}, - { 2, 4, 5, 7, 0, 0, 0, 0}, - { 0, 2, 4, 5, 7, 0, 0, 0}, - { 1, 2, 4, 5, 7, 0, 0, 0}, - { 0, 1, 2, 4, 5, 7, 0, 0}, - { 3, 4, 5, 7, 0, 0, 0, 0}, - { 0, 3, 4, 5, 7, 0, 0, 0}, - { 1, 3, 4, 5, 7, 0, 0, 0}, - { 0, 1, 3, 4, 5, 7, 0, 0}, - { 2, 3, 4, 5, 7, 0, 0, 0}, - { 0, 2, 3, 4, 5, 7, 0, 0}, - { 1, 2, 3, 4, 5, 7, 0, 0}, - { 0, 1, 2, 3, 4, 5, 7, 0}, - { 6, 7, 0, 0, 0, 0, 0, 0}, - { 0, 6, 7, 0, 0, 0, 0, 0}, - { 1, 6, 7, 0, 0, 0, 0, 0}, - { 0, 1, 6, 7, 0, 0, 0, 0}, - { 2, 6, 7, 0, 0, 0, 0, 0}, - { 0, 2, 6, 7, 0, 0, 0, 0}, - { 1, 2, 6, 7, 0, 0, 0, 0}, - { 0, 1, 2, 6, 7, 0, 0, 0}, - { 3, 6, 7, 0, 0, 0, 0, 
0}, - { 0, 3, 6, 7, 0, 0, 0, 0}, - { 1, 3, 6, 7, 0, 0, 0, 0}, - { 0, 1, 3, 6, 7, 0, 0, 0}, - { 2, 3, 6, 7, 0, 0, 0, 0}, - { 0, 2, 3, 6, 7, 0, 0, 0}, - { 1, 2, 3, 6, 7, 0, 0, 0}, - { 0, 1, 2, 3, 6, 7, 0, 0}, - { 4, 6, 7, 0, 0, 0, 0, 0}, - { 0, 4, 6, 7, 0, 0, 0, 0}, - { 1, 4, 6, 7, 0, 0, 0, 0}, - { 0, 1, 4, 6, 7, 0, 0, 0}, - { 2, 4, 6, 7, 0, 0, 0, 0}, - { 0, 2, 4, 6, 7, 0, 0, 0}, - { 1, 2, 4, 6, 7, 0, 0, 0}, - { 0, 1, 2, 4, 6, 7, 0, 0}, - { 3, 4, 6, 7, 0, 0, 0, 0}, - { 0, 3, 4, 6, 7, 0, 0, 0}, - { 1, 3, 4, 6, 7, 0, 0, 0}, - { 0, 1, 3, 4, 6, 7, 0, 0}, - { 2, 3, 4, 6, 7, 0, 0, 0}, - { 0, 2, 3, 4, 6, 7, 0, 0}, - { 1, 2, 3, 4, 6, 7, 0, 0}, - { 0, 1, 2, 3, 4, 6, 7, 0}, - { 5, 6, 7, 0, 0, 0, 0, 0}, - { 0, 5, 6, 7, 0, 0, 0, 0}, - { 1, 5, 6, 7, 0, 0, 0, 0}, - { 0, 1, 5, 6, 7, 0, 0, 0}, - { 2, 5, 6, 7, 0, 0, 0, 0}, - { 0, 2, 5, 6, 7, 0, 0, 0}, - { 1, 2, 5, 6, 7, 0, 0, 0}, - { 0, 1, 2, 5, 6, 7, 0, 0}, - { 3, 5, 6, 7, 0, 0, 0, 0}, - { 0, 3, 5, 6, 7, 0, 0, 0}, - { 1, 3, 5, 6, 7, 0, 0, 0}, - { 0, 1, 3, 5, 6, 7, 0, 0}, - { 2, 3, 5, 6, 7, 0, 0, 0}, - { 0, 2, 3, 5, 6, 7, 0, 0}, - { 1, 2, 3, 5, 6, 7, 0, 0}, - { 0, 1, 2, 3, 5, 6, 7, 0}, - { 4, 5, 6, 7, 0, 0, 0, 0}, - { 0, 4, 5, 6, 7, 0, 0, 0}, - { 1, 4, 5, 6, 7, 0, 0, 0}, - { 0, 1, 4, 5, 6, 7, 0, 0}, - { 2, 4, 5, 6, 7, 0, 0, 0}, - { 0, 2, 4, 5, 6, 7, 0, 0}, - { 1, 2, 4, 5, 6, 7, 0, 0}, - { 0, 1, 2, 4, 5, 6, 7, 0}, - { 3, 4, 5, 6, 7, 0, 0, 0}, - { 0, 3, 4, 5, 6, 7, 0, 0}, - { 1, 3, 4, 5, 6, 7, 0, 0}, - { 0, 1, 3, 4, 5, 6, 7, 0}, - { 2, 3, 4, 5, 6, 7, 0, 0}, - { 0, 2, 3, 4, 5, 6, 7, 0}, - { 1, 2, 3, 4, 5, 6, 7, 0}, - { 0, 1, 2, 3, 4, 5, 6, 7} -}; - -unsigned int PQCLEAN_DILITHIUM3AES_AVX2_rej_uniform_avx(int32_t *restrict r, const uint8_t buf[REJ_UNIFORM_BUFLEN + 8]) { - unsigned int ctr, pos; - uint32_t good; - __m256i d, tmp; - const __m256i bound = _mm256_set1_epi32(Q); - const __m256i mask = _mm256_set1_epi32(0x7FFFFF); - const __m256i idx8 = _mm256_set_epi8(-1, 15, 14, 13, -1, 12, 11, 10, - -1, 9, 8, 7, -1, 6, 5, 4, - -1, 11, 10, 
9, -1, 8, 7, 6, - -1, 5, 4, 3, -1, 2, 1, 0); - - ctr = pos = 0; - while (pos <= REJ_UNIFORM_BUFLEN - 24) { - d = _mm256_loadu_si256((__m256i *)&buf[pos]); - d = _mm256_permute4x64_epi64(d, 0x94); - d = _mm256_shuffle_epi8(d, idx8); - d = _mm256_and_si256(d, mask); - pos += 24; - - tmp = _mm256_sub_epi32(d, bound); - good = _mm256_movemask_ps((__m256)tmp); - tmp = _mm256_cvtepu8_epi32(_mm_loadl_epi64((__m128i *)&PQCLEAN_DILITHIUM3AES_AVX2_idxlut[good])); - d = _mm256_permutevar8x32_epi32(d, tmp); - - _mm256_storeu_si256((__m256i *)&r[ctr], d); - ctr += _mm_popcnt_u32(good); - - } - - - return ctr; -} - -unsigned int PQCLEAN_DILITHIUM3AES_AVX2_rej_eta_avx(int32_t *restrict r, const uint8_t buf[REJ_UNIFORM_ETA_BUFLEN]) { - unsigned int ctr, pos; - uint32_t good; - __m256i f0, f1; - __m128i g0, g1; - const __m256i mask = _mm256_set1_epi8(15); - const __m256i eta = _mm256_set1_epi8(4); - const __m256i bound = _mm256_set1_epi8(9); - - ctr = pos = 0; - while (ctr <= N - 8 && pos <= REJ_UNIFORM_ETA_BUFLEN - 16) { - f0 = _mm256_cvtepu8_epi16(_mm_loadu_si128((__m128i *)&buf[pos])); - f1 = _mm256_slli_epi16(f0, 4); - f0 = _mm256_or_si256(f0, f1); - f0 = _mm256_and_si256(f0, mask); - - f1 = _mm256_sub_epi8(f0, bound); - f0 = _mm256_sub_epi8(eta, f0); - good = _mm256_movemask_epi8(f1); - - g0 = _mm256_castsi256_si128(f0); - g1 = _mm_loadl_epi64((__m128i *)&PQCLEAN_DILITHIUM3AES_AVX2_idxlut[good & 0xFF]); - g1 = _mm_shuffle_epi8(g0, g1); - f1 = _mm256_cvtepi8_epi32(g1); - _mm256_storeu_si256((__m256i *)&r[ctr], f1); - ctr += _mm_popcnt_u32(good & 0xFF); - good >>= 8; - pos += 4; - - if (ctr > N - 8) { - break; - } - g0 = _mm_bsrli_si128(g0, 8); - g1 = _mm_loadl_epi64((__m128i *)&PQCLEAN_DILITHIUM3AES_AVX2_idxlut[good & 0xFF]); - g1 = _mm_shuffle_epi8(g0, g1); - f1 = _mm256_cvtepi8_epi32(g1); - _mm256_storeu_si256((__m256i *)&r[ctr], f1); - ctr += _mm_popcnt_u32(good & 0xFF); - good >>= 8; - pos += 4; - - if (ctr > N - 8) { - break; - } - g0 = _mm256_extracti128_si256(f0, 1); - 
g1 = _mm_loadl_epi64((__m128i *)&PQCLEAN_DILITHIUM3AES_AVX2_idxlut[good & 0xFF]); - g1 = _mm_shuffle_epi8(g0, g1); - f1 = _mm256_cvtepi8_epi32(g1); - _mm256_storeu_si256((__m256i *)&r[ctr], f1); - ctr += _mm_popcnt_u32(good & 0xFF); - good >>= 8; - pos += 4; - - if (ctr > N - 8) { - break; - } - g0 = _mm_bsrli_si128(g0, 8); - g1 = _mm_loadl_epi64((__m128i *)&PQCLEAN_DILITHIUM3AES_AVX2_idxlut[good]); - g1 = _mm_shuffle_epi8(g0, g1); - f1 = _mm256_cvtepi8_epi32(g1); - _mm256_storeu_si256((__m256i *)&r[ctr], f1); - ctr += _mm_popcnt_u32(good); - pos += 4; - } - - uint32_t t0, t1; - while (ctr < N && pos < REJ_UNIFORM_ETA_BUFLEN) { - t0 = buf[pos] & 0x0F; - t1 = buf[pos++] >> 4; - - if (t0 < 9) { - r[ctr++] = 4 - t0; - } - if (t1 < 9 && ctr < N) { - r[ctr++] = 4 - t1; - } - } - - return ctr; -} diff --git a/crypto_sign/dilithium3aes/avx2/rejsample.h b/crypto_sign/dilithium3aes/avx2/rejsample.h deleted file mode 100644 index 2f52d684..00000000 --- a/crypto_sign/dilithium3aes/avx2/rejsample.h +++ /dev/null @@ -1,19 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM3AES_AVX2_REJSAMPLE_H -#define PQCLEAN_DILITHIUM3AES_AVX2_REJSAMPLE_H -#include "params.h" -#include "symmetric.h" -#include - -#define REJ_UNIFORM_NBLOCKS ((768+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES) -#define REJ_UNIFORM_BUFLEN (REJ_UNIFORM_NBLOCKS*STREAM128_BLOCKBYTES) - -#define REJ_UNIFORM_ETA_NBLOCKS ((228+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES) -#define REJ_UNIFORM_ETA_BUFLEN (REJ_UNIFORM_ETA_NBLOCKS*STREAM128_BLOCKBYTES) - -extern const uint8_t PQCLEAN_DILITHIUM3AES_AVX2_idxlut[256][8]; - -unsigned int PQCLEAN_DILITHIUM3AES_AVX2_rej_uniform_avx(int32_t *r, const uint8_t buf[REJ_UNIFORM_BUFLEN + 8]); - -unsigned int PQCLEAN_DILITHIUM3AES_AVX2_rej_eta_avx(int32_t *r, const uint8_t buf[REJ_UNIFORM_BUFLEN]); - -#endif diff --git a/crypto_sign/dilithium3aes/avx2/rounding.c b/crypto_sign/dilithium3aes/avx2/rounding.c deleted file mode 100644 index f7475870..00000000 
--- a/crypto_sign/dilithium3aes/avx2/rounding.c
+++ /dev/null
@@ -1,154 +0,0 @@ -#include "consts.h" -#include "params.h" -#include "rejsample.h" -#include "rounding.h" -#include -#include -#include - -#define _mm256_blendv_epi32(a,b,mask) \ - _mm256_castps_si256(_mm256_blendv_ps(_mm256_castsi256_ps(a), \ - _mm256_castsi256_ps(b), \ - _mm256_castsi256_ps(mask))) - -/************************************************* -* Name: power2round -* -* Description: For finite field elements a, compute a0, a1 such that -* a mod^+ Q = a1*2^D + a0 with -2^{D-1} < a0 <= 2^{D-1}. -* Assumes a to be positive standard representative. -* -* Arguments: - __m256i *a1: output array of length N/8 with high bits -* - __m256i *a0: output array of length N/8 with low bits a0 -* - const __m256i *a: input array of length N/8 -* -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_power2round_avx(__m256i *a1, __m256i *a0, const __m256i *a) { - unsigned int i; - __m256i f, f0, f1; - const __m256i mask = _mm256_set1_epi32(-(1 << D)); - const __m256i half = _mm256_set1_epi32((1 << (D - 1)) - 1); - - for (i = 0; i < N / 8; ++i) { - f = _mm256_load_si256(&a[i]); - f1 = _mm256_add_epi32(f, half); - f0 = _mm256_and_si256(f1, mask); - f1 = _mm256_srli_epi32(f1, D); - f0 = _mm256_sub_epi32(f, f0); - _mm256_store_si256(&a1[i], f1); - _mm256_store_si256(&a0[i], f0); - } -} - -/************************************************* -* Name: decompose -* -* Description: For finite field element a, compute high and low parts a0, a1 such -* that a mod^+ Q = a1*ALPHA + a0 with -ALPHA/2 < a0 <= ALPHA/2 except -* if a1 = (Q-1)/ALPHA where we set a1 = 0 and -* -ALPHA/2 <= a0 = a mod Q - Q < 0. Assumes a to be positive standard -* representative. 
-* -* Arguments: - __m256i *a1: output array of length N/8 with high parts -* - __m256i *a0: output array of length N/8 with low parts a0 -* - const __m256i *a: input array of length N/8 -* -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_decompose_avx(__m256i *a1, __m256i *a0, const __m256i *a) { - unsigned int i; - __m256i f, f0, f1; - const __m256i q = _mm256_load_si256(&PQCLEAN_DILITHIUM3AES_AVX2_qdata.vec[_8XQ / 8]); - const __m256i hq = _mm256_srli_epi32(q, 1); - const __m256i v = _mm256_set1_epi32(1025); - const __m256i alpha = _mm256_set1_epi32(2 * GAMMA2); - const __m256i off = _mm256_set1_epi32(127); - const __m256i shift = _mm256_set1_epi32(512); - const __m256i mask = _mm256_set1_epi32(15); - - for (i = 0; i < N / 8; i++) { - f = _mm256_load_si256(&a[i]); - f1 = _mm256_add_epi32(f, off); - f1 = _mm256_srli_epi32(f1, 7); - f1 = _mm256_mulhi_epu16(f1, v); - f1 = _mm256_mulhrs_epi16(f1, shift); - f1 = _mm256_and_si256(f1, mask); - f0 = _mm256_mullo_epi32(f1, alpha); - f0 = _mm256_sub_epi32(f, f0); - f = _mm256_cmpgt_epi32(f0, hq); - f = _mm256_and_si256(f, q); - f0 = _mm256_sub_epi32(f0, f); - _mm256_store_si256(&a1[i], f1); - _mm256_store_si256(&a0[i], f0); - } -} - - -/************************************************* -* Name: make_hint -* -* Description: Compute indices of polynomial coefficients whose low bits -* overflow into the high bits. 
-* -* Arguments: - uint8_t *hint: hint array -* - const __m256i *a0: low bits of input elements -* - const __m256i *a1: high bits of input elements -* -* Returns number of overflowing low bits -**************************************************/ -unsigned int PQCLEAN_DILITHIUM3AES_AVX2_make_hint_avx(uint8_t hint[N], const __m256i *restrict a0, const __m256i *restrict a1) { - unsigned int i, n = 0; - __m256i f0, f1, g0, g1; - uint32_t bad; - uint64_t idx; - const __m256i low = _mm256_set1_epi32(-GAMMA2); - const __m256i high = _mm256_set1_epi32(GAMMA2); - - for (i = 0; i < N / 8; ++i) { - f0 = _mm256_load_si256(&a0[i]); - f1 = _mm256_load_si256(&a1[i]); - g0 = _mm256_abs_epi32(f0); - g0 = _mm256_cmpgt_epi32(g0, high); - g1 = _mm256_cmpeq_epi32(f0, low); - g1 = _mm256_sign_epi32(g1, f1); - g0 = _mm256_or_si256(g0, g1); - - bad = _mm256_movemask_ps((__m256)g0); - memcpy(&idx, PQCLEAN_DILITHIUM3AES_AVX2_idxlut[bad], 8); - idx += (uint64_t)0x0808080808080808 * i; - memcpy(&hint[n], &idx, 8); - n += _mm_popcnt_u32(bad); - } - - return n; -} - -/************************************************* -* Name: use_hint -* -* Description: Correct high parts according to hint. 
-* -* Arguments: - __m256i *b: output array of length N/8 with corrected high parts -* - const __m256i *a: input array of length N/8 -* - const __m256i *a: input array of length N/8 with hint bits -* -**************************************************/ -void PQCLEAN_DILITHIUM3AES_AVX2_use_hint_avx(__m256i *b, const __m256i *a, const __m256i *restrict hint) { - unsigned int i; - __m256i a0[N / 8]; - __m256i f, g, h, t; - const __m256i zero = _mm256_setzero_si256(); - const __m256i mask = _mm256_set1_epi32(15); - - PQCLEAN_DILITHIUM3AES_AVX2_decompose_avx(b, a0, a); - for (i = 0; i < N / 8; i++) { - f = _mm256_load_si256(&a0[i]); - g = _mm256_load_si256(&b[i]); - h = _mm256_load_si256(&hint[i]); - t = _mm256_blendv_epi32(zero, h, f); - t = _mm256_slli_epi32(t, 1); - h = _mm256_sub_epi32(h, t); - g = _mm256_add_epi32(g, h); - g = _mm256_and_si256(g, mask); - _mm256_store_si256(&b[i], g); - } -} diff --git a/crypto_sign/dilithium3aes/avx2/rounding.h b/crypto_sign/dilithium3aes/avx2/rounding.h deleted file mode 100644 index 7ed2686b..00000000 --- a/crypto_sign/dilithium3aes/avx2/rounding.h +++ /dev/null @@ -1,12 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM3AES_AVX2_ROUNDING_H -#define PQCLEAN_DILITHIUM3AES_AVX2_ROUNDING_H -#include "params.h" -#include -#include - -void PQCLEAN_DILITHIUM3AES_AVX2_power2round_avx(__m256i *a1, __m256i *a0, const __m256i *a); -void PQCLEAN_DILITHIUM3AES_AVX2_decompose_avx(__m256i *a1, __m256i *a0, const __m256i *a); -unsigned int PQCLEAN_DILITHIUM3AES_AVX2_make_hint_avx(uint8_t hint[N], const __m256i *a0, const __m256i *a1); -void PQCLEAN_DILITHIUM3AES_AVX2_use_hint_avx(__m256i *b, const __m256i *a, const __m256i *hint); - -#endif diff --git a/crypto_sign/dilithium3aes/avx2/shuffle.S b/crypto_sign/dilithium3aes/avx2/shuffle.S deleted file mode 100644 index 77a42ea5..00000000 --- a/crypto_sign/dilithium3aes/avx2/shuffle.S +++ /dev/null 
@@ -1,54 +0,0 @@
-#include "cdecl.h"
-.include "shuffle.inc"
-
-.text
-nttunpack128_avx:
-#load
-vmovdqa (%rdi),%ymm4
-vmovdqa 32(%rdi),%ymm5
-vmovdqa 64(%rdi),%ymm6
-vmovdqa 96(%rdi),%ymm7
-vmovdqa 128(%rdi),%ymm8
-vmovdqa 160(%rdi),%ymm9
-vmovdqa 192(%rdi),%ymm10
-vmovdqa 224(%rdi),%ymm11
-
-shuffle8 4,8,3,8
-shuffle8 5,9,4,9
-shuffle8 6,10,5,10
-shuffle8 7,11,6,11
-
-shuffle4 3,5,7,5
-shuffle4 8,10,3,10
-shuffle4 4,6,8,6
-shuffle4 9,11,4,11
-
-shuffle2 7,8,9,8
-shuffle2 5,6,7,6
-shuffle2 3,4,5,4
-shuffle2 10,11,3,11
-
-#store
-vmovdqa %ymm9,(%rdi)
-vmovdqa %ymm8,32(%rdi)
-vmovdqa %ymm7,64(%rdi)
-vmovdqa %ymm6,96(%rdi)
-vmovdqa %ymm5,128(%rdi)
-vmovdqa %ymm4,160(%rdi)
-vmovdqa %ymm3,192(%rdi)
-vmovdqa %ymm11,224(%rdi)
-
-ret
-
-.global cdecl(PQCLEAN_DILITHIUM3AES_AVX2_nttunpack_avx)
-.global _cdecl(PQCLEAN_DILITHIUM3AES_AVX2_nttunpack_avx)
-cdecl(PQCLEAN_DILITHIUM3AES_AVX2_nttunpack_avx):
-_cdecl(PQCLEAN_DILITHIUM3AES_AVX2_nttunpack_avx):
-call nttunpack128_avx
-add $256,%rdi
-call nttunpack128_avx
-add $256,%rdi
-call nttunpack128_avx
-add $256,%rdi
-call nttunpack128_avx
-ret
diff --git a/crypto_sign/dilithium3aes/avx2/shuffle.inc b/crypto_sign/dilithium3aes/avx2/shuffle.inc
deleted file mode 100644
index 73e9ffe0..00000000
--- a/crypto_sign/dilithium3aes/avx2/shuffle.inc
+++ /dev/null
@@ -1,25 +0,0 @@
-.macro shuffle8 r0,r1,r2,r3
-vperm2i128 $0x20,%ymm\r1,%ymm\r0,%ymm\r2
-vperm2i128 $0x31,%ymm\r1,%ymm\r0,%ymm\r3
-.endm
-
-.macro shuffle4 r0,r1,r2,r3
-vpunpcklqdq %ymm\r1,%ymm\r0,%ymm\r2
-vpunpckhqdq %ymm\r1,%ymm\r0,%ymm\r3
-.endm
-
-.macro shuffle2 r0,r1,r2,r3
-#vpsllq $32,%ymm\r1,%ymm\r2
-vmovsldup %ymm\r1,%ymm\r2
-vpblendd $0xAA,%ymm\r2,%ymm\r0,%ymm\r2
-vpsrlq $32,%ymm\r0,%ymm\r0
-#vmovshdup %ymm\r0,%ymm\r0
-vpblendd $0xAA,%ymm\r1,%ymm\r0,%ymm\r3
-.endm
-
-.macro shuffle1 r0,r1,r2,r3
-vpslld $16,%ymm\r1,%ymm\r2
-vpblendw $0xAA,%ymm\r2,%ymm\r0,%ymm\r2
-vpsrld $16,%ymm\r0,%ymm\r0
-vpblendw $0xAA,%ymm\r1,%ymm\r0,%ymm\r3
-.endm
diff --git a/crypto_sign/dilithium3aes/avx2/sign.c b/crypto_sign/dilithium3aes/avx2/sign.c
deleted file mode 100644
index 7c2c2a08..00000000
--- a/crypto_sign/dilithium3aes/avx2/sign.c
+++ /dev/null
@@ -1,425 +0,0 @@ -#include "aes256ctr.h" -#include "align.h" -#include "fips202.h" -#include "packing.h" -#include "params.h" -#include "poly.h" -#include "polyvec.h" -#include "randombytes.h" -#include "sign.h" -#include "symmetric.h" -#include -#include - - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_keypair -* -* Description: Generates public and private key. -* -* Arguments: - uint8_t *pk: pointer to output public key (allocated -* array of PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_PUBLICKEYBYTES bytes) -* - uint8_t *sk: pointer to output private key (allocated -* array of PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_SECRETKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { - unsigned int i; - uint8_t seedbuf[3 * SEEDBYTES]; - const uint8_t *rho, *rhoprime, *key; - uint64_t nonce; - aes256ctr_ctx aesctx; - polyvecl rowbuf[1]; - polyvecl s1, *row = rowbuf; - polyveck s2; - poly t1, t0; - - /* Get randomness for rho, rhoprime and key */ - randombytes(seedbuf, SEEDBYTES); - shake256(seedbuf, 3 * SEEDBYTES, seedbuf, SEEDBYTES); - rho = seedbuf; - rhoprime = seedbuf + SEEDBYTES; - key = seedbuf + 2 * SEEDBYTES; - - /* Store rho, key */ - memcpy(pk, rho, SEEDBYTES); - memcpy(sk, rho, SEEDBYTES); - memcpy(sk + SEEDBYTES, key, SEEDBYTES); - - /* Sample short vectors s1 and s2 */ - PQCLEAN_DILITHIUM3AES_AVX2_aes256ctr_init(&aesctx, rhoprime, 0); - for (i = 0; i < L; ++i) { - nonce = i; - aesctx.n = _mm_loadl_epi64((__m128i *)&nonce); - PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_eta_preinit(&s1.vec[i], &aesctx); - } - for (i = 0; i < K; ++i) { - nonce = L + i; - aesctx.n = _mm_loadl_epi64((__m128i *)&nonce); - PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_eta_preinit(&s2.vec[i], &aesctx); - } - - /* Pack secret vectors */ - for (i = 0; i < L; i++) { - PQCLEAN_DILITHIUM3AES_AVX2_polyeta_pack(sk + 2 * SEEDBYTES + CRHBYTES + 
i * POLYETA_PACKEDBYTES, &s1.vec[i]); - } - for (i = 0; i < K; i++) { - PQCLEAN_DILITHIUM3AES_AVX2_polyeta_pack(sk + 2 * SEEDBYTES + CRHBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]); - } - - /* Transform s1 */ - PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_ntt(&s1); - - PQCLEAN_DILITHIUM3AES_AVX2_aes256ctr_init(&aesctx, rho, 0); - - for (i = 0; i < K; i++) { - /* Expand matrix row */ - for (unsigned int j = 0; j < L; j++) { - nonce = (i << 8) + j; - aesctx.n = _mm_loadl_epi64((__m128i *)&nonce); - PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_preinit(&row->vec[j], &aesctx); - PQCLEAN_DILITHIUM3AES_AVX2_poly_nttunpack(&row->vec[j]); - } - - /* Compute inner-product */ - PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_pointwise_acc_montgomery(&t1, row, &s1); - PQCLEAN_DILITHIUM3AES_AVX2_poly_invntt_tomont(&t1); - - /* Add error polynomial */ - PQCLEAN_DILITHIUM3AES_AVX2_poly_add(&t1, &t1, &s2.vec[i]); - - /* Round t and pack t1, t0 */ - PQCLEAN_DILITHIUM3AES_AVX2_poly_caddq(&t1); - PQCLEAN_DILITHIUM3AES_AVX2_poly_power2round(&t1, &t0, &t1); - PQCLEAN_DILITHIUM3AES_AVX2_polyt1_pack(pk + SEEDBYTES + i * POLYT1_PACKEDBYTES, &t1); - PQCLEAN_DILITHIUM3AES_AVX2_polyt0_pack(sk + 2 * SEEDBYTES + CRHBYTES + (L + K)*POLYETA_PACKEDBYTES + i * POLYT0_PACKEDBYTES, &t0); - } - - /* Compute CRH(rho, t1) and store in secret key */ - crh(sk + 2 * SEEDBYTES, pk, PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_PUBLICKEYBYTES); - - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_signature -* -* Description: Computes signature. 
-* -* Arguments: - uint8_t *sig: pointer to output signature (of length PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_BYTES) -* - size_t *siglen: pointer to output length of signature -* - uint8_t *m: pointer to message to be signed -* - size_t mlen: length of message -* - uint8_t *sk: pointer to bit-packed secret key -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk) { - unsigned int i, n, pos; - uint8_t seedbuf[2 * SEEDBYTES + 3 * CRHBYTES]; - uint8_t *rho, *tr, *key, *mu, *rhoprime; - uint8_t hintbuf[N]; - uint8_t *hint = sig + SEEDBYTES + L * POLYZ_PACKEDBYTES; - uint64_t nonce = 0; - polyvecl mat[K], s1, z; - polyveck t0, s2, w1; - poly c, tmp; - union { - polyvecl y; - polyveck w0; - } tmpv; - shake256incctx state; - - rho = seedbuf; - tr = rho + SEEDBYTES; - key = tr + CRHBYTES; - mu = key + SEEDBYTES; - rhoprime = mu + CRHBYTES; - PQCLEAN_DILITHIUM3AES_AVX2_unpack_sk(rho, tr, key, &t0, &s1, &s2, sk); - - /* Compute CRH(tr, msg) */ - shake256_inc_init(&state); - shake256_inc_absorb(&state, tr, CRHBYTES); - shake256_inc_absorb(&state, m, mlen); - shake256_inc_finalize(&state); - shake256_inc_squeeze(mu, CRHBYTES, &state); - shake256_inc_ctx_release(&state); - - crh(rhoprime, key, SEEDBYTES + CRHBYTES); - - /* Expand matrix and transform vectors */ - PQCLEAN_DILITHIUM3AES_AVX2_polyvec_matrix_expand(mat, rho); - PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_ntt(&s1); - PQCLEAN_DILITHIUM3AES_AVX2_polyveck_ntt(&s2); - PQCLEAN_DILITHIUM3AES_AVX2_polyveck_ntt(&t0); - - aes256ctr_ctx aesctx; - PQCLEAN_DILITHIUM3AES_AVX2_aes256ctr_init(&aesctx, rhoprime, 0); - -rej: - /* Sample intermediate vector y */ - for (i = 0; i < L; ++i) { - aesctx.n = _mm_loadl_epi64((__m128i *)&nonce); - nonce++; - PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_gamma1_preinit(&z.vec[i], &aesctx); - } - - /* Matrix-vector product */ - tmpv.y = z; - 
PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_ntt(&tmpv.y); - PQCLEAN_DILITHIUM3AES_AVX2_polyvec_matrix_pointwise_montgomery(&w1, mat, &tmpv.y); - PQCLEAN_DILITHIUM3AES_AVX2_polyveck_invntt_tomont(&w1); - - /* Decompose w and call the random oracle */ - PQCLEAN_DILITHIUM3AES_AVX2_polyveck_caddq(&w1); - PQCLEAN_DILITHIUM3AES_AVX2_polyveck_decompose(&w1, &tmpv.w0, &w1); - PQCLEAN_DILITHIUM3AES_AVX2_polyveck_pack_w1(sig, &w1); - - shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); - shake256_inc_absorb(&state, sig, K * POLYW1_PACKEDBYTES); - shake256_inc_finalize(&state); - shake256_inc_squeeze(sig, SEEDBYTES, &state); - shake256_inc_ctx_release(&state); - PQCLEAN_DILITHIUM3AES_AVX2_poly_challenge(&c, sig); - PQCLEAN_DILITHIUM3AES_AVX2_poly_ntt(&c); - - /* Compute z, reject if it reveals secret */ - for (i = 0; i < L; i++) { - PQCLEAN_DILITHIUM3AES_AVX2_poly_pointwise_montgomery(&tmp, &c, &s1.vec[i]); - PQCLEAN_DILITHIUM3AES_AVX2_poly_invntt_tomont(&tmp); - PQCLEAN_DILITHIUM3AES_AVX2_poly_add(&z.vec[i], &z.vec[i], &tmp); - PQCLEAN_DILITHIUM3AES_AVX2_poly_reduce(&z.vec[i]); - if (PQCLEAN_DILITHIUM3AES_AVX2_poly_chknorm(&z.vec[i], GAMMA1 - BETA)) { - goto rej; - } - } - - /* Zero hint vector in signature */ - pos = 0; - memset(hint, 0, OMEGA); - - for (i = 0; i < K; i++) { - /* Check that subtracting cs2 does not change high bits of w and low bits - * do not reveal secret information */ - PQCLEAN_DILITHIUM3AES_AVX2_poly_pointwise_montgomery(&tmp, &c, &s2.vec[i]); - PQCLEAN_DILITHIUM3AES_AVX2_poly_invntt_tomont(&tmp); - PQCLEAN_DILITHIUM3AES_AVX2_poly_sub(&tmpv.w0.vec[i], &tmpv.w0.vec[i], &tmp); - PQCLEAN_DILITHIUM3AES_AVX2_poly_reduce(&tmpv.w0.vec[i]); - if (PQCLEAN_DILITHIUM3AES_AVX2_poly_chknorm(&tmpv.w0.vec[i], GAMMA2 - BETA)) { - goto rej; - } - - /* Compute hints */ - PQCLEAN_DILITHIUM3AES_AVX2_poly_pointwise_montgomery(&tmp, &c, &t0.vec[i]); - PQCLEAN_DILITHIUM3AES_AVX2_poly_invntt_tomont(&tmp); - PQCLEAN_DILITHIUM3AES_AVX2_poly_reduce(&tmp); - if 
(PQCLEAN_DILITHIUM3AES_AVX2_poly_chknorm(&tmp, GAMMA2)) { - goto rej; - } - - PQCLEAN_DILITHIUM3AES_AVX2_poly_add(&tmpv.w0.vec[i], &tmpv.w0.vec[i], &tmp); - n = PQCLEAN_DILITHIUM3AES_AVX2_poly_make_hint(hintbuf, &tmpv.w0.vec[i], &w1.vec[i]); - if (pos + n > OMEGA) { - goto rej; - } - - /* Store hints in signature */ - memcpy(&hint[pos], hintbuf, n); - hint[OMEGA + i] = pos = pos + n; - } - - /* Pack z into signature */ - for (i = 0; i < L; i++) { - PQCLEAN_DILITHIUM3AES_AVX2_polyz_pack(sig + SEEDBYTES + i * POLYZ_PACKEDBYTES, &z.vec[i]); - } - - *siglen = PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_BYTES; - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign -* -* Description: Compute signed message. -* -* Arguments: - uint8_t *sm: pointer to output signed message (allocated -* array with PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_BYTES + mlen bytes), -* can be equal to m -* - size_t *smlen: pointer to output length of signed -* message -* - const uint8_t *m: pointer to message to be signed -* - size_t mlen: length of message -* - const uint8_t *sk: pointer to bit-packed secret key -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const uint8_t *sk) { - size_t i; - - for (i = 0; i < mlen; ++i) { - sm[PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_BYTES + mlen - 1 - i] = m[mlen - 1 - i]; - } - PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_signature(sm, smlen, sm + PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_BYTES, mlen, sk); - *smlen += mlen; - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_verify -* -* Description: Verifies signature. 
-* -* Arguments: - uint8_t *m: pointer to input signature -* - size_t siglen: length of signature -* - const uint8_t *m: pointer to message -* - size_t mlen: length of message -* - const uint8_t *pk: pointer to bit-packed public key -* -* Returns 0 if signature could be verified correctly and -1 otherwise -**************************************************/ -int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk) { - unsigned int i, j, pos = 0; - /* PQCLEAN_DILITHIUM3AES_AVX2_polyw1_pack writes additional 14 bytes */ - ALIGNED_UINT8(K * POLYW1_PACKEDBYTES + 14) buf; - uint8_t mu[CRHBYTES]; - const uint8_t *hint = sig + SEEDBYTES + L * POLYZ_PACKEDBYTES; - uint64_t nonce; - aes256ctr_ctx aesctx; - polyvecl rowbuf[1]; - polyvecl *row = rowbuf; - polyvecl z; - poly c, w1, h; - shake256incctx state; - - if (siglen != PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_BYTES) { - return -1; - } - - /* Compute CRH(CRH(rho, t1), msg) */ - crh(mu, pk, PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_PUBLICKEYBYTES); - shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); - shake256_inc_absorb(&state, m, mlen); - shake256_inc_finalize(&state); - shake256_inc_squeeze(mu, CRHBYTES, &state); - shake256_inc_ctx_release(&state); - - /* Expand PQCLEAN_DILITHIUM3AES_AVX2_challenge */ - PQCLEAN_DILITHIUM3AES_AVX2_poly_challenge(&c, sig); - PQCLEAN_DILITHIUM3AES_AVX2_poly_ntt(&c); - - /* Unpack z; shortness follows from unpacking */ - for (i = 0; i < L; i++) { - PQCLEAN_DILITHIUM3AES_AVX2_polyz_unpack(&z.vec[i], sig + SEEDBYTES + i * POLYZ_PACKEDBYTES); - PQCLEAN_DILITHIUM3AES_AVX2_poly_ntt(&z.vec[i]); - } - - PQCLEAN_DILITHIUM3AES_AVX2_aes256ctr_init(&aesctx, pk, 0); - - for (i = 0; i < K; i++) { - /* Expand matrix row */ - for (j = 0; j < L; j++) { - nonce = (i << 8) + j; - aesctx.n = _mm_loadl_epi64((__m128i *)&nonce); - PQCLEAN_DILITHIUM3AES_AVX2_poly_uniform_preinit(&row->vec[j], &aesctx); - 
PQCLEAN_DILITHIUM3AES_AVX2_poly_nttunpack(&row->vec[j]); - } - - /* Compute i-th row of Az - c2^Dt1 */ - PQCLEAN_DILITHIUM3AES_AVX2_polyvecl_pointwise_acc_montgomery(&w1, row, &z); - - PQCLEAN_DILITHIUM3AES_AVX2_polyt1_unpack(&h, pk + SEEDBYTES + i * POLYT1_PACKEDBYTES); - PQCLEAN_DILITHIUM3AES_AVX2_poly_shiftl(&h); - PQCLEAN_DILITHIUM3AES_AVX2_poly_ntt(&h); - PQCLEAN_DILITHIUM3AES_AVX2_poly_pointwise_montgomery(&h, &c, &h); - - PQCLEAN_DILITHIUM3AES_AVX2_poly_sub(&w1, &w1, &h); - PQCLEAN_DILITHIUM3AES_AVX2_poly_reduce(&w1); - PQCLEAN_DILITHIUM3AES_AVX2_poly_invntt_tomont(&w1); - - /* Get hint polynomial and reconstruct w1 */ - memset(h.vec, 0, sizeof(poly)); - if (hint[OMEGA + i] < pos || hint[OMEGA + i] > OMEGA) { - return -1; - } - - for (j = pos; j < hint[OMEGA + i]; ++j) { - /* Coefficients are ordered for strong unforgeability */ - if (j > pos && hint[j] <= hint[j - 1]) { - return -1; - } - h.coeffs[hint[j]] = 1; - } - pos = hint[OMEGA + i]; - - PQCLEAN_DILITHIUM3AES_AVX2_poly_caddq(&w1); - PQCLEAN_DILITHIUM3AES_AVX2_poly_use_hint(&w1, &w1, &h); - PQCLEAN_DILITHIUM3AES_AVX2_polyw1_pack(buf.coeffs + i * POLYW1_PACKEDBYTES, &w1); - } - - /* Extra indices are zero for strong unforgeability */ - for (j = pos; j < OMEGA; ++j) { - if (hint[j]) { - return -1; - } - } - - /* Call random oracle and verify PQCLEAN_DILITHIUM3AES_AVX2_challenge */ - shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); - shake256_inc_absorb(&state, buf.coeffs, K * POLYW1_PACKEDBYTES); - shake256_inc_finalize(&state); - shake256_inc_squeeze(buf.coeffs, SEEDBYTES, &state); - shake256_inc_ctx_release(&state); - for (i = 0; i < SEEDBYTES; ++i) { - if (buf.coeffs[i] != sig[i]) { - return -1; - } - } - - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_open -* -* Description: Verify signed message. 
-* -* Arguments: - uint8_t *m: pointer to output message (allocated -* array with smlen bytes), can be equal to sm -* - size_t *mlen: pointer to output length of message -* - const uint8_t *sm: pointer to signed message -* - size_t smlen: length of signed message -* - const uint8_t *pk: pointer to bit-packed public key -* -* Returns 0 if signed message could be verified correctly and -1 otherwise -**************************************************/ -int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_open(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, const uint8_t *pk) { - size_t i; - - if (smlen < PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_BYTES) { - goto badsig; - } - - *mlen = smlen - PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_BYTES; - if (PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_verify(sm, PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_BYTES, sm + PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_BYTES, *mlen, pk)) { - goto badsig; - } else { - /* All good, copy msg, return 0 */ - for (i = 0; i < *mlen; ++i) { - m[i] = sm[PQCLEAN_DILITHIUM3AES_AVX2_CRYPTO_BYTES + i]; - } - return 0; - } - -badsig: - /* Signature verification failed */ - *mlen = -1; - for (i = 0; i < smlen; ++i) { - m[i] = 0; - } - - return -1; -} diff --git a/crypto_sign/dilithium3aes/avx2/sign.h b/crypto_sign/dilithium3aes/avx2/sign.h deleted file mode 100644 index 4b6feee1..00000000 --- a/crypto_sign/dilithium3aes/avx2/sign.h +++ /dev/null 
@@ -1,29 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM3AES_AVX2_SIGN_H
-#define PQCLEAN_DILITHIUM3AES_AVX2_SIGN_H
-#include "params.h"
-#include "poly.h"
-#include "polyvec.h"
-#include
-#include
-
-void PQCLEAN_DILITHIUM3AES_AVX2_challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-
-int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int PQCLEAN_DILITHIUM3AES_AVX2_crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#endif
diff --git a/crypto_sign/dilithium3aes/avx2/symmetric.h b/crypto_sign/dilithium3aes/avx2/symmetric.h
deleted file mode 100644
index 6cfad5ba..00000000
--- a/crypto_sign/dilithium3aes/avx2/symmetric.h
+++ /dev/null
@@ -1,25 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM3AES_AVX2_SYMMETRIC_H
-#define PQCLEAN_DILITHIUM3AES_AVX2_SYMMETRIC_H
-#include "aes256ctr.h"
-#include "fips202.h"
-#include "params.h"
-#include
-
-
-
-typedef aes256ctr_ctx stream128_state;
-typedef aes256ctr_ctx stream256_state;
-
-#define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES
-#define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES)
-#define stream128_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM3AES_AVX2_aes256ctr_init(STATE, SEED, NONCE)
-#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_DILITHIUM3AES_AVX2_aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream128_release(STATE)
-#define stream256_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM3AES_AVX2_aes256ctr_init(STATE, SEED, NONCE)
-#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_DILITHIUM3AES_AVX2_aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream256_release(STATE)
-
-
-#endif
diff --git a/crypto_sign/dilithium3aes/clean/LICENSE b/crypto_sign/dilithium3aes/clean/LICENSE
deleted file mode 100644
index 08473af7..00000000
--- a/crypto_sign/dilithium3aes/clean/LICENSE
+++ /dev/null
@@ -1,5 +0,0 @@
-Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/)
-
-For Keccak and AES we are using public-domain
-code from sources and by authors listed in
-comments on top of the respective files.
diff --git a/crypto_sign/dilithium3aes/clean/Makefile.Microsoft_nmake b/crypto_sign/dilithium3aes/clean/Makefile.Microsoft_nmake
deleted file mode 100644
index 0de00dcc..00000000
--- a/crypto_sign/dilithium3aes/clean/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,23 +0,0 @@ -# This Makefile can be used with Microsoft Visual Studio's nmake using the command: -# nmake /f Makefile.Microsoft_nmake - -LIBRARY=libdilithium3aes_clean.lib -OBJECTS=aes256ctr.obj ntt.obj packing.obj poly.obj polyvec.obj reduce.obj rounding.obj sign.obj symmetric-aes.obj - -# Warning C4146 is raised when a unary minus operator is applied to an -# unsigned type; this has nonetheless been standard and portable for as -# long as there has been a C standard, and we need it for constant-time -# computations. Thus, we disable that spurious warning. -CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX /wd4146 - -all: $(LIBRARY) - -# Make sure objects are recompiled if headers change. -$(OBJECTS): *.h - -$(LIBRARY): $(OBJECTS) - LIB.EXE /NOLOGO /WX /OUT:$@ $** - -clean: - -DEL $(OBJECTS) - -DEL $(LIBRARY) diff --git a/crypto_sign/dilithium3aes/clean/aes256ctr.c b/crypto_sign/dilithium3aes/clean/aes256ctr.c deleted file mode 100644 index 688cb5e7..00000000 --- a/crypto_sign/dilithium3aes/clean/aes256ctr.c +++ /dev/null 
@@ -1,564 +0,0 @@
-#include "aes256ctr.h"
-#include
-#include
-/*
- * Copyright (c) 2016 Thomas Pornin
- *
- * Permission is hereby granted, free of charge, to any person obtaining
- * a copy of this software and associated documentation files (the
- * "Software"), to deal in the Software without restriction, including
- * without limitation the rights to use, copy, modify, merge, publish,
- * distribute, sublicense, and/or sell copies of the Software, and to
- * permit persons to whom the Software is furnished to do so, subject to
- * the following conditions:
- *
- * The above copyright notice and this permission notice shall be
- * included in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
- * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
- * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
- * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
- * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
- * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
- * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */ - - -static inline uint32_t br_dec32le(const uint8_t *src) { - return (uint32_t)src[0] - | ((uint32_t)src[1] << 8) - | ((uint32_t)src[2] << 16) - | ((uint32_t)src[3] << 24); -} - -static void br_range_dec32le(uint32_t *v, size_t num, const uint8_t *src) { - while (num-- > 0) { - *v ++ = br_dec32le(src); - src += 4; - } -} - -static inline uint32_t br_swap32(uint32_t x) { - x = ((x & (uint32_t)0x00FF00FF) << 8) - | ((x >> 8) & (uint32_t)0x00FF00FF); - return (x << 16) | (x >> 16); -} - -static inline void br_enc32le(uint8_t *dst, uint32_t x) { - dst[0] = (uint8_t)x; - dst[1] = (uint8_t)(x >> 8); - dst[2] = (uint8_t)(x >> 16); - dst[3] = (uint8_t)(x >> 24); -} - -static void br_range_enc32le(uint8_t *dst, const uint32_t *v, size_t num) { - while (num-- > 0) { - br_enc32le(dst, *v ++); - dst += 4; - } -} - -static void br_aes_ct64_bitslice_Sbox(uint64_t *q) { - /* - * This S-box implementation is a straightforward translation of - * the circuit described by Boyar and Peralta in "A new - * combinational logic minimization technique with applications - * to cryptology" (https://eprint.iacr.org/2009/191.pdf). - * - * Note that variables x* (input) and s* (output) are numbered - * in "reverse" order (x0 is the high bit, x7 is the low bit). 
- */ - - uint64_t x0, x1, x2, x3, x4, x5, x6, x7; - uint64_t y1, y2, y3, y4, y5, y6, y7, y8, y9; - uint64_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19; - uint64_t y20, y21; - uint64_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9; - uint64_t z10, z11, z12, z13, z14, z15, z16, z17; - uint64_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9; - uint64_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19; - uint64_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29; - uint64_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39; - uint64_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49; - uint64_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59; - uint64_t t60, t61, t62, t63, t64, t65, t66, t67; - uint64_t s0, s1, s2, s3, s4, s5, s6, s7; - - x0 = q[7]; - x1 = q[6]; - x2 = q[5]; - x3 = q[4]; - x4 = q[3]; - x5 = q[2]; - x6 = q[1]; - x7 = q[0]; - - /* - * Top linear transformation. - */ - y14 = x3 ^ x5; - y13 = x0 ^ x6; - y9 = x0 ^ x3; - y8 = x0 ^ x5; - t0 = x1 ^ x2; - y1 = t0 ^ x7; - y4 = y1 ^ x3; - y12 = y13 ^ y14; - y2 = y1 ^ x0; - y5 = y1 ^ x6; - y3 = y5 ^ y8; - t1 = x4 ^ y12; - y15 = t1 ^ x5; - y20 = t1 ^ x1; - y6 = y15 ^ x7; - y10 = y15 ^ t0; - y11 = y20 ^ y9; - y7 = x7 ^ y11; - y17 = y10 ^ y11; - y19 = y10 ^ y8; - y16 = t0 ^ y11; - y21 = y13 ^ y16; - y18 = x0 ^ y16; - - /* - * Non-linear section. 
- */ - t2 = y12 & y15; - t3 = y3 & y6; - t4 = t3 ^ t2; - t5 = y4 & x7; - t6 = t5 ^ t2; - t7 = y13 & y16; - t8 = y5 & y1; - t9 = t8 ^ t7; - t10 = y2 & y7; - t11 = t10 ^ t7; - t12 = y9 & y11; - t13 = y14 & y17; - t14 = t13 ^ t12; - t15 = y8 & y10; - t16 = t15 ^ t12; - t17 = t4 ^ t14; - t18 = t6 ^ t16; - t19 = t9 ^ t14; - t20 = t11 ^ t16; - t21 = t17 ^ y20; - t22 = t18 ^ y19; - t23 = t19 ^ y21; - t24 = t20 ^ y18; - - t25 = t21 ^ t22; - t26 = t21 & t23; - t27 = t24 ^ t26; - t28 = t25 & t27; - t29 = t28 ^ t22; - t30 = t23 ^ t24; - t31 = t22 ^ t26; - t32 = t31 & t30; - t33 = t32 ^ t24; - t34 = t23 ^ t33; - t35 = t27 ^ t33; - t36 = t24 & t35; - t37 = t36 ^ t34; - t38 = t27 ^ t36; - t39 = t29 & t38; - t40 = t25 ^ t39; - - t41 = t40 ^ t37; - t42 = t29 ^ t33; - t43 = t29 ^ t40; - t44 = t33 ^ t37; - t45 = t42 ^ t41; - z0 = t44 & y15; - z1 = t37 & y6; - z2 = t33 & x7; - z3 = t43 & y16; - z4 = t40 & y1; - z5 = t29 & y7; - z6 = t42 & y11; - z7 = t45 & y17; - z8 = t41 & y10; - z9 = t44 & y12; - z10 = t37 & y3; - z11 = t33 & y4; - z12 = t43 & y13; - z13 = t40 & y5; - z14 = t29 & y2; - z15 = t42 & y9; - z16 = t45 & y14; - z17 = t41 & y8; - - /* - * Bottom linear transformation. 
- */ - t46 = z15 ^ z16; - t47 = z10 ^ z11; - t48 = z5 ^ z13; - t49 = z9 ^ z10; - t50 = z2 ^ z12; - t51 = z2 ^ z5; - t52 = z7 ^ z8; - t53 = z0 ^ z3; - t54 = z6 ^ z7; - t55 = z16 ^ z17; - t56 = z12 ^ t48; - t57 = t50 ^ t53; - t58 = z4 ^ t46; - t59 = z3 ^ t54; - t60 = t46 ^ t57; - t61 = z14 ^ t57; - t62 = t52 ^ t58; - t63 = t49 ^ t58; - t64 = z4 ^ t59; - t65 = t61 ^ t62; - t66 = z1 ^ t63; - s0 = t59 ^ t63; - s6 = t56 ^ ~t62; - s7 = t48 ^ ~t60; - t67 = t64 ^ t65; - s3 = t53 ^ t66; - s4 = t51 ^ t66; - s5 = t47 ^ t65; - s1 = t64 ^ ~s3; - s2 = t55 ^ ~t67; - - q[7] = s0; - q[6] = s1; - q[5] = s2; - q[4] = s3; - q[3] = s4; - q[2] = s5; - q[1] = s6; - q[0] = s7; -} - -static void br_aes_ct64_ortho(uint64_t *q) { -#define SWAPN(cl, ch, s, x, y) do { \ - uint64_t a, b; \ - a = (x); \ - b = (y); \ - (x) = (a & (uint64_t)(cl)) | ((b & (uint64_t)(cl)) << (s)); \ - (y) = ((a & (uint64_t)(ch)) >> (s)) | (b & (uint64_t)(ch)); \ - } while (0) - -#define SWAP2(x, y) SWAPN(0x5555555555555555, 0xAAAAAAAAAAAAAAAA, 1, x, y) -#define SWAP4(x, y) SWAPN(0x3333333333333333, 0xCCCCCCCCCCCCCCCC, 2, x, y) -#define SWAP8(x, y) SWAPN(0x0F0F0F0F0F0F0F0F, 0xF0F0F0F0F0F0F0F0, 4, x, y) - - SWAP2(q[0], q[1]); - SWAP2(q[2], q[3]); - SWAP2(q[4], q[5]); - SWAP2(q[6], q[7]); - - SWAP4(q[0], q[2]); - SWAP4(q[1], q[3]); - SWAP4(q[4], q[6]); - SWAP4(q[5], q[7]); - - SWAP8(q[0], q[4]); - SWAP8(q[1], q[5]); - SWAP8(q[2], q[6]); - SWAP8(q[3], q[7]); -} - -static void br_aes_ct64_interleave_in(uint64_t *q0, uint64_t *q1, const uint32_t *w) { - uint64_t x0, x1, x2, x3; - - x0 = w[0]; - x1 = w[1]; - x2 = w[2]; - x3 = w[3]; - x0 |= (x0 << 16); - x1 |= (x1 << 16); - x2 |= (x2 << 16); - x3 |= (x3 << 16); - x0 &= (uint64_t)0x0000FFFF0000FFFF; - x1 &= (uint64_t)0x0000FFFF0000FFFF; - x2 &= (uint64_t)0x0000FFFF0000FFFF; - x3 &= (uint64_t)0x0000FFFF0000FFFF; - x0 |= (x0 << 8); - x1 |= (x1 << 8); - x2 |= (x2 << 8); - x3 |= (x3 << 8); - x0 &= (uint64_t)0x00FF00FF00FF00FF; - x1 &= (uint64_t)0x00FF00FF00FF00FF; - x2 &= 
(uint64_t)0x00FF00FF00FF00FF; - x3 &= (uint64_t)0x00FF00FF00FF00FF; - *q0 = x0 | (x2 << 8); - *q1 = x1 | (x3 << 8); -} - -static void br_aes_ct64_interleave_out(uint32_t *w, uint64_t q0, uint64_t q1) { - uint64_t x0, x1, x2, x3; - - x0 = q0 & (uint64_t)0x00FF00FF00FF00FF; - x1 = q1 & (uint64_t)0x00FF00FF00FF00FF; - x2 = (q0 >> 8) & (uint64_t)0x00FF00FF00FF00FF; - x3 = (q1 >> 8) & (uint64_t)0x00FF00FF00FF00FF; - x0 |= (x0 >> 8); - x1 |= (x1 >> 8); - x2 |= (x2 >> 8); - x3 |= (x3 >> 8); - x0 &= (uint64_t)0x0000FFFF0000FFFF; - x1 &= (uint64_t)0x0000FFFF0000FFFF; - x2 &= (uint64_t)0x0000FFFF0000FFFF; - x3 &= (uint64_t)0x0000FFFF0000FFFF; - w[0] = (uint32_t)x0 | (uint32_t)(x0 >> 16); - w[1] = (uint32_t)x1 | (uint32_t)(x1 >> 16); - w[2] = (uint32_t)x2 | (uint32_t)(x2 >> 16); - w[3] = (uint32_t)x3 | (uint32_t)(x3 >> 16); -} - -static const uint8_t Rcon[] = { - 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36 -}; - -static uint32_t sub_word(uint32_t x) { - uint64_t q[8]; - - memset(q, 0, sizeof q); - q[0] = x; - br_aes_ct64_ortho(q); - br_aes_ct64_bitslice_Sbox(q); - br_aes_ct64_ortho(q); - return (uint32_t)q[0]; -} - -static void br_aes_ct64_keysched(uint64_t *comp_skey, const uint8_t *key) { - int i, j, k, nk, nkf; - uint32_t tmp; - uint32_t skey[60]; - - int key_len = 32; - - nk = (int)(key_len >> 2); - nkf = (int)((14 + 1) << 2); - br_range_dec32le(skey, (key_len >> 2), key); - tmp = skey[(key_len >> 2) - 1]; - for (i = nk, j = 0, k = 0; i < nkf; i ++) { - if (j == 0) { - tmp = (tmp << 24) | (tmp >> 8); - tmp = sub_word(tmp) ^ Rcon[k]; - } else if (nk > 6 && j == 4) { - tmp = sub_word(tmp); - } - tmp ^= skey[i - nk]; - skey[i] = tmp; - if (++ j == nk) { - j = 0; - k ++; - } - } - - for (i = 0, j = 0; i < nkf; i += 4, j += 2) { - uint64_t q[8]; - - br_aes_ct64_interleave_in(&q[0], &q[4], skey + i); - q[1] = q[0]; - q[2] = q[0]; - q[3] = q[0]; - q[5] = q[4]; - q[6] = q[4]; - q[7] = q[4]; - br_aes_ct64_ortho(q); - comp_skey[j + 0] = - (q[0] & 
(uint64_t)0x1111111111111111) - | (q[1] & (uint64_t)0x2222222222222222) - | (q[2] & (uint64_t)0x4444444444444444) - | (q[3] & (uint64_t)0x8888888888888888); - comp_skey[j + 1] = - (q[4] & (uint64_t)0x1111111111111111) - | (q[5] & (uint64_t)0x2222222222222222) - | (q[6] & (uint64_t)0x4444444444444444) - | (q[7] & (uint64_t)0x8888888888888888); - } -} - -static void br_aes_ct64_skey_expand(uint64_t *skey, const uint64_t *comp_skey) { - unsigned u, v, n; - - n = (14 + 1) << 1; - for (u = 0, v = 0; u < n; u ++, v += 4) { - uint64_t x0, x1, x2, x3; - - x0 = x1 = x2 = x3 = comp_skey[u]; - x0 &= (uint64_t)0x1111111111111111; - x1 &= (uint64_t)0x2222222222222222; - x2 &= (uint64_t)0x4444444444444444; - x3 &= (uint64_t)0x8888888888888888; - x1 >>= 1; - x2 >>= 2; - x3 >>= 3; - skey[v + 0] = (x0 << 4) - x0; - skey[v + 1] = (x1 << 4) - x1; - skey[v + 2] = (x2 << 4) - x2; - skey[v + 3] = (x3 << 4) - x3; - } -} - -static inline void add_round_key(uint64_t *q, const uint64_t *sk) { - q[0] ^= sk[0]; - q[1] ^= sk[1]; - q[2] ^= sk[2]; - q[3] ^= sk[3]; - q[4] ^= sk[4]; - q[5] ^= sk[5]; - q[6] ^= sk[6]; - q[7] ^= sk[7]; -} - -static inline void shift_rows(uint64_t *q) { - int i; - - for (i = 0; i < 8; i ++) { - uint64_t x; - - x = q[i]; - q[i] = (x & (uint64_t)0x000000000000FFFF) - | ((x & (uint64_t)0x00000000FFF00000) >> 4) - | ((x & (uint64_t)0x00000000000F0000) << 12) - | ((x & (uint64_t)0x0000FF0000000000) >> 8) - | ((x & (uint64_t)0x000000FF00000000) << 8) - | ((x & (uint64_t)0xF000000000000000) >> 12) - | ((x & (uint64_t)0x0FFF000000000000) << 4); - } -} - -static inline uint64_t rotr32(uint64_t x) { - return (x << 32) | (x >> 32); -} - -static inline void mix_columns(uint64_t *q) { - uint64_t q0, q1, q2, q3, q4, q5, q6, q7; - uint64_t r0, r1, r2, r3, r4, r5, r6, r7; - - q0 = q[0]; - q1 = q[1]; - q2 = q[2]; - q3 = q[3]; - q4 = q[4]; - q5 = q[5]; - q6 = q[6]; - q7 = q[7]; - r0 = (q0 >> 16) | (q0 << 48); - r1 = (q1 >> 16) | (q1 << 48); - r2 = (q2 >> 16) | (q2 << 48); - r3 = (q3 >> 
16) | (q3 << 48); - r4 = (q4 >> 16) | (q4 << 48); - r5 = (q5 >> 16) | (q5 << 48); - r6 = (q6 >> 16) | (q6 << 48); - r7 = (q7 >> 16) | (q7 << 48); - - q[0] = q7 ^ r7 ^ r0 ^ rotr32(q0 ^ r0); - q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr32(q1 ^ r1); - q[2] = q1 ^ r1 ^ r2 ^ rotr32(q2 ^ r2); - q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr32(q3 ^ r3); - q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr32(q4 ^ r4); - q[5] = q4 ^ r4 ^ r5 ^ rotr32(q5 ^ r5); - q[6] = q5 ^ r5 ^ r6 ^ rotr32(q6 ^ r6); - q[7] = q6 ^ r6 ^ r7 ^ rotr32(q7 ^ r7); -} - -static void inc4_be(uint32_t *x) { - *x = br_swap32(*x) + 4; - *x = br_swap32(*x); -} - -static void aes_ctr4x(uint8_t out[64], uint32_t ivw[16], uint64_t sk_exp[64]) { - uint32_t w[16]; - uint64_t q[8]; - int i; - - memcpy(w, ivw, sizeof(w)); - for (i = 0; i < 4; i++) { - br_aes_ct64_interleave_in(&q[i], &q[i + 4], w + (i << 2)); - } - br_aes_ct64_ortho(q); - - add_round_key(q, sk_exp); - for (i = 1; i < 14; i++) { - br_aes_ct64_bitslice_Sbox(q); - shift_rows(q); - mix_columns(q); - add_round_key(q, sk_exp + (i << 3)); - } - br_aes_ct64_bitslice_Sbox(q); - shift_rows(q); - add_round_key(q, sk_exp + 112); - - br_aes_ct64_ortho(q); - for (i = 0; i < 4; i ++) { - br_aes_ct64_interleave_out(w + (i << 2), q[i], q[i + 4]); - } - br_range_enc32le(out, w, 16); - - /* Increase counter for next 4 blocks */ - inc4_be(ivw + 3); - inc4_be(ivw + 7); - inc4_be(ivw + 11); - inc4_be(ivw + 15); -} - -static void br_aes_ct64_ctr_init(uint64_t sk_exp[120], const uint8_t *key) { - uint64_t skey[30]; - - br_aes_ct64_keysched(skey, key); - br_aes_ct64_skey_expand(sk_exp, skey); -} - -static void br_aes_ct64_ctr_run(uint64_t sk_exp[120], const uint8_t *iv, uint32_t cc, uint8_t *data, size_t len) { - uint32_t ivw[16]; - size_t i; - - br_range_dec32le(ivw, 3, iv); - memcpy(ivw + 4, ivw, 3 * sizeof(uint32_t)); - memcpy(ivw + 8, ivw, 3 * sizeof(uint32_t)); - memcpy(ivw + 12, ivw, 3 * sizeof(uint32_t)); - ivw[ 3] = br_swap32(cc); - ivw[ 7] = br_swap32(cc + 1); - ivw[11] = br_swap32(cc + 2); 
- ivw[15] = br_swap32(cc + 3);
-
- while (len > 64) {
- aes_ctr4x(data, ivw, sk_exp);
- data += 64;
- len -= 64;
- }
- if (len > 0) {
- uint8_t tmp[64];
- aes_ctr4x(tmp, ivw, sk_exp);
- for (i = 0; i < len; i++) {
- data[i] = tmp[i];
- }
- }
-}
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_aes256ctr_prf(uint8_t *out, size_t outlen, const uint8_t *key, const uint8_t *nonce) {
- uint64_t sk_exp[120];
-
- br_aes_ct64_ctr_init(sk_exp, key);
- br_aes_ct64_ctr_run(sk_exp, nonce, 0, out, outlen);
-}
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_aes256ctr_init(aes256ctr_ctx *s, const uint8_t *key, const uint8_t *nonce) {
- br_aes_ct64_ctr_init(s->sk_exp, key);
-
- br_range_dec32le(s->ivw, 3, nonce);
- memcpy(s->ivw + 4, s->ivw, 3 * sizeof(uint32_t));
- memcpy(s->ivw + 8, s->ivw, 3 * sizeof(uint32_t));
- memcpy(s->ivw + 12, s->ivw, 3 * sizeof(uint32_t));
- s->ivw[ 3] = br_swap32(0);
- s->ivw[ 7] = br_swap32(1);
- s->ivw[11] = br_swap32(2);
- s->ivw[15] = br_swap32(3);
-}
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_aes256ctr_squeezeblocks(uint8_t *out, size_t nblocks, aes256ctr_ctx *s) {
- while (nblocks > 0) {
- aes_ctr4x(out, s->ivw, s->sk_exp);
- out += 64;
- nblocks--;
- }
-}
diff --git a/crypto_sign/dilithium3aes/clean/aes256ctr.h b/crypto_sign/dilithium3aes/clean/aes256ctr.h
deleted file mode 100644
index b2e7e3d6..00000000
--- a/crypto_sign/dilithium3aes/clean/aes256ctr.h
+++ /dev/null
@@ -1,28 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM3AES_CLEAN_AES256CTR_H
-#define PQCLEAN_DILITHIUM3AES_CLEAN_AES256CTR_H
-
-#include
-#include
-
-#define AES256CTR_BLOCKBYTES 64
-
-
-typedef struct {
- uint64_t sk_exp[120];
- uint32_t ivw[16];
-} aes256ctr_ctx;
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_aes256ctr_prf(uint8_t *out,
- size_t outlen,
- const uint8_t key[32],
- const uint8_t nonce[12]);
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_aes256ctr_init(aes256ctr_ctx *state,
- const uint8_t key[32],
- const uint8_t nonce[12]);
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_aes256ctr_squeezeblocks(uint8_t *out,
- size_t nblocks,
- aes256ctr_ctx *state);
-
-#endif
diff --git a/crypto_sign/dilithium3aes/clean/api.h b/crypto_sign/dilithium3aes/clean/api.h
deleted file mode 100644
index 495dd5db..00000000
--- a/crypto_sign/dilithium3aes/clean/api.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM3AES_CLEAN_API_H
-#define PQCLEAN_DILITHIUM3AES_CLEAN_API_H
-
-#include
-#include
-
-#define PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_PUBLICKEYBYTES 1952
-#define PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_SECRETKEYBYTES 4016
-#define PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_BYTES 3293
-
-#define PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_ALGNAME "Dilithium3-AES"
-
-
-int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen, const uint8_t *pk);
-
-#endif
diff --git a/crypto_sign/dilithium3aes/clean/ntt.c b/crypto_sign/dilithium3aes/clean/ntt.c
deleted file mode 100644
index 6c036dbb..00000000
--- a/crypto_sign/dilithium3aes/clean/ntt.c
+++ /dev/null
@@ -1,98 +0,0 @@ -#include "ntt.h" -#include "params.h" -#include "reduce.h" -#include - -static const int32_t zetas[N] = { - 0, 25847, -2608894, -518909, 237124, -777960, -876248, 466468, - 1826347, 2353451, -359251, -2091905, 3119733, -2884855, 3111497, 2680103, - 2725464, 1024112, -1079900, 3585928, -549488, -1119584, 2619752, -2108549, - -2118186, -3859737, -1399561, -3277672, 1757237, -19422, 4010497, 280005, - 2706023, 95776, 3077325, 3530437, -1661693, -3592148, -2537516, 3915439, - -3861115, -3043716, 3574422, -2867647, 3539968, -300467, 2348700, -539299, - -1699267, -1643818, 3505694, -3821735, 3507263, -2140649, -1600420, 3699596, - 811944, 531354, 954230, 3881043, 3900724, -2556880, 2071892, -2797779, - -3930395, -1528703, -3677745, -3041255, -1452451, 3475950, 2176455, -1585221, - -1257611, 1939314, -4083598, -1000202, -3190144, -3157330, -3632928, 126922, - 3412210, -983419, 2147896, 2715295, -2967645, -3693493, -411027, -2477047, - -671102, -1228525, -22981, -1308169, -381987, 1349076, 1852771, -1430430, - -3343383, 264944, 508951, 3097992, 44288, -1100098, 904516, 3958618, - -3724342, -8578, 1653064, -3249728, 2389356, -210977, 759969, -1316856, - 189548, -3553272, 3159746, -1851402, -2409325, -177440, 1315589, 1341330, - 1285669, -1584928, -812732, -1439742, -3019102, -3881060, -3628969, 3839961, - 2091667, 3407706, 2316500, 3817976, -3342478, 2244091, -2446433, -3562462, - 266997, 2434439, -1235728, 3513181, -3520352, -3759364, -1197226, -3193378, - 900702, 1859098, 909542, 819034, 495491, -1613174, -43260, -522500, - -655327, -3122442, 2031748, 3207046, -3556995, -525098, -768622, -3595838, - 342297, 286988, -2437823, 4108315, 3437287, -3342277, 1735879, 203044, - 2842341, 2691481, -2590150, 1265009, 4055324, 1247620, 2486353, 1595974, - -3767016, 1250494, 2635921, -3548272, -2994039, 1869119, 1903435, -1050970, - -1333058, 1237275, -3318210, -1430225, -451100, 1312455, 3306115, -1962642, - -1279661, 1917081, -2546312, -1374803, 1500165, 777191, 
2235880, 3406031, - -542412, -2831860, -1671176, -1846953, -2584293, -3724270, 594136, -3776993, - -2013608, 2432395, 2454455, -164721, 1957272, 3369112, 185531, -1207385, - -3183426, 162844, 1616392, 3014001, 810149, 1652634, -3694233, -1799107, - -3038916, 3523897, 3866901, 269760, 2213111, -975884, 1717735, 472078, - -426683, 1723600, -1803090, 1910376, -1667432, -1104333, -260646, -3833893, - -2939036, -2235985, -420899, -2286327, 183443, -976891, 1612842, -3545687, - -554416, 3919660, -48306, -1362209, 3937738, 1400424, -846154, 1976782 -}; - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_ntt -* -* Description: Forward NTT, in-place. No modular reduction is performed after -* additions or subtractions. Output vector is in bitreversed order. -* -* Arguments: - uint32_t p[N]: input/output coefficient array -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_ntt(int32_t a[N]) { - unsigned int len, start, j, k; - int32_t zeta, t; - - k = 0; - for (len = 128; len > 0; len >>= 1) { - for (start = 0; start < N; start = j + len) { - zeta = zetas[++k]; - for (j = start; j < start + len; ++j) { - t = PQCLEAN_DILITHIUM3AES_CLEAN_montgomery_reduce((int64_t)zeta * a[j + len]); - a[j + len] = a[j] - t; - a[j] = a[j] + t; - } - } - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_invntt_tomont -* -* Description: Inverse NTT and multiplication by Montgomery factor 2^32. -* In-place. No modular reductions after additions or -* subtractions; input coefficients need to be smaller than -* Q in absolute value. Output coefficient are smaller than Q in -* absolute value. 
-*
-* Arguments: - uint32_t p[N]: input/output coefficient array
-**************************************************/
-void PQCLEAN_DILITHIUM3AES_CLEAN_invntt_tomont(int32_t a[N]) {
- unsigned int start, len, j, k;
- int32_t t, zeta;
- const int32_t f = 41978; // mont^2/256
-
- k = 256;
- for (len = 1; len < N; len <<= 1) {
- for (start = 0; start < N; start = j + len) {
- zeta = -zetas[--k];
- for (j = start; j < start + len; ++j) {
- t = a[j];
- a[j] = t + a[j + len];
- a[j + len] = t - a[j + len];
- a[j + len] = PQCLEAN_DILITHIUM3AES_CLEAN_montgomery_reduce((int64_t)zeta * a[j + len]);
- }
- }
- }
-
- for (j = 0; j < N; ++j) {
- a[j] = PQCLEAN_DILITHIUM3AES_CLEAN_montgomery_reduce((int64_t)f * a[j]);
- }
-}
diff --git a/crypto_sign/dilithium3aes/clean/ntt.h b/crypto_sign/dilithium3aes/clean/ntt.h
deleted file mode 100644
index 9d40f949..00000000
--- a/crypto_sign/dilithium3aes/clean/ntt.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM3AES_CLEAN_NTT_H
-#define PQCLEAN_DILITHIUM3AES_CLEAN_NTT_H
-#include "params.h"
-#include
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_ntt(int32_t a[N]);
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_invntt_tomont(int32_t a[N]);
-
-#endif
diff --git a/crypto_sign/dilithium3aes/clean/packing.c b/crypto_sign/dilithium3aes/clean/packing.c
deleted file mode 100644
index 9a32261d..00000000
--- a/crypto_sign/dilithium3aes/clean/packing.c
+++ /dev/null
@@ -1,261 +0,0 @@ -#include "packing.h" -#include "params.h" -#include "poly.h" -#include "polyvec.h" - - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_pack_pk -* -* Description: Bit-pack public key pk = (rho, t1). -* -* Arguments: - uint8_t pk[]: output byte array -* - const uint8_t rho[]: byte array containing rho -* - const polyveck *t1: pointer to vector t1 -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_PUBLICKEYBYTES], - const uint8_t rho[SEEDBYTES], - const polyveck *t1) { - unsigned int i; - - for (i = 0; i < SEEDBYTES; ++i) { - pk[i] = rho[i]; - } - pk += SEEDBYTES; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_polyt1_pack(pk + i * POLYT1_PACKEDBYTES, &t1->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_unpack_pk -* -* Description: Unpack public key pk = (rho, t1). -* -* Arguments: - const uint8_t rho[]: output byte array for rho -* - const polyveck *t1: pointer to output vector t1 -* - uint8_t pk[]: byte array containing bit-packed pk -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES], - polyveck *t1, - const uint8_t pk[PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_PUBLICKEYBYTES]) { - unsigned int i; - - for (i = 0; i < SEEDBYTES; ++i) { - rho[i] = pk[i]; - } - pk += SEEDBYTES; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_polyt1_unpack(&t1->vec[i], pk + i * POLYT1_PACKEDBYTES); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_pack_sk -* -* Description: Bit-pack secret key sk = (rho, tr, key, t0, s1, s2). 
-* -* Arguments: - uint8_t sk[]: output byte array -* - const uint8_t rho[]: byte array containing rho -* - const uint8_t tr[]: byte array containing tr -* - const uint8_t key[]: byte array containing key -* - const polyveck *t0: pointer to vector t0 -* - const polyvecl *s1: pointer to vector s1 -* - const polyveck *s2: pointer to vector s2 -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_SECRETKEYBYTES], - const uint8_t rho[SEEDBYTES], - const uint8_t tr[CRHBYTES], - const uint8_t key[SEEDBYTES], - const polyveck *t0, - const polyvecl *s1, - const polyveck *s2) { - unsigned int i; - - for (i = 0; i < SEEDBYTES; ++i) { - sk[i] = rho[i]; - } - sk += SEEDBYTES; - - for (i = 0; i < SEEDBYTES; ++i) { - sk[i] = key[i]; - } - sk += SEEDBYTES; - - for (i = 0; i < CRHBYTES; ++i) { - sk[i] = tr[i]; - } - sk += CRHBYTES; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]); - } - sk += L * POLYETA_PACKEDBYTES; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s2->vec[i]); - } - sk += K * POLYETA_PACKEDBYTES; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_polyt0_pack(sk + i * POLYT0_PACKEDBYTES, &t0->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_unpack_sk -* -* Description: Unpack secret key sk = (rho, tr, key, t0, s1, s2). 
-* -* Arguments: - const uint8_t rho[]: output byte array for rho -* - const uint8_t tr[]: output byte array for tr -* - const uint8_t key[]: output byte array for key -* - const polyveck *t0: pointer to output vector t0 -* - const polyvecl *s1: pointer to output vector s1 -* - const polyveck *s2: pointer to output vector s2 -* - uint8_t sk[]: byte array containing bit-packed sk -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[CRHBYTES], - uint8_t key[SEEDBYTES], - polyveck *t0, - polyvecl *s1, - polyveck *s2, - const uint8_t sk[PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_SECRETKEYBYTES]) { - unsigned int i; - - for (i = 0; i < SEEDBYTES; ++i) { - rho[i] = sk[i]; - } - sk += SEEDBYTES; - - for (i = 0; i < SEEDBYTES; ++i) { - key[i] = sk[i]; - } - sk += SEEDBYTES; - - for (i = 0; i < CRHBYTES; ++i) { - tr[i] = sk[i]; - } - sk += CRHBYTES; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES); - } - sk += L * POLYETA_PACKEDBYTES; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_polyeta_unpack(&s2->vec[i], sk + i * POLYETA_PACKEDBYTES); - } - sk += K * POLYETA_PACKEDBYTES; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_polyt0_unpack(&t0->vec[i], sk + i * POLYT0_PACKEDBYTES); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_pack_sig -* -* Description: Bit-pack signature sig = (c, z, h). 
-* -* Arguments: - uint8_t sig[]: output byte array -* - const uint8_t *c: pointer to PQCLEAN_DILITHIUM3AES_CLEAN_challenge hash length SEEDBYTES -* - const polyvecl *z: pointer to vector z -* - const polyveck *h: pointer to hint vector h -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_BYTES], - const uint8_t c[SEEDBYTES], - const polyvecl *z, - const polyveck *h) { - unsigned int i, j, k; - - for (i = 0; i < SEEDBYTES; ++i) { - sig[i] = c[i]; - } - sig += SEEDBYTES; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_polyz_pack(sig + i * POLYZ_PACKEDBYTES, &z->vec[i]); - } - sig += L * POLYZ_PACKEDBYTES; - - /* Encode h */ - for (i = 0; i < OMEGA + K; ++i) { - sig[i] = 0; - } - - k = 0; - for (i = 0; i < K; ++i) { - for (j = 0; j < N; ++j) { - if (h->vec[i].coeffs[j] != 0) { - sig[k++] = (uint8_t) j; - } - } - - sig[OMEGA + i] = (uint8_t) k; - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_unpack_sig -* -* Description: Unpack signature sig = (c, z, h). -* -* Arguments: - uint8_t *c: pointer to output PQCLEAN_DILITHIUM3AES_CLEAN_challenge hash -* - polyvecl *z: pointer to output vector z -* - polyveck *h: pointer to output hint vector h -* - const uint8_t sig[]: byte array containing -* bit-packed signature -* -* Returns 1 in case of malformed signature; otherwise 0. 
-**************************************************/ -int PQCLEAN_DILITHIUM3AES_CLEAN_unpack_sig(uint8_t c[SEEDBYTES], - polyvecl *z, - polyveck *h, - const uint8_t sig[PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_BYTES]) { - unsigned int i, j, k; - - for (i = 0; i < SEEDBYTES; ++i) { - c[i] = sig[i]; - } - sig += SEEDBYTES; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_polyz_unpack(&z->vec[i], sig + i * POLYZ_PACKEDBYTES); - } - sig += L * POLYZ_PACKEDBYTES; - - /* Decode h */ - k = 0; - for (i = 0; i < K; ++i) { - for (j = 0; j < N; ++j) { - h->vec[i].coeffs[j] = 0; - } - - if (sig[OMEGA + i] < k || sig[OMEGA + i] > OMEGA) { - return 1; - } - - for (j = k; j < sig[OMEGA + i]; ++j) { - /* Coefficients are ordered for strong unforgeability */ - if (j > k && sig[j] <= sig[j - 1]) { - return 1; - } - h->vec[i].coeffs[sig[j]] = 1; - } - - k = sig[OMEGA + i]; - } - - /* Extra indices are zero for strong unforgeability */ - for (j = k; j < OMEGA; ++j) { - if (sig[j]) { - return 1; - } - } - - return 0; -} diff --git a/crypto_sign/dilithium3aes/clean/packing.h b/crypto_sign/dilithium3aes/clean/packing.h deleted file mode 100644 index f5e608cf..00000000 --- a/crypto_sign/dilithium3aes/clean/packing.h +++ /dev/null 
@@ -1,31 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM3AES_CLEAN_PACKING_H
-#define PQCLEAN_DILITHIUM3AES_CLEAN_PACKING_H
-#include "params.h"
-#include "polyvec.h"
-#include
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_PUBLICKEYBYTES], const uint8_t rho[SEEDBYTES], const polyveck *t1);
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_SECRETKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const uint8_t tr[CRHBYTES],
- const uint8_t key[SEEDBYTES],
- const polyveck *t0,
- const polyvecl *s1,
- const polyveck *s2);
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_BYTES], const uint8_t c[SEEDBYTES], const polyvecl *z, const polyveck *h);
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_PUBLICKEYBYTES]);
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[CRHBYTES],
- uint8_t key[SEEDBYTES],
- polyveck *t0,
- polyvecl *s1,
- polyveck *s2,
- const uint8_t sk[PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_SECRETKEYBYTES]);
-
-int PQCLEAN_DILITHIUM3AES_CLEAN_unpack_sig(uint8_t c[SEEDBYTES], polyvecl *z, polyveck *h, const uint8_t sig[PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_BYTES]);
-
-#endif
diff --git a/crypto_sign/dilithium3aes/clean/params.h b/crypto_sign/dilithium3aes/clean/params.h
deleted file mode 100644
index 4f315e50..00000000
--- a/crypto_sign/dilithium3aes/clean/params.h
+++ /dev/null
@@ -1,41 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM3AES_CLEAN_PARAMS_H
-#define PQCLEAN_DILITHIUM3AES_CLEAN_PARAMS_H
-
-
-
-#define SEEDBYTES 32
-#define CRHBYTES 48
-#define N 256
-#define Q 8380417
-#define D 13
-#define ROOT_OF_UNITY 1753
-
-#define K 6
-#define L 5
-#define ETA 4
-#define TAU 49
-#define BETA 196
-#define GAMMA1 (1 << 19)
-#define GAMMA2 ((Q-1)/32)
-#define OMEGA 55
-#define PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_ALGNAME "Dilithium3-AES"
-
-
-#define POLYT1_PACKEDBYTES 320
-#define POLYT0_PACKEDBYTES 416
-#define POLYVECH_PACKEDBYTES (OMEGA + K)
-
-#define POLYZ_PACKEDBYTES 640
-
-#define POLYW1_PACKEDBYTES 128
-
-#define POLYETA_PACKEDBYTES 128
-
-#define PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_SECRETKEYBYTES (2*SEEDBYTES + CRHBYTES \
- + L*POLYETA_PACKEDBYTES \
- + K*POLYETA_PACKEDBYTES \
- + K*POLYT0_PACKEDBYTES)
-#define PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_BYTES (SEEDBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES)
-
-#endif
diff --git a/crypto_sign/dilithium3aes/clean/poly.c b/crypto_sign/dilithium3aes/clean/poly.c
deleted file mode 100644
index ea7e8ad4..00000000
--- a/crypto_sign/dilithium3aes/clean/poly.c
+++ /dev/null
@@ -1,818 +0,0 @@ -#include "ntt.h" -#include "params.h" -#include "poly.h" -#include "reduce.h" -#include "rounding.h" -#include "symmetric.h" -#include - -#define DBENCH_START() -#define DBENCH_STOP(t) - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_poly_reduce -* -* Description: Inplace reduction of all coefficients of polynomial to -* representative in [-6283009,6283007]. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_poly_reduce(poly *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - a->coeffs[i] = PQCLEAN_DILITHIUM3AES_CLEAN_reduce32(a->coeffs[i]); - } - - DBENCH_STOP(*tred); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_poly_caddq -* -* Description: For all coefficients of in/out polynomial add Q if -* coefficient is negative. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_poly_caddq(poly *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - a->coeffs[i] = PQCLEAN_DILITHIUM3AES_CLEAN_caddq(a->coeffs[i]); - } - - DBENCH_STOP(*tred); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_poly_freeze -* -* Description: Inplace reduction of all coefficients of polynomial to -* standard representatives. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_poly_freeze(poly *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - a->coeffs[i] = PQCLEAN_DILITHIUM3AES_CLEAN_freeze(a->coeffs[i]); - } - - DBENCH_STOP(*tred); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_poly_add -* -* Description: Add polynomials. 
No modular reduction is performed. -* -* Arguments: - poly *c: pointer to output polynomial -* - const poly *a: pointer to first summand -* - const poly *b: pointer to second summand -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_poly_add(poly *c, const poly *a, const poly *b) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - c->coeffs[i] = a->coeffs[i] + b->coeffs[i]; - } - - DBENCH_STOP(*tadd); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_poly_sub -* -* Description: Subtract polynomials. No modular reduction is -* performed. -* -* Arguments: - poly *c: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial to be -* subtraced from first input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_poly_sub(poly *c, const poly *a, const poly *b) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - c->coeffs[i] = a->coeffs[i] - b->coeffs[i]; - } - - DBENCH_STOP(*tadd); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_poly_shiftl -* -* Description: Multiply polynomial by 2^D without modular reduction. Assumes -* input coefficients to be less than 2^{31-D} in absolute value. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_poly_shiftl(poly *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - a->coeffs[i] <<= D; - } - - DBENCH_STOP(*tmul); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_poly_ntt -* -* Description: Inplace forward NTT. Coefficients can grow by -* 8*Q in absolute value. 
-* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_poly_ntt(poly *a) { - DBENCH_START(); - - PQCLEAN_DILITHIUM3AES_CLEAN_ntt(a->coeffs); - - DBENCH_STOP(*tmul); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_poly_invntt_tomont -* -* Description: Inplace inverse NTT and multiplication by 2^{32}. -* Input coefficients need to be less than Q in absolute -* value and output coefficients are again bounded by Q. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_poly_invntt_tomont(poly *a) { - DBENCH_START(); - - PQCLEAN_DILITHIUM3AES_CLEAN_invntt_tomont(a->coeffs); - - DBENCH_STOP(*tmul); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_poly_pointwise_montgomery -* -* Description: Pointwise multiplication of polynomials in NTT domain -* representation and multiplication of resulting polynomial -* by 2^{-32}. -* -* Arguments: - poly *c: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_poly_pointwise_montgomery(poly *c, const poly *a, const poly *b) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - c->coeffs[i] = PQCLEAN_DILITHIUM3AES_CLEAN_montgomery_reduce((int64_t)a->coeffs[i] * b->coeffs[i]); - } - - DBENCH_STOP(*tmul); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_poly_power2round -* -* Description: For all coefficients c of the input polynomial, -* compute c0, c1 such that c mod Q = c1*2^D + c0 -* with -2^{D-1} < c0 <= 2^{D-1}. Assumes coefficients to be -* standard representatives. 
-* -* Arguments: - poly *a1: pointer to output polynomial with coefficients c1 -* - poly *a0: pointer to output polynomial with coefficients c0 -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_poly_power2round(poly *a1, poly *a0, const poly *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - a1->coeffs[i] = PQCLEAN_DILITHIUM3AES_CLEAN_power2round(&a0->coeffs[i], a->coeffs[i]); - } - - DBENCH_STOP(*tround); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_poly_decompose -* -* Description: For all coefficients c of the input polynomial, -* compute high and low bits c0, c1 such c mod Q = c1*ALPHA + c0 -* with -ALPHA/2 < c0 <= ALPHA/2 except c1 = (Q-1)/ALPHA where we -* set c1 = 0 and -ALPHA/2 <= c0 = c mod Q - Q < 0. -* Assumes coefficients to be standard representatives. -* -* Arguments: - poly *a1: pointer to output polynomial with coefficients c1 -* - poly *a0: pointer to output polynomial with coefficients c0 -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_poly_decompose(poly *a1, poly *a0, const poly *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - a1->coeffs[i] = PQCLEAN_DILITHIUM3AES_CLEAN_decompose(&a0->coeffs[i], a->coeffs[i]); - } - - DBENCH_STOP(*tround); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_poly_make_hint -* -* Description: Compute hint polynomial. The coefficients of which indicate -* whether the low bits of the corresponding coefficient of -* the input polynomial overflow into the high bits. -* -* Arguments: - poly *h: pointer to output hint polynomial -* - const poly *a0: pointer to low part of input polynomial -* - const poly *a1: pointer to high part of input polynomial -* -* Returns number of 1 bits. 
-**************************************************/ -unsigned int PQCLEAN_DILITHIUM3AES_CLEAN_poly_make_hint(poly *h, const poly *a0, const poly *a1) { - unsigned int i, s = 0; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - h->coeffs[i] = PQCLEAN_DILITHIUM3AES_CLEAN_make_hint(a0->coeffs[i], a1->coeffs[i]); - s += h->coeffs[i]; - } - - DBENCH_STOP(*tround); - return s; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_poly_use_hint -* -* Description: Use hint polynomial to correct the high bits of a polynomial. -* -* Arguments: - poly *b: pointer to output polynomial with corrected high bits -* - const poly *a: pointer to input polynomial -* - const poly *h: pointer to input hint polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_poly_use_hint(poly *b, const poly *a, const poly *h) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - b->coeffs[i] = PQCLEAN_DILITHIUM3AES_CLEAN_use_hint(a->coeffs[i], h->coeffs[i]); - } - - DBENCH_STOP(*tround); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_poly_chknorm -* -* Description: Check infinity norm of polynomial against given bound. -* Assumes input coefficients were reduced by PQCLEAN_DILITHIUM3AES_CLEAN_reduce32(). -* -* Arguments: - const poly *a: pointer to polynomial -* - int32_t B: norm bound -* -* Returns 0 if norm is strictly smaller than B <= (Q-1)/8 and 1 otherwise. -**************************************************/ -int PQCLEAN_DILITHIUM3AES_CLEAN_poly_chknorm(const poly *a, int32_t B) { - unsigned int i; - int32_t t; - DBENCH_START(); - - if (B > (Q - 1) / 8) { - return 1; - } - - /* It is ok to leak which coefficient violates the bound since - the probability for each coefficient is independent of secret - data but we must not leak the sign of the centralized representative. 
*/ - for (i = 0; i < N; ++i) { - /* Absolute value */ - t = a->coeffs[i] >> 31; - t = a->coeffs[i] - (t & 2 * a->coeffs[i]); - - if (t >= B) { - DBENCH_STOP(*tsample); - return 1; - } - } - - DBENCH_STOP(*tsample); - return 0; -} - -/************************************************* -* Name: rej_uniform -* -* Description: Sample uniformly random coefficients in [0, Q-1] by -* performing rejection sampling on array of random bytes. -* -* Arguments: - int32_t *a: pointer to output array (allocated) -* - unsigned int len: number of coefficients to be sampled -* - const uint8_t *buf: array of random bytes -* - unsigned int buflen: length of array of random bytes -* -* Returns number of sampled coefficients. Can be smaller than len if not enough -* random bytes were given. -**************************************************/ -static unsigned int rej_uniform(int32_t *a, - unsigned int len, - const uint8_t *buf, - unsigned int buflen) { - unsigned int ctr, pos; - uint32_t t; - DBENCH_START(); - - ctr = pos = 0; - while (ctr < len && pos + 3 <= buflen) { - t = buf[pos++]; - t |= (uint32_t)buf[pos++] << 8; - t |= (uint32_t)buf[pos++] << 16; - t &= 0x7FFFFF; - - if (t < Q) { - a[ctr++] = t; - } - } - - DBENCH_STOP(*tsample); - return ctr; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_poly_uniform -* -* Description: Sample polynomial with uniformly random coefficients -* in [0,Q-1] by performing rejection sampling on the -* output stream of SHAKE256(seed|nonce) or AES256CTR(seed,nonce). 
-* -* Arguments: - poly *a: pointer to output polynomial -* - const uint8_t seed[]: byte array with seed of length SEEDBYTES -* - uint16_t nonce: 2-byte nonce -**************************************************/ -#define POLY_UNIFORM_NBLOCKS ((768 + STREAM128_BLOCKBYTES - 1)/STREAM128_BLOCKBYTES) -void PQCLEAN_DILITHIUM3AES_CLEAN_poly_uniform(poly *a, - const uint8_t seed[SEEDBYTES], - uint16_t nonce) { - unsigned int i, ctr, off; - unsigned int buflen = POLY_UNIFORM_NBLOCKS * STREAM128_BLOCKBYTES; - uint8_t buf[POLY_UNIFORM_NBLOCKS * STREAM128_BLOCKBYTES + 2]; - stream128_state state; - - stream128_init(&state, seed, nonce); - stream128_squeezeblocks(buf, POLY_UNIFORM_NBLOCKS, &state); - - ctr = rej_uniform(a->coeffs, N, buf, buflen); - - while (ctr < N) { - off = buflen % 3; - for (i = 0; i < off; ++i) { - buf[i] = buf[buflen - off + i]; - } - - stream128_squeezeblocks(buf + off, 1, &state); - buflen = STREAM128_BLOCKBYTES + off; - ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf, buflen); - } - stream128_release(&state); -} - -/************************************************* -* Name: rej_eta -* -* Description: Sample uniformly random coefficients in [-ETA, ETA] by -* performing rejection sampling on array of random bytes. -* -* Arguments: - int32_t *a: pointer to output array (allocated) -* - unsigned int len: number of coefficients to be sampled -* - const uint8_t *buf: array of random bytes -* - unsigned int buflen: length of array of random bytes -* -* Returns number of sampled coefficients. Can be smaller than len if not enough -* random bytes were given. 
-**************************************************/ -static unsigned int rej_eta(int32_t *a, - unsigned int len, - const uint8_t *buf, - unsigned int buflen) { - unsigned int ctr, pos; - uint32_t t0, t1; - DBENCH_START(); - - ctr = pos = 0; - while (ctr < len && pos < buflen) { - t0 = buf[pos] & 0x0F; - t1 = buf[pos++] >> 4; - - if (t0 < 9) { - a[ctr++] = 4 - t0; - } - if (t1 < 9 && ctr < len) { - a[ctr++] = 4 - t1; - } - } - - DBENCH_STOP(*tsample); - return ctr; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_poly_uniform_eta -* -* Description: Sample polynomial with uniformly random coefficients -* in [-ETA,ETA] by performing rejection sampling on the -* output stream from SHAKE256(seed|nonce) or AES256CTR(seed,nonce). -* -* Arguments: - poly *a: pointer to output polynomial -* - const uint8_t seed[]: byte array with seed of length SEEDBYTES -* - uint16_t nonce: 2-byte nonce -**************************************************/ -#define POLY_UNIFORM_ETA_NBLOCKS ((227 + STREAM128_BLOCKBYTES - 1)/STREAM128_BLOCKBYTES) -void PQCLEAN_DILITHIUM3AES_CLEAN_poly_uniform_eta(poly *a, - const uint8_t seed[SEEDBYTES], - uint16_t nonce) { - unsigned int ctr; - unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS * STREAM128_BLOCKBYTES; - uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS * STREAM128_BLOCKBYTES]; - stream128_state state; - - stream128_init(&state, seed, nonce); - stream128_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state); - - ctr = rej_eta(a->coeffs, N, buf, buflen); - - while (ctr < N) { - stream128_squeezeblocks(buf, 1, &state); - ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM128_BLOCKBYTES); - } - stream128_release(&state); -} - -/************************************************* -* Name: poly_uniform_gamma1m1 -* -* Description: Sample polynomial with uniformly random coefficients -* in [-(GAMMA1 - 1), GAMMA1] by unpacking output stream -* of SHAKE256(seed|nonce) or AES256CTR(seed,nonce). 
-* -* Arguments: - poly *a: pointer to output polynomial -* - const uint8_t seed[]: byte array with seed of length CRHBYTES -* - uint16_t nonce: 16-bit nonce -**************************************************/ -#define POLY_UNIFORM_GAMMA1_NBLOCKS ((POLYZ_PACKEDBYTES + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES) -void PQCLEAN_DILITHIUM3AES_CLEAN_poly_uniform_gamma1(poly *a, - const uint8_t seed[CRHBYTES], - uint16_t nonce) { - uint8_t buf[POLY_UNIFORM_GAMMA1_NBLOCKS * STREAM256_BLOCKBYTES]; - stream256_state state; - - stream256_init(&state, seed, nonce); - stream256_squeezeblocks(buf, POLY_UNIFORM_GAMMA1_NBLOCKS, &state); - stream256_release(&state); - PQCLEAN_DILITHIUM3AES_CLEAN_polyz_unpack(a, buf); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_challenge -* -* Description: Implementation of H. Samples polynomial with TAU nonzero -* coefficients in {-1,1} using the output stream of -* SHAKE256(seed). -* -* Arguments: - poly *c: pointer to output polynomial -* - const uint8_t mu[]: byte array containing seed of length SEEDBYTES -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]) { - unsigned int i, b, pos; - uint64_t signs; - uint8_t buf[SHAKE256_RATE]; - shake256incctx state; - - shake256_inc_init(&state); - shake256_inc_absorb(&state, seed, SEEDBYTES); - shake256_inc_finalize(&state); - shake256_inc_squeeze(buf, sizeof buf, &state); - - signs = 0; - for (i = 0; i < 8; ++i) { - signs |= (uint64_t)buf[i] << 8 * i; - } - pos = 8; - - for (i = 0; i < N; ++i) { - c->coeffs[i] = 0; - } - for (i = N - TAU; i < N; ++i) { - do { - if (pos >= SHAKE256_RATE) { - shake256_inc_squeeze(buf, sizeof buf, &state); - pos = 0; - } - - b = buf[pos++]; - } while (b > i); - - c->coeffs[i] = c->coeffs[b]; - c->coeffs[b] = 1 - 2 * (signs & 1); - signs >>= 1; - } - shake256_inc_ctx_release(&state); -} - 
-/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_polyeta_pack -* -* Description: Bit-pack polynomial with coefficients in [-ETA,ETA]. -* -* Arguments: - uint8_t *r: pointer to output byte array with at least -* POLYETA_PACKEDBYTES bytes -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_polyeta_pack(uint8_t *r, const poly *a) { - unsigned int i; - uint8_t t[8]; - DBENCH_START(); - - for (i = 0; i < N / 2; ++i) { - t[0] = (uint8_t) (ETA - a->coeffs[2 * i + 0]); - t[1] = (uint8_t) (ETA - a->coeffs[2 * i + 1]); - r[i] = t[0] | (t[1] << 4); - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_polyeta_unpack -* -* Description: Unpack polynomial with coefficients in [-ETA,ETA]. -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: byte array with bit-packed polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_polyeta_unpack(poly *r, const uint8_t *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N / 2; ++i) { - r->coeffs[2 * i + 0] = a[i] & 0x0F; - r->coeffs[2 * i + 1] = a[i] >> 4; - r->coeffs[2 * i + 0] = ETA - r->coeffs[2 * i + 0]; - r->coeffs[2 * i + 1] = ETA - r->coeffs[2 * i + 1]; - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_polyt1_pack -* -* Description: Bit-pack polynomial t1 with coefficients fitting in 10 bits. -* Input coefficients are assumed to be standard representatives. 
-* -* Arguments: - uint8_t *r: pointer to output byte array with at least -* POLYT1_PACKEDBYTES bytes -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_polyt1_pack(uint8_t *r, const poly *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N / 4; ++i) { - r[5 * i + 0] = (uint8_t) (a->coeffs[4 * i + 0] >> 0); - r[5 * i + 1] = (uint8_t) ((a->coeffs[4 * i + 0] >> 8) | (a->coeffs[4 * i + 1] << 2)); - r[5 * i + 2] = (uint8_t) ((a->coeffs[4 * i + 1] >> 6) | (a->coeffs[4 * i + 2] << 4)); - r[5 * i + 3] = (uint8_t) ((a->coeffs[4 * i + 2] >> 4) | (a->coeffs[4 * i + 3] << 6)); - r[5 * i + 4] = (uint8_t) (a->coeffs[4 * i + 3] >> 2); - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_polyt1_unpack -* -* Description: Unpack polynomial t1 with 10-bit coefficients. -* Output coefficients are standard representatives. -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: byte array with bit-packed polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_polyt1_unpack(poly *r, const uint8_t *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N / 4; ++i) { - r->coeffs[4 * i + 0] = ((a[5 * i + 0] >> 0) | ((uint32_t)a[5 * i + 1] << 8)) & 0x3FF; - r->coeffs[4 * i + 1] = ((a[5 * i + 1] >> 2) | ((uint32_t)a[5 * i + 2] << 6)) & 0x3FF; - r->coeffs[4 * i + 2] = ((a[5 * i + 2] >> 4) | ((uint32_t)a[5 * i + 3] << 4)) & 0x3FF; - r->coeffs[4 * i + 3] = ((a[5 * i + 3] >> 6) | ((uint32_t)a[5 * i + 4] << 2)) & 0x3FF; - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_polyt0_pack -* -* Description: Bit-pack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}]. 
-* -* Arguments: - uint8_t *r: pointer to output byte array with at least -* POLYT0_PACKEDBYTES bytes -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_polyt0_pack(uint8_t *r, const poly *a) { - unsigned int i; - uint32_t t[8]; - DBENCH_START(); - - for (i = 0; i < N / 8; ++i) { - t[0] = (1 << (D - 1)) - a->coeffs[8 * i + 0]; - t[1] = (1 << (D - 1)) - a->coeffs[8 * i + 1]; - t[2] = (1 << (D - 1)) - a->coeffs[8 * i + 2]; - t[3] = (1 << (D - 1)) - a->coeffs[8 * i + 3]; - t[4] = (1 << (D - 1)) - a->coeffs[8 * i + 4]; - t[5] = (1 << (D - 1)) - a->coeffs[8 * i + 5]; - t[6] = (1 << (D - 1)) - a->coeffs[8 * i + 6]; - t[7] = (1 << (D - 1)) - a->coeffs[8 * i + 7]; - - r[13 * i + 0] = (uint8_t) t[0]; - r[13 * i + 1] = (uint8_t) (t[0] >> 8); - r[13 * i + 1] |= (uint8_t) (t[1] << 5); - r[13 * i + 2] = (uint8_t) (t[1] >> 3); - r[13 * i + 3] = (uint8_t) (t[1] >> 11); - r[13 * i + 3] |= (uint8_t) (t[2] << 2); - r[13 * i + 4] = (uint8_t) (t[2] >> 6); - r[13 * i + 4] |= (uint8_t) (t[3] << 7); - r[13 * i + 5] = (uint8_t) (t[3] >> 1); - r[13 * i + 6] = (uint8_t) (t[3] >> 9); - r[13 * i + 6] |= (uint8_t) (t[4] << 4); - r[13 * i + 7] = (uint8_t) (t[4] >> 4); - r[13 * i + 8] = (uint8_t) (t[4] >> 12); - r[13 * i + 8] |= (uint8_t) (t[5] << 1); - r[13 * i + 9] = (uint8_t) (t[5] >> 7); - r[13 * i + 9] |= (uint8_t) (t[6] << 6); - r[13 * i + 10] = (uint8_t) (t[6] >> 2); - r[13 * i + 11] = (uint8_t) (t[6] >> 10); - r[13 * i + 11] |= (uint8_t) (t[7] << 3); - r[13 * i + 12] = (uint8_t) (t[7] >> 5); - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_polyt0_unpack -* -* Description: Unpack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}]. 
-* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: byte array with bit-packed polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_polyt0_unpack(poly *r, const uint8_t *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N / 8; ++i) { - r->coeffs[8 * i + 0] = a[13 * i + 0]; - r->coeffs[8 * i + 0] |= (uint32_t)a[13 * i + 1] << 8; - r->coeffs[8 * i + 0] &= 0x1FFF; - - r->coeffs[8 * i + 1] = a[13 * i + 1] >> 5; - r->coeffs[8 * i + 1] |= (uint32_t)a[13 * i + 2] << 3; - r->coeffs[8 * i + 1] |= (uint32_t)a[13 * i + 3] << 11; - r->coeffs[8 * i + 1] &= 0x1FFF; - - r->coeffs[8 * i + 2] = a[13 * i + 3] >> 2; - r->coeffs[8 * i + 2] |= (uint32_t)a[13 * i + 4] << 6; - r->coeffs[8 * i + 2] &= 0x1FFF; - - r->coeffs[8 * i + 3] = a[13 * i + 4] >> 7; - r->coeffs[8 * i + 3] |= (uint32_t)a[13 * i + 5] << 1; - r->coeffs[8 * i + 3] |= (uint32_t)a[13 * i + 6] << 9; - r->coeffs[8 * i + 3] &= 0x1FFF; - - r->coeffs[8 * i + 4] = a[13 * i + 6] >> 4; - r->coeffs[8 * i + 4] |= (uint32_t)a[13 * i + 7] << 4; - r->coeffs[8 * i + 4] |= (uint32_t)a[13 * i + 8] << 12; - r->coeffs[8 * i + 4] &= 0x1FFF; - - r->coeffs[8 * i + 5] = a[13 * i + 8] >> 1; - r->coeffs[8 * i + 5] |= (uint32_t)a[13 * i + 9] << 7; - r->coeffs[8 * i + 5] &= 0x1FFF; - - r->coeffs[8 * i + 6] = a[13 * i + 9] >> 6; - r->coeffs[8 * i + 6] |= (uint32_t)a[13 * i + 10] << 2; - r->coeffs[8 * i + 6] |= (uint32_t)a[13 * i + 11] << 10; - r->coeffs[8 * i + 6] &= 0x1FFF; - - r->coeffs[8 * i + 7] = a[13 * i + 11] >> 3; - r->coeffs[8 * i + 7] |= (uint32_t)a[13 * i + 12] << 5; - r->coeffs[8 * i + 7] &= 0x1FFF; - - r->coeffs[8 * i + 0] = (1 << (D - 1)) - r->coeffs[8 * i + 0]; - r->coeffs[8 * i + 1] = (1 << (D - 1)) - r->coeffs[8 * i + 1]; - r->coeffs[8 * i + 2] = (1 << (D - 1)) - r->coeffs[8 * i + 2]; - r->coeffs[8 * i + 3] = (1 << (D - 1)) - r->coeffs[8 * i + 3]; - r->coeffs[8 * i + 4] = (1 << (D - 1)) - r->coeffs[8 * i + 4]; - r->coeffs[8 * i + 5] = (1 << (D - 1)) 
- r->coeffs[8 * i + 5]; - r->coeffs[8 * i + 6] = (1 << (D - 1)) - r->coeffs[8 * i + 6]; - r->coeffs[8 * i + 7] = (1 << (D - 1)) - r->coeffs[8 * i + 7]; - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_polyz_pack -* -* Description: Bit-pack polynomial with coefficients -* in [-(GAMMA1 - 1), GAMMA1]. -* -* Arguments: - uint8_t *r: pointer to output byte array with at least -* POLYZ_PACKEDBYTES bytes -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_polyz_pack(uint8_t *r, const poly *a) { - unsigned int i; - uint32_t t[4]; - DBENCH_START(); - - for (i = 0; i < N / 2; ++i) { - t[0] = GAMMA1 - a->coeffs[2 * i + 0]; - t[1] = GAMMA1 - a->coeffs[2 * i + 1]; - - r[5 * i + 0] = (uint8_t) t[0]; - r[5 * i + 1] = (uint8_t) (t[0] >> 8); - r[5 * i + 2] = (uint8_t) (t[0] >> 16); - r[5 * i + 2] |= (uint8_t) (t[1] << 4); - r[5 * i + 3] = (uint8_t) (t[1] >> 4); - r[5 * i + 4] = (uint8_t) (t[1] >> 12); - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_polyz_unpack -* -* Description: Unpack polynomial z with coefficients -* in [-(GAMMA1 - 1), GAMMA1]. 
-* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: byte array with bit-packed polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_polyz_unpack(poly *r, const uint8_t *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N / 2; ++i) { - r->coeffs[2 * i + 0] = a[5 * i + 0]; - r->coeffs[2 * i + 0] |= (uint32_t)a[5 * i + 1] << 8; - r->coeffs[2 * i + 0] |= (uint32_t)a[5 * i + 2] << 16; - r->coeffs[2 * i + 0] &= 0xFFFFF; - - r->coeffs[2 * i + 1] = a[5 * i + 2] >> 4; - r->coeffs[2 * i + 1] |= (uint32_t)a[5 * i + 3] << 4; - r->coeffs[2 * i + 1] |= (uint32_t)a[5 * i + 4] << 12; - r->coeffs[2 * i + 0] &= 0xFFFFF; - - r->coeffs[2 * i + 0] = GAMMA1 - r->coeffs[2 * i + 0]; - r->coeffs[2 * i + 1] = GAMMA1 - r->coeffs[2 * i + 1]; - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_polyw1_pack -* -* Description: Bit-pack polynomial w1 with coefficients in [0,15] or [0,43]. -* Input coefficients are assumed to be standard representatives. -* -* Arguments: - uint8_t *r: pointer to output byte array with at least -* POLYW1_PACKEDBYTES bytes -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_polyw1_pack(uint8_t *r, const poly *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N / 2; ++i) { - r[i] = (uint8_t) (a->coeffs[2 * i + 0] | (a->coeffs[2 * i + 1] << 4)); - } - - DBENCH_STOP(*tpack); -} diff --git a/crypto_sign/dilithium3aes/clean/poly.h b/crypto_sign/dilithium3aes/clean/poly.h deleted file mode 100644 index 092576ca..00000000 --- a/crypto_sign/dilithium3aes/clean/poly.h +++ /dev/null 
@@ -1,53 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM3AES_CLEAN_POLY_H
-#define PQCLEAN_DILITHIUM3AES_CLEAN_POLY_H
-#include "params.h"
-#include
-
-typedef struct {
- int32_t coeffs[N];
-} poly;
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_poly_reduce(poly *a);
-void PQCLEAN_DILITHIUM3AES_CLEAN_poly_caddq(poly *a);
-void PQCLEAN_DILITHIUM3AES_CLEAN_poly_freeze(poly *a);
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_poly_add(poly *c, const poly *a, const poly *b);
-void PQCLEAN_DILITHIUM3AES_CLEAN_poly_sub(poly *c, const poly *a, const poly *b);
-void PQCLEAN_DILITHIUM3AES_CLEAN_poly_shiftl(poly *a);
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_poly_ntt(poly *a);
-void PQCLEAN_DILITHIUM3AES_CLEAN_poly_invntt_tomont(poly *a);
-void PQCLEAN_DILITHIUM3AES_CLEAN_poly_pointwise_montgomery(poly *c, const poly *a, const poly *b);
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_poly_power2round(poly *a1, poly *a0, const poly *a);
-void PQCLEAN_DILITHIUM3AES_CLEAN_poly_decompose(poly *a1, poly *a0, const poly *a);
-unsigned int PQCLEAN_DILITHIUM3AES_CLEAN_poly_make_hint(poly *h, const poly *a0, const poly *a1);
-void PQCLEAN_DILITHIUM3AES_CLEAN_poly_use_hint(poly *b, const poly *a, const poly *h);
-
-int PQCLEAN_DILITHIUM3AES_CLEAN_poly_chknorm(const poly *a, int32_t B);
-void PQCLEAN_DILITHIUM3AES_CLEAN_poly_uniform(poly *a,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce);
-void PQCLEAN_DILITHIUM3AES_CLEAN_poly_uniform_eta(poly *a,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce);
-void PQCLEAN_DILITHIUM3AES_CLEAN_poly_uniform_gamma1(poly *a,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce);
-void PQCLEAN_DILITHIUM3AES_CLEAN_poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyeta_pack(uint8_t *r, const poly *a);
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyeta_unpack(poly *r, const uint8_t *a);
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyt1_pack(uint8_t *r, const poly *a);
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyt1_unpack(poly *r, const uint8_t *a);
-
-void
PQCLEAN_DILITHIUM3AES_CLEAN_polyt0_pack(uint8_t *r, const poly *a);
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyt0_unpack(poly *r, const uint8_t *a);
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyz_pack(uint8_t *r, const poly *a);
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyz_unpack(poly *r, const uint8_t *a);
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyw1_pack(uint8_t *r, const poly *a);
-
-#endif
diff --git a/crypto_sign/dilithium3aes/clean/polyvec.c b/crypto_sign/dilithium3aes/clean/polyvec.c
deleted file mode 100644
index a30d322d..00000000
--- a/crypto_sign/dilithium3aes/clean/polyvec.c
+++ /dev/null
@@ -1,448 +0,0 @@ -#include "params.h" -#include "poly.h" -#include "polyvec.h" -#include - -/************************************************* -* Name: expand_mat -* -* Description: Implementation of ExpandA. Generates matrix A with uniformly -* random coefficients a_{i,j} by performing rejection -* sampling on the output stream of SHAKE128(rho|j|i) -* or AES256CTR(rho,j|i). -* -* Arguments: - polyvecl mat[K]: output matrix -* - const uint8_t rho[]: byte array containing seed rho -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) { - unsigned int i, j; - - for (i = 0; i < K; ++i) { - for (j = 0; j < L; ++j) { - PQCLEAN_DILITHIUM3AES_CLEAN_poly_uniform(&mat[i].vec[j], rho, (uint16_t) ((i << 8) + j)); - } - } -} - -void PQCLEAN_DILITHIUM3AES_CLEAN_polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_pointwise_acc_montgomery(&t->vec[i], &mat[i], v); - } -} - -/**************************************************************/ -/************ Vectors of polynomials of length L **************/ -/**************************************************************/ - -void PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_poly_uniform_eta(&v->vec[i], seed, nonce++); - } -} - -void PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_poly_uniform_gamma1(&v->vec[i], seed, (uint16_t) (L * nonce + i)); - } -} - -void PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_reduce(polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_poly_reduce(&v->vec[i]); - } -} - 
-/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_freeze -* -* Description: Reduce coefficients of polynomials in vector of length L -* to standard representatives. -* -* Arguments: - polyvecl *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_freeze(polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_poly_freeze(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_add -* -* Description: Add vectors of polynomials of length L. -* No modular reduction is performed. -* -* Arguments: - polyvecl *w: pointer to output vector -* - const polyvecl *u: pointer to first summand -* - const polyvecl *v: pointer to second summand -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_poly_add(&w->vec[i], &u->vec[i], &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_ntt -* -* Description: Forward NTT of all polynomials in vector of length L. Output -* coefficients can be up to 16*Q larger than input coefficients. 
-* -* Arguments: - polyvecl *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_ntt(polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_poly_ntt(&v->vec[i]); - } -} - -void PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_invntt_tomont(polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_poly_invntt_tomont(&v->vec[i]); - } -} - -void PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_pointwise_acc_montgomery -* -* Description: Pointwise multiply vectors of polynomials of length L, multiply -* resulting vector by 2^{-32} and add (accumulate) polynomials -* in it. Input/output vectors are in NTT domain representation. -* -* Arguments: - poly *w: output polynomial -* - const polyvecl *u: pointer to first input vector -* - const polyvecl *v: pointer to second input vector -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_pointwise_acc_montgomery(poly *w, - const polyvecl *u, - const polyvecl *v) { - unsigned int i; - poly t; - - PQCLEAN_DILITHIUM3AES_CLEAN_poly_pointwise_montgomery(w, &u->vec[0], &v->vec[0]); - for (i = 1; i < L; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_poly_pointwise_montgomery(&t, &u->vec[i], &v->vec[i]); - PQCLEAN_DILITHIUM3AES_CLEAN_poly_add(w, w, &t); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_chknorm -* -* Description: Check infinity norm of polynomials in vector of length L. -* Assumes input polyvecl to be reduced by PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_reduce(). 
-* -* Arguments: - const polyvecl *v: pointer to vector -* - int32_t B: norm bound -* -* Returns 0 if norm of all polynomials is strictly smaller than B <= (Q-1)/8 -* and 1 otherwise. -**************************************************/ -int PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_chknorm(const polyvecl *v, int32_t bound) { - unsigned int i; - - for (i = 0; i < L; ++i) { - if (PQCLEAN_DILITHIUM3AES_CLEAN_poly_chknorm(&v->vec[i], bound)) { - return 1; - } - } - - return 0; -} - -/**************************************************************/ -/************ Vectors of polynomials of length K **************/ -/**************************************************************/ - -void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_poly_uniform_eta(&v->vec[i], seed, nonce++); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_reduce -* -* Description: Reduce coefficients of polynomials in vector of length K -* to representatives in [-6283009,6283007]. -* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_reduce(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_poly_reduce(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_caddq -* -* Description: For all coefficients of polynomials in vector of length K -* add Q if coefficient is negative. 
-* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_caddq(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_poly_caddq(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_freeze -* -* Description: Reduce coefficients of polynomials in vector of length K -* to standard representatives. -* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_freeze(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_poly_freeze(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_add -* -* Description: Add vectors of polynomials of length K. -* No modular reduction is performed. -* -* Arguments: - polyveck *w: pointer to output vector -* - const polyveck *u: pointer to first summand -* - const polyveck *v: pointer to second summand -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_add(polyveck *w, const polyveck *u, const polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_poly_add(&w->vec[i], &u->vec[i], &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_sub -* -* Description: Subtract vectors of polynomials of length K. -* No modular reduction is performed. 
-* -* Arguments: - polyveck *w: pointer to output vector -* - const polyveck *u: pointer to first input vector -* - const polyveck *v: pointer to second input vector to be -* subtracted from first input vector -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_poly_sub(&w->vec[i], &u->vec[i], &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_shiftl -* -* Description: Multiply vector of polynomials of Length K by 2^D without modular -* reduction. Assumes input coefficients to be less than 2^{31-D}. -* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_shiftl(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_poly_shiftl(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_ntt -* -* Description: Forward NTT of all polynomials in vector of length K. Output -* coefficients can be up to 16*Q larger than input coefficients. -* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_ntt(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_poly_ntt(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_invntt_tomont -* -* Description: Inverse NTT and multiplication by 2^{32} of polynomials -* in vector of length K. Input coefficients need to be less -* than 2*Q. 
-* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_invntt_tomont(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_poly_invntt_tomont(&v->vec[i]); - } -} - -void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]); - } -} - - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_chknorm -* -* Description: Check infinity norm of polynomials in vector of length K. -* Assumes input polyveck to be reduced by PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_reduce(). -* -* Arguments: - const polyveck *v: pointer to vector -* - int32_t B: norm bound -* -* Returns 0 if norm of all polynomials are strictly smaller than B <= (Q-1)/8 -* and 1 otherwise. -**************************************************/ -int PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_chknorm(const polyveck *v, int32_t bound) { - unsigned int i; - - for (i = 0; i < K; ++i) { - if (PQCLEAN_DILITHIUM3AES_CLEAN_poly_chknorm(&v->vec[i], bound)) { - return 1; - } - } - - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_power2round -* -* Description: For all coefficients a of polynomials in vector of length K, -* compute a0, a1 such that a mod^+ Q = a1*2^D + a0 -* with -2^{D-1} < a0 <= 2^{D-1}. Assumes coefficients to be -* standard representatives. 
-* -* Arguments: - polyveck *v1: pointer to output vector of polynomials with -* coefficients a1 -* - polyveck *v0: pointer to output vector of polynomials with -* coefficients a0 -* - const polyveck *v: pointer to input vector -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_poly_power2round(&v1->vec[i], &v0->vec[i], &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_decompose -* -* Description: For all coefficients a of polynomials in vector of length K, -* compute high and low bits a0, a1 such a mod^+ Q = a1*ALPHA + a0 -* with -ALPHA/2 < a0 <= ALPHA/2 except a1 = (Q-1)/ALPHA where we -* set a1 = 0 and -ALPHA/2 <= a0 = a mod Q - Q < 0. -* Assumes coefficients to be standard representatives. -* -* Arguments: - polyveck *v1: pointer to output vector of polynomials with -* coefficients a1 -* - polyveck *v0: pointer to output vector of polynomials with -* coefficients a0 -* - const polyveck *v: pointer to input vector -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_poly_decompose(&v1->vec[i], &v0->vec[i], &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_make_hint -* -* Description: Compute hint vector. -* -* Arguments: - polyveck *h: pointer to output vector -* - const polyveck *v0: pointer to low part of input vector -* - const polyveck *v1: pointer to high part of input vector -* -* Returns number of 1 bits. 
-**************************************************/ -unsigned int PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_make_hint(polyveck *h, - const polyveck *v0, - const polyveck *v1) { - unsigned int i, s = 0; - - for (i = 0; i < K; ++i) { - s += PQCLEAN_DILITHIUM3AES_CLEAN_poly_make_hint(&h->vec[i], &v0->vec[i], &v1->vec[i]); - } - - return s; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_use_hint -* -* Description: Use hint vector to correct the high bits of input vector. -* -* Arguments: - polyveck *w: pointer to output vector of polynomials with -* corrected high bits -* - const polyveck *u: pointer to input vector -* - const polyveck *h: pointer to input hint vector -**************************************************/ -void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_poly_use_hint(&w->vec[i], &u->vec[i], &h->vec[i]); - } -} - -void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_pack_w1(uint8_t r[K * POLYW1_PACKEDBYTES], const polyveck *w1) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM3AES_CLEAN_polyw1_pack(&r[i * POLYW1_PACKEDBYTES], &w1->vec[i]); - } -} diff --git a/crypto_sign/dilithium3aes/clean/polyvec.h b/crypto_sign/dilithium3aes/clean/polyvec.h deleted file mode 100644 index 668b284a..00000000 --- a/crypto_sign/dilithium3aes/clean/polyvec.h +++ /dev/null 
@@ -1,68 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM3AES_CLEAN_POLYVEC_H
-#define PQCLEAN_DILITHIUM3AES_CLEAN_POLYVEC_H
-#include "params.h"
-#include "poly.h"
-#include 
-
-/* Vectors of polynomials of length L */
-typedef struct {
- poly vec[L];
-} polyvecl;
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_reduce(polyvecl *v);
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_freeze(polyvecl *v);
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v);
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_ntt(polyvecl *v);
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_invntt_tomont(polyvecl *v);
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v);
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_pointwise_acc_montgomery(poly *w,
- const polyvecl *u,
- const polyvecl *v);
-
-
-int PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_chknorm(const polyvecl *v, int32_t B);
-
-
-
-/* Vectors of polynomials of length K */
-typedef struct {
- poly vec[K];
-} polyveck;
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_reduce(polyveck *v);
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_caddq(polyveck *v);
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_freeze(polyveck *v);
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_add(polyveck *w, const polyveck *u, const polyveck *v);
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v);
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_shiftl(polyveck *v);
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_ntt(polyveck *v);
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_invntt_tomont(polyveck *v);
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v);
-
-int PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_chknorm(const polyveck *v, int32_t B);
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v);
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v);
-unsigned int PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_make_hint(polyveck *h,
- const polyveck *v0,
- const polyveck *v1);
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h);
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_pack_w1(uint8_t r[K * POLYW1_PACKEDBYTES], const polyveck *w1);
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]);
-
-void PQCLEAN_DILITHIUM3AES_CLEAN_polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v);
-
-#endif
diff --git a/crypto_sign/dilithium3aes/clean/reduce.c b/crypto_sign/dilithium3aes/clean/reduce.c
deleted file mode 100644
index 551e06f6..00000000
--- a/crypto_sign/dilithium3aes/clean/reduce.c
+++ /dev/null
@@ -1,69 +0,0 @@
-#include "params.h"
-#include "reduce.h"
-#include 
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM3AES_CLEAN_montgomery_reduce
-*
-* Description: For finite field element a with -2^{31}Q <= a <= Q*2^31,
-* compute r \equiv a*2^{-32} (mod Q) such that -Q < r < Q.
-*
-* Arguments: - int64_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t PQCLEAN_DILITHIUM3AES_CLEAN_montgomery_reduce(int64_t a) {
- int32_t t;
-
- t = (int32_t)((uint64_t)a * (uint64_t)QINV);
- t = (a - (int64_t)t * Q) >> 32;
- return t;
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM3AES_CLEAN_reduce32
-*
-* Description: For finite field element a with a <= 2^{31} - 2^{22} - 1,
-* compute r \equiv a (mod Q) such that -6283009 <= r <= 6283007.
-*
-* Arguments: - int32_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t PQCLEAN_DILITHIUM3AES_CLEAN_reduce32(int32_t a) {
- int32_t t;
-
- t = (a + (1 << 22)) >> 23;
- t = a - t * Q;
- return t;
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM3AES_CLEAN_caddq
-*
-* Description: Add Q if input coefficient is negative.
-*
-* Arguments: - int32_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t PQCLEAN_DILITHIUM3AES_CLEAN_caddq(int32_t a) {
- a += (a >> 31) & Q;
- return a;
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM3AES_CLEAN_freeze
-*
-* Description: For finite field element a, compute standard
-* representative r = a mod^+ Q.
-*
-* Arguments: - int32_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t PQCLEAN_DILITHIUM3AES_CLEAN_freeze(int32_t a) {
- a = PQCLEAN_DILITHIUM3AES_CLEAN_reduce32(a);
- a = PQCLEAN_DILITHIUM3AES_CLEAN_caddq(a);
- return a;
-}
diff --git a/crypto_sign/dilithium3aes/clean/reduce.h b/crypto_sign/dilithium3aes/clean/reduce.h
deleted file mode 100644
index fa9cc09d..00000000
--- a/crypto_sign/dilithium3aes/clean/reduce.h
+++ /dev/null
@@ -1,17 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM3AES_CLEAN_REDUCE_H
-#define PQCLEAN_DILITHIUM3AES_CLEAN_REDUCE_H
-#include "params.h"
-#include 
-
-#define MONT (-4186625) // 2^32 % Q
-#define QINV 58728449 // q^(-1) mod 2^32
-
-int32_t PQCLEAN_DILITHIUM3AES_CLEAN_montgomery_reduce(int64_t a);
-
-int32_t PQCLEAN_DILITHIUM3AES_CLEAN_reduce32(int32_t a);
-
-int32_t PQCLEAN_DILITHIUM3AES_CLEAN_caddq(int32_t a);
-
-int32_t PQCLEAN_DILITHIUM3AES_CLEAN_freeze(int32_t a);
-
-#endif
diff --git a/crypto_sign/dilithium3aes/clean/rounding.c b/crypto_sign/dilithium3aes/clean/rounding.c
deleted file mode 100644
index 6dd2665e..00000000
--- a/crypto_sign/dilithium3aes/clean/rounding.c
+++ /dev/null
@@ -1,92 +0,0 @@
-#include "params.h"
-#include "rounding.h"
-#include 
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM3AES_CLEAN_power2round
-*
-* Description: For finite field element a, compute a0, a1 such that
-* a mod^+ Q = a1*2^D + a0 with -2^{D-1} < a0 <= 2^{D-1}.
-* Assumes a to be standard representative.
-*
-* Arguments: - int32_t a: input element
-* - int32_t *a0: pointer to output element a0
-*
-* Returns a1.
-**************************************************/
-int32_t PQCLEAN_DILITHIUM3AES_CLEAN_power2round(int32_t *a0, int32_t a) {
- int32_t a1;
-
- a1 = (a + (1 << (D - 1)) - 1) >> D;
- *a0 = a - (a1 << D);
- return a1;
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM3AES_CLEAN_decompose
-*
-* Description: For finite field element a, compute high and low bits a0, a1 such
-* that a mod^+ Q = a1*ALPHA + a0 with -ALPHA/2 < a0 <= ALPHA/2 except
-* if a1 = (Q-1)/ALPHA where we set a1 = 0 and
-* -ALPHA/2 <= a0 = a mod^+ Q - Q < 0. Assumes a to be standard
-* representative.
-*
-* Arguments: - int32_t a: input element
-* - int32_t *a0: pointer to output element a0
-*
-* Returns a1.
-**************************************************/
-int32_t PQCLEAN_DILITHIUM3AES_CLEAN_decompose(int32_t *a0, int32_t a) {
- int32_t a1;
-
- a1 = (a + 127) >> 7;
- a1 = (a1 * 1025 + (1 << 21)) >> 22;
- a1 &= 15;
-
- *a0 = a - a1 * 2 * GAMMA2;
- *a0 -= (((Q - 1) / 2 - *a0) >> 31) & Q;
- return a1;
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM3AES_CLEAN_make_hint
-*
-* Description: Compute hint bit indicating whether the low bits of the
-* input element overflow into the high bits.
-*
-* Arguments: - int32_t a0: low bits of input element
-* - int32_t a1: high bits of input element
-*
-* Returns 1 if overflow.
-**************************************************/
-unsigned int PQCLEAN_DILITHIUM3AES_CLEAN_make_hint(int32_t a0, int32_t a1) {
- if (a0 > GAMMA2 || a0 < -GAMMA2 || (a0 == -GAMMA2 && a1 != 0)) {
- return 1;
- }
-
- return 0;
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM3AES_CLEAN_use_hint
-*
-* Description: Correct high bits according to hint.
-*
-* Arguments: - int32_t a: input element
-* - unsigned int hint: hint bit
-*
-* Returns corrected high bits.
-**************************************************/
-int32_t PQCLEAN_DILITHIUM3AES_CLEAN_use_hint(int32_t a, unsigned int hint) {
- int32_t a0, a1;
-
- a1 = PQCLEAN_DILITHIUM3AES_CLEAN_decompose(&a0, a);
- if (hint == 0) {
- return a1;
- }
-
- if (a0 > 0) {
- return (a1 + 1) & 15;
- }
- return (a1 - 1) & 15;
-}
diff --git a/crypto_sign/dilithium3aes/clean/rounding.h b/crypto_sign/dilithium3aes/clean/rounding.h
deleted file mode 100644
index af049b63..00000000
--- a/crypto_sign/dilithium3aes/clean/rounding.h
+++ /dev/null
@@ -1,14 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM3AES_CLEAN_ROUNDING_H
-#define PQCLEAN_DILITHIUM3AES_CLEAN_ROUNDING_H
-#include "params.h"
-#include 
-
-int32_t PQCLEAN_DILITHIUM3AES_CLEAN_power2round(int32_t *a0, int32_t a);
-
-int32_t PQCLEAN_DILITHIUM3AES_CLEAN_decompose(int32_t *a0, int32_t a);
-
-unsigned int PQCLEAN_DILITHIUM3AES_CLEAN_make_hint(int32_t a0, int32_t a1);
-
-int32_t PQCLEAN_DILITHIUM3AES_CLEAN_use_hint(int32_t a, unsigned int hint);
-
-#endif
diff --git a/crypto_sign/dilithium3aes/clean/sign.c b/crypto_sign/dilithium3aes/clean/sign.c
deleted file mode 100644
index 3d96ee26..00000000
--- a/crypto_sign/dilithium3aes/clean/sign.c
+++ /dev/null
@@ -1,343 +0,0 @@ -#include "fips202.h" -#include "packing.h" -#include "params.h" -#include "poly.h" -#include "polyvec.h" -#include "randombytes.h" -#include "sign.h" -#include "symmetric.h" -#include - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_keypair -* -* Description: Generates public and private key. -* -* Arguments: - uint8_t *pk: pointer to output public key (allocated -* array of PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_PUBLICKEYBYTES bytes) -* - uint8_t *sk: pointer to output private key (allocated -* array of PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_SECRETKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { - uint8_t seedbuf[3 * SEEDBYTES]; - uint8_t tr[CRHBYTES]; - const uint8_t *rho, *rhoprime, *key; - polyvecl mat[K]; - polyvecl s1, s1hat; - polyveck s2, t1, t0; - - /* Get randomness for rho, rhoprime and key */ - randombytes(seedbuf, SEEDBYTES); - shake256(seedbuf, 3 * SEEDBYTES, seedbuf, SEEDBYTES); - rho = seedbuf; - rhoprime = seedbuf + SEEDBYTES; - key = seedbuf + 2 * SEEDBYTES; - - /* Expand matrix */ - PQCLEAN_DILITHIUM3AES_CLEAN_polyvec_matrix_expand(mat, rho); - - /* Sample short vectors s1 and s2 */ - PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_uniform_eta(&s1, rhoprime, 0); - PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_uniform_eta(&s2, rhoprime, L); - - /* Matrix-vector multiplication */ - s1hat = s1; - PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_ntt(&s1hat); - PQCLEAN_DILITHIUM3AES_CLEAN_polyvec_matrix_pointwise_montgomery(&t1, mat, &s1hat); - PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_reduce(&t1); - PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_invntt_tomont(&t1); - - /* Add error vector s2 */ - PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_add(&t1, &t1, &s2); - - /* Extract t1 and write public key */ - PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_caddq(&t1); - PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_power2round(&t1, &t0, 
&t1); - PQCLEAN_DILITHIUM3AES_CLEAN_pack_pk(pk, rho, &t1); - - /* Compute CRH(rho, t1) and write secret key */ - crh(tr, pk, PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_PUBLICKEYBYTES); - PQCLEAN_DILITHIUM3AES_CLEAN_pack_sk(sk, rho, tr, key, &t0, &s1, &s2); - - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_signature -* -* Description: Computes signature. -* -* Arguments: - uint8_t *sig: pointer to output signature (of length PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_BYTES) -* - size_t *siglen: pointer to output length of signature -* - uint8_t *m: pointer to message to be signed -* - size_t mlen: length of message -* - uint8_t *sk: pointer to bit-packed secret key -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_signature(uint8_t *sig, - size_t *siglen, - const uint8_t *m, - size_t mlen, - const uint8_t *sk) { - unsigned int n; - uint8_t seedbuf[2 * SEEDBYTES + 3 * CRHBYTES]; - uint8_t *rho, *tr, *key, *mu, *rhoprime; - uint16_t nonce = 0; - polyvecl mat[K], s1, y, z; - polyveck t0, s2, w1, w0, h; - poly cp; - shake256incctx state; - - rho = seedbuf; - tr = rho + SEEDBYTES; - key = tr + CRHBYTES; - mu = key + SEEDBYTES; - rhoprime = mu + CRHBYTES; - PQCLEAN_DILITHIUM3AES_CLEAN_unpack_sk(rho, tr, key, &t0, &s1, &s2, sk); - - /* Compute CRH(tr, msg) */ - shake256_inc_init(&state); - shake256_inc_absorb(&state, tr, CRHBYTES); - shake256_inc_absorb(&state, m, mlen); - shake256_inc_finalize(&state); - shake256_inc_squeeze(mu, CRHBYTES, &state); - shake256_inc_ctx_release(&state); - - crh(rhoprime, key, SEEDBYTES + CRHBYTES); - - /* Expand matrix and transform vectors */ - PQCLEAN_DILITHIUM3AES_CLEAN_polyvec_matrix_expand(mat, rho); - PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_ntt(&s1); - PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_ntt(&s2); - PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_ntt(&t0); - -rej: - /* Sample intermediate vector y */ - 
PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_uniform_gamma1(&y, rhoprime, nonce++); - - /* Matrix-vector multiplication */ - z = y; - PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_ntt(&z); - PQCLEAN_DILITHIUM3AES_CLEAN_polyvec_matrix_pointwise_montgomery(&w1, mat, &z); - PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_reduce(&w1); - PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_invntt_tomont(&w1); - - /* Decompose w and call the random oracle */ - PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_caddq(&w1); - PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_decompose(&w1, &w0, &w1); - PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_pack_w1(sig, &w1); - - shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); - shake256_inc_absorb(&state, sig, K * POLYW1_PACKEDBYTES); - shake256_inc_finalize(&state); - shake256_inc_squeeze(sig, SEEDBYTES, &state); - shake256_inc_ctx_release(&state); - PQCLEAN_DILITHIUM3AES_CLEAN_poly_challenge(&cp, sig); - PQCLEAN_DILITHIUM3AES_CLEAN_poly_ntt(&cp); - - /* Compute z, reject if it reveals secret */ - PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_pointwise_poly_montgomery(&z, &cp, &s1); - PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_invntt_tomont(&z); - PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_add(&z, &z, &y); - PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_reduce(&z); - if (PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_chknorm(&z, GAMMA1 - BETA)) { - goto rej; - } - - /* Check that subtracting cs2 does not change high bits of w and low bits - * do not reveal secret information */ - PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_pointwise_poly_montgomery(&h, &cp, &s2); - PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_invntt_tomont(&h); - PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_sub(&w0, &w0, &h); - PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_reduce(&w0); - if (PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_chknorm(&w0, GAMMA2 - BETA)) { - goto rej; - } - - /* Compute hints for w1 */ - PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_pointwise_poly_montgomery(&h, &cp, &t0); - PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_invntt_tomont(&h); - PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_reduce(&h); 
- if (PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_chknorm(&h, GAMMA2)) { - goto rej; - } - - PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_add(&w0, &w0, &h); - n = PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_make_hint(&h, &w0, &w1); - if (n > OMEGA) { - goto rej; - } - - /* Write signature */ - PQCLEAN_DILITHIUM3AES_CLEAN_pack_sig(sig, sig, &z, &h); - *siglen = PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_BYTES; - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign -* -* Description: Compute signed message. -* -* Arguments: - uint8_t *sm: pointer to output signed message (allocated -* array with PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_BYTES + mlen bytes), -* can be equal to m -* - size_t *smlen: pointer to output length of signed -* message -* - const uint8_t *m: pointer to message to be signed -* - size_t mlen: length of message -* - const uint8_t *sk: pointer to bit-packed secret key -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign(uint8_t *sm, - size_t *smlen, - const uint8_t *m, - size_t mlen, - const uint8_t *sk) { - size_t i; - - for (i = 0; i < mlen; ++i) { - sm[PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_BYTES + mlen - 1 - i] = m[mlen - 1 - i]; - } - PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_signature(sm, smlen, sm + PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_BYTES, mlen, sk); - *smlen += mlen; - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_verify -* -* Description: Verifies signature. 
-* -* Arguments: - uint8_t *m: pointer to input signature -* - size_t siglen: length of signature -* - const uint8_t *m: pointer to message -* - size_t mlen: length of message -* - const uint8_t *pk: pointer to bit-packed public key -* -* Returns 0 if signature could be verified correctly and -1 otherwise -**************************************************/ -int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_verify(const uint8_t *sig, - size_t siglen, - const uint8_t *m, - size_t mlen, - const uint8_t *pk) { - unsigned int i; - uint8_t buf[K * POLYW1_PACKEDBYTES]; - uint8_t rho[SEEDBYTES]; - uint8_t mu[CRHBYTES]; - uint8_t c[SEEDBYTES]; - uint8_t c2[SEEDBYTES]; - poly cp; - polyvecl mat[K], z; - polyveck t1, w1, h; - shake256incctx state; - - if (siglen != PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_BYTES) { - return -1; - } - - PQCLEAN_DILITHIUM3AES_CLEAN_unpack_pk(rho, &t1, pk); - if (PQCLEAN_DILITHIUM3AES_CLEAN_unpack_sig(c, &z, &h, sig)) { - return -1; - } - if (PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_chknorm(&z, GAMMA1 - BETA)) { - return -1; - } - - /* Compute CRH(CRH(rho, t1), msg) */ - crh(mu, pk, PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_PUBLICKEYBYTES); - shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); - shake256_inc_absorb(&state, m, mlen); - shake256_inc_finalize(&state); - shake256_inc_squeeze(mu, CRHBYTES, &state); - shake256_inc_ctx_release(&state); - - /* Matrix-vector multiplication; compute Az - c2^dt1 */ - PQCLEAN_DILITHIUM3AES_CLEAN_poly_challenge(&cp, c); - PQCLEAN_DILITHIUM3AES_CLEAN_polyvec_matrix_expand(mat, rho); - - PQCLEAN_DILITHIUM3AES_CLEAN_polyvecl_ntt(&z); - PQCLEAN_DILITHIUM3AES_CLEAN_polyvec_matrix_pointwise_montgomery(&w1, mat, &z); - - PQCLEAN_DILITHIUM3AES_CLEAN_poly_ntt(&cp); - PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_shiftl(&t1); - PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_ntt(&t1); - PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_pointwise_poly_montgomery(&t1, &cp, &t1); - - PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_sub(&w1, &w1, &t1); - 
PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_reduce(&w1); - PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_invntt_tomont(&w1); - - /* Reconstruct w1 */ - PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_caddq(&w1); - PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_use_hint(&w1, &w1, &h); - PQCLEAN_DILITHIUM3AES_CLEAN_polyveck_pack_w1(buf, &w1); - - /* Call random oracle and verify PQCLEAN_DILITHIUM3AES_CLEAN_challenge */ - shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); - shake256_inc_absorb(&state, buf, K * POLYW1_PACKEDBYTES); - shake256_inc_finalize(&state); - shake256_inc_squeeze(c2, SEEDBYTES, &state); - shake256_inc_ctx_release(&state); - for (i = 0; i < SEEDBYTES; ++i) { - if (c[i] != c2[i]) { - return -1; - } - } - - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_open -* -* Description: Verify signed message. -* -* Arguments: - uint8_t *m: pointer to output message (allocated -* array with smlen bytes), can be equal to sm -* - size_t *mlen: pointer to output length of message -* - const uint8_t *sm: pointer to signed message -* - size_t smlen: length of signed message -* - const uint8_t *pk: pointer to bit-packed public key -* -* Returns 0 if signed message could be verified correctly and -1 otherwise -**************************************************/ -int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_open(uint8_t *m, - size_t *mlen, - const uint8_t *sm, - size_t smlen, - const uint8_t *pk) { - size_t i; - - if (smlen < PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_BYTES) { - goto badsig; - } - - *mlen = smlen - PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_BYTES; - if (PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_verify(sm, PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_BYTES, sm + PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_BYTES, *mlen, pk)) { - goto badsig; - } else { - /* All good, copy msg, return 0 */ - for (i = 0; i < *mlen; ++i) { - m[i] = sm[PQCLEAN_DILITHIUM3AES_CLEAN_CRYPTO_BYTES + i]; - } - return 0; - } - -badsig: - /* Signature verification 
failed */ - *mlen = (size_t) -1; - for (i = 0; i < smlen; ++i) { - m[i] = 0; - } - - return -1; -} diff --git a/crypto_sign/dilithium3aes/clean/sign.h b/crypto_sign/dilithium3aes/clean/sign.h deleted file mode 100644 index 29008459..00000000 --- a/crypto_sign/dilithium3aes/clean/sign.h +++ /dev/null @@ -1,29 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM3AES_CLEAN_SIGN_H -#define PQCLEAN_DILITHIUM3AES_CLEAN_SIGN_H -#include "params.h" -#include "poly.h" -#include "polyvec.h" -#include -#include - -void PQCLEAN_DILITHIUM3AES_CLEAN_challenge(poly *c, const uint8_t seed[SEEDBYTES]); - -int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk); - -int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_signature(uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign(uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_verify(const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, - const uint8_t *pk); - -int PQCLEAN_DILITHIUM3AES_CLEAN_crypto_sign_open(uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *pk); - -#endif diff --git a/crypto_sign/dilithium3aes/clean/symmetric-aes.c b/crypto_sign/dilithium3aes/clean/symmetric-aes.c deleted file mode 100644 index ac0e9c86..00000000 --- a/crypto_sign/dilithium3aes/clean/symmetric-aes.c +++ /dev/null @@ -1,12 +0,0 @@ -#include "aes256ctr.h" -#include "symmetric.h" -#include - -void PQCLEAN_DILITHIUM3AES_CLEAN_dilithium_aes256ctr_init(aes256ctr_ctx *state, - const uint8_t key[32], - uint16_t nonce) { - uint8_t expnonce[12] = {0}; - expnonce[0] = (uint8_t) nonce; - expnonce[1] = (uint8_t) (nonce >> 8); - PQCLEAN_DILITHIUM3AES_CLEAN_aes256ctr_init(state, key, expnonce); -} diff --git a/crypto_sign/dilithium3aes/clean/symmetric.h b/crypto_sign/dilithium3aes/clean/symmetric.h deleted file mode 100644 index 380b510e..00000000 
--- a/crypto_sign/dilithium3aes/clean/symmetric.h +++ /dev/null @@ -1,33 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM3AES_CLEAN_SYMMETRIC_H -#define PQCLEAN_DILITHIUM3AES_CLEAN_SYMMETRIC_H -#include "aes256ctr.h" -#include "fips202.h" -#include "params.h" -#include - - - -typedef aes256ctr_ctx stream128_state; -typedef aes256ctr_ctx stream256_state; - -void PQCLEAN_DILITHIUM3AES_CLEAN_dilithium_aes256ctr_init(aes256ctr_ctx *state, - const uint8_t key[32], - uint16_t nonce); - -#define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES -#define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES - -#define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES) -#define stream128_init(STATE, SEED, NONCE) \ - PQCLEAN_DILITHIUM3AES_CLEAN_dilithium_aes256ctr_init(STATE, SEED, NONCE) -#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \ - PQCLEAN_DILITHIUM3AES_CLEAN_aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE) -#define stream128_release(STATE) -#define stream256_init(STATE, SEED, NONCE) \ - PQCLEAN_DILITHIUM3AES_CLEAN_dilithium_aes256ctr_init(STATE, SEED, NONCE) -#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \ - PQCLEAN_DILITHIUM3AES_CLEAN_aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE) -#define stream256_release(STATE) - - -#endif diff --git a/crypto_sign/dilithium5aes/META.yml b/crypto_sign/dilithium5aes/META.yml deleted file mode 100644 index e14b2cf7..00000000 --- a/crypto_sign/dilithium5aes/META.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -name: Dilithium5-AES -type: signature -claimed-nist-level: 5 -length-public-key: 2592 -length-secret-key: 4880 -length-signature: 4595 -nistkat-sha256: 882d5050d6289875cbaa3bd920ec60ff3e2895257cbe8f76ed9d3735daa188c6 -testvectors-sha256: 8289af5b8aeb78bd6a642d1899364ce3ab9f3b2bd4c66da9a9031a9832e71545 -principal-submitters: - - Vadim Lyubashevsky -auxiliary-submitters: - - Léo Ducas - - Eike Kiltz - - Tancrède Lepoint - - Peter Schwabe - - Gregor Seiler - - Damien Stehlé -implementations: - - name: clean - version: https://github.com/pq-crystals/dilithium/commit/1e63a1e880401166f105ab44ec67464c9714a315 via https://github.com/jschanck/package-pqclean/tree/b158a891/dilithium - - name: avx2 - version: https://github.com/pq-crystals/dilithium/commit/1e63a1e880401166f105ab44ec67464c9714a315 via https://github.com/jschanck/package-pqclean/tree/b158a891/dilithium - supported_platforms: - - architecture: x86_64 - operating_systems: - - Linux - - Darwin - required_flags: - - aes - - avx2 - - popcnt diff --git a/crypto_sign/dilithium5aes/avx2/LICENSE b/crypto_sign/dilithium5aes/avx2/LICENSE deleted file mode 100644 index 08473af7..00000000 --- a/crypto_sign/dilithium5aes/avx2/LICENSE +++ /dev/null @@ -1,5 +0,0 @@ -Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/) - -For Keccak and AES we are using public-domain -code from sources and by authors listed in -comments on top of the respective files. diff --git a/crypto_sign/dilithium5aes/avx2/aes256ctr.c b/crypto_sign/dilithium5aes/avx2/aes256ctr.c deleted file mode 100644 index ab61383d..00000000 --- a/crypto_sign/dilithium5aes/avx2/aes256ctr.c +++ /dev/null 
@@ -1,142 +0,0 @@ -#include "aes256ctr.h" -#include -#include -#include -/* Based heavily on public-domain code by Romain Dolbeau - * Different handling of nonce+counter than original version using - * separated 64-bit nonce and internal 64-bit counter, starting from zero - * Public Domain */ - - -static inline void aesni_encrypt4(uint8_t out[64], __m128i *n, const __m128i rkeys[16]) { - __m128i f, f0, f1, f2, f3; - const __m128i idx = _mm_set_epi8(8, 9, 10, 11, 12, 13, 14, 15, 7, 6, 5, 4, 3, 2, 1, 0); - - /* Load current counter value */ - f = _mm_load_si128(n); - - /* Increase counter in 4 consecutive blocks */ - f0 = _mm_shuffle_epi8(_mm_add_epi64(f, _mm_set_epi64x(0, 0)), idx); - f1 = _mm_shuffle_epi8(_mm_add_epi64(f, _mm_set_epi64x(1, 0)), idx); - f2 = _mm_shuffle_epi8(_mm_add_epi64(f, _mm_set_epi64x(2, 0)), idx); - f3 = _mm_shuffle_epi8(_mm_add_epi64(f, _mm_set_epi64x(3, 0)), idx); - - /* Write counter for next iteration, increased by 4 */ - _mm_store_si128(n, _mm_add_epi64(f, _mm_set_epi64x(4, 0))); - - /* Actual AES encryption, 4x interleaved */ - f = _mm_load_si128(&rkeys[0]); - f0 = _mm_xor_si128(f0, f); - f1 = _mm_xor_si128(f1, f); - f2 = _mm_xor_si128(f2, f); - f3 = _mm_xor_si128(f3, f); - - for (int i = 1; i < 14; i++) { - f = _mm_load_si128(&rkeys[i]); - f0 = _mm_aesenc_si128(f0, f); - f1 = _mm_aesenc_si128(f1, f); - f2 = _mm_aesenc_si128(f2, f); - f3 = _mm_aesenc_si128(f3, f); - } - - f = _mm_load_si128(&rkeys[14]); - f0 = _mm_aesenclast_si128(f0, f); - f1 = _mm_aesenclast_si128(f1, f); - f2 = _mm_aesenclast_si128(f2, f); - f3 = _mm_aesenclast_si128(f3, f); - - /* Write results */ - _mm_storeu_si128((__m128i *)(out + 0), f0); - _mm_storeu_si128((__m128i *)(out + 16), f1); - _mm_storeu_si128((__m128i *)(out + 32), f2); - _mm_storeu_si128((__m128i *)(out + 48), f3); -} - -void PQCLEAN_DILITHIUM5AES_AVX2_aes256ctr_init(aes256ctr_ctx *state, const uint8_t key[32], uint64_t nonce) { - __m128i key0, key1, temp0, temp1, temp2, temp4; - int idx = 0; - - key0 
= _mm_loadu_si128((__m128i *)(key + 0)); - key1 = _mm_loadu_si128((__m128i *)(key + 16)); - state->n = _mm_loadl_epi64((__m128i *)&nonce); - - state->rkeys[idx++] = key0; - temp0 = key0; - temp2 = key1; - temp4 = _mm_setzero_si128(); - -#define BLOCK1(IMM) \ - temp1 = _mm_aeskeygenassist_si128(temp2, IMM); \ - state->rkeys[idx++] = temp2; \ - temp4 = (__m128i)_mm_shuffle_ps((__m128)temp4, (__m128)temp0, 0x10); \ - temp0 = _mm_xor_si128(temp0, temp4); \ - temp4 = (__m128i)_mm_shuffle_ps((__m128)temp4, (__m128)temp0, 0x8c); \ - temp0 = _mm_xor_si128(temp0, temp4); \ - temp1 = (__m128i)_mm_shuffle_ps((__m128)temp1, (__m128)temp1, 0xff); \ - temp0 = _mm_xor_si128(temp0, temp1) - -#define BLOCK2(IMM) \ - temp1 = _mm_aeskeygenassist_si128(temp0, IMM); \ - state->rkeys[idx++] = temp0; \ - temp4 = (__m128i)_mm_shuffle_ps((__m128)temp4, (__m128)temp2, 0x10); \ - temp2 = _mm_xor_si128(temp2, temp4); \ - temp4 = (__m128i)_mm_shuffle_ps((__m128)temp4, (__m128)temp2, 0x8c); \ - temp2 = _mm_xor_si128(temp2, temp4); \ - temp1 = (__m128i)_mm_shuffle_ps((__m128)temp1, (__m128)temp1, 0xaa); \ - temp2 = _mm_xor_si128(temp2, temp1) - - BLOCK1(0x01); - BLOCK2(0x01); - - BLOCK1(0x02); - BLOCK2(0x02); - - BLOCK1(0x04); - BLOCK2(0x04); - - BLOCK1(0x08); - BLOCK2(0x08); - - BLOCK1(0x10); - BLOCK2(0x10); - - BLOCK1(0x20); - BLOCK2(0x20); - - BLOCK1(0x40); - state->rkeys[idx++] = temp0; -} - -void PQCLEAN_DILITHIUM5AES_AVX2_aes256ctr_squeezeblocks(uint8_t *out, - size_t nblocks, - aes256ctr_ctx *state) { - size_t i; - for (i = 0; i < nblocks; i++) { - aesni_encrypt4(out, &state->n, state->rkeys); - out += 64; - } -} - -void PQCLEAN_DILITHIUM5AES_AVX2_aes256ctr_prf(uint8_t *out, - size_t outlen, - const uint8_t seed[32], - uint64_t nonce) { - unsigned int i; - uint8_t buf[64]; - aes256ctr_ctx state; - - PQCLEAN_DILITHIUM5AES_AVX2_aes256ctr_init(&state, seed, nonce); - - while (outlen >= 64) { - aesni_encrypt4(out, &state.n, state.rkeys); - outlen -= 64; - out += 64; - } - - if (outlen) { - 
aesni_encrypt4(buf, &state.n, state.rkeys); - for (i = 0; i < outlen; i++) { - out[i] = buf[i]; - } - } -} diff --git a/crypto_sign/dilithium5aes/avx2/aes256ctr.h b/crypto_sign/dilithium5aes/avx2/aes256ctr.h deleted file mode 100644 index 9245f9ef..00000000 --- a/crypto_sign/dilithium5aes/avx2/aes256ctr.h +++ /dev/null @@ -1,29 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM5AES_AVX2_AES256CTR_H -#define PQCLEAN_DILITHIUM5AES_AVX2_AES256CTR_H - -#include -#include -#include - - -#define AES256CTR_BLOCKBYTES 64 - -typedef struct { - __m128i rkeys[16]; - __m128i n; -} aes256ctr_ctx; - -void PQCLEAN_DILITHIUM5AES_AVX2_aes256ctr_init(aes256ctr_ctx *state, - const uint8_t key[32], - uint64_t nonce); - -void PQCLEAN_DILITHIUM5AES_AVX2_aes256ctr_squeezeblocks(uint8_t *out, - size_t nblocks, - aes256ctr_ctx *state); - -void PQCLEAN_DILITHIUM5AES_AVX2_aes256ctr_prf(uint8_t *out, - size_t outlen, - const uint8_t seed[32], - uint64_t nonce); - -#endif diff --git a/crypto_sign/dilithium5aes/avx2/align.h b/crypto_sign/dilithium5aes/avx2/align.h deleted file mode 100644 index 27bd9ce9..00000000 --- a/crypto_sign/dilithium5aes/avx2/align.h +++ /dev/null @@ -1,19 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM5AES_AVX2_ALIGN_H -#define PQCLEAN_DILITHIUM5AES_AVX2_ALIGN_H - -#include -#include - -#define ALIGNED_UINT8(N) \ - union { \ - uint8_t coeffs[N]; \ - __m256i vec[((N)+31)/32]; \ - } - -#define ALIGNED_INT32(N) \ - union { \ - int32_t coeffs[N]; \ - __m256i vec[((N)+7)/8]; \ - } - -#endif diff --git a/crypto_sign/dilithium5aes/avx2/api.h b/crypto_sign/dilithium5aes/avx2/api.h deleted file mode 100644 index a6399853..00000000 --- a/crypto_sign/dilithium5aes/avx2/api.h +++ /dev/null 
@@ -1,30 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM5AES_AVX2_API_H -#define PQCLEAN_DILITHIUM5AES_AVX2_API_H - -#include -#include - -#define PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_PUBLICKEYBYTES 2592 -#define PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_SECRETKEYBYTES 4880 -#define PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_BYTES 4595 -#define PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_ALGNAME "Dilithium5-AES" - -int PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk); - -int PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -int PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk); - -int PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -int PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk); - -#endif diff --git a/crypto_sign/dilithium5aes/avx2/cdecl.h b/crypto_sign/dilithium5aes/avx2/cdecl.h deleted file mode 100644 index f23c2742..00000000 --- a/crypto_sign/dilithium5aes/avx2/cdecl.h +++ /dev/null @@ -1,24 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM5AES_AVX2_CDECL_H -#define PQCLEAN_DILITHIUM5AES_AVX2_CDECL_H - - - -#define _8XQ 0 -#define _8XQINV 8 -#define _8XDIV_QINV 16 -#define _8XDIV 24 -#define _ZETAS_QINV 32 -#define _ZETAS 328 - -/* The C ABI on MacOS exports all symbols with a leading - * underscore. This means that any symbols we refer to from - * C files (functions) can't be found, and all symbols we - * refer to from ASM also can't be found (nttconsts.c). - * - * This define helps us get around this - */ - -#define _cdecl(s) _##s -#define cdecl(s) s - -#endif diff --git a/crypto_sign/dilithium5aes/avx2/consts.c b/crypto_sign/dilithium5aes/avx2/consts.c deleted file mode 100644 index 6d3c7afc..00000000 --- a/crypto_sign/dilithium5aes/avx2/consts.c +++ /dev/null 
@@ -1,101 +0,0 @@ -#include "consts.h" -#include "params.h" -#include - -#define QINV 58728449 // q^(-1) mod 2^32 -#define MONT (-4186625) // 2^32 mod q -#define DIV 41978 // mont^2/256 -#define DIV_QINV (-8395782) - -const qdata_t PQCLEAN_DILITHIUM5AES_AVX2_qdata = {{ -//#define _8XQ 0 - Q, Q, Q, Q, Q, Q, Q, Q, - -//#define _8XQINV 8 - QINV, QINV, QINV, QINV, QINV, QINV, QINV, QINV, - -//#define _8XDIV_QINV 16 - DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV, - -//#define _8XDIV 24 - DIV, DIV, DIV, DIV, DIV, DIV, DIV, DIV, - -//#define _ZETAS_QINV 32 - -151046689, 1830765815, -1929875198, -1927777021, 1640767044, 1477910808, 1612161320, 1640734244, - 308362795, 308362795, 308362795, 308362795, -1815525077, -1815525077, -1815525077, -1815525077, - -1374673747, -1374673747, -1374673747, -1374673747, -1091570561, -1091570561, -1091570561, -1091570561, - -1929495947, -1929495947, -1929495947, -1929495947, 515185417, 515185417, 515185417, 515185417, - -285697463, -285697463, -285697463, -285697463, 625853735, 625853735, 625853735, 625853735, - 1727305304, 1727305304, 2082316400, 2082316400, -1364982364, -1364982364, 858240904, 858240904, - 1806278032, 1806278032, 222489248, 222489248, -346752664, -346752664, 684667771, 684667771, - 1654287830, 1654287830, -878576921, -878576921, -1257667337, -1257667337, -748618600, -748618600, - 329347125, 329347125, 1837364258, 1837364258, -1443016191, -1443016191, -1170414139, -1170414139, - -1846138265, -1631226336, -1404529459, 1838055109, 1594295555, -1076973524, -1898723372, -594436433, - -202001019, -475984260, -561427818, 1797021249, -1061813248, 2059733581, -1661512036, -1104976547, - -1750224323, -901666090, 418987550, 1831915353, -1925356481, 992097815, 879957084, 2024403852, - 1484874664, -1636082790, -285388938, -1983539117, -1495136972, -950076368, -1714807468, -952438995, - -1574918427, 1350681039, -2143979939, 1599739335, -1285853323, -993005454, -1440787840, 568627424, - -783134478, 
-588790216, 289871779, -1262003603, 2135294594, -1018755525, -889861155, 1665705315, - 1321868265, 1225434135, -1784632064, 666258756, 675310538, -1555941048, -1999506068, -1499481951, - -695180180, -1375177022, 1777179795, 334803717, -178766299, -518252220, 1957047970, 1146323031, - -654783359, -1974159335, 1651689966, 140455867, -1039411342, 1955560694, 1529189038, -2131021878, - -247357819, 1518161567, -86965173, 1708872713, 1787797779, 1638590967, -120646188, -1669960606, - -916321552, 1155548552, 2143745726, 1210558298, -1261461890, -318346816, 628664287, -1729304568, - 1422575624, 1424130038, -1185330464, 235321234, 168022240, 1206536194, 985155484, -894060583, - -898413, -1363460238, -605900043, 2027833504, 14253662, 1014493059, 863641633, 1819892093, - 2124962073, -1223601433, -1920467227, -1637785316, -1536588520, 694382729, 235104446, -1045062172, - 831969619, -300448763, 756955444, -260312805, 1554794072, 1339088280, -2040058690, -853476187, - -2047270596, -1723816713, -1591599803, -440824168, 1119856484, 1544891539, 155290192, -973777462, - 991903578, 912367099, -44694137, 1176904444, -421552614, -818371958, 1747917558, -325927722, - 908452108, 1851023419, -1176751719, -1354528380, -72690498, -314284737, 985022747, 963438279, - -1078959975, 604552167, -1021949428, 608791570, 173440395, -2126092136, -1316619236, -1039370342, - 6087993, -110126092, 565464272, -1758099917, -1600929361, 879867909, -1809756372, 400711272, - 1363007700, 30313375, -326425360, 1683520342, -517299994, 2027935492, -1372618620, 128353682, - -1123881663, 137583815, -635454918, -642772911, 45766801, 671509323, -2070602178, 419615363, - 1216882040, -270590488, -1276805128, 371462360, -1357098057, -384158533, 827959816, -596344473, - 702390549, -279505433, -260424530, -71875110, -1208667171, -1499603926, 2036925262, -540420426, - 746144248, -1420958686, 2032221021, 1904936414, 1257750362, 1926727420, 1931587462, 1258381762, - 885133339, 1629985060, 1967222129, 6363718, -1287922800, 
1136965286, 1779436847, 1116720494, - 1042326957, 1405999311, 713994583, 940195359, -1542497137, 2061661095, -883155599, 1726753853, - -1547952704, 394851342, 283780712, 776003547, 1123958025, 201262505, 1934038751, 374860238, - -//#define _ZETAS 328 - -3975713, 25847, -2608894, -518909, 237124, -777960, -876248, 466468, - 1826347, 1826347, 1826347, 1826347, 2353451, 2353451, 2353451, 2353451, - -359251, -359251, -359251, -359251, -2091905, -2091905, -2091905, -2091905, - 3119733, 3119733, 3119733, 3119733, -2884855, -2884855, -2884855, -2884855, - 3111497, 3111497, 3111497, 3111497, 2680103, 2680103, 2680103, 2680103, - 2725464, 2725464, 1024112, 1024112, -1079900, -1079900, 3585928, 3585928, - -549488, -549488, -1119584, -1119584, 2619752, 2619752, -2108549, -2108549, - -2118186, -2118186, -3859737, -3859737, -1399561, -1399561, -3277672, -3277672, - 1757237, 1757237, -19422, -19422, 4010497, 4010497, 280005, 280005, - 2706023, 95776, 3077325, 3530437, -1661693, -3592148, -2537516, 3915439, - -3861115, -3043716, 3574422, -2867647, 3539968, -300467, 2348700, -539299, - -1699267, -1643818, 3505694, -3821735, 3507263, -2140649, -1600420, 3699596, - 811944, 531354, 954230, 3881043, 3900724, -2556880, 2071892, -2797779, - -3930395, -3677745, -1452451, 2176455, -1257611, -4083598, -3190144, -3632928, - 3412210, 2147896, -2967645, -411027, -671102, -22981, -381987, 1852771, - -3343383, 508951, 44288, 904516, -3724342, 1653064, 2389356, 759969, - 189548, 3159746, -2409325, 1315589, 1285669, -812732, -3019102, -3628969, - -1528703, -3041255, 3475950, -1585221, 1939314, -1000202, -3157330, 126922, - -983419, 2715295, -3693493, -2477047, -1228525, -1308169, 1349076, -1430430, - 264944, 3097992, -1100098, 3958618, -8578, -3249728, -210977, -1316856, - -3553272, -1851402, -177440, 1341330, -1584928, -1439742, -3881060, 3839961, - 2091667, -3342478, 266997, -3520352, 900702, 495491, -655327, -3556995, - 342297, 3437287, 2842341, 4055324, -3767016, -2994039, -1333058, -451100, 
- -1279661, 1500165, -542412, -2584293, -2013608, 1957272, -3183426, 810149, - -3038916, 2213111, -426683, -1667432, -2939036, 183443, -554416, 3937738, - 3407706, 2244091, 2434439, -3759364, 1859098, -1613174, -3122442, -525098, - 286988, -3342277, 2691481, 1247620, 1250494, 1869119, 1237275, 1312455, - 1917081, 777191, -2831860, -3724270, 2432395, 3369112, 162844, 1652634, - 3523897, -975884, 1723600, -1104333, -2235985, -976891, 3919660, 1400424, - 2316500, -2446433, -1235728, -1197226, 909542, -43260, 2031748, -768622, - -2437823, 1735879, -2590150, 2486353, 2635921, 1903435, -3318210, 3306115, - -2546312, 2235880, -1671176, 594136, 2454455, 185531, 1616392, -3694233, - 3866901, 1717735, -1803090, -260646, -420899, 1612842, -48306, -846154, - 3817976, -3562462, 3513181, -3193378, 819034, -522500, 3207046, -3595838, - 4108315, 203044, 1265009, 1595974, -3548272, -1050970, -1430225, -1962642, - -1374803, 3406031, -1846953, -3776993, -164721, -1207385, 3014001, -1799107, - 269760, 472078, 1910376, -3833893, -2286327, -3545687, -1362209, 1976782, - } -}; diff --git a/crypto_sign/dilithium5aes/avx2/consts.h b/crypto_sign/dilithium5aes/avx2/consts.h deleted file mode 100644 index 3bebc6b0..00000000 --- a/crypto_sign/dilithium5aes/avx2/consts.h +++ /dev/null @@ -1,10 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM5AES_AVX2_CONSTS_H -#define PQCLEAN_DILITHIUM5AES_AVX2_CONSTS_H -#include "align.h" -#include "cdecl.h" - - -typedef ALIGNED_INT32(624) qdata_t; -extern const qdata_t PQCLEAN_DILITHIUM5AES_AVX2_qdata; - -#endif diff --git a/crypto_sign/dilithium5aes/avx2/invntt.S b/crypto_sign/dilithium5aes/avx2/invntt.S deleted file mode 100644 index f30535f1..00000000 --- a/crypto_sign/dilithium5aes/avx2/invntt.S +++ /dev/null 
@@ -1,240 +0,0 @@ -#include "cdecl.h" -.include "shuffle.inc" - -.macro butterfly l,h,zl0=1,zl1=1,zh0=2,zh1=2 -vpsubd %ymm\l,%ymm\h,%ymm12 -vpaddd %ymm\h,%ymm\l,%ymm\l - -vpmuldq %ymm\zl0,%ymm12,%ymm13 -vmovshdup %ymm12,%ymm\h -vpmuldq %ymm\zl1,%ymm\h,%ymm14 - -vpmuldq %ymm\zh0,%ymm12,%ymm12 -vpmuldq %ymm\zh1,%ymm\h,%ymm\h - -vpmuldq %ymm0,%ymm13,%ymm13 -vpmuldq %ymm0,%ymm14,%ymm14 - -vpsubd %ymm13,%ymm12,%ymm12 -vpsubd %ymm14,%ymm\h,%ymm\h - -vmovshdup %ymm12,%ymm12 -vpblendd $0xAA,%ymm\h,%ymm12,%ymm\h -.endm - -.macro levels0t5 off -vmovdqa 256*\off+ 0(%rdi),%ymm4 -vmovdqa 256*\off+ 32(%rdi),%ymm5 -vmovdqa 256*\off+ 64(%rdi),%ymm6 -vmovdqa 256*\off+ 96(%rdi),%ymm7 -vmovdqa 256*\off+128(%rdi),%ymm8 -vmovdqa 256*\off+160(%rdi),%ymm9 -vmovdqa 256*\off+192(%rdi),%ymm10 -vmovdqa 256*\off+224(%rdi),%ymm11 - -/* level 0 */ -vpermq $0x1B,(_ZETAS_QINV+296-8*\off-8)*4(%rsi),%ymm3 -vpermq $0x1B,(_ZETAS+296-8*\off-8)*4(%rsi),%ymm15 -vmovshdup %ymm3,%ymm1 -vmovshdup %ymm15,%ymm2 -butterfly 4,5,1,3,2,15 - -vpermq $0x1B,(_ZETAS_QINV+296-8*\off-40)*4(%rsi),%ymm3 -vpermq $0x1B,(_ZETAS+296-8*\off-40)*4(%rsi),%ymm15 -vmovshdup %ymm3,%ymm1 -vmovshdup %ymm15,%ymm2 -butterfly 6,7,1,3,2,15 - -vpermq $0x1B,(_ZETAS_QINV+296-8*\off-72)*4(%rsi),%ymm3 -vpermq $0x1B,(_ZETAS+296-8*\off-72)*4(%rsi),%ymm15 -vmovshdup %ymm3,%ymm1 -vmovshdup %ymm15,%ymm2 -butterfly 8,9,1,3,2,15 - -vpermq $0x1B,(_ZETAS_QINV+296-8*\off-104)*4(%rsi),%ymm3 -vpermq $0x1B,(_ZETAS+296-8*\off-104)*4(%rsi),%ymm15 -vmovshdup %ymm3,%ymm1 -vmovshdup %ymm15,%ymm2 -butterfly 10,11,1,3,2,15 - -/* level 1 */ -vpermq $0x1B,(_ZETAS_QINV+168-8*\off-8)*4(%rsi),%ymm3 -vpermq $0x1B,(_ZETAS+168-8*\off-8)*4(%rsi),%ymm15 -vmovshdup %ymm3,%ymm1 -vmovshdup %ymm15,%ymm2 -butterfly 4,6,1,3,2,15 -butterfly 5,7,1,3,2,15 - -vpermq $0x1B,(_ZETAS_QINV+168-8*\off-40)*4(%rsi),%ymm3 -vpermq $0x1B,(_ZETAS+168-8*\off-40)*4(%rsi),%ymm15 -vmovshdup %ymm3,%ymm1 -vmovshdup %ymm15,%ymm2 -butterfly 8,10,1,3,2,15 -butterfly 9,11,1,3,2,15 - -/* level 2 */ 
-vpermq $0x1B,(_ZETAS_QINV+104-8*\off-8)*4(%rsi),%ymm3 -vpermq $0x1B,(_ZETAS+104-8*\off-8)*4(%rsi),%ymm15 -vmovshdup %ymm3,%ymm1 -vmovshdup %ymm15,%ymm2 -butterfly 4,8,1,3,2,15 -butterfly 5,9,1,3,2,15 -butterfly 6,10,1,3,2,15 -butterfly 7,11,1,3,2,15 - -/* level 3 */ -shuffle2 4,5,3,5 -shuffle2 6,7,4,7 -shuffle2 8,9,6,9 -shuffle2 10,11,8,11 - -vpermq $0x1B,(_ZETAS_QINV+72-8*\off-8)*4(%rsi),%ymm1 -vpermq $0x1B,(_ZETAS+72-8*\off-8)*4(%rsi),%ymm2 -butterfly 3,5 -butterfly 4,7 -butterfly 6,9 -butterfly 8,11 - -/* level 4 */ -shuffle4 3,4,10,4 -shuffle4 6,8,3,8 -shuffle4 5,7,6,7 -shuffle4 9,11,5,11 - -vpermq $0x1B,(_ZETAS_QINV+40-8*\off-8)*4(%rsi),%ymm1 -vpermq $0x1B,(_ZETAS+40-8*\off-8)*4(%rsi),%ymm2 -butterfly 10,4 -butterfly 3,8 -butterfly 6,7 -butterfly 5,11 - -/* level 5 */ -shuffle8 10,3,9,3 -shuffle8 6,5,10,5 -shuffle8 4,8,6,8 -shuffle8 7,11,4,11 - -vpbroadcastd (_ZETAS_QINV+7-\off)*4(%rsi),%ymm1 -vpbroadcastd (_ZETAS+7-\off)*4(%rsi),%ymm2 -butterfly 9,3 -butterfly 10,5 -butterfly 6,8 -butterfly 4,11 - -vmovdqa %ymm9,256*\off+ 0(%rdi) -vmovdqa %ymm10,256*\off+ 32(%rdi) -vmovdqa %ymm6,256*\off+ 64(%rdi) -vmovdqa %ymm4,256*\off+ 96(%rdi) -vmovdqa %ymm3,256*\off+128(%rdi) -vmovdqa %ymm5,256*\off+160(%rdi) -vmovdqa %ymm8,256*\off+192(%rdi) -vmovdqa %ymm11,256*\off+224(%rdi) -.endm - -.macro levels6t7 off -vmovdqa 0+32*\off(%rdi),%ymm4 -vmovdqa 128+32*\off(%rdi),%ymm5 -vmovdqa 256+32*\off(%rdi),%ymm6 -vmovdqa 384+32*\off(%rdi),%ymm7 -vmovdqa 512+32*\off(%rdi),%ymm8 -vmovdqa 640+32*\off(%rdi),%ymm9 -vmovdqa 768+32*\off(%rdi),%ymm10 -vmovdqa 896+32*\off(%rdi),%ymm11 - -/* level 6 */ -vpbroadcastd (_ZETAS_QINV+3)*4(%rsi),%ymm1 -vpbroadcastd (_ZETAS+3)*4(%rsi),%ymm2 -butterfly 4,6 -butterfly 5,7 - -vpbroadcastd (_ZETAS_QINV+2)*4(%rsi),%ymm1 -vpbroadcastd (_ZETAS+2)*4(%rsi),%ymm2 -butterfly 8,10 -butterfly 9,11 - -/* level 7 */ -vpbroadcastd (_ZETAS_QINV+0)*4(%rsi),%ymm1 -vpbroadcastd (_ZETAS+0)*4(%rsi),%ymm2 - -butterfly 4,8 -butterfly 5,9 -butterfly 6,10 -butterfly 7,11 
-
-vmovdqa %ymm8,512+32*\off(%rdi)
-vmovdqa %ymm9,640+32*\off(%rdi)
-vmovdqa %ymm10,768+32*\off(%rdi)
-vmovdqa %ymm11,896+32*\off(%rdi)
-
-vmovdqa (_8XDIV_QINV)*4(%rsi),%ymm1
-vmovdqa (_8XDIV)*4(%rsi),%ymm2
-vpmuldq %ymm1,%ymm4,%ymm12
-vpmuldq %ymm1,%ymm5,%ymm13
-vmovshdup %ymm4,%ymm8
-vmovshdup %ymm5,%ymm9
-vpmuldq %ymm1,%ymm8,%ymm14
-vpmuldq %ymm1,%ymm9,%ymm15
-vpmuldq %ymm2,%ymm4,%ymm4
-vpmuldq %ymm2,%ymm5,%ymm5
-vpmuldq %ymm2,%ymm8,%ymm8
-vpmuldq %ymm2,%ymm9,%ymm9
-vpmuldq %ymm0,%ymm12,%ymm12
-vpmuldq %ymm0,%ymm13,%ymm13
-vpmuldq %ymm0,%ymm14,%ymm14
-vpmuldq %ymm0,%ymm15,%ymm15
-vpsubd %ymm12,%ymm4,%ymm4
-vpsubd %ymm13,%ymm5,%ymm5
-vpsubd %ymm14,%ymm8,%ymm8
-vpsubd %ymm15,%ymm9,%ymm9
-vmovshdup %ymm4,%ymm4
-vmovshdup %ymm5,%ymm5
-vpblendd $0xAA,%ymm8,%ymm4,%ymm4
-vpblendd $0xAA,%ymm9,%ymm5,%ymm5
-
-vpmuldq %ymm1,%ymm6,%ymm12
-vpmuldq %ymm1,%ymm7,%ymm13
-vmovshdup %ymm6,%ymm8
-vmovshdup %ymm7,%ymm9
-vpmuldq %ymm1,%ymm8,%ymm14
-vpmuldq %ymm1,%ymm9,%ymm15
-vpmuldq %ymm2,%ymm6,%ymm6
-vpmuldq %ymm2,%ymm7,%ymm7
-vpmuldq %ymm2,%ymm8,%ymm8
-vpmuldq %ymm2,%ymm9,%ymm9
-vpmuldq %ymm0,%ymm12,%ymm12
-vpmuldq %ymm0,%ymm13,%ymm13
-vpmuldq %ymm0,%ymm14,%ymm14
-vpmuldq %ymm0,%ymm15,%ymm15
-vpsubd %ymm12,%ymm6,%ymm6
-vpsubd %ymm13,%ymm7,%ymm7
-vpsubd %ymm14,%ymm8,%ymm8
-vpsubd %ymm15,%ymm9,%ymm9
-vmovshdup %ymm6,%ymm6
-vmovshdup %ymm7,%ymm7
-vpblendd $0xAA,%ymm8,%ymm6,%ymm6
-vpblendd $0xAA,%ymm9,%ymm7,%ymm7
-
-vmovdqa %ymm4, 0+32*\off(%rdi)
-vmovdqa %ymm5,128+32*\off(%rdi)
-vmovdqa %ymm6,256+32*\off(%rdi)
-vmovdqa %ymm7,384+32*\off(%rdi)
-.endm
-
-.text
-.global cdecl(PQCLEAN_DILITHIUM5AES_AVX2_invntt_avx)
-.global _cdecl(PQCLEAN_DILITHIUM5AES_AVX2_invntt_avx)
-cdecl(PQCLEAN_DILITHIUM5AES_AVX2_invntt_avx):
-_cdecl(PQCLEAN_DILITHIUM5AES_AVX2_invntt_avx):
-vmovdqa _8XQ*4(%rsi),%ymm0
-
-levels0t5 0
-levels0t5 1
-levels0t5 2
-levels0t5 3
-
-levels6t7 0
-levels6t7 1
-levels6t7 2
-levels6t7 3
-
-ret
diff --git a/crypto_sign/dilithium5aes/avx2/ntt.S b/crypto_sign/dilithium5aes/avx2/ntt.S
deleted file mode 100644
index c3cc06d6..00000000
--- a/crypto_sign/dilithium5aes/avx2/ntt.S
+++ /dev/null
@@ -1,199 +0,0 @@
-#include "cdecl.h"
-.include "shuffle.inc"
-
-.macro butterfly l,h,zl0=1,zl1=1,zh0=2,zh1=2
-vpmuldq %ymm\zl0,%ymm\h,%ymm13
-vmovshdup %ymm\h,%ymm12
-vpmuldq %ymm\zl1,%ymm12,%ymm14
-
-vpmuldq %ymm\zh0,%ymm\h,%ymm\h
-vpmuldq %ymm\zh1,%ymm12,%ymm12
-
-vpmuldq %ymm0,%ymm13,%ymm13
-vpmuldq %ymm0,%ymm14,%ymm14
-
-vmovshdup %ymm\h,%ymm\h
-vpblendd $0xAA,%ymm12,%ymm\h,%ymm\h
-
-vpsubd %ymm\h,%ymm\l,%ymm12
-vpaddd %ymm\h,%ymm\l,%ymm\l
-
-vmovshdup %ymm13,%ymm13
-vpblendd $0xAA,%ymm14,%ymm13,%ymm13
-
-vpaddd %ymm13,%ymm12,%ymm\h
-vpsubd %ymm13,%ymm\l,%ymm\l
-.endm
-
-.macro levels0t1 off
-/* level 0 */
-vpbroadcastd (_ZETAS_QINV+1)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+1)*4(%rsi),%ymm2
-
-vmovdqa 0+32*\off(%rdi),%ymm4
-vmovdqa 128+32*\off(%rdi),%ymm5
-vmovdqa 256+32*\off(%rdi),%ymm6
-vmovdqa 384+32*\off(%rdi),%ymm7
-vmovdqa 512+32*\off(%rdi),%ymm8
-vmovdqa 640+32*\off(%rdi),%ymm9
-vmovdqa 768+32*\off(%rdi),%ymm10
-vmovdqa 896+32*\off(%rdi),%ymm11
-
-butterfly 4,8
-butterfly 5,9
-butterfly 6,10
-butterfly 7,11
-
-/* level 1 */
-vpbroadcastd (_ZETAS_QINV+2)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+2)*4(%rsi),%ymm2
-butterfly 4,6
-butterfly 5,7
-
-vpbroadcastd (_ZETAS_QINV+3)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+3)*4(%rsi),%ymm2
-butterfly 8,10
-butterfly 9,11
-
-vmovdqa %ymm4, 0+32*\off(%rdi)
-vmovdqa %ymm5,128+32*\off(%rdi)
-vmovdqa %ymm6,256+32*\off(%rdi)
-vmovdqa %ymm7,384+32*\off(%rdi)
-vmovdqa %ymm8,512+32*\off(%rdi)
-vmovdqa %ymm9,640+32*\off(%rdi)
-vmovdqa %ymm10,768+32*\off(%rdi)
-vmovdqa %ymm11,896+32*\off(%rdi)
-.endm
-
-.macro levels2t7 off
-/* level 2 */
-vmovdqa 256*\off+ 0(%rdi),%ymm4
-vmovdqa 256*\off+ 32(%rdi),%ymm5
-vmovdqa 256*\off+ 64(%rdi),%ymm6
-vmovdqa 256*\off+ 96(%rdi),%ymm7
-vmovdqa 256*\off+128(%rdi),%ymm8
-vmovdqa 256*\off+160(%rdi),%ymm9
-vmovdqa 256*\off+192(%rdi),%ymm10
-vmovdqa 256*\off+224(%rdi),%ymm11
-
-vpbroadcastd (_ZETAS_QINV+4+\off)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+4+\off)*4(%rsi),%ymm2
-
-butterfly 4,8
-butterfly 5,9
-butterfly 6,10
-butterfly 7,11
-
-shuffle8 4,8,3,8
-shuffle8 5,9,4,9
-shuffle8 6,10,5,10
-shuffle8 7,11,6,11
-
-/* level 3 */
-vmovdqa (_ZETAS_QINV+8+8*\off)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+8+8*\off)*4(%rsi),%ymm2
-
-butterfly 3,5
-butterfly 8,10
-butterfly 4,6
-butterfly 9,11
-
-shuffle4 3,5,7,5
-shuffle4 8,10,3,10
-shuffle4 4,6,8,6
-shuffle4 9,11,4,11
-
-/* level 4 */
-vmovdqa (_ZETAS_QINV+40+8*\off)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+40+8*\off)*4(%rsi),%ymm2
-
-butterfly 7,8
-butterfly 5,6
-butterfly 3,4
-butterfly 10,11
-
-shuffle2 7,8,9,8
-shuffle2 5,6,7,6
-shuffle2 3,4,5,4
-shuffle2 10,11,3,11
-
-/* level 5 */
-vmovdqa (_ZETAS_QINV+72+8*\off)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+72+8*\off)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-
-butterfly 9,5,1,10,2,15
-butterfly 8,4,1,10,2,15
-butterfly 7,3,1,10,2,15
-butterfly 6,11,1,10,2,15
-
-/* level 6 */
-vmovdqa (_ZETAS_QINV+104+8*\off)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+104+8*\off)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 9,7,1,10,2,15
-butterfly 8,6,1,10,2,15
-
-vmovdqa (_ZETAS_QINV+104+8*\off+32)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+104+8*\off+32)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 5,3,1,10,2,15
-butterfly 4,11,1,10,2,15
-
-/* level 7 */
-vmovdqa (_ZETAS_QINV+168+8*\off)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+168+8*\off)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 9,8,1,10,2,15
-
-vmovdqa (_ZETAS_QINV+168+8*\off+32)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+168+8*\off+32)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 7,6,1,10,2,15
-
-vmovdqa (_ZETAS_QINV+168+8*\off+64)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+168+8*\off+64)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 5,4,1,10,2,15
-
-vmovdqa (_ZETAS_QINV+168+8*\off+96)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+168+8*\off+96)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 3,11,1,10,2,15
-
-vmovdqa %ymm9,256*\off+ 0(%rdi)
-vmovdqa %ymm8,256*\off+ 32(%rdi)
-vmovdqa %ymm7,256*\off+ 64(%rdi)
-vmovdqa %ymm6,256*\off+ 96(%rdi)
-vmovdqa %ymm5,256*\off+128(%rdi)
-vmovdqa %ymm4,256*\off+160(%rdi)
-vmovdqa %ymm3,256*\off+192(%rdi)
-vmovdqa %ymm11,256*\off+224(%rdi)
-.endm
-
-.text
-.global cdecl(PQCLEAN_DILITHIUM5AES_AVX2_ntt_avx)
-.global _cdecl(PQCLEAN_DILITHIUM5AES_AVX2_ntt_avx)
-cdecl(PQCLEAN_DILITHIUM5AES_AVX2_ntt_avx):
-_cdecl(PQCLEAN_DILITHIUM5AES_AVX2_ntt_avx):
-vmovdqa _8XQ*4(%rsi),%ymm0
-
-levels0t1 0
-levels0t1 1
-levels0t1 2
-levels0t1 3
-
-levels2t7 0
-levels2t7 1
-levels2t7 2
-levels2t7 3
-
-ret
-
diff --git a/crypto_sign/dilithium5aes/avx2/ntt.h b/crypto_sign/dilithium5aes/avx2/ntt.h
deleted file mode 100644
index 7c233186..00000000
--- a/crypto_sign/dilithium5aes/avx2/ntt.h
+++ /dev/null
@@ -1,14 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM5AES_AVX2_NTT_H
-#define PQCLEAN_DILITHIUM5AES_AVX2_NTT_H
-
-#include
-
-void PQCLEAN_DILITHIUM5AES_AVX2_ntt_avx(__m256i *a, const __m256i *PQCLEAN_DILITHIUM5AES_AVX2_qdata);
-void PQCLEAN_DILITHIUM5AES_AVX2_invntt_avx(__m256i *a, const __m256i *PQCLEAN_DILITHIUM5AES_AVX2_qdata);
-
-void PQCLEAN_DILITHIUM5AES_AVX2_nttunpack_avx(__m256i *a);
-
-void PQCLEAN_DILITHIUM5AES_AVX2_pointwise_avx(__m256i *c, const __m256i *a, const __m256i *b, const __m256i *PQCLEAN_DILITHIUM5AES_AVX2_qdata);
-void PQCLEAN_DILITHIUM5AES_AVX2_pointwise_acc_avx(__m256i *c, const __m256i *a, const __m256i *b, const __m256i *PQCLEAN_DILITHIUM5AES_AVX2_qdata);
-
-#endif
diff --git a/crypto_sign/dilithium5aes/avx2/packing.c b/crypto_sign/dilithium5aes/avx2/packing.c
deleted file mode 100644
index b40af6d4..00000000
--- a/crypto_sign/dilithium5aes/avx2/packing.c
+++ /dev/null
@@ -1,261 +0,0 @@ -#include "packing.h" -#include "params.h" -#include "poly.h" -#include "polyvec.h" - - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_AVX2_pack_pk -* -* Description: Bit-pack public key pk = (rho, t1). -* -* Arguments: - uint8_t pk[]: output byte array -* - const uint8_t rho[]: byte array containing rho -* - const polyveck *t1: pointer to vector t1 -**************************************************/ -void PQCLEAN_DILITHIUM5AES_AVX2_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_PUBLICKEYBYTES], - const uint8_t rho[SEEDBYTES], - const polyveck *t1) { - unsigned int i; - - for (i = 0; i < SEEDBYTES; ++i) { - pk[i] = rho[i]; - } - pk += SEEDBYTES; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM5AES_AVX2_polyt1_pack(pk + i * POLYT1_PACKEDBYTES, &t1->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_AVX2_unpack_pk -* -* Description: Unpack public key pk = (rho, t1). -* -* Arguments: - const uint8_t rho[]: output byte array for rho -* - const polyveck *t1: pointer to output vector t1 -* - uint8_t pk[]: byte array containing bit-packed pk -**************************************************/ -void PQCLEAN_DILITHIUM5AES_AVX2_unpack_pk(uint8_t rho[SEEDBYTES], - polyveck *t1, - const uint8_t pk[PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_PUBLICKEYBYTES]) { - unsigned int i; - - for (i = 0; i < SEEDBYTES; ++i) { - rho[i] = pk[i]; - } - pk += SEEDBYTES; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM5AES_AVX2_polyt1_unpack(&t1->vec[i], pk + i * POLYT1_PACKEDBYTES); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_AVX2_pack_sk -* -* Description: Bit-pack secret key sk = (rho, tr, key, t0, s1, s2). 
-* -* Arguments: - uint8_t sk[]: output byte array -* - const uint8_t rho[]: byte array containing rho -* - const uint8_t tr[]: byte array containing tr -* - const uint8_t key[]: byte array containing key -* - const polyveck *t0: pointer to vector t0 -* - const polyvecl *s1: pointer to vector s1 -* - const polyveck *s2: pointer to vector s2 -**************************************************/ -void PQCLEAN_DILITHIUM5AES_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_SECRETKEYBYTES], - const uint8_t rho[SEEDBYTES], - const uint8_t tr[CRHBYTES], - const uint8_t key[SEEDBYTES], - const polyveck *t0, - const polyvecl *s1, - const polyveck *s2) { - unsigned int i; - - for (i = 0; i < SEEDBYTES; ++i) { - sk[i] = rho[i]; - } - sk += SEEDBYTES; - - for (i = 0; i < SEEDBYTES; ++i) { - sk[i] = key[i]; - } - sk += SEEDBYTES; - - for (i = 0; i < CRHBYTES; ++i) { - sk[i] = tr[i]; - } - sk += CRHBYTES; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM5AES_AVX2_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]); - } - sk += L * POLYETA_PACKEDBYTES; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM5AES_AVX2_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s2->vec[i]); - } - sk += K * POLYETA_PACKEDBYTES; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM5AES_AVX2_polyt0_pack(sk + i * POLYT0_PACKEDBYTES, &t0->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_AVX2_unpack_sk -* -* Description: Unpack secret key sk = (rho, tr, key, t0, s1, s2). 
-* -* Arguments: - const uint8_t rho[]: output byte array for rho -* - const uint8_t tr[]: output byte array for tr -* - const uint8_t key[]: output byte array for key -* - const polyveck *t0: pointer to output vector t0 -* - const polyvecl *s1: pointer to output vector s1 -* - const polyveck *s2: pointer to output vector s2 -* - uint8_t sk[]: byte array containing bit-packed sk -**************************************************/ -void PQCLEAN_DILITHIUM5AES_AVX2_unpack_sk(uint8_t rho[SEEDBYTES], - uint8_t tr[CRHBYTES], - uint8_t key[SEEDBYTES], - polyveck *t0, - polyvecl *s1, - polyveck *s2, - const uint8_t sk[PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_SECRETKEYBYTES]) { - unsigned int i; - - for (i = 0; i < SEEDBYTES; ++i) { - rho[i] = sk[i]; - } - sk += SEEDBYTES; - - for (i = 0; i < SEEDBYTES; ++i) { - key[i] = sk[i]; - } - sk += SEEDBYTES; - - for (i = 0; i < CRHBYTES; ++i) { - tr[i] = sk[i]; - } - sk += CRHBYTES; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM5AES_AVX2_polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES); - } - sk += L * POLYETA_PACKEDBYTES; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM5AES_AVX2_polyeta_unpack(&s2->vec[i], sk + i * POLYETA_PACKEDBYTES); - } - sk += K * POLYETA_PACKEDBYTES; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM5AES_AVX2_polyt0_unpack(&t0->vec[i], sk + i * POLYT0_PACKEDBYTES); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_AVX2_pack_sig -* -* Description: Bit-pack signature sig = (c, z, h). 
-* -* Arguments: - uint8_t sig[]: output byte array -* - const uint8_t *c: pointer to PQCLEAN_DILITHIUM5AES_AVX2_challenge hash length SEEDBYTES -* - const polyvecl *z: pointer to vector z -* - const polyveck *h: pointer to hint vector h -**************************************************/ -void PQCLEAN_DILITHIUM5AES_AVX2_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_BYTES], - const uint8_t c[SEEDBYTES], - const polyvecl *z, - const polyveck *h) { - unsigned int i, j, k; - - for (i = 0; i < SEEDBYTES; ++i) { - sig[i] = c[i]; - } - sig += SEEDBYTES; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM5AES_AVX2_polyz_pack(sig + i * POLYZ_PACKEDBYTES, &z->vec[i]); - } - sig += L * POLYZ_PACKEDBYTES; - - /* Encode h */ - for (i = 0; i < OMEGA + K; ++i) { - sig[i] = 0; - } - - k = 0; - for (i = 0; i < K; ++i) { - for (j = 0; j < N; ++j) { - if (h->vec[i].coeffs[j] != 0) { - sig[k++] = (uint8_t) j; - } - } - - sig[OMEGA + i] = (uint8_t) k; - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_AVX2_unpack_sig -* -* Description: Unpack signature sig = (c, z, h). -* -* Arguments: - uint8_t *c: pointer to output PQCLEAN_DILITHIUM5AES_AVX2_challenge hash -* - polyvecl *z: pointer to output vector z -* - polyveck *h: pointer to output hint vector h -* - const uint8_t sig[]: byte array containing -* bit-packed signature -* -* Returns 1 in case of malformed signature; otherwise 0. 
-**************************************************/ -int PQCLEAN_DILITHIUM5AES_AVX2_unpack_sig(uint8_t c[SEEDBYTES], - polyvecl *z, - polyveck *h, - const uint8_t sig[PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_BYTES]) { - unsigned int i, j, k; - - for (i = 0; i < SEEDBYTES; ++i) { - c[i] = sig[i]; - } - sig += SEEDBYTES; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM5AES_AVX2_polyz_unpack(&z->vec[i], sig + i * POLYZ_PACKEDBYTES); - } - sig += L * POLYZ_PACKEDBYTES; - - /* Decode h */ - k = 0; - for (i = 0; i < K; ++i) { - for (j = 0; j < N; ++j) { - h->vec[i].coeffs[j] = 0; - } - - if (sig[OMEGA + i] < k || sig[OMEGA + i] > OMEGA) { - return 1; - } - - for (j = k; j < sig[OMEGA + i]; ++j) { - /* Coefficients are ordered for strong unforgeability */ - if (j > k && sig[j] <= sig[j - 1]) { - return 1; - } - h->vec[i].coeffs[sig[j]] = 1; - } - - k = sig[OMEGA + i]; - } - - /* Extra indices are zero for strong unforgeability */ - for (j = k; j < OMEGA; ++j) { - if (sig[j]) { - return 1; - } - } - - return 0; -} diff --git a/crypto_sign/dilithium5aes/avx2/packing.h b/crypto_sign/dilithium5aes/avx2/packing.h deleted file mode 100644 index 6c707af7..00000000 --- a/crypto_sign/dilithium5aes/avx2/packing.h +++ /dev/null 
@@ -1,31 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM5AES_AVX2_PACKING_H
-#define PQCLEAN_DILITHIUM5AES_AVX2_PACKING_H
-#include "params.h"
-#include "polyvec.h"
-#include
-
-void PQCLEAN_DILITHIUM5AES_AVX2_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_PUBLICKEYBYTES], const uint8_t rho[SEEDBYTES], const polyveck *t1);
-
-void PQCLEAN_DILITHIUM5AES_AVX2_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_SECRETKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const uint8_t tr[CRHBYTES],
- const uint8_t key[SEEDBYTES],
- const polyveck *t0,
- const polyvecl *s1,
- const polyveck *s2);
-
-void PQCLEAN_DILITHIUM5AES_AVX2_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_BYTES], const uint8_t c[SEEDBYTES], const polyvecl *z, const polyveck *h);
-
-void PQCLEAN_DILITHIUM5AES_AVX2_unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_PUBLICKEYBYTES]);
-
-void PQCLEAN_DILITHIUM5AES_AVX2_unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[CRHBYTES],
- uint8_t key[SEEDBYTES],
- polyveck *t0,
- polyvecl *s1,
- polyveck *s2,
- const uint8_t sk[PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_SECRETKEYBYTES]);
-
-int PQCLEAN_DILITHIUM5AES_AVX2_unpack_sig(uint8_t c[SEEDBYTES], polyvecl *z, polyveck *h, const uint8_t sig[PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_BYTES]);
-
-#endif
diff --git a/crypto_sign/dilithium5aes/avx2/params.h b/crypto_sign/dilithium5aes/avx2/params.h
deleted file mode 100644
index 52a5dd43..00000000
--- a/crypto_sign/dilithium5aes/avx2/params.h
+++ /dev/null
@@ -1,41 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM5AES_AVX2_PARAMS_H
-#define PQCLEAN_DILITHIUM5AES_AVX2_PARAMS_H
-
-
-
-#define SEEDBYTES 32
-#define CRHBYTES 48
-#define N 256
-#define Q 8380417
-#define D 13
-#define ROOT_OF_UNITY 1753
-
-#define K 8
-#define L 7
-#define ETA 2
-#define TAU 60
-#define BETA 120
-#define GAMMA1 (1 << 19)
-#define GAMMA2 ((Q-1)/32)
-#define OMEGA 75
-#define PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_ALGNAME "Dilithium5-AES"
-
-
-#define POLYT1_PACKEDBYTES 320
-#define POLYT0_PACKEDBYTES 416
-#define POLYVECH_PACKEDBYTES (OMEGA + K)
-
-#define POLYZ_PACKEDBYTES 640
-
-#define POLYW1_PACKEDBYTES 128
-
-#define POLYETA_PACKEDBYTES 96
-
-#define PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_SECRETKEYBYTES (2*SEEDBYTES + CRHBYTES \
- + L*POLYETA_PACKEDBYTES \
- + K*POLYETA_PACKEDBYTES \
- + K*POLYT0_PACKEDBYTES)
-#define PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_BYTES (SEEDBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES)
-
-#endif
diff --git a/crypto_sign/dilithium5aes/avx2/pointwise.S b/crypto_sign/dilithium5aes/avx2/pointwise.S
deleted file mode 100644
index c22d80d6..00000000
--- a/crypto_sign/dilithium5aes/avx2/pointwise.S
+++ /dev/null
@@ -1,205 +0,0 @@
-#include "params.h"
-#include "cdecl.h"
-
-.text
-.global cdecl(PQCLEAN_DILITHIUM5AES_AVX2_pointwise_avx)
-.global _cdecl(PQCLEAN_DILITHIUM5AES_AVX2_pointwise_avx)
-cdecl(PQCLEAN_DILITHIUM5AES_AVX2_pointwise_avx):
-_cdecl(PQCLEAN_DILITHIUM5AES_AVX2_pointwise_avx):
-#consts
-vmovdqa _8XQINV*4(%rcx),%ymm0
-vmovdqa _8XQ*4(%rcx),%ymm1
-
-xor %eax,%eax
-_looptop1:
-#load
-vmovdqa (%rsi),%ymm2
-vmovdqa 32(%rsi),%ymm4
-vmovdqa 64(%rsi),%ymm6
-vmovdqa (%rdx),%ymm10
-vmovdqa 32(%rdx),%ymm12
-vmovdqa 64(%rdx),%ymm14
-vpsrlq $32,%ymm2,%ymm3
-vpsrlq $32,%ymm4,%ymm5
-vmovshdup %ymm6,%ymm7
-vpsrlq $32,%ymm10,%ymm11
-vpsrlq $32,%ymm12,%ymm13
-vmovshdup %ymm14,%ymm15
-
-#mul
-vpmuldq %ymm2,%ymm10,%ymm2
-vpmuldq %ymm3,%ymm11,%ymm3
-vpmuldq %ymm4,%ymm12,%ymm4
-vpmuldq %ymm5,%ymm13,%ymm5
-vpmuldq %ymm6,%ymm14,%ymm6
-vpmuldq %ymm7,%ymm15,%ymm7
-
-#reduce
-vpmuldq %ymm0,%ymm2,%ymm10
-vpmuldq %ymm0,%ymm3,%ymm11
-vpmuldq %ymm0,%ymm4,%ymm12
-vpmuldq %ymm0,%ymm5,%ymm13
-vpmuldq %ymm0,%ymm6,%ymm14
-vpmuldq %ymm0,%ymm7,%ymm15
-vpmuldq %ymm1,%ymm10,%ymm10
-vpmuldq %ymm1,%ymm11,%ymm11
-vpmuldq %ymm1,%ymm12,%ymm12
-vpmuldq %ymm1,%ymm13,%ymm13
-vpmuldq %ymm1,%ymm14,%ymm14
-vpmuldq %ymm1,%ymm15,%ymm15
-vpsubq %ymm10,%ymm2,%ymm2
-vpsubq %ymm11,%ymm3,%ymm3
-vpsubq %ymm12,%ymm4,%ymm4
-vpsubq %ymm13,%ymm5,%ymm5
-vpsubq %ymm14,%ymm6,%ymm6
-vpsubq %ymm15,%ymm7,%ymm7
-vpsrlq $32,%ymm2,%ymm2
-vpsrlq $32,%ymm4,%ymm4
-vmovshdup %ymm6,%ymm6
-
-#store
-vpblendd $0xAA,%ymm3,%ymm2,%ymm2
-vpblendd $0xAA,%ymm5,%ymm4,%ymm4
-vpblendd $0xAA,%ymm7,%ymm6,%ymm6
-vmovdqa %ymm2,(%rdi)
-vmovdqa %ymm4,32(%rdi)
-vmovdqa %ymm6,64(%rdi)
-
-add $96,%rdi
-add $96,%rsi
-add $96,%rdx
-add $1,%eax
-cmp $10,%eax
-jb _looptop1
-
-vmovdqa (%rsi),%ymm2
-vmovdqa 32(%rsi),%ymm4
-vmovdqa (%rdx),%ymm10
-vmovdqa 32(%rdx),%ymm12
-vpsrlq $32,%ymm2,%ymm3
-vpsrlq $32,%ymm4,%ymm5
-vmovshdup %ymm10,%ymm11
-vmovshdup %ymm12,%ymm13
-
-#mul
-vpmuldq %ymm2,%ymm10,%ymm2
-vpmuldq %ymm3,%ymm11,%ymm3
-vpmuldq %ymm4,%ymm12,%ymm4
-vpmuldq %ymm5,%ymm13,%ymm5
-
-#reduce
-vpmuldq %ymm0,%ymm2,%ymm10
-vpmuldq %ymm0,%ymm3,%ymm11
-vpmuldq %ymm0,%ymm4,%ymm12
-vpmuldq %ymm0,%ymm5,%ymm13
-vpmuldq %ymm1,%ymm10,%ymm10
-vpmuldq %ymm1,%ymm11,%ymm11
-vpmuldq %ymm1,%ymm12,%ymm12
-vpmuldq %ymm1,%ymm13,%ymm13
-vpsubq %ymm10,%ymm2,%ymm2
-vpsubq %ymm11,%ymm3,%ymm3
-vpsubq %ymm12,%ymm4,%ymm4
-vpsubq %ymm13,%ymm5,%ymm5
-vpsrlq $32,%ymm2,%ymm2
-vmovshdup %ymm4,%ymm4
-
-#store
-vpblendd $0x55,%ymm2,%ymm3,%ymm2
-vpblendd $0x55,%ymm4,%ymm5,%ymm4
-vmovdqa %ymm2,(%rdi)
-vmovdqa %ymm4,32(%rdi)
-
-ret
-
-.macro pointwise off
-#load
-vmovdqa \off(%rsi),%ymm6
-vmovdqa \off+32(%rsi),%ymm8
-vmovdqa \off(%rdx),%ymm10
-vmovdqa \off+32(%rdx),%ymm12
-vpsrlq $32,%ymm6,%ymm7
-vpsrlq $32,%ymm8,%ymm9
-vmovshdup %ymm10,%ymm11
-vmovshdup %ymm12,%ymm13
-
-#mul
-vpmuldq %ymm6,%ymm10,%ymm6
-vpmuldq %ymm7,%ymm11,%ymm7
-vpmuldq %ymm8,%ymm12,%ymm8
-vpmuldq %ymm9,%ymm13,%ymm9
-.endm
-
-.macro acc
-vpaddq %ymm6,%ymm2,%ymm2
-vpaddq %ymm7,%ymm3,%ymm3
-vpaddq %ymm8,%ymm4,%ymm4
-vpaddq %ymm9,%ymm5,%ymm5
-.endm
-
-.global cdecl(PQCLEAN_DILITHIUM5AES_AVX2_pointwise_acc_avx)
-.global _cdecl(PQCLEAN_DILITHIUM5AES_AVX2_pointwise_acc_avx)
-cdecl(PQCLEAN_DILITHIUM5AES_AVX2_pointwise_acc_avx):
-_cdecl(PQCLEAN_DILITHIUM5AES_AVX2_pointwise_acc_avx):
-#consts
-vmovdqa _8XQINV*4(%rcx),%ymm0
-vmovdqa _8XQ*4(%rcx),%ymm1
-
-xor %eax,%eax
-_looptop2:
-pointwise 0
-
-#mov
-vmovdqa %ymm6,%ymm2
-vmovdqa %ymm7,%ymm3
-vmovdqa %ymm8,%ymm4
-vmovdqa %ymm9,%ymm5
-
-pointwise 1024
-acc
-
-pointwise 2048
-acc
-
-pointwise 3072
-acc
-
-pointwise 4096
-acc
-
-pointwise 5120
-acc
-
-pointwise 6144
-acc
-
-#reduce
-vpmuldq %ymm0,%ymm2,%ymm6
-vpmuldq %ymm0,%ymm3,%ymm7
-vpmuldq %ymm0,%ymm4,%ymm8
-vpmuldq %ymm0,%ymm5,%ymm9
-vpmuldq %ymm1,%ymm6,%ymm6
-vpmuldq %ymm1,%ymm7,%ymm7
-vpmuldq %ymm1,%ymm8,%ymm8
-vpmuldq %ymm1,%ymm9,%ymm9
-vpsubq %ymm6,%ymm2,%ymm2
-vpsubq %ymm7,%ymm3,%ymm3
-vpsubq %ymm8,%ymm4,%ymm4
-vpsubq %ymm9,%ymm5,%ymm5
-vpsrlq $32,%ymm2,%ymm2
-vmovshdup %ymm4,%ymm4
-
-#store
-vpblendd $0xAA,%ymm3,%ymm2,%ymm2
-vpblendd $0xAA,%ymm5,%ymm4,%ymm4
-
-vmovdqa %ymm2,(%rdi)
-vmovdqa %ymm4,32(%rdi)
-
-add $64,%rsi
-add $64,%rdx
-add $64,%rdi
-add $1,%eax
-cmp $16,%eax
-jb _looptop2
-
-ret
diff --git a/crypto_sign/dilithium5aes/avx2/poly.c b/crypto_sign/dilithium5aes/avx2/poly.c
deleted file mode 100644
index 34884f7b..00000000
--- a/crypto_sign/dilithium5aes/avx2/poly.c
+++ /dev/null
@@ -1,886 +0,0 @@ -#include "align.h" -#include "consts.h" -#include "ntt.h" -#include "params.h" -#include "poly.h" -#include "rejsample.h" -#include "rounding.h" -#include "symmetric.h" -#include -#include -#include - -#define DBENCH_START() -#define DBENCH_STOP(t) - -#define _mm256_blendv_epi32(a,b,mask) \ - _mm256_castps_si256(_mm256_blendv_ps(_mm256_castsi256_ps(a), \ - _mm256_castsi256_ps(b), \ - _mm256_castsi256_ps(mask))) - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_AVX2_poly_reduce -* -* Description: Inplace reduction of all coefficients of polynomial to -* representative in [-6283009,6283007]. Assumes input -* coefficients to be at most 2^31 - 2^22 - 1 in absolute value. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_AVX2_poly_reduce(poly *a) { - unsigned int i; - __m256i f, g; - const __m256i q = _mm256_load_si256(&PQCLEAN_DILITHIUM5AES_AVX2_qdata.vec[_8XQ / 8]); - const __m256i off = _mm256_set1_epi32(1 << 22); - DBENCH_START(); - - for (i = 0; i < N / 8; i++) { - f = _mm256_load_si256(&a->vec[i]); - g = _mm256_add_epi32(f, off); - g = _mm256_srai_epi32(g, 23); - g = _mm256_mullo_epi32(g, q); - f = _mm256_sub_epi32(f, g); - _mm256_store_si256(&a->vec[i], f); - } - - DBENCH_STOP(*tred); -} - -/************************************************* -* Name: poly_addq -* -* Description: For all coefficients of in/out polynomial add Q if -* coefficient is negative. 
-* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_AVX2_poly_caddq(poly *a) { - unsigned int i; - __m256i f, g; - const __m256i q = _mm256_load_si256(&PQCLEAN_DILITHIUM5AES_AVX2_qdata.vec[_8XQ / 8]); - const __m256i zero = _mm256_setzero_si256(); - DBENCH_START(); - - for (i = 0; i < N / 8; i++) { - f = _mm256_load_si256(&a->vec[i]); - g = _mm256_blendv_epi32(zero, q, f); - f = _mm256_add_epi32(f, g); - _mm256_store_si256(&a->vec[i], f); - } - - DBENCH_STOP(*tred); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_AVX2_poly_freeze -* -* Description: Inplace reduction of all coefficients of polynomial to -* positive standard representatives. Assumes input -* coefficients to be at most 2^31 - 2^22 + 1 in -* absolute value. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_AVX2_poly_freeze(poly *a) { - DBENCH_START(); - - PQCLEAN_DILITHIUM5AES_AVX2_poly_reduce(a); - PQCLEAN_DILITHIUM5AES_AVX2_poly_caddq(a); - - DBENCH_STOP(*tred); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_AVX2_poly_add -* -* Description: Add polynomials. No modular reduction is performed. 
-* -* Arguments: - poly *c: pointer to output polynomial -* - const poly *a: pointer to first summand -* - const poly *b: pointer to second summand -**************************************************/ -void PQCLEAN_DILITHIUM5AES_AVX2_poly_add(poly *c, const poly *a, const poly *b) { - unsigned int i; - __m256i f, g; - DBENCH_START(); - - for (i = 0; i < N / 8; i++) { - f = _mm256_load_si256(&a->vec[i]); - g = _mm256_load_si256(&b->vec[i]); - f = _mm256_add_epi32(f, g); - _mm256_store_si256(&c->vec[i], f); - } - - DBENCH_STOP(*tadd); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_AVX2_poly_sub -* -* Description: Subtract polynomials. No modular reduction is -* performed. -* -* Arguments: - poly *c: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial to be -* subtraced from first input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_AVX2_poly_sub(poly *c, const poly *a, const poly *b) { - unsigned int i; - __m256i f, g; - DBENCH_START(); - - for (i = 0; i < N / 8; i++) { - f = _mm256_load_si256(&a->vec[i]); - g = _mm256_load_si256(&b->vec[i]); - f = _mm256_sub_epi32(f, g); - _mm256_store_si256(&c->vec[i], f); - } - - DBENCH_STOP(*tadd); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_AVX2_poly_shiftl -* -* Description: Multiply polynomial by 2^D without modular reduction. Assumes -* input coefficients to be less than 2^{31-D} in absolute value. 
-* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_AVX2_poly_shiftl(poly *a) { - unsigned int i; - __m256i f; - DBENCH_START(); - - for (i = 0; i < N / 8; i++) { - f = _mm256_load_si256(&a->vec[i]); - f = _mm256_slli_epi32(f, D); - _mm256_store_si256(&a->vec[i], f); - } - - DBENCH_STOP(*tmul); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_AVX2_poly_ntt -* -* Description: Inplace forward NTT. Coefficients can grow by up to -* 8*Q in absolute value. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_AVX2_poly_ntt(poly *a) { - DBENCH_START(); - - PQCLEAN_DILITHIUM5AES_AVX2_ntt_avx(a->vec, PQCLEAN_DILITHIUM5AES_AVX2_qdata.vec); - - DBENCH_STOP(*tmul); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_AVX2_poly_invntt_tomont -* -* Description: Inplace inverse NTT and multiplication by 2^{32}. -* Input coefficients need to be less than Q in absolute -* value and output coefficients are again bounded by Q. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_AVX2_poly_invntt_tomont(poly *a) { - DBENCH_START(); - - PQCLEAN_DILITHIUM5AES_AVX2_invntt_avx(a->vec, PQCLEAN_DILITHIUM5AES_AVX2_qdata.vec); - - DBENCH_STOP(*tmul); -} - -void PQCLEAN_DILITHIUM5AES_AVX2_poly_nttunpack(poly *a) { - DBENCH_START(); - - PQCLEAN_DILITHIUM5AES_AVX2_nttunpack_avx(a->vec); - - DBENCH_STOP(*tmul); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_AVX2_poly_pointwise_montgomery -* -* Description: Pointwise multiplication of polynomials in NTT domain -* representation and multiplication of resulting polynomial -* by 2^{-32}. 
-* -* Arguments: - poly *c: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_AVX2_poly_pointwise_montgomery(poly *c, const poly *a, const poly *b) { - DBENCH_START(); - - PQCLEAN_DILITHIUM5AES_AVX2_pointwise_avx(c->vec, a->vec, b->vec, PQCLEAN_DILITHIUM5AES_AVX2_qdata.vec); - - DBENCH_STOP(*tmul); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_AVX2_poly_power2round -* -* Description: For all coefficients c of the input polynomial, -* compute c0, c1 such that c mod^+ Q = c1*2^D + c0 -* with -2^{D-1} < c0 <= 2^{D-1}. Assumes coefficients to be -* positive standard representatives. -* -* Arguments: - poly *a1: pointer to output polynomial with coefficients c1 -* - poly *a0: pointer to output polynomial with coefficients c0 -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_AVX2_poly_power2round(poly *a1, poly *a0, const poly *a) { - DBENCH_START(); - - PQCLEAN_DILITHIUM5AES_AVX2_power2round_avx(a1->vec, a0->vec, a->vec); - - DBENCH_STOP(*tround); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_AVX2_poly_decompose -* -* Description: For all coefficients c of the input polynomial, -* compute high and low bits c0, c1 such c mod^+ Q = c1*ALPHA + c0 -* with -ALPHA/2 < c0 <= ALPHA/2 except if c1 = (Q-1)/ALPHA where we -* set c1 = 0 and -ALPHA/2 <= c0 = c mod Q - Q < 0. -* Assumes coefficients to be positive standard representatives. 
-* -* Arguments: - poly *a1: pointer to output polynomial with coefficients c1 -* - poly *a0: pointer to output polynomial with coefficients c0 -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_AVX2_poly_decompose(poly *a1, poly *a0, const poly *a) { - DBENCH_START(); - - PQCLEAN_DILITHIUM5AES_AVX2_decompose_avx(a1->vec, a0->vec, a->vec); - - DBENCH_STOP(*tround); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_AVX2_poly_make_hint -* -* Description: Compute hint array. The coefficients of which are the -* indices of the coefficients of the input polynomial -* whose low bits overflow into the high bits. -* -* Arguments: - uint8_t *h: pointer to output hint array (preallocated of length N) -* - const poly *a0: pointer to low part of input polynomial -* - const poly *a1: pointer to high part of input polynomial -* -* Returns number of hints, i.e. length of hint array. -**************************************************/ -unsigned int PQCLEAN_DILITHIUM5AES_AVX2_poly_make_hint(uint8_t hint[N], const poly *a0, const poly *a1) { - unsigned int r; - DBENCH_START(); - - r = PQCLEAN_DILITHIUM5AES_AVX2_make_hint_avx(hint, a0->vec, a1->vec); - - DBENCH_STOP(*tround); - return r; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_AVX2_poly_use_hint -* -* Description: Use hint polynomial to correct the high bits of a polynomial. 
-* -* Arguments: - poly *b: pointer to output polynomial with corrected high bits -* - const poly *a: pointer to input polynomial -* - const poly *h: pointer to input hint polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_AVX2_poly_use_hint(poly *b, const poly *a, const poly *h) { - DBENCH_START(); - - PQCLEAN_DILITHIUM5AES_AVX2_use_hint_avx(b->vec, a->vec, h->vec); - - DBENCH_STOP(*tround); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_AVX2_poly_chknorm -* -* Description: Check infinity norm of polynomial against given bound. -* Assumes input polynomial to be reduced by PQCLEAN_DILITHIUM5AES_AVX2_poly_reduce(). -* -* Arguments: - const poly *a: pointer to polynomial -* - int32_t B: norm bound -* -* Returns 0 if norm is strictly smaller than B <= (Q-1)/8 and 1 otherwise. -**************************************************/ -int PQCLEAN_DILITHIUM5AES_AVX2_poly_chknorm(const poly *a, int32_t B) { - unsigned int i; - int r; - __m256i f, t; - const __m256i bound = _mm256_set1_epi32(B - 1); - DBENCH_START(); - - if (B > (Q - 1) / 8) { - return 1; - } - - t = _mm256_setzero_si256(); - for (i = 0; i < N / 8; i++) { - f = _mm256_load_si256(&a->vec[i]); - f = _mm256_abs_epi32(f); - f = _mm256_cmpgt_epi32(f, bound); - t = _mm256_or_si256(t, f); - } - - r = 1 - _mm256_testz_si256(t, t); - DBENCH_STOP(*tsample); - return r; -} - -/************************************************* -* Name: rej_uniform -* -* Description: Sample uniformly random coefficients in [0, Q-1] by -* performing rejection sampling on array of random bytes. -* -* Arguments: - int32_t *a: pointer to output array (allocated) -* - unsigned int len: number of coefficients to be sampled -* - const uint8_t *buf: array of random bytes -* - unsigned int buflen: length of array of random bytes -* -* Returns number of sampled coefficients. Can be smaller than len if not enough -* random bytes were given. 
-**************************************************/ -static unsigned int rej_uniform(int32_t *a, - unsigned int len, - const uint8_t *buf, - unsigned int buflen) { - unsigned int ctr, pos; - uint32_t t; - DBENCH_START(); - - ctr = pos = 0; - while (ctr < len && pos + 3 <= buflen) { - t = buf[pos++]; - t |= (uint32_t)buf[pos++] << 8; - t |= (uint32_t)buf[pos++] << 16; - t &= 0x7FFFFF; - - if (t < Q) { - a[ctr++] = t; - } - } - - DBENCH_STOP(*tsample); - return ctr; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform -* -* Description: Sample polynomial with uniformly random coefficients -* in [0,Q-1] by performing rejection sampling on the -* output stream of SHAKE256(seed|nonce) or AES256CTR(seed,nonce). -* -* Arguments: - poly *a: pointer to output polynomial -* - const uint8_t seed[]: byte array with seed of length SEEDBYTES -* - uint16_t nonce: 2-byte nonce -**************************************************/ -void PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_preinit(poly *a, stream128_state *state) { - unsigned int ctr; - /* PQCLEAN_DILITHIUM5AES_AVX2_rej_uniform_avx reads up to 8 additional bytes */ - ALIGNED_UINT8(REJ_UNIFORM_BUFLEN + 8) buf; - - stream128_squeezeblocks(buf.coeffs, REJ_UNIFORM_NBLOCKS, state); - ctr = PQCLEAN_DILITHIUM5AES_AVX2_rej_uniform_avx(a->coeffs, buf.coeffs); - - while (ctr < N) { - /* length of buf is always divisible by 3; hence, no bytes left */ - stream128_squeezeblocks(buf.coeffs, 1, state); - ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM128_BLOCKBYTES); - } -} - -void PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce) { - stream128_state state; - stream128_init(&state, seed, nonce); - PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_preinit(a, &state); - stream128_release(&state); -} - - -/************************************************* -* Name: rej_eta -* -* Description: Sample uniformly random coefficients in [-ETA, ETA] 
by
-* performing rejection sampling on array of random bytes.
-*
-* Arguments: - int32_t *a: pointer to output array (allocated)
-* - unsigned int len: number of coefficients to be sampled
-* - const uint8_t *buf: array of random bytes
-* - unsigned int buflen: length of array of random bytes
-*
-* Returns number of sampled coefficients. Can be smaller than len if not enough
-* random bytes were given.
-**************************************************/
-static unsigned int rej_eta(int32_t *a,
- unsigned int len,
- const uint8_t *buf,
- unsigned int buflen) {
- unsigned int ctr, pos;
- uint32_t t0, t1;
- DBENCH_START();
-
- ctr = pos = 0;
- while (ctr < len && pos < buflen) {
- t0 = buf[pos] & 0x0F;
- t1 = buf[pos++] >> 4;
-
- if (t0 < 15) {
- t0 = t0 - (205 * t0 >> 10) * 5;
- a[ctr++] = 2 - t0;
- }
- if (t1 < 15 && ctr < len) {
- t1 = t1 - (205 * t1 >> 10) * 5;
- a[ctr++] = 2 - t1;
- }
- }
-
- DBENCH_STOP(*tsample);
- return ctr;
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_eta
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [-ETA,ETA] by performing rejection sampling using the
-* output stream of SHAKE256(seed|nonce)
-* or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length SEEDBYTES
-* - uint16_t nonce: 2-byte nonce
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_eta_preinit(poly *a, stream128_state *state) {
- unsigned int ctr;
- ALIGNED_UINT8(REJ_UNIFORM_BUFLEN * STREAM128_BLOCKBYTES) buf;
-
- stream128_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state);
- ctr = PQCLEAN_DILITHIUM5AES_AVX2_rej_eta_avx(a->coeffs, buf.coeffs);
-
- while (ctr < N) {
- stream128_squeezeblocks(buf.coeffs, 1, state);
- ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM128_BLOCKBYTES);
- }
-}
-
-void PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
- stream128_state state;
- stream128_init(&state, seed, nonce);
- PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_eta_preinit(a, &state);
- stream128_release(&state);
-}
-
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_gamma1
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [-(GAMMA1 - 1), GAMMA1] by unpacking output stream
-* of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length CRHBYTES
-* - uint16_t nonce: 16-bit nonce
-**************************************************/
-#define POLY_UNIFORM_GAMMA1_NBLOCKS ((POLYZ_PACKEDBYTES+STREAM256_BLOCKBYTES-1)/STREAM256_BLOCKBYTES)
-void PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_gamma1_preinit(poly *a, stream256_state *state) {
- /* PQCLEAN_DILITHIUM5AES_AVX2_polyz_unpack reads 14 additional bytes */
- ALIGNED_UINT8(POLY_UNIFORM_GAMMA1_NBLOCKS * STREAM256_BLOCKBYTES + 14) buf;
- stream256_squeezeblocks(buf.coeffs, POLY_UNIFORM_GAMMA1_NBLOCKS, state);
- PQCLEAN_DILITHIUM5AES_AVX2_polyz_unpack(a, buf.coeffs);
-}
-
-void PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- stream256_state state;
- stream256_init(&state, seed, nonce);
- PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_gamma1_preinit(a, &state);
- stream256_release(&state);
-}
-
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_challenge
-*
-* Description: Implementation of H. Samples polynomial with TAU nonzero
-* coefficients in {-1,1} using the output stream of
-* SHAKE256(seed).
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const uint8_t mu[]: byte array containing seed of length SEEDBYTES
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_AVX2_poly_challenge(poly *restrict c, const uint8_t seed[SEEDBYTES]) {
- unsigned int i, b, pos;
- uint64_t signs;
- ALIGNED_UINT8(SHAKE256_RATE) buf;
- shake256incctx state;
-
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, seed, SEEDBYTES);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(buf.coeffs, SHAKE256_RATE, &state);
-
- memcpy(&signs, buf.coeffs, 8);
- pos = 8;
-
- memset(c->vec, 0, sizeof(poly));
- for (i = N - TAU; i < N; ++i) {
- do {
- if (pos >= SHAKE256_RATE) {
- shake256_inc_squeeze(buf.coeffs, SHAKE256_RATE, &state);
- pos = 0;
- }
-
- b = buf.coeffs[pos++];
- } while (b > i);
-
- c->coeffs[i] = c->coeffs[b];
- c->coeffs[b] = 1 - 2 * (signs & 1);
- signs >>= 1;
- }
- shake256_inc_ctx_release(&state);
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_polyeta_pack
-*
-* Description: Bit-pack polynomial with coefficients in [-ETA,ETA].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYETA_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_AVX2_polyeta_pack(uint8_t r[POLYETA_PACKEDBYTES], const poly *restrict a) {
- unsigned int i;
- uint8_t t[8];
- DBENCH_START();
-
- for (i = 0; i < N / 8; ++i) {
- t[0] = ETA - a->coeffs[8 * i + 0];
- t[1] = ETA - a->coeffs[8 * i + 1];
- t[2] = ETA - a->coeffs[8 * i + 2];
- t[3] = ETA - a->coeffs[8 * i + 3];
- t[4] = ETA - a->coeffs[8 * i + 4];
- t[5] = ETA - a->coeffs[8 * i + 5];
- t[6] = ETA - a->coeffs[8 * i + 6];
- t[7] = ETA - a->coeffs[8 * i + 7];
-
- r[3 * i + 0] = (t[0] >> 0) | (t[1] << 3) | (t[2] << 6);
- r[3 * i + 1] = (t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7);
- r[3 * i + 2] = (t[5] >> 1) | (t[6] << 2) | (t[7] << 5);
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_polyeta_unpack
-*
-* Description: Unpack polynomial with coefficients in [-ETA,ETA].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_AVX2_polyeta_unpack(poly *restrict r, const uint8_t a[POLYETA_PACKEDBYTES]) {
- unsigned int i;
- DBENCH_START();
-
- for (i = 0; i < N / 8; ++i) {
- r->coeffs[8 * i + 0] = (a[3 * i + 0] >> 0) & 7;
- r->coeffs[8 * i + 1] = (a[3 * i + 0] >> 3) & 7;
- r->coeffs[8 * i + 2] = ((a[3 * i + 0] >> 6) | (a[3 * i + 1] << 2)) & 7;
- r->coeffs[8 * i + 3] = (a[3 * i + 1] >> 1) & 7;
- r->coeffs[8 * i + 4] = (a[3 * i + 1] >> 4) & 7;
- r->coeffs[8 * i + 5] = ((a[3 * i + 1] >> 7) | (a[3 * i + 2] << 1)) & 7;
- r->coeffs[8 * i + 6] = (a[3 * i + 2] >> 2) & 7;
- r->coeffs[8 * i + 7] = (a[3 * i + 2] >> 5) & 7;
-
- r->coeffs[8 * i + 0] = ETA - r->coeffs[8 * i + 0];
- r->coeffs[8 * i + 1] = ETA - r->coeffs[8 * i + 1];
- r->coeffs[8 * i + 2] = ETA - r->coeffs[8 * i + 2];
- r->coeffs[8 * i + 3] = ETA - r->coeffs[8 * i + 3];
- r->coeffs[8 * i + 4] = ETA - r->coeffs[8 * i + 4];
- r->coeffs[8 * i + 5] = ETA - r->coeffs[8 * i + 5];
- r->coeffs[8 * i + 6] = ETA - r->coeffs[8 * i + 6];
- r->coeffs[8 * i + 7] = ETA - r->coeffs[8 * i + 7];
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_polyt1_pack
-*
-* Description: Bit-pack polynomial t1 with coefficients fitting in 10 bits.
-* Input coefficients are assumed to be positive standard representatives.
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYT1_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_AVX2_polyt1_pack(uint8_t r[POLYT1_PACKEDBYTES], const poly *restrict a) {
- unsigned int i;
- DBENCH_START();
-
- for (i = 0; i < N / 4; ++i) {
- r[5 * i + 0] = (a->coeffs[4 * i + 0] >> 0);
- r[5 * i + 1] = (a->coeffs[4 * i + 0] >> 8) | (a->coeffs[4 * i + 1] << 2);
- r[5 * i + 2] = (a->coeffs[4 * i + 1] >> 6) | (a->coeffs[4 * i + 2] << 4);
- r[5 * i + 3] = (a->coeffs[4 * i + 2] >> 4) | (a->coeffs[4 * i + 3] << 6);
- r[5 * i + 4] = (a->coeffs[4 * i + 3] >> 2);
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_polyt1_unpack
-*
-* Description: Unpack polynomial t1 with 10-bit coefficients.
-* Output coefficients are positive standard representatives.
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_AVX2_polyt1_unpack(poly *restrict r, const uint8_t a[POLYT1_PACKEDBYTES]) {
- unsigned int i;
- DBENCH_START();
-
- for (i = 0; i < N / 4; ++i) {
- r->coeffs[4 * i + 0] = ((a[5 * i + 0] >> 0) | ((uint32_t)a[5 * i + 1] << 8)) & 0x3FF;
- r->coeffs[4 * i + 1] = ((a[5 * i + 1] >> 2) | ((uint32_t)a[5 * i + 2] << 6)) & 0x3FF;
- r->coeffs[4 * i + 2] = ((a[5 * i + 2] >> 4) | ((uint32_t)a[5 * i + 3] << 4)) & 0x3FF;
- r->coeffs[4 * i + 3] = ((a[5 * i + 3] >> 6) | ((uint32_t)a[5 * i + 4] << 2)) & 0x3FF;
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_polyt0_pack
-*
-* Description: Bit-pack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYT0_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_AVX2_polyt0_pack(uint8_t r[POLYT0_PACKEDBYTES], const poly *restrict a) {
- unsigned int i;
- uint32_t t[8];
- DBENCH_START();
-
- for (i = 0; i < N / 8; ++i) {
- t[0] = (1 << (D - 1)) - a->coeffs[8 * i + 0];
- t[1] = (1 << (D - 1)) - a->coeffs[8 * i + 1];
- t[2] = (1 << (D - 1)) - a->coeffs[8 * i + 2];
- t[3] = (1 << (D - 1)) - a->coeffs[8 * i + 3];
- t[4] = (1 << (D - 1)) - a->coeffs[8 * i + 4];
- t[5] = (1 << (D - 1)) - a->coeffs[8 * i + 5];
- t[6] = (1 << (D - 1)) - a->coeffs[8 * i + 6];
- t[7] = (1 << (D - 1)) - a->coeffs[8 * i + 7];
-
- r[13 * i + 0] = t[0];
- r[13 * i + 1] = t[0] >> 8;
- r[13 * i + 1] |= t[1] << 5;
- r[13 * i + 2] = t[1] >> 3;
- r[13 * i + 3] = t[1] >> 11;
- r[13 * i + 3] |= t[2] << 2;
- r[13 * i + 4] = t[2] >> 6;
- r[13 * i + 4] |= t[3] << 7;
- r[13 * i + 5] = t[3] >> 1;
- r[13 * i + 6] = t[3] >> 9;
- r[13 * i + 6] |= t[4] << 4;
- r[13 * i + 7] = t[4] >> 4;
- r[13 * i + 8] = t[4] >> 12;
- r[13 * i + 8] |= t[5] << 1;
- r[13 * i + 9] = t[5] >> 7;
- r[13 * i + 9] |= t[6] << 6;
- r[13 * i + 10] = t[6] >> 2;
- r[13 * i + 11] = t[6] >> 10;
- r[13 * i + 11] |= t[7] << 3;
- r[13 * i + 12] = t[7] >> 5;
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_polyt0_unpack
-*
-* Description: Unpack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_AVX2_polyt0_unpack(poly *restrict r, const uint8_t a[POLYT0_PACKEDBYTES]) {
- unsigned int i;
- DBENCH_START();
-
- for (i = 0; i < N / 8; ++i) {
- r->coeffs[8 * i + 0] = a[13 * i + 0];
- r->coeffs[8 * i + 0] |= (uint32_t)a[13 * i + 1] << 8;
- r->coeffs[8 * i + 0] &= 0x1FFF;
-
- r->coeffs[8 * i + 1] = a[13 * i + 1] >> 5;
- r->coeffs[8 * i + 1] |= (uint32_t)a[13 * i + 2] << 3;
- r->coeffs[8 * i + 1] |= (uint32_t)a[13 * i + 3] << 11;
- r->coeffs[8 * i + 1] &= 0x1FFF;
-
- r->coeffs[8 * i + 2] = a[13 * i + 3] >> 2;
- r->coeffs[8 * i + 2] |= (uint32_t)a[13 * i + 4] << 6;
- r->coeffs[8 * i + 2] &= 0x1FFF;
-
- r->coeffs[8 * i + 3] = a[13 * i + 4] >> 7;
- r->coeffs[8 * i + 3] |= (uint32_t)a[13 * i + 5] << 1;
- r->coeffs[8 * i + 3] |= (uint32_t)a[13 * i + 6] << 9;
- r->coeffs[8 * i + 3] &= 0x1FFF;
-
- r->coeffs[8 * i + 4] = a[13 * i + 6] >> 4;
- r->coeffs[8 * i + 4] |= (uint32_t)a[13 * i + 7] << 4;
- r->coeffs[8 * i + 4] |= (uint32_t)a[13 * i + 8] << 12;
- r->coeffs[8 * i + 4] &= 0x1FFF;
-
- r->coeffs[8 * i + 5] = a[13 * i + 8] >> 1;
- r->coeffs[8 * i + 5] |= (uint32_t)a[13 * i + 9] << 7;
- r->coeffs[8 * i + 5] &= 0x1FFF;
-
- r->coeffs[8 * i + 6] = a[13 * i + 9] >> 6;
- r->coeffs[8 * i + 6] |= (uint32_t)a[13 * i + 10] << 2;
- r->coeffs[8 * i + 6] |= (uint32_t)a[13 * i + 11] << 10;
- r->coeffs[8 * i + 6] &= 0x1FFF;
-
- r->coeffs[8 * i + 7] = a[13 * i + 11] >> 3;
- r->coeffs[8 * i + 7] |= (uint32_t)a[13 * i + 12] << 5;
- r->coeffs[8 * i + 7] &= 0x1FFF;
-
- r->coeffs[8 * i + 0] = (1 << (D - 1)) - r->coeffs[8 * i + 0];
- r->coeffs[8 * i + 1] = (1 << (D - 1)) - r->coeffs[8 * i + 1];
- r->coeffs[8 * i + 2] = (1 << (D - 1)) - r->coeffs[8 * i + 2];
- r->coeffs[8 * i + 3] = (1 << (D - 1)) - r->coeffs[8 * i + 3];
- r->coeffs[8 * i + 4] = (1 << (D - 1)) - r->coeffs[8 * i + 4];
-
r->coeffs[8 * i + 5] = (1 << (D - 1)) - r->coeffs[8 * i + 5];
- r->coeffs[8 * i + 6] = (1 << (D - 1)) - r->coeffs[8 * i + 6];
- r->coeffs[8 * i + 7] = (1 << (D - 1)) - r->coeffs[8 * i + 7];
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_polyz_pack
-*
-* Description: Bit-pack polynomial with coefficients
-* in [-(GAMMA1 - 1), GAMMA1].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYZ_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_AVX2_polyz_pack(uint8_t r[POLYZ_PACKEDBYTES], const poly *restrict a) {
- unsigned int i;
- uint32_t t[4];
- DBENCH_START();
-
- for (i = 0; i < N / 2; ++i) {
- t[0] = GAMMA1 - a->coeffs[2 * i + 0];
- t[1] = GAMMA1 - a->coeffs[2 * i + 1];
-
- r[5 * i + 0] = t[0];
- r[5 * i + 1] = t[0] >> 8;
- r[5 * i + 2] = t[0] >> 16;
- r[5 * i + 2] |= t[1] << 4;
- r[5 * i + 3] = t[1] >> 4;
- r[5 * i + 4] = t[1] >> 12;
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_polyz_unpack
-*
-* Description: Unpack polynomial z with coefficients
-* in [-(GAMMA1 - 1), GAMMA1].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_AVX2_polyz_unpack(poly *restrict r, const uint8_t a[POLYZ_PACKEDBYTES + 12]) {
- unsigned int i;
- __m256i f;
- const __m256i shufbidx = _mm256_set_epi8(-1, 11, 10, 9, -1, 9, 8, 7, -1, 6, 5, 4, -1, 4, 3, 2,
- -1, 9, 8, 7, -1, 7, 6, 5, -1, 4, 3, 2, -1, 2, 1, 0);
- const __m256i srlvdidx = _mm256_set1_epi64x((uint64_t)4 << 32);
- const __m256i mask = _mm256_set1_epi32(0xFFFFF);
- const __m256i gamma1 = _mm256_set1_epi32(GAMMA1);
- DBENCH_START();
-
- for (i = 0; i < N / 8; i++) {
- f = _mm256_loadu_si256((__m256i *)&a[20 * i]);
- f = _mm256_permute4x64_epi64(f, 0x94);
- f = _mm256_shuffle_epi8(f, shufbidx);
- f = _mm256_srlv_epi32(f, srlvdidx);
- f = _mm256_and_si256(f, mask);
- f = _mm256_sub_epi32(gamma1, f);
- _mm256_store_si256(&r->vec[i], f);
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_polyw1_pack
-*
-* Description: Bit-pack polynomial w1 with coefficients in [0,15] or [0,43].
-* Input coefficients are assumed to be positive standard representatives.
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYW1_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_AVX2_polyw1_pack(uint8_t r[POLYW1_PACKEDBYTES], const poly *restrict a) {
- unsigned int i;
- __m256i f0, f1, f2, f3, f4, f5, f6, f7;
- const __m256i shift = _mm256_set1_epi16((16 << 8) + 1);
- const __m256i shufbidx = _mm256_set_epi8(15, 14, 7, 6, 13, 12, 5, 4, 11, 10, 3, 2, 9, 8, 1, 0,
- 15, 14, 7, 6, 13, 12, 5, 4, 11, 10, 3, 2, 9, 8, 1, 0);
- DBENCH_START();
-
- for (i = 0; i < N / 64; ++i) {
- f0 = _mm256_load_si256(&a->vec[8 * i + 0]);
- f1 = _mm256_load_si256(&a->vec[8 * i + 1]);
- f2 = _mm256_load_si256(&a->vec[8 * i + 2]);
- f3 = _mm256_load_si256(&a->vec[8 * i + 3]);
- f4 = _mm256_load_si256(&a->vec[8 * i + 4]);
- f5 = _mm256_load_si256(&a->vec[8 * i + 5]);
- f6 = _mm256_load_si256(&a->vec[8 * i + 6]);
- f7 = _mm256_load_si256(&a->vec[8 * i + 7]);
- f0 = _mm256_packus_epi32(f0, f1);
- f1 = _mm256_packus_epi32(f2, f3);
- f2 = _mm256_packus_epi32(f4, f5);
- f3 = _mm256_packus_epi32(f6, f7);
- f0 = _mm256_packus_epi16(f0, f1);
- f1 = _mm256_packus_epi16(f2, f3);
- f0 = _mm256_maddubs_epi16(f0, shift);
- f1 = _mm256_maddubs_epi16(f1, shift);
- f0 = _mm256_packus_epi16(f0, f1);
- f0 = _mm256_permute4x64_epi64(f0, 0xD8);
- f0 = _mm256_shuffle_epi8(f0, shufbidx);
- _mm256_storeu_si256((__m256i *)&r[32 * i], f0);
- }
-
- DBENCH_STOP(*tpack);
-}
diff --git a/crypto_sign/dilithium5aes/avx2/poly.h b/crypto_sign/dilithium5aes/avx2/poly.h
deleted file mode 100644
index ca298325..00000000
--- a/crypto_sign/dilithium5aes/avx2/poly.h
+++ /dev/null
@@ -1,52 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM5AES_AVX2_POLY_H
-#define PQCLEAN_DILITHIUM5AES_AVX2_POLY_H
-#include "align.h"
-#include "params.h"
-#include "symmetric.h"
-#include
-
-typedef ALIGNED_INT32(N) poly;
-
-void PQCLEAN_DILITHIUM5AES_AVX2_poly_reduce(poly *a);
-void PQCLEAN_DILITHIUM5AES_AVX2_poly_caddq(poly *a);
-void PQCLEAN_DILITHIUM5AES_AVX2_poly_freeze(poly *a);
-
-void PQCLEAN_DILITHIUM5AES_AVX2_poly_add(poly *c, const poly *a, const poly *b);
-void PQCLEAN_DILITHIUM5AES_AVX2_poly_sub(poly *c, const poly *a, const poly *b);
-void PQCLEAN_DILITHIUM5AES_AVX2_poly_shiftl(poly *a);
-
-void PQCLEAN_DILITHIUM5AES_AVX2_poly_ntt(poly *a);
-void PQCLEAN_DILITHIUM5AES_AVX2_poly_invntt_tomont(poly *a);
-void PQCLEAN_DILITHIUM5AES_AVX2_poly_nttunpack(poly *a);
-void PQCLEAN_DILITHIUM5AES_AVX2_poly_pointwise_montgomery(poly *c, const poly *a, const poly *b);
-
-void PQCLEAN_DILITHIUM5AES_AVX2_poly_power2round(poly *a1, poly *a0, const poly *a);
-void PQCLEAN_DILITHIUM5AES_AVX2_poly_decompose(poly *a1, poly *a0, const poly *a);
-unsigned int PQCLEAN_DILITHIUM5AES_AVX2_poly_make_hint(uint8_t hint[N], const poly *a0, const poly *a1);
-void PQCLEAN_DILITHIUM5AES_AVX2_poly_use_hint(poly *b, const poly *a, const poly *h);
-
-int PQCLEAN_DILITHIUM5AES_AVX2_poly_chknorm(const poly *a, int32_t B);
-void PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_preinit(poly *a, stream128_state *state);
-void PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-void PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_eta_preinit(poly *a, stream128_state *state);
-void PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_eta(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-void PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_gamma1_preinit(poly *a, stream256_state *state);
-void PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce);
-void PQCLEAN_DILITHIUM5AES_AVX2_poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-
-
-void PQCLEAN_DILITHIUM5AES_AVX2_polyeta_pack(uint8_t r[POLYETA_PACKEDBYTES], const poly *a);
-void PQCLEAN_DILITHIUM5AES_AVX2_polyeta_unpack(poly *r, const uint8_t a[POLYETA_PACKEDBYTES]);
-
-void PQCLEAN_DILITHIUM5AES_AVX2_polyt1_pack(uint8_t r[POLYT1_PACKEDBYTES], const poly *a);
-void PQCLEAN_DILITHIUM5AES_AVX2_polyt1_unpack(poly *r, const uint8_t a[POLYT1_PACKEDBYTES]);
-
-void PQCLEAN_DILITHIUM5AES_AVX2_polyt0_pack(uint8_t r[POLYT0_PACKEDBYTES], const poly *a);
-void PQCLEAN_DILITHIUM5AES_AVX2_polyt0_unpack(poly *r, const uint8_t a[POLYT0_PACKEDBYTES]);
-
-void PQCLEAN_DILITHIUM5AES_AVX2_polyz_pack(uint8_t r[POLYZ_PACKEDBYTES], const poly *a);
-void PQCLEAN_DILITHIUM5AES_AVX2_polyz_unpack(poly *r, const uint8_t a[POLYZ_PACKEDBYTES + 14]);
-
-void PQCLEAN_DILITHIUM5AES_AVX2_polyw1_pack(uint8_t r[POLYW1_PACKEDBYTES + 8], const poly *a);
-
-#endif
diff --git a/crypto_sign/dilithium5aes/avx2/polyvec.c b/crypto_sign/dilithium5aes/avx2/polyvec.c
deleted file mode 100644
index bfae22cb..00000000
--- a/crypto_sign/dilithium5aes/avx2/polyvec.c
+++ /dev/null
@@ -1,449 +0,0 @@
-#include "aes256ctr.h"
-#include "consts.h"
-#include "ntt.h"
-#include "params.h"
-#include "poly.h"
-#include "polyvec.h"
-#include
-
-#define UNUSED(x) (void)x
-
-/*************************************************
-* Name: expand_mat
-*
-* Description: Implementation of ExpandA. Generates matrix A with uniformly
-* random coefficients a_{i,j} by performing rejection
-* sampling on the output stream of SHAKE128(rho|j|i)
-* or AES256CTR(rho,j|i).
-*
-* Arguments: - polyvecl mat[K]: output matrix
-* - const uint8_t rho[]: byte array containing seed rho
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_AVX2_polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) {
- unsigned int i, j;
- uint64_t nonce;
- aes256ctr_ctx state;
-
- PQCLEAN_DILITHIUM5AES_AVX2_aes256ctr_init(&state, rho, 0);
-
- for (i = 0; i < K; i++) {
- for (j = 0; j < L; j++) {
- nonce = (i << 8) + j;
- state.n = _mm_loadl_epi64((__m128i *)&nonce);
- PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_preinit(&mat[i].vec[j], &state);
- PQCLEAN_DILITHIUM5AES_AVX2_poly_nttunpack(&mat[i].vec[j]);
- }
- }
-}
-
-
-void PQCLEAN_DILITHIUM5AES_AVX2_polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_pointwise_acc_montgomery(&t->vec[i], &mat[i], v);
- }
-}
-
-/**************************************************************/
-/************ Vectors of polynomials of length L **************/
-/**************************************************************/
-
-void PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_eta(&v->vec[i], seed, nonce++);
- }
-}
-
-void PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
- unsigned int i;
-
-
for (i = 0; i < L; ++i) {
- PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_gamma1(&v->vec[i], seed, L * nonce + i);
- }
-}
-
-void PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_reduce(polyvecl *v) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- PQCLEAN_DILITHIUM5AES_AVX2_poly_reduce(&v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_freeze
-*
-* Description: Reduce coefficients of polynomials in vector of length L
-* to standard representatives.
-*
-* Arguments: - polyvecl *v: pointer to input/output vector
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_freeze(polyvecl *v) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- PQCLEAN_DILITHIUM5AES_AVX2_poly_freeze(&v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_add
-*
-* Description: Add vectors of polynomials of length L.
-* No modular reduction is performed.
-*
-* Arguments: - polyvecl *w: pointer to output vector
-* - const polyvecl *u: pointer to first summand
-* - const polyvecl *v: pointer to second summand
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- PQCLEAN_DILITHIUM5AES_AVX2_poly_add(&w->vec[i], &u->vec[i], &v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_ntt
-*
-* Description: Forward NTT of all polynomials in vector of length L. Output
-* coefficients can be up to 16*Q larger than input coefficients.
-*
-* Arguments: - polyvecl *v: pointer to input/output vector
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_ntt(polyvecl *v) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- PQCLEAN_DILITHIUM5AES_AVX2_poly_ntt(&v->vec[i]);
- }
-}
-
-void PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_invntt_tomont(polyvecl *v) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- PQCLEAN_DILITHIUM5AES_AVX2_poly_invntt_tomont(&v->vec[i]);
- }
-}
-
-void PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- PQCLEAN_DILITHIUM5AES_AVX2_poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_pointwise_acc_montgomery
-*
-* Description: Pointwise multiply vectors of polynomials of length L, multiply
-* resulting vector by 2^{-32} and add (accumulate) polynomials
-* in it. Input/output vectors are in NTT domain representation.
-*
-* Arguments: - poly *w: output polynomial
-* - const polyvecl *u: pointer to first input vector
-* - const polyvecl *v: pointer to second input vector
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_pointwise_acc_montgomery(poly *w, const polyvecl *u, const polyvecl *v) {
- PQCLEAN_DILITHIUM5AES_AVX2_pointwise_acc_avx(w->vec, u->vec->vec, v->vec->vec, PQCLEAN_DILITHIUM5AES_AVX2_qdata.vec);
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_chknorm
-*
-* Description: Check infinity norm of polynomials in vector of length L.
-* Assumes input polyvecl to be reduced by PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_reduce().
-*
-* Arguments: - const polyvecl *v: pointer to vector
-* - int32_t B: norm bound
-*
-* Returns 0 if norm of all polynomials is strictly smaller than B <= (Q-1)/8
-* and 1 otherwise.
-**************************************************/
-int PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_chknorm(const polyvecl *v, int32_t bound) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- if (PQCLEAN_DILITHIUM5AES_AVX2_poly_chknorm(&v->vec[i], bound)) {
- return 1;
- }
- }
-
- return 0;
-}
-
-/**************************************************************/
-/************ Vectors of polynomials of length K **************/
-/**************************************************************/
-
-void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_eta(&v->vec[i], seed, nonce++);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_polyveck_reduce
-*
-* Description: Reduce coefficients of polynomials in vector of length K
-* to representatives in [-6283009,6283007].
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_reduce(polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- PQCLEAN_DILITHIUM5AES_AVX2_poly_reduce(&v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_polyveck_caddq
-*
-* Description: For all coefficients of polynomials in vector of length K
-* add Q if coefficient is negative.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_caddq(polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- PQCLEAN_DILITHIUM5AES_AVX2_poly_caddq(&v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_polyveck_freeze
-*
-* Description: Reduce coefficients of polynomials in vector of length K
-* to standard representatives.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_freeze(polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- PQCLEAN_DILITHIUM5AES_AVX2_poly_freeze(&v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_polyveck_add
-*
-* Description: Add vectors of polynomials of length K.
-* No modular reduction is performed.
-*
-* Arguments: - polyveck *w: pointer to output vector
-* - const polyveck *u: pointer to first summand
-* - const polyveck *v: pointer to second summand
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_add(polyveck *w, const polyveck *u, const polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- PQCLEAN_DILITHIUM5AES_AVX2_poly_add(&w->vec[i], &u->vec[i], &v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_polyveck_sub
-*
-* Description: Subtract vectors of polynomials of length K.
-* No modular reduction is performed.
-*
-* Arguments: - polyveck *w: pointer to output vector
-* - const polyveck *u: pointer to first input vector
-* - const polyveck *v: pointer to second input vector to be
-* subtracted from first input vector
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- PQCLEAN_DILITHIUM5AES_AVX2_poly_sub(&w->vec[i], &u->vec[i], &v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_polyveck_shiftl
-*
-* Description: Multiply vector of polynomials of Length K by 2^D without modular
-* reduction. Assumes input coefficients to be less than 2^{31-D}.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_shiftl(polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- PQCLEAN_DILITHIUM5AES_AVX2_poly_shiftl(&v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_polyveck_ntt
-*
-* Description: Forward NTT of all polynomials in vector of length K. Output
-* coefficients can be up to 16*Q larger than input coefficients.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_ntt(polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- PQCLEAN_DILITHIUM5AES_AVX2_poly_ntt(&v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_polyveck_invntt_tomont
-*
-* Description: Inverse NTT and multiplication by 2^{32} of polynomials
-* in vector of length K. Input coefficients need to be less
-* than 2*Q.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_invntt_tomont(polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- PQCLEAN_DILITHIUM5AES_AVX2_poly_invntt_tomont(&v->vec[i]);
- }
-}
-
-void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- PQCLEAN_DILITHIUM5AES_AVX2_poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_polyveck_chknorm
-*
-* Description: Check infinity norm of polynomials in vector of length K.
-* Assumes input polyveck to be reduced by PQCLEAN_DILITHIUM5AES_AVX2_polyveck_reduce().
-*
-* Arguments: - const polyveck *v: pointer to vector
-* - int32_t B: norm bound
-*
-* Returns 0 if norm of all polynomials are strictly smaller than B <= (Q-1)/8
-* and 1 otherwise.
-**************************************************/
-int PQCLEAN_DILITHIUM5AES_AVX2_polyveck_chknorm(const polyveck *v, int32_t bound) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- if (PQCLEAN_DILITHIUM5AES_AVX2_poly_chknorm(&v->vec[i], bound)) {
- return 1;
- }
- }
-
- return 0;
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_polyveck_power2round
-*
-* Description: For all coefficients a of polynomials in vector of length K,
-* compute a0, a1 such that a mod^+ Q = a1*2^D + a0
-* with -2^{D-1} < a0 <= 2^{D-1}. Assumes coefficients to be
-* standard representatives.
-*
-* Arguments: - polyveck *v1: pointer to output vector of polynomials with
-* coefficients a1
-* - polyveck *v0: pointer to output vector of polynomials with
-* coefficients a0
-* - const polyveck *v: pointer to input vector
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- PQCLEAN_DILITHIUM5AES_AVX2_poly_power2round(&v1->vec[i], &v0->vec[i], &v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_polyveck_decompose
-*
-* Description: For all coefficients a of polynomials in vector of length K,
-* compute high and low bits a0, a1 such a mod^+ Q = a1*ALPHA + a0
-* with -ALPHA/2 < a0 <= ALPHA/2 except a1 = (Q-1)/ALPHA where we
-* set a1 = 0 and -ALPHA/2 <= a0 = a mod Q - Q < 0.
-* Assumes coefficients to be standard representatives.
-*
-* Arguments: - polyveck *v1: pointer to output vector of polynomials with
-* coefficients a1
-* - polyveck *v0: pointer to output vector of polynomials with
-* coefficients a0
-* - const polyveck *v: pointer to input vector
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- PQCLEAN_DILITHIUM5AES_AVX2_poly_decompose(&v1->vec[i], &v0->vec[i], &v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_polyveck_make_hint
-*
-* Description: Compute hint vector.
-*
-* Arguments: - uint8_t *hint: pointer to output hint array
-* - const polyveck *v0: pointer to low part of input vector
-* - const polyveck *v1: pointer to high part of input vector
-*
-* Returns number of 1 bits.
-**************************************************/
-unsigned int PQCLEAN_DILITHIUM5AES_AVX2_polyveck_make_hint(uint8_t *hint, const polyveck *v0, const polyveck *v1) {
- unsigned int i, n = 0;
-
- for (i = 0; i < K; ++i) {
- n += PQCLEAN_DILITHIUM5AES_AVX2_poly_make_hint(&hint[n], &v0->vec[i], &v1->vec[i]);
- }
-
- return n;
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_AVX2_polyveck_use_hint
-*
-* Description: Use hint vector to correct the high bits of input vector.
-*
-* Arguments: - polyveck *w: pointer to output vector of polynomials with
-* corrected high bits
-* - const polyveck *u: pointer to input vector
-* - const polyveck *h: pointer to input hint vector
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- PQCLEAN_DILITHIUM5AES_AVX2_poly_use_hint(&w->vec[i], &u->vec[i], &h->vec[i]);
- }
-}
-
-void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_pack_w1(uint8_t r[K * POLYW1_PACKEDBYTES], const polyveck *w1) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- PQCLEAN_DILITHIUM5AES_AVX2_polyw1_pack(&r[i * POLYW1_PACKEDBYTES], &w1->vec[i]);
- }
-}
diff --git a/crypto_sign/dilithium5aes/avx2/polyvec.h b/crypto_sign/dilithium5aes/avx2/polyvec.h
deleted file mode 100644
index abd2277e..00000000
--- a/crypto_sign/dilithium5aes/avx2/polyvec.h
+++ /dev/null
@@ -1,64 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM5AES_AVX2_POLYVEC_H
-#define PQCLEAN_DILITHIUM5AES_AVX2_POLYVEC_H
-#include "params.h"
-#include "poly.h"
-#include
-
-/* Vectors of polynomials of length L */
-typedef struct {
- poly vec[L];
-} polyvecl;
-
-void PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-
-void PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-
-void PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_reduce(polyvecl *v);
-
-void PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_freeze(polyvecl *v);
-
-void PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v);
-
-void PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_ntt(polyvecl *v);
-void PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_invntt_tomont(polyvecl *v);
-void PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v);
-void PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_pointwise_acc_montgomery(poly *w,
- const polyvecl *u,
- const polyvecl *v);
-
-int PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_chknorm(const polyvecl *v, int32_t B);
-
-/* Vectors of polynomials of length K */
-typedef struct {
- poly vec[K];
-} polyveck;
-
-void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-
-void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_reduce(polyveck *v);
-void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_caddq(polyveck *v);
-void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_freeze(polyveck *v);
-
-void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_add(polyveck *w, const polyveck *u, const polyveck *v);
-void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v);
-void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_shiftl(polyveck *v);
-
-void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_ntt(polyveck *v);
-void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_invntt_tomont(polyveck *v);
-void 
PQCLEAN_DILITHIUM5AES_AVX2_polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v);
-
-int PQCLEAN_DILITHIUM5AES_AVX2_polyveck_chknorm(const polyveck *v, int32_t B);
-
-void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v);
-void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v);
-unsigned int PQCLEAN_DILITHIUM5AES_AVX2_polyveck_make_hint(uint8_t *hint, const polyveck *v0, const polyveck *v1);
-void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h);
-
-void PQCLEAN_DILITHIUM5AES_AVX2_polyveck_pack_w1(uint8_t r[K * POLYW1_PACKEDBYTES], const polyveck *w1);
-
-void PQCLEAN_DILITHIUM5AES_AVX2_polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]);
-
-
-void PQCLEAN_DILITHIUM5AES_AVX2_polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v);
-
-#endif
diff --git a/crypto_sign/dilithium5aes/avx2/rejsample.c b/crypto_sign/dilithium5aes/avx2/rejsample.c
deleted file mode 100644
index ec73790d..00000000
--- a/crypto_sign/dilithium5aes/avx2/rejsample.c
+++ /dev/null
@@ -1,394 +0,0 @@
-#include "params.h"
-#include "rejsample.h"
-#include "symmetric.h"
-#include
-#include
-
-const uint8_t PQCLEAN_DILITHIUM5AES_AVX2_idxlut[256][8] = {
- { 0, 0, 0, 0, 0, 0, 0, 0},
- { 0, 0, 0, 0, 0, 0, 0, 0},
- { 1, 0, 0, 0, 0, 0, 0, 0},
- { 0, 1, 0, 0, 0, 0, 0, 0},
- { 2, 0, 0, 0, 0, 0, 0, 0},
- { 0, 2, 0, 0, 0, 0, 0, 0},
- { 1, 2, 0, 0, 0, 0, 0, 0},
- { 0, 1, 2, 0, 0, 0, 0, 0},
- { 3, 0, 0, 0, 0, 0, 0, 0},
- { 0, 3, 0, 0, 0, 0, 0, 0},
- { 1, 3, 0, 0, 0, 0, 0, 0},
- { 0, 1, 3, 0, 0, 0, 0, 0},
- { 2, 3, 0, 0, 0, 0, 0, 0},
- { 0, 2, 3, 0, 0, 0, 0, 0},
- { 1, 2, 3, 0, 0, 0, 0, 0},
- { 0, 1, 2, 3, 0, 0, 0, 0},
- { 4, 0, 0, 0, 0, 0, 0, 0},
- { 0, 4, 0, 0, 0, 0, 0, 0},
- { 1, 4, 0, 0, 0, 0, 0, 0},
- { 0, 1, 4, 0, 0, 0, 0, 0},
- { 2, 4, 0, 0, 0, 0, 0, 0},
- { 0, 2, 4, 0, 0, 0, 0, 0},
- { 1, 2, 4, 0, 0, 0, 0, 0},
- { 0, 1, 2, 4, 0, 0, 0, 0},
- { 3, 4, 0, 0, 0, 0, 0, 0},
- { 0, 3, 4, 0, 0, 0, 0, 0},
- { 1, 3, 4, 0, 0, 0, 0, 0},
- { 0, 1, 3, 4, 0, 0, 0, 0},
- { 2, 3, 4, 0, 0, 0, 0, 0},
- { 0, 2, 3, 4, 0, 0, 0, 0},
- { 1, 2, 3, 4, 0, 0, 0, 0},
- { 0, 1, 2, 3, 4, 0, 0, 0},
- { 5, 0, 0, 0, 0, 0, 0, 0},
- { 0, 5, 0, 0, 0, 0, 0, 0},
- { 1, 5, 0, 0, 0, 0, 0, 0},
- { 0, 1, 5, 0, 0, 0, 0, 0},
- { 2, 5, 0, 0, 0, 0, 0, 0},
- { 0, 2, 5, 0, 0, 0, 0, 0},
- { 1, 2, 5, 0, 0, 0, 0, 0},
- { 0, 1, 2, 5, 0, 0, 0, 0},
- { 3, 5, 0, 0, 0, 0, 0, 0},
- { 0, 3, 5, 0, 0, 0, 0, 0},
- { 1, 3, 5, 0, 0, 0, 0, 0},
- { 0, 1, 3, 5, 0, 0, 0, 0},
- { 2, 3, 5, 0, 0, 0, 0, 0},
- { 0, 2, 3, 5, 0, 0, 0, 0},
- { 1, 2, 3, 5, 0, 0, 0, 0},
- { 0, 1, 2, 3, 5, 0, 0, 0},
- { 4, 5, 0, 0, 0, 0, 0, 0},
- { 0, 4, 5, 0, 0, 0, 0, 0},
- { 1, 4, 5, 0, 0, 0, 0, 0},
- { 0, 1, 4, 5, 0, 0, 0, 0},
- { 2, 4, 5, 0, 0, 0, 0, 0},
- { 0, 2, 4, 5, 0, 0, 0, 0},
- { 1, 2, 4, 5, 0, 0, 0, 0},
- { 0, 1, 2, 4, 5, 0, 0, 0},
- { 3, 4, 5, 0, 0, 0, 0, 0},
- { 0, 3, 4, 5, 0, 0, 0, 0},
- { 1, 3, 4, 5, 0, 0, 0, 0},
- { 0, 1, 3, 4, 5, 0, 0, 0},
- { 2, 3, 4, 5, 0, 0, 0, 0},
- { 0, 2, 3, 4, 5, 0, 0, 0},
- { 1, 2, 3, 4, 5, 0, 0, 0},
- 
{ 0, 1, 2, 3, 4, 5, 0, 0},
- { 6, 0, 0, 0, 0, 0, 0, 0},
- { 0, 6, 0, 0, 0, 0, 0, 0},
- { 1, 6, 0, 0, 0, 0, 0, 0},
- { 0, 1, 6, 0, 0, 0, 0, 0},
- { 2, 6, 0, 0, 0, 0, 0, 0},
- { 0, 2, 6, 0, 0, 0, 0, 0},
- { 1, 2, 6, 0, 0, 0, 0, 0},
- { 0, 1, 2, 6, 0, 0, 0, 0},
- { 3, 6, 0, 0, 0, 0, 0, 0},
- { 0, 3, 6, 0, 0, 0, 0, 0},
- { 1, 3, 6, 0, 0, 0, 0, 0},
- { 0, 1, 3, 6, 0, 0, 0, 0},
- { 2, 3, 6, 0, 0, 0, 0, 0},
- { 0, 2, 3, 6, 0, 0, 0, 0},
- { 1, 2, 3, 6, 0, 0, 0, 0},
- { 0, 1, 2, 3, 6, 0, 0, 0},
- { 4, 6, 0, 0, 0, 0, 0, 0},
- { 0, 4, 6, 0, 0, 0, 0, 0},
- { 1, 4, 6, 0, 0, 0, 0, 0},
- { 0, 1, 4, 6, 0, 0, 0, 0},
- { 2, 4, 6, 0, 0, 0, 0, 0},
- { 0, 2, 4, 6, 0, 0, 0, 0},
- { 1, 2, 4, 6, 0, 0, 0, 0},
- { 0, 1, 2, 4, 6, 0, 0, 0},
- { 3, 4, 6, 0, 0, 0, 0, 0},
- { 0, 3, 4, 6, 0, 0, 0, 0},
- { 1, 3, 4, 6, 0, 0, 0, 0},
- { 0, 1, 3, 4, 6, 0, 0, 0},
- { 2, 3, 4, 6, 0, 0, 0, 0},
- { 0, 2, 3, 4, 6, 0, 0, 0},
- { 1, 2, 3, 4, 6, 0, 0, 0},
- { 0, 1, 2, 3, 4, 6, 0, 0},
- { 5, 6, 0, 0, 0, 0, 0, 0},
- { 0, 5, 6, 0, 0, 0, 0, 0},
- { 1, 5, 6, 0, 0, 0, 0, 0},
- { 0, 1, 5, 6, 0, 0, 0, 0},
- { 2, 5, 6, 0, 0, 0, 0, 0},
- { 0, 2, 5, 6, 0, 0, 0, 0},
- { 1, 2, 5, 6, 0, 0, 0, 0},
- { 0, 1, 2, 5, 6, 0, 0, 0},
- { 3, 5, 6, 0, 0, 0, 0, 0},
- { 0, 3, 5, 6, 0, 0, 0, 0},
- { 1, 3, 5, 6, 0, 0, 0, 0},
- { 0, 1, 3, 5, 6, 0, 0, 0},
- { 2, 3, 5, 6, 0, 0, 0, 0},
- { 0, 2, 3, 5, 6, 0, 0, 0},
- { 1, 2, 3, 5, 6, 0, 0, 0},
- { 0, 1, 2, 3, 5, 6, 0, 0},
- { 4, 5, 6, 0, 0, 0, 0, 0},
- { 0, 4, 5, 6, 0, 0, 0, 0},
- { 1, 4, 5, 6, 0, 0, 0, 0},
- { 0, 1, 4, 5, 6, 0, 0, 0},
- { 2, 4, 5, 6, 0, 0, 0, 0},
- { 0, 2, 4, 5, 6, 0, 0, 0},
- { 1, 2, 4, 5, 6, 0, 0, 0},
- { 0, 1, 2, 4, 5, 6, 0, 0},
- { 3, 4, 5, 6, 0, 0, 0, 0},
- { 0, 3, 4, 5, 6, 0, 0, 0},
- { 1, 3, 4, 5, 6, 0, 0, 0},
- { 0, 1, 3, 4, 5, 6, 0, 0},
- { 2, 3, 4, 5, 6, 0, 0, 0},
- { 0, 2, 3, 4, 5, 6, 0, 0},
- { 1, 2, 3, 4, 5, 6, 0, 0},
- { 0, 1, 2, 3, 4, 5, 6, 0},
- { 7, 0, 0, 0, 0, 0, 0, 0},
- { 0, 7, 0, 0, 0, 0, 0, 0},
- { 1, 7, 0, 0, 0, 0, 0, 0},
- { 0, 1, 7, 0, 0, 0, 0, 0},
- { 2, 7, 0, 0, 0, 0, 0, 0},
- { 0, 2, 7, 0, 0, 0, 0, 0},
- { 1, 2, 7, 0, 0, 0, 0, 0},
- { 0, 1, 2, 7, 0, 0, 0, 0},
- { 3, 7, 0, 0, 0, 0, 0, 0},
- { 0, 3, 7, 0, 0, 0, 0, 0},
- { 1, 3, 7, 0, 0, 0, 0, 0},
- { 0, 1, 3, 7, 0, 0, 0, 0},
- { 2, 3, 7, 0, 0, 0, 0, 0},
- { 0, 2, 3, 7, 0, 0, 0, 0},
- { 1, 2, 3, 7, 0, 0, 0, 0},
- { 0, 1, 2, 3, 7, 0, 0, 0},
- { 4, 7, 0, 0, 0, 0, 0, 0},
- { 0, 4, 7, 0, 0, 0, 0, 0},
- { 1, 4, 7, 0, 0, 0, 0, 0},
- { 0, 1, 4, 7, 0, 0, 0, 0},
- { 2, 4, 7, 0, 0, 0, 0, 0},
- { 0, 2, 4, 7, 0, 0, 0, 0},
- { 1, 2, 4, 7, 0, 0, 0, 0},
- { 0, 1, 2, 4, 7, 0, 0, 0},
- { 3, 4, 7, 0, 0, 0, 0, 0},
- { 0, 3, 4, 7, 0, 0, 0, 0},
- { 1, 3, 4, 7, 0, 0, 0, 0},
- { 0, 1, 3, 4, 7, 0, 0, 0},
- { 2, 3, 4, 7, 0, 0, 0, 0},
- { 0, 2, 3, 4, 7, 0, 0, 0},
- { 1, 2, 3, 4, 7, 0, 0, 0},
- { 0, 1, 2, 3, 4, 7, 0, 0},
- { 5, 7, 0, 0, 0, 0, 0, 0},
- { 0, 5, 7, 0, 0, 0, 0, 0},
- { 1, 5, 7, 0, 0, 0, 0, 0},
- { 0, 1, 5, 7, 0, 0, 0, 0},
- { 2, 5, 7, 0, 0, 0, 0, 0},
- { 0, 2, 5, 7, 0, 0, 0, 0},
- { 1, 2, 5, 7, 0, 0, 0, 0},
- { 0, 1, 2, 5, 7, 0, 0, 0},
- { 3, 5, 7, 0, 0, 0, 0, 0},
- { 0, 3, 5, 7, 0, 0, 0, 0},
- { 1, 3, 5, 7, 0, 0, 0, 0},
- { 0, 1, 3, 5, 7, 0, 0, 0},
- { 2, 3, 5, 7, 0, 0, 0, 0},
- { 0, 2, 3, 5, 7, 0, 0, 0},
- { 1, 2, 3, 5, 7, 0, 0, 0},
- { 0, 1, 2, 3, 5, 7, 0, 0},
- { 4, 5, 7, 0, 0, 0, 0, 0},
- { 0, 4, 5, 7, 0, 0, 0, 0},
- { 1, 4, 5, 7, 0, 0, 0, 0},
- { 0, 1, 4, 5, 7, 0, 0, 0},
- { 2, 4, 5, 7, 0, 0, 0, 0},
- { 0, 2, 4, 5, 7, 0, 0, 0},
- { 1, 2, 4, 5, 7, 0, 0, 0},
- { 0, 1, 2, 4, 5, 7, 0, 0},
- { 3, 4, 5, 7, 0, 0, 0, 0},
- { 0, 3, 4, 5, 7, 0, 0, 0},
- { 1, 3, 4, 5, 7, 0, 0, 0},
- { 0, 1, 3, 4, 5, 7, 0, 0},
- { 2, 3, 4, 5, 7, 0, 0, 0},
- { 0, 2, 3, 4, 5, 7, 0, 0},
- { 1, 2, 3, 4, 5, 7, 0, 0},
- { 0, 1, 2, 3, 4, 5, 7, 0},
- { 6, 7, 0, 0, 0, 0, 0, 0},
- { 0, 6, 7, 0, 0, 0, 0, 0},
- { 1, 6, 7, 0, 0, 0, 0, 0},
- { 0, 1, 6, 7, 0, 0, 0, 0},
- { 2, 6, 7, 0, 0, 0, 0, 0},
- { 0, 2, 6, 7, 0, 0, 0, 0},
- { 1, 2, 6, 7, 0, 0, 0, 0},
- { 0, 1, 2, 6, 7, 0, 0, 0},
- { 3, 6, 7, 0, 0, 0, 0, 
0}, - { 0, 3, 6, 7, 0, 0, 0, 0}, - { 1, 3, 6, 7, 0, 0, 0, 0}, - { 0, 1, 3, 6, 7, 0, 0, 0}, - { 2, 3, 6, 7, 0, 0, 0, 0}, - { 0, 2, 3, 6, 7, 0, 0, 0}, - { 1, 2, 3, 6, 7, 0, 0, 0}, - { 0, 1, 2, 3, 6, 7, 0, 0}, - { 4, 6, 7, 0, 0, 0, 0, 0}, - { 0, 4, 6, 7, 0, 0, 0, 0}, - { 1, 4, 6, 7, 0, 0, 0, 0}, - { 0, 1, 4, 6, 7, 0, 0, 0}, - { 2, 4, 6, 7, 0, 0, 0, 0}, - { 0, 2, 4, 6, 7, 0, 0, 0}, - { 1, 2, 4, 6, 7, 0, 0, 0}, - { 0, 1, 2, 4, 6, 7, 0, 0}, - { 3, 4, 6, 7, 0, 0, 0, 0}, - { 0, 3, 4, 6, 7, 0, 0, 0}, - { 1, 3, 4, 6, 7, 0, 0, 0}, - { 0, 1, 3, 4, 6, 7, 0, 0}, - { 2, 3, 4, 6, 7, 0, 0, 0}, - { 0, 2, 3, 4, 6, 7, 0, 0}, - { 1, 2, 3, 4, 6, 7, 0, 0}, - { 0, 1, 2, 3, 4, 6, 7, 0}, - { 5, 6, 7, 0, 0, 0, 0, 0}, - { 0, 5, 6, 7, 0, 0, 0, 0}, - { 1, 5, 6, 7, 0, 0, 0, 0}, - { 0, 1, 5, 6, 7, 0, 0, 0}, - { 2, 5, 6, 7, 0, 0, 0, 0}, - { 0, 2, 5, 6, 7, 0, 0, 0}, - { 1, 2, 5, 6, 7, 0, 0, 0}, - { 0, 1, 2, 5, 6, 7, 0, 0}, - { 3, 5, 6, 7, 0, 0, 0, 0}, - { 0, 3, 5, 6, 7, 0, 0, 0}, - { 1, 3, 5, 6, 7, 0, 0, 0}, - { 0, 1, 3, 5, 6, 7, 0, 0}, - { 2, 3, 5, 6, 7, 0, 0, 0}, - { 0, 2, 3, 5, 6, 7, 0, 0}, - { 1, 2, 3, 5, 6, 7, 0, 0}, - { 0, 1, 2, 3, 5, 6, 7, 0}, - { 4, 5, 6, 7, 0, 0, 0, 0}, - { 0, 4, 5, 6, 7, 0, 0, 0}, - { 1, 4, 5, 6, 7, 0, 0, 0}, - { 0, 1, 4, 5, 6, 7, 0, 0}, - { 2, 4, 5, 6, 7, 0, 0, 0}, - { 0, 2, 4, 5, 6, 7, 0, 0}, - { 1, 2, 4, 5, 6, 7, 0, 0}, - { 0, 1, 2, 4, 5, 6, 7, 0}, - { 3, 4, 5, 6, 7, 0, 0, 0}, - { 0, 3, 4, 5, 6, 7, 0, 0}, - { 1, 3, 4, 5, 6, 7, 0, 0}, - { 0, 1, 3, 4, 5, 6, 7, 0}, - { 2, 3, 4, 5, 6, 7, 0, 0}, - { 0, 2, 3, 4, 5, 6, 7, 0}, - { 1, 2, 3, 4, 5, 6, 7, 0}, - { 0, 1, 2, 3, 4, 5, 6, 7} -}; - -unsigned int PQCLEAN_DILITHIUM5AES_AVX2_rej_uniform_avx(int32_t *restrict r, const uint8_t buf[REJ_UNIFORM_BUFLEN + 8]) { - unsigned int ctr, pos; - uint32_t good; - __m256i d, tmp; - const __m256i bound = _mm256_set1_epi32(Q); - const __m256i mask = _mm256_set1_epi32(0x7FFFFF); - const __m256i idx8 = _mm256_set_epi8(-1, 15, 14, 13, -1, 12, 11, 10, - -1, 9, 8, 7, -1, 6, 5, 4, - -1, 11, 10, 
9, -1, 8, 7, 6, - -1, 5, 4, 3, -1, 2, 1, 0); - - ctr = pos = 0; - while (pos <= REJ_UNIFORM_BUFLEN - 24) { - d = _mm256_loadu_si256((__m256i *)&buf[pos]); - d = _mm256_permute4x64_epi64(d, 0x94); - d = _mm256_shuffle_epi8(d, idx8); - d = _mm256_and_si256(d, mask); - pos += 24; - - tmp = _mm256_sub_epi32(d, bound); - good = _mm256_movemask_ps((__m256)tmp); - tmp = _mm256_cvtepu8_epi32(_mm_loadl_epi64((__m128i *)&PQCLEAN_DILITHIUM5AES_AVX2_idxlut[good])); - d = _mm256_permutevar8x32_epi32(d, tmp); - - _mm256_storeu_si256((__m256i *)&r[ctr], d); - ctr += _mm_popcnt_u32(good); - - } - - - return ctr; -} - -unsigned int PQCLEAN_DILITHIUM5AES_AVX2_rej_eta_avx(int32_t *restrict r, const uint8_t buf[REJ_UNIFORM_ETA_BUFLEN]) { - unsigned int ctr, pos; - uint32_t good; - __m256i f0, f1, f2; - __m128i g0, g1; - const __m256i mask = _mm256_set1_epi8(15); - const __m256i eta = _mm256_set1_epi8(ETA); - const __m256i bound = mask; - const __m256i v = _mm256_set1_epi32(-6560); - const __m256i p = _mm256_set1_epi32(5); - - ctr = pos = 0; - while (ctr <= N - 8 && pos <= REJ_UNIFORM_ETA_BUFLEN - 16) { - f0 = _mm256_cvtepu8_epi16(_mm_loadu_si128((__m128i *)&buf[pos])); - f1 = _mm256_slli_epi16(f0, 4); - f0 = _mm256_or_si256(f0, f1); - f0 = _mm256_and_si256(f0, mask); - - f1 = _mm256_sub_epi8(f0, bound); - f0 = _mm256_sub_epi8(eta, f0); - good = _mm256_movemask_epi8(f1); - - g0 = _mm256_castsi256_si128(f0); - g1 = _mm_loadl_epi64((__m128i *)&PQCLEAN_DILITHIUM5AES_AVX2_idxlut[good & 0xFF]); - g1 = _mm_shuffle_epi8(g0, g1); - f1 = _mm256_cvtepi8_epi32(g1); - f2 = _mm256_mulhrs_epi16(f1, v); - f2 = _mm256_mullo_epi16(f2, p); - f1 = _mm256_add_epi32(f1, f2); - _mm256_storeu_si256((__m256i *)&r[ctr], f1); - ctr += _mm_popcnt_u32(good & 0xFF); - good >>= 8; - pos += 4; - - if (ctr > N - 8) { - break; - } - g0 = _mm_bsrli_si128(g0, 8); - g1 = _mm_loadl_epi64((__m128i *)&PQCLEAN_DILITHIUM5AES_AVX2_idxlut[good & 0xFF]); - g1 = _mm_shuffle_epi8(g0, g1); - f1 = _mm256_cvtepi8_epi32(g1); - f2 = 
_mm256_mulhrs_epi16(f1, v); - f2 = _mm256_mullo_epi16(f2, p); - f1 = _mm256_add_epi32(f1, f2); - _mm256_storeu_si256((__m256i *)&r[ctr], f1); - ctr += _mm_popcnt_u32(good & 0xFF); - good >>= 8; - pos += 4; - - if (ctr > N - 8) { - break; - } - g0 = _mm256_extracti128_si256(f0, 1); - g1 = _mm_loadl_epi64((__m128i *)&PQCLEAN_DILITHIUM5AES_AVX2_idxlut[good & 0xFF]); - g1 = _mm_shuffle_epi8(g0, g1); - f1 = _mm256_cvtepi8_epi32(g1); - f2 = _mm256_mulhrs_epi16(f1, v); - f2 = _mm256_mullo_epi16(f2, p); - f1 = _mm256_add_epi32(f1, f2); - _mm256_storeu_si256((__m256i *)&r[ctr], f1); - ctr += _mm_popcnt_u32(good & 0xFF); - good >>= 8; - pos += 4; - - if (ctr > N - 8) { - break; - } - g0 = _mm_bsrli_si128(g0, 8); - g1 = _mm_loadl_epi64((__m128i *)&PQCLEAN_DILITHIUM5AES_AVX2_idxlut[good]); - g1 = _mm_shuffle_epi8(g0, g1); - f1 = _mm256_cvtepi8_epi32(g1); - f2 = _mm256_mulhrs_epi16(f1, v); - f2 = _mm256_mullo_epi16(f2, p); - f1 = _mm256_add_epi32(f1, f2); - _mm256_storeu_si256((__m256i *)&r[ctr], f1); - ctr += _mm_popcnt_u32(good); - pos += 4; - } - - uint32_t t0, t1; - while (ctr < N && pos < REJ_UNIFORM_ETA_BUFLEN) { - t0 = buf[pos] & 0x0F; - t1 = buf[pos++] >> 4; - - if (t0 < 15) { - t0 = t0 - (205 * t0 >> 10) * 5; - r[ctr++] = 2 - t0; - } - if (t1 < 15 && ctr < N) { - t1 = t1 - (205 * t1 >> 10) * 5; - r[ctr++] = 2 - t1; - } - } - - return ctr; -} diff --git a/crypto_sign/dilithium5aes/avx2/rejsample.h b/crypto_sign/dilithium5aes/avx2/rejsample.h deleted file mode 100644 index c493eaf1..00000000 --- a/crypto_sign/dilithium5aes/avx2/rejsample.h +++ /dev/null 
@@ -1,19 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM5AES_AVX2_REJSAMPLE_H
-#define PQCLEAN_DILITHIUM5AES_AVX2_REJSAMPLE_H
-#include "params.h"
-#include "symmetric.h"
-#include
-
-#define REJ_UNIFORM_NBLOCKS ((768+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES)
-#define REJ_UNIFORM_BUFLEN (REJ_UNIFORM_NBLOCKS*STREAM128_BLOCKBYTES)
-
-#define REJ_UNIFORM_ETA_NBLOCKS ((137+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES)
-#define REJ_UNIFORM_ETA_BUFLEN (REJ_UNIFORM_ETA_NBLOCKS*STREAM128_BLOCKBYTES)
-
-extern const uint8_t PQCLEAN_DILITHIUM5AES_AVX2_idxlut[256][8];
-
-unsigned int PQCLEAN_DILITHIUM5AES_AVX2_rej_uniform_avx(int32_t *r, const uint8_t buf[REJ_UNIFORM_BUFLEN + 8]);
-
-unsigned int PQCLEAN_DILITHIUM5AES_AVX2_rej_eta_avx(int32_t *r, const uint8_t buf[REJ_UNIFORM_BUFLEN]);
-
-#endif
diff --git a/crypto_sign/dilithium5aes/avx2/rounding.c b/crypto_sign/dilithium5aes/avx2/rounding.c
deleted file mode 100644
index 1ce05aa0..00000000
--- a/crypto_sign/dilithium5aes/avx2/rounding.c
+++ /dev/null
@@ -1,154 +0,0 @@ -#include "consts.h" -#include "params.h" -#include "rejsample.h" -#include "rounding.h" -#include -#include -#include - -#define _mm256_blendv_epi32(a,b,mask) \ - _mm256_castps_si256(_mm256_blendv_ps(_mm256_castsi256_ps(a), \ - _mm256_castsi256_ps(b), \ - _mm256_castsi256_ps(mask))) - -/************************************************* -* Name: power2round -* -* Description: For finite field elements a, compute a0, a1 such that -* a mod^+ Q = a1*2^D + a0 with -2^{D-1} < a0 <= 2^{D-1}. -* Assumes a to be positive standard representative. -* -* Arguments: - __m256i *a1: output array of length N/8 with high bits -* - __m256i *a0: output array of length N/8 with low bits a0 -* - const __m256i *a: input array of length N/8 -* -**************************************************/ -void PQCLEAN_DILITHIUM5AES_AVX2_power2round_avx(__m256i *a1, __m256i *a0, const __m256i *a) { - unsigned int i; - __m256i f, f0, f1; - const __m256i mask = _mm256_set1_epi32(-(1 << D)); - const __m256i half = _mm256_set1_epi32((1 << (D - 1)) - 1); - - for (i = 0; i < N / 8; ++i) { - f = _mm256_load_si256(&a[i]); - f1 = _mm256_add_epi32(f, half); - f0 = _mm256_and_si256(f1, mask); - f1 = _mm256_srli_epi32(f1, D); - f0 = _mm256_sub_epi32(f, f0); - _mm256_store_si256(&a1[i], f1); - _mm256_store_si256(&a0[i], f0); - } -} - -/************************************************* -* Name: decompose -* -* Description: For finite field element a, compute high and low parts a0, a1 such -* that a mod^+ Q = a1*ALPHA + a0 with -ALPHA/2 < a0 <= ALPHA/2 except -* if a1 = (Q-1)/ALPHA where we set a1 = 0 and -* -ALPHA/2 <= a0 = a mod Q - Q < 0. Assumes a to be positive standard -* representative. 
-* -* Arguments: - __m256i *a1: output array of length N/8 with high parts -* - __m256i *a0: output array of length N/8 with low parts a0 -* - const __m256i *a: input array of length N/8 -* -**************************************************/ -void PQCLEAN_DILITHIUM5AES_AVX2_decompose_avx(__m256i *a1, __m256i *a0, const __m256i *a) { - unsigned int i; - __m256i f, f0, f1; - const __m256i q = _mm256_load_si256(&PQCLEAN_DILITHIUM5AES_AVX2_qdata.vec[_8XQ / 8]); - const __m256i hq = _mm256_srli_epi32(q, 1); - const __m256i v = _mm256_set1_epi32(1025); - const __m256i alpha = _mm256_set1_epi32(2 * GAMMA2); - const __m256i off = _mm256_set1_epi32(127); - const __m256i shift = _mm256_set1_epi32(512); - const __m256i mask = _mm256_set1_epi32(15); - - for (i = 0; i < N / 8; i++) { - f = _mm256_load_si256(&a[i]); - f1 = _mm256_add_epi32(f, off); - f1 = _mm256_srli_epi32(f1, 7); - f1 = _mm256_mulhi_epu16(f1, v); - f1 = _mm256_mulhrs_epi16(f1, shift); - f1 = _mm256_and_si256(f1, mask); - f0 = _mm256_mullo_epi32(f1, alpha); - f0 = _mm256_sub_epi32(f, f0); - f = _mm256_cmpgt_epi32(f0, hq); - f = _mm256_and_si256(f, q); - f0 = _mm256_sub_epi32(f0, f); - _mm256_store_si256(&a1[i], f1); - _mm256_store_si256(&a0[i], f0); - } -} - - -/************************************************* -* Name: make_hint -* -* Description: Compute indices of polynomial coefficients whose low bits -* overflow into the high bits. 
-* -* Arguments: - uint8_t *hint: hint array -* - const __m256i *a0: low bits of input elements -* - const __m256i *a1: high bits of input elements -* -* Returns number of overflowing low bits -**************************************************/ -unsigned int PQCLEAN_DILITHIUM5AES_AVX2_make_hint_avx(uint8_t hint[N], const __m256i *restrict a0, const __m256i *restrict a1) { - unsigned int i, n = 0; - __m256i f0, f1, g0, g1; - uint32_t bad; - uint64_t idx; - const __m256i low = _mm256_set1_epi32(-GAMMA2); - const __m256i high = _mm256_set1_epi32(GAMMA2); - - for (i = 0; i < N / 8; ++i) { - f0 = _mm256_load_si256(&a0[i]); - f1 = _mm256_load_si256(&a1[i]); - g0 = _mm256_abs_epi32(f0); - g0 = _mm256_cmpgt_epi32(g0, high); - g1 = _mm256_cmpeq_epi32(f0, low); - g1 = _mm256_sign_epi32(g1, f1); - g0 = _mm256_or_si256(g0, g1); - - bad = _mm256_movemask_ps((__m256)g0); - memcpy(&idx, PQCLEAN_DILITHIUM5AES_AVX2_idxlut[bad], 8); - idx += (uint64_t)0x0808080808080808 * i; - memcpy(&hint[n], &idx, 8); - n += _mm_popcnt_u32(bad); - } - - return n; -} - -/************************************************* -* Name: use_hint -* -* Description: Correct high parts according to hint. 
-* -* Arguments: - __m256i *b: output array of length N/8 with corrected high parts -* - const __m256i *a: input array of length N/8 -* - const __m256i *a: input array of length N/8 with hint bits -* -**************************************************/ -void PQCLEAN_DILITHIUM5AES_AVX2_use_hint_avx(__m256i *b, const __m256i *a, const __m256i *restrict hint) { - unsigned int i; - __m256i a0[N / 8]; - __m256i f, g, h, t; - const __m256i zero = _mm256_setzero_si256(); - const __m256i mask = _mm256_set1_epi32(15); - - PQCLEAN_DILITHIUM5AES_AVX2_decompose_avx(b, a0, a); - for (i = 0; i < N / 8; i++) { - f = _mm256_load_si256(&a0[i]); - g = _mm256_load_si256(&b[i]); - h = _mm256_load_si256(&hint[i]); - t = _mm256_blendv_epi32(zero, h, f); - t = _mm256_slli_epi32(t, 1); - h = _mm256_sub_epi32(h, t); - g = _mm256_add_epi32(g, h); - g = _mm256_and_si256(g, mask); - _mm256_store_si256(&b[i], g); - } -} diff --git a/crypto_sign/dilithium5aes/avx2/rounding.h b/crypto_sign/dilithium5aes/avx2/rounding.h deleted file mode 100644 index c367a125..00000000 --- a/crypto_sign/dilithium5aes/avx2/rounding.h +++ /dev/null @@ -1,12 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM5AES_AVX2_ROUNDING_H -#define PQCLEAN_DILITHIUM5AES_AVX2_ROUNDING_H -#include "params.h" -#include -#include - -void PQCLEAN_DILITHIUM5AES_AVX2_power2round_avx(__m256i *a1, __m256i *a0, const __m256i *a); -void PQCLEAN_DILITHIUM5AES_AVX2_decompose_avx(__m256i *a1, __m256i *a0, const __m256i *a); -unsigned int PQCLEAN_DILITHIUM5AES_AVX2_make_hint_avx(uint8_t hint[N], const __m256i *a0, const __m256i *a1); -void PQCLEAN_DILITHIUM5AES_AVX2_use_hint_avx(__m256i *b, const __m256i *a, const __m256i *hint); - -#endif diff --git a/crypto_sign/dilithium5aes/avx2/shuffle.S b/crypto_sign/dilithium5aes/avx2/shuffle.S deleted file mode 100644 index 48f2891e..00000000 --- a/crypto_sign/dilithium5aes/avx2/shuffle.S +++ /dev/null 
@@ -1,54 +0,0 @@
-#include "cdecl.h"
-.include "shuffle.inc"
-
-.text
-nttunpack128_avx:
-#load
-vmovdqa (%rdi),%ymm4
-vmovdqa 32(%rdi),%ymm5
-vmovdqa 64(%rdi),%ymm6
-vmovdqa 96(%rdi),%ymm7
-vmovdqa 128(%rdi),%ymm8
-vmovdqa 160(%rdi),%ymm9
-vmovdqa 192(%rdi),%ymm10
-vmovdqa 224(%rdi),%ymm11
-
-shuffle8 4,8,3,8
-shuffle8 5,9,4,9
-shuffle8 6,10,5,10
-shuffle8 7,11,6,11
-
-shuffle4 3,5,7,5
-shuffle4 8,10,3,10
-shuffle4 4,6,8,6
-shuffle4 9,11,4,11
-
-shuffle2 7,8,9,8
-shuffle2 5,6,7,6
-shuffle2 3,4,5,4
-shuffle2 10,11,3,11
-
-#store
-vmovdqa %ymm9,(%rdi)
-vmovdqa %ymm8,32(%rdi)
-vmovdqa %ymm7,64(%rdi)
-vmovdqa %ymm6,96(%rdi)
-vmovdqa %ymm5,128(%rdi)
-vmovdqa %ymm4,160(%rdi)
-vmovdqa %ymm3,192(%rdi)
-vmovdqa %ymm11,224(%rdi)
-
-ret
-
-.global cdecl(PQCLEAN_DILITHIUM5AES_AVX2_nttunpack_avx)
-.global _cdecl(PQCLEAN_DILITHIUM5AES_AVX2_nttunpack_avx)
-cdecl(PQCLEAN_DILITHIUM5AES_AVX2_nttunpack_avx):
-_cdecl(PQCLEAN_DILITHIUM5AES_AVX2_nttunpack_avx):
-call nttunpack128_avx
-add $256,%rdi
-call nttunpack128_avx
-add $256,%rdi
-call nttunpack128_avx
-add $256,%rdi
-call nttunpack128_avx
-ret
diff --git a/crypto_sign/dilithium5aes/avx2/shuffle.inc b/crypto_sign/dilithium5aes/avx2/shuffle.inc
deleted file mode 100644
index 73e9ffe0..00000000
--- a/crypto_sign/dilithium5aes/avx2/shuffle.inc
+++ /dev/null
@@ -1,25 +0,0 @@
-.macro shuffle8 r0,r1,r2,r3
-vperm2i128 $0x20,%ymm\r1,%ymm\r0,%ymm\r2
-vperm2i128 $0x31,%ymm\r1,%ymm\r0,%ymm\r3
-.endm
-
-.macro shuffle4 r0,r1,r2,r3
-vpunpcklqdq %ymm\r1,%ymm\r0,%ymm\r2
-vpunpckhqdq %ymm\r1,%ymm\r0,%ymm\r3
-.endm
-
-.macro shuffle2 r0,r1,r2,r3
-#vpsllq $32,%ymm\r1,%ymm\r2
-vmovsldup %ymm\r1,%ymm\r2
-vpblendd $0xAA,%ymm\r2,%ymm\r0,%ymm\r2
-vpsrlq $32,%ymm\r0,%ymm\r0
-#vmovshdup %ymm\r0,%ymm\r0
-vpblendd $0xAA,%ymm\r1,%ymm\r0,%ymm\r3
-.endm
-
-.macro shuffle1 r0,r1,r2,r3
-vpslld $16,%ymm\r1,%ymm\r2
-vpblendw $0xAA,%ymm\r2,%ymm\r0,%ymm\r2
-vpsrld $16,%ymm\r0,%ymm\r0
-vpblendw $0xAA,%ymm\r1,%ymm\r0,%ymm\r3
-.endm
diff --git a/crypto_sign/dilithium5aes/avx2/sign.c b/crypto_sign/dilithium5aes/avx2/sign.c
deleted file mode 100644
index 0977b975..00000000
--- a/crypto_sign/dilithium5aes/avx2/sign.c
+++ /dev/null
@@ -1,425 +0,0 @@ -#include "aes256ctr.h" -#include "align.h" -#include "fips202.h" -#include "packing.h" -#include "params.h" -#include "poly.h" -#include "polyvec.h" -#include "randombytes.h" -#include "sign.h" -#include "symmetric.h" -#include -#include - - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign_keypair -* -* Description: Generates public and private key. -* -* Arguments: - uint8_t *pk: pointer to output public key (allocated -* array of PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_PUBLICKEYBYTES bytes) -* - uint8_t *sk: pointer to output private key (allocated -* array of PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_SECRETKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { - unsigned int i; - uint8_t seedbuf[3 * SEEDBYTES]; - const uint8_t *rho, *rhoprime, *key; - uint64_t nonce; - aes256ctr_ctx aesctx; - polyvecl rowbuf[1]; - polyvecl s1, *row = rowbuf; - polyveck s2; - poly t1, t0; - - /* Get randomness for rho, rhoprime and key */ - randombytes(seedbuf, SEEDBYTES); - shake256(seedbuf, 3 * SEEDBYTES, seedbuf, SEEDBYTES); - rho = seedbuf; - rhoprime = seedbuf + SEEDBYTES; - key = seedbuf + 2 * SEEDBYTES; - - /* Store rho, key */ - memcpy(pk, rho, SEEDBYTES); - memcpy(sk, rho, SEEDBYTES); - memcpy(sk + SEEDBYTES, key, SEEDBYTES); - - /* Sample short vectors s1 and s2 */ - PQCLEAN_DILITHIUM5AES_AVX2_aes256ctr_init(&aesctx, rhoprime, 0); - for (i = 0; i < L; ++i) { - nonce = i; - aesctx.n = _mm_loadl_epi64((__m128i *)&nonce); - PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_eta_preinit(&s1.vec[i], &aesctx); - } - for (i = 0; i < K; ++i) { - nonce = L + i; - aesctx.n = _mm_loadl_epi64((__m128i *)&nonce); - PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_eta_preinit(&s2.vec[i], &aesctx); - } - - /* Pack secret vectors */ - for (i = 0; i < L; i++) { - PQCLEAN_DILITHIUM5AES_AVX2_polyeta_pack(sk + 2 * SEEDBYTES + CRHBYTES + 
i * POLYETA_PACKEDBYTES, &s1.vec[i]); - } - for (i = 0; i < K; i++) { - PQCLEAN_DILITHIUM5AES_AVX2_polyeta_pack(sk + 2 * SEEDBYTES + CRHBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]); - } - - /* Transform s1 */ - PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_ntt(&s1); - - PQCLEAN_DILITHIUM5AES_AVX2_aes256ctr_init(&aesctx, rho, 0); - - for (i = 0; i < K; i++) { - /* Expand matrix row */ - for (unsigned int j = 0; j < L; j++) { - nonce = (i << 8) + j; - aesctx.n = _mm_loadl_epi64((__m128i *)&nonce); - PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_preinit(&row->vec[j], &aesctx); - PQCLEAN_DILITHIUM5AES_AVX2_poly_nttunpack(&row->vec[j]); - } - - /* Compute inner-product */ - PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_pointwise_acc_montgomery(&t1, row, &s1); - PQCLEAN_DILITHIUM5AES_AVX2_poly_invntt_tomont(&t1); - - /* Add error polynomial */ - PQCLEAN_DILITHIUM5AES_AVX2_poly_add(&t1, &t1, &s2.vec[i]); - - /* Round t and pack t1, t0 */ - PQCLEAN_DILITHIUM5AES_AVX2_poly_caddq(&t1); - PQCLEAN_DILITHIUM5AES_AVX2_poly_power2round(&t1, &t0, &t1); - PQCLEAN_DILITHIUM5AES_AVX2_polyt1_pack(pk + SEEDBYTES + i * POLYT1_PACKEDBYTES, &t1); - PQCLEAN_DILITHIUM5AES_AVX2_polyt0_pack(sk + 2 * SEEDBYTES + CRHBYTES + (L + K)*POLYETA_PACKEDBYTES + i * POLYT0_PACKEDBYTES, &t0); - } - - /* Compute CRH(rho, t1) and store in secret key */ - crh(sk + 2 * SEEDBYTES, pk, PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_PUBLICKEYBYTES); - - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign_signature -* -* Description: Computes signature. 
-* -* Arguments: - uint8_t *sig: pointer to output signature (of length PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_BYTES) -* - size_t *siglen: pointer to output length of signature -* - uint8_t *m: pointer to message to be signed -* - size_t mlen: length of message -* - uint8_t *sk: pointer to bit-packed secret key -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk) { - unsigned int i, n, pos; - uint8_t seedbuf[2 * SEEDBYTES + 3 * CRHBYTES]; - uint8_t *rho, *tr, *key, *mu, *rhoprime; - uint8_t hintbuf[N]; - uint8_t *hint = sig + SEEDBYTES + L * POLYZ_PACKEDBYTES; - uint64_t nonce = 0; - polyvecl mat[K], s1, z; - polyveck t0, s2, w1; - poly c, tmp; - union { - polyvecl y; - polyveck w0; - } tmpv; - shake256incctx state; - - rho = seedbuf; - tr = rho + SEEDBYTES; - key = tr + CRHBYTES; - mu = key + SEEDBYTES; - rhoprime = mu + CRHBYTES; - PQCLEAN_DILITHIUM5AES_AVX2_unpack_sk(rho, tr, key, &t0, &s1, &s2, sk); - - /* Compute CRH(tr, msg) */ - shake256_inc_init(&state); - shake256_inc_absorb(&state, tr, CRHBYTES); - shake256_inc_absorb(&state, m, mlen); - shake256_inc_finalize(&state); - shake256_inc_squeeze(mu, CRHBYTES, &state); - shake256_inc_ctx_release(&state); - - crh(rhoprime, key, SEEDBYTES + CRHBYTES); - - /* Expand matrix and transform vectors */ - PQCLEAN_DILITHIUM5AES_AVX2_polyvec_matrix_expand(mat, rho); - PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_ntt(&s1); - PQCLEAN_DILITHIUM5AES_AVX2_polyveck_ntt(&s2); - PQCLEAN_DILITHIUM5AES_AVX2_polyveck_ntt(&t0); - - aes256ctr_ctx aesctx; - PQCLEAN_DILITHIUM5AES_AVX2_aes256ctr_init(&aesctx, rhoprime, 0); - -rej: - /* Sample intermediate vector y */ - for (i = 0; i < L; ++i) { - aesctx.n = _mm_loadl_epi64((__m128i *)&nonce); - nonce++; - PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_gamma1_preinit(&z.vec[i], &aesctx); - } - - /* Matrix-vector product */ - tmpv.y = z; - 
PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_ntt(&tmpv.y); - PQCLEAN_DILITHIUM5AES_AVX2_polyvec_matrix_pointwise_montgomery(&w1, mat, &tmpv.y); - PQCLEAN_DILITHIUM5AES_AVX2_polyveck_invntt_tomont(&w1); - - /* Decompose w and call the random oracle */ - PQCLEAN_DILITHIUM5AES_AVX2_polyveck_caddq(&w1); - PQCLEAN_DILITHIUM5AES_AVX2_polyveck_decompose(&w1, &tmpv.w0, &w1); - PQCLEAN_DILITHIUM5AES_AVX2_polyveck_pack_w1(sig, &w1); - - shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); - shake256_inc_absorb(&state, sig, K * POLYW1_PACKEDBYTES); - shake256_inc_finalize(&state); - shake256_inc_squeeze(sig, SEEDBYTES, &state); - shake256_inc_ctx_release(&state); - PQCLEAN_DILITHIUM5AES_AVX2_poly_challenge(&c, sig); - PQCLEAN_DILITHIUM5AES_AVX2_poly_ntt(&c); - - /* Compute z, reject if it reveals secret */ - for (i = 0; i < L; i++) { - PQCLEAN_DILITHIUM5AES_AVX2_poly_pointwise_montgomery(&tmp, &c, &s1.vec[i]); - PQCLEAN_DILITHIUM5AES_AVX2_poly_invntt_tomont(&tmp); - PQCLEAN_DILITHIUM5AES_AVX2_poly_add(&z.vec[i], &z.vec[i], &tmp); - PQCLEAN_DILITHIUM5AES_AVX2_poly_reduce(&z.vec[i]); - if (PQCLEAN_DILITHIUM5AES_AVX2_poly_chknorm(&z.vec[i], GAMMA1 - BETA)) { - goto rej; - } - } - - /* Zero hint vector in signature */ - pos = 0; - memset(hint, 0, OMEGA); - - for (i = 0; i < K; i++) { - /* Check that subtracting cs2 does not change high bits of w and low bits - * do not reveal secret information */ - PQCLEAN_DILITHIUM5AES_AVX2_poly_pointwise_montgomery(&tmp, &c, &s2.vec[i]); - PQCLEAN_DILITHIUM5AES_AVX2_poly_invntt_tomont(&tmp); - PQCLEAN_DILITHIUM5AES_AVX2_poly_sub(&tmpv.w0.vec[i], &tmpv.w0.vec[i], &tmp); - PQCLEAN_DILITHIUM5AES_AVX2_poly_reduce(&tmpv.w0.vec[i]); - if (PQCLEAN_DILITHIUM5AES_AVX2_poly_chknorm(&tmpv.w0.vec[i], GAMMA2 - BETA)) { - goto rej; - } - - /* Compute hints */ - PQCLEAN_DILITHIUM5AES_AVX2_poly_pointwise_montgomery(&tmp, &c, &t0.vec[i]); - PQCLEAN_DILITHIUM5AES_AVX2_poly_invntt_tomont(&tmp); - PQCLEAN_DILITHIUM5AES_AVX2_poly_reduce(&tmp); - if 
(PQCLEAN_DILITHIUM5AES_AVX2_poly_chknorm(&tmp, GAMMA2)) { - goto rej; - } - - PQCLEAN_DILITHIUM5AES_AVX2_poly_add(&tmpv.w0.vec[i], &tmpv.w0.vec[i], &tmp); - n = PQCLEAN_DILITHIUM5AES_AVX2_poly_make_hint(hintbuf, &tmpv.w0.vec[i], &w1.vec[i]); - if (pos + n > OMEGA) { - goto rej; - } - - /* Store hints in signature */ - memcpy(&hint[pos], hintbuf, n); - hint[OMEGA + i] = pos = pos + n; - } - - /* Pack z into signature */ - for (i = 0; i < L; i++) { - PQCLEAN_DILITHIUM5AES_AVX2_polyz_pack(sig + SEEDBYTES + i * POLYZ_PACKEDBYTES, &z.vec[i]); - } - - *siglen = PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_BYTES; - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign -* -* Description: Compute signed message. -* -* Arguments: - uint8_t *sm: pointer to output signed message (allocated -* array with PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_BYTES + mlen bytes), -* can be equal to m -* - size_t *smlen: pointer to output length of signed -* message -* - const uint8_t *m: pointer to message to be signed -* - size_t mlen: length of message -* - const uint8_t *sk: pointer to bit-packed secret key -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const uint8_t *sk) { - size_t i; - - for (i = 0; i < mlen; ++i) { - sm[PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_BYTES + mlen - 1 - i] = m[mlen - 1 - i]; - } - PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign_signature(sm, smlen, sm + PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_BYTES, mlen, sk); - *smlen += mlen; - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign_verify -* -* Description: Verifies signature. 
-* -* Arguments: - uint8_t *m: pointer to input signature -* - size_t siglen: length of signature -* - const uint8_t *m: pointer to message -* - size_t mlen: length of message -* - const uint8_t *pk: pointer to bit-packed public key -* -* Returns 0 if signature could be verified correctly and -1 otherwise -**************************************************/ -int PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk) { - unsigned int i, j, pos = 0; - /* PQCLEAN_DILITHIUM5AES_AVX2_polyw1_pack writes additional 14 bytes */ - ALIGNED_UINT8(K * POLYW1_PACKEDBYTES + 14) buf; - uint8_t mu[CRHBYTES]; - const uint8_t *hint = sig + SEEDBYTES + L * POLYZ_PACKEDBYTES; - uint64_t nonce; - aes256ctr_ctx aesctx; - polyvecl rowbuf[1]; - polyvecl *row = rowbuf; - polyvecl z; - poly c, w1, h; - shake256incctx state; - - if (siglen != PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_BYTES) { - return -1; - } - - /* Compute CRH(CRH(rho, t1), msg) */ - crh(mu, pk, PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_PUBLICKEYBYTES); - shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); - shake256_inc_absorb(&state, m, mlen); - shake256_inc_finalize(&state); - shake256_inc_squeeze(mu, CRHBYTES, &state); - shake256_inc_ctx_release(&state); - - /* Expand PQCLEAN_DILITHIUM5AES_AVX2_challenge */ - PQCLEAN_DILITHIUM5AES_AVX2_poly_challenge(&c, sig); - PQCLEAN_DILITHIUM5AES_AVX2_poly_ntt(&c); - - /* Unpack z; shortness follows from unpacking */ - for (i = 0; i < L; i++) { - PQCLEAN_DILITHIUM5AES_AVX2_polyz_unpack(&z.vec[i], sig + SEEDBYTES + i * POLYZ_PACKEDBYTES); - PQCLEAN_DILITHIUM5AES_AVX2_poly_ntt(&z.vec[i]); - } - - PQCLEAN_DILITHIUM5AES_AVX2_aes256ctr_init(&aesctx, pk, 0); - - for (i = 0; i < K; i++) { - /* Expand matrix row */ - for (j = 0; j < L; j++) { - nonce = (i << 8) + j; - aesctx.n = _mm_loadl_epi64((__m128i *)&nonce); - PQCLEAN_DILITHIUM5AES_AVX2_poly_uniform_preinit(&row->vec[j], &aesctx); - 
PQCLEAN_DILITHIUM5AES_AVX2_poly_nttunpack(&row->vec[j]); - } - - /* Compute i-th row of Az - c2^Dt1 */ - PQCLEAN_DILITHIUM5AES_AVX2_polyvecl_pointwise_acc_montgomery(&w1, row, &z); - - PQCLEAN_DILITHIUM5AES_AVX2_polyt1_unpack(&h, pk + SEEDBYTES + i * POLYT1_PACKEDBYTES); - PQCLEAN_DILITHIUM5AES_AVX2_poly_shiftl(&h); - PQCLEAN_DILITHIUM5AES_AVX2_poly_ntt(&h); - PQCLEAN_DILITHIUM5AES_AVX2_poly_pointwise_montgomery(&h, &c, &h); - - PQCLEAN_DILITHIUM5AES_AVX2_poly_sub(&w1, &w1, &h); - PQCLEAN_DILITHIUM5AES_AVX2_poly_reduce(&w1); - PQCLEAN_DILITHIUM5AES_AVX2_poly_invntt_tomont(&w1); - - /* Get hint polynomial and reconstruct w1 */ - memset(h.vec, 0, sizeof(poly)); - if (hint[OMEGA + i] < pos || hint[OMEGA + i] > OMEGA) { - return -1; - } - - for (j = pos; j < hint[OMEGA + i]; ++j) { - /* Coefficients are ordered for strong unforgeability */ - if (j > pos && hint[j] <= hint[j - 1]) { - return -1; - } - h.coeffs[hint[j]] = 1; - } - pos = hint[OMEGA + i]; - - PQCLEAN_DILITHIUM5AES_AVX2_poly_caddq(&w1); - PQCLEAN_DILITHIUM5AES_AVX2_poly_use_hint(&w1, &w1, &h); - PQCLEAN_DILITHIUM5AES_AVX2_polyw1_pack(buf.coeffs + i * POLYW1_PACKEDBYTES, &w1); - } - - /* Extra indices are zero for strong unforgeability */ - for (j = pos; j < OMEGA; ++j) { - if (hint[j]) { - return -1; - } - } - - /* Call random oracle and verify PQCLEAN_DILITHIUM5AES_AVX2_challenge */ - shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); - shake256_inc_absorb(&state, buf.coeffs, K * POLYW1_PACKEDBYTES); - shake256_inc_finalize(&state); - shake256_inc_squeeze(buf.coeffs, SEEDBYTES, &state); - shake256_inc_ctx_release(&state); - for (i = 0; i < SEEDBYTES; ++i) { - if (buf.coeffs[i] != sig[i]) { - return -1; - } - } - - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign_open -* -* Description: Verify signed message. 
-*
-* Arguments: - uint8_t *m: pointer to output message (allocated
-* array with smlen bytes), can be equal to sm
-* - size_t *mlen: pointer to output length of message
-* - const uint8_t *sm: pointer to signed message
-* - size_t smlen: length of signed message
-* - const uint8_t *pk: pointer to bit-packed public key
-*
-* Returns 0 if signed message could be verified correctly and -1 otherwise
-**************************************************/
-int PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign_open(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, const uint8_t *pk) {
- size_t i;
-
- if (smlen < PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_BYTES) {
- goto badsig;
- }
-
- *mlen = smlen - PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_BYTES;
- if (PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign_verify(sm, PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_BYTES, sm + PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_BYTES, *mlen, pk)) {
- goto badsig;
- } else {
- /* All good, copy msg, return 0 */
- for (i = 0; i < *mlen; ++i) {
- m[i] = sm[PQCLEAN_DILITHIUM5AES_AVX2_CRYPTO_BYTES + i];
- }
- return 0;
- }
-
-badsig:
- /* Signature verification failed */
- *mlen = -1;
- for (i = 0; i < smlen; ++i) {
- m[i] = 0;
- }
-
- return -1;
-}
diff --git a/crypto_sign/dilithium5aes/avx2/sign.h b/crypto_sign/dilithium5aes/avx2/sign.h
deleted file mode 100644
index c7d60321..00000000
--- a/crypto_sign/dilithium5aes/avx2/sign.h
+++ /dev/null
@@ -1,29 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM5AES_AVX2_SIGN_H
-#define PQCLEAN_DILITHIUM5AES_AVX2_SIGN_H
-#include "params.h"
-#include "poly.h"
-#include "polyvec.h"
-#include
-#include
-
-void PQCLEAN_DILITHIUM5AES_AVX2_challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-
-int PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-int PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int PQCLEAN_DILITHIUM5AES_AVX2_crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#endif
diff --git a/crypto_sign/dilithium5aes/avx2/symmetric.h b/crypto_sign/dilithium5aes/avx2/symmetric.h
deleted file mode 100644
index 4de47619..00000000
--- a/crypto_sign/dilithium5aes/avx2/symmetric.h
+++ /dev/null
@@ -1,25 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM5AES_AVX2_SYMMETRIC_H
-#define PQCLEAN_DILITHIUM5AES_AVX2_SYMMETRIC_H
-#include "aes256ctr.h"
-#include "fips202.h"
-#include "params.h"
-#include
-
-
-
-typedef aes256ctr_ctx stream128_state;
-typedef aes256ctr_ctx stream256_state;
-
-#define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES
-#define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES)
-#define stream128_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM5AES_AVX2_aes256ctr_init(STATE, SEED, NONCE)
-#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_DILITHIUM5AES_AVX2_aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream128_release(STATE)
-#define stream256_init(STATE, SEED, NONCE) PQCLEAN_DILITHIUM5AES_AVX2_aes256ctr_init(STATE, SEED, NONCE)
-#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) PQCLEAN_DILITHIUM5AES_AVX2_aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream256_release(STATE)
-
-
-#endif
diff --git a/crypto_sign/dilithium5aes/clean/LICENSE b/crypto_sign/dilithium5aes/clean/LICENSE
deleted file mode 100644
index 08473af7..00000000
--- a/crypto_sign/dilithium5aes/clean/LICENSE
+++ /dev/null
@@ -1,5 +0,0 @@
-Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/)
-
-For Keccak and AES we are using public-domain
-code from sources and by authors listed in
-comments on top of the respective files.
diff --git a/crypto_sign/dilithium5aes/clean/Makefile.Microsoft_nmake b/crypto_sign/dilithium5aes/clean/Makefile.Microsoft_nmake
deleted file mode 100644
index 9fc93357..00000000
--- a/crypto_sign/dilithium5aes/clean/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,23 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libdilithium5aes_clean.lib
-OBJECTS=aes256ctr.obj ntt.obj packing.obj poly.obj polyvec.obj reduce.obj rounding.obj sign.obj symmetric-aes.obj
-
-# Warning C4146 is raised when a unary minus operator is applied to an
-# unsigned type; this has nonetheless been standard and portable for as
-# long as there has been a C standard, and we need it for constant-time
-# computations. Thus, we disable that spurious warning.
-CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX /wd4146
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_sign/dilithium5aes/clean/aes256ctr.c b/crypto_sign/dilithium5aes/clean/aes256ctr.c
deleted file mode 100644
index 445ef4fc..00000000
--- a/crypto_sign/dilithium5aes/clean/aes256ctr.c
+++ /dev/null
@@ -1,564 +0,0 @@ -#include "aes256ctr.h" -#include -#include -/* - * Copyright (c) 2016 Thomas Pornin - * - * Permission is hereby granted, free of charge, to any person obtaining - * a copy of this software and associated documentation files (the - * "Software"), to deal in the Software without restriction, including - * without limitation the rights to use, copy, modify, merge, publish, - * distribute, sublicense, and/or sell copies of the Software, and to - * permit persons to whom the Software is furnished to do so, subject to - * the following conditions: - * - * The above copyright notice and this permission notice shall be - * included in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, - * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF - * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND - * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS - * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN - * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. 
- */ - - -static inline uint32_t br_dec32le(const uint8_t *src) { - return (uint32_t)src[0] - | ((uint32_t)src[1] << 8) - | ((uint32_t)src[2] << 16) - | ((uint32_t)src[3] << 24); -} - -static void br_range_dec32le(uint32_t *v, size_t num, const uint8_t *src) { - while (num-- > 0) { - *v ++ = br_dec32le(src); - src += 4; - } -} - -static inline uint32_t br_swap32(uint32_t x) { - x = ((x & (uint32_t)0x00FF00FF) << 8) - | ((x >> 8) & (uint32_t)0x00FF00FF); - return (x << 16) | (x >> 16); -} - -static inline void br_enc32le(uint8_t *dst, uint32_t x) { - dst[0] = (uint8_t)x; - dst[1] = (uint8_t)(x >> 8); - dst[2] = (uint8_t)(x >> 16); - dst[3] = (uint8_t)(x >> 24); -} - -static void br_range_enc32le(uint8_t *dst, const uint32_t *v, size_t num) { - while (num-- > 0) { - br_enc32le(dst, *v ++); - dst += 4; - } -} - -static void br_aes_ct64_bitslice_Sbox(uint64_t *q) { - /* - * This S-box implementation is a straightforward translation of - * the circuit described by Boyar and Peralta in "A new - * combinational logic minimization technique with applications - * to cryptology" (https://eprint.iacr.org/2009/191.pdf). - * - * Note that variables x* (input) and s* (output) are numbered - * in "reverse" order (x0 is the high bit, x7 is the low bit). 
- */ - - uint64_t x0, x1, x2, x3, x4, x5, x6, x7; - uint64_t y1, y2, y3, y4, y5, y6, y7, y8, y9; - uint64_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19; - uint64_t y20, y21; - uint64_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9; - uint64_t z10, z11, z12, z13, z14, z15, z16, z17; - uint64_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9; - uint64_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19; - uint64_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29; - uint64_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39; - uint64_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49; - uint64_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59; - uint64_t t60, t61, t62, t63, t64, t65, t66, t67; - uint64_t s0, s1, s2, s3, s4, s5, s6, s7; - - x0 = q[7]; - x1 = q[6]; - x2 = q[5]; - x3 = q[4]; - x4 = q[3]; - x5 = q[2]; - x6 = q[1]; - x7 = q[0]; - - /* - * Top linear transformation. - */ - y14 = x3 ^ x5; - y13 = x0 ^ x6; - y9 = x0 ^ x3; - y8 = x0 ^ x5; - t0 = x1 ^ x2; - y1 = t0 ^ x7; - y4 = y1 ^ x3; - y12 = y13 ^ y14; - y2 = y1 ^ x0; - y5 = y1 ^ x6; - y3 = y5 ^ y8; - t1 = x4 ^ y12; - y15 = t1 ^ x5; - y20 = t1 ^ x1; - y6 = y15 ^ x7; - y10 = y15 ^ t0; - y11 = y20 ^ y9; - y7 = x7 ^ y11; - y17 = y10 ^ y11; - y19 = y10 ^ y8; - y16 = t0 ^ y11; - y21 = y13 ^ y16; - y18 = x0 ^ y16; - - /* - * Non-linear section. 
- */ - t2 = y12 & y15; - t3 = y3 & y6; - t4 = t3 ^ t2; - t5 = y4 & x7; - t6 = t5 ^ t2; - t7 = y13 & y16; - t8 = y5 & y1; - t9 = t8 ^ t7; - t10 = y2 & y7; - t11 = t10 ^ t7; - t12 = y9 & y11; - t13 = y14 & y17; - t14 = t13 ^ t12; - t15 = y8 & y10; - t16 = t15 ^ t12; - t17 = t4 ^ t14; - t18 = t6 ^ t16; - t19 = t9 ^ t14; - t20 = t11 ^ t16; - t21 = t17 ^ y20; - t22 = t18 ^ y19; - t23 = t19 ^ y21; - t24 = t20 ^ y18; - - t25 = t21 ^ t22; - t26 = t21 & t23; - t27 = t24 ^ t26; - t28 = t25 & t27; - t29 = t28 ^ t22; - t30 = t23 ^ t24; - t31 = t22 ^ t26; - t32 = t31 & t30; - t33 = t32 ^ t24; - t34 = t23 ^ t33; - t35 = t27 ^ t33; - t36 = t24 & t35; - t37 = t36 ^ t34; - t38 = t27 ^ t36; - t39 = t29 & t38; - t40 = t25 ^ t39; - - t41 = t40 ^ t37; - t42 = t29 ^ t33; - t43 = t29 ^ t40; - t44 = t33 ^ t37; - t45 = t42 ^ t41; - z0 = t44 & y15; - z1 = t37 & y6; - z2 = t33 & x7; - z3 = t43 & y16; - z4 = t40 & y1; - z5 = t29 & y7; - z6 = t42 & y11; - z7 = t45 & y17; - z8 = t41 & y10; - z9 = t44 & y12; - z10 = t37 & y3; - z11 = t33 & y4; - z12 = t43 & y13; - z13 = t40 & y5; - z14 = t29 & y2; - z15 = t42 & y9; - z16 = t45 & y14; - z17 = t41 & y8; - - /* - * Bottom linear transformation. 
- */ - t46 = z15 ^ z16; - t47 = z10 ^ z11; - t48 = z5 ^ z13; - t49 = z9 ^ z10; - t50 = z2 ^ z12; - t51 = z2 ^ z5; - t52 = z7 ^ z8; - t53 = z0 ^ z3; - t54 = z6 ^ z7; - t55 = z16 ^ z17; - t56 = z12 ^ t48; - t57 = t50 ^ t53; - t58 = z4 ^ t46; - t59 = z3 ^ t54; - t60 = t46 ^ t57; - t61 = z14 ^ t57; - t62 = t52 ^ t58; - t63 = t49 ^ t58; - t64 = z4 ^ t59; - t65 = t61 ^ t62; - t66 = z1 ^ t63; - s0 = t59 ^ t63; - s6 = t56 ^ ~t62; - s7 = t48 ^ ~t60; - t67 = t64 ^ t65; - s3 = t53 ^ t66; - s4 = t51 ^ t66; - s5 = t47 ^ t65; - s1 = t64 ^ ~s3; - s2 = t55 ^ ~t67; - - q[7] = s0; - q[6] = s1; - q[5] = s2; - q[4] = s3; - q[3] = s4; - q[2] = s5; - q[1] = s6; - q[0] = s7; -} - -static void br_aes_ct64_ortho(uint64_t *q) { -#define SWAPN(cl, ch, s, x, y) do { \ - uint64_t a, b; \ - a = (x); \ - b = (y); \ - (x) = (a & (uint64_t)(cl)) | ((b & (uint64_t)(cl)) << (s)); \ - (y) = ((a & (uint64_t)(ch)) >> (s)) | (b & (uint64_t)(ch)); \ - } while (0) - -#define SWAP2(x, y) SWAPN(0x5555555555555555, 0xAAAAAAAAAAAAAAAA, 1, x, y) -#define SWAP4(x, y) SWAPN(0x3333333333333333, 0xCCCCCCCCCCCCCCCC, 2, x, y) -#define SWAP8(x, y) SWAPN(0x0F0F0F0F0F0F0F0F, 0xF0F0F0F0F0F0F0F0, 4, x, y) - - SWAP2(q[0], q[1]); - SWAP2(q[2], q[3]); - SWAP2(q[4], q[5]); - SWAP2(q[6], q[7]); - - SWAP4(q[0], q[2]); - SWAP4(q[1], q[3]); - SWAP4(q[4], q[6]); - SWAP4(q[5], q[7]); - - SWAP8(q[0], q[4]); - SWAP8(q[1], q[5]); - SWAP8(q[2], q[6]); - SWAP8(q[3], q[7]); -} - -static void br_aes_ct64_interleave_in(uint64_t *q0, uint64_t *q1, const uint32_t *w) { - uint64_t x0, x1, x2, x3; - - x0 = w[0]; - x1 = w[1]; - x2 = w[2]; - x3 = w[3]; - x0 |= (x0 << 16); - x1 |= (x1 << 16); - x2 |= (x2 << 16); - x3 |= (x3 << 16); - x0 &= (uint64_t)0x0000FFFF0000FFFF; - x1 &= (uint64_t)0x0000FFFF0000FFFF; - x2 &= (uint64_t)0x0000FFFF0000FFFF; - x3 &= (uint64_t)0x0000FFFF0000FFFF; - x0 |= (x0 << 8); - x1 |= (x1 << 8); - x2 |= (x2 << 8); - x3 |= (x3 << 8); - x0 &= (uint64_t)0x00FF00FF00FF00FF; - x1 &= (uint64_t)0x00FF00FF00FF00FF; - x2 &= 
(uint64_t)0x00FF00FF00FF00FF; - x3 &= (uint64_t)0x00FF00FF00FF00FF; - *q0 = x0 | (x2 << 8); - *q1 = x1 | (x3 << 8); -} - -static void br_aes_ct64_interleave_out(uint32_t *w, uint64_t q0, uint64_t q1) { - uint64_t x0, x1, x2, x3; - - x0 = q0 & (uint64_t)0x00FF00FF00FF00FF; - x1 = q1 & (uint64_t)0x00FF00FF00FF00FF; - x2 = (q0 >> 8) & (uint64_t)0x00FF00FF00FF00FF; - x3 = (q1 >> 8) & (uint64_t)0x00FF00FF00FF00FF; - x0 |= (x0 >> 8); - x1 |= (x1 >> 8); - x2 |= (x2 >> 8); - x3 |= (x3 >> 8); - x0 &= (uint64_t)0x0000FFFF0000FFFF; - x1 &= (uint64_t)0x0000FFFF0000FFFF; - x2 &= (uint64_t)0x0000FFFF0000FFFF; - x3 &= (uint64_t)0x0000FFFF0000FFFF; - w[0] = (uint32_t)x0 | (uint32_t)(x0 >> 16); - w[1] = (uint32_t)x1 | (uint32_t)(x1 >> 16); - w[2] = (uint32_t)x2 | (uint32_t)(x2 >> 16); - w[3] = (uint32_t)x3 | (uint32_t)(x3 >> 16); -} - -static const uint8_t Rcon[] = { - 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36 -}; - -static uint32_t sub_word(uint32_t x) { - uint64_t q[8]; - - memset(q, 0, sizeof q); - q[0] = x; - br_aes_ct64_ortho(q); - br_aes_ct64_bitslice_Sbox(q); - br_aes_ct64_ortho(q); - return (uint32_t)q[0]; -} - -static void br_aes_ct64_keysched(uint64_t *comp_skey, const uint8_t *key) { - int i, j, k, nk, nkf; - uint32_t tmp; - uint32_t skey[60]; - - int key_len = 32; - - nk = (int)(key_len >> 2); - nkf = (int)((14 + 1) << 2); - br_range_dec32le(skey, (key_len >> 2), key); - tmp = skey[(key_len >> 2) - 1]; - for (i = nk, j = 0, k = 0; i < nkf; i ++) { - if (j == 0) { - tmp = (tmp << 24) | (tmp >> 8); - tmp = sub_word(tmp) ^ Rcon[k]; - } else if (nk > 6 && j == 4) { - tmp = sub_word(tmp); - } - tmp ^= skey[i - nk]; - skey[i] = tmp; - if (++ j == nk) { - j = 0; - k ++; - } - } - - for (i = 0, j = 0; i < nkf; i += 4, j += 2) { - uint64_t q[8]; - - br_aes_ct64_interleave_in(&q[0], &q[4], skey + i); - q[1] = q[0]; - q[2] = q[0]; - q[3] = q[0]; - q[5] = q[4]; - q[6] = q[4]; - q[7] = q[4]; - br_aes_ct64_ortho(q); - comp_skey[j + 0] = - (q[0] & 
(uint64_t)0x1111111111111111) - | (q[1] & (uint64_t)0x2222222222222222) - | (q[2] & (uint64_t)0x4444444444444444) - | (q[3] & (uint64_t)0x8888888888888888); - comp_skey[j + 1] = - (q[4] & (uint64_t)0x1111111111111111) - | (q[5] & (uint64_t)0x2222222222222222) - | (q[6] & (uint64_t)0x4444444444444444) - | (q[7] & (uint64_t)0x8888888888888888); - } -} - -static void br_aes_ct64_skey_expand(uint64_t *skey, const uint64_t *comp_skey) { - unsigned u, v, n; - - n = (14 + 1) << 1; - for (u = 0, v = 0; u < n; u ++, v += 4) { - uint64_t x0, x1, x2, x3; - - x0 = x1 = x2 = x3 = comp_skey[u]; - x0 &= (uint64_t)0x1111111111111111; - x1 &= (uint64_t)0x2222222222222222; - x2 &= (uint64_t)0x4444444444444444; - x3 &= (uint64_t)0x8888888888888888; - x1 >>= 1; - x2 >>= 2; - x3 >>= 3; - skey[v + 0] = (x0 << 4) - x0; - skey[v + 1] = (x1 << 4) - x1; - skey[v + 2] = (x2 << 4) - x2; - skey[v + 3] = (x3 << 4) - x3; - } -} - -static inline void add_round_key(uint64_t *q, const uint64_t *sk) { - q[0] ^= sk[0]; - q[1] ^= sk[1]; - q[2] ^= sk[2]; - q[3] ^= sk[3]; - q[4] ^= sk[4]; - q[5] ^= sk[5]; - q[6] ^= sk[6]; - q[7] ^= sk[7]; -} - -static inline void shift_rows(uint64_t *q) { - int i; - - for (i = 0; i < 8; i ++) { - uint64_t x; - - x = q[i]; - q[i] = (x & (uint64_t)0x000000000000FFFF) - | ((x & (uint64_t)0x00000000FFF00000) >> 4) - | ((x & (uint64_t)0x00000000000F0000) << 12) - | ((x & (uint64_t)0x0000FF0000000000) >> 8) - | ((x & (uint64_t)0x000000FF00000000) << 8) - | ((x & (uint64_t)0xF000000000000000) >> 12) - | ((x & (uint64_t)0x0FFF000000000000) << 4); - } -} - -static inline uint64_t rotr32(uint64_t x) { - return (x << 32) | (x >> 32); -} - -static inline void mix_columns(uint64_t *q) { - uint64_t q0, q1, q2, q3, q4, q5, q6, q7; - uint64_t r0, r1, r2, r3, r4, r5, r6, r7; - - q0 = q[0]; - q1 = q[1]; - q2 = q[2]; - q3 = q[3]; - q4 = q[4]; - q5 = q[5]; - q6 = q[6]; - q7 = q[7]; - r0 = (q0 >> 16) | (q0 << 48); - r1 = (q1 >> 16) | (q1 << 48); - r2 = (q2 >> 16) | (q2 << 48); - r3 = (q3 >> 
16) | (q3 << 48); - r4 = (q4 >> 16) | (q4 << 48); - r5 = (q5 >> 16) | (q5 << 48); - r6 = (q6 >> 16) | (q6 << 48); - r7 = (q7 >> 16) | (q7 << 48); - - q[0] = q7 ^ r7 ^ r0 ^ rotr32(q0 ^ r0); - q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr32(q1 ^ r1); - q[2] = q1 ^ r1 ^ r2 ^ rotr32(q2 ^ r2); - q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr32(q3 ^ r3); - q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr32(q4 ^ r4); - q[5] = q4 ^ r4 ^ r5 ^ rotr32(q5 ^ r5); - q[6] = q5 ^ r5 ^ r6 ^ rotr32(q6 ^ r6); - q[7] = q6 ^ r6 ^ r7 ^ rotr32(q7 ^ r7); -} - -static void inc4_be(uint32_t *x) { - *x = br_swap32(*x) + 4; - *x = br_swap32(*x); -} - -static void aes_ctr4x(uint8_t out[64], uint32_t ivw[16], uint64_t sk_exp[64]) { - uint32_t w[16]; - uint64_t q[8]; - int i; - - memcpy(w, ivw, sizeof(w)); - for (i = 0; i < 4; i++) { - br_aes_ct64_interleave_in(&q[i], &q[i + 4], w + (i << 2)); - } - br_aes_ct64_ortho(q); - - add_round_key(q, sk_exp); - for (i = 1; i < 14; i++) { - br_aes_ct64_bitslice_Sbox(q); - shift_rows(q); - mix_columns(q); - add_round_key(q, sk_exp + (i << 3)); - } - br_aes_ct64_bitslice_Sbox(q); - shift_rows(q); - add_round_key(q, sk_exp + 112); - - br_aes_ct64_ortho(q); - for (i = 0; i < 4; i ++) { - br_aes_ct64_interleave_out(w + (i << 2), q[i], q[i + 4]); - } - br_range_enc32le(out, w, 16); - - /* Increase counter for next 4 blocks */ - inc4_be(ivw + 3); - inc4_be(ivw + 7); - inc4_be(ivw + 11); - inc4_be(ivw + 15); -} - -static void br_aes_ct64_ctr_init(uint64_t sk_exp[120], const uint8_t *key) { - uint64_t skey[30]; - - br_aes_ct64_keysched(skey, key); - br_aes_ct64_skey_expand(sk_exp, skey); -} - -static void br_aes_ct64_ctr_run(uint64_t sk_exp[120], const uint8_t *iv, uint32_t cc, uint8_t *data, size_t len) { - uint32_t ivw[16]; - size_t i; - - br_range_dec32le(ivw, 3, iv); - memcpy(ivw + 4, ivw, 3 * sizeof(uint32_t)); - memcpy(ivw + 8, ivw, 3 * sizeof(uint32_t)); - memcpy(ivw + 12, ivw, 3 * sizeof(uint32_t)); - ivw[ 3] = br_swap32(cc); - ivw[ 7] = br_swap32(cc + 1); - ivw[11] = br_swap32(cc + 2); 
- ivw[15] = br_swap32(cc + 3);
-
- while (len > 64) {
- aes_ctr4x(data, ivw, sk_exp);
- data += 64;
- len -= 64;
- }
- if (len > 0) {
- uint8_t tmp[64];
- aes_ctr4x(tmp, ivw, sk_exp);
- for (i = 0; i < len; i++) {
- data[i] = tmp[i];
- }
- }
-}
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_aes256ctr_prf(uint8_t *out, size_t outlen, const uint8_t *key, const uint8_t *nonce) {
- uint64_t sk_exp[120];
-
- br_aes_ct64_ctr_init(sk_exp, key);
- br_aes_ct64_ctr_run(sk_exp, nonce, 0, out, outlen);
-}
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_aes256ctr_init(aes256ctr_ctx *s, const uint8_t *key, const uint8_t *nonce) {
- br_aes_ct64_ctr_init(s->sk_exp, key);
-
- br_range_dec32le(s->ivw, 3, nonce);
- memcpy(s->ivw + 4, s->ivw, 3 * sizeof(uint32_t));
- memcpy(s->ivw + 8, s->ivw, 3 * sizeof(uint32_t));
- memcpy(s->ivw + 12, s->ivw, 3 * sizeof(uint32_t));
- s->ivw[ 3] = br_swap32(0);
- s->ivw[ 7] = br_swap32(1);
- s->ivw[11] = br_swap32(2);
- s->ivw[15] = br_swap32(3);
-}
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_aes256ctr_squeezeblocks(uint8_t *out, size_t nblocks, aes256ctr_ctx *s) {
- while (nblocks > 0) {
- aes_ctr4x(out, s->ivw, s->sk_exp);
- out += 64;
- nblocks--;
- }
-}
diff --git a/crypto_sign/dilithium5aes/clean/aes256ctr.h b/crypto_sign/dilithium5aes/clean/aes256ctr.h
deleted file mode 100644
index 3d4261f0..00000000
--- a/crypto_sign/dilithium5aes/clean/aes256ctr.h
+++ /dev/null
@@ -1,28 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM5AES_CLEAN_AES256CTR_H
-#define PQCLEAN_DILITHIUM5AES_CLEAN_AES256CTR_H
-
-#include
-#include
-
-#define AES256CTR_BLOCKBYTES 64
-
-
-typedef struct {
- uint64_t sk_exp[120];
- uint32_t ivw[16];
-} aes256ctr_ctx;
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_aes256ctr_prf(uint8_t *out,
- size_t outlen,
- const uint8_t key[32],
- const uint8_t nonce[12]);
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_aes256ctr_init(aes256ctr_ctx *state,
- const uint8_t key[32],
- const uint8_t nonce[12]);
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_aes256ctr_squeezeblocks(uint8_t *out,
- size_t nblocks,
- aes256ctr_ctx *state);
-
-#endif
diff --git a/crypto_sign/dilithium5aes/clean/api.h b/crypto_sign/dilithium5aes/clean/api.h
deleted file mode 100644
index fe7baff2..00000000
--- a/crypto_sign/dilithium5aes/clean/api.h
+++ /dev/null
@@ -1,30 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM5AES_CLEAN_API_H
-#define PQCLEAN_DILITHIUM5AES_CLEAN_API_H
-
-#include
-#include
-
-#define PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_PUBLICKEYBYTES 2592
-#define PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_SECRETKEYBYTES 4880
-#define PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_BYTES 4595
-#define PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_ALGNAME "Dilithium5-AES"
-
-int PQCLEAN_DILITHIUM5AES_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-int PQCLEAN_DILITHIUM5AES_CLEAN_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-int PQCLEAN_DILITHIUM5AES_CLEAN_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-int PQCLEAN_DILITHIUM5AES_CLEAN_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-int PQCLEAN_DILITHIUM5AES_CLEAN_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen, const uint8_t *pk);
-
-#endif
diff --git a/crypto_sign/dilithium5aes/clean/ntt.c b/crypto_sign/dilithium5aes/clean/ntt.c
deleted file mode 100644
index a2d46318..00000000
--- a/crypto_sign/dilithium5aes/clean/ntt.c
+++ /dev/null
@@ -1,98 +0,0 @@ -#include "ntt.h" -#include "params.h" -#include "reduce.h" -#include - -static const int32_t zetas[N] = { - 0, 25847, -2608894, -518909, 237124, -777960, -876248, 466468, - 1826347, 2353451, -359251, -2091905, 3119733, -2884855, 3111497, 2680103, - 2725464, 1024112, -1079900, 3585928, -549488, -1119584, 2619752, -2108549, - -2118186, -3859737, -1399561, -3277672, 1757237, -19422, 4010497, 280005, - 2706023, 95776, 3077325, 3530437, -1661693, -3592148, -2537516, 3915439, - -3861115, -3043716, 3574422, -2867647, 3539968, -300467, 2348700, -539299, - -1699267, -1643818, 3505694, -3821735, 3507263, -2140649, -1600420, 3699596, - 811944, 531354, 954230, 3881043, 3900724, -2556880, 2071892, -2797779, - -3930395, -1528703, -3677745, -3041255, -1452451, 3475950, 2176455, -1585221, - -1257611, 1939314, -4083598, -1000202, -3190144, -3157330, -3632928, 126922, - 3412210, -983419, 2147896, 2715295, -2967645, -3693493, -411027, -2477047, - -671102, -1228525, -22981, -1308169, -381987, 1349076, 1852771, -1430430, - -3343383, 264944, 508951, 3097992, 44288, -1100098, 904516, 3958618, - -3724342, -8578, 1653064, -3249728, 2389356, -210977, 759969, -1316856, - 189548, -3553272, 3159746, -1851402, -2409325, -177440, 1315589, 1341330, - 1285669, -1584928, -812732, -1439742, -3019102, -3881060, -3628969, 3839961, - 2091667, 3407706, 2316500, 3817976, -3342478, 2244091, -2446433, -3562462, - 266997, 2434439, -1235728, 3513181, -3520352, -3759364, -1197226, -3193378, - 900702, 1859098, 909542, 819034, 495491, -1613174, -43260, -522500, - -655327, -3122442, 2031748, 3207046, -3556995, -525098, -768622, -3595838, - 342297, 286988, -2437823, 4108315, 3437287, -3342277, 1735879, 203044, - 2842341, 2691481, -2590150, 1265009, 4055324, 1247620, 2486353, 1595974, - -3767016, 1250494, 2635921, -3548272, -2994039, 1869119, 1903435, -1050970, - -1333058, 1237275, -3318210, -1430225, -451100, 1312455, 3306115, -1962642, - -1279661, 1917081, -2546312, -1374803, 1500165, 777191, 
2235880, 3406031, - -542412, -2831860, -1671176, -1846953, -2584293, -3724270, 594136, -3776993, - -2013608, 2432395, 2454455, -164721, 1957272, 3369112, 185531, -1207385, - -3183426, 162844, 1616392, 3014001, 810149, 1652634, -3694233, -1799107, - -3038916, 3523897, 3866901, 269760, 2213111, -975884, 1717735, 472078, - -426683, 1723600, -1803090, 1910376, -1667432, -1104333, -260646, -3833893, - -2939036, -2235985, -420899, -2286327, 183443, -976891, 1612842, -3545687, - -554416, 3919660, -48306, -1362209, 3937738, 1400424, -846154, 1976782 -}; - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_ntt -* -* Description: Forward NTT, in-place. No modular reduction is performed after -* additions or subtractions. Output vector is in bitreversed order. -* -* Arguments: - uint32_t p[N]: input/output coefficient array -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_ntt(int32_t a[N]) { - unsigned int len, start, j, k; - int32_t zeta, t; - - k = 0; - for (len = 128; len > 0; len >>= 1) { - for (start = 0; start < N; start = j + len) { - zeta = zetas[++k]; - for (j = start; j < start + len; ++j) { - t = PQCLEAN_DILITHIUM5AES_CLEAN_montgomery_reduce((int64_t)zeta * a[j + len]); - a[j + len] = a[j] - t; - a[j] = a[j] + t; - } - } - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_invntt_tomont -* -* Description: Inverse NTT and multiplication by Montgomery factor 2^32. -* In-place. No modular reductions after additions or -* subtractions; input coefficients need to be smaller than -* Q in absolute value. Output coefficient are smaller than Q in -* absolute value. 
-*
-* Arguments: - uint32_t p[N]: input/output coefficient array
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_CLEAN_invntt_tomont(int32_t a[N]) {
- unsigned int start, len, j, k;
- int32_t t, zeta;
- const int32_t f = 41978; // mont^2/256
-
- k = 256;
- for (len = 1; len < N; len <<= 1) {
- for (start = 0; start < N; start = j + len) {
- zeta = -zetas[--k];
- for (j = start; j < start + len; ++j) {
- t = a[j];
- a[j] = t + a[j + len];
- a[j + len] = t - a[j + len];
- a[j + len] = PQCLEAN_DILITHIUM5AES_CLEAN_montgomery_reduce((int64_t)zeta * a[j + len]);
- }
- }
- }
-
- for (j = 0; j < N; ++j) {
- a[j] = PQCLEAN_DILITHIUM5AES_CLEAN_montgomery_reduce((int64_t)f * a[j]);
- }
-}
diff --git a/crypto_sign/dilithium5aes/clean/ntt.h b/crypto_sign/dilithium5aes/clean/ntt.h
deleted file mode 100644
index a5b67e7b..00000000
--- a/crypto_sign/dilithium5aes/clean/ntt.h
+++ /dev/null
@@ -1,10 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM5AES_CLEAN_NTT_H
-#define PQCLEAN_DILITHIUM5AES_CLEAN_NTT_H
-#include "params.h"
-#include
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_ntt(int32_t a[N]);
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_invntt_tomont(int32_t a[N]);
-
-#endif
diff --git a/crypto_sign/dilithium5aes/clean/packing.c b/crypto_sign/dilithium5aes/clean/packing.c
deleted file mode 100644
index a3b2ffa3..00000000
--- a/crypto_sign/dilithium5aes/clean/packing.c
+++ /dev/null
@@ -1,261 +0,0 @@
-#include "packing.h"
-#include "params.h"
-#include "poly.h"
-#include "polyvec.h"
-
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_CLEAN_pack_pk
-*
-* Description: Bit-pack public key pk = (rho, t1).
-*
-* Arguments: - uint8_t pk[]: output byte array
-* - const uint8_t rho[]: byte array containing rho
-* - const polyveck *t1: pointer to vector t1
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_CLEAN_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_PUBLICKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const polyveck *t1) {
- unsigned int i;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- pk[i] = rho[i];
- }
- pk += SEEDBYTES;
-
- for (i = 0; i < K; ++i) {
- PQCLEAN_DILITHIUM5AES_CLEAN_polyt1_pack(pk + i * POLYT1_PACKEDBYTES, &t1->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_CLEAN_unpack_pk
-*
-* Description: Unpack public key pk = (rho, t1).
-*
-* Arguments: - const uint8_t rho[]: output byte array for rho
-* - const polyveck *t1: pointer to output vector t1
-* - uint8_t pk[]: byte array containing bit-packed pk
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES],
- polyveck *t1,
- const uint8_t pk[PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_PUBLICKEYBYTES]) {
- unsigned int i;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- rho[i] = pk[i];
- }
- pk += SEEDBYTES;
-
- for (i = 0; i < K; ++i) {
- PQCLEAN_DILITHIUM5AES_CLEAN_polyt1_unpack(&t1->vec[i], pk + i * POLYT1_PACKEDBYTES);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_CLEAN_pack_sk
-*
-* Description: Bit-pack secret key sk = (rho, tr, key, t0, s1, s2).
-*
-* Arguments: - uint8_t sk[]: output byte array
-* - const uint8_t rho[]: byte array containing rho
-* - const uint8_t tr[]: byte array containing tr
-* - const uint8_t key[]: byte array containing key
-* - const polyveck *t0: pointer to vector t0
-* - const polyvecl *s1: pointer to vector s1
-* - const polyveck *s2: pointer to vector s2
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_SECRETKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const uint8_t tr[CRHBYTES],
- const uint8_t key[SEEDBYTES],
- const polyveck *t0,
- const polyvecl *s1,
- const polyveck *s2) {
- unsigned int i;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- sk[i] = rho[i];
- }
- sk += SEEDBYTES;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- sk[i] = key[i];
- }
- sk += SEEDBYTES;
-
- for (i = 0; i < CRHBYTES; ++i) {
- sk[i] = tr[i];
- }
- sk += CRHBYTES;
-
- for (i = 0; i < L; ++i) {
- PQCLEAN_DILITHIUM5AES_CLEAN_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]);
- }
- sk += L * POLYETA_PACKEDBYTES;
-
- for (i = 0; i < K; ++i) {
- PQCLEAN_DILITHIUM5AES_CLEAN_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s2->vec[i]);
- }
- sk += K * POLYETA_PACKEDBYTES;
-
- for (i = 0; i < K; ++i) {
- PQCLEAN_DILITHIUM5AES_CLEAN_polyt0_pack(sk + i * POLYT0_PACKEDBYTES, &t0->vec[i]);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_CLEAN_unpack_sk
-*
-* Description: Unpack secret key sk = (rho, tr, key, t0, s1, s2).
-*
-* Arguments: - const uint8_t rho[]: output byte array for rho
-* - const uint8_t tr[]: output byte array for tr
-* - const uint8_t key[]: output byte array for key
-* - const polyveck *t0: pointer to output vector t0
-* - const polyvecl *s1: pointer to output vector s1
-* - const polyveck *s2: pointer to output vector s2
-* - uint8_t sk[]: byte array containing bit-packed sk
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[CRHBYTES],
- uint8_t key[SEEDBYTES],
- polyveck *t0,
- polyvecl *s1,
- polyveck *s2,
- const uint8_t sk[PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_SECRETKEYBYTES]) {
- unsigned int i;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- rho[i] = sk[i];
- }
- sk += SEEDBYTES;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- key[i] = sk[i];
- }
- sk += SEEDBYTES;
-
- for (i = 0; i < CRHBYTES; ++i) {
- tr[i] = sk[i];
- }
- sk += CRHBYTES;
-
- for (i = 0; i < L; ++i) {
- PQCLEAN_DILITHIUM5AES_CLEAN_polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES);
- }
- sk += L * POLYETA_PACKEDBYTES;
-
- for (i = 0; i < K; ++i) {
- PQCLEAN_DILITHIUM5AES_CLEAN_polyeta_unpack(&s2->vec[i], sk + i * POLYETA_PACKEDBYTES);
- }
- sk += K * POLYETA_PACKEDBYTES;
-
- for (i = 0; i < K; ++i) {
- PQCLEAN_DILITHIUM5AES_CLEAN_polyt0_unpack(&t0->vec[i], sk + i * POLYT0_PACKEDBYTES);
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_CLEAN_pack_sig
-*
-* Description: Bit-pack signature sig = (c, z, h).
-*
-* Arguments: - uint8_t sig[]: output byte array
-* - const uint8_t *c: pointer to PQCLEAN_DILITHIUM5AES_CLEAN_challenge hash length SEEDBYTES
-* - const polyvecl *z: pointer to vector z
-* - const polyveck *h: pointer to hint vector h
-**************************************************/
-void PQCLEAN_DILITHIUM5AES_CLEAN_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_BYTES],
- const uint8_t c[SEEDBYTES],
- const polyvecl *z,
- const polyveck *h) {
- unsigned int i, j, k;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- sig[i] = c[i];
- }
- sig += SEEDBYTES;
-
- for (i = 0; i < L; ++i) {
- PQCLEAN_DILITHIUM5AES_CLEAN_polyz_pack(sig + i * POLYZ_PACKEDBYTES, &z->vec[i]);
- }
- sig += L * POLYZ_PACKEDBYTES;
-
- /* Encode h */
- for (i = 0; i < OMEGA + K; ++i) {
- sig[i] = 0;
- }
-
- k = 0;
- for (i = 0; i < K; ++i) {
- for (j = 0; j < N; ++j) {
- if (h->vec[i].coeffs[j] != 0) {
- sig[k++] = (uint8_t) j;
- }
- }
-
- sig[OMEGA + i] = (uint8_t) k;
- }
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_CLEAN_unpack_sig
-*
-* Description: Unpack signature sig = (c, z, h).
-*
-* Arguments: - uint8_t *c: pointer to output PQCLEAN_DILITHIUM5AES_CLEAN_challenge hash
-* - polyvecl *z: pointer to output vector z
-* - polyveck *h: pointer to output hint vector h
-* - const uint8_t sig[]: byte array containing
-* bit-packed signature
-*
-* Returns 1 in case of malformed signature; otherwise 0.
-**************************************************/
-int PQCLEAN_DILITHIUM5AES_CLEAN_unpack_sig(uint8_t c[SEEDBYTES],
- polyvecl *z,
- polyveck *h,
- const uint8_t sig[PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_BYTES]) {
- unsigned int i, j, k;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- c[i] = sig[i];
- }
- sig += SEEDBYTES;
-
- for (i = 0; i < L; ++i) {
- PQCLEAN_DILITHIUM5AES_CLEAN_polyz_unpack(&z->vec[i], sig + i * POLYZ_PACKEDBYTES);
- }
- sig += L * POLYZ_PACKEDBYTES;
-
- /* Decode h */
- k = 0;
- for (i = 0; i < K; ++i) {
- for (j = 0; j < N; ++j) {
- h->vec[i].coeffs[j] = 0;
- }
-
- if (sig[OMEGA + i] < k || sig[OMEGA + i] > OMEGA) {
- return 1;
- }
-
- for (j = k; j < sig[OMEGA + i]; ++j) {
- /* Coefficients are ordered for strong unforgeability */
- if (j > k && sig[j] <= sig[j - 1]) {
- return 1;
- }
- h->vec[i].coeffs[sig[j]] = 1;
- }
-
- k = sig[OMEGA + i];
- }
-
- /* Extra indices are zero for strong unforgeability */
- for (j = k; j < OMEGA; ++j) {
- if (sig[j]) {
- return 1;
- }
- }
-
- return 0;
-}
diff --git a/crypto_sign/dilithium5aes/clean/packing.h b/crypto_sign/dilithium5aes/clean/packing.h
deleted file mode 100644
index 4bca683f..00000000
--- a/crypto_sign/dilithium5aes/clean/packing.h
+++ /dev/null
@@ -1,31 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM5AES_CLEAN_PACKING_H
-#define PQCLEAN_DILITHIUM5AES_CLEAN_PACKING_H
-#include "params.h"
-#include "polyvec.h"
-#include
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_pack_pk(uint8_t pk[PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_PUBLICKEYBYTES], const uint8_t rho[SEEDBYTES], const polyveck *t1);
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_pack_sk(uint8_t sk[PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_SECRETKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const uint8_t tr[CRHBYTES],
- const uint8_t key[SEEDBYTES],
- const polyveck *t0,
- const polyvecl *s1,
- const polyveck *s2);
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_pack_sig(uint8_t sig[PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_BYTES], const uint8_t c[SEEDBYTES], const polyvecl *z, const polyveck *h);
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_PUBLICKEYBYTES]);
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[CRHBYTES],
- uint8_t key[SEEDBYTES],
- polyveck *t0,
- polyvecl *s1,
- polyveck *s2,
- const uint8_t sk[PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_SECRETKEYBYTES]);
-
-int PQCLEAN_DILITHIUM5AES_CLEAN_unpack_sig(uint8_t c[SEEDBYTES], polyvecl *z, polyveck *h, const uint8_t sig[PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_BYTES]);
-
-#endif
diff --git a/crypto_sign/dilithium5aes/clean/params.h b/crypto_sign/dilithium5aes/clean/params.h
deleted file mode 100644
index b8f9630e..00000000
--- a/crypto_sign/dilithium5aes/clean/params.h
+++ /dev/null
@@ -1,41 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM5AES_CLEAN_PARAMS_H
-#define PQCLEAN_DILITHIUM5AES_CLEAN_PARAMS_H
-
-
-
-#define SEEDBYTES 32
-#define CRHBYTES 48
-#define N 256
-#define Q 8380417
-#define D 13
-#define ROOT_OF_UNITY 1753
-
-#define K 8
-#define L 7
-#define ETA 2
-#define TAU 60
-#define BETA 120
-#define GAMMA1 (1 << 19)
-#define GAMMA2 ((Q-1)/32)
-#define OMEGA 75
-#define PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_ALGNAME "Dilithium5-AES"
-
-
-#define POLYT1_PACKEDBYTES 320
-#define POLYT0_PACKEDBYTES 416
-#define POLYVECH_PACKEDBYTES (OMEGA + K)
-
-#define POLYZ_PACKEDBYTES 640
-
-#define POLYW1_PACKEDBYTES 128
-
-#define POLYETA_PACKEDBYTES 96
-
-#define PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_SECRETKEYBYTES (2*SEEDBYTES + CRHBYTES \
- + L*POLYETA_PACKEDBYTES \
- + K*POLYETA_PACKEDBYTES \
- + K*POLYT0_PACKEDBYTES)
-#define PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_BYTES (SEEDBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES)
-
-#endif
diff --git a/crypto_sign/dilithium5aes/clean/poly.c b/crypto_sign/dilithium5aes/clean/poly.c
deleted file mode 100644
index ce01b21c..00000000
--- a/crypto_sign/dilithium5aes/clean/poly.c
+++ /dev/null
@@ -1,842 +0,0 @@ -#include "ntt.h" -#include "params.h" -#include "poly.h" -#include "reduce.h" -#include "rounding.h" -#include "symmetric.h" -#include - -#define DBENCH_START() -#define DBENCH_STOP(t) - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_poly_reduce -* -* Description: Inplace reduction of all coefficients of polynomial to -* representative in [-6283009,6283007]. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_poly_reduce(poly *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - a->coeffs[i] = PQCLEAN_DILITHIUM5AES_CLEAN_reduce32(a->coeffs[i]); - } - - DBENCH_STOP(*tred); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_poly_caddq -* -* Description: For all coefficients of in/out polynomial add Q if -* coefficient is negative. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_poly_caddq(poly *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - a->coeffs[i] = PQCLEAN_DILITHIUM5AES_CLEAN_caddq(a->coeffs[i]); - } - - DBENCH_STOP(*tred); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_poly_freeze -* -* Description: Inplace reduction of all coefficients of polynomial to -* standard representatives. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_poly_freeze(poly *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - a->coeffs[i] = PQCLEAN_DILITHIUM5AES_CLEAN_freeze(a->coeffs[i]); - } - - DBENCH_STOP(*tred); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_poly_add -* -* Description: Add polynomials. 
No modular reduction is performed. -* -* Arguments: - poly *c: pointer to output polynomial -* - const poly *a: pointer to first summand -* - const poly *b: pointer to second summand -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_poly_add(poly *c, const poly *a, const poly *b) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - c->coeffs[i] = a->coeffs[i] + b->coeffs[i]; - } - - DBENCH_STOP(*tadd); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_poly_sub -* -* Description: Subtract polynomials. No modular reduction is -* performed. -* -* Arguments: - poly *c: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial to be -* subtraced from first input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_poly_sub(poly *c, const poly *a, const poly *b) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - c->coeffs[i] = a->coeffs[i] - b->coeffs[i]; - } - - DBENCH_STOP(*tadd); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_poly_shiftl -* -* Description: Multiply polynomial by 2^D without modular reduction. Assumes -* input coefficients to be less than 2^{31-D} in absolute value. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_poly_shiftl(poly *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - a->coeffs[i] <<= D; - } - - DBENCH_STOP(*tmul); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_poly_ntt -* -* Description: Inplace forward NTT. Coefficients can grow by -* 8*Q in absolute value. 
-* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_poly_ntt(poly *a) { - DBENCH_START(); - - PQCLEAN_DILITHIUM5AES_CLEAN_ntt(a->coeffs); - - DBENCH_STOP(*tmul); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_poly_invntt_tomont -* -* Description: Inplace inverse NTT and multiplication by 2^{32}. -* Input coefficients need to be less than Q in absolute -* value and output coefficients are again bounded by Q. -* -* Arguments: - poly *a: pointer to input/output polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_poly_invntt_tomont(poly *a) { - DBENCH_START(); - - PQCLEAN_DILITHIUM5AES_CLEAN_invntt_tomont(a->coeffs); - - DBENCH_STOP(*tmul); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_poly_pointwise_montgomery -* -* Description: Pointwise multiplication of polynomials in NTT domain -* representation and multiplication of resulting polynomial -* by 2^{-32}. -* -* Arguments: - poly *c: pointer to output polynomial -* - const poly *a: pointer to first input polynomial -* - const poly *b: pointer to second input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_poly_pointwise_montgomery(poly *c, const poly *a, const poly *b) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - c->coeffs[i] = PQCLEAN_DILITHIUM5AES_CLEAN_montgomery_reduce((int64_t)a->coeffs[i] * b->coeffs[i]); - } - - DBENCH_STOP(*tmul); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_poly_power2round -* -* Description: For all coefficients c of the input polynomial, -* compute c0, c1 such that c mod Q = c1*2^D + c0 -* with -2^{D-1} < c0 <= 2^{D-1}. Assumes coefficients to be -* standard representatives. 
-* -* Arguments: - poly *a1: pointer to output polynomial with coefficients c1 -* - poly *a0: pointer to output polynomial with coefficients c0 -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_poly_power2round(poly *a1, poly *a0, const poly *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - a1->coeffs[i] = PQCLEAN_DILITHIUM5AES_CLEAN_power2round(&a0->coeffs[i], a->coeffs[i]); - } - - DBENCH_STOP(*tround); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_poly_decompose -* -* Description: For all coefficients c of the input polynomial, -* compute high and low bits c0, c1 such c mod Q = c1*ALPHA + c0 -* with -ALPHA/2 < c0 <= ALPHA/2 except c1 = (Q-1)/ALPHA where we -* set c1 = 0 and -ALPHA/2 <= c0 = c mod Q - Q < 0. -* Assumes coefficients to be standard representatives. -* -* Arguments: - poly *a1: pointer to output polynomial with coefficients c1 -* - poly *a0: pointer to output polynomial with coefficients c0 -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_poly_decompose(poly *a1, poly *a0, const poly *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - a1->coeffs[i] = PQCLEAN_DILITHIUM5AES_CLEAN_decompose(&a0->coeffs[i], a->coeffs[i]); - } - - DBENCH_STOP(*tround); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_poly_make_hint -* -* Description: Compute hint polynomial. The coefficients of which indicate -* whether the low bits of the corresponding coefficient of -* the input polynomial overflow into the high bits. -* -* Arguments: - poly *h: pointer to output hint polynomial -* - const poly *a0: pointer to low part of input polynomial -* - const poly *a1: pointer to high part of input polynomial -* -* Returns number of 1 bits. 
-**************************************************/ -unsigned int PQCLEAN_DILITHIUM5AES_CLEAN_poly_make_hint(poly *h, const poly *a0, const poly *a1) { - unsigned int i, s = 0; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - h->coeffs[i] = PQCLEAN_DILITHIUM5AES_CLEAN_make_hint(a0->coeffs[i], a1->coeffs[i]); - s += h->coeffs[i]; - } - - DBENCH_STOP(*tround); - return s; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_poly_use_hint -* -* Description: Use hint polynomial to correct the high bits of a polynomial. -* -* Arguments: - poly *b: pointer to output polynomial with corrected high bits -* - const poly *a: pointer to input polynomial -* - const poly *h: pointer to input hint polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_poly_use_hint(poly *b, const poly *a, const poly *h) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N; ++i) { - b->coeffs[i] = PQCLEAN_DILITHIUM5AES_CLEAN_use_hint(a->coeffs[i], h->coeffs[i]); - } - - DBENCH_STOP(*tround); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_poly_chknorm -* -* Description: Check infinity norm of polynomial against given bound. -* Assumes input coefficients were reduced by PQCLEAN_DILITHIUM5AES_CLEAN_reduce32(). -* -* Arguments: - const poly *a: pointer to polynomial -* - int32_t B: norm bound -* -* Returns 0 if norm is strictly smaller than B <= (Q-1)/8 and 1 otherwise. -**************************************************/ -int PQCLEAN_DILITHIUM5AES_CLEAN_poly_chknorm(const poly *a, int32_t B) { - unsigned int i; - int32_t t; - DBENCH_START(); - - if (B > (Q - 1) / 8) { - return 1; - } - - /* It is ok to leak which coefficient violates the bound since - the probability for each coefficient is independent of secret - data but we must not leak the sign of the centralized representative. 
*/ - for (i = 0; i < N; ++i) { - /* Absolute value */ - t = a->coeffs[i] >> 31; - t = a->coeffs[i] - (t & 2 * a->coeffs[i]); - - if (t >= B) { - DBENCH_STOP(*tsample); - return 1; - } - } - - DBENCH_STOP(*tsample); - return 0; -} - -/************************************************* -* Name: rej_uniform -* -* Description: Sample uniformly random coefficients in [0, Q-1] by -* performing rejection sampling on array of random bytes. -* -* Arguments: - int32_t *a: pointer to output array (allocated) -* - unsigned int len: number of coefficients to be sampled -* - const uint8_t *buf: array of random bytes -* - unsigned int buflen: length of array of random bytes -* -* Returns number of sampled coefficients. Can be smaller than len if not enough -* random bytes were given. -**************************************************/ -static unsigned int rej_uniform(int32_t *a, - unsigned int len, - const uint8_t *buf, - unsigned int buflen) { - unsigned int ctr, pos; - uint32_t t; - DBENCH_START(); - - ctr = pos = 0; - while (ctr < len && pos + 3 <= buflen) { - t = buf[pos++]; - t |= (uint32_t)buf[pos++] << 8; - t |= (uint32_t)buf[pos++] << 16; - t &= 0x7FFFFF; - - if (t < Q) { - a[ctr++] = t; - } - } - - DBENCH_STOP(*tsample); - return ctr; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_poly_uniform -* -* Description: Sample polynomial with uniformly random coefficients -* in [0,Q-1] by performing rejection sampling on the -* output stream of SHAKE256(seed|nonce) or AES256CTR(seed,nonce). 
-* -* Arguments: - poly *a: pointer to output polynomial -* - const uint8_t seed[]: byte array with seed of length SEEDBYTES -* - uint16_t nonce: 2-byte nonce -**************************************************/ -#define POLY_UNIFORM_NBLOCKS ((768 + STREAM128_BLOCKBYTES - 1)/STREAM128_BLOCKBYTES) -void PQCLEAN_DILITHIUM5AES_CLEAN_poly_uniform(poly *a, - const uint8_t seed[SEEDBYTES], - uint16_t nonce) { - unsigned int i, ctr, off; - unsigned int buflen = POLY_UNIFORM_NBLOCKS * STREAM128_BLOCKBYTES; - uint8_t buf[POLY_UNIFORM_NBLOCKS * STREAM128_BLOCKBYTES + 2]; - stream128_state state; - - stream128_init(&state, seed, nonce); - stream128_squeezeblocks(buf, POLY_UNIFORM_NBLOCKS, &state); - - ctr = rej_uniform(a->coeffs, N, buf, buflen); - - while (ctr < N) { - off = buflen % 3; - for (i = 0; i < off; ++i) { - buf[i] = buf[buflen - off + i]; - } - - stream128_squeezeblocks(buf + off, 1, &state); - buflen = STREAM128_BLOCKBYTES + off; - ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf, buflen); - } - stream128_release(&state); -} - -/************************************************* -* Name: rej_eta -* -* Description: Sample uniformly random coefficients in [-ETA, ETA] by -* performing rejection sampling on array of random bytes. -* -* Arguments: - int32_t *a: pointer to output array (allocated) -* - unsigned int len: number of coefficients to be sampled -* - const uint8_t *buf: array of random bytes -* - unsigned int buflen: length of array of random bytes -* -* Returns number of sampled coefficients. Can be smaller than len if not enough -* random bytes were given. 
-**************************************************/ -static unsigned int rej_eta(int32_t *a, - unsigned int len, - const uint8_t *buf, - unsigned int buflen) { - unsigned int ctr, pos; - uint32_t t0, t1; - DBENCH_START(); - - ctr = pos = 0; - while (ctr < len && pos < buflen) { - t0 = buf[pos] & 0x0F; - t1 = buf[pos++] >> 4; - - if (t0 < 15) { - t0 = t0 - (205 * t0 >> 10) * 5; - a[ctr++] = 2 - t0; - } - if (t1 < 15 && ctr < len) { - t1 = t1 - (205 * t1 >> 10) * 5; - a[ctr++] = 2 - t1; - } - } - - DBENCH_STOP(*tsample); - return ctr; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_poly_uniform_eta -* -* Description: Sample polynomial with uniformly random coefficients -* in [-ETA,ETA] by performing rejection sampling on the -* output stream from SHAKE256(seed|nonce) or AES256CTR(seed,nonce). -* -* Arguments: - poly *a: pointer to output polynomial -* - const uint8_t seed[]: byte array with seed of length SEEDBYTES -* - uint16_t nonce: 2-byte nonce -**************************************************/ -#define POLY_UNIFORM_ETA_NBLOCKS ((136 + STREAM128_BLOCKBYTES - 1)/STREAM128_BLOCKBYTES) -void PQCLEAN_DILITHIUM5AES_CLEAN_poly_uniform_eta(poly *a, - const uint8_t seed[SEEDBYTES], - uint16_t nonce) { - unsigned int ctr; - unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS * STREAM128_BLOCKBYTES; - uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS * STREAM128_BLOCKBYTES]; - stream128_state state; - - stream128_init(&state, seed, nonce); - stream128_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state); - - ctr = rej_eta(a->coeffs, N, buf, buflen); - - while (ctr < N) { - stream128_squeezeblocks(buf, 1, &state); - ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM128_BLOCKBYTES); - } - stream128_release(&state); -} - -/************************************************* -* Name: poly_uniform_gamma1m1 -* -* Description: Sample polynomial with uniformly random coefficients -* in [-(GAMMA1 - 1), GAMMA1] by unpacking output stream -* of 
SHAKE256(seed|nonce) or AES256CTR(seed,nonce). -* -* Arguments: - poly *a: pointer to output polynomial -* - const uint8_t seed[]: byte array with seed of length CRHBYTES -* - uint16_t nonce: 16-bit nonce -**************************************************/ -#define POLY_UNIFORM_GAMMA1_NBLOCKS ((POLYZ_PACKEDBYTES + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES) -void PQCLEAN_DILITHIUM5AES_CLEAN_poly_uniform_gamma1(poly *a, - const uint8_t seed[CRHBYTES], - uint16_t nonce) { - uint8_t buf[POLY_UNIFORM_GAMMA1_NBLOCKS * STREAM256_BLOCKBYTES]; - stream256_state state; - - stream256_init(&state, seed, nonce); - stream256_squeezeblocks(buf, POLY_UNIFORM_GAMMA1_NBLOCKS, &state); - stream256_release(&state); - PQCLEAN_DILITHIUM5AES_CLEAN_polyz_unpack(a, buf); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_challenge -* -* Description: Implementation of H. Samples polynomial with TAU nonzero -* coefficients in {-1,1} using the output stream of -* SHAKE256(seed). 
-* -* Arguments: - poly *c: pointer to output polynomial -* - const uint8_t mu[]: byte array containing seed of length SEEDBYTES -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]) { - unsigned int i, b, pos; - uint64_t signs; - uint8_t buf[SHAKE256_RATE]; - shake256incctx state; - - shake256_inc_init(&state); - shake256_inc_absorb(&state, seed, SEEDBYTES); - shake256_inc_finalize(&state); - shake256_inc_squeeze(buf, sizeof buf, &state); - - signs = 0; - for (i = 0; i < 8; ++i) { - signs |= (uint64_t)buf[i] << 8 * i; - } - pos = 8; - - for (i = 0; i < N; ++i) { - c->coeffs[i] = 0; - } - for (i = N - TAU; i < N; ++i) { - do { - if (pos >= SHAKE256_RATE) { - shake256_inc_squeeze(buf, sizeof buf, &state); - pos = 0; - } - - b = buf[pos++]; - } while (b > i); - - c->coeffs[i] = c->coeffs[b]; - c->coeffs[b] = 1 - 2 * (signs & 1); - signs >>= 1; - } - shake256_inc_ctx_release(&state); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_polyeta_pack -* -* Description: Bit-pack polynomial with coefficients in [-ETA,ETA]. 
-* -* Arguments: - uint8_t *r: pointer to output byte array with at least -* POLYETA_PACKEDBYTES bytes -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_polyeta_pack(uint8_t *r, const poly *a) { - unsigned int i; - uint8_t t[8]; - DBENCH_START(); - - for (i = 0; i < N / 8; ++i) { - t[0] = (uint8_t) (ETA - a->coeffs[8 * i + 0]); - t[1] = (uint8_t) (ETA - a->coeffs[8 * i + 1]); - t[2] = (uint8_t) (ETA - a->coeffs[8 * i + 2]); - t[3] = (uint8_t) (ETA - a->coeffs[8 * i + 3]); - t[4] = (uint8_t) (ETA - a->coeffs[8 * i + 4]); - t[5] = (uint8_t) (ETA - a->coeffs[8 * i + 5]); - t[6] = (uint8_t) (ETA - a->coeffs[8 * i + 6]); - t[7] = (uint8_t) (ETA - a->coeffs[8 * i + 7]); - - r[3 * i + 0] = (t[0] >> 0) | (t[1] << 3) | (t[2] << 6); - r[3 * i + 1] = (t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7); - r[3 * i + 2] = (t[5] >> 1) | (t[6] << 2) | (t[7] << 5); - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_polyeta_unpack -* -* Description: Unpack polynomial with coefficients in [-ETA,ETA]. 
-* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: byte array with bit-packed polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_polyeta_unpack(poly *r, const uint8_t *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N / 8; ++i) { - r->coeffs[8 * i + 0] = (a[3 * i + 0] >> 0) & 7; - r->coeffs[8 * i + 1] = (a[3 * i + 0] >> 3) & 7; - r->coeffs[8 * i + 2] = ((a[3 * i + 0] >> 6) | (a[3 * i + 1] << 2)) & 7; - r->coeffs[8 * i + 3] = (a[3 * i + 1] >> 1) & 7; - r->coeffs[8 * i + 4] = (a[3 * i + 1] >> 4) & 7; - r->coeffs[8 * i + 5] = ((a[3 * i + 1] >> 7) | (a[3 * i + 2] << 1)) & 7; - r->coeffs[8 * i + 6] = (a[3 * i + 2] >> 2) & 7; - r->coeffs[8 * i + 7] = (a[3 * i + 2] >> 5) & 7; - - r->coeffs[8 * i + 0] = ETA - r->coeffs[8 * i + 0]; - r->coeffs[8 * i + 1] = ETA - r->coeffs[8 * i + 1]; - r->coeffs[8 * i + 2] = ETA - r->coeffs[8 * i + 2]; - r->coeffs[8 * i + 3] = ETA - r->coeffs[8 * i + 3]; - r->coeffs[8 * i + 4] = ETA - r->coeffs[8 * i + 4]; - r->coeffs[8 * i + 5] = ETA - r->coeffs[8 * i + 5]; - r->coeffs[8 * i + 6] = ETA - r->coeffs[8 * i + 6]; - r->coeffs[8 * i + 7] = ETA - r->coeffs[8 * i + 7]; - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_polyt1_pack -* -* Description: Bit-pack polynomial t1 with coefficients fitting in 10 bits. -* Input coefficients are assumed to be standard representatives. 
-* -* Arguments: - uint8_t *r: pointer to output byte array with at least -* POLYT1_PACKEDBYTES bytes -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_polyt1_pack(uint8_t *r, const poly *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N / 4; ++i) { - r[5 * i + 0] = (uint8_t) (a->coeffs[4 * i + 0] >> 0); - r[5 * i + 1] = (uint8_t) ((a->coeffs[4 * i + 0] >> 8) | (a->coeffs[4 * i + 1] << 2)); - r[5 * i + 2] = (uint8_t) ((a->coeffs[4 * i + 1] >> 6) | (a->coeffs[4 * i + 2] << 4)); - r[5 * i + 3] = (uint8_t) ((a->coeffs[4 * i + 2] >> 4) | (a->coeffs[4 * i + 3] << 6)); - r[5 * i + 4] = (uint8_t) (a->coeffs[4 * i + 3] >> 2); - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_polyt1_unpack -* -* Description: Unpack polynomial t1 with 10-bit coefficients. -* Output coefficients are standard representatives. -* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: byte array with bit-packed polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_polyt1_unpack(poly *r, const uint8_t *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N / 4; ++i) { - r->coeffs[4 * i + 0] = ((a[5 * i + 0] >> 0) | ((uint32_t)a[5 * i + 1] << 8)) & 0x3FF; - r->coeffs[4 * i + 1] = ((a[5 * i + 1] >> 2) | ((uint32_t)a[5 * i + 2] << 6)) & 0x3FF; - r->coeffs[4 * i + 2] = ((a[5 * i + 2] >> 4) | ((uint32_t)a[5 * i + 3] << 4)) & 0x3FF; - r->coeffs[4 * i + 3] = ((a[5 * i + 3] >> 6) | ((uint32_t)a[5 * i + 4] << 2)) & 0x3FF; - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_polyt0_pack -* -* Description: Bit-pack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}]. 
-* -* Arguments: - uint8_t *r: pointer to output byte array with at least -* POLYT0_PACKEDBYTES bytes -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_polyt0_pack(uint8_t *r, const poly *a) { - unsigned int i; - uint32_t t[8]; - DBENCH_START(); - - for (i = 0; i < N / 8; ++i) { - t[0] = (1 << (D - 1)) - a->coeffs[8 * i + 0]; - t[1] = (1 << (D - 1)) - a->coeffs[8 * i + 1]; - t[2] = (1 << (D - 1)) - a->coeffs[8 * i + 2]; - t[3] = (1 << (D - 1)) - a->coeffs[8 * i + 3]; - t[4] = (1 << (D - 1)) - a->coeffs[8 * i + 4]; - t[5] = (1 << (D - 1)) - a->coeffs[8 * i + 5]; - t[6] = (1 << (D - 1)) - a->coeffs[8 * i + 6]; - t[7] = (1 << (D - 1)) - a->coeffs[8 * i + 7]; - - r[13 * i + 0] = (uint8_t) t[0]; - r[13 * i + 1] = (uint8_t) (t[0] >> 8); - r[13 * i + 1] |= (uint8_t) (t[1] << 5); - r[13 * i + 2] = (uint8_t) (t[1] >> 3); - r[13 * i + 3] = (uint8_t) (t[1] >> 11); - r[13 * i + 3] |= (uint8_t) (t[2] << 2); - r[13 * i + 4] = (uint8_t) (t[2] >> 6); - r[13 * i + 4] |= (uint8_t) (t[3] << 7); - r[13 * i + 5] = (uint8_t) (t[3] >> 1); - r[13 * i + 6] = (uint8_t) (t[3] >> 9); - r[13 * i + 6] |= (uint8_t) (t[4] << 4); - r[13 * i + 7] = (uint8_t) (t[4] >> 4); - r[13 * i + 8] = (uint8_t) (t[4] >> 12); - r[13 * i + 8] |= (uint8_t) (t[5] << 1); - r[13 * i + 9] = (uint8_t) (t[5] >> 7); - r[13 * i + 9] |= (uint8_t) (t[6] << 6); - r[13 * i + 10] = (uint8_t) (t[6] >> 2); - r[13 * i + 11] = (uint8_t) (t[6] >> 10); - r[13 * i + 11] |= (uint8_t) (t[7] << 3); - r[13 * i + 12] = (uint8_t) (t[7] >> 5); - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_polyt0_unpack -* -* Description: Unpack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}]. 
-* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: byte array with bit-packed polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_polyt0_unpack(poly *r, const uint8_t *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N / 8; ++i) { - r->coeffs[8 * i + 0] = a[13 * i + 0]; - r->coeffs[8 * i + 0] |= (uint32_t)a[13 * i + 1] << 8; - r->coeffs[8 * i + 0] &= 0x1FFF; - - r->coeffs[8 * i + 1] = a[13 * i + 1] >> 5; - r->coeffs[8 * i + 1] |= (uint32_t)a[13 * i + 2] << 3; - r->coeffs[8 * i + 1] |= (uint32_t)a[13 * i + 3] << 11; - r->coeffs[8 * i + 1] &= 0x1FFF; - - r->coeffs[8 * i + 2] = a[13 * i + 3] >> 2; - r->coeffs[8 * i + 2] |= (uint32_t)a[13 * i + 4] << 6; - r->coeffs[8 * i + 2] &= 0x1FFF; - - r->coeffs[8 * i + 3] = a[13 * i + 4] >> 7; - r->coeffs[8 * i + 3] |= (uint32_t)a[13 * i + 5] << 1; - r->coeffs[8 * i + 3] |= (uint32_t)a[13 * i + 6] << 9; - r->coeffs[8 * i + 3] &= 0x1FFF; - - r->coeffs[8 * i + 4] = a[13 * i + 6] >> 4; - r->coeffs[8 * i + 4] |= (uint32_t)a[13 * i + 7] << 4; - r->coeffs[8 * i + 4] |= (uint32_t)a[13 * i + 8] << 12; - r->coeffs[8 * i + 4] &= 0x1FFF; - - r->coeffs[8 * i + 5] = a[13 * i + 8] >> 1; - r->coeffs[8 * i + 5] |= (uint32_t)a[13 * i + 9] << 7; - r->coeffs[8 * i + 5] &= 0x1FFF; - - r->coeffs[8 * i + 6] = a[13 * i + 9] >> 6; - r->coeffs[8 * i + 6] |= (uint32_t)a[13 * i + 10] << 2; - r->coeffs[8 * i + 6] |= (uint32_t)a[13 * i + 11] << 10; - r->coeffs[8 * i + 6] &= 0x1FFF; - - r->coeffs[8 * i + 7] = a[13 * i + 11] >> 3; - r->coeffs[8 * i + 7] |= (uint32_t)a[13 * i + 12] << 5; - r->coeffs[8 * i + 7] &= 0x1FFF; - - r->coeffs[8 * i + 0] = (1 << (D - 1)) - r->coeffs[8 * i + 0]; - r->coeffs[8 * i + 1] = (1 << (D - 1)) - r->coeffs[8 * i + 1]; - r->coeffs[8 * i + 2] = (1 << (D - 1)) - r->coeffs[8 * i + 2]; - r->coeffs[8 * i + 3] = (1 << (D - 1)) - r->coeffs[8 * i + 3]; - r->coeffs[8 * i + 4] = (1 << (D - 1)) - r->coeffs[8 * i + 4]; - r->coeffs[8 * i + 5] = (1 << (D - 1)) 
- r->coeffs[8 * i + 5]; - r->coeffs[8 * i + 6] = (1 << (D - 1)) - r->coeffs[8 * i + 6]; - r->coeffs[8 * i + 7] = (1 << (D - 1)) - r->coeffs[8 * i + 7]; - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_polyz_pack -* -* Description: Bit-pack polynomial with coefficients -* in [-(GAMMA1 - 1), GAMMA1]. -* -* Arguments: - uint8_t *r: pointer to output byte array with at least -* POLYZ_PACKEDBYTES bytes -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_polyz_pack(uint8_t *r, const poly *a) { - unsigned int i; - uint32_t t[4]; - DBENCH_START(); - - for (i = 0; i < N / 2; ++i) { - t[0] = GAMMA1 - a->coeffs[2 * i + 0]; - t[1] = GAMMA1 - a->coeffs[2 * i + 1]; - - r[5 * i + 0] = (uint8_t) t[0]; - r[5 * i + 1] = (uint8_t) (t[0] >> 8); - r[5 * i + 2] = (uint8_t) (t[0] >> 16); - r[5 * i + 2] |= (uint8_t) (t[1] << 4); - r[5 * i + 3] = (uint8_t) (t[1] >> 4); - r[5 * i + 4] = (uint8_t) (t[1] >> 12); - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_polyz_unpack -* -* Description: Unpack polynomial z with coefficients -* in [-(GAMMA1 - 1), GAMMA1]. 
-* -* Arguments: - poly *r: pointer to output polynomial -* - const uint8_t *a: byte array with bit-packed polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_polyz_unpack(poly *r, const uint8_t *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N / 2; ++i) { - r->coeffs[2 * i + 0] = a[5 * i + 0]; - r->coeffs[2 * i + 0] |= (uint32_t)a[5 * i + 1] << 8; - r->coeffs[2 * i + 0] |= (uint32_t)a[5 * i + 2] << 16; - r->coeffs[2 * i + 0] &= 0xFFFFF; - - r->coeffs[2 * i + 1] = a[5 * i + 2] >> 4; - r->coeffs[2 * i + 1] |= (uint32_t)a[5 * i + 3] << 4; - r->coeffs[2 * i + 1] |= (uint32_t)a[5 * i + 4] << 12; - r->coeffs[2 * i + 0] &= 0xFFFFF; - - r->coeffs[2 * i + 0] = GAMMA1 - r->coeffs[2 * i + 0]; - r->coeffs[2 * i + 1] = GAMMA1 - r->coeffs[2 * i + 1]; - } - - DBENCH_STOP(*tpack); -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_polyw1_pack -* -* Description: Bit-pack polynomial w1 with coefficients in [0,15] or [0,43]. -* Input coefficients are assumed to be standard representatives. -* -* Arguments: - uint8_t *r: pointer to output byte array with at least -* POLYW1_PACKEDBYTES bytes -* - const poly *a: pointer to input polynomial -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_polyw1_pack(uint8_t *r, const poly *a) { - unsigned int i; - DBENCH_START(); - - for (i = 0; i < N / 2; ++i) { - r[i] = (uint8_t) (a->coeffs[2 * i + 0] | (a->coeffs[2 * i + 1] << 4)); - } - - DBENCH_STOP(*tpack); -} diff --git a/crypto_sign/dilithium5aes/clean/poly.h b/crypto_sign/dilithium5aes/clean/poly.h deleted file mode 100644 index e3055748..00000000 --- a/crypto_sign/dilithium5aes/clean/poly.h +++ /dev/null 
@@ -1,53 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM5AES_CLEAN_POLY_H
-#define PQCLEAN_DILITHIUM5AES_CLEAN_POLY_H
-#include "params.h"
-#include
-
-typedef struct {
- int32_t coeffs[N];
-} poly;
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_poly_reduce(poly *a);
-void PQCLEAN_DILITHIUM5AES_CLEAN_poly_caddq(poly *a);
-void PQCLEAN_DILITHIUM5AES_CLEAN_poly_freeze(poly *a);
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_poly_add(poly *c, const poly *a, const poly *b);
-void PQCLEAN_DILITHIUM5AES_CLEAN_poly_sub(poly *c, const poly *a, const poly *b);
-void PQCLEAN_DILITHIUM5AES_CLEAN_poly_shiftl(poly *a);
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_poly_ntt(poly *a);
-void PQCLEAN_DILITHIUM5AES_CLEAN_poly_invntt_tomont(poly *a);
-void PQCLEAN_DILITHIUM5AES_CLEAN_poly_pointwise_montgomery(poly *c, const poly *a, const poly *b);
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_poly_power2round(poly *a1, poly *a0, const poly *a);
-void PQCLEAN_DILITHIUM5AES_CLEAN_poly_decompose(poly *a1, poly *a0, const poly *a);
-unsigned int PQCLEAN_DILITHIUM5AES_CLEAN_poly_make_hint(poly *h, const poly *a0, const poly *a1);
-void PQCLEAN_DILITHIUM5AES_CLEAN_poly_use_hint(poly *b, const poly *a, const poly *h);
-
-int PQCLEAN_DILITHIUM5AES_CLEAN_poly_chknorm(const poly *a, int32_t B);
-void PQCLEAN_DILITHIUM5AES_CLEAN_poly_uniform(poly *a,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce);
-void PQCLEAN_DILITHIUM5AES_CLEAN_poly_uniform_eta(poly *a,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce);
-void PQCLEAN_DILITHIUM5AES_CLEAN_poly_uniform_gamma1(poly *a,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce);
-void PQCLEAN_DILITHIUM5AES_CLEAN_poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyeta_pack(uint8_t *r, const poly *a);
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyeta_unpack(poly *r, const uint8_t *a);
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyt1_pack(uint8_t *r, const poly *a);
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyt1_unpack(poly *r, const uint8_t *a);
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyt0_pack(uint8_t *r, const poly *a);
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyt0_unpack(poly *r, const uint8_t *a);
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyz_pack(uint8_t *r, const poly *a);
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyz_unpack(poly *r, const uint8_t *a);
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyw1_pack(uint8_t *r, const poly *a);
-
-#endif
diff --git a/crypto_sign/dilithium5aes/clean/polyvec.c b/crypto_sign/dilithium5aes/clean/polyvec.c
deleted file mode 100644
index 06609473..00000000
--- a/crypto_sign/dilithium5aes/clean/polyvec.c
+++ /dev/null
@@ -1,448 +0,0 @@ -#include "params.h" -#include "poly.h" -#include "polyvec.h" -#include - -/************************************************* -* Name: expand_mat -* -* Description: Implementation of ExpandA. Generates matrix A with uniformly -* random coefficients a_{i,j} by performing rejection -* sampling on the output stream of SHAKE128(rho|j|i) -* or AES256CTR(rho,j|i). -* -* Arguments: - polyvecl mat[K]: output matrix -* - const uint8_t rho[]: byte array containing seed rho -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) { - unsigned int i, j; - - for (i = 0; i < K; ++i) { - for (j = 0; j < L; ++j) { - PQCLEAN_DILITHIUM5AES_CLEAN_poly_uniform(&mat[i].vec[j], rho, (uint16_t) ((i << 8) + j)); - } - } -} - -void PQCLEAN_DILITHIUM5AES_CLEAN_polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_pointwise_acc_montgomery(&t->vec[i], &mat[i], v); - } -} - -/**************************************************************/ -/************ Vectors of polynomials of length L **************/ -/**************************************************************/ - -void PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM5AES_CLEAN_poly_uniform_eta(&v->vec[i], seed, nonce++); - } -} - -void PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM5AES_CLEAN_poly_uniform_gamma1(&v->vec[i], seed, (uint16_t) (L * nonce + i)); - } -} - -void PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_reduce(polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM5AES_CLEAN_poly_reduce(&v->vec[i]); - } -} - 
-/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_freeze -* -* Description: Reduce coefficients of polynomials in vector of length L -* to standard representatives. -* -* Arguments: - polyvecl *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_freeze(polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM5AES_CLEAN_poly_freeze(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_add -* -* Description: Add vectors of polynomials of length L. -* No modular reduction is performed. -* -* Arguments: - polyvecl *w: pointer to output vector -* - const polyvecl *u: pointer to first summand -* - const polyvecl *v: pointer to second summand -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM5AES_CLEAN_poly_add(&w->vec[i], &u->vec[i], &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_ntt -* -* Description: Forward NTT of all polynomials in vector of length L. Output -* coefficients can be up to 16*Q larger than input coefficients. 
-* -* Arguments: - polyvecl *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_ntt(polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM5AES_CLEAN_poly_ntt(&v->vec[i]); - } -} - -void PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_invntt_tomont(polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM5AES_CLEAN_poly_invntt_tomont(&v->vec[i]); - } -} - -void PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v) { - unsigned int i; - - for (i = 0; i < L; ++i) { - PQCLEAN_DILITHIUM5AES_CLEAN_poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_pointwise_acc_montgomery -* -* Description: Pointwise multiply vectors of polynomials of length L, multiply -* resulting vector by 2^{-32} and add (accumulate) polynomials -* in it. Input/output vectors are in NTT domain representation. -* -* Arguments: - poly *w: output polynomial -* - const polyvecl *u: pointer to first input vector -* - const polyvecl *v: pointer to second input vector -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_pointwise_acc_montgomery(poly *w, - const polyvecl *u, - const polyvecl *v) { - unsigned int i; - poly t; - - PQCLEAN_DILITHIUM5AES_CLEAN_poly_pointwise_montgomery(w, &u->vec[0], &v->vec[0]); - for (i = 1; i < L; ++i) { - PQCLEAN_DILITHIUM5AES_CLEAN_poly_pointwise_montgomery(&t, &u->vec[i], &v->vec[i]); - PQCLEAN_DILITHIUM5AES_CLEAN_poly_add(w, w, &t); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_chknorm -* -* Description: Check infinity norm of polynomials in vector of length L. -* Assumes input polyvecl to be reduced by PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_reduce(). 
-* -* Arguments: - const polyvecl *v: pointer to vector -* - int32_t B: norm bound -* -* Returns 0 if norm of all polynomials is strictly smaller than B <= (Q-1)/8 -* and 1 otherwise. -**************************************************/ -int PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_chknorm(const polyvecl *v, int32_t bound) { - unsigned int i; - - for (i = 0; i < L; ++i) { - if (PQCLEAN_DILITHIUM5AES_CLEAN_poly_chknorm(&v->vec[i], bound)) { - return 1; - } - } - - return 0; -} - -/**************************************************************/ -/************ Vectors of polynomials of length K **************/ -/**************************************************************/ - -void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM5AES_CLEAN_poly_uniform_eta(&v->vec[i], seed, nonce++); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_reduce -* -* Description: Reduce coefficients of polynomials in vector of length K -* to representatives in [-6283009,6283007]. -* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_reduce(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM5AES_CLEAN_poly_reduce(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_caddq -* -* Description: For all coefficients of polynomials in vector of length K -* add Q if coefficient is negative. 
-* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_caddq(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM5AES_CLEAN_poly_caddq(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_freeze -* -* Description: Reduce coefficients of polynomials in vector of length K -* to standard representatives. -* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_freeze(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM5AES_CLEAN_poly_freeze(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_add -* -* Description: Add vectors of polynomials of length K. -* No modular reduction is performed. -* -* Arguments: - polyveck *w: pointer to output vector -* - const polyveck *u: pointer to first summand -* - const polyveck *v: pointer to second summand -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_add(polyveck *w, const polyveck *u, const polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM5AES_CLEAN_poly_add(&w->vec[i], &u->vec[i], &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_sub -* -* Description: Subtract vectors of polynomials of length K. -* No modular reduction is performed. 
-* -* Arguments: - polyveck *w: pointer to output vector -* - const polyveck *u: pointer to first input vector -* - const polyveck *v: pointer to second input vector to be -* subtracted from first input vector -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM5AES_CLEAN_poly_sub(&w->vec[i], &u->vec[i], &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_shiftl -* -* Description: Multiply vector of polynomials of Length K by 2^D without modular -* reduction. Assumes input coefficients to be less than 2^{31-D}. -* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_shiftl(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM5AES_CLEAN_poly_shiftl(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_ntt -* -* Description: Forward NTT of all polynomials in vector of length K. Output -* coefficients can be up to 16*Q larger than input coefficients. -* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_ntt(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM5AES_CLEAN_poly_ntt(&v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_invntt_tomont -* -* Description: Inverse NTT and multiplication by 2^{32} of polynomials -* in vector of length K. Input coefficients need to be less -* than 2*Q. 
-* -* Arguments: - polyveck *v: pointer to input/output vector -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_invntt_tomont(polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM5AES_CLEAN_poly_invntt_tomont(&v->vec[i]); - } -} - -void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM5AES_CLEAN_poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]); - } -} - - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_chknorm -* -* Description: Check infinity norm of polynomials in vector of length K. -* Assumes input polyveck to be reduced by PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_reduce(). -* -* Arguments: - const polyveck *v: pointer to vector -* - int32_t B: norm bound -* -* Returns 0 if norm of all polynomials are strictly smaller than B <= (Q-1)/8 -* and 1 otherwise. -**************************************************/ -int PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_chknorm(const polyveck *v, int32_t bound) { - unsigned int i; - - for (i = 0; i < K; ++i) { - if (PQCLEAN_DILITHIUM5AES_CLEAN_poly_chknorm(&v->vec[i], bound)) { - return 1; - } - } - - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_power2round -* -* Description: For all coefficients a of polynomials in vector of length K, -* compute a0, a1 such that a mod^+ Q = a1*2^D + a0 -* with -2^{D-1} < a0 <= 2^{D-1}. Assumes coefficients to be -* standard representatives. 
-* -* Arguments: - polyveck *v1: pointer to output vector of polynomials with -* coefficients a1 -* - polyveck *v0: pointer to output vector of polynomials with -* coefficients a0 -* - const polyveck *v: pointer to input vector -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM5AES_CLEAN_poly_power2round(&v1->vec[i], &v0->vec[i], &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_decompose -* -* Description: For all coefficients a of polynomials in vector of length K, -* compute high and low bits a0, a1 such a mod^+ Q = a1*ALPHA + a0 -* with -ALPHA/2 < a0 <= ALPHA/2 except a1 = (Q-1)/ALPHA where we -* set a1 = 0 and -ALPHA/2 <= a0 = a mod Q - Q < 0. -* Assumes coefficients to be standard representatives. -* -* Arguments: - polyveck *v1: pointer to output vector of polynomials with -* coefficients a1 -* - polyveck *v0: pointer to output vector of polynomials with -* coefficients a0 -* - const polyveck *v: pointer to input vector -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM5AES_CLEAN_poly_decompose(&v1->vec[i], &v0->vec[i], &v->vec[i]); - } -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_make_hint -* -* Description: Compute hint vector. -* -* Arguments: - polyveck *h: pointer to output vector -* - const polyveck *v0: pointer to low part of input vector -* - const polyveck *v1: pointer to high part of input vector -* -* Returns number of 1 bits. 
-**************************************************/ -unsigned int PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_make_hint(polyveck *h, - const polyveck *v0, - const polyveck *v1) { - unsigned int i, s = 0; - - for (i = 0; i < K; ++i) { - s += PQCLEAN_DILITHIUM5AES_CLEAN_poly_make_hint(&h->vec[i], &v0->vec[i], &v1->vec[i]); - } - - return s; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_use_hint -* -* Description: Use hint vector to correct the high bits of input vector. -* -* Arguments: - polyveck *w: pointer to output vector of polynomials with -* corrected high bits -* - const polyveck *u: pointer to input vector -* - const polyveck *h: pointer to input hint vector -**************************************************/ -void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM5AES_CLEAN_poly_use_hint(&w->vec[i], &u->vec[i], &h->vec[i]); - } -} - -void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_pack_w1(uint8_t r[K * POLYW1_PACKEDBYTES], const polyveck *w1) { - unsigned int i; - - for (i = 0; i < K; ++i) { - PQCLEAN_DILITHIUM5AES_CLEAN_polyw1_pack(&r[i * POLYW1_PACKEDBYTES], &w1->vec[i]); - } -} diff --git a/crypto_sign/dilithium5aes/clean/polyvec.h b/crypto_sign/dilithium5aes/clean/polyvec.h deleted file mode 100644 index 139a99ca..00000000 --- a/crypto_sign/dilithium5aes/clean/polyvec.h +++ /dev/null 
@@ -1,68 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM5AES_CLEAN_POLYVEC_H
-#define PQCLEAN_DILITHIUM5AES_CLEAN_POLYVEC_H
-#include "params.h"
-#include "poly.h"
-#include
-
-/* Vectors of polynomials of length L */
-typedef struct {
- poly vec[L];
-} polyvecl;
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_reduce(polyvecl *v);
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_freeze(polyvecl *v);
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v);
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_ntt(polyvecl *v);
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_invntt_tomont(polyvecl *v);
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v);
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_pointwise_acc_montgomery(poly *w,
- const polyvecl *u,
- const polyvecl *v);
-
-
-int PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_chknorm(const polyvecl *v, int32_t B);
-
-
-
-/* Vectors of polynomials of length K */
-typedef struct {
- poly vec[K];
-} polyveck;
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_reduce(polyveck *v);
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_caddq(polyveck *v);
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_freeze(polyveck *v);
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_add(polyveck *w, const polyveck *u, const polyveck *v);
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v);
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_shiftl(polyveck *v);
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_ntt(polyveck *v);
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_invntt_tomont(polyveck *v);
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v);
-
-int PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_chknorm(const polyveck *v, int32_t B);
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v);
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v);
-unsigned int PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_make_hint(polyveck *h,
- const polyveck *v0,
- const polyveck *v1);
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h);
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_pack_w1(uint8_t r[K * POLYW1_PACKEDBYTES], const polyveck *w1);
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]);
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v);
-
-#endif
diff --git a/crypto_sign/dilithium5aes/clean/reduce.c b/crypto_sign/dilithium5aes/clean/reduce.c
deleted file mode 100644
index a98bdb6c..00000000
--- a/crypto_sign/dilithium5aes/clean/reduce.c
+++ /dev/null
@@ -1,69 +0,0 @@
-#include "params.h"
-#include "reduce.h"
-#include
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_CLEAN_montgomery_reduce
-*
-* Description: For finite field element a with -2^{31}Q <= a <= Q*2^31,
-* compute r \equiv a*2^{-32} (mod Q) such that -Q < r < Q.
-*
-* Arguments: - int64_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t PQCLEAN_DILITHIUM5AES_CLEAN_montgomery_reduce(int64_t a) {
- int32_t t;
-
- t = (int32_t)((uint64_t)a * (uint64_t)QINV);
- t = (a - (int64_t)t * Q) >> 32;
- return t;
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_CLEAN_reduce32
-*
-* Description: For finite field element a with a <= 2^{31} - 2^{22} - 1,
-* compute r \equiv a (mod Q) such that -6283009 <= r <= 6283007.
-*
-* Arguments: - int32_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t PQCLEAN_DILITHIUM5AES_CLEAN_reduce32(int32_t a) {
- int32_t t;
-
- t = (a + (1 << 22)) >> 23;
- t = a - t * Q;
- return t;
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_CLEAN_caddq
-*
-* Description: Add Q if input coefficient is negative.
-*
-* Arguments: - int32_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t PQCLEAN_DILITHIUM5AES_CLEAN_caddq(int32_t a) {
- a += (a >> 31) & Q;
- return a;
-}
-
-/*************************************************
-* Name: PQCLEAN_DILITHIUM5AES_CLEAN_freeze
-*
-* Description: For finite field element a, compute standard
-* representative r = a mod^+ Q.
-*
-* Arguments: - int32_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t PQCLEAN_DILITHIUM5AES_CLEAN_freeze(int32_t a) {
- a = PQCLEAN_DILITHIUM5AES_CLEAN_reduce32(a);
- a = PQCLEAN_DILITHIUM5AES_CLEAN_caddq(a);
- return a;
-}
diff --git a/crypto_sign/dilithium5aes/clean/reduce.h b/crypto_sign/dilithium5aes/clean/reduce.h
deleted file mode 100644
index b52d4e9b..00000000
--- a/crypto_sign/dilithium5aes/clean/reduce.h
+++ /dev/null
@@ -1,17 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM5AES_CLEAN_REDUCE_H
-#define PQCLEAN_DILITHIUM5AES_CLEAN_REDUCE_H
-#include "params.h"
-#include
-
-#define MONT (-4186625) // 2^32 % Q
-#define QINV 58728449 // q^(-1) mod 2^32
-
-int32_t PQCLEAN_DILITHIUM5AES_CLEAN_montgomery_reduce(int64_t a);
-
-int32_t PQCLEAN_DILITHIUM5AES_CLEAN_reduce32(int32_t a);
-
-int32_t PQCLEAN_DILITHIUM5AES_CLEAN_caddq(int32_t a);
-
-int32_t PQCLEAN_DILITHIUM5AES_CLEAN_freeze(int32_t a);
-
-#endif
diff --git a/crypto_sign/dilithium5aes/clean/rounding.c b/crypto_sign/dilithium5aes/clean/rounding.c
deleted file mode 100644
index ee8a6cb1..00000000
--- a/crypto_sign/dilithium5aes/clean/rounding.c
+++ /dev/null
@@ -1,92 +0,0 @@ -#include "params.h" -#include "rounding.h" -#include - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_power2round -* -* Description: For finite field element a, compute a0, a1 such that -* a mod^+ Q = a1*2^D + a0 with -2^{D-1} < a0 <= 2^{D-1}. -* Assumes a to be standard representative. -* -* Arguments: - int32_t a: input element -* - int32_t *a0: pointer to output element a0 -* -* Returns a1. -**************************************************/ -int32_t PQCLEAN_DILITHIUM5AES_CLEAN_power2round(int32_t *a0, int32_t a) { - int32_t a1; - - a1 = (a + (1 << (D - 1)) - 1) >> D; - *a0 = a - (a1 << D); - return a1; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_decompose -* -* Description: For finite field element a, compute high and low bits a0, a1 such -* that a mod^+ Q = a1*ALPHA + a0 with -ALPHA/2 < a0 <= ALPHA/2 except -* if a1 = (Q-1)/ALPHA where we set a1 = 0 and -* -ALPHA/2 <= a0 = a mod^+ Q - Q < 0. Assumes a to be standard -* representative. -* -* Arguments: - int32_t a: input element -* - int32_t *a0: pointer to output element a0 -* -* Returns a1. -**************************************************/ -int32_t PQCLEAN_DILITHIUM5AES_CLEAN_decompose(int32_t *a0, int32_t a) { - int32_t a1; - - a1 = (a + 127) >> 7; - a1 = (a1 * 1025 + (1 << 21)) >> 22; - a1 &= 15; - - *a0 = a - a1 * 2 * GAMMA2; - *a0 -= (((Q - 1) / 2 - *a0) >> 31) & Q; - return a1; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_make_hint -* -* Description: Compute hint bit indicating whether the low bits of the -* input element overflow into the high bits. -* -* Arguments: - int32_t a0: low bits of input element -* - int32_t a1: high bits of input element -* -* Returns 1 if overflow. 
-**************************************************/ -unsigned int PQCLEAN_DILITHIUM5AES_CLEAN_make_hint(int32_t a0, int32_t a1) { - if (a0 > GAMMA2 || a0 < -GAMMA2 || (a0 == -GAMMA2 && a1 != 0)) { - return 1; - } - - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_use_hint -* -* Description: Correct high bits according to hint. -* -* Arguments: - int32_t a: input element -* - unsigned int hint: hint bit -* -* Returns corrected high bits. -**************************************************/ -int32_t PQCLEAN_DILITHIUM5AES_CLEAN_use_hint(int32_t a, unsigned int hint) { - int32_t a0, a1; - - a1 = PQCLEAN_DILITHIUM5AES_CLEAN_decompose(&a0, a); - if (hint == 0) { - return a1; - } - - if (a0 > 0) { - return (a1 + 1) & 15; - } - return (a1 - 1) & 15; -} diff --git a/crypto_sign/dilithium5aes/clean/rounding.h b/crypto_sign/dilithium5aes/clean/rounding.h deleted file mode 100644 index 5ddebe00..00000000 --- a/crypto_sign/dilithium5aes/clean/rounding.h +++ /dev/null @@ -1,14 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM5AES_CLEAN_ROUNDING_H -#define PQCLEAN_DILITHIUM5AES_CLEAN_ROUNDING_H -#include "params.h" -#include - -int32_t PQCLEAN_DILITHIUM5AES_CLEAN_power2round(int32_t *a0, int32_t a); - -int32_t PQCLEAN_DILITHIUM5AES_CLEAN_decompose(int32_t *a0, int32_t a); - -unsigned int PQCLEAN_DILITHIUM5AES_CLEAN_make_hint(int32_t a0, int32_t a1); - -int32_t PQCLEAN_DILITHIUM5AES_CLEAN_use_hint(int32_t a, unsigned int hint); - -#endif diff --git a/crypto_sign/dilithium5aes/clean/sign.c b/crypto_sign/dilithium5aes/clean/sign.c deleted file mode 100644 index 3ce07c18..00000000 --- a/crypto_sign/dilithium5aes/clean/sign.c +++ /dev/null 
@@ -1,343 +0,0 @@ -#include "fips202.h" -#include "packing.h" -#include "params.h" -#include "poly.h" -#include "polyvec.h" -#include "randombytes.h" -#include "sign.h" -#include "symmetric.h" -#include - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_crypto_sign_keypair -* -* Description: Generates public and private key. -* -* Arguments: - uint8_t *pk: pointer to output public key (allocated -* array of PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_PUBLICKEYBYTES bytes) -* - uint8_t *sk: pointer to output private key (allocated -* array of PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_SECRETKEYBYTES bytes) -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_DILITHIUM5AES_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { - uint8_t seedbuf[3 * SEEDBYTES]; - uint8_t tr[CRHBYTES]; - const uint8_t *rho, *rhoprime, *key; - polyvecl mat[K]; - polyvecl s1, s1hat; - polyveck s2, t1, t0; - - /* Get randomness for rho, rhoprime and key */ - randombytes(seedbuf, SEEDBYTES); - shake256(seedbuf, 3 * SEEDBYTES, seedbuf, SEEDBYTES); - rho = seedbuf; - rhoprime = seedbuf + SEEDBYTES; - key = seedbuf + 2 * SEEDBYTES; - - /* Expand matrix */ - PQCLEAN_DILITHIUM5AES_CLEAN_polyvec_matrix_expand(mat, rho); - - /* Sample short vectors s1 and s2 */ - PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_uniform_eta(&s1, rhoprime, 0); - PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_uniform_eta(&s2, rhoprime, L); - - /* Matrix-vector multiplication */ - s1hat = s1; - PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_ntt(&s1hat); - PQCLEAN_DILITHIUM5AES_CLEAN_polyvec_matrix_pointwise_montgomery(&t1, mat, &s1hat); - PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_reduce(&t1); - PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_invntt_tomont(&t1); - - /* Add error vector s2 */ - PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_add(&t1, &t1, &s2); - - /* Extract t1 and write public key */ - PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_caddq(&t1); - PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_power2round(&t1, &t0, 
&t1); - PQCLEAN_DILITHIUM5AES_CLEAN_pack_pk(pk, rho, &t1); - - /* Compute CRH(rho, t1) and write secret key */ - crh(tr, pk, PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_PUBLICKEYBYTES); - PQCLEAN_DILITHIUM5AES_CLEAN_pack_sk(sk, rho, tr, key, &t0, &s1, &s2); - - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_crypto_sign_signature -* -* Description: Computes signature. -* -* Arguments: - uint8_t *sig: pointer to output signature (of length PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_BYTES) -* - size_t *siglen: pointer to output length of signature -* - uint8_t *m: pointer to message to be signed -* - size_t mlen: length of message -* - uint8_t *sk: pointer to bit-packed secret key -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_DILITHIUM5AES_CLEAN_crypto_sign_signature(uint8_t *sig, - size_t *siglen, - const uint8_t *m, - size_t mlen, - const uint8_t *sk) { - unsigned int n; - uint8_t seedbuf[2 * SEEDBYTES + 3 * CRHBYTES]; - uint8_t *rho, *tr, *key, *mu, *rhoprime; - uint16_t nonce = 0; - polyvecl mat[K], s1, y, z; - polyveck t0, s2, w1, w0, h; - poly cp; - shake256incctx state; - - rho = seedbuf; - tr = rho + SEEDBYTES; - key = tr + CRHBYTES; - mu = key + SEEDBYTES; - rhoprime = mu + CRHBYTES; - PQCLEAN_DILITHIUM5AES_CLEAN_unpack_sk(rho, tr, key, &t0, &s1, &s2, sk); - - /* Compute CRH(tr, msg) */ - shake256_inc_init(&state); - shake256_inc_absorb(&state, tr, CRHBYTES); - shake256_inc_absorb(&state, m, mlen); - shake256_inc_finalize(&state); - shake256_inc_squeeze(mu, CRHBYTES, &state); - shake256_inc_ctx_release(&state); - - crh(rhoprime, key, SEEDBYTES + CRHBYTES); - - /* Expand matrix and transform vectors */ - PQCLEAN_DILITHIUM5AES_CLEAN_polyvec_matrix_expand(mat, rho); - PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_ntt(&s1); - PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_ntt(&s2); - PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_ntt(&t0); - -rej: - /* Sample intermediate vector y */ - 
PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_uniform_gamma1(&y, rhoprime, nonce++); - - /* Matrix-vector multiplication */ - z = y; - PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_ntt(&z); - PQCLEAN_DILITHIUM5AES_CLEAN_polyvec_matrix_pointwise_montgomery(&w1, mat, &z); - PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_reduce(&w1); - PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_invntt_tomont(&w1); - - /* Decompose w and call the random oracle */ - PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_caddq(&w1); - PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_decompose(&w1, &w0, &w1); - PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_pack_w1(sig, &w1); - - shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); - shake256_inc_absorb(&state, sig, K * POLYW1_PACKEDBYTES); - shake256_inc_finalize(&state); - shake256_inc_squeeze(sig, SEEDBYTES, &state); - shake256_inc_ctx_release(&state); - PQCLEAN_DILITHIUM5AES_CLEAN_poly_challenge(&cp, sig); - PQCLEAN_DILITHIUM5AES_CLEAN_poly_ntt(&cp); - - /* Compute z, reject if it reveals secret */ - PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_pointwise_poly_montgomery(&z, &cp, &s1); - PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_invntt_tomont(&z); - PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_add(&z, &z, &y); - PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_reduce(&z); - if (PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_chknorm(&z, GAMMA1 - BETA)) { - goto rej; - } - - /* Check that subtracting cs2 does not change high bits of w and low bits - * do not reveal secret information */ - PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_pointwise_poly_montgomery(&h, &cp, &s2); - PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_invntt_tomont(&h); - PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_sub(&w0, &w0, &h); - PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_reduce(&w0); - if (PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_chknorm(&w0, GAMMA2 - BETA)) { - goto rej; - } - - /* Compute hints for w1 */ - PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_pointwise_poly_montgomery(&h, &cp, &t0); - PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_invntt_tomont(&h); - PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_reduce(&h); 
- if (PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_chknorm(&h, GAMMA2)) { - goto rej; - } - - PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_add(&w0, &w0, &h); - n = PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_make_hint(&h, &w0, &w1); - if (n > OMEGA) { - goto rej; - } - - /* Write signature */ - PQCLEAN_DILITHIUM5AES_CLEAN_pack_sig(sig, sig, &z, &h); - *siglen = PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_BYTES; - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_crypto_sign -* -* Description: Compute signed message. -* -* Arguments: - uint8_t *sm: pointer to output signed message (allocated -* array with PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_BYTES + mlen bytes), -* can be equal to m -* - size_t *smlen: pointer to output length of signed -* message -* - const uint8_t *m: pointer to message to be signed -* - size_t mlen: length of message -* - const uint8_t *sk: pointer to bit-packed secret key -* -* Returns 0 (success) -**************************************************/ -int PQCLEAN_DILITHIUM5AES_CLEAN_crypto_sign(uint8_t *sm, - size_t *smlen, - const uint8_t *m, - size_t mlen, - const uint8_t *sk) { - size_t i; - - for (i = 0; i < mlen; ++i) { - sm[PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_BYTES + mlen - 1 - i] = m[mlen - 1 - i]; - } - PQCLEAN_DILITHIUM5AES_CLEAN_crypto_sign_signature(sm, smlen, sm + PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_BYTES, mlen, sk); - *smlen += mlen; - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_crypto_sign_verify -* -* Description: Verifies signature. 
-* -* Arguments: - uint8_t *m: pointer to input signature -* - size_t siglen: length of signature -* - const uint8_t *m: pointer to message -* - size_t mlen: length of message -* - const uint8_t *pk: pointer to bit-packed public key -* -* Returns 0 if signature could be verified correctly and -1 otherwise -**************************************************/ -int PQCLEAN_DILITHIUM5AES_CLEAN_crypto_sign_verify(const uint8_t *sig, - size_t siglen, - const uint8_t *m, - size_t mlen, - const uint8_t *pk) { - unsigned int i; - uint8_t buf[K * POLYW1_PACKEDBYTES]; - uint8_t rho[SEEDBYTES]; - uint8_t mu[CRHBYTES]; - uint8_t c[SEEDBYTES]; - uint8_t c2[SEEDBYTES]; - poly cp; - polyvecl mat[K], z; - polyveck t1, w1, h; - shake256incctx state; - - if (siglen != PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_BYTES) { - return -1; - } - - PQCLEAN_DILITHIUM5AES_CLEAN_unpack_pk(rho, &t1, pk); - if (PQCLEAN_DILITHIUM5AES_CLEAN_unpack_sig(c, &z, &h, sig)) { - return -1; - } - if (PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_chknorm(&z, GAMMA1 - BETA)) { - return -1; - } - - /* Compute CRH(CRH(rho, t1), msg) */ - crh(mu, pk, PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_PUBLICKEYBYTES); - shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); - shake256_inc_absorb(&state, m, mlen); - shake256_inc_finalize(&state); - shake256_inc_squeeze(mu, CRHBYTES, &state); - shake256_inc_ctx_release(&state); - - /* Matrix-vector multiplication; compute Az - c2^dt1 */ - PQCLEAN_DILITHIUM5AES_CLEAN_poly_challenge(&cp, c); - PQCLEAN_DILITHIUM5AES_CLEAN_polyvec_matrix_expand(mat, rho); - - PQCLEAN_DILITHIUM5AES_CLEAN_polyvecl_ntt(&z); - PQCLEAN_DILITHIUM5AES_CLEAN_polyvec_matrix_pointwise_montgomery(&w1, mat, &z); - - PQCLEAN_DILITHIUM5AES_CLEAN_poly_ntt(&cp); - PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_shiftl(&t1); - PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_ntt(&t1); - PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_pointwise_poly_montgomery(&t1, &cp, &t1); - - PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_sub(&w1, &w1, &t1); - 
PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_reduce(&w1); - PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_invntt_tomont(&w1); - - /* Reconstruct w1 */ - PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_caddq(&w1); - PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_use_hint(&w1, &w1, &h); - PQCLEAN_DILITHIUM5AES_CLEAN_polyveck_pack_w1(buf, &w1); - - /* Call random oracle and verify PQCLEAN_DILITHIUM5AES_CLEAN_challenge */ - shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); - shake256_inc_absorb(&state, buf, K * POLYW1_PACKEDBYTES); - shake256_inc_finalize(&state); - shake256_inc_squeeze(c2, SEEDBYTES, &state); - shake256_inc_ctx_release(&state); - for (i = 0; i < SEEDBYTES; ++i) { - if (c[i] != c2[i]) { - return -1; - } - } - - return 0; -} - -/************************************************* -* Name: PQCLEAN_DILITHIUM5AES_CLEAN_crypto_sign_open -* -* Description: Verify signed message. -* -* Arguments: - uint8_t *m: pointer to output message (allocated -* array with smlen bytes), can be equal to sm -* - size_t *mlen: pointer to output length of message -* - const uint8_t *sm: pointer to signed message -* - size_t smlen: length of signed message -* - const uint8_t *pk: pointer to bit-packed public key -* -* Returns 0 if signed message could be verified correctly and -1 otherwise -**************************************************/ -int PQCLEAN_DILITHIUM5AES_CLEAN_crypto_sign_open(uint8_t *m, - size_t *mlen, - const uint8_t *sm, - size_t smlen, - const uint8_t *pk) { - size_t i; - - if (smlen < PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_BYTES) { - goto badsig; - } - - *mlen = smlen - PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_BYTES; - if (PQCLEAN_DILITHIUM5AES_CLEAN_crypto_sign_verify(sm, PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_BYTES, sm + PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_BYTES, *mlen, pk)) { - goto badsig; - } else { - /* All good, copy msg, return 0 */ - for (i = 0; i < *mlen; ++i) { - m[i] = sm[PQCLEAN_DILITHIUM5AES_CLEAN_CRYPTO_BYTES + i]; - } - return 0; - } - -badsig: - /* Signature verification 
failed */ - *mlen = (size_t) -1; - for (i = 0; i < smlen; ++i) { - m[i] = 0; - } - - return -1; -} diff --git a/crypto_sign/dilithium5aes/clean/sign.h b/crypto_sign/dilithium5aes/clean/sign.h deleted file mode 100644 index 5f79f48a..00000000 --- a/crypto_sign/dilithium5aes/clean/sign.h +++ /dev/null @@ -1,29 +0,0 @@ -#ifndef PQCLEAN_DILITHIUM5AES_CLEAN_SIGN_H -#define PQCLEAN_DILITHIUM5AES_CLEAN_SIGN_H -#include "params.h" -#include "poly.h" -#include "polyvec.h" -#include -#include - -void PQCLEAN_DILITHIUM5AES_CLEAN_challenge(poly *c, const uint8_t seed[SEEDBYTES]); - -int PQCLEAN_DILITHIUM5AES_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk); - -int PQCLEAN_DILITHIUM5AES_CLEAN_crypto_sign_signature(uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -int PQCLEAN_DILITHIUM5AES_CLEAN_crypto_sign(uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -int PQCLEAN_DILITHIUM5AES_CLEAN_crypto_sign_verify(const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, - const uint8_t *pk); - -int PQCLEAN_DILITHIUM5AES_CLEAN_crypto_sign_open(uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *pk); - -#endif diff --git a/crypto_sign/dilithium5aes/clean/symmetric-aes.c b/crypto_sign/dilithium5aes/clean/symmetric-aes.c deleted file mode 100644 index d69ce894..00000000 --- a/crypto_sign/dilithium5aes/clean/symmetric-aes.c +++ /dev/null @@ -1,12 +0,0 @@ -#include "aes256ctr.h" -#include "symmetric.h" -#include - -void PQCLEAN_DILITHIUM5AES_CLEAN_dilithium_aes256ctr_init(aes256ctr_ctx *state, - const uint8_t key[32], - uint16_t nonce) { - uint8_t expnonce[12] = {0}; - expnonce[0] = (uint8_t) nonce; - expnonce[1] = (uint8_t) (nonce >> 8); - PQCLEAN_DILITHIUM5AES_CLEAN_aes256ctr_init(state, key, expnonce); -} diff --git a/crypto_sign/dilithium5aes/clean/symmetric.h b/crypto_sign/dilithium5aes/clean/symmetric.h deleted file mode 100644 index 8799e987..00000000 
--- a/crypto_sign/dilithium5aes/clean/symmetric.h
+++ /dev/null
@@ -1,33 +0,0 @@
-#ifndef PQCLEAN_DILITHIUM5AES_CLEAN_SYMMETRIC_H
-#define PQCLEAN_DILITHIUM5AES_CLEAN_SYMMETRIC_H
-#include "aes256ctr.h"
-#include "fips202.h"
-#include "params.h"
-#include 
-
-
-
-typedef aes256ctr_ctx stream128_state;
-typedef aes256ctr_ctx stream256_state;
-
-void PQCLEAN_DILITHIUM5AES_CLEAN_dilithium_aes256ctr_init(aes256ctr_ctx *state,
- const uint8_t key[32],
- uint16_t nonce);
-
-#define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES
-#define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define crh(OUT, IN, INBYTES) shake256(OUT, CRHBYTES, IN, INBYTES)
-#define stream128_init(STATE, SEED, NONCE) \
- PQCLEAN_DILITHIUM5AES_CLEAN_dilithium_aes256ctr_init(STATE, SEED, NONCE)
-#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- PQCLEAN_DILITHIUM5AES_CLEAN_aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream128_release(STATE)
-#define stream256_init(STATE, SEED, NONCE) \
- PQCLEAN_DILITHIUM5AES_CLEAN_dilithium_aes256ctr_init(STATE, SEED, NONCE)
-#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- PQCLEAN_DILITHIUM5AES_CLEAN_aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream256_release(STATE)
-
-
-#endif
diff --git a/crypto_sign/rainbowI-circumzenithal/META.yml b/crypto_sign/rainbowI-circumzenithal/META.yml
deleted file mode 100644
index e98c989b..00000000
--- a/crypto_sign/rainbowI-circumzenithal/META.yml
+++ /dev/null
@@ -1,20 +0,0 @@ -name: "RAINBOW(16,36,32,32) - circumzenithal" -type: signature -claimed-nist-level: 1 -length-public-key: 60192 -length-secret-key: 103648 -length-signature: 66 -nistkat-sha256: 819bd33be86eea97c3da516b7dfbe4885ea7dfad6c44d196f5fd7c1c8b00b8a7 -testvectors-sha256: 2cc6d4b3e394832f19ca312ba1ddefcdade1e105b348782d7c6f201635506307 -principal-submitters: - - Jintai Ding -auxiliary-submitters: - - Ming-Shing Chen - - Matthias Kannwischer - - Jacques Patarin - - Albrecht Petzoldt - - Dieter Schmidt - - Bo-Yin Yang -implementations: - - name: clean - version: https://github.com/fast-crypto-lab/rainbow-submission-round2/commit/173ada0e077e1b9dbd8e4a78994f87acc0c92263 diff --git a/crypto_sign/rainbowI-circumzenithal/clean/LICENSE b/crypto_sign/rainbowI-circumzenithal/clean/LICENSE deleted file mode 100644 index cb00a6e3..00000000 --- a/crypto_sign/rainbowI-circumzenithal/clean/LICENSE +++ /dev/null @@ -1,8 +0,0 @@ -`Software implementation of Rainbow for NIST R2 submission' by Ming-Shing Chen - -To the extent possible under law, the person who associated CC0 with -`Software implementation of Rainbow for NIST R2 submission' has waived all copyright and related or neighboring rights -to `Software implementation of Rainbow for NIST R2 submission'. - -You should have received a copy of the CC0 legalcode along with this -work. If not, see . diff --git a/crypto_sign/rainbowI-circumzenithal/clean/Makefile.Microsoft_nmake b/crypto_sign/rainbowI-circumzenithal/clean/Makefile.Microsoft_nmake deleted file mode 100644 index 4cc2b904..00000000 --- a/crypto_sign/rainbowI-circumzenithal/clean/Makefile.Microsoft_nmake +++ /dev/null 
@@ -1,19 +0,0 @@ -# This Makefile can be used with Microsoft Visual Studio's nmake using the command: -# nmake /f Makefile.Microsoft_nmake - -LIBRARY=librainbowI-circumzenithal_clean.lib -OBJECTS = blas_comm.obj parallel_matrix_op.obj rainbow.obj rainbow_keypair.obj rainbow_keypair_computation.obj sign.obj utils_hash.obj utils_prng.obj blas.obj gf.obj - -CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX - -all: $(LIBRARY) - -# Make sure objects are recompiled if headers change. -$(OBJECTS): *.h - -$(LIBRARY): $(OBJECTS) - LIB.EXE /NOLOGO /WX /OUT:$@ $** - -clean: - -DEL $(OBJECTS) - -DEL $(LIBRARY) diff --git a/crypto_sign/rainbowI-circumzenithal/clean/api.h b/crypto_sign/rainbowI-circumzenithal/clean/api.h deleted file mode 100644 index 69b1d7ad..00000000 --- a/crypto_sign/rainbowI-circumzenithal/clean/api.h +++ /dev/null @@ -1,32 +0,0 @@ -#ifndef PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_API_H -#define PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_API_H - -#include -#include - -#define PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_CRYPTO_SECRETKEYBYTES 103648 -#define PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_CRYPTO_PUBLICKEYBYTES 60192 -#define PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_CRYPTO_BYTES 66 -#define PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_CRYPTO_ALGNAME "RAINBOW(16,36,32,32) - circumzenithal" - -int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk); - - -int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk); - -int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_crypto_sign(uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_crypto_sign_open(uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *pk); - - -#endif 
diff --git a/crypto_sign/rainbowI-circumzenithal/clean/blas.c b/crypto_sign/rainbowI-circumzenithal/clean/blas.c deleted file mode 100644 index 2d5ad845..00000000 --- a/crypto_sign/rainbowI-circumzenithal/clean/blas.c +++ /dev/null @@ -1,43 +0,0 @@ -#include "blas.h" -#include "gf.h" - -#include - -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_predicated_add(uint8_t *accu_b, uint8_t predicate, const uint8_t *a, size_t _num_byte) { - uint8_t pr_u8 = (uint8_t) ((uint8_t) 0 - predicate); - for (size_t i = 0; i < _num_byte; i++) { - accu_b[i] ^= (a[i] & pr_u8); - } -} - -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_add(uint8_t *accu_b, const uint8_t *a, size_t _num_byte) { - for (size_t i = 0; i < _num_byte; i++) { - accu_b[i] ^= a[i]; - } -} - - -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_mul_scalar(uint8_t *a, uint8_t gf16_b, size_t _num_byte) { - uint8_t tmp; - for (size_t i = 0; i < _num_byte; i++) { - tmp = PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16_mul(a[i] & 0xF, gf16_b); - tmp |= (uint8_t) (PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16_mul(a[i] >> 4, gf16_b) << 4); - a[i] = tmp; - } -} - -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_madd(uint8_t *accu_c, const uint8_t *a, uint8_t gf16_b, size_t _num_byte) { - for (size_t i = 0; i < _num_byte; i++) { - accu_c[i] ^= PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16_mul(a[i] & 0xF, gf16_b); - accu_c[i] ^= (uint8_t) (PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16_mul(a[i] >> 4, gf16_b) << 4); - } -} - -uint8_t PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_dot(const uint8_t *a, const uint8_t *b, size_t _num_byte) { - uint8_t r = 0; - for (size_t i = 0; i < _num_byte; i++) { - r ^= PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16_mul(a[i], b[i]); - } - return r; -} - diff --git a/crypto_sign/rainbowI-circumzenithal/clean/blas.h b/crypto_sign/rainbowI-circumzenithal/clean/blas.h deleted file mode 100644 index 8897fc52..00000000 --- a/crypto_sign/rainbowI-circumzenithal/clean/blas.h +++ /dev/null 
@@ -1,20 +0,0 @@
-#ifndef _BLAS_H_
-#define _BLAS_H_
-/// @file blas.h
-/// @brief Functions for implementing basic linear algebra functions.
-///
-
-#include "rainbow_config.h"
-#include 
-#include 
-
-void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_predicated_add(uint8_t *accu_b, uint8_t predicate, const uint8_t *a, size_t _num_byte);
-void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_add(uint8_t *accu_b, const uint8_t *a, size_t _num_byte);
-
-
-void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_madd(uint8_t *accu_c, const uint8_t *a, uint8_t gf16_b, size_t _num_byte);
-void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_mul_scalar(uint8_t *a, uint8_t gf16_b, size_t _num_byte);
-uint8_t PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_dot(const uint8_t *a, const uint8_t *b, size_t _num_byte);
-
-
-#endif // _BLAS_H_
diff --git a/crypto_sign/rainbowI-circumzenithal/clean/blas_comm.c b/crypto_sign/rainbowI-circumzenithal/clean/blas_comm.c
deleted file mode 100644
index 69bd2dad..00000000
--- a/crypto_sign/rainbowI-circumzenithal/clean/blas_comm.c
+++ /dev/null
@@ -1,152 +0,0 @@ -/// @file blas_comm.c -/// @brief The standard implementations for blas_comm.h -/// - -#include "blas_comm.h" -#include "blas.h" -#include "gf.h" -#include "rainbow_config.h" - -#include -#include - -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_set_zero(uint8_t *b, unsigned int _num_byte) { - for (size_t i = 0; i < _num_byte; i++) { - b[i] = 0; - } -} - -/// @brief get an element from GF(16) vector . -/// -/// @param[in] a - the input vector a. -/// @param[in] i - the index in the vector a. -/// @return the value of the element. -/// -uint8_t PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_get_ele(const uint8_t *a, unsigned int i) { - uint8_t r = a[i >> 1]; - uint8_t r0 = r & 0xf; - uint8_t r1 = r >> 4; - uint8_t m = (uint8_t)(-((int8_t)i & 1)); - return (uint8_t)((r1 & m) | ((~m) & r0)); -} - -/// @brief set an element for a GF(16) vector . -/// -/// @param[in,out] a - the vector a. -/// @param[in] i - the index in the vector a. -/// @param[in] v - the value for the i-th element in vector a. -/// @return the value of the element. 
-/// -static uint8_t PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_set_ele(uint8_t *a, unsigned int i, uint8_t v) { - uint8_t m = (uint8_t)(0xf ^ (-((int8_t)i & 1))); /// 1--> 0xf0 , 0--> 0x0f - uint8_t ai_remaining = (uint8_t)(a[i >> 1] & (~m)); /// erase - a[i >> 1] = (uint8_t)(ai_remaining | (m & (v << 4)) | (m & v & 0xf)); /// set - return v; -} - -static void gf16mat_prod_ref(uint8_t *c, const uint8_t *matA, unsigned int n_A_vec_byte, unsigned int n_A_width, const uint8_t *b) { - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_set_zero(c, n_A_vec_byte); - for (unsigned int i = 0; i < n_A_width; i++) { - uint8_t bb = PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_get_ele(b, i); - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_madd(c, matA, bb, n_A_vec_byte); - matA += n_A_vec_byte; - } -} - -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16mat_mul(uint8_t *c, const uint8_t *a, const uint8_t *b, unsigned int len_vec) { - unsigned int n_vec_byte = (len_vec + 1) / 2; - for (unsigned int k = 0; k < len_vec; k++) { - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_set_zero(c, n_vec_byte); - const uint8_t *bk = b + n_vec_byte * k; - for (unsigned int i = 0; i < len_vec; i++) { - uint8_t bb = PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_get_ele(bk, i); - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_madd(c, a + n_vec_byte * i, bb, n_vec_byte); - } - c += n_vec_byte; - } -} - -static unsigned int gf16mat_gauss_elim_ref(uint8_t *mat, unsigned int h, unsigned int w) { - unsigned int n_w_byte = (w + 1) / 2; - unsigned int r8 = 1; - for (unsigned int i = 0; i < h; i++) { - unsigned int offset_byte = i >> 1; - uint8_t *ai = mat + n_w_byte * i; - for (unsigned int j = i + 1; j < h; j++) { - uint8_t *aj = mat + n_w_byte * j; - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_predicated_add(ai + offset_byte, 1 ^ PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16_is_nonzero(PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_get_ele(ai, i)), aj + offset_byte, n_w_byte - offset_byte); - } - uint8_t pivot = 
PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_get_ele(ai, i); - r8 &= PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16_is_nonzero(pivot); - pivot = PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16_inv(pivot); - offset_byte = (i + 1) >> 1; - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_mul_scalar(ai + offset_byte, pivot, n_w_byte - offset_byte); - for (unsigned int j = 0; j < h; j++) { - if (i == j) { - continue; - } - uint8_t *aj = mat + n_w_byte * j; - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_madd(aj + offset_byte, ai + offset_byte, PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_get_ele(aj, i), n_w_byte - offset_byte); - } - } - return r8; -} - -static unsigned int gf16mat_solve_linear_eq_ref(uint8_t *sol, const uint8_t *inp_mat, const uint8_t *c_terms, unsigned int n) { - uint8_t mat[64 * 33]; - unsigned int n_byte = (n + 1) >> 1; - for (unsigned int i = 0; i < n; i++) { - memcpy(mat + i * (n_byte + 1), inp_mat + i * n_byte, n_byte); - mat[i * (n_byte + 1) + n_byte] = PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_get_ele(c_terms, i); - } - unsigned int r8 = PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16mat_gauss_elim(mat, n, n + 2); - for (unsigned int i = 0; i < n; i++) { - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_set_ele(sol, i, mat[i * (n_byte + 1) + n_byte]); - } - return r8; -} - -static inline void gf16mat_submat(uint8_t *mat2, unsigned int w2, unsigned int st, const uint8_t *mat, unsigned int w, unsigned int h) { - unsigned int n_byte_w1 = (w + 1) / 2; - unsigned int n_byte_w2 = (w2 + 1) / 2; - unsigned int st_2 = st / 2; - for (unsigned int i = 0; i < h; i++) { - for (unsigned int j = 0; j < n_byte_w2; j++) { - mat2[i * n_byte_w2 + j] = mat[i * n_byte_w1 + st_2 + j]; - } - } -} - -unsigned int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16mat_inv(uint8_t *inv_a, const uint8_t *a, unsigned int H, uint8_t *buffer) { - unsigned int n_w_byte = (H + 1) / 2; - - uint8_t *aa = buffer; - for (unsigned int i = 0; i < H; i++) { - uint8_t *ai = aa + i * 2 * n_w_byte; - 
PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_set_zero(ai, 2 * n_w_byte); - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_add(ai, a + i * n_w_byte, n_w_byte); - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_set_ele(ai + n_w_byte, i, 1); - } - unsigned int r8 = PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16mat_gauss_elim(aa, H, 2 * H); - gf16mat_submat(inv_a, H, H, aa, 2 * H, H); - return r8; -} - -// choosing the implementations depends on the macros _BLAS_AVX2_ and _BLAS_SSE - -#define gf16mat_prod_impl gf16mat_prod_ref -#define gf16mat_gauss_elim_impl gf16mat_gauss_elim_ref -#define gf16mat_solve_linear_eq_impl gf16mat_solve_linear_eq_ref - -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16mat_prod(uint8_t *c, const uint8_t *matA, unsigned int n_A_vec_byte, unsigned int n_A_width, const uint8_t *b) { - gf16mat_prod_impl(c, matA, n_A_vec_byte, n_A_width, b); -} - -unsigned int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16mat_gauss_elim(uint8_t *mat, unsigned int h, unsigned int w) { - return gf16mat_gauss_elim_impl(mat, h, w); -} - -unsigned int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16mat_solve_linear_eq(uint8_t *sol, const uint8_t *inp_mat, const uint8_t *c_terms, unsigned int n) { - return gf16mat_solve_linear_eq_impl(sol, inp_mat, c_terms, n); -} - diff --git a/crypto_sign/rainbowI-circumzenithal/clean/blas_comm.h b/crypto_sign/rainbowI-circumzenithal/clean/blas_comm.h deleted file mode 100644 index 0d13a05f..00000000 --- a/crypto_sign/rainbowI-circumzenithal/clean/blas_comm.h +++ /dev/null 
@@ -1,74 +0,0 @@ -#ifndef _BLAS_COMM_H_ -#define _BLAS_COMM_H_ -/// @file blas_comm.h -/// @brief Common functions for linear algebra. -/// - -#include "rainbow_config.h" -#include - -/// @brief set a vector to 0. -/// -/// @param[in,out] b - the vector b. -/// @param[in] _num_byte - number of bytes for the vector b. -/// -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_set_zero(uint8_t *b, unsigned int _num_byte); - -/// @brief get an element from GF(16) vector . -/// -/// @param[in] a - the input vector a. -/// @param[in] i - the index in the vector a. -/// @return the value of the element. -/// -uint8_t PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_get_ele(const uint8_t *a, unsigned int i); - -/// @brief matrix-matrix multiplication: c = a * b , in GF(16) -/// -/// @param[out] c - the output matrix c -/// @param[in] c - a matrix a. -/// @param[in] b - a matrix b. -/// @param[in] len_vec - the length of column vectors. -/// -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16mat_mul(uint8_t *c, const uint8_t *a, const uint8_t *b, unsigned int len_vec); - -/// @brief Gauss elimination for a matrix, in GF(16) -/// -/// @param[in,out] mat - the matrix. -/// @param[in] h - the height of the matrix. -/// @param[in] w - the width of the matrix. -/// @return 1(true) if success. 0(false) if the matrix is singular. -/// -unsigned int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16mat_gauss_elim(uint8_t *mat, unsigned int h, unsigned int w); - -/// @brief Solving linear equations, in GF(16) -/// -/// @param[out] sol - the solutions. -/// @param[in] inp_mat - the matrix parts of input equations. -/// @param[in] c_terms - the constant terms of the input equations. -/// @param[in] n - the number of equations. -/// @return 1(true) if success. 0(false) if the matrix is singular. 
-/// -unsigned int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16mat_solve_linear_eq(uint8_t *sol, const uint8_t *inp_mat, const uint8_t *c_terms, unsigned int n); - -/// @brief Computing the inverse matrix, in GF(16) -/// -/// @param[out] inv_a - the output of matrix a. -/// @param[in] a - a matrix a. -/// @param[in] H - height of matrix a, i.e., matrix a is an HxH matrix. -/// @param[in] buffer - The buffer for computations. it has to be as large as 2 input matrixes. -/// @return 1(true) if success. 0(false) if the matrix is singular. -/// -unsigned int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16mat_inv(uint8_t *inv_a, const uint8_t *a, unsigned int H, uint8_t *buffer); - -/// @brief matrix-vector multiplication: c = matA * b , in GF(16) -/// -/// @param[out] c - the output vector c -/// @param[in] matA - a column-major matrix A. -/// @param[in] n_A_vec_byte - the size of column vectors in bytes. -/// @param[in] n_A_width - the width of matrix A. -/// @param[in] b - the vector b. -/// -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16mat_prod(uint8_t *c, const uint8_t *matA, unsigned int n_A_vec_byte, unsigned int n_A_width, const uint8_t *b); - - -#endif // _BLAS_COMM_H_ diff --git a/crypto_sign/rainbowI-circumzenithal/clean/gf.c b/crypto_sign/rainbowI-circumzenithal/clean/gf.c deleted file mode 100644 index 862dd66d..00000000 --- a/crypto_sign/rainbowI-circumzenithal/clean/gf.c +++ /dev/null 
@@ -1,54 +0,0 @@ -#include "gf.h" - -//// gf4 := gf2[x]/x^2+x+1 -static inline uint8_t gf4_mul_2(uint8_t a) { - uint8_t r = (uint8_t)(a << 1); - r ^= (uint8_t)((a >> 1) * 7); - return r; -} - -static inline uint8_t gf4_mul(uint8_t a, uint8_t b) { - uint8_t r = (uint8_t)(a * (b & 1)); - return r ^ (uint8_t)(gf4_mul_2(a) * (b >> 1)); -} - -static inline uint8_t gf4_squ(uint8_t a) { - return a ^ (a >> 1); -} - -//// gf16 := gf4[y]/y^2+y+x -uint8_t PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16_mul(uint8_t a, uint8_t b) { - uint8_t a0 = a & 3; - uint8_t a1 = (a >> 2); - uint8_t b0 = b & 3; - uint8_t b1 = (b >> 2); - uint8_t a0b0 = gf4_mul(a0, b0); - uint8_t a1b1 = gf4_mul(a1, b1); - uint8_t a0b1_a1b0 = gf4_mul(a0 ^ a1, b0 ^ b1) ^ a0b0 ^ a1b1; - uint8_t a1b1_x2 = gf4_mul_2(a1b1); - return (uint8_t)((a0b1_a1b0 ^ a1b1) << 2 ^ a0b0 ^ a1b1_x2); -} - -static inline uint8_t gf16_squ(uint8_t a) { - uint8_t a0 = a & 3; - uint8_t a1 = (a >> 2); - a1 = gf4_squ(a1); - uint8_t a1squ_x2 = gf4_mul_2(a1); - return (uint8_t)((a1 << 2) ^ a1squ_x2 ^ gf4_squ(a0)); -} - -uint8_t PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16_is_nonzero(uint8_t a) { - unsigned int a4 = a & 0xf; - unsigned int r = ((unsigned int)0) - a4; - r >>= 4; - return r & 1; -} - -uint8_t PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16_inv(uint8_t a) { - uint8_t a2 = gf16_squ(a); - uint8_t a4 = gf16_squ(a2); - uint8_t a8 = gf16_squ(a4); - uint8_t a6 = PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16_mul(a4, a2); - return PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16_mul(a8, a6); -} - diff --git a/crypto_sign/rainbowI-circumzenithal/clean/gf.h b/crypto_sign/rainbowI-circumzenithal/clean/gf.h deleted file mode 100644 index 3cd304cc..00000000 --- a/crypto_sign/rainbowI-circumzenithal/clean/gf.h +++ /dev/null 
@@ -1,18 +0,0 @@
-#ifndef _GF16_H_
-#define _GF16_H_
-
-#include "rainbow_config.h"
-#include 
-
-/// @file gf16.h
-/// @brief Library for arithmetics in GF(16) and GF(256)
-///
-
-uint8_t PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16_mul(uint8_t a, uint8_t b);
-
-
-uint8_t PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16_is_nonzero(uint8_t a);
-uint8_t PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16_inv(uint8_t a);
-
-
-#endif // _GF16_H_
diff --git a/crypto_sign/rainbowI-circumzenithal/clean/parallel_matrix_op.c b/crypto_sign/rainbowI-circumzenithal/clean/parallel_matrix_op.c
deleted file mode 100644
index 9a04f441..00000000
--- a/crypto_sign/rainbowI-circumzenithal/clean/parallel_matrix_op.c
+++ /dev/null
@@ -1,182 +0,0 @@ -/// @file parallel_matrix_op.c -/// @brief the standard implementations for functions in parallel_matrix_op.h -/// -/// the standard implementations for functions in parallel_matrix_op.h -/// - -#include "parallel_matrix_op.h" -#include "blas.h" -#include "blas_comm.h" - -/// -/// @brief Calculate the corresponding index in an array for an upper-triangle(UT) matrix. -/// -/// @param[in] i_row - the i-th row in an upper-triangle matrix. -/// @param[in] j_col - the j-th column in an upper-triangle matrix. -/// @param[in] dim - the dimension of the upper-triangle matrix, i.e., an dim x dim matrix. -/// @return the corresponding index in an array storage. -/// -unsigned int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_idx_of_trimat(unsigned int i_row, unsigned int j_col, unsigned int dim) { - return (dim + dim - i_row + 1) * i_row / 2 + j_col - i_row; -} - -/// -/// @brief Calculate the corresponding index in an array for an upper-triangle or lower-triangle matrix. -/// -/// @param[in] i_row - the i-th row in a triangle matrix. -/// @param[in] j_col - the j-th column in a triangle matrix. -/// @param[in] dim - the dimension of the triangle matrix, i.e., an dim x dim matrix. -/// @return the corresponding index in an array storage. 
-/// -static inline unsigned int idx_of_2trimat(unsigned int i_row, unsigned int j_col, unsigned int n_var) { - if (i_row > j_col) { - return PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_idx_of_trimat(j_col, i_row, n_var); - } - return PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_idx_of_trimat(i_row, j_col, n_var); -} - -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_UpperTrianglize(unsigned char *btriC, const unsigned char *bA, unsigned int Awidth, unsigned int size_batch) { - unsigned char *runningC = btriC; - unsigned int Aheight = Awidth; - for (unsigned int i = 0; i < Aheight; i++) { - for (unsigned int j = 0; j < i; j++) { - unsigned int idx = PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_idx_of_trimat(j, i, Aheight); - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_add(btriC + idx * size_batch, bA + size_batch * (i * Awidth + j), size_batch); - } - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_add(runningC, bA + size_batch * (i * Awidth + i), size_batch * (Aheight - i)); - runningC += size_batch * (Aheight - i); - } -} - -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_trimat_madd_gf16(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch) { - unsigned int Awidth = Bheight; - unsigned int Aheight = Awidth; - for (unsigned int i = 0; i < Aheight; i++) { - for (unsigned int j = 0; j < Bwidth; j++) { - for (unsigned int k = 0; k < Bheight; k++) { - if (k < i) { - continue; - } - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_madd(bC, &btriA[(k - i) * size_batch], PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_get_ele(&B[j * size_Bcolvec], k), size_batch); - } - bC += size_batch; - } - btriA += (Aheight - i) * size_batch; - } -} - -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_trimatTr_madd_gf16(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch) { - unsigned int Aheight = 
Bheight; - for (unsigned int i = 0; i < Aheight; i++) { - for (unsigned int j = 0; j < Bwidth; j++) { - for (unsigned int k = 0; k < Bheight; k++) { - if (i < k) { - continue; - } - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_madd(bC, &btriA[size_batch * (PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_idx_of_trimat(k, i, Aheight))], PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_get_ele(&B[j * size_Bcolvec], k), size_batch); - } - bC += size_batch; - } - } -} - -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_2trimat_madd_gf16(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch) { - unsigned int Aheight = Bheight; - for (unsigned int i = 0; i < Aheight; i++) { - for (unsigned int j = 0; j < Bwidth; j++) { - for (unsigned int k = 0; k < Bheight; k++) { - if (i == k) { - continue; - } - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_madd(bC, &btriA[size_batch * (idx_of_2trimat(i, k, Aheight))], PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_get_ele(&B[j * size_Bcolvec], k), size_batch); - } - bC += size_batch; - } - } -} - -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_matTr_madd_gf16(unsigned char *bC, const unsigned char *A_to_tr, unsigned int Aheight, unsigned int size_Acolvec, unsigned int Awidth, - const unsigned char *bB, unsigned int Bwidth, unsigned int size_batch) { - unsigned int Atr_height = Awidth; - unsigned int Atr_width = Aheight; - for (unsigned int i = 0; i < Atr_height; i++) { - for (unsigned int j = 0; j < Atr_width; j++) { - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_madd(bC, &bB[j * Bwidth * size_batch], PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_get_ele(&A_to_tr[size_Acolvec * i], j), size_batch * Bwidth); - } - bC += size_batch * Bwidth; - } -} - -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_bmatTr_madd_gf16(unsigned char *bC, const unsigned char *bA_to_tr, unsigned int Awidth_before_tr, - const unsigned char *B, unsigned int Bheight, unsigned int 
size_Bcolvec, unsigned int Bwidth, unsigned int size_batch) { - const unsigned char *bA = bA_to_tr; - unsigned int Aheight = Awidth_before_tr; - for (unsigned int i = 0; i < Aheight; i++) { - for (unsigned int j = 0; j < Bwidth; j++) { - for (unsigned int k = 0; k < Bheight; k++) { - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_madd(bC, &bA[size_batch * (i + k * Aheight)], PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_get_ele(&B[j * size_Bcolvec], k), size_batch); - } - bC += size_batch; - } - } -} - -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_mat_madd_gf16(unsigned char *bC, const unsigned char *bA, unsigned int Aheight, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch) { - unsigned int Awidth = Bheight; - for (unsigned int i = 0; i < Aheight; i++) { - for (unsigned int j = 0; j < Bwidth; j++) { - for (unsigned int k = 0; k < Bheight; k++) { - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_madd(bC, &bA[k * size_batch], PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_get_ele(&B[j * size_Bcolvec], k), size_batch); - } - bC += size_batch; - } - bA += (Awidth) * size_batch; - } -} - -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_quad_recmat_eval_gf16(unsigned char *z, const unsigned char *y, unsigned int dim_y, const unsigned char *mat, - const unsigned char *x, unsigned int dim_x, unsigned int size_batch) { - unsigned char tmp[128]; - - unsigned char _x[128]; - for (unsigned int i = 0; i < dim_x; i++) { - _x[i] = PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_get_ele(x, i); - } - unsigned char _y[128]; - for (unsigned int i = 0; i < dim_y; i++) { - _y[i] = PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_get_ele(y, i); - } - - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_set_zero(z, size_batch); - for (unsigned int i = 0; i < dim_y; i++) { - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_set_zero(tmp, size_batch); - for (unsigned int j = 0; j < dim_x; j++) { - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_madd(tmp, mat, 
_x[j], size_batch); - mat += size_batch; - } - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_madd(z, tmp, _y[i], size_batch); - } -} - -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_quad_trimat_eval_gf16(unsigned char *y, const unsigned char *trimat, const unsigned char *x, unsigned int dim, unsigned int size_batch) { - unsigned char tmp[256]; - - unsigned char _x[256]; - for (unsigned int i = 0; i < dim; i++) { - _x[i] = PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_get_ele(x, i); - } - - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_set_zero(y, size_batch); - for (unsigned int i = 0; i < dim; i++) { - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_set_zero(tmp, size_batch); - for (unsigned int j = i; j < dim; j++) { - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_madd(tmp, trimat, _x[j], size_batch); - trimat += size_batch; - } - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_madd(y, tmp, _x[i], size_batch); - } -} diff --git a/crypto_sign/rainbowI-circumzenithal/clean/parallel_matrix_op.h b/crypto_sign/rainbowI-circumzenithal/clean/parallel_matrix_op.h deleted file mode 100644 index a7697f41..00000000 --- a/crypto_sign/rainbowI-circumzenithal/clean/parallel_matrix_op.h +++ /dev/null 
@@ -1,260 +0,0 @@ -#ifndef _P_MATRIX_OP_H_ -#define _P_MATRIX_OP_H_ -/// @file parallel_matrix_op.h -/// @brief Librarys for operations of batched matrixes. -/// -/// - -//////////////// Section: triangle matrix <-> rectangle matrix /////////////////////////////////// - -/// -/// @brief Calculate the corresponding index in an array for an upper-triangle(UT) matrix. -/// -/// @param[in] i_row - the i-th row in an upper-triangle matrix. -/// @param[in] j_col - the j-th column in an upper-triangle matrix. -/// @param[in] dim - the dimension of the upper-triangle matrix, i.e., an dim x dim matrix. -/// @return the corresponding index in an array storage. -/// -unsigned int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_idx_of_trimat(unsigned int i_row, unsigned int j_col, unsigned int dim); - -/// -/// @brief Upper trianglize a rectangle matrix to the corresponding upper-trangle matrix. -/// -/// @param[out] btriC - the batched upper-trianglized matrix C. -/// @param[in] bA - a batched retangle matrix A. -/// @param[in] bwidth - the width of the batched matrix A, i.e., A is a Awidth x Awidth matrix. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_UpperTrianglize(unsigned char *btriC, const unsigned char *bA, unsigned int Awidth, unsigned int size_batch); - -//////////////////// Section: matrix multiplications /////////////////////////////// - -/// -/// @brief bC += btriA * B , in GF(16) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] btriA - a batched UT matrix A. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. 
-/// -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_trimat_madd_gf16(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += btriA * B , in GF(256) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] btriA - a batched UT matrix A. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_trimat_madd_gf256(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += btriA^Tr * B , in GF(16) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] btriA - a batched UT matrix A. A will be transposed while multiplying. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_trimatTr_madd_gf16(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += btriA^Tr * B , in GF(256) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] btriA - a batched UT matrix A, which will be transposed while multiplying. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. 
-/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_trimatTr_madd_gf256(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += (btriA + btriA^Tr) *B , in GF(16) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] btriA - a batched UT matrix A. The operand for multiplication is (btriA + btriA^Tr). -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_2trimat_madd_gf16(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += (btriA + btriA^Tr) *B , in GF(256) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] btriA - a batched UT matrix A. The operand for multiplication is (btriA + btriA^Tr). -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. 
-/// -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_2trimat_madd_gf256(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += A^Tr * bB , in GF(16) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] A_to_tr - a column-major matrix A. The operand for multiplication is A^Tr. -/// @param[in] Aheight - the height of A. -/// @param[in] size_Acolvec - the size of a column vector in A. -/// @param[in] Awidth - the width of A. -/// @param[in] bB - a batched matrix B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_matTr_madd_gf16(unsigned char *bC, - const unsigned char *A_to_tr, unsigned int Aheight, unsigned int size_Acolvec, unsigned int Awidth, - const unsigned char *bB, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += A^Tr * bB , in GF(256) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] A_to_tr - a column-major matrix A. The operand for multiplication is A^Tr. -/// @param[in] Aheight - the height of A. -/// @param[in] size_Acolvec - the size of a column vector in A. -/// @param[in] Awidth - the width of A. -/// @param[in] bB - a batched matrix B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_matTr_madd_gf256(unsigned char *bC, - const unsigned char *A_to_tr, unsigned int Aheight, unsigned int size_Acolvec, unsigned int Awidth, - const unsigned char *bB, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += bA^Tr * B , in GF(16) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] bA_to_tr - a batched matrix A. 
The operand for multiplication is (bA^Tr). -/// @param[in] Awidth_befor_tr - the width of A. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_bmatTr_madd_gf16(unsigned char *bC, const unsigned char *bA_to_tr, unsigned int Awidth_before_tr, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += bA^Tr * B , in GF(256) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] bA_to_tr - a batched matrix A. The operand for multiplication is (bA^Tr). -/// @param[in] Awidth_befor_tr - the width of A. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_bmatTr_madd_gf256(unsigned char *bC, const unsigned char *bA_to_tr, unsigned int Awidth_before_tr, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += bA * B , in GF(16) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] bA - a batched matrix A. -/// @param[in] Aheigh - the height of A. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. 
-/// -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_mat_madd_gf16(unsigned char *bC, const unsigned char *bA, unsigned int Aheight, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += bA * B , in GF(256) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] bA - a batched matrix A. -/// @param[in] Aheigh - the height of A. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_mat_madd_gf256(unsigned char *bC, const unsigned char *bA, unsigned int Aheight, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -//////////////////// Section: "quadratric" matrix evaluation /////////////////////////////// - -/// -/// @brief y = x^Tr * trimat * x , in GF(16) -/// -/// @param[out] y - the returned batched element y. -/// @param[in] trimat - a batched matrix. -/// @param[in] x - an input vector x. -/// @param[in] dim - the dimension of matrix trimat (and x). -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_quad_trimat_eval_gf16(unsigned char *y, const unsigned char *trimat, const unsigned char *x, unsigned int dim, unsigned int size_batch); - -/// -/// @brief y = x^Tr * trimat * x , in GF(256) -/// -/// @param[out] y - the returned batched element y. -/// @param[in] trimat - a batched matrix. -/// @param[in] x - an input vector x. -/// @param[in] dim - the dimension of matrix trimat (and x). -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. 
-/// -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_quad_trimat_eval_gf256(unsigned char *y, const unsigned char *trimat, const unsigned char *x, unsigned int dim, unsigned int size_batch); - -/// -/// @brief z = y^Tr * mat * x , in GF(16) -/// -/// @param[out] z - the returned batched element z. -/// @param[in] y - an input vector y. -/// @param[in] dim_y - the length of y. -/// @param[in] mat - a batched matrix. -/// @param[in] x - an input vector x. -/// @param[in] dim_x - the length of x. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_quad_recmat_eval_gf16(unsigned char *z, const unsigned char *y, unsigned int dim_y, - const unsigned char *mat, const unsigned char *x, unsigned int dim_x, unsigned int size_batch); - -/// -/// @brief z = y^Tr * mat * x , in GF(256) -/// -/// @param[out] z - the returned batched element z. -/// @param[in] y - an input vector y. -/// @param[in] dim_y - the length of y. -/// @param[in] mat - a batched matrix. -/// @param[in] x - an input vector x. -/// @param[in] dim_x - the length of x. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_quad_recmat_eval_gf256(unsigned char *z, const unsigned char *y, unsigned int dim_y, - const unsigned char *mat, const unsigned char *x, unsigned int dim_x, unsigned int size_batch); - -#endif // _P_MATRIX_OP_H_ diff --git a/crypto_sign/rainbowI-circumzenithal/clean/rainbow.c b/crypto_sign/rainbowI-circumzenithal/clean/rainbow.c deleted file mode 100644 index f2b9a9ee..00000000 --- a/crypto_sign/rainbowI-circumzenithal/clean/rainbow.c +++ /dev/null 
@@ -1,173 +0,0 @@ -/// @file rainbow.c -/// @brief The standard implementations for functions in rainbow.h -/// - -#include "blas.h" -#include "parallel_matrix_op.h" -#include "rainbow.h" -#include "rainbow_blas.h" -#include "rainbow_config.h" -#include "rainbow_keypair.h" -#include "utils_hash.h" -#include "utils_prng.h" -#include -#include -#include - -#define MAX_ATTEMPT_FRMAT 128 - -int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_rainbow_sign(uint8_t *signature, const sk_t *sk, const uint8_t *_digest) { - uint8_t mat_l1[_O1 * _O1_BYTE]; - uint8_t mat_l2[_O2 * _O2_BYTE]; - uint8_t mat_buffer[2 * _MAX_O * _MAX_O_BYTE]; - - // setup PRNG - prng_t prng_sign; - uint8_t prng_preseed[LEN_SKSEED + _HASH_LEN]; - memcpy(prng_preseed, sk->sk_seed, LEN_SKSEED); - memcpy(prng_preseed + LEN_SKSEED, _digest, _HASH_LEN); // prng_preseed = sk_seed || digest - uint8_t prng_seed[_HASH_LEN]; - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_hash_msg(prng_seed, _HASH_LEN, prng_preseed, _HASH_LEN + LEN_SKSEED); - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_prng_set(&prng_sign, prng_seed, _HASH_LEN); // seed = H( sk_seed || digest ) - for (unsigned int i = 0; i < LEN_SKSEED + _HASH_LEN; i++) { - prng_preseed[i] ^= prng_preseed[i]; // clean - } - for (unsigned int i = 0; i < _HASH_LEN; i++) { - prng_seed[i] ^= prng_seed[i]; // clean - } - - // roll vinegars. 
- uint8_t vinegar[_V1_BYTE]; - unsigned int n_attempt = 0; - unsigned int l1_succ = 0; - while (!l1_succ) { - if (MAX_ATTEMPT_FRMAT <= n_attempt) { - break; - } - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_prng_gen(&prng_sign, vinegar, _V1_BYTE); // generating vinegars - gfmat_prod(mat_l1, sk->l1_F2, _O1 * _O1_BYTE, _V1, vinegar); // generating the linear equations for layer 1 - l1_succ = gfmat_inv(mat_l1, mat_l1, _O1, mat_buffer); // check if the linear equation solvable - n_attempt++; - } - - // Given the vinegars, pre-compute variables needed for layer 2 - uint8_t r_l1_F1[_O1_BYTE] = {0}; - uint8_t r_l2_F1[_O2_BYTE] = {0}; - batch_quad_trimat_eval(r_l1_F1, sk->l1_F1, vinegar, _V1, _O1_BYTE); - batch_quad_trimat_eval(r_l2_F1, sk->l2_F1, vinegar, _V1, _O2_BYTE); - uint8_t mat_l2_F3[_O2 * _O2_BYTE]; - uint8_t mat_l2_F2[_O1 * _O2_BYTE]; - gfmat_prod(mat_l2_F3, sk->l2_F3, _O2 * _O2_BYTE, _V1, vinegar); - gfmat_prod(mat_l2_F2, sk->l2_F2, _O1 * _O2_BYTE, _V1, vinegar); - - // Some local variables. 
- uint8_t _z[_PUB_M_BYTE]; - uint8_t y[_PUB_M_BYTE]; - uint8_t *x_v1 = vinegar; - uint8_t x_o1[_O1_BYTE]; - uint8_t x_o2[_O2_BYTE]; - - uint8_t digest_salt[_HASH_LEN + _SALT_BYTE]; - memcpy(digest_salt, _digest, _HASH_LEN); - uint8_t *salt = digest_salt + _HASH_LEN; - - uint8_t temp_o[_MAX_O_BYTE + 32] = {0}; - unsigned int succ = 0; - while (!succ) { - if (MAX_ATTEMPT_FRMAT <= n_attempt) { - break; - } - // The computation: H(digest||salt) --> z --S--> y --C-map--> x --T--> w - - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_prng_gen(&prng_sign, salt, _SALT_BYTE); // roll the salt - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_hash_msg(_z, _PUB_M_BYTE, digest_salt, _HASH_LEN + _SALT_BYTE); // H(digest||salt) - - // y = S^-1 * z - memcpy(y, _z, _PUB_M_BYTE); // identity part of S - gfmat_prod(temp_o, sk->s1, _O1_BYTE, _O2, _z + _O1_BYTE); - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_add(y, temp_o, _O1_BYTE); - - // Central Map: - // layer 1: calculate x_o1 - memcpy(temp_o, r_l1_F1, _O1_BYTE); - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_add(temp_o, y, _O1_BYTE); - gfmat_prod(x_o1, mat_l1, _O1_BYTE, _O1, temp_o); - - // layer 2: calculate x_o2 - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_set_zero(temp_o, _O2_BYTE); - gfmat_prod(temp_o, mat_l2_F2, _O2_BYTE, _O1, x_o1); // F2 - batch_quad_trimat_eval(mat_l2, sk->l2_F5, x_o1, _O1, _O2_BYTE); // F5 - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_add(temp_o, mat_l2, _O2_BYTE); - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_add(temp_o, r_l2_F1, _O2_BYTE); // F1 - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_add(temp_o, y + _O1_BYTE, _O2_BYTE); - - // generate the linear equations of the 2nd layer - gfmat_prod(mat_l2, sk->l2_F6, _O2 * _O2_BYTE, _O1, x_o1); // F6 - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_add(mat_l2, mat_l2_F3, _O2 * _O2_BYTE); // F3 - succ = gfmat_inv(mat_l2, mat_l2, _O2, mat_buffer); - gfmat_prod(x_o2, mat_l2, _O2_BYTE, _O2, temp_o); // solve l2 eqs - - n_attempt++; - }; - // w = T^-1 * y - uint8_t w[_PUB_N_BYTE]; - // 
identity part of T. - memcpy(w, x_v1, _V1_BYTE); - memcpy(w + _V1_BYTE, x_o1, _O1_BYTE); - memcpy(w + _V2_BYTE, x_o2, _O2_BYTE); - // Computing the t1 part. - gfmat_prod(y, sk->t1, _V1_BYTE, _O1, x_o1); - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_add(w, y, _V1_BYTE); - // Computing the t4 part. - gfmat_prod(y, sk->t4, _V1_BYTE, _O2, x_o2); - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_add(w, y, _V1_BYTE); - // Computing the t3 part. - gfmat_prod(y, sk->t3, _O1_BYTE, _O2, x_o2); - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_add(w + _V1_BYTE, y, _O1_BYTE); - - memset(signature, 0, _SIGNATURE_BYTE); // set the output 0 - // clean - memset(&prng_sign, 0, sizeof(prng_t)); - memset(vinegar, 0, _V1_BYTE); - memset(r_l1_F1, 0, _O1_BYTE); - memset(r_l2_F1, 0, _O2_BYTE); - memset(_z, 0, _PUB_M_BYTE); - memset(y, 0, _PUB_M_BYTE); - memset(x_o1, 0, _O1_BYTE); - memset(x_o2, 0, _O2_BYTE); - memset(temp_o, 0, sizeof(temp_o)); - - // return: copy w and salt to the signature. - if (MAX_ATTEMPT_FRMAT <= n_attempt) { - return -1; - } - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_add(signature, w, _PUB_N_BYTE); - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_add(signature + _PUB_N_BYTE, salt, _SALT_BYTE); - return 0; -} - -int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_rainbow_verify(const uint8_t *digest, const uint8_t *signature, const pk_t *pk) { - unsigned char digest_ck[_PUB_M_BYTE]; - // public_map( digest_ck , pk , signature ); Evaluating the quadratic public polynomials. - batch_quad_trimat_eval(digest_ck, pk->pk, signature, _PUB_N, _PUB_M_BYTE); - - unsigned char correct[_PUB_M_BYTE]; - unsigned char digest_salt[_HASH_LEN + _SALT_BYTE]; - memcpy(digest_salt, digest, _HASH_LEN); - memcpy(digest_salt + _HASH_LEN, signature + _PUB_N_BYTE, _SALT_BYTE); - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_hash_msg(correct, _PUB_M_BYTE, digest_salt, _HASH_LEN + _SALT_BYTE); // H( digest || salt ) - - // check consistancy. 
- unsigned char cc = 0; - for (unsigned int i = 0; i < _PUB_M_BYTE; i++) { - cc |= (digest_ck[i] ^ correct[i]); - } - return (0 == cc) ? 0 : -1; -} - - -int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_rainbow_verify_cyclic(const uint8_t *digest, const uint8_t *signature, const cpk_t *_pk) { - unsigned char pk[sizeof(pk_t) + 32]; - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_cpk_to_pk((pk_t *)pk, _pk); // generating classic public key. - return PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_rainbow_verify(digest, signature, (pk_t *)pk); -} diff --git a/crypto_sign/rainbowI-circumzenithal/clean/rainbow.h b/crypto_sign/rainbowI-circumzenithal/clean/rainbow.h deleted file mode 100644 index 5fa1b064..00000000 --- a/crypto_sign/rainbowI-circumzenithal/clean/rainbow.h +++ /dev/null 
@@ -1,42 +0,0 @@
-#ifndef _RAINBOW_H_
-#define _RAINBOW_H_
-/// @file rainbow.h
-/// @brief APIs for rainbow.
-///
-
-#include "rainbow_config.h"
-#include "rainbow_keypair.h"
-
-#include 
-
-///
-/// @brief Signing function for classical secret key.
-///
-/// @param[out] signature - the signature.
-/// @param[in] sk - the secret key.
-/// @param[in] digest - the digest.
-///
-int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_rainbow_sign(uint8_t *signature, const sk_t *sk, const uint8_t *digest);
-
-///
-/// @brief Verifying function.
-///
-/// @param[in] digest - the digest.
-/// @param[in] signature - the signature.
-/// @param[in] pk - the public key.
-/// @return 0 for successful verified. -1 for failed verification.
-///
-int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_rainbow_verify(const uint8_t *digest, const uint8_t *signature, const pk_t *pk);
-
-
-///
-/// @brief Verifying function for cyclic public keys.
-///
-/// @param[in] digest - the digest.
-/// @param[in] signature - the signature.
-/// @param[in] pk - the public key of cyclic rainbow.
-/// @return 0 for successful verified. -1 for failed verification.
-///
-int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_rainbow_verify_cyclic(const uint8_t *digest, const uint8_t *signature, const cpk_t *pk);
-
-#endif // _RAINBOW_H_
diff --git a/crypto_sign/rainbowI-circumzenithal/clean/rainbow_blas.h b/crypto_sign/rainbowI-circumzenithal/clean/rainbow_blas.h
deleted file mode 100644
index 949bc128..00000000
--- a/crypto_sign/rainbowI-circumzenithal/clean/rainbow_blas.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef _RAINBOW_BLAS_H_
-#define _RAINBOW_BLAS_H_
-/// @file rainbow_blas.h
-/// @brief Defining the functions used in rainbow.c acconding to the definitions in rainbow_config.h
-///
-/// Defining the functions used in rainbow.c acconding to the definitions in rainbow_config.h
-
-#include "blas.h"
-#include "blas_comm.h"
-#include "parallel_matrix_op.h"
-#include "rainbow_config.h"
-
-
-#define gfv_get_ele PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_get_ele
-#define gfv_mul_scalar PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_mul_scalar
-#define gfv_madd PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16v_madd
-
-#define gfmat_prod PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16mat_prod
-#define gfmat_inv PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf16mat_inv
-
-#define batch_trimat_madd PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_trimat_madd_gf16
-#define batch_trimatTr_madd PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_trimatTr_madd_gf16
-#define batch_2trimat_madd PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_2trimat_madd_gf16
-#define batch_matTr_madd PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_matTr_madd_gf16
-#define batch_bmatTr_madd PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_bmatTr_madd_gf16
-#define batch_mat_madd PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_mat_madd_gf16
-
-#define batch_quad_trimat_eval PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_quad_trimat_eval_gf16
-#define batch_quad_recmat_eval PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_batch_quad_recmat_eval_gf16
-
-
-#endif // _RAINBOW_BLAS_H_
diff --git a/crypto_sign/rainbowI-circumzenithal/clean/rainbow_config.h b/crypto_sign/rainbowI-circumzenithal/clean/rainbow_config.h
deleted file mode 100644
index a581af34..00000000
--- a/crypto_sign/rainbowI-circumzenithal/clean/rainbow_config.h
+++ /dev/null
@@ -1,49 +0,0 @@
-#ifndef _H_RAINBOW_CONFIG_H_
-#define _H_RAINBOW_CONFIG_H_
-
-/// @file rainbow_config.h
-/// @brief Defining the parameters of the Rainbow and the corresponding constants.
-///
-
-#define _USE_GF16
-#define _GFSIZE 16
-#define _V1 36
-#define _O1 32
-#define _O2 32
-#define _MAX_O 32
-#define _HASH_LEN 32
-
-
-#define _V2 ((_V1) + (_O1))
-
-/// size of N, in # of gf elements.
-#define _PUB_N (_V1 + _O1 + _O2)
-
-/// size of M, in # gf elements.
-#define _PUB_M (_O1 + _O2)
-
-/// size of variables, in # bytes.
-
-// GF16
-#define _V1_BYTE (_V1 / 2)
-#define _V2_BYTE (_V2 / 2)
-#define _O1_BYTE (_O1 / 2)
-#define _O2_BYTE (_O2 / 2)
-#define _MAX_O_BYTE (_MAX_O / 2)
-#define _PUB_N_BYTE (_PUB_N / 2)
-#define _PUB_M_BYTE (_PUB_M / 2)
-
-
-/// length of seed for public key, in # bytes
-#define LEN_PKSEED 32
-
-/// length of seed for secret key, in # bytes
-#define LEN_SKSEED 32
-
-/// length of salt for a signature, in # bytes
-#define _SALT_BYTE 16
-
-/// length of a signature
-#define _SIGNATURE_BYTE (_PUB_N_BYTE + _SALT_BYTE)
-
-#endif // _H_RAINBOW_CONFIG_H_
diff --git a/crypto_sign/rainbowI-circumzenithal/clean/rainbow_keypair.c b/crypto_sign/rainbowI-circumzenithal/clean/rainbow_keypair.c
deleted file mode 100644
index 683d875e..00000000
--- a/crypto_sign/rainbowI-circumzenithal/clean/rainbow_keypair.c
+++ /dev/null
@@ -1,186 +0,0 @@ -/// @file rainbow_keypair.c -/// @brief implementations of functions in rainbow_keypair.h -/// - -#include "rainbow_keypair.h" -#include "blas.h" -#include "blas_comm.h" -#include "rainbow_blas.h" -#include "rainbow_keypair_computation.h" -#include "utils_prng.h" -#include -#include -#include - -static -void generate_S_T( unsigned char *s_and_t, prng_t *prng0 ) { - sk_t *_sk; - unsigned size; - - size = sizeof(_sk->s1); - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_prng_gen( prng0, s_and_t, size ); - s_and_t += size; - - size = sizeof(_sk->t1); - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_prng_gen( prng0, s_and_t, size ); - s_and_t += size; - - size = sizeof(_sk->t4); - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_prng_gen( prng0, s_and_t, size ); - s_and_t += size; - - size = sizeof(_sk->t3); - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_prng_gen( prng0, s_and_t, size ); -} - - -static -unsigned generate_l1_F12( unsigned char *sk, prng_t *prng0 ) { - unsigned n_byte_generated = 0; - sk_t *_sk; - unsigned size; - - size = sizeof(_sk->l1_F1); - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_prng_gen( prng0, sk, size ); - sk += size; - n_byte_generated += size; - - size = sizeof(_sk->l1_F2); - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_prng_gen( prng0, sk, size ); - n_byte_generated += size; - - return n_byte_generated; -} - - -static -unsigned generate_l2_F12356( unsigned char *sk, prng_t *prng0 ) { - unsigned n_byte_generated = 0; - sk_t *_sk; - unsigned size; - - size = sizeof(_sk->l2_F1); - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_prng_gen( prng0, sk, size ); - sk += size; - n_byte_generated += size; - - size = sizeof(_sk->l2_F2); - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_prng_gen( prng0, sk, size ); - sk += size; - n_byte_generated += size; - - size = sizeof(_sk->l2_F3); - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_prng_gen( prng0, sk, size ); - sk += size; - n_byte_generated += size; - - size = sizeof(_sk->l2_F5); - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_prng_gen( prng0, sk, size ); - sk += size; - 
n_byte_generated += size; - - size = sizeof(_sk->l2_F6); - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_prng_gen( prng0, sk, size ); - n_byte_generated += size; - - return n_byte_generated; -} - - -static void generate_B1_B2(unsigned char *sk, prng_t *prng0) { - sk += generate_l1_F12(sk, prng0); - generate_l2_F12356(sk, prng0); -} - -static void calculate_t4(unsigned char *t2_to_t4, const unsigned char *t1, const unsigned char *t3) { - // t4 = T_sk.t1 * T_sk.t3 - T_sk.t2 - unsigned char temp[_V1_BYTE + 32]; - unsigned char *t4 = t2_to_t4; - for (unsigned int i = 0; i < _O2; i++) { /// t3 width - gfmat_prod(temp, t1, _V1_BYTE, _O1, t3); - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_add(t4, temp, _V1_BYTE); - t4 += _V1_BYTE; - t3 += _O1_BYTE; - } -} - -static void obsfucate_l1_polys(unsigned char *l1_polys, const unsigned char *l2_polys, unsigned int n_terms, const unsigned char *s1) { - unsigned char temp[_O1_BYTE + 32]; - while (n_terms--) { - gfmat_prod(temp, s1, _O1_BYTE, _O2, l2_polys); - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_gf256v_add(l1_polys, temp, _O1_BYTE); - l1_polys += _O1_BYTE; - l2_polys += _O2_BYTE; - } -} - -/////////////////// Classic ////////////////////////////////// - - -///////////////////// Cyclic ////////////////////////////////// -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_generate_keypair_cyclic(cpk_t *pk, sk_t *sk, const unsigned char *pk_seed, const unsigned char *sk_seed) { - memcpy(pk->pk_seed, pk_seed, LEN_PKSEED); - memcpy(sk->sk_seed, sk_seed, LEN_SKSEED); - - // prng for sk - prng_t prng; - prng_t *prng0 = &prng; - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_prng_set(prng0, sk_seed, LEN_SKSEED); - generate_S_T(sk->s1, prng0); // S,T: only a part of sk - - unsigned char t2[sizeof(sk->t4)]; - memcpy(t2, sk->t4, _V1_BYTE * _O2); // temporarily store t2 - calculate_t4(sk->t4, sk->t1, sk->t3); // t2 <- t4 - - // prng for pk - sk_t inst_Qs; - sk_t *Qs = &inst_Qs; - prng_t *prng1 = &prng; - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_prng_set(prng1, pk_seed, 
LEN_PKSEED); - generate_B1_B2(Qs->l1_F1, prng1); // generating l1_Q1, l1_Q2, l2_Q1, l2_Q2, l2_Q3, l2_Q5, l2_Q6 - obsfucate_l1_polys(Qs->l1_F1, Qs->l2_F1, N_TRIANGLE_TERMS(_V1), sk->s1); - obsfucate_l1_polys(Qs->l1_F2, Qs->l2_F2, _V1 * _O1, sk->s1); - // so far, the Qs contains l1_F1, l1_F2, l2_F1, l2_F2, l2_F3, l2_F5, l2_F6. - - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_calculate_F_from_Q(sk, Qs, sk); // calcuate the rest parts of secret key from Qs and S,T - - unsigned char t4[sizeof(sk->t4)]; - memcpy(t4, sk->t4, _V1_BYTE * _O2); // temporarily store t4 - memcpy(sk->t4, t2, _V1_BYTE * _O2); // restore t2 - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_calculate_Q_from_F_cyclic(pk, sk, sk); // calculate the rest parts of public key: l1_Q3, l1_Q5, l1_Q6, l1_Q9, l2_Q9 - memcpy(sk->t4, t4, _V1_BYTE * _O2); // restore t4 - - obsfucate_l1_polys(pk->l1_Q3, Qs->l2_F3, _V1 * _O2, sk->s1); - obsfucate_l1_polys(pk->l1_Q5, Qs->l2_F5, N_TRIANGLE_TERMS(_O1), sk->s1); - obsfucate_l1_polys(pk->l1_Q6, Qs->l2_F6, _O1 * _O2, sk->s1); - obsfucate_l1_polys(pk->l1_Q9, pk->l2_Q9, N_TRIANGLE_TERMS(_O2), sk->s1); - - // clean - memset(&prng, 0, sizeof(prng_t)); -} - - - -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_cpk_to_pk(pk_t *rpk, const cpk_t *cpk) { - // procedure: cpk_t --> extcpk_t --> pk_t - - // convert from cpk_t to extcpk_t - ext_cpk_t pk; - - // setup prng - prng_t prng0; - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_prng_set(&prng0, cpk->pk_seed, LEN_SKSEED); - - // generating parts of key with prng - generate_l1_F12(pk.l1_Q1, &prng0); - // copying parts of key from input. 
l1_Q3, l1_Q5, l1_Q6, l1_Q9 - memcpy(pk.l1_Q3, cpk->l1_Q3, _O1_BYTE * (_V1 * _O2 + N_TRIANGLE_TERMS(_O1) + _O1 * _O2 + N_TRIANGLE_TERMS(_O2))); - - // generating parts of key with prng - generate_l2_F12356(pk.l2_Q1, &prng0); - // copying parts of key from input: l2_Q9 - memcpy(pk.l2_Q9, cpk->l2_Q9, _O2_BYTE * N_TRIANGLE_TERMS(_O2)); - - // convert from extcpk_t to pk_t - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_extcpk_to_pk(rpk, &pk); -} diff --git a/crypto_sign/rainbowI-circumzenithal/clean/rainbow_keypair.h b/crypto_sign/rainbowI-circumzenithal/clean/rainbow_keypair.h deleted file mode 100644 index 852f10fc..00000000 --- a/crypto_sign/rainbowI-circumzenithal/clean/rainbow_keypair.h +++ /dev/null 
@@ -1,94 +0,0 @@ -#ifndef _RAINBOW_KEYPAIR_H_ -#define _RAINBOW_KEYPAIR_H_ -/// @file rainbow_keypair.h -/// @brief Formats of key pairs and functions for generating key pairs. -/// Formats of key pairs and functions for generating key pairs. -/// - -#include "rainbow_config.h" - -#define N_TRIANGLE_TERMS(n_var) ((n_var) * ((n_var) + 1) / 2) - -/// @brief public key for classic rainbow -/// -/// public key for classic rainbow -/// -typedef struct rainbow_publickey { - unsigned char pk[(_PUB_M_BYTE)*N_TRIANGLE_TERMS(_PUB_N)]; -} pk_t; - -/// @brief secret key for classic rainbow -/// -/// secret key for classic rainbow -/// -typedef struct rainbow_secretkey { - /// - /// seed for generating secret key. - /// Generating S, T, and F for classic rainbow. - /// Generating S and T only for cyclic rainbow. - unsigned char sk_seed[LEN_SKSEED]; - - unsigned char s1[_O1_BYTE * _O2]; ///< part of S map - unsigned char t1[_V1_BYTE * _O1]; ///< part of T map - unsigned char t4[_V1_BYTE * _O2]; ///< part of T map - unsigned char t3[_O1_BYTE * _O2]; ///< part of T map - - unsigned char l1_F1[_O1_BYTE * N_TRIANGLE_TERMS(_V1)]; ///< part of C-map, F1, Layer1 - unsigned char l1_F2[_O1_BYTE * _V1 * _O1]; ///< part of C-map, F2, Layer1 - - unsigned char l2_F1[_O2_BYTE * N_TRIANGLE_TERMS(_V1)]; ///< part of C-map, F1, Layer2 - unsigned char l2_F2[_O2_BYTE * _V1 * _O1]; ///< part of C-map, F2, Layer2 - - unsigned char l2_F3[_O2_BYTE * _V1 * _O2]; ///< part of C-map, F3, Layer2 - unsigned char l2_F5[_O2_BYTE * N_TRIANGLE_TERMS(_O1)]; ///< part of C-map, F5, Layer2 - unsigned char l2_F6[_O2_BYTE * _O1 * _O2]; ///< part of C-map, F6, Layer2 -} sk_t; - -/// @brief public key for cyclic rainbow -/// -/// public key for cyclic rainbow -/// -typedef struct rainbow_publickey_cyclic { - unsigned char pk_seed[LEN_PKSEED]; ///< seed for generating l1_Q1,l1_Q2,l2_Q1,l2_Q2,l2_Q3,l2_Q5,l2_Q6 - - unsigned char l1_Q3[_O1_BYTE * _V1 * _O2]; ///< Q3, layer1 - unsigned char l1_Q5[_O1_BYTE * 
N_TRIANGLE_TERMS(_O1)]; ///< Q5, layer1 - unsigned char l1_Q6[_O1_BYTE * _O1 * _O2]; ///< Q6, layer1 - unsigned char l1_Q9[_O1_BYTE * N_TRIANGLE_TERMS(_O2)]; ///< Q9, layer1 - - unsigned char l2_Q9[_O2_BYTE * N_TRIANGLE_TERMS(_O2)]; ///< Q9, layer2 -} cpk_t; - -/// @brief compressed secret key for cyclic rainbow -/// -/// compressed secret key for cyclic rainbow -/// -typedef struct rainbow_secretkey_cyclic { - unsigned char pk_seed[LEN_PKSEED]; ///< seed for generating a part of public key. - unsigned char sk_seed[LEN_SKSEED]; ///< seed for generating a part of secret key. -} csk_t; - - -/// -/// @brief Generate key pairs for cyclic rainbow. -/// -/// @param[out] pk - the public key. -/// @param[out] sk - the secret key. -/// @param[in] pk_seed - seed for generating parts of public key. -/// @param[in] sk_seed - seed for generating secret key. -/// -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_generate_keypair_cyclic(cpk_t *pk, sk_t *sk, const unsigned char *pk_seed, const unsigned char *sk_seed); - - - -//////////////////////////////////// - -/// -/// @brief converting formats of public keys : from cyclic version to classic key -/// -/// @param[out] pk - the classic public key. -/// @param[in] cpk - the cyclic public key. -/// -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_cpk_to_pk(pk_t *pk, const cpk_t *cpk); - -#endif // _RAINBOW_KEYPAIR_H_ diff --git a/crypto_sign/rainbowI-circumzenithal/clean/rainbow_keypair_computation.c b/crypto_sign/rainbowI-circumzenithal/clean/rainbow_keypair_computation.c deleted file mode 100644 index 606d0cab..00000000 --- a/crypto_sign/rainbowI-circumzenithal/clean/rainbow_keypair_computation.c +++ /dev/null 
@@ -1,213 +0,0 @@ -/// @file rainbow_keypair_computation.c -/// @brief Implementations for functions in rainbow_keypair_computation.h -/// - -#include "rainbow_keypair_computation.h" -#include "blas.h" -#include "blas_comm.h" -#include "rainbow_blas.h" -#include "rainbow_keypair.h" -#include -#include -#include - -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_extcpk_to_pk(pk_t *pk, const ext_cpk_t *cpk) { - const unsigned char *idx_l1 = cpk->l1_Q1; - const unsigned char *idx_l2 = cpk->l2_Q1; - for (unsigned int i = 0; i < _V1; i++) { - for (unsigned int j = i; j < _V1; j++) { - unsigned int pub_idx = PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_idx_of_trimat(i, j, _PUB_N); - memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE); - memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE); - idx_l1 += _O1_BYTE; - idx_l2 += _O2_BYTE; - } - } - idx_l1 = cpk->l1_Q2; - idx_l2 = cpk->l2_Q2; - for (unsigned int i = 0; i < _V1; i++) { - for (unsigned int j = _V1; j < _V1 + _O1; j++) { - unsigned int pub_idx = PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_idx_of_trimat(i, j, _PUB_N); - memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE); - memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE); - idx_l1 += _O1_BYTE; - idx_l2 += _O2_BYTE; - } - } - idx_l1 = cpk->l1_Q3; - idx_l2 = cpk->l2_Q3; - for (unsigned int i = 0; i < _V1; i++) { - for (unsigned int j = _V1 + _O1; j < _PUB_N; j++) { - unsigned int pub_idx = PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_idx_of_trimat(i, j, _PUB_N); - memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE); - memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE); - idx_l1 += _O1_BYTE; - idx_l2 += _O2_BYTE; - } - } - idx_l1 = cpk->l1_Q5; - idx_l2 = cpk->l2_Q5; - for (unsigned int i = _V1; i < _V1 + _O1; i++) { - for (unsigned int j = i; j < _V1 + _O1; j++) { - unsigned int pub_idx = PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_idx_of_trimat(i, j, _PUB_N); - memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE); - 
memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE); - idx_l1 += _O1_BYTE; - idx_l2 += _O2_BYTE; - } - } - idx_l1 = cpk->l1_Q6; - idx_l2 = cpk->l2_Q6; - for (unsigned int i = _V1; i < _V1 + _O1; i++) { - for (unsigned int j = _V1 + _O1; j < _PUB_N; j++) { - unsigned int pub_idx = PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_idx_of_trimat(i, j, _PUB_N); - memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE); - memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE); - idx_l1 += _O1_BYTE; - idx_l2 += _O2_BYTE; - } - } - idx_l1 = cpk->l1_Q9; - idx_l2 = cpk->l2_Q9; - for (unsigned int i = _V1 + _O1; i < _PUB_N; i++) { - for (unsigned int j = i; j < _PUB_N; j++) { - unsigned int pub_idx = PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_idx_of_trimat(i, j, _PUB_N); - memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE); - memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE); - idx_l1 += _O1_BYTE; - idx_l2 += _O2_BYTE; - } - } -} - -static void calculate_F_from_Q_ref(sk_t *Fs, const sk_t *Qs, sk_t *Ts) { - // Layer 1 - // F_sk.l1_F1s[i] = Q_pk.l1_F1s[i] - memcpy(Fs->l1_F1, Qs->l1_F1, _O1_BYTE * N_TRIANGLE_TERMS(_V1)); - - // F_sk.l1_F2s[i] = ( Q_pk.l1_F1s[i] + Q_pk.l1_F1s[i].transpose() ) * T_sk.t1 + Q_pk.l1_F2s[i] - memcpy(Fs->l1_F2, Qs->l1_F2, _O1_BYTE * _V1 * _O1); - batch_2trimat_madd(Fs->l1_F2, Qs->l1_F1, Ts->t1, _V1, _V1_BYTE, _O1, _O1_BYTE); - - /* - Layer 2 - computations: - - F_sk.l2_F1s[i] = Q_pk.l2_F1s[i] - - Q1_T1 = Q_pk.l2_F1s[i]*T_sk.t1 - F_sk.l2_F2s[i] = Q1_T1 + Q_pk.l2_F2s[i] + Q_pk.l2_F1s[i].transpose() * T_sk.t1 - F_sk.l2_F5s[i] = UT( t1_tr* ( Q1_T1 + Q_pk.l2_F2s[i] ) ) + Q_pk.l2_F5s[i] - - Q1_Q1T_T4 = (Q_pk.l2_F1s[i] + Q_pk.l2_F1s[i].transpose()) * t4 - #Q1_Q1T_T4 = Q1_Q1T * t4 - Q2_T3 = Q_pk.l2_F2s[i]*T_sk.t3 - F_sk.l2_F3s[i] = Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i] - F_sk.l2_F6s[i] = t1_tr * ( Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i] ) - + Q_pk.l2_F2s[i].transpose() * t4 - + (Q_pk.l2_F5s[i] + 
Q_pk.l2_F5s[i].transpose())*T_sk.t3 + Q_pk.l2_F6s[i] - - */ - memcpy(Fs->l2_F1, Qs->l2_F1, _O2_BYTE * N_TRIANGLE_TERMS(_V1)); // F_sk.l2_F1s[i] = Q_pk.l2_F1s[i] - - // F_sk.l2_F2s[i] = Q1_T1 + Q_pk.l2_F2s[i] + Q_pk.l2_F1s[i].transpose() * T_sk.t1 - // F_sk.l2_F5s[i] = UT( t1_tr* ( Q1_T1 + Q_pk.l2_F2s[i] ) ) + Q_pk.l2_F5s[i] - memcpy(Fs->l2_F2, Qs->l2_F2, _O2_BYTE * _V1 * _O1); - batch_trimat_madd(Fs->l2_F2, Qs->l2_F1, Ts->t1, _V1, _V1_BYTE, _O1, _O2_BYTE); // Q1_T1+ Q2 - - unsigned char tempQ[_O1 * _O1 * _O2_BYTE + 32]; - memset(tempQ, 0, _O1 * _O1 * _O2_BYTE); - batch_matTr_madd(tempQ, Ts->t1, _V1, _V1_BYTE, _O1, Fs->l2_F2, _O1, _O2_BYTE); // t1_tr*(Q1_T1+Q2) - memcpy(Fs->l2_F5, Qs->l2_F5, _O2_BYTE * N_TRIANGLE_TERMS(_O1)); // F5 - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_UpperTrianglize(Fs->l2_F5, tempQ, _O1, _O2_BYTE); // UT( ... ) - - batch_trimatTr_madd(Fs->l2_F2, Qs->l2_F1, Ts->t1, _V1, _V1_BYTE, _O1, _O2_BYTE); // F2 = Q1_T1 + Q2 + Q1^tr*t1 - - // Q1_Q1T_T4 = (Q_pk.l2_F1s[i] + Q_pk.l2_F1s[i].transpose()) * t4 - // Q2_T3 = Q_pk.l2_F2s[i]*T_sk.t3 - // F_sk.l2_F3s[i] = Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i] - memcpy(Fs->l2_F3, Qs->l2_F3, _V1 * _O2 * _O2_BYTE); - batch_2trimat_madd(Fs->l2_F3, Qs->l2_F1, Ts->t4, _V1, _V1_BYTE, _O2, _O2_BYTE); // Q1_Q1T_T4 - batch_mat_madd(Fs->l2_F3, Qs->l2_F2, _V1, Ts->t3, _O1, _O1_BYTE, _O2, _O2_BYTE); // Q2_T3 - - // F_sk.l2_F6s[i] = t1_tr * ( Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i] ) - // + Q_pk.l2_F2s[i].transpose() * t4 - // + (Q_pk.l2_F5s[i] + Q_pk.l2_F5s[i].transpose())*T_sk.t3 + Q_pk.l2_F6s[i] - memcpy(Fs->l2_F6, Qs->l2_F6, _O1 * _O2 * _O2_BYTE); - batch_matTr_madd(Fs->l2_F6, Ts->t1, _V1, _V1_BYTE, _O1, Fs->l2_F3, _O2, _O2_BYTE); // t1_tr * ( Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i] ) - batch_2trimat_madd(Fs->l2_F6, Qs->l2_F5, Ts->t3, _O1, _O1_BYTE, _O2, _O2_BYTE); // (Q_pk.l2_F5s[i] + Q_pk.l2_F5s[i].transpose())*T_sk.t3 - batch_bmatTr_madd(Fs->l2_F6, Qs->l2_F2, _O1, Ts->t4, _V1, _V1_BYTE, _O2, _O2_BYTE); -} - -#define _SIZE_BUFFER_F2 
(_O2_BYTE * _V1 * _O2) -#define _SIZE_BUFFER_F3 (_O2_BYTE * _V1 * _O2) -static void calculate_Q_from_F_cyclic_ref(cpk_t *Qs, const sk_t *Fs, const sk_t *Ts) { - // Layer 1: Computing Q5, Q3, Q6, Q9 - - // Q_pk.l1_F5s[i] = UT( T1tr* (F1 * T1 + F2) ) - const unsigned char *t2 = Ts->t4; - - // assuming _O2 >= _O1 - - unsigned char buffer_F2[_SIZE_BUFFER_F2]; - memcpy(buffer_F2, Fs->l1_F2, _O1_BYTE * _V1 * _O1); - batch_trimat_madd( buffer_F2, Fs->l1_F1, Ts->t1, _V1, _V1_BYTE, _O1, _O1_BYTE); // F1*T1 + F2 - - // assuming _O2 >= _O1 - unsigned char buffer_F3[_SIZE_BUFFER_F3]; - memset(buffer_F3, 0, _O1_BYTE * _V1 * _O2); - batch_matTr_madd(buffer_F3, Ts->t1, _V1, _V1_BYTE, _O1, buffer_F2, _O1, _O1_BYTE); // T1tr*(F1*T1 + F2) , release buffer_F2 - memset(Qs->l1_Q5, 0, _O1_BYTE * N_TRIANGLE_TERMS(_O1)); - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_UpperTrianglize(Qs->l1_Q5, buffer_F3, _O1, _O1_BYTE); // UT( ... ) // Q5 , release buffer_F3 - /* - F1_T2 = F1 * t2 - F2_T3 = F2 * t3 - F1_F1T_T2 + F2_T3 = F1_T2 + F2_T3 + F1tr * t2 - Q_pk.l1_F3s[i] = F1_F1T_T2 + F2_T3 - Q_pk.l1_F6s[i] = T1tr* ( F1_F1T_T2 + F2_T3 ) + F2tr * t2 - Q_pk.l1_F9s[i] = UT( T2tr* ( F1_T2 + F2_T3 ) ) - */ - memset(Qs->l1_Q3, 0, _O1_BYTE * _V1 * _O2); - memset(Qs->l1_Q6, 0, _O1_BYTE * _O1 * _O2); - memset(Qs->l1_Q9, 0, _O1_BYTE * N_TRIANGLE_TERMS(_O2)); - - batch_trimat_madd(Qs->l1_Q3, Fs->l1_F1, t2, _V1, _V1_BYTE, _O2, _O1_BYTE); // F1*T2 - batch_mat_madd(Qs->l1_Q3, Fs->l1_F2, _V1, Ts->t3, _O1, _O1_BYTE, _O2, _O1_BYTE); // F1_T2 + F - memset(buffer_F3, 0, _O1_BYTE * _V1 * _O2); - batch_matTr_madd(buffer_F3, t2, _V1, _V1_BYTE, _O2, Qs->l1_Q3, _O2, _O1_BYTE); // T2tr * ( F1_T2 + F2_T3 ) - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_UpperTrianglize(Qs->l1_Q9, buffer_F3, _O2, _O1_BYTE); // Q9 , release buffe - batch_trimatTr_madd(Qs->l1_Q3, Fs->l1_F1, t2, _V1, _V1_BYTE, _O2, _O1_BYTE); // F1_F1T_T2 + F2_T3 / - batch_bmatTr_madd(Qs->l1_Q6, Fs->l1_F2, _O1, t2, _V1, _V1_BYTE, _O2, _O1_BYTE); // F2tr*T2 - 
batch_matTr_madd(Qs->l1_Q6, Ts->t1, _V1, _V1_BYTE, _O1, Qs->l1_Q3, _O2, _O1_BYTE); // Q6 - /* - Layer 2 - Computing - F1_T2 = F1 * t2 - F2_T3 = F2 * t3 - Q9 = UT( T2tr*( F1*T2 + F2*T3 + F3 ) + T3tr*( F5*T3 + F6 ) ) - */ - memcpy(buffer_F3, Fs->l2_F3, _O2_BYTE * _V1 * _O2); - batch_trimat_madd(buffer_F3, Fs->l2_F1, t2, _V1, _V1_BYTE, _O2, _O2_BYTE); // F1*T2 + F3 - batch_mat_madd(buffer_F3, Fs->l2_F2, _V1, Ts->t3, _O1, _O1_BYTE, _O2, _O2_BYTE); // F1_T2 + F2_T3 - memset(buffer_F2, 0, _O2_BYTE * _V1 * _O2); - batch_matTr_madd(buffer_F2, t2, _V1, _V1_BYTE, _O2, buffer_F3, _O2, _O2_BYTE); // T2tr * ( ..... ) , release buffe - memcpy(buffer_F3, Fs->l2_F6, _O2_BYTE * _O1 * _O2); - batch_trimat_madd(buffer_F3, Fs->l2_F5, Ts->t3, _O1, _O1_BYTE, _O2, _O2_BYTE); // F5*T3 + F6 - batch_matTr_madd(buffer_F2, Ts->t3, _O1, _O1_BYTE, _O2, buffer_F3, _O2, _O2_BYTE); // T2tr*( ..... ) + T3tr*( ..... ) - memset(Qs->l2_Q9, 0, _O2_BYTE * N_TRIANGLE_TERMS(_O2)); - PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_UpperTrianglize(Qs->l2_Q9, buffer_F2, _O2, _O2_BYTE); // Q9 - memset(buffer_F2, 0, _SIZE_BUFFER_F2); - memset(buffer_F3, 0, _SIZE_BUFFER_F3); -} - -// Choosing implementations depends on the macros: _BLAS_SSE_ and _BLAS_AVX2_ -#define calculate_F_from_Q_impl calculate_F_from_Q_ref -#define calculate_Q_from_F_cyclic_impl calculate_Q_from_F_cyclic_ref - -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_calculate_F_from_Q(sk_t *Fs, const sk_t *Qs, sk_t *Ts) { - calculate_F_from_Q_impl(Fs, Qs, Ts); -} - -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_calculate_Q_from_F_cyclic(cpk_t *Qs, const sk_t *Fs, const sk_t *Ts) { - calculate_Q_from_F_cyclic_impl(Qs, Fs, Ts); -} diff --git a/crypto_sign/rainbowI-circumzenithal/clean/rainbow_keypair_computation.h b/crypto_sign/rainbowI-circumzenithal/clean/rainbow_keypair_computation.h deleted file mode 100644 index 81ac105a..00000000 --- a/crypto_sign/rainbowI-circumzenithal/clean/rainbow_keypair_computation.h +++ /dev/null 
@@ -1,71 +0,0 @@ -#ifndef _RAINBOW_KEYPAIR_COMP_H_ -#define _RAINBOW_KEYPAIR_COMP_H_ -/// @file rainbow_keypair_computation.h -/// @brief Functions for calculating pk/sk while generating keys. -/// -/// Defining an internal structure of public key. -/// Functions for calculating pk/sk for key generation. -/// - -#include "rainbow_keypair.h" - -/// @brief The (internal use) public key for rainbow -/// -/// The (internal use) public key for rainbow. The public -/// polynomials are divided into l1_Q1, l1_Q2, ... l1_Q9, -/// l2_Q1, .... , l2_Q9. -/// -typedef struct rainbow_extend_publickey { - unsigned char l1_Q1[_O1_BYTE * N_TRIANGLE_TERMS(_V1)]; - unsigned char l1_Q2[_O1_BYTE * _V1 * _O1]; - unsigned char l1_Q3[_O1_BYTE * _V1 * _O2]; - unsigned char l1_Q5[_O1_BYTE * N_TRIANGLE_TERMS(_O1)]; - unsigned char l1_Q6[_O1_BYTE * _O1 * _O2]; - unsigned char l1_Q9[_O1_BYTE * N_TRIANGLE_TERMS(_O2)]; - - unsigned char l2_Q1[_O2_BYTE * N_TRIANGLE_TERMS(_V1)]; - unsigned char l2_Q2[_O2_BYTE * _V1 * _O1]; - unsigned char l2_Q3[_O2_BYTE * _V1 * _O2]; - unsigned char l2_Q5[_O2_BYTE * N_TRIANGLE_TERMS(_O1)]; - unsigned char l2_Q6[_O2_BYTE * _O1 * _O2]; - unsigned char l2_Q9[_O2_BYTE * N_TRIANGLE_TERMS(_O2)]; -} ext_cpk_t; - -/// -/// @brief converting formats of public keys : from ext_cpk_t version to pk_t -/// -/// @param[out] pk - the classic public key. -/// @param[in] cpk - the internel public key. 
-/// -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_extcpk_to_pk(pk_t *pk, const ext_cpk_t *cpk); -///////////////////////////////////////////////// - -/// -/// @brief Computing public key from secret key -/// -/// @param[out] Qs - the public key -/// @param[in] Fs - parts of the secret key: l1_F1, l1_F2, l2_F1, l2_F2, l2_F3, l2_F5, l2_F6 -/// @param[in] Ts - parts of the secret key: T1, T4, T3 -/// -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_calculate_Q_from_F(ext_cpk_t *Qs, const sk_t *Fs, const sk_t *Ts); - - -/// -/// @brief Computing parts of the sk from parts of pk and sk -/// -/// @param[out] Fs - parts of the sk: l1_F1, l1_F2, l2_F1, l2_F2, l2_F3, l2_F5, l2_F6 -/// @param[in] Qs - parts of the pk: l1_Q1, l1_Q2, l2_Q1, l2_Q2, l2_Q3, l2_Q5, l2_Q6 -/// @param[in] Ts - parts of the sk: T1, T4, T3 -/// -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_calculate_F_from_Q(sk_t *Fs, const sk_t *Qs, sk_t *Ts); - -/// -/// @brief Computing parts of the pk from the secret key -/// -/// @param[out] Qs - parts of the pk: l1_Q3, l1_Q5, l2_Q6, l1_Q9, l2_Q9 -/// @param[in] Fs - parts of the sk: l1_F1, l1_F2, l2_F1, l2_F2, l2_F3, l2_F5, l2_F6 -/// @param[in] Ts - parts of the sk: T1, T4, T3 -/// -void PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_calculate_Q_from_F_cyclic(cpk_t *Qs, const sk_t *Fs, const sk_t *Ts); - -#endif // _RAINBOW_KEYPAIR_COMP_H_ diff --git a/crypto_sign/rainbowI-circumzenithal/clean/sign.c b/crypto_sign/rainbowI-circumzenithal/clean/sign.c deleted file mode 100644 index f2a92288..00000000 --- a/crypto_sign/rainbowI-circumzenithal/clean/sign.c +++ /dev/null 
@@ -1,76 +0,0 @@
-/// @file sign.c
-/// @brief the implementations for functions in api.h
-///
-///
-
-#include "api.h"
-#include "rainbow.h"
-#include "rainbow_config.h"
-#include "rainbow_keypair.h"
-#include "randombytes.h"
-#include "utils_hash.h"
-#include
-#include
-
-int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_crypto_sign_keypair(unsigned char *pk, unsigned char *sk) {
- unsigned char sk_seed[LEN_SKSEED] = {0};
- randombytes(sk_seed, LEN_SKSEED);
-
- unsigned char pk_seed[LEN_PKSEED] = {0};
- randombytes(pk_seed, LEN_PKSEED);
- PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_generate_keypair_cyclic((cpk_t *)pk, (sk_t *)sk, pk_seed, sk_seed);
- return 0;
-}
-
-int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_crypto_sign(unsigned char *sm, size_t *smlen, const unsigned char *m, size_t mlen, const unsigned char *sk) {
- unsigned char digest[_HASH_LEN];
-
- PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_hash_msg(digest, _HASH_LEN, m, mlen);
-
- memcpy(sm, m, mlen);
- smlen[0] = mlen + _SIGNATURE_BYTE;
-
- return PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_rainbow_sign(sm + mlen, (const sk_t *)sk, digest);
-}
-
-int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_crypto_sign_open(unsigned char *m, size_t *mlen, const unsigned char *sm, size_t smlen, const unsigned char *pk) {
- int rc;
- if (_SIGNATURE_BYTE > smlen) {
- rc = -1;
- } else {
- *mlen = smlen - _SIGNATURE_BYTE;
-
- unsigned char digest[_HASH_LEN];
- PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_hash_msg(digest, _HASH_LEN, sm, *mlen);
-
- rc = PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_rainbow_verify_cyclic(digest, sm + mlen[0], (const cpk_t *)pk);
- }
- if (!rc) {
- memmove(m, sm, smlen - _SIGNATURE_BYTE);
- } else { // bad signature
- *mlen = (size_t) -1;
- memset(m, 0, smlen);
- }
- return rc;
-}
-
-int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk) {
- unsigned char digest[_HASH_LEN];
-
- PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_hash_msg(digest, _HASH_LEN, m, mlen);
- *siglen = _SIGNATURE_BYTE;
- return PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_rainbow_sign(sig, (const sk_t *)sk, digest);
-}
-
-int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk) {
- if (siglen != _SIGNATURE_BYTE) {
- return -1;
- }
- unsigned char digest[_HASH_LEN];
- PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_hash_msg(digest, _HASH_LEN, m, mlen);
- return PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_rainbow_verify_cyclic(digest, sig, (const cpk_t *)pk);
-}
diff --git a/crypto_sign/rainbowI-circumzenithal/clean/utils_hash.c b/crypto_sign/rainbowI-circumzenithal/clean/utils_hash.c
deleted file mode 100644
index 75f4c19a..00000000
--- a/crypto_sign/rainbowI-circumzenithal/clean/utils_hash.c
+++ /dev/null
@@ -1,50 +0,0 @@
-/// @file utils_hash.c
-/// @brief the adapter for SHA2 families.
-///
-///
-
-#include "utils_hash.h"
-#include "rainbow_config.h"
-#include "sha2.h"
-
-static inline int h(unsigned char *digest, const unsigned char *m, size_t mlen) {
- sha256(digest, m, mlen);
- return 0;
-}
-
-static inline int expand_hash(unsigned char *digest, size_t n_digest, const unsigned char *hash) {
- if (_HASH_LEN >= n_digest) {
- for (size_t i = 0; i < n_digest; i++) {
- digest[i] = hash[i];
- }
- return 0;
- }
- for (size_t i = 0; i < _HASH_LEN; i++) {
- digest[i] = hash[i];
- }
- n_digest -= _HASH_LEN;
-
- while (_HASH_LEN <= n_digest) {
- h(digest + _HASH_LEN, digest, _HASH_LEN);
-
- n_digest -= _HASH_LEN;
- digest += _HASH_LEN;
- }
- unsigned char temp[_HASH_LEN];
- if (n_digest) {
- h(temp, digest, _HASH_LEN);
- for (size_t i = 0; i < n_digest; i++) {
- digest[_HASH_LEN + i] = temp[i];
- }
- }
- return 0;
-}
-
-int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_hash_msg(unsigned char *digest,
- size_t len_digest,
- const unsigned char *m,
- size_t mlen) {
- unsigned char buf[_HASH_LEN];
- h(buf, m, mlen);
- return expand_hash(digest, len_digest, buf);
-}
diff --git a/crypto_sign/rainbowI-circumzenithal/clean/utils_hash.h b/crypto_sign/rainbowI-circumzenithal/clean/utils_hash.h
deleted file mode 100644
index 766c232c..00000000
--- a/crypto_sign/rainbowI-circumzenithal/clean/utils_hash.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef _UTILS_HASH_H_
-#define _UTILS_HASH_H_
-/// @file utils_hash.h
-/// @brief the interface for adapting hash functions.
-///
-
-#include
-
-int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_hash_msg(unsigned char *digest, size_t len_digest, const unsigned char *m, size_t mlen);
-
-#endif // _UTILS_HASH_H_
diff --git a/crypto_sign/rainbowI-circumzenithal/clean/utils_prng.c b/crypto_sign/rainbowI-circumzenithal/clean/utils_prng.c
deleted file mode 100644
index 08915286..00000000
--- a/crypto_sign/rainbowI-circumzenithal/clean/utils_prng.c
+++ /dev/null
@@ -1,97 +0,0 @@
-/// @file utils_prng.c
-/// @brief The implementation of PRNG related functions.
-///
-
-#include "utils_prng.h"
-#include "aes.h"
-#include "randombytes.h"
-#include "utils_hash.h"
-#include
-#include
-
-static void prng_update(const unsigned char *provided_data,
- unsigned char *Key,
- unsigned char *V) {
- unsigned char temp[48];
- aes256ctx ctx;
- aes256_ecb_keyexp(&ctx, Key);
- for (int i = 0; i < 3; i++) {
- //increment V
- for (int j = 15; j >= 0; j--) {
- if (V[j] == 0xff) {
- V[j] = 0x00;
- } else {
- V[j]++;
- break;
- }
- }
- aes256_ecb(temp + 16 * i, V, 1, &ctx);
- }
- if (provided_data != NULL) {
- for (int i = 0; i < 48; i++) {
- temp[i] ^= provided_data[i];
- }
- }
- aes256_ctx_release(&ctx);
- memcpy(Key, temp, 32);
- memcpy(V, temp + 32, 16);
-}
-static void randombytes_init_with_state(prng_t *state,
- unsigned char *entropy_input_48bytes) {
- memset(state->Key, 0x00, 32);
- memset(state->V, 0x00, 16);
- prng_update(entropy_input_48bytes, state->Key, state->V);
-}
-
-static int randombytes_with_state(prng_t *state,
- unsigned char *x,
- size_t xlen) {
-
- unsigned char block[16];
- int i = 0;
-
- aes256ctx ctx;
- aes256_ecb_keyexp(&ctx, state->Key);
-
- while (xlen > 0) {
- //increment V
- for (int j = 15; j >= 0; j--) {
- if (state->V[j] == 0xff) {
- state->V[j] = 0x00;
- } else {
- state->V[j]++;
- break;
- }
- }
- aes256_ecb(block, state->V, 1, &ctx);
- if (xlen > 15) {
- memcpy(x + i, block, 16);
- i += 16;
- xlen -= 16;
- } else {
- memcpy(x + i, block, xlen);
- xlen = 0;
- }
- }
- aes256_ctx_release(&ctx);
- prng_update(NULL, state->Key, state->V);
- return 0;
-}
-
-int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_prng_set(prng_t *ctx, const void *prng_seed, unsigned long prng_seedlen) {
- unsigned char seed[48];
- if (prng_seedlen >= 48) {
- memcpy(seed, prng_seed, 48);
- } else {
- memcpy(seed, prng_seed, prng_seedlen);
- PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_hash_msg(seed + prng_seedlen, 48 - (unsigned)prng_seedlen, (const unsigned char *)prng_seed, prng_seedlen);
- }
-
- randombytes_init_with_state(ctx, seed);
-
- return 0;
-}
-
-int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_prng_gen(prng_t *ctx, unsigned char *out, unsigned long outlen) {
- return randombytes_with_state(ctx, out, outlen);
-}
diff --git a/crypto_sign/rainbowI-circumzenithal/clean/utils_prng.h b/crypto_sign/rainbowI-circumzenithal/clean/utils_prng.h
deleted file mode 100644
index 2c3649fa..00000000
--- a/crypto_sign/rainbowI-circumzenithal/clean/utils_prng.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef _UTILS_PRNG_H_
-#define _UTILS_PRNG_H_
-/// @file utils_prng.h
-/// @brief the interface for adapting PRNG functions.
-///
-///
-
-#include "randombytes.h"
-
-typedef struct {
- unsigned char Key[32];
- unsigned char V[16];
-} prng_t;
-
-int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_prng_set(prng_t *ctx, const void *prng_seed, unsigned long prng_seedlen);
-int PQCLEAN_RAINBOWICIRCUMZENITHAL_CLEAN_prng_gen(prng_t *ctx, unsigned char *out, unsigned long outlen);
-
-#endif // _UTILS_PRNG_H_
diff --git a/crypto_sign/rainbowI-compressed/META.yml b/crypto_sign/rainbowI-compressed/META.yml
deleted file mode 100644
index b5aee704..00000000
--- a/crypto_sign/rainbowI-compressed/META.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-name: "RAINBOW(16,36,32,32) - compressed"
-type: signature
-claimed-nist-level: 1
-length-public-key: 60192
-length-secret-key: 64
-length-signature: 66
-nistkat-sha256: 6ff3ff91f17c85593317f18a9de09acf4204c45d620250cb948c9fbc9042f1e9
-testvectors-sha256: 0a2ebcb8cf748ea51510eecc17d7af73d1f831fbe0db9330fbab9b4916d0c57b
-principal-submitters:
- - Jintai Ding
-auxiliary-submitters:
- - Ming-Shing Chen
- - Matthias Kannwischer
- - Jacques Patarin
- - Albrecht Petzoldt
- - Dieter Schmidt
- - Bo-Yin Yang
-implementations:
- - name: clean
- version: https://github.com/fast-crypto-lab/rainbow-submission-round2/commit/173ada0e077e1b9dbd8e4a78994f87acc0c92263
diff --git a/crypto_sign/rainbowI-compressed/clean/LICENSE b/crypto_sign/rainbowI-compressed/clean/LICENSE deleted file mode 100644 index cb00a6e3..00000000 --- a/crypto_sign/rainbowI-compressed/clean/LICENSE +++ /dev/null @@ -1,8 +0,0 @@ -`Software implementation of Rainbow for NIST R2 submission' by Ming-Shing Chen - -To the extent possible under law, the person who associated CC0 with -`Software implementation of Rainbow for NIST R2 submission' has waived all copyright and related or neighboring rights -to `Software implementation of Rainbow for NIST R2 submission'. - -You should have received a copy of the CC0 legalcode along with this -work. If not, see . diff --git a/crypto_sign/rainbowI-compressed/clean/Makefile.Microsoft_nmake b/crypto_sign/rainbowI-compressed/clean/Makefile.Microsoft_nmake deleted file mode 100644 index d4f08bf3..00000000 --- a/crypto_sign/rainbowI-compressed/clean/Makefile.Microsoft_nmake +++ /dev/null @@ -1,19 +0,0 @@ -# This Makefile can be used with Microsoft Visual Studio's nmake using the command: -# nmake /f Makefile.Microsoft_nmake - -LIBRARY=librainbowI-compressed_clean.lib -OBJECTS = blas_comm.obj parallel_matrix_op.obj rainbow.obj rainbow_keypair.obj rainbow_keypair_computation.obj sign.obj utils_hash.obj utils_prng.obj blas.obj gf.obj - -CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX - -all: $(LIBRARY) - -# Make sure objects are recompiled if headers change. -$(OBJECTS): *.h - -$(LIBRARY): $(OBJECTS) - LIB.EXE /NOLOGO /WX /OUT:$@ $** - -clean: - -DEL $(OBJECTS) - -DEL $(LIBRARY) diff --git a/crypto_sign/rainbowI-compressed/clean/api.h b/crypto_sign/rainbowI-compressed/clean/api.h deleted file mode 100644 index 1b1257e7..00000000 --- a/crypto_sign/rainbowI-compressed/clean/api.h +++ /dev/null 
@@ -1,32 +0,0 @@ -#ifndef PQCLEAN_RAINBOWICOMPRESSED_CLEAN_API_H -#define PQCLEAN_RAINBOWICOMPRESSED_CLEAN_API_H - -#include -#include - -#define PQCLEAN_RAINBOWICOMPRESSED_CLEAN_CRYPTO_SECRETKEYBYTES 64 -#define PQCLEAN_RAINBOWICOMPRESSED_CLEAN_CRYPTO_PUBLICKEYBYTES 60192 -#define PQCLEAN_RAINBOWICOMPRESSED_CLEAN_CRYPTO_BYTES 66 -#define PQCLEAN_RAINBOWICOMPRESSED_CLEAN_CRYPTO_ALGNAME "RAINBOW(16,36,32,32) - compressed" - -int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk); - - -int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk); - -int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_crypto_sign(uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_crypto_sign_open(uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *pk); - - -#endif diff --git a/crypto_sign/rainbowI-compressed/clean/blas.c b/crypto_sign/rainbowI-compressed/clean/blas.c deleted file mode 100644 index 52fdd860..00000000 --- a/crypto_sign/rainbowI-compressed/clean/blas.c +++ /dev/null 
@@ -1,43 +0,0 @@ -#include "blas.h" -#include "gf.h" - -#include - -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_predicated_add(uint8_t *accu_b, uint8_t predicate, const uint8_t *a, size_t _num_byte) { - uint8_t pr_u8 = (uint8_t) ((uint8_t) 0 - predicate); - for (size_t i = 0; i < _num_byte; i++) { - accu_b[i] ^= (a[i] & pr_u8); - } -} - -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_add(uint8_t *accu_b, const uint8_t *a, size_t _num_byte) { - for (size_t i = 0; i < _num_byte; i++) { - accu_b[i] ^= a[i]; - } -} - - -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_mul_scalar(uint8_t *a, uint8_t gf16_b, size_t _num_byte) { - uint8_t tmp; - for (size_t i = 0; i < _num_byte; i++) { - tmp = PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16_mul(a[i] & 0xF, gf16_b); - tmp |= (uint8_t) (PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16_mul(a[i] >> 4, gf16_b) << 4); - a[i] = tmp; - } -} - -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_madd(uint8_t *accu_c, const uint8_t *a, uint8_t gf16_b, size_t _num_byte) { - for (size_t i = 0; i < _num_byte; i++) { - accu_c[i] ^= PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16_mul(a[i] & 0xF, gf16_b); - accu_c[i] ^= (uint8_t) (PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16_mul(a[i] >> 4, gf16_b) << 4); - } -} - -uint8_t PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_dot(const uint8_t *a, const uint8_t *b, size_t _num_byte) { - uint8_t r = 0; - for (size_t i = 0; i < _num_byte; i++) { - r ^= PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16_mul(a[i], b[i]); - } - return r; -} - diff --git a/crypto_sign/rainbowI-compressed/clean/blas.h b/crypto_sign/rainbowI-compressed/clean/blas.h deleted file mode 100644 index 3ef76356..00000000 --- a/crypto_sign/rainbowI-compressed/clean/blas.h +++ /dev/null 
@@ -1,20 +0,0 @@ -#ifndef _BLAS_H_ -#define _BLAS_H_ -/// @file blas.h -/// @brief Functions for implementing basic linear algebra functions. -/// - -#include "rainbow_config.h" -#include -#include - -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_predicated_add(uint8_t *accu_b, uint8_t predicate, const uint8_t *a, size_t _num_byte); -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_add(uint8_t *accu_b, const uint8_t *a, size_t _num_byte); - - -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_madd(uint8_t *accu_c, const uint8_t *a, uint8_t gf16_b, size_t _num_byte); -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_mul_scalar(uint8_t *a, uint8_t gf16_b, size_t _num_byte); -uint8_t PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_dot(const uint8_t *a, const uint8_t *b, size_t _num_byte); - - -#endif // _BLAS_H_ diff --git a/crypto_sign/rainbowI-compressed/clean/blas_comm.c b/crypto_sign/rainbowI-compressed/clean/blas_comm.c deleted file mode 100644 index 9da4fd4b..00000000 --- a/crypto_sign/rainbowI-compressed/clean/blas_comm.c +++ /dev/null 
@@ -1,152 +0,0 @@ -/// @file blas_comm.c -/// @brief The standard implementations for blas_comm.h -/// - -#include "blas_comm.h" -#include "blas.h" -#include "gf.h" -#include "rainbow_config.h" - -#include -#include - -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_set_zero(uint8_t *b, unsigned int _num_byte) { - for (size_t i = 0; i < _num_byte; i++) { - b[i] = 0; - } -} - -/// @brief get an element from GF(16) vector . -/// -/// @param[in] a - the input vector a. -/// @param[in] i - the index in the vector a. -/// @return the value of the element. -/// -uint8_t PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_get_ele(const uint8_t *a, unsigned int i) { - uint8_t r = a[i >> 1]; - uint8_t r0 = r & 0xf; - uint8_t r1 = r >> 4; - uint8_t m = (uint8_t)(-((int8_t)i & 1)); - return (uint8_t)((r1 & m) | ((~m) & r0)); -} - -/// @brief set an element for a GF(16) vector . -/// -/// @param[in,out] a - the vector a. -/// @param[in] i - the index in the vector a. -/// @param[in] v - the value for the i-th element in vector a. -/// @return the value of the element. 
-/// -static uint8_t PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_set_ele(uint8_t *a, unsigned int i, uint8_t v) { - uint8_t m = (uint8_t)(0xf ^ (-((int8_t)i & 1))); /// 1--> 0xf0 , 0--> 0x0f - uint8_t ai_remaining = (uint8_t)(a[i >> 1] & (~m)); /// erase - a[i >> 1] = (uint8_t)(ai_remaining | (m & (v << 4)) | (m & v & 0xf)); /// set - return v; -} - -static void gf16mat_prod_ref(uint8_t *c, const uint8_t *matA, unsigned int n_A_vec_byte, unsigned int n_A_width, const uint8_t *b) { - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_set_zero(c, n_A_vec_byte); - for (unsigned int i = 0; i < n_A_width; i++) { - uint8_t bb = PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_get_ele(b, i); - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_madd(c, matA, bb, n_A_vec_byte); - matA += n_A_vec_byte; - } -} - -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16mat_mul(uint8_t *c, const uint8_t *a, const uint8_t *b, unsigned int len_vec) { - unsigned int n_vec_byte = (len_vec + 1) / 2; - for (unsigned int k = 0; k < len_vec; k++) { - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_set_zero(c, n_vec_byte); - const uint8_t *bk = b + n_vec_byte * k; - for (unsigned int i = 0; i < len_vec; i++) { - uint8_t bb = PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_get_ele(bk, i); - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_madd(c, a + n_vec_byte * i, bb, n_vec_byte); - } - c += n_vec_byte; - } -} - -static unsigned int gf16mat_gauss_elim_ref(uint8_t *mat, unsigned int h, unsigned int w) { - unsigned int n_w_byte = (w + 1) / 2; - unsigned int r8 = 1; - for (unsigned int i = 0; i < h; i++) { - unsigned int offset_byte = i >> 1; - uint8_t *ai = mat + n_w_byte * i; - for (unsigned int j = i + 1; j < h; j++) { - uint8_t *aj = mat + n_w_byte * j; - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_predicated_add(ai + offset_byte, 1 ^ PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16_is_nonzero(PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_get_ele(ai, i)), aj + offset_byte, n_w_byte - offset_byte); - } - uint8_t pivot = PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_get_ele(ai, i); - r8 &= 
PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16_is_nonzero(pivot); - pivot = PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16_inv(pivot); - offset_byte = (i + 1) >> 1; - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_mul_scalar(ai + offset_byte, pivot, n_w_byte - offset_byte); - for (unsigned int j = 0; j < h; j++) { - if (i == j) { - continue; - } - uint8_t *aj = mat + n_w_byte * j; - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_madd(aj + offset_byte, ai + offset_byte, PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_get_ele(aj, i), n_w_byte - offset_byte); - } - } - return r8; -} - -static unsigned int gf16mat_solve_linear_eq_ref(uint8_t *sol, const uint8_t *inp_mat, const uint8_t *c_terms, unsigned int n) { - uint8_t mat[64 * 33]; - unsigned int n_byte = (n + 1) >> 1; - for (unsigned int i = 0; i < n; i++) { - memcpy(mat + i * (n_byte + 1), inp_mat + i * n_byte, n_byte); - mat[i * (n_byte + 1) + n_byte] = PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_get_ele(c_terms, i); - } - unsigned int r8 = PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16mat_gauss_elim(mat, n, n + 2); - for (unsigned int i = 0; i < n; i++) { - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_set_ele(sol, i, mat[i * (n_byte + 1) + n_byte]); - } - return r8; -} - -static inline void gf16mat_submat(uint8_t *mat2, unsigned int w2, unsigned int st, const uint8_t *mat, unsigned int w, unsigned int h) { - unsigned int n_byte_w1 = (w + 1) / 2; - unsigned int n_byte_w2 = (w2 + 1) / 2; - unsigned int st_2 = st / 2; - for (unsigned int i = 0; i < h; i++) { - for (unsigned int j = 0; j < n_byte_w2; j++) { - mat2[i * n_byte_w2 + j] = mat[i * n_byte_w1 + st_2 + j]; - } - } -} - -unsigned int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16mat_inv(uint8_t *inv_a, const uint8_t *a, unsigned int H, uint8_t *buffer) { - unsigned int n_w_byte = (H + 1) / 2; - - uint8_t *aa = buffer; - for (unsigned int i = 0; i < H; i++) { - uint8_t *ai = aa + i * 2 * n_w_byte; - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_set_zero(ai, 2 * n_w_byte); - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_add(ai, a + i * 
n_w_byte, n_w_byte); - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_set_ele(ai + n_w_byte, i, 1); - } - unsigned int r8 = PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16mat_gauss_elim(aa, H, 2 * H); - gf16mat_submat(inv_a, H, H, aa, 2 * H, H); - return r8; -} - -// choosing the implementations depends on the macros _BLAS_AVX2_ and _BLAS_SSE - -#define gf16mat_prod_impl gf16mat_prod_ref -#define gf16mat_gauss_elim_impl gf16mat_gauss_elim_ref -#define gf16mat_solve_linear_eq_impl gf16mat_solve_linear_eq_ref - -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16mat_prod(uint8_t *c, const uint8_t *matA, unsigned int n_A_vec_byte, unsigned int n_A_width, const uint8_t *b) { - gf16mat_prod_impl(c, matA, n_A_vec_byte, n_A_width, b); -} - -unsigned int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16mat_gauss_elim(uint8_t *mat, unsigned int h, unsigned int w) { - return gf16mat_gauss_elim_impl(mat, h, w); -} - -unsigned int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16mat_solve_linear_eq(uint8_t *sol, const uint8_t *inp_mat, const uint8_t *c_terms, unsigned int n) { - return gf16mat_solve_linear_eq_impl(sol, inp_mat, c_terms, n); -} - diff --git a/crypto_sign/rainbowI-compressed/clean/blas_comm.h b/crypto_sign/rainbowI-compressed/clean/blas_comm.h deleted file mode 100644 index 24b19862..00000000 --- a/crypto_sign/rainbowI-compressed/clean/blas_comm.h +++ /dev/null 
@@ -1,74 +0,0 @@ -#ifndef _BLAS_COMM_H_ -#define _BLAS_COMM_H_ -/// @file blas_comm.h -/// @brief Common functions for linear algebra. -/// - -#include "rainbow_config.h" -#include - -/// @brief set a vector to 0. -/// -/// @param[in,out] b - the vector b. -/// @param[in] _num_byte - number of bytes for the vector b. -/// -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_set_zero(uint8_t *b, unsigned int _num_byte); - -/// @brief get an element from GF(16) vector . -/// -/// @param[in] a - the input vector a. -/// @param[in] i - the index in the vector a. -/// @return the value of the element. -/// -uint8_t PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_get_ele(const uint8_t *a, unsigned int i); - -/// @brief matrix-matrix multiplication: c = a * b , in GF(16) -/// -/// @param[out] c - the output matrix c -/// @param[in] c - a matrix a. -/// @param[in] b - a matrix b. -/// @param[in] len_vec - the length of column vectors. -/// -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16mat_mul(uint8_t *c, const uint8_t *a, const uint8_t *b, unsigned int len_vec); - -/// @brief Gauss elimination for a matrix, in GF(16) -/// -/// @param[in,out] mat - the matrix. -/// @param[in] h - the height of the matrix. -/// @param[in] w - the width of the matrix. -/// @return 1(true) if success. 0(false) if the matrix is singular. -/// -unsigned int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16mat_gauss_elim(uint8_t *mat, unsigned int h, unsigned int w); - -/// @brief Solving linear equations, in GF(16) -/// -/// @param[out] sol - the solutions. -/// @param[in] inp_mat - the matrix parts of input equations. -/// @param[in] c_terms - the constant terms of the input equations. -/// @param[in] n - the number of equations. -/// @return 1(true) if success. 0(false) if the matrix is singular. 
-/// -unsigned int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16mat_solve_linear_eq(uint8_t *sol, const uint8_t *inp_mat, const uint8_t *c_terms, unsigned int n); - -/// @brief Computing the inverse matrix, in GF(16) -/// -/// @param[out] inv_a - the output of matrix a. -/// @param[in] a - a matrix a. -/// @param[in] H - height of matrix a, i.e., matrix a is an HxH matrix. -/// @param[in] buffer - The buffer for computations. it has to be as large as 2 input matrixes. -/// @return 1(true) if success. 0(false) if the matrix is singular. -/// -unsigned int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16mat_inv(uint8_t *inv_a, const uint8_t *a, unsigned int H, uint8_t *buffer); - -/// @brief matrix-vector multiplication: c = matA * b , in GF(16) -/// -/// @param[out] c - the output vector c -/// @param[in] matA - a column-major matrix A. -/// @param[in] n_A_vec_byte - the size of column vectors in bytes. -/// @param[in] n_A_width - the width of matrix A. -/// @param[in] b - the vector b. -/// -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16mat_prod(uint8_t *c, const uint8_t *matA, unsigned int n_A_vec_byte, unsigned int n_A_width, const uint8_t *b); - - -#endif // _BLAS_COMM_H_ diff --git a/crypto_sign/rainbowI-compressed/clean/gf.c b/crypto_sign/rainbowI-compressed/clean/gf.c deleted file mode 100644 index 6bd36c64..00000000 --- a/crypto_sign/rainbowI-compressed/clean/gf.c +++ /dev/null 
@@ -1,54 +0,0 @@ -#include "gf.h" - -//// gf4 := gf2[x]/x^2+x+1 -static inline uint8_t gf4_mul_2(uint8_t a) { - uint8_t r = (uint8_t)(a << 1); - r ^= (uint8_t)((a >> 1) * 7); - return r; -} - -static inline uint8_t gf4_mul(uint8_t a, uint8_t b) { - uint8_t r = (uint8_t)(a * (b & 1)); - return r ^ (uint8_t)(gf4_mul_2(a) * (b >> 1)); -} - -static inline uint8_t gf4_squ(uint8_t a) { - return a ^ (a >> 1); -} - -//// gf16 := gf4[y]/y^2+y+x -uint8_t PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16_mul(uint8_t a, uint8_t b) { - uint8_t a0 = a & 3; - uint8_t a1 = (a >> 2); - uint8_t b0 = b & 3; - uint8_t b1 = (b >> 2); - uint8_t a0b0 = gf4_mul(a0, b0); - uint8_t a1b1 = gf4_mul(a1, b1); - uint8_t a0b1_a1b0 = gf4_mul(a0 ^ a1, b0 ^ b1) ^ a0b0 ^ a1b1; - uint8_t a1b1_x2 = gf4_mul_2(a1b1); - return (uint8_t)((a0b1_a1b0 ^ a1b1) << 2 ^ a0b0 ^ a1b1_x2); -} - -static inline uint8_t gf16_squ(uint8_t a) { - uint8_t a0 = a & 3; - uint8_t a1 = (a >> 2); - a1 = gf4_squ(a1); - uint8_t a1squ_x2 = gf4_mul_2(a1); - return (uint8_t)((a1 << 2) ^ a1squ_x2 ^ gf4_squ(a0)); -} - -uint8_t PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16_is_nonzero(uint8_t a) { - unsigned int a4 = a & 0xf; - unsigned int r = ((unsigned int)0) - a4; - r >>= 4; - return r & 1; -} - -uint8_t PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16_inv(uint8_t a) { - uint8_t a2 = gf16_squ(a); - uint8_t a4 = gf16_squ(a2); - uint8_t a8 = gf16_squ(a4); - uint8_t a6 = PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16_mul(a4, a2); - return PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16_mul(a8, a6); -} - diff --git a/crypto_sign/rainbowI-compressed/clean/gf.h b/crypto_sign/rainbowI-compressed/clean/gf.h deleted file mode 100644 index 8f6935a7..00000000 --- a/crypto_sign/rainbowI-compressed/clean/gf.h +++ /dev/null 
@@ -1,18 +0,0 @@ -#ifndef _GF16_H_ -#define _GF16_H_ - -#include "rainbow_config.h" -#include - -/// @file gf16.h -/// @brief Library for arithmetics in GF(16) and GF(256) -/// - -uint8_t PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16_mul(uint8_t a, uint8_t b); - - -uint8_t PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16_is_nonzero(uint8_t a); -uint8_t PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16_inv(uint8_t a); - - -#endif // _GF16_H_ diff --git a/crypto_sign/rainbowI-compressed/clean/parallel_matrix_op.c b/crypto_sign/rainbowI-compressed/clean/parallel_matrix_op.c deleted file mode 100644 index b3ef7a49..00000000 --- a/crypto_sign/rainbowI-compressed/clean/parallel_matrix_op.c +++ /dev/null 
@@ -1,182 +0,0 @@ -/// @file parallel_matrix_op.c -/// @brief the standard implementations for functions in parallel_matrix_op.h -/// -/// the standard implementations for functions in parallel_matrix_op.h -/// - -#include "parallel_matrix_op.h" -#include "blas.h" -#include "blas_comm.h" - -/// -/// @brief Calculate the corresponding index in an array for an upper-triangle(UT) matrix. -/// -/// @param[in] i_row - the i-th row in an upper-triangle matrix. -/// @param[in] j_col - the j-th column in an upper-triangle matrix. -/// @param[in] dim - the dimension of the upper-triangle matrix, i.e., an dim x dim matrix. -/// @return the corresponding index in an array storage. -/// -unsigned int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_idx_of_trimat(unsigned int i_row, unsigned int j_col, unsigned int dim) { - return (dim + dim - i_row + 1) * i_row / 2 + j_col - i_row; -} - -/// -/// @brief Calculate the corresponding index in an array for an upper-triangle or lower-triangle matrix. -/// -/// @param[in] i_row - the i-th row in a triangle matrix. -/// @param[in] j_col - the j-th column in a triangle matrix. -/// @param[in] dim - the dimension of the triangle matrix, i.e., an dim x dim matrix. -/// @return the corresponding index in an array storage. 
-/// -static inline unsigned int idx_of_2trimat(unsigned int i_row, unsigned int j_col, unsigned int n_var) { - if (i_row > j_col) { - return PQCLEAN_RAINBOWICOMPRESSED_CLEAN_idx_of_trimat(j_col, i_row, n_var); - } - return PQCLEAN_RAINBOWICOMPRESSED_CLEAN_idx_of_trimat(i_row, j_col, n_var); -} - -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_UpperTrianglize(unsigned char *btriC, const unsigned char *bA, unsigned int Awidth, unsigned int size_batch) { - unsigned char *runningC = btriC; - unsigned int Aheight = Awidth; - for (unsigned int i = 0; i < Aheight; i++) { - for (unsigned int j = 0; j < i; j++) { - unsigned int idx = PQCLEAN_RAINBOWICOMPRESSED_CLEAN_idx_of_trimat(j, i, Aheight); - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_add(btriC + idx * size_batch, bA + size_batch * (i * Awidth + j), size_batch); - } - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_add(runningC, bA + size_batch * (i * Awidth + i), size_batch * (Aheight - i)); - runningC += size_batch * (Aheight - i); - } -} - -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_trimat_madd_gf16(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch) { - unsigned int Awidth = Bheight; - unsigned int Aheight = Awidth; - for (unsigned int i = 0; i < Aheight; i++) { - for (unsigned int j = 0; j < Bwidth; j++) { - for (unsigned int k = 0; k < Bheight; k++) { - if (k < i) { - continue; - } - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_madd(bC, &btriA[(k - i) * size_batch], PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_get_ele(&B[j * size_Bcolvec], k), size_batch); - } - bC += size_batch; - } - btriA += (Aheight - i) * size_batch; - } -} - -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_trimatTr_madd_gf16(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch) { - unsigned int Aheight = Bheight; - for (unsigned int i = 0; i < 
Aheight; i++) { - for (unsigned int j = 0; j < Bwidth; j++) { - for (unsigned int k = 0; k < Bheight; k++) { - if (i < k) { - continue; - } - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_madd(bC, &btriA[size_batch * (PQCLEAN_RAINBOWICOMPRESSED_CLEAN_idx_of_trimat(k, i, Aheight))], PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_get_ele(&B[j * size_Bcolvec], k), size_batch); - } - bC += size_batch; - } - } -} - -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_2trimat_madd_gf16(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch) { - unsigned int Aheight = Bheight; - for (unsigned int i = 0; i < Aheight; i++) { - for (unsigned int j = 0; j < Bwidth; j++) { - for (unsigned int k = 0; k < Bheight; k++) { - if (i == k) { - continue; - } - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_madd(bC, &btriA[size_batch * (idx_of_2trimat(i, k, Aheight))], PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_get_ele(&B[j * size_Bcolvec], k), size_batch); - } - bC += size_batch; - } - } -} - -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_matTr_madd_gf16(unsigned char *bC, const unsigned char *A_to_tr, unsigned int Aheight, unsigned int size_Acolvec, unsigned int Awidth, - const unsigned char *bB, unsigned int Bwidth, unsigned int size_batch) { - unsigned int Atr_height = Awidth; - unsigned int Atr_width = Aheight; - for (unsigned int i = 0; i < Atr_height; i++) { - for (unsigned int j = 0; j < Atr_width; j++) { - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_madd(bC, &bB[j * Bwidth * size_batch], PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_get_ele(&A_to_tr[size_Acolvec * i], j), size_batch * Bwidth); - } - bC += size_batch * Bwidth; - } -} - -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_bmatTr_madd_gf16(unsigned char *bC, const unsigned char *bA_to_tr, unsigned int Awidth_before_tr, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch) { - const unsigned 
char *bA = bA_to_tr; - unsigned int Aheight = Awidth_before_tr; - for (unsigned int i = 0; i < Aheight; i++) { - for (unsigned int j = 0; j < Bwidth; j++) { - for (unsigned int k = 0; k < Bheight; k++) { - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_madd(bC, &bA[size_batch * (i + k * Aheight)], PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_get_ele(&B[j * size_Bcolvec], k), size_batch); - } - bC += size_batch; - } - } -} - -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_mat_madd_gf16(unsigned char *bC, const unsigned char *bA, unsigned int Aheight, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch) { - unsigned int Awidth = Bheight; - for (unsigned int i = 0; i < Aheight; i++) { - for (unsigned int j = 0; j < Bwidth; j++) { - for (unsigned int k = 0; k < Bheight; k++) { - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_madd(bC, &bA[k * size_batch], PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_get_ele(&B[j * size_Bcolvec], k), size_batch); - } - bC += size_batch; - } - bA += (Awidth) * size_batch; - } -} - -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_quad_recmat_eval_gf16(unsigned char *z, const unsigned char *y, unsigned int dim_y, const unsigned char *mat, - const unsigned char *x, unsigned int dim_x, unsigned int size_batch) { - unsigned char tmp[128]; - - unsigned char _x[128]; - for (unsigned int i = 0; i < dim_x; i++) { - _x[i] = PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_get_ele(x, i); - } - unsigned char _y[128]; - for (unsigned int i = 0; i < dim_y; i++) { - _y[i] = PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_get_ele(y, i); - } - - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_set_zero(z, size_batch); - for (unsigned int i = 0; i < dim_y; i++) { - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_set_zero(tmp, size_batch); - for (unsigned int j = 0; j < dim_x; j++) { - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_madd(tmp, mat, _x[j], size_batch); - mat += size_batch; - } - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_madd(z, tmp, _y[i], size_batch); - } 
-} - -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_quad_trimat_eval_gf16(unsigned char *y, const unsigned char *trimat, const unsigned char *x, unsigned int dim, unsigned int size_batch) { - unsigned char tmp[256]; - - unsigned char _x[256]; - for (unsigned int i = 0; i < dim; i++) { - _x[i] = PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_get_ele(x, i); - } - - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_set_zero(y, size_batch); - for (unsigned int i = 0; i < dim; i++) { - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_set_zero(tmp, size_batch); - for (unsigned int j = i; j < dim; j++) { - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_madd(tmp, trimat, _x[j], size_batch); - trimat += size_batch; - } - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_madd(y, tmp, _x[i], size_batch); - } -} diff --git a/crypto_sign/rainbowI-compressed/clean/parallel_matrix_op.h b/crypto_sign/rainbowI-compressed/clean/parallel_matrix_op.h deleted file mode 100644 index a88e861e..00000000 --- a/crypto_sign/rainbowI-compressed/clean/parallel_matrix_op.h +++ /dev/null 
@@ -1,260 +0,0 @@ -#ifndef _P_MATRIX_OP_H_ -#define _P_MATRIX_OP_H_ -/// @file parallel_matrix_op.h -/// @brief Librarys for operations of batched matrixes. -/// -/// - -//////////////// Section: triangle matrix <-> rectangle matrix /////////////////////////////////// - -/// -/// @brief Calculate the corresponding index in an array for an upper-triangle(UT) matrix. -/// -/// @param[in] i_row - the i-th row in an upper-triangle matrix. -/// @param[in] j_col - the j-th column in an upper-triangle matrix. -/// @param[in] dim - the dimension of the upper-triangle matrix, i.e., an dim x dim matrix. -/// @return the corresponding index in an array storage. -/// -unsigned int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_idx_of_trimat(unsigned int i_row, unsigned int j_col, unsigned int dim); - -/// -/// @brief Upper trianglize a rectangle matrix to the corresponding upper-trangle matrix. -/// -/// @param[out] btriC - the batched upper-trianglized matrix C. -/// @param[in] bA - a batched retangle matrix A. -/// @param[in] bwidth - the width of the batched matrix A, i.e., A is a Awidth x Awidth matrix. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_UpperTrianglize(unsigned char *btriC, const unsigned char *bA, unsigned int Awidth, unsigned int size_batch); - -//////////////////// Section: matrix multiplications /////////////////////////////// - -/// -/// @brief bC += btriA * B , in GF(16) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] btriA - a batched UT matrix A. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. 
-/// -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_trimat_madd_gf16(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += btriA * B , in GF(256) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] btriA - a batched UT matrix A. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_trimat_madd_gf256(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += btriA^Tr * B , in GF(16) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] btriA - a batched UT matrix A. A will be transposed while multiplying. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_trimatTr_madd_gf16(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += btriA^Tr * B , in GF(256) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] btriA - a batched UT matrix A, which will be transposed while multiplying. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. 
-/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_trimatTr_madd_gf256(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += (btriA + btriA^Tr) *B , in GF(16) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] btriA - a batched UT matrix A. The operand for multiplication is (btriA + btriA^Tr). -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_2trimat_madd_gf16(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += (btriA + btriA^Tr) *B , in GF(256) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] btriA - a batched UT matrix A. The operand for multiplication is (btriA + btriA^Tr). -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_2trimat_madd_gf256(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += A^Tr * bB , in GF(16) -/// -/// @param[out] bC - the batched matrix C. 
-/// @param[in] A_to_tr - a column-major matrix A. The operand for multiplication is A^Tr. -/// @param[in] Aheight - the height of A. -/// @param[in] size_Acolvec - the size of a column vector in A. -/// @param[in] Awidth - the width of A. -/// @param[in] bB - a batched matrix B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_matTr_madd_gf16(unsigned char *bC, - const unsigned char *A_to_tr, unsigned int Aheight, unsigned int size_Acolvec, unsigned int Awidth, - const unsigned char *bB, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += A^Tr * bB , in GF(256) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] A_to_tr - a column-major matrix A. The operand for multiplication is A^Tr. -/// @param[in] Aheight - the height of A. -/// @param[in] size_Acolvec - the size of a column vector in A. -/// @param[in] Awidth - the width of A. -/// @param[in] bB - a batched matrix B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_matTr_madd_gf256(unsigned char *bC, - const unsigned char *A_to_tr, unsigned int Aheight, unsigned int size_Acolvec, unsigned int Awidth, - const unsigned char *bB, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += bA^Tr * B , in GF(16) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] bA_to_tr - a batched matrix A. The operand for multiplication is (bA^Tr). -/// @param[in] Awidth_befor_tr - the width of A. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. 
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_bmatTr_madd_gf16(unsigned char *bC, const unsigned char *bA_to_tr, unsigned int Awidth_before_tr, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += bA^Tr * B , in GF(256) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] bA_to_tr - a batched matrix A. The operand for multiplication is (bA^Tr). -/// @param[in] Awidth_befor_tr - the width of A. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_bmatTr_madd_gf256(unsigned char *bC, const unsigned char *bA_to_tr, unsigned int Awidth_before_tr, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += bA * B , in GF(16) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] bA - a batched matrix A. -/// @param[in] Aheigh - the height of A. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. 
-/// -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_mat_madd_gf16(unsigned char *bC, const unsigned char *bA, unsigned int Aheight, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += bA * B , in GF(256) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] bA - a batched matrix A. -/// @param[in] Aheigh - the height of A. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_mat_madd_gf256(unsigned char *bC, const unsigned char *bA, unsigned int Aheight, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -//////////////////// Section: "quadratric" matrix evaluation /////////////////////////////// - -/// -/// @brief y = x^Tr * trimat * x , in GF(16) -/// -/// @param[out] y - the returned batched element y. -/// @param[in] trimat - a batched matrix. -/// @param[in] x - an input vector x. -/// @param[in] dim - the dimension of matrix trimat (and x). -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_quad_trimat_eval_gf16(unsigned char *y, const unsigned char *trimat, const unsigned char *x, unsigned int dim, unsigned int size_batch); - -/// -/// @brief y = x^Tr * trimat * x , in GF(256) -/// -/// @param[out] y - the returned batched element y. -/// @param[in] trimat - a batched matrix. -/// @param[in] x - an input vector x. -/// @param[in] dim - the dimension of matrix trimat (and x). -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. 
-/// -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_quad_trimat_eval_gf256(unsigned char *y, const unsigned char *trimat, const unsigned char *x, unsigned int dim, unsigned int size_batch); - -/// -/// @brief z = y^Tr * mat * x , in GF(16) -/// -/// @param[out] z - the returned batched element z. -/// @param[in] y - an input vector y. -/// @param[in] dim_y - the length of y. -/// @param[in] mat - a batched matrix. -/// @param[in] x - an input vector x. -/// @param[in] dim_x - the length of x. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_quad_recmat_eval_gf16(unsigned char *z, const unsigned char *y, unsigned int dim_y, - const unsigned char *mat, const unsigned char *x, unsigned int dim_x, unsigned int size_batch); - -/// -/// @brief z = y^Tr * mat * x , in GF(256) -/// -/// @param[out] z - the returned batched element z. -/// @param[in] y - an input vector y. -/// @param[in] dim_y - the length of y. -/// @param[in] mat - a batched matrix. -/// @param[in] x - an input vector x. -/// @param[in] dim_x - the length of x. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_quad_recmat_eval_gf256(unsigned char *z, const unsigned char *y, unsigned int dim_y, - const unsigned char *mat, const unsigned char *x, unsigned int dim_x, unsigned int size_batch); - -#endif // _P_MATRIX_OP_H_ diff --git a/crypto_sign/rainbowI-compressed/clean/rainbow.c b/crypto_sign/rainbowI-compressed/clean/rainbow.c deleted file mode 100644 index c85690fa..00000000 --- a/crypto_sign/rainbowI-compressed/clean/rainbow.c +++ /dev/null 
@@ -1,179 +0,0 @@ -/// @file rainbow.c -/// @brief The standard implementations for functions in rainbow.h -/// - -#include "blas.h" -#include "parallel_matrix_op.h" -#include "rainbow.h" -#include "rainbow_blas.h" -#include "rainbow_config.h" -#include "rainbow_keypair.h" -#include "utils_hash.h" -#include "utils_prng.h" -#include -#include -#include - -#define MAX_ATTEMPT_FRMAT 128 - -int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_rainbow_sign(uint8_t *signature, const sk_t *sk, const uint8_t *_digest) { - uint8_t mat_l1[_O1 * _O1_BYTE]; - uint8_t mat_l2[_O2 * _O2_BYTE]; - uint8_t mat_buffer[2 * _MAX_O * _MAX_O_BYTE]; - - // setup PRNG - prng_t prng_sign; - uint8_t prng_preseed[LEN_SKSEED + _HASH_LEN]; - memcpy(prng_preseed, sk->sk_seed, LEN_SKSEED); - memcpy(prng_preseed + LEN_SKSEED, _digest, _HASH_LEN); // prng_preseed = sk_seed || digest - uint8_t prng_seed[_HASH_LEN]; - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_hash_msg(prng_seed, _HASH_LEN, prng_preseed, _HASH_LEN + LEN_SKSEED); - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_prng_set(&prng_sign, prng_seed, _HASH_LEN); // seed = H( sk_seed || digest ) - for (unsigned int i = 0; i < LEN_SKSEED + _HASH_LEN; i++) { - prng_preseed[i] ^= prng_preseed[i]; // clean - } - for (unsigned int i = 0; i < _HASH_LEN; i++) { - prng_seed[i] ^= prng_seed[i]; // clean - } - - // roll vinegars. 
- uint8_t vinegar[_V1_BYTE]; - unsigned int n_attempt = 0; - unsigned int l1_succ = 0; - while (!l1_succ) { - if (MAX_ATTEMPT_FRMAT <= n_attempt) { - break; - } - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_prng_gen(&prng_sign, vinegar, _V1_BYTE); // generating vinegars - gfmat_prod(mat_l1, sk->l1_F2, _O1 * _O1_BYTE, _V1, vinegar); // generating the linear equations for layer 1 - l1_succ = gfmat_inv(mat_l1, mat_l1, _O1, mat_buffer); // check if the linear equation solvable - n_attempt++; - } - - // Given the vinegars, pre-compute variables needed for layer 2 - uint8_t r_l1_F1[_O1_BYTE] = {0}; - uint8_t r_l2_F1[_O2_BYTE] = {0}; - batch_quad_trimat_eval(r_l1_F1, sk->l1_F1, vinegar, _V1, _O1_BYTE); - batch_quad_trimat_eval(r_l2_F1, sk->l2_F1, vinegar, _V1, _O2_BYTE); - uint8_t mat_l2_F3[_O2 * _O2_BYTE]; - uint8_t mat_l2_F2[_O1 * _O2_BYTE]; - gfmat_prod(mat_l2_F3, sk->l2_F3, _O2 * _O2_BYTE, _V1, vinegar); - gfmat_prod(mat_l2_F2, sk->l2_F2, _O1 * _O2_BYTE, _V1, vinegar); - - // Some local variables. - uint8_t _z[_PUB_M_BYTE]; - uint8_t y[_PUB_M_BYTE]; - uint8_t *x_v1 = vinegar; - uint8_t x_o1[_O1_BYTE]; - uint8_t x_o2[_O2_BYTE]; - - uint8_t digest_salt[_HASH_LEN + _SALT_BYTE]; - memcpy(digest_salt, _digest, _HASH_LEN); - uint8_t *salt = digest_salt + _HASH_LEN; - - uint8_t temp_o[_MAX_O_BYTE + 32] = {0}; - unsigned int succ = 0; - while (!succ) { - if (MAX_ATTEMPT_FRMAT <= n_attempt) { - break; - } - // The computation: H(digest||salt) --> z --S--> y --C-map--> x --T--> w - - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_prng_gen(&prng_sign, salt, _SALT_BYTE); // roll the salt - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_hash_msg(_z, _PUB_M_BYTE, digest_salt, _HASH_LEN + _SALT_BYTE); // H(digest||salt) - - // y = S^-1 * z - memcpy(y, _z, _PUB_M_BYTE); // identity part of S - gfmat_prod(temp_o, sk->s1, _O1_BYTE, _O2, _z + _O1_BYTE); - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_add(y, temp_o, _O1_BYTE); - - // Central Map: - // layer 1: calculate x_o1 - memcpy(temp_o, r_l1_F1, _O1_BYTE); - 
PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_add(temp_o, y, _O1_BYTE); - gfmat_prod(x_o1, mat_l1, _O1_BYTE, _O1, temp_o); - - // layer 2: calculate x_o2 - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_set_zero(temp_o, _O2_BYTE); - gfmat_prod(temp_o, mat_l2_F2, _O2_BYTE, _O1, x_o1); // F2 - batch_quad_trimat_eval(mat_l2, sk->l2_F5, x_o1, _O1, _O2_BYTE); // F5 - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_add(temp_o, mat_l2, _O2_BYTE); - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_add(temp_o, r_l2_F1, _O2_BYTE); // F1 - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_add(temp_o, y + _O1_BYTE, _O2_BYTE); - - // generate the linear equations of the 2nd layer - gfmat_prod(mat_l2, sk->l2_F6, _O2 * _O2_BYTE, _O1, x_o1); // F6 - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_add(mat_l2, mat_l2_F3, _O2 * _O2_BYTE); // F3 - succ = gfmat_inv(mat_l2, mat_l2, _O2, mat_buffer); - gfmat_prod(x_o2, mat_l2, _O2_BYTE, _O2, temp_o); // solve l2 eqs - - n_attempt++; - }; - // w = T^-1 * y - uint8_t w[_PUB_N_BYTE]; - // identity part of T. - memcpy(w, x_v1, _V1_BYTE); - memcpy(w + _V1_BYTE, x_o1, _O1_BYTE); - memcpy(w + _V2_BYTE, x_o2, _O2_BYTE); - // Computing the t1 part. - gfmat_prod(y, sk->t1, _V1_BYTE, _O1, x_o1); - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_add(w, y, _V1_BYTE); - // Computing the t4 part. - gfmat_prod(y, sk->t4, _V1_BYTE, _O2, x_o2); - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_add(w, y, _V1_BYTE); - // Computing the t3 part. - gfmat_prod(y, sk->t3, _O1_BYTE, _O2, x_o2); - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_add(w + _V1_BYTE, y, _O1_BYTE); - - memset(signature, 0, _SIGNATURE_BYTE); // set the output 0 - // clean - memset(&prng_sign, 0, sizeof(prng_t)); - memset(vinegar, 0, _V1_BYTE); - memset(r_l1_F1, 0, _O1_BYTE); - memset(r_l2_F1, 0, _O2_BYTE); - memset(_z, 0, _PUB_M_BYTE); - memset(y, 0, _PUB_M_BYTE); - memset(x_o1, 0, _O1_BYTE); - memset(x_o2, 0, _O2_BYTE); - memset(temp_o, 0, sizeof(temp_o)); - - // return: copy w and salt to the signature. 
- if (MAX_ATTEMPT_FRMAT <= n_attempt) { - return -1; - } - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_add(signature, w, _PUB_N_BYTE); - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_add(signature + _PUB_N_BYTE, salt, _SALT_BYTE); - return 0; -} - -int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_rainbow_verify(const uint8_t *digest, const uint8_t *signature, const pk_t *pk) { - unsigned char digest_ck[_PUB_M_BYTE]; - // public_map( digest_ck , pk , signature ); Evaluating the quadratic public polynomials. - batch_quad_trimat_eval(digest_ck, pk->pk, signature, _PUB_N, _PUB_M_BYTE); - - unsigned char correct[_PUB_M_BYTE]; - unsigned char digest_salt[_HASH_LEN + _SALT_BYTE]; - memcpy(digest_salt, digest, _HASH_LEN); - memcpy(digest_salt + _HASH_LEN, signature + _PUB_N_BYTE, _SALT_BYTE); - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_hash_msg(correct, _PUB_M_BYTE, digest_salt, _HASH_LEN + _SALT_BYTE); // H( digest || salt ) - - // check consistancy. - unsigned char cc = 0; - for (unsigned int i = 0; i < _PUB_M_BYTE; i++) { - cc |= (digest_ck[i] ^ correct[i]); - } - return (0 == cc) ? 0 : -1; -} - -/////////////// cyclic version /////////////////////////// -int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_rainbow_sign_cyclic(uint8_t *signature, const csk_t *csk, const uint8_t *digest) { - unsigned char sk[sizeof(sk_t) + 32]; - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_generate_secretkey_cyclic((sk_t *)sk, csk->pk_seed, csk->sk_seed); // generating classic secret key. - return PQCLEAN_RAINBOWICOMPRESSED_CLEAN_rainbow_sign(signature, (sk_t *)sk, digest); -} - -int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_rainbow_verify_cyclic(const uint8_t *digest, const uint8_t *signature, const cpk_t *_pk) { - unsigned char pk[sizeof(pk_t) + 32]; - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_cpk_to_pk((pk_t *)pk, _pk); // generating classic public key. - return PQCLEAN_RAINBOWICOMPRESSED_CLEAN_rainbow_verify(digest, signature, (pk_t *)pk); -} 
diff --git a/crypto_sign/rainbowI-compressed/clean/rainbow.h b/crypto_sign/rainbowI-compressed/clean/rainbow.h deleted file mode 100644 index 9b341caa..00000000 --- a/crypto_sign/rainbowI-compressed/clean/rainbow.h +++ /dev/null @@ -1,50 +0,0 @@ -#ifndef _RAINBOW_H_ -#define _RAINBOW_H_ -/// @file rainbow.h -/// @brief APIs for rainbow. -/// - -#include "rainbow_config.h" -#include "rainbow_keypair.h" - -#include - -/// -/// @brief Signing function for classical secret key. -/// -/// @param[out] signature - the signature. -/// @param[in] sk - the secret key. -/// @param[in] digest - the digest. -/// -int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_rainbow_sign(uint8_t *signature, const sk_t *sk, const uint8_t *digest); - -/// -/// @brief Verifying function. -/// -/// @param[in] digest - the digest. -/// @param[in] signature - the signature. -/// @param[in] pk - the public key. -/// @return 0 for successful verified. -1 for failed verification. -/// -int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_rainbow_verify(const uint8_t *digest, const uint8_t *signature, const pk_t *pk); - -/// -/// @brief Signing function for compressed secret key of the cyclic rainbow. -/// -/// @param[out] signature - the signature. -/// @param[in] sk - the compressed secret key. -/// @param[in] digest - the digest. -/// -int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_rainbow_sign_cyclic(uint8_t *signature, const csk_t *sk, const uint8_t *digest); - -/// -/// @brief Verifying function for cyclic public keys. -/// -/// @param[in] digest - the digest. -/// @param[in] signature - the signature. -/// @param[in] pk - the public key of cyclic rainbow. -/// @return 0 for successful verified. -1 for failed verification. -/// -int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_rainbow_verify_cyclic(const uint8_t *digest, const uint8_t *signature, const cpk_t *pk); - -#endif // _RAINBOW_H_ 
diff --git a/crypto_sign/rainbowI-compressed/clean/rainbow_blas.h b/crypto_sign/rainbowI-compressed/clean/rainbow_blas.h
deleted file mode 100644
index 78e3bff4..00000000
--- a/crypto_sign/rainbowI-compressed/clean/rainbow_blas.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef _RAINBOW_BLAS_H_
-#define _RAINBOW_BLAS_H_
-/// @file rainbow_blas.h
-/// @brief Defining the functions used in rainbow.c acconding to the definitions in rainbow_config.h
-///
-/// Defining the functions used in rainbow.c acconding to the definitions in rainbow_config.h
-
-#include "blas.h"
-#include "blas_comm.h"
-#include "parallel_matrix_op.h"
-#include "rainbow_config.h"
-
-
-#define gfv_get_ele PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_get_ele
-#define gfv_mul_scalar PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_mul_scalar
-#define gfv_madd PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16v_madd
-
-#define gfmat_prod PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16mat_prod
-#define gfmat_inv PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf16mat_inv
-
-#define batch_trimat_madd PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_trimat_madd_gf16
-#define batch_trimatTr_madd PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_trimatTr_madd_gf16
-#define batch_2trimat_madd PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_2trimat_madd_gf16
-#define batch_matTr_madd PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_matTr_madd_gf16
-#define batch_bmatTr_madd PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_bmatTr_madd_gf16
-#define batch_mat_madd PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_mat_madd_gf16
-
-#define batch_quad_trimat_eval PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_quad_trimat_eval_gf16
-#define batch_quad_recmat_eval PQCLEAN_RAINBOWICOMPRESSED_CLEAN_batch_quad_recmat_eval_gf16
-
-
-#endif // _RAINBOW_BLAS_H_
diff --git a/crypto_sign/rainbowI-compressed/clean/rainbow_config.h b/crypto_sign/rainbowI-compressed/clean/rainbow_config.h
deleted file mode 100644
index a581af34..00000000
--- a/crypto_sign/rainbowI-compressed/clean/rainbow_config.h
+++ /dev/null
@@ -1,49 +0,0 @@
-#ifndef _H_RAINBOW_CONFIG_H_
-#define _H_RAINBOW_CONFIG_H_
-
-/// @file rainbow_config.h
-/// @brief Defining the parameters of the Rainbow and the corresponding constants.
-///
-
-#define _USE_GF16
-#define _GFSIZE 16
-#define _V1 36
-#define _O1 32
-#define _O2 32
-#define _MAX_O 32
-#define _HASH_LEN 32
-
-
-#define _V2 ((_V1) + (_O1))
-
-/// size of N, in # of gf elements.
-#define _PUB_N (_V1 + _O1 + _O2)
-
-/// size of M, in # gf elements.
-#define _PUB_M (_O1 + _O2)
-
-/// size of variables, in # bytes.
-
-// GF16
-#define _V1_BYTE (_V1 / 2)
-#define _V2_BYTE (_V2 / 2)
-#define _O1_BYTE (_O1 / 2)
-#define _O2_BYTE (_O2 / 2)
-#define _MAX_O_BYTE (_MAX_O / 2)
-#define _PUB_N_BYTE (_PUB_N / 2)
-#define _PUB_M_BYTE (_PUB_M / 2)
-
-
-/// length of seed for public key, in # bytes
-#define LEN_PKSEED 32
-
-/// length of seed for secret key, in # bytes
-#define LEN_SKSEED 32
-
-/// length of salt for a signature, in # bytes
-#define _SALT_BYTE 16
-
-/// length of a signature
-#define _SIGNATURE_BYTE (_PUB_N_BYTE + _SALT_BYTE)
-
-#endif // _H_RAINBOW_CONFIG_H_
diff --git a/crypto_sign/rainbowI-compressed/clean/rainbow_keypair.c b/crypto_sign/rainbowI-compressed/clean/rainbow_keypair.c
deleted file mode 100644
index a3460d28..00000000
--- a/crypto_sign/rainbowI-compressed/clean/rainbow_keypair.c
+++ /dev/null
@@ -1,217 +0,0 @@ -/// @file rainbow_keypair.c -/// @brief implementations of functions in rainbow_keypair.h -/// - -#include "rainbow_keypair.h" -#include "blas.h" -#include "blas_comm.h" -#include "rainbow_blas.h" -#include "rainbow_keypair_computation.h" -#include "utils_prng.h" -#include -#include -#include - -static -void generate_S_T( unsigned char *s_and_t, prng_t *prng0 ) { - sk_t *_sk; - unsigned size; - - size = sizeof(_sk->s1); - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_prng_gen( prng0, s_and_t, size ); - s_and_t += size; - - size = sizeof(_sk->t1); - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_prng_gen( prng0, s_and_t, size ); - s_and_t += size; - - size = sizeof(_sk->t4); - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_prng_gen( prng0, s_and_t, size ); - s_and_t += size; - - size = sizeof(_sk->t3); - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_prng_gen( prng0, s_and_t, size ); -} - - -static -unsigned generate_l1_F12( unsigned char *sk, prng_t *prng0 ) { - unsigned n_byte_generated = 0; - sk_t *_sk; - unsigned size; - - size = sizeof(_sk->l1_F1); - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_prng_gen( prng0, sk, size ); - sk += size; - n_byte_generated += size; - - size = sizeof(_sk->l1_F2); - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_prng_gen( prng0, sk, size ); - n_byte_generated += size; - - return n_byte_generated; -} - - -static -unsigned generate_l2_F12356( unsigned char *sk, prng_t *prng0 ) { - unsigned n_byte_generated = 0; - sk_t *_sk; - unsigned size; - - size = sizeof(_sk->l2_F1); - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_prng_gen( prng0, sk, size ); - sk += size; - n_byte_generated += size; - - size = sizeof(_sk->l2_F2); - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_prng_gen( prng0, sk, size ); - sk += size; - n_byte_generated += size; - - size = sizeof(_sk->l2_F3); - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_prng_gen( prng0, sk, size ); - sk += size; - n_byte_generated += size; - - size = sizeof(_sk->l2_F5); - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_prng_gen( prng0, sk, size ); - sk += size; - n_byte_generated += size; - - size = 
sizeof(_sk->l2_F6); - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_prng_gen( prng0, sk, size ); - n_byte_generated += size; - - return n_byte_generated; -} - - -static void generate_B1_B2(unsigned char *sk, prng_t *prng0) { - sk += generate_l1_F12(sk, prng0); - generate_l2_F12356(sk, prng0); -} - -static void calculate_t4(unsigned char *t2_to_t4, const unsigned char *t1, const unsigned char *t3) { - // t4 = T_sk.t1 * T_sk.t3 - T_sk.t2 - unsigned char temp[_V1_BYTE + 32]; - unsigned char *t4 = t2_to_t4; - for (unsigned int i = 0; i < _O2; i++) { /// t3 width - gfmat_prod(temp, t1, _V1_BYTE, _O1, t3); - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_add(t4, temp, _V1_BYTE); - t4 += _V1_BYTE; - t3 += _O1_BYTE; - } -} - -static void obsfucate_l1_polys(unsigned char *l1_polys, const unsigned char *l2_polys, unsigned int n_terms, const unsigned char *s1) { - unsigned char temp[_O1_BYTE + 32]; - while (n_terms--) { - gfmat_prod(temp, s1, _O1_BYTE, _O2, l2_polys); - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_gf256v_add(l1_polys, temp, _O1_BYTE); - l1_polys += _O1_BYTE; - l2_polys += _O2_BYTE; - } -} - -/////////////////// Classic ////////////////////////////////// - - -///////////////////// Cyclic ////////////////////////////////// -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_generate_keypair_cyclic(cpk_t *pk, sk_t *sk, const unsigned char *pk_seed, const unsigned char *sk_seed) { - memcpy(pk->pk_seed, pk_seed, LEN_PKSEED); - memcpy(sk->sk_seed, sk_seed, LEN_SKSEED); - - // prng for sk - prng_t prng; - prng_t *prng0 = &prng; - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_prng_set(prng0, sk_seed, LEN_SKSEED); - generate_S_T(sk->s1, prng0); // S,T: only a part of sk - - unsigned char t2[sizeof(sk->t4)]; - memcpy(t2, sk->t4, _V1_BYTE * _O2); // temporarily store t2 - calculate_t4(sk->t4, sk->t1, sk->t3); // t2 <- t4 - - // prng for pk - sk_t inst_Qs; - sk_t *Qs = &inst_Qs; - prng_t *prng1 = &prng; - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_prng_set(prng1, pk_seed, LEN_PKSEED); - generate_B1_B2(Qs->l1_F1, prng1); // generating 
l1_Q1, l1_Q2, l2_Q1, l2_Q2, l2_Q3, l2_Q5, l2_Q6 - obsfucate_l1_polys(Qs->l1_F1, Qs->l2_F1, N_TRIANGLE_TERMS(_V1), sk->s1); - obsfucate_l1_polys(Qs->l1_F2, Qs->l2_F2, _V1 * _O1, sk->s1); - // so far, the Qs contains l1_F1, l1_F2, l2_F1, l2_F2, l2_F3, l2_F5, l2_F6. - - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_calculate_F_from_Q(sk, Qs, sk); // calcuate the rest parts of secret key from Qs and S,T - - unsigned char t4[sizeof(sk->t4)]; - memcpy(t4, sk->t4, _V1_BYTE * _O2); // temporarily store t4 - memcpy(sk->t4, t2, _V1_BYTE * _O2); // restore t2 - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_calculate_Q_from_F_cyclic(pk, sk, sk); // calculate the rest parts of public key: l1_Q3, l1_Q5, l1_Q6, l1_Q9, l2_Q9 - memcpy(sk->t4, t4, _V1_BYTE * _O2); // restore t4 - - obsfucate_l1_polys(pk->l1_Q3, Qs->l2_F3, _V1 * _O2, sk->s1); - obsfucate_l1_polys(pk->l1_Q5, Qs->l2_F5, N_TRIANGLE_TERMS(_O1), sk->s1); - obsfucate_l1_polys(pk->l1_Q6, Qs->l2_F6, _O1 * _O2, sk->s1); - obsfucate_l1_polys(pk->l1_Q9, pk->l2_Q9, N_TRIANGLE_TERMS(_O2), sk->s1); - - // clean - memset(&prng, 0, sizeof(prng_t)); -} - - -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_generate_compact_keypair_cyclic(cpk_t *pk, csk_t *rsk, const unsigned char *pk_seed, const unsigned char *sk_seed) { - memcpy(rsk->pk_seed, pk_seed, LEN_PKSEED); - memcpy(rsk->sk_seed, sk_seed, LEN_SKSEED); - sk_t sk; - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_generate_keypair_cyclic(pk, &sk, pk_seed, sk_seed); -} - -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_generate_secretkey_cyclic(sk_t *sk, const unsigned char *pk_seed, const unsigned char *sk_seed) { - memcpy(sk->sk_seed, sk_seed, LEN_SKSEED); - - // prng for sk - prng_t prng0; - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_prng_set(&prng0, sk_seed, LEN_SKSEED); - generate_S_T(sk->s1, &prng0); - calculate_t4(sk->t4, sk->t1, sk->t3); - - // prng for pk - sk_t inst_Qs; - sk_t *Qs = &inst_Qs; - prng_t prng1; - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_prng_set(&prng1, pk_seed, LEN_PKSEED); - generate_B1_B2(Qs->l1_F1, &prng1); - - 
obsfucate_l1_polys(Qs->l1_F1, Qs->l2_F1, N_TRIANGLE_TERMS(_V1), sk->s1); - obsfucate_l1_polys(Qs->l1_F2, Qs->l2_F2, _V1 * _O1, sk->s1); - - // calcuate the parts of sk according to pk. - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_calculate_F_from_Q(sk, Qs, sk); - - // clean prng for sk - memset(&prng0, 0, sizeof(prng_t)); -} -void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_cpk_to_pk(pk_t *rpk, const cpk_t *cpk) { - // procedure: cpk_t --> extcpk_t --> pk_t - - // convert from cpk_t to extcpk_t - ext_cpk_t pk; - - // setup prng - prng_t prng0; - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_prng_set(&prng0, cpk->pk_seed, LEN_SKSEED); - - // generating parts of key with prng - generate_l1_F12(pk.l1_Q1, &prng0); - // copying parts of key from input. l1_Q3, l1_Q5, l1_Q6, l1_Q9 - memcpy(pk.l1_Q3, cpk->l1_Q3, _O1_BYTE * (_V1 * _O2 + N_TRIANGLE_TERMS(_O1) + _O1 * _O2 + N_TRIANGLE_TERMS(_O2))); - - // generating parts of key with prng - generate_l2_F12356(pk.l2_Q1, &prng0); - // copying parts of key from input: l2_Q9 - memcpy(pk.l2_Q9, cpk->l2_Q9, _O2_BYTE * N_TRIANGLE_TERMS(_O2)); - - // convert from extcpk_t to pk_t - PQCLEAN_RAINBOWICOMPRESSED_CLEAN_extcpk_to_pk(rpk, &pk); -} diff --git a/crypto_sign/rainbowI-compressed/clean/rainbow_keypair.h b/crypto_sign/rainbowI-compressed/clean/rainbow_keypair.h deleted file mode 100644 index 8c2a077b..00000000 --- a/crypto_sign/rainbowI-compressed/clean/rainbow_keypair.h +++ /dev/null 
@@ -1,111 +0,0 @@
-#ifndef _RAINBOW_KEYPAIR_H_
-#define _RAINBOW_KEYPAIR_H_
-/// @file rainbow_keypair.h
-/// @brief Formats of key pairs and functions for generating key pairs.
-/// Formats of key pairs and functions for generating key pairs.
-///
-
-#include "rainbow_config.h"
-
-#define N_TRIANGLE_TERMS(n_var) ((n_var) * ((n_var) + 1) / 2)
-
-/// @brief public key for classic rainbow
-///
-/// public key for classic rainbow
-///
-typedef struct rainbow_publickey {
- unsigned char pk[(_PUB_M_BYTE)*N_TRIANGLE_TERMS(_PUB_N)];
-} pk_t;
-
-/// @brief secret key for classic rainbow
-///
-/// secret key for classic rainbow
-///
-typedef struct rainbow_secretkey {
- ///
- /// seed for generating secret key.
- /// Generating S, T, and F for classic rainbow.
- /// Generating S and T only for cyclic rainbow.
- unsigned char sk_seed[LEN_SKSEED];
-
- unsigned char s1[_O1_BYTE * _O2]; ///< part of S map
- unsigned char t1[_V1_BYTE * _O1]; ///< part of T map
- unsigned char t4[_V1_BYTE * _O2]; ///< part of T map
- unsigned char t3[_O1_BYTE * _O2]; ///< part of T map
-
- unsigned char l1_F1[_O1_BYTE * N_TRIANGLE_TERMS(_V1)]; ///< part of C-map, F1, Layer1
- unsigned char l1_F2[_O1_BYTE * _V1 * _O1]; ///< part of C-map, F2, Layer1
-
- unsigned char l2_F1[_O2_BYTE * N_TRIANGLE_TERMS(_V1)]; ///< part of C-map, F1, Layer2
- unsigned char l2_F2[_O2_BYTE * _V1 * _O1]; ///< part of C-map, F2, Layer2
-
- unsigned char l2_F3[_O2_BYTE * _V1 * _O2]; ///< part of C-map, F3, Layer2
- unsigned char l2_F5[_O2_BYTE * N_TRIANGLE_TERMS(_O1)]; ///< part of C-map, F5, Layer2
- unsigned char l2_F6[_O2_BYTE * _O1 * _O2]; ///< part of C-map, F6, Layer2
-} sk_t;
-
-/// @brief public key for cyclic rainbow
-///
-/// public key for cyclic rainbow
-///
-typedef struct rainbow_publickey_cyclic {
- unsigned char pk_seed[LEN_PKSEED]; ///< seed for generating l1_Q1,l1_Q2,l2_Q1,l2_Q2,l2_Q3,l2_Q5,l2_Q6
-
- unsigned char l1_Q3[_O1_BYTE * _V1 * _O2]; ///< Q3, layer1
- unsigned char l1_Q5[_O1_BYTE * N_TRIANGLE_TERMS(_O1)]; ///< Q5, layer1
- unsigned char l1_Q6[_O1_BYTE * _O1 * _O2]; ///< Q6, layer1
- unsigned char l1_Q9[_O1_BYTE * N_TRIANGLE_TERMS(_O2)]; ///< Q9, layer1
-
- unsigned char l2_Q9[_O2_BYTE * N_TRIANGLE_TERMS(_O2)]; ///< Q9, layer2
-} cpk_t;
-
-/// @brief compressed secret key for cyclic rainbow
-///
-/// compressed secret key for cyclic rainbow
-///
-typedef struct rainbow_secretkey_cyclic {
- unsigned char pk_seed[LEN_PKSEED]; ///< seed for generating a part of public key.
- unsigned char sk_seed[LEN_SKSEED]; ///< seed for generating a part of secret key.
-} csk_t;
-
-
-///
-/// @brief Generate key pairs for cyclic rainbow.
-///
-/// @param[out] pk - the public key.
-/// @param[out] sk - the secret key.
-/// @param[in] pk_seed - seed for generating parts of public key.
-/// @param[in] sk_seed - seed for generating secret key.
-///
-void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_generate_keypair_cyclic(cpk_t *pk, sk_t *sk, const unsigned char *pk_seed, const unsigned char *sk_seed);
-
-///
-/// @brief Generate compressed key pairs for cyclic rainbow.
-///
-/// @param[out] pk - the public key.
-/// @param[out] sk - the compressed secret key.
-/// @param[in] pk_seed - seed for generating parts of the public key.
-/// @param[in] sk_seed - seed for generating the secret key.
-///
-void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_generate_compact_keypair_cyclic(cpk_t *pk, csk_t *sk, const unsigned char *pk_seed, const unsigned char *sk_seed);
-
-///
-/// @brief Generate secret key for cyclic rainbow.
-///
-/// @param[out] sk - the secret key.
-/// @param[in] pk_seed - seed for generating parts of the pbulic key.
-/// @param[in] sk_seed - seed for generating the secret key.
-///
-void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_generate_secretkey_cyclic(sk_t *sk, const unsigned char *pk_seed, const unsigned char *sk_seed);
-
-////////////////////////////////////
-
-///
-/// @brief converting formats of public keys : from cyclic version to classic key
-///
-/// @param[out] pk - the classic public key.
-/// @param[in] cpk - the cyclic public key.
-///
-void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_cpk_to_pk(pk_t *pk, const cpk_t *cpk);
-
-#endif // _RAINBOW_KEYPAIR_H_
diff --git a/crypto_sign/rainbowI-compressed/clean/rainbow_keypair_computation.c b/crypto_sign/rainbowI-compressed/clean/rainbow_keypair_computation.c
deleted file mode 100644
index 98efd459..00000000
--- a/crypto_sign/rainbowI-compressed/clean/rainbow_keypair_computation.c
+++ /dev/null
@@ -1,213 +0,0 @@
-/// @file rainbow_keypair_computation.c
-/// @brief Implementations for functions in rainbow_keypair_computation.h
-///
-
-#include "rainbow_keypair_computation.h"
-#include "blas.h"
-#include "blas_comm.h"
-#include "rainbow_blas.h"
-#include "rainbow_keypair.h"
-#include 
-#include 
-#include 
-
-void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_extcpk_to_pk(pk_t *pk, const ext_cpk_t *cpk) {
- const unsigned char *idx_l1 = cpk->l1_Q1;
- const unsigned char *idx_l2 = cpk->l2_Q1;
- for (unsigned int i = 0; i < _V1; i++) {
- for (unsigned int j = i; j < _V1; j++) {
- unsigned int pub_idx = PQCLEAN_RAINBOWICOMPRESSED_CLEAN_idx_of_trimat(i, j, _PUB_N);
- memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE);
- memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE);
- idx_l1 += _O1_BYTE;
- idx_l2 += _O2_BYTE;
- }
- }
- idx_l1 = cpk->l1_Q2;
- idx_l2 = cpk->l2_Q2;
- for (unsigned int i = 0; i < _V1; i++) {
- for (unsigned int j = _V1; j < _V1 + _O1; j++) {
- unsigned int pub_idx = PQCLEAN_RAINBOWICOMPRESSED_CLEAN_idx_of_trimat(i, j, _PUB_N);
- memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE);
- memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE);
- idx_l1 += _O1_BYTE;
- idx_l2 += _O2_BYTE;
- }
- }
- idx_l1 = cpk->l1_Q3;
- idx_l2 = cpk->l2_Q3;
- for (unsigned int i = 0; i < _V1; i++) {
- for (unsigned int j = _V1 + _O1; j < _PUB_N; j++) {
- unsigned int pub_idx = PQCLEAN_RAINBOWICOMPRESSED_CLEAN_idx_of_trimat(i, j, _PUB_N);
- memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE);
- memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE);
- idx_l1 += _O1_BYTE;
- idx_l2 += _O2_BYTE;
- }
- }
- idx_l1 = cpk->l1_Q5;
- idx_l2 = cpk->l2_Q5;
- for (unsigned int i = _V1; i < _V1 + _O1; i++) {
- for (unsigned int j = i; j < _V1 + _O1; j++) {
- unsigned int pub_idx = PQCLEAN_RAINBOWICOMPRESSED_CLEAN_idx_of_trimat(i, j, _PUB_N);
- memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE);
- memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE);
- idx_l1 += _O1_BYTE;
- idx_l2 += _O2_BYTE;
- }
- }
- idx_l1 = cpk->l1_Q6;
- idx_l2 = cpk->l2_Q6;
- for (unsigned int i = _V1; i < _V1 + _O1; i++) {
- for (unsigned int j = _V1 + _O1; j < _PUB_N; j++) {
- unsigned int pub_idx = PQCLEAN_RAINBOWICOMPRESSED_CLEAN_idx_of_trimat(i, j, _PUB_N);
- memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE);
- memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE);
- idx_l1 += _O1_BYTE;
- idx_l2 += _O2_BYTE;
- }
- }
- idx_l1 = cpk->l1_Q9;
- idx_l2 = cpk->l2_Q9;
- for (unsigned int i = _V1 + _O1; i < _PUB_N; i++) {
- for (unsigned int j = i; j < _PUB_N; j++) {
- unsigned int pub_idx = PQCLEAN_RAINBOWICOMPRESSED_CLEAN_idx_of_trimat(i, j, _PUB_N);
- memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE);
- memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE);
- idx_l1 += _O1_BYTE;
- idx_l2 += _O2_BYTE;
- }
- }
-}
-
-static void calculate_F_from_Q_ref(sk_t *Fs, const sk_t *Qs, sk_t *Ts) {
- // Layer 1
- // F_sk.l1_F1s[i] = Q_pk.l1_F1s[i]
- memcpy(Fs->l1_F1, Qs->l1_F1, _O1_BYTE * N_TRIANGLE_TERMS(_V1));
-
- // F_sk.l1_F2s[i] = ( Q_pk.l1_F1s[i] + Q_pk.l1_F1s[i].transpose() ) * T_sk.t1 + Q_pk.l1_F2s[i]
- memcpy(Fs->l1_F2, Qs->l1_F2, _O1_BYTE * _V1 * _O1);
- batch_2trimat_madd(Fs->l1_F2, Qs->l1_F1, Ts->t1, _V1, _V1_BYTE, _O1, _O1_BYTE);
-
- /*
- Layer 2
- computations:
-
- F_sk.l2_F1s[i] = Q_pk.l2_F1s[i]
-
- Q1_T1 = Q_pk.l2_F1s[i]*T_sk.t1
- F_sk.l2_F2s[i] = Q1_T1 + Q_pk.l2_F2s[i] + Q_pk.l2_F1s[i].transpose() * T_sk.t1
- F_sk.l2_F5s[i] = UT( t1_tr* ( Q1_T1 + Q_pk.l2_F2s[i] ) ) + Q_pk.l2_F5s[i]
-
- Q1_Q1T_T4 = (Q_pk.l2_F1s[i] + Q_pk.l2_F1s[i].transpose()) * t4
- #Q1_Q1T_T4 = Q1_Q1T * t4
- Q2_T3 = Q_pk.l2_F2s[i]*T_sk.t3
- F_sk.l2_F3s[i] = Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i]
- F_sk.l2_F6s[i] = t1_tr * ( Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i] )
- + Q_pk.l2_F2s[i].transpose() * t4
- + (Q_pk.l2_F5s[i] + Q_pk.l2_F5s[i].transpose())*T_sk.t3 + Q_pk.l2_F6s[i]
-
- */
- memcpy(Fs->l2_F1, Qs->l2_F1, _O2_BYTE * N_TRIANGLE_TERMS(_V1)); // F_sk.l2_F1s[i] = Q_pk.l2_F1s[i]
-
- // F_sk.l2_F2s[i] = Q1_T1 + Q_pk.l2_F2s[i] + Q_pk.l2_F1s[i].transpose() * T_sk.t1
- // F_sk.l2_F5s[i] = UT( t1_tr* ( Q1_T1 + Q_pk.l2_F2s[i] ) ) + Q_pk.l2_F5s[i]
- memcpy(Fs->l2_F2, Qs->l2_F2, _O2_BYTE * _V1 * _O1);
- batch_trimat_madd(Fs->l2_F2, Qs->l2_F1, Ts->t1, _V1, _V1_BYTE, _O1, _O2_BYTE); // Q1_T1+ Q2
-
- unsigned char tempQ[_O1 * _O1 * _O2_BYTE + 32];
- memset(tempQ, 0, _O1 * _O1 * _O2_BYTE);
- batch_matTr_madd(tempQ, Ts->t1, _V1, _V1_BYTE, _O1, Fs->l2_F2, _O1, _O2_BYTE); // t1_tr*(Q1_T1+Q2)
- memcpy(Fs->l2_F5, Qs->l2_F5, _O2_BYTE * N_TRIANGLE_TERMS(_O1)); // F5
- PQCLEAN_RAINBOWICOMPRESSED_CLEAN_UpperTrianglize(Fs->l2_F5, tempQ, _O1, _O2_BYTE); // UT( ... )
-
- batch_trimatTr_madd(Fs->l2_F2, Qs->l2_F1, Ts->t1, _V1, _V1_BYTE, _O1, _O2_BYTE); // F2 = Q1_T1 + Q2 + Q1^tr*t1
-
- // Q1_Q1T_T4 = (Q_pk.l2_F1s[i] + Q_pk.l2_F1s[i].transpose()) * t4
- // Q2_T3 = Q_pk.l2_F2s[i]*T_sk.t3
- // F_sk.l2_F3s[i] = Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i]
- memcpy(Fs->l2_F3, Qs->l2_F3, _V1 * _O2 * _O2_BYTE);
- batch_2trimat_madd(Fs->l2_F3, Qs->l2_F1, Ts->t4, _V1, _V1_BYTE, _O2, _O2_BYTE); // Q1_Q1T_T4
- batch_mat_madd(Fs->l2_F3, Qs->l2_F2, _V1, Ts->t3, _O1, _O1_BYTE, _O2, _O2_BYTE); // Q2_T3
-
- // F_sk.l2_F6s[i] = t1_tr * ( Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i] )
- // + Q_pk.l2_F2s[i].transpose() * t4
- // + (Q_pk.l2_F5s[i] + Q_pk.l2_F5s[i].transpose())*T_sk.t3 + Q_pk.l2_F6s[i]
- memcpy(Fs->l2_F6, Qs->l2_F6, _O1 * _O2 * _O2_BYTE);
- batch_matTr_madd(Fs->l2_F6, Ts->t1, _V1, _V1_BYTE, _O1, Fs->l2_F3, _O2, _O2_BYTE); // t1_tr * ( Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i] )
- batch_2trimat_madd(Fs->l2_F6, Qs->l2_F5, Ts->t3, _O1, _O1_BYTE, _O2, _O2_BYTE); // (Q_pk.l2_F5s[i] + Q_pk.l2_F5s[i].transpose())*T_sk.t3
- batch_bmatTr_madd(Fs->l2_F6, Qs->l2_F2, _O1, Ts->t4, _V1, _V1_BYTE, _O2, _O2_BYTE);
-}
-
-#define _SIZE_BUFFER_F2 (_O2_BYTE * _V1 * _O2)
-#define _SIZE_BUFFER_F3 (_O2_BYTE * _V1 * _O2)
-static void calculate_Q_from_F_cyclic_ref(cpk_t *Qs, const sk_t *Fs, const sk_t *Ts) {
- // Layer 1: Computing Q5, Q3, Q6, Q9
-
- // Q_pk.l1_F5s[i] = UT( T1tr* (F1 * T1 + F2) )
- const unsigned char *t2 = Ts->t4;
-
- // assuming _O2 >= _O1
-
- unsigned char buffer_F2[_SIZE_BUFFER_F2];
- memcpy(buffer_F2, Fs->l1_F2, _O1_BYTE * _V1 * _O1);
- batch_trimat_madd( buffer_F2, Fs->l1_F1, Ts->t1, _V1, _V1_BYTE, _O1, _O1_BYTE); // F1*T1 + F2
-
- // assuming _O2 >= _O1
- unsigned char buffer_F3[_SIZE_BUFFER_F3];
- memset(buffer_F3, 0, _O1_BYTE * _V1 * _O2);
- batch_matTr_madd(buffer_F3, Ts->t1, _V1, _V1_BYTE, _O1, buffer_F2, _O1, _O1_BYTE); // T1tr*(F1*T1 + F2) , release buffer_F2
- memset(Qs->l1_Q5, 0, _O1_BYTE * N_TRIANGLE_TERMS(_O1));
- PQCLEAN_RAINBOWICOMPRESSED_CLEAN_UpperTrianglize(Qs->l1_Q5, buffer_F3, _O1, _O1_BYTE); // UT( ... ) // Q5 , release buffer_F3
- /*
- F1_T2 = F1 * t2
- F2_T3 = F2 * t3
- F1_F1T_T2 + F2_T3 = F1_T2 + F2_T3 + F1tr * t2
- Q_pk.l1_F3s[i] = F1_F1T_T2 + F2_T3
- Q_pk.l1_F6s[i] = T1tr* ( F1_F1T_T2 + F2_T3 ) + F2tr * t2
- Q_pk.l1_F9s[i] = UT( T2tr* ( F1_T2 + F2_T3 ) )
- */
- memset(Qs->l1_Q3, 0, _O1_BYTE * _V1 * _O2);
- memset(Qs->l1_Q6, 0, _O1_BYTE * _O1 * _O2);
- memset(Qs->l1_Q9, 0, _O1_BYTE * N_TRIANGLE_TERMS(_O2));
-
- batch_trimat_madd(Qs->l1_Q3, Fs->l1_F1, t2, _V1, _V1_BYTE, _O2, _O1_BYTE); // F1*T2
- batch_mat_madd(Qs->l1_Q3, Fs->l1_F2, _V1, Ts->t3, _O1, _O1_BYTE, _O2, _O1_BYTE); // F1_T2 + F
- memset(buffer_F3, 0, _O1_BYTE * _V1 * _O2);
- batch_matTr_madd(buffer_F3, t2, _V1, _V1_BYTE, _O2, Qs->l1_Q3, _O2, _O1_BYTE); // T2tr * ( F1_T2 + F2_T3 )
- PQCLEAN_RAINBOWICOMPRESSED_CLEAN_UpperTrianglize(Qs->l1_Q9, buffer_F3, _O2, _O1_BYTE); // Q9 , release buffe
- batch_trimatTr_madd(Qs->l1_Q3, Fs->l1_F1, t2, _V1, _V1_BYTE, _O2, _O1_BYTE); // F1_F1T_T2 + F2_T3 /
- batch_bmatTr_madd(Qs->l1_Q6, Fs->l1_F2, _O1, t2, _V1, _V1_BYTE, _O2, _O1_BYTE); // F2tr*T2
- batch_matTr_madd(Qs->l1_Q6, Ts->t1, _V1, _V1_BYTE, _O1, Qs->l1_Q3, _O2, _O1_BYTE); // Q6
- /*
- Layer 2
- Computing
- F1_T2 = F1 * t2
- F2_T3 = F2 * t3
- Q9 = UT( T2tr*( F1*T2 + F2*T3 + F3 ) + T3tr*( F5*T3 + F6 ) )
- */
- memcpy(buffer_F3, Fs->l2_F3, _O2_BYTE * _V1 * _O2);
- batch_trimat_madd(buffer_F3, Fs->l2_F1, t2, _V1, _V1_BYTE, _O2, _O2_BYTE); // F1*T2 + F3
- batch_mat_madd(buffer_F3, Fs->l2_F2, _V1, Ts->t3, _O1, _O1_BYTE, _O2, _O2_BYTE); // F1_T2 + F2_T3
- memset(buffer_F2, 0, _O2_BYTE * _V1 * _O2);
- batch_matTr_madd(buffer_F2, t2, _V1, _V1_BYTE, _O2, buffer_F3, _O2, _O2_BYTE); // T2tr * ( ..... ) , release buffe
- memcpy(buffer_F3, Fs->l2_F6, _O2_BYTE * _O1 * _O2);
- batch_trimat_madd(buffer_F3, Fs->l2_F5, Ts->t3, _O1, _O1_BYTE, _O2, _O2_BYTE); // F5*T3 + F6
- batch_matTr_madd(buffer_F2, Ts->t3, _O1, _O1_BYTE, _O2, buffer_F3, _O2, _O2_BYTE); // T2tr*( ..... ) + T3tr*( ..... )
- memset(Qs->l2_Q9, 0, _O2_BYTE * N_TRIANGLE_TERMS(_O2));
- PQCLEAN_RAINBOWICOMPRESSED_CLEAN_UpperTrianglize(Qs->l2_Q9, buffer_F2, _O2, _O2_BYTE); // Q9
- memset(buffer_F2, 0, _SIZE_BUFFER_F2);
- memset(buffer_F3, 0, _SIZE_BUFFER_F3);
-}
-
-// Choosing implementations depends on the macros: _BLAS_SSE_ and _BLAS_AVX2_
-#define calculate_F_from_Q_impl calculate_F_from_Q_ref
-#define calculate_Q_from_F_cyclic_impl calculate_Q_from_F_cyclic_ref
-
-void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_calculate_F_from_Q(sk_t *Fs, const sk_t *Qs, sk_t *Ts) {
- calculate_F_from_Q_impl(Fs, Qs, Ts);
-}
-
-void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_calculate_Q_from_F_cyclic(cpk_t *Qs, const sk_t *Fs, const sk_t *Ts) {
- calculate_Q_from_F_cyclic_impl(Qs, Fs, Ts);
-}
diff --git a/crypto_sign/rainbowI-compressed/clean/rainbow_keypair_computation.h b/crypto_sign/rainbowI-compressed/clean/rainbow_keypair_computation.h
deleted file mode 100644
index 3b20bc59..00000000
--- a/crypto_sign/rainbowI-compressed/clean/rainbow_keypair_computation.h
+++ /dev/null
@@ -1,71 +0,0 @@
-#ifndef _RAINBOW_KEYPAIR_COMP_H_
-#define _RAINBOW_KEYPAIR_COMP_H_
-/// @file rainbow_keypair_computation.h
-/// @brief Functions for calculating pk/sk while generating keys.
-///
-/// Defining an internal structure of public key.
-/// Functions for calculating pk/sk for key generation.
-///
-
-#include "rainbow_keypair.h"
-
-/// @brief The (internal use) public key for rainbow
-///
-/// The (internal use) public key for rainbow. The public
-/// polynomials are divided into l1_Q1, l1_Q2, ... l1_Q9,
-/// l2_Q1, .... , l2_Q9.
-///
-typedef struct rainbow_extend_publickey {
- unsigned char l1_Q1[_O1_BYTE * N_TRIANGLE_TERMS(_V1)];
- unsigned char l1_Q2[_O1_BYTE * _V1 * _O1];
- unsigned char l1_Q3[_O1_BYTE * _V1 * _O2];
- unsigned char l1_Q5[_O1_BYTE * N_TRIANGLE_TERMS(_O1)];
- unsigned char l1_Q6[_O1_BYTE * _O1 * _O2];
- unsigned char l1_Q9[_O1_BYTE * N_TRIANGLE_TERMS(_O2)];
-
- unsigned char l2_Q1[_O2_BYTE * N_TRIANGLE_TERMS(_V1)];
- unsigned char l2_Q2[_O2_BYTE * _V1 * _O1];
- unsigned char l2_Q3[_O2_BYTE * _V1 * _O2];
- unsigned char l2_Q5[_O2_BYTE * N_TRIANGLE_TERMS(_O1)];
- unsigned char l2_Q6[_O2_BYTE * _O1 * _O2];
- unsigned char l2_Q9[_O2_BYTE * N_TRIANGLE_TERMS(_O2)];
-} ext_cpk_t;
-
-///
-/// @brief converting formats of public keys : from ext_cpk_t version to pk_t
-///
-/// @param[out] pk - the classic public key.
-/// @param[in] cpk - the internel public key.
-///
-void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_extcpk_to_pk(pk_t *pk, const ext_cpk_t *cpk);
-/////////////////////////////////////////////////
-
-///
-/// @brief Computing public key from secret key
-///
-/// @param[out] Qs - the public key
-/// @param[in] Fs - parts of the secret key: l1_F1, l1_F2, l2_F1, l2_F2, l2_F3, l2_F5, l2_F6
-/// @param[in] Ts - parts of the secret key: T1, T4, T3
-///
-void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_calculate_Q_from_F(ext_cpk_t *Qs, const sk_t *Fs, const sk_t *Ts);
-
-
-///
-/// @brief Computing parts of the sk from parts of pk and sk
-///
-/// @param[out] Fs - parts of the sk: l1_F1, l1_F2, l2_F1, l2_F2, l2_F3, l2_F5, l2_F6
-/// @param[in] Qs - parts of the pk: l1_Q1, l1_Q2, l2_Q1, l2_Q2, l2_Q3, l2_Q5, l2_Q6
-/// @param[in] Ts - parts of the sk: T1, T4, T3
-///
-void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_calculate_F_from_Q(sk_t *Fs, const sk_t *Qs, sk_t *Ts);
-
-///
-/// @brief Computing parts of the pk from the secret key
-///
-/// @param[out] Qs - parts of the pk: l1_Q3, l1_Q5, l2_Q6, l1_Q9, l2_Q9
-/// @param[in] Fs - parts of the sk: l1_F1, l1_F2, l2_F1, l2_F2, l2_F3, l2_F5, l2_F6
-/// @param[in] Ts - parts of the sk: T1, T4, T3
-///
-void PQCLEAN_RAINBOWICOMPRESSED_CLEAN_calculate_Q_from_F_cyclic(cpk_t *Qs, const sk_t *Fs, const sk_t *Ts);
-
-#endif // _RAINBOW_KEYPAIR_COMP_H_
diff --git a/crypto_sign/rainbowI-compressed/clean/sign.c b/crypto_sign/rainbowI-compressed/clean/sign.c
deleted file mode 100644
index 6bdb9461..00000000
--- a/crypto_sign/rainbowI-compressed/clean/sign.c
+++ /dev/null
@@ -1,76 +0,0 @@
-/// @file sign.c
-/// @brief the implementations for functions in api.h
-///
-///
-
-#include "api.h"
-#include "rainbow.h"
-#include "rainbow_config.h"
-#include "rainbow_keypair.h"
-#include "randombytes.h"
-#include "utils_hash.h"
-#include 
-#include 
-
-int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_crypto_sign_keypair(unsigned char *pk, unsigned char *sk) {
- unsigned char sk_seed[LEN_SKSEED] = {0};
- randombytes(sk_seed, LEN_SKSEED);
-
- unsigned char pk_seed[LEN_PKSEED] = {0};
- randombytes(pk_seed, LEN_PKSEED);
- PQCLEAN_RAINBOWICOMPRESSED_CLEAN_generate_compact_keypair_cyclic((cpk_t *)pk, (csk_t *)sk, pk_seed, sk_seed);
- return 0;
-}
-
-int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_crypto_sign(unsigned char *sm, size_t *smlen, const unsigned char *m, size_t mlen, const unsigned char *sk) {
- unsigned char digest[_HASH_LEN];
-
- PQCLEAN_RAINBOWICOMPRESSED_CLEAN_hash_msg(digest, _HASH_LEN, m, mlen);
-
- memcpy(sm, m, mlen);
- smlen[0] = mlen + _SIGNATURE_BYTE;
-
- return PQCLEAN_RAINBOWICOMPRESSED_CLEAN_rainbow_sign_cyclic(sm + mlen, (const csk_t *)sk, digest);
-}
-
-int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_crypto_sign_open(unsigned char *m, size_t *mlen, const unsigned char *sm, size_t smlen, const unsigned char *pk) {
- int rc;
- if (_SIGNATURE_BYTE > smlen) {
- rc = -1;
- } else {
- *mlen = smlen - _SIGNATURE_BYTE;
-
- unsigned char digest[_HASH_LEN];
- PQCLEAN_RAINBOWICOMPRESSED_CLEAN_hash_msg(digest, _HASH_LEN, sm, *mlen);
-
- rc = PQCLEAN_RAINBOWICOMPRESSED_CLEAN_rainbow_verify_cyclic(digest, sm + mlen[0], (const cpk_t *)pk);
- }
- if (!rc) {
- memmove(m, sm, smlen - _SIGNATURE_BYTE);
- } else { // bad signature
- *mlen = (size_t) -1;
- memset(m, 0, smlen);
- }
- return rc;
-}
-
-int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk) {
- unsigned char digest[_HASH_LEN];
-
- PQCLEAN_RAINBOWICOMPRESSED_CLEAN_hash_msg(digest, _HASH_LEN, m, mlen);
- *siglen = _SIGNATURE_BYTE;
- return PQCLEAN_RAINBOWICOMPRESSED_CLEAN_rainbow_sign_cyclic(sig, (const csk_t *)sk, digest);
-}
-
-int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk) {
- if (siglen != _SIGNATURE_BYTE) {
- return -1;
- }
- unsigned char digest[_HASH_LEN];
- PQCLEAN_RAINBOWICOMPRESSED_CLEAN_hash_msg(digest, _HASH_LEN, m, mlen);
- return PQCLEAN_RAINBOWICOMPRESSED_CLEAN_rainbow_verify_cyclic(digest, sig, (const cpk_t *)pk);
-}
diff --git a/crypto_sign/rainbowI-compressed/clean/utils_hash.c b/crypto_sign/rainbowI-compressed/clean/utils_hash.c
deleted file mode 100644
index 22d61016..00000000
--- a/crypto_sign/rainbowI-compressed/clean/utils_hash.c
+++ /dev/null
@@ -1,50 +0,0 @@
-/// @file utils_hash.c
-/// @brief the adapter for SHA2 families.
-///
-///
-
-#include "utils_hash.h"
-#include "rainbow_config.h"
-#include "sha2.h"
-
-static inline int h(unsigned char *digest, const unsigned char *m, size_t mlen) {
- sha256(digest, m, mlen);
- return 0;
-}
-
-static inline int expand_hash(unsigned char *digest, size_t n_digest, const unsigned char *hash) {
- if (_HASH_LEN >= n_digest) {
- for (size_t i = 0; i < n_digest; i++) {
- digest[i] = hash[i];
- }
- return 0;
- }
- for (size_t i = 0; i < _HASH_LEN; i++) {
- digest[i] = hash[i];
- }
- n_digest -= _HASH_LEN;
-
- while (_HASH_LEN <= n_digest) {
- h(digest + _HASH_LEN, digest, _HASH_LEN);
-
- n_digest -= _HASH_LEN;
- digest += _HASH_LEN;
- }
- unsigned char temp[_HASH_LEN];
- if (n_digest) {
- h(temp, digest, _HASH_LEN);
- for (size_t i = 0; i < n_digest; i++) {
- digest[_HASH_LEN + i] = temp[i];
- }
- }
- return 0;
-}
-
-int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_hash_msg(unsigned char *digest,
- size_t len_digest,
- const unsigned char *m,
- size_t mlen) {
- unsigned char buf[_HASH_LEN];
- h(buf, m, mlen);
- return expand_hash(digest, len_digest, buf);
-}
diff --git a/crypto_sign/rainbowI-compressed/clean/utils_hash.h b/crypto_sign/rainbowI-compressed/clean/utils_hash.h
deleted file mode 100644
index 91916356..00000000
--- a/crypto_sign/rainbowI-compressed/clean/utils_hash.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef _UTILS_HASH_H_
-#define _UTILS_HASH_H_
-/// @file utils_hash.h
-/// @brief the interface for adapting hash functions.
-///
-
-#include 
-
-int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_hash_msg(unsigned char *digest, size_t len_digest, const unsigned char *m, size_t mlen);
-
-#endif // _UTILS_HASH_H_
diff --git a/crypto_sign/rainbowI-compressed/clean/utils_prng.c b/crypto_sign/rainbowI-compressed/clean/utils_prng.c
deleted file mode 100644
index 2c1399db..00000000
--- a/crypto_sign/rainbowI-compressed/clean/utils_prng.c
+++ /dev/null
@@ -1,97 +0,0 @@
-/// @file utils_prng.c
-/// @brief The implementation of PRNG related functions.
-///
-
-#include "utils_prng.h"
-#include "aes.h"
-#include "randombytes.h"
-#include "utils_hash.h"
-#include 
-#include 
-
-static void prng_update(const unsigned char *provided_data,
- unsigned char *Key,
- unsigned char *V) {
- unsigned char temp[48];
- aes256ctx ctx;
- aes256_ecb_keyexp(&ctx, Key);
- for (int i = 0; i < 3; i++) {
- //increment V
- for (int j = 15; j >= 0; j--) {
- if (V[j] == 0xff) {
- V[j] = 0x00;
- } else {
- V[j]++;
- break;
- }
- }
- aes256_ecb(temp + 16 * i, V, 1, &ctx);
- }
- if (provided_data != NULL) {
- for (int i = 0; i < 48; i++) {
- temp[i] ^= provided_data[i];
- }
- }
- aes256_ctx_release(&ctx);
- memcpy(Key, temp, 32);
- memcpy(V, temp + 32, 16);
-}
-static void randombytes_init_with_state(prng_t *state,
- unsigned char *entropy_input_48bytes) {
- memset(state->Key, 0x00, 32);
- memset(state->V, 0x00, 16);
- prng_update(entropy_input_48bytes, state->Key, state->V);
-}
-
-static int randombytes_with_state(prng_t *state,
- unsigned char *x,
- size_t xlen) {
-
- unsigned char block[16];
- int i = 0;
-
- aes256ctx ctx;
- aes256_ecb_keyexp(&ctx, state->Key);
-
- while (xlen > 0) {
- //increment V
- for (int j = 15; j >= 0; j--) {
- if (state->V[j] == 0xff) {
- state->V[j] = 0x00;
- } else {
- state->V[j]++;
- break;
- }
- }
- aes256_ecb(block, state->V, 1, &ctx);
- if (xlen > 15) {
- memcpy(x + i, block, 16);
- i += 16;
- xlen -= 16;
- } else {
- memcpy(x + i, block, xlen);
- xlen = 0;
- }
- }
- aes256_ctx_release(&ctx);
- prng_update(NULL, state->Key, state->V);
- return 0;
-}
-
-int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_prng_set(prng_t *ctx, const void *prng_seed, unsigned long prng_seedlen) {
- unsigned char seed[48];
- if (prng_seedlen >= 48) {
- memcpy(seed, prng_seed, 48);
- } else {
- memcpy(seed, prng_seed, prng_seedlen);
- PQCLEAN_RAINBOWICOMPRESSED_CLEAN_hash_msg(seed + prng_seedlen, 48 - (unsigned)prng_seedlen, (const unsigned char *)prng_seed, prng_seedlen);
- }
-
- randombytes_init_with_state(ctx, seed);
-
- return 0;
-}
-
-int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_prng_gen(prng_t *ctx, unsigned char *out, unsigned long outlen) {
- return randombytes_with_state(ctx, out, outlen);
-}
diff --git a/crypto_sign/rainbowI-compressed/clean/utils_prng.h b/crypto_sign/rainbowI-compressed/clean/utils_prng.h
deleted file mode 100644
index 98164c91..00000000
--- a/crypto_sign/rainbowI-compressed/clean/utils_prng.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef _UTILS_PRNG_H_
-#define _UTILS_PRNG_H_
-/// @file utils_prng.h
-/// @brief the interface for adapting PRNG functions.
-///
-///
-
-#include "randombytes.h"
-
-typedef struct {
- unsigned char Key[32];
- unsigned char V[16];
-} prng_t;
-
-int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_prng_set(prng_t *ctx, const void *prng_seed, unsigned long prng_seedlen);
-int PQCLEAN_RAINBOWICOMPRESSED_CLEAN_prng_gen(prng_t *ctx, unsigned char *out, unsigned long outlen);
-
-#endif // _UTILS_PRNG_H_
diff --git a/crypto_sign/rainbowIII-circumzenithal/META.yml b/crypto_sign/rainbowIII-circumzenithal/META.yml
deleted file mode 100644
index f6c942b9..00000000
--- a/crypto_sign/rainbowIII-circumzenithal/META.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-name: "RAINBOW(256,68,32,48) - circumzenithal"
-type: signature
-claimed-nist-level: 3
-length-public-key: 264608
-length-secret-key: 626048
-length-signature: 164
-nistkat-sha256: 1b5cbbdef12492ba8176309a44461d3d64a05b049f78edb85af1d166f4b64f32
-testvectors-sha256: de0cb0aabde2f779bffde09af2bde4b0b125cbbe9491551869e39051b94a2183
-principal-submitters:
- - Jintai Ding
-auxiliary-submitters:
- - Ming-Shing Chen
- - Matthias Kannwischer
- - Jacques Patarin
- - Albrecht Petzoldt
- - Dieter Schmidt
- - Bo-Yin Yang
-implementations:
- - name: clean
- version: https://github.com/fast-crypto-lab/rainbow-submission-round2/commit/173ada0e077e1b9dbd8e4a78994f87acc0c92263
diff --git a/crypto_sign/rainbowIII-circumzenithal/clean/LICENSE b/crypto_sign/rainbowIII-circumzenithal/clean/LICENSE
deleted file mode 100644
index cb00a6e3..00000000
--- a/crypto_sign/rainbowIII-circumzenithal/clean/LICENSE
+++ /dev/null
@@ -1,8 +0,0 @@
-`Software implementation of Rainbow for NIST R2 submission' by Ming-Shing Chen
-
-To the extent possible under law, the person who associated CC0 with
-`Software implementation of Rainbow for NIST R2 submission' has waived all copyright and related or neighboring rights
-to `Software implementation of Rainbow for NIST R2 submission'.
-
-You should have received a copy of the CC0 legalcode along with this
-work. If not, see .
diff --git a/crypto_sign/rainbowIII-circumzenithal/clean/Makefile.Microsoft_nmake b/crypto_sign/rainbowIII-circumzenithal/clean/Makefile.Microsoft_nmake
deleted file mode 100644
index 18d4fbf7..00000000
--- a/crypto_sign/rainbowIII-circumzenithal/clean/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=librainbowIII-circumzenithal_clean.lib
-OBJECTS = blas_comm.obj parallel_matrix_op.obj rainbow.obj rainbow_keypair.obj rainbow_keypair_computation.obj sign.obj utils_hash.obj utils_prng.obj blas.obj gf.obj
-
-CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_sign/rainbowIII-circumzenithal/clean/api.h b/crypto_sign/rainbowIII-circumzenithal/clean/api.h
deleted file mode 100644
index 25f21f69..00000000
--- a/crypto_sign/rainbowIII-circumzenithal/clean/api.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_API_H
-#define PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_API_H
-
-#include 
-#include 
-
-#define PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_CRYPTO_SECRETKEYBYTES 626048
-#define PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_CRYPTO_PUBLICKEYBYTES 264608
-#define PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_CRYPTO_BYTES 164
-#define PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_CRYPTO_ALGNAME "RAINBOW(256,68,32,48) - circumzenithal"
-
-int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-
-int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-
-#endif
diff --git a/crypto_sign/rainbowIII-circumzenithal/clean/blas.c b/crypto_sign/rainbowIII-circumzenithal/clean/blas.c
deleted file mode 100644
index 858bf3d1..00000000
--- a/crypto_sign/rainbowIII-circumzenithal/clean/blas.c
+++ /dev/null
@@ -1,31 +0,0 @@
-#include "blas.h"
-#include "gf.h"
-
-#include 
-
-void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_predicated_add(uint8_t *accu_b, uint8_t predicate, const uint8_t *a, size_t _num_byte) {
- uint8_t pr_u8 = (uint8_t) ((uint8_t) 0 - predicate);
- for (size_t i = 0; i < _num_byte; i++) {
- accu_b[i] ^= (a[i] & pr_u8);
- }
-}
-
-void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_add(uint8_t *accu_b, const uint8_t *a, size_t _num_byte) {
- for (size_t i = 0; i < _num_byte; i++) {
- accu_b[i] ^= a[i];
- }
-}
-
-
-void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_mul_scalar(uint8_t *a, uint8_t b, size_t _num_byte) {
- for (size_t i = 0; i < _num_byte; i++) {
- a[i] = PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256_mul(a[i], b);
- }
-}
-
-void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_madd(uint8_t *accu_c, const uint8_t *a, uint8_t gf256_b, size_t _num_byte) {
- for (size_t i = 0; i < _num_byte; i++) {
- accu_c[i] ^= PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256_mul(a[i], gf256_b);
- }
-}
-
diff --git a/crypto_sign/rainbowIII-circumzenithal/clean/blas.h b/crypto_sign/rainbowIII-circumzenithal/clean/blas.h
deleted file mode 100644
index 7e114ba2..00000000
--- a/crypto_sign/rainbowIII-circumzenithal/clean/blas.h
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef _BLAS_H_
-#define _BLAS_H_
-/// @file blas.h
-/// @brief Functions for implementing basic linear algebra functions.
-///
-
-#include "rainbow_config.h"
-#include 
-#include 
-
-void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_predicated_add(uint8_t *accu_b, uint8_t predicate, const uint8_t *a, size_t _num_byte);
-void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_add(uint8_t *accu_b, const uint8_t *a, size_t _num_byte);
-
-
-void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_mul_scalar(uint8_t *a, uint8_t b, size_t _num_byte);
-void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_madd(uint8_t *accu_c, const uint8_t *a, uint8_t gf256_b, size_t _num_byte);
-
-
-#endif // _BLAS_H_
diff --git a/crypto_sign/rainbowIII-circumzenithal/clean/blas_comm.c b/crypto_sign/rainbowIII-circumzenithal/clean/blas_comm.c
deleted file mode 100644
index e63dc760..00000000
--- a/crypto_sign/rainbowIII-circumzenithal/clean/blas_comm.c
+++ /dev/null
@@ -1,144 +0,0 @@ -/// @file blas_comm.c -/// @brief The standard implementations for blas_comm.h -/// - -#include "blas_comm.h" -#include "blas.h" -#include "gf.h" -#include "rainbow_config.h" - -#include -#include - -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_set_zero(uint8_t *b, unsigned int _num_byte) { - for (size_t i = 0; i < _num_byte; i++) { - b[i] = 0; - } -} -/// @brief get an element from GF(256) vector . -/// -/// @param[in] a - the input vector a. -/// @param[in] i - the index in the vector a. -/// @return the value of the element. -/// -uint8_t PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_get_ele(const uint8_t *a, unsigned int i) { - return a[i]; -} - -unsigned int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_is_zero(const uint8_t *a, unsigned int _num_byte) { - uint8_t r = 0; - while (_num_byte--) { - r |= a[0]; - a++; - } - return (0 == r); -} - -/// polynomial multplication -/// School boook -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_polymul(uint8_t *c, const uint8_t *a, const uint8_t *b, unsigned int _num) { - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_set_zero(c, _num * 2 - 1); - for (unsigned int i = 0; i < _num; i++) { - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_madd(c + i, a, b[i], _num); - } -} - -static void gf256mat_prod_ref(uint8_t *c, const uint8_t *matA, unsigned int n_A_vec_byte, unsigned int n_A_width, const uint8_t *b) { - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_set_zero(c, n_A_vec_byte); - for (unsigned int i = 0; i < n_A_width; i++) { - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_madd(c, matA, b[i], n_A_vec_byte); - matA += n_A_vec_byte; - } -} - -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256mat_mul(uint8_t *c, const uint8_t *a, const uint8_t *b, unsigned int len_vec) { - unsigned int n_vec_byte = len_vec; - for (unsigned int k = 0; k < len_vec; k++) { - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_set_zero(c, n_vec_byte); - const uint8_t *bk = b + n_vec_byte * k; - for (unsigned int i = 0; i < 
len_vec; i++) { - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_madd(c, a + n_vec_byte * i, bk[i], n_vec_byte); - } - c += n_vec_byte; - } -} - -static unsigned int gf256mat_gauss_elim_ref(uint8_t *mat, unsigned int h, unsigned int w) { - unsigned int r8 = 1; - - for (unsigned int i = 0; i < h; i++) { - uint8_t *ai = mat + w * i; - unsigned int skip_len_align4 = i & ((unsigned int)~0x3); - - for (unsigned int j = i + 1; j < h; j++) { - uint8_t *aj = mat + w * j; - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_predicated_add(ai + skip_len_align4, 1 ^ PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256_is_nonzero(ai[i]), aj + skip_len_align4, w - skip_len_align4); - } - r8 &= PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256_is_nonzero(ai[i]); - uint8_t pivot = ai[i]; - pivot = PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256_inv(pivot); - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_mul_scalar(ai + skip_len_align4, pivot, w - skip_len_align4); - for (unsigned int j = 0; j < h; j++) { - if (i == j) { - continue; - } - uint8_t *aj = mat + w * j; - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_madd(aj + skip_len_align4, ai + skip_len_align4, aj[i], w - skip_len_align4); - } - } - - return r8; -} - -static unsigned int gf256mat_solve_linear_eq_ref(uint8_t *sol, const uint8_t *inp_mat, const uint8_t *c_terms, unsigned int n) { - uint8_t mat[64 * 64]; - for (unsigned int i = 0; i < n; i++) { - memcpy(mat + i * (n + 1), inp_mat + i * n, n); - mat[i * (n + 1) + n] = c_terms[i]; - } - unsigned int r8 = PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256mat_gauss_elim(mat, n, n + 1); - for (unsigned int i = 0; i < n; i++) { - sol[i] = mat[i * (n + 1) + n]; - } - return r8; -} - -static inline void gf256mat_submat(uint8_t *mat2, unsigned int w2, unsigned int st, const uint8_t *mat, unsigned int w, unsigned int h) { - for (unsigned int i = 0; i < h; i++) { - for (unsigned int j = 0; j < w2; j++) { - mat2[i * w2 + j] = mat[i * w + st + j]; - } - } -} - -unsigned int 
PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256mat_inv(uint8_t *inv_a, const uint8_t *a, unsigned int H, uint8_t *buffer) { - uint8_t *aa = buffer; - for (unsigned int i = 0; i < H; i++) { - uint8_t *ai = aa + i * 2 * H; - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_set_zero(ai, 2 * H); - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_add(ai, a + i * H, H); - ai[H + i] = 1; - } - unsigned int r8 = PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256mat_gauss_elim(aa, H, 2 * H); - gf256mat_submat(inv_a, H, H, aa, 2 * H, H); - return r8; -} - - -// choosing the implementations depends on the macros _BLAS_AVX2_ and _BLAS_SSE - -#define gf256mat_prod_impl gf256mat_prod_ref -#define gf256mat_gauss_elim_impl gf256mat_gauss_elim_ref -#define gf256mat_solve_linear_eq_impl gf256mat_solve_linear_eq_ref -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256mat_prod(uint8_t *c, const uint8_t *matA, unsigned int n_A_vec_byte, unsigned int n_A_width, const uint8_t *b) { - gf256mat_prod_impl(c, matA, n_A_vec_byte, n_A_width, b); -} - -unsigned int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256mat_gauss_elim(uint8_t *mat, unsigned int h, unsigned int w) { - return gf256mat_gauss_elim_impl(mat, h, w); -} - -unsigned int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256mat_solve_linear_eq(uint8_t *sol, const uint8_t *inp_mat, const uint8_t *c_terms, unsigned int n) { - return gf256mat_solve_linear_eq_impl(sol, inp_mat, c_terms, n); -} - diff --git a/crypto_sign/rainbowIII-circumzenithal/clean/blas_comm.h b/crypto_sign/rainbowIII-circumzenithal/clean/blas_comm.h deleted file mode 100644 index 3130149d..00000000 --- a/crypto_sign/rainbowIII-circumzenithal/clean/blas_comm.h +++ /dev/null 
@@ -1,90 +0,0 @@ -#ifndef _BLAS_COMM_H_ -#define _BLAS_COMM_H_ -/// @file blas_comm.h -/// @brief Common functions for linear algebra. -/// - -#include "rainbow_config.h" -#include - -/// @brief set a vector to 0. -/// -/// @param[in,out] b - the vector b. -/// @param[in] _num_byte - number of bytes for the vector b. -/// -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_set_zero(uint8_t *b, unsigned int _num_byte); - -/// @brief get an element from GF(256) vector . -/// -/// @param[in] a - the input vector a. -/// @param[in] i - the index in the vector a. -/// @return the value of the element. -/// -uint8_t PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_get_ele(const uint8_t *a, unsigned int i); - -/// @brief check if a vector is 0. -/// -/// @param[in] a - the vector a. -/// @param[in] _num_byte - number of bytes for the vector a. -/// @return 1(true) if a is 0. 0(false) else. -/// -unsigned int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_is_zero(const uint8_t *a, unsigned int _num_byte); - -/// @brief polynomial multiplication: c = a*b -/// -/// @param[out] c - the output polynomial c -/// @param[in] a - the vector a. -/// @param[in] b - the vector b. -/// @param[in] _num - number of elements for the polynomials a and b. -/// -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_polymul(uint8_t *c, const uint8_t *a, const uint8_t *b, unsigned int _num); - -/// @brief matrix-vector multiplication: c = matA * b , in GF(256) -/// -/// @param[out] c - the output vector c -/// @param[in] matA - a column-major matrix A. -/// @param[in] n_A_vec_byte - the size of column vectors in bytes. -/// @param[in] n_A_width - the width of matrix A. -/// @param[in] b - the vector b. 
-/// -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256mat_prod(uint8_t *c, const uint8_t *matA, unsigned int n_A_vec_byte, unsigned int n_A_width, const uint8_t *b); - -/// @brief matrix-matrix multiplication: c = a * b , in GF(256) -/// -/// @param[out] c - the output matrix c -/// @param[in] c - a matrix a. -/// @param[in] b - a matrix b. -/// @param[in] len_vec - the length of column vectors. -/// -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256mat_mul(uint8_t *c, const uint8_t *a, const uint8_t *b, unsigned int len_vec); - -/// @brief Gauss elimination for a matrix, in GF(256) -/// -/// @param[in,out] mat - the matrix. -/// @param[in] h - the height of the matrix. -/// @param[in] w - the width of the matrix. -/// @return 1(true) if success. 0(false) if the matrix is singular. -/// -unsigned int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256mat_gauss_elim(uint8_t *mat, unsigned int h, unsigned int w); - -/// @brief Solving linear equations, in GF(256) -/// -/// @param[out] sol - the solutions. -/// @param[in] inp_mat - the matrix parts of input equations. -/// @param[in] c_terms - the constant terms of the input equations. -/// @param[in] n - the number of equations. -/// @return 1(true) if success. 0(false) if the matrix is singular. -/// -unsigned int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256mat_solve_linear_eq(uint8_t *sol, const uint8_t *inp_mat, const uint8_t *c_terms, unsigned int n); - -/// @brief Computing the inverse matrix, in GF(256) -/// -/// @param[out] inv_a - the output of matrix a. -/// @param[in] a - a matrix a. -/// @param[in] H - height of matrix a, i.e., matrix a is an HxH matrix. -/// @param[in] buffer - The buffer for computations. it has to be as large as 2 input matrixes. -/// @return 1(true) if success. 0(false) if the matrix is singular. -/// -unsigned int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256mat_inv(uint8_t *inv_a, const uint8_t *a, unsigned int H, uint8_t *buffer); - -#endif // _BLAS_COMM_H_ 
diff --git a/crypto_sign/rainbowIII-circumzenithal/clean/gf.c b/crypto_sign/rainbowIII-circumzenithal/clean/gf.c deleted file mode 100644 index b93c9a4b..00000000 --- a/crypto_sign/rainbowIII-circumzenithal/clean/gf.c +++ /dev/null 
@@ -1,91 +0,0 @@ -#include "gf.h" - -//// gf4 := gf2[x]/x^2+x+1 -static inline uint8_t gf4_mul_2(uint8_t a) { - uint8_t r = (uint8_t)(a << 1); - r ^= (uint8_t)((a >> 1) * 7); - return r; -} - -static inline uint8_t gf4_mul(uint8_t a, uint8_t b) { - uint8_t r = (uint8_t)(a * (b & 1)); - return r ^ (uint8_t)(gf4_mul_2(a) * (b >> 1)); -} - -static inline uint8_t gf4_squ(uint8_t a) { - return a ^ (a >> 1); -} - -//// gf16 := gf4[y]/y^2+y+x -uint8_t PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf16_mul(uint8_t a, uint8_t b) { - uint8_t a0 = a & 3; - uint8_t a1 = (a >> 2); - uint8_t b0 = b & 3; - uint8_t b1 = (b >> 2); - uint8_t a0b0 = gf4_mul(a0, b0); - uint8_t a1b1 = gf4_mul(a1, b1); - uint8_t a0b1_a1b0 = gf4_mul(a0 ^ a1, b0 ^ b1) ^ a0b0 ^ a1b1; - uint8_t a1b1_x2 = gf4_mul_2(a1b1); - return (uint8_t)((a0b1_a1b0 ^ a1b1) << 2 ^ a0b0 ^ a1b1_x2); -} - -static inline uint8_t gf16_squ(uint8_t a) { - uint8_t a0 = a & 3; - uint8_t a1 = (a >> 2); - a1 = gf4_squ(a1); - uint8_t a1squ_x2 = gf4_mul_2(a1); - return (uint8_t)((a1 << 2) ^ a1squ_x2 ^ gf4_squ(a0)); -} - -uint8_t PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256_is_nonzero(uint8_t a) { - unsigned int a8 = a; - unsigned int r = ((unsigned int)0) - a8; - r >>= 8; - return r & 1; -} - -static inline uint8_t gf4_mul_3(uint8_t a) { - uint8_t msk = (uint8_t)((a - 2) >> 1); - return (uint8_t)((msk & ((int)a * 3)) | ((~msk) & ((int)a - 1))); -} -static inline uint8_t gf16_mul_8(uint8_t a) { - uint8_t a0 = a & 3; - uint8_t a1 = a >> 2; - return (uint8_t)((gf4_mul_2(a0 ^ a1) << 2) | gf4_mul_3(a1)); -} - -// gf256 := gf16[X]/X^2+X+xy -uint8_t PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256_mul(uint8_t a, uint8_t b) { - uint8_t a0 = a & 15; - uint8_t a1 = (a >> 4); - uint8_t b0 = b & 15; - uint8_t b1 = (b >> 4); - uint8_t a0b0 = PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf16_mul(a0, b0); - uint8_t a1b1 = PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf16_mul(a1, b1); - uint8_t a0b1_a1b0 = PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf16_mul(a0 ^ a1, b0 ^ b1) ^ 
a0b0 ^ a1b1; - uint8_t a1b1_x8 = gf16_mul_8(a1b1); - return (uint8_t)((a0b1_a1b0 ^ a1b1) << 4 ^ a0b0 ^ a1b1_x8); -} - -static inline uint8_t gf256_squ(uint8_t a) { - uint8_t a0 = a & 15; - uint8_t a1 = (a >> 4); - a1 = gf16_squ(a1); - uint8_t a1squ_x8 = gf16_mul_8(a1); - return (uint8_t)((a1 << 4) ^ a1squ_x8 ^ gf16_squ(a0)); -} - -uint8_t PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256_inv(uint8_t a) { - // 128+64+32+16+8+4+2 = 254 - uint8_t a2 = gf256_squ(a); - uint8_t a4 = gf256_squ(a2); - uint8_t a8 = gf256_squ(a4); - uint8_t a4_2 = PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256_mul(a4, a2); - uint8_t a8_4_2 = PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256_mul(a4_2, a8); - uint8_t a64_ = gf256_squ(a8_4_2); - a64_ = gf256_squ(a64_); - a64_ = gf256_squ(a64_); - uint8_t a64_2 = PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256_mul(a64_, a8_4_2); - uint8_t a128_ = gf256_squ(a64_2); - return PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256_mul(a2, a128_); -} diff --git a/crypto_sign/rainbowIII-circumzenithal/clean/gf.h b/crypto_sign/rainbowIII-circumzenithal/clean/gf.h deleted file mode 100644 index 75e80cc7..00000000 --- a/crypto_sign/rainbowIII-circumzenithal/clean/gf.h +++ /dev/null @@ -1,19 +0,0 @@ -#ifndef _GF16_H_ -#define _GF16_H_ - -#include "rainbow_config.h" -#include - -/// @file gf16.h -/// @brief Library for arithmetics in GF(16) and GF(256) -/// - -uint8_t PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf16_mul(uint8_t a, uint8_t b); - - -uint8_t PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256_is_nonzero(uint8_t a); -uint8_t PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256_inv(uint8_t a); -uint8_t PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256_mul(uint8_t a, uint8_t b); - - -#endif // _GF16_H_ diff --git a/crypto_sign/rainbowIII-circumzenithal/clean/parallel_matrix_op.c b/crypto_sign/rainbowIII-circumzenithal/clean/parallel_matrix_op.c deleted file mode 100644 index 50298156..00000000 --- a/crypto_sign/rainbowIII-circumzenithal/clean/parallel_matrix_op.c +++ /dev/null 
@@ -1,183 +0,0 @@ -/// @file parallel_matrix_op.c -/// @brief the standard implementations for functions in parallel_matrix_op.h -/// -/// the standard implementations for functions in parallel_matrix_op.h -/// - -#include "parallel_matrix_op.h" -#include "blas.h" -#include "blas_comm.h" - -/// -/// @brief Calculate the corresponding index in an array for an upper-triangle(UT) matrix. -/// -/// @param[in] i_row - the i-th row in an upper-triangle matrix. -/// @param[in] j_col - the j-th column in an upper-triangle matrix. -/// @param[in] dim - the dimension of the upper-triangle matrix, i.e., an dim x dim matrix. -/// @return the corresponding index in an array storage. -/// -unsigned int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_idx_of_trimat(unsigned int i_row, unsigned int j_col, unsigned int dim) { - return (dim + dim - i_row + 1) * i_row / 2 + j_col - i_row; -} - -/// -/// @brief Calculate the corresponding index in an array for an upper-triangle or lower-triangle matrix. -/// -/// @param[in] i_row - the i-th row in a triangle matrix. -/// @param[in] j_col - the j-th column in a triangle matrix. -/// @param[in] dim - the dimension of the triangle matrix, i.e., an dim x dim matrix. -/// @return the corresponding index in an array storage. 
-/// -static inline unsigned int idx_of_2trimat(unsigned int i_row, unsigned int j_col, unsigned int n_var) { - if (i_row > j_col) { - return PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_idx_of_trimat(j_col, i_row, n_var); - } - return PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_idx_of_trimat(i_row, j_col, n_var); -} - -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_UpperTrianglize(unsigned char *btriC, const unsigned char *bA, unsigned int Awidth, unsigned int size_batch) { - unsigned char *runningC = btriC; - unsigned int Aheight = Awidth; - for (unsigned int i = 0; i < Aheight; i++) { - for (unsigned int j = 0; j < i; j++) { - unsigned int idx = PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_idx_of_trimat(j, i, Aheight); - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_add(btriC + idx * size_batch, bA + size_batch * (i * Awidth + j), size_batch); - } - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_add(runningC, bA + size_batch * (i * Awidth + i), size_batch * (Aheight - i)); - runningC += size_batch * (Aheight - i); - } -} - -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_trimat_madd_gf256(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch) { - unsigned int Awidth = Bheight; - unsigned int Aheight = Awidth; - for (unsigned int i = 0; i < Aheight; i++) { - for (unsigned int j = 0; j < Bwidth; j++) { - for (unsigned int k = 0; k < Bheight; k++) { - if (k < i) { - continue; - } - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_madd(bC, &btriA[(k - i) * size_batch], PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_get_ele(&B[j * size_Bcolvec], k), size_batch); - } - bC += size_batch; - } - btriA += (Aheight - i) * size_batch; - } -} - -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_trimatTr_madd_gf256(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch) { - 
unsigned int Aheight = Bheight; - for (unsigned int i = 0; i < Aheight; i++) { - for (unsigned int j = 0; j < Bwidth; j++) { - for (unsigned int k = 0; k < Bheight; k++) { - if (i < k) { - continue; - } - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_madd(bC, &btriA[size_batch * (PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_idx_of_trimat(k, i, Aheight))], PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_get_ele(&B[j * size_Bcolvec], k), size_batch); - } - bC += size_batch; - } - } -} - -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_2trimat_madd_gf256(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch) { - unsigned int Aheight = Bheight; - for (unsigned int i = 0; i < Aheight; i++) { - for (unsigned int j = 0; j < Bwidth; j++) { - for (unsigned int k = 0; k < Bheight; k++) { - if (i == k) { - continue; - } - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_madd(bC, &btriA[size_batch * (idx_of_2trimat(i, k, Aheight))], PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_get_ele(&B[j * size_Bcolvec], k), size_batch); - } - bC += size_batch; - } - } -} - -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_matTr_madd_gf256(unsigned char *bC, const unsigned char *A_to_tr, unsigned int Aheight, unsigned int size_Acolvec, unsigned int Awidth, - const unsigned char *bB, unsigned int Bwidth, unsigned int size_batch) { - unsigned int Atr_height = Awidth; - unsigned int Atr_width = Aheight; - for (unsigned int i = 0; i < Atr_height; i++) { - for (unsigned int j = 0; j < Atr_width; j++) { - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_madd(bC, &bB[j * Bwidth * size_batch], PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_get_ele(&A_to_tr[size_Acolvec * i], j), size_batch * Bwidth); - } - bC += size_batch * Bwidth; - } -} - -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_bmatTr_madd_gf256(unsigned char *bC, const unsigned char *bA_to_tr, unsigned int Awidth_before_tr, - const 
unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch) { - const unsigned char *bA = bA_to_tr; - unsigned int Aheight = Awidth_before_tr; - for (unsigned int i = 0; i < Aheight; i++) { - for (unsigned int j = 0; j < Bwidth; j++) { - for (unsigned int k = 0; k < Bheight; k++) { - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_madd(bC, &bA[size_batch * (i + k * Aheight)], PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_get_ele(&B[j * size_Bcolvec], k), size_batch); - } - bC += size_batch; - } - } -} - -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_mat_madd_gf256(unsigned char *bC, const unsigned char *bA, unsigned int Aheight, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch) { - unsigned int Awidth = Bheight; - for (unsigned int i = 0; i < Aheight; i++) { - for (unsigned int j = 0; j < Bwidth; j++) { - for (unsigned int k = 0; k < Bheight; k++) { - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_madd(bC, &bA[k * size_batch], PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_get_ele(&B[j * size_Bcolvec], k), size_batch); - } - bC += size_batch; - } - bA += (Awidth) * size_batch; - } -} - -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_quad_trimat_eval_gf256(unsigned char *y, const unsigned char *trimat, const unsigned char *x, unsigned int dim, unsigned int size_batch) { - unsigned char tmp[256]; - - unsigned char _x[256]; - for (unsigned int i = 0; i < dim; i++) { - _x[i] = PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_get_ele(x, i); - } - - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_set_zero(y, size_batch); - for (unsigned int i = 0; i < dim; i++) { - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_set_zero(tmp, size_batch); - for (unsigned int j = i; j < dim; j++) { - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_madd(tmp, trimat, _x[j], size_batch); - trimat += size_batch; - } - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_madd(y, tmp, 
_x[i], size_batch); - } -} - -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_quad_recmat_eval_gf256(unsigned char *z, const unsigned char *y, unsigned int dim_y, const unsigned char *mat, - const unsigned char *x, unsigned dim_x, unsigned size_batch) { - unsigned char tmp[128]; - - unsigned char _x[128]; - for (unsigned int i = 0; i < dim_x; i++) { - _x[i] = PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_get_ele(x, i); - } - unsigned char _y[128]; - for (unsigned int i = 0; i < dim_y; i++) { - _y[i] = PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_get_ele(y, i); - } - - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_set_zero(z, size_batch); - for (unsigned int i = 0; i < dim_y; i++) { - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_set_zero(tmp, size_batch); - for (unsigned int j = 0; j < dim_x; j++) { - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_madd(tmp, mat, _x[j], size_batch); - mat += size_batch; - } - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_madd(z, tmp, _y[i], size_batch); - } -} - diff --git a/crypto_sign/rainbowIII-circumzenithal/clean/parallel_matrix_op.h b/crypto_sign/rainbowIII-circumzenithal/clean/parallel_matrix_op.h deleted file mode 100644 index 9d576710..00000000 --- a/crypto_sign/rainbowIII-circumzenithal/clean/parallel_matrix_op.h +++ /dev/null 
@@ -1,260 +0,0 @@ -#ifndef _P_MATRIX_OP_H_ -#define _P_MATRIX_OP_H_ -/// @file parallel_matrix_op.h -/// @brief Librarys for operations of batched matrixes. -/// -/// - -//////////////// Section: triangle matrix <-> rectangle matrix /////////////////////////////////// - -/// -/// @brief Calculate the corresponding index in an array for an upper-triangle(UT) matrix. -/// -/// @param[in] i_row - the i-th row in an upper-triangle matrix. -/// @param[in] j_col - the j-th column in an upper-triangle matrix. -/// @param[in] dim - the dimension of the upper-triangle matrix, i.e., an dim x dim matrix. -/// @return the corresponding index in an array storage. -/// -unsigned int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_idx_of_trimat(unsigned int i_row, unsigned int j_col, unsigned int dim); - -/// -/// @brief Upper trianglize a rectangle matrix to the corresponding upper-trangle matrix. -/// -/// @param[out] btriC - the batched upper-trianglized matrix C. -/// @param[in] bA - a batched retangle matrix A. -/// @param[in] bwidth - the width of the batched matrix A, i.e., A is a Awidth x Awidth matrix. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_UpperTrianglize(unsigned char *btriC, const unsigned char *bA, unsigned int Awidth, unsigned int size_batch); - -//////////////////// Section: matrix multiplications /////////////////////////////// - -/// -/// @brief bC += btriA * B , in GF(16) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] btriA - a batched UT matrix A. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. 
-/// -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_trimat_madd_gf16(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += btriA * B , in GF(256) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] btriA - a batched UT matrix A. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_trimat_madd_gf256(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += btriA^Tr * B , in GF(16) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] btriA - a batched UT matrix A. A will be transposed while multiplying. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_trimatTr_madd_gf16(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += btriA^Tr * B , in GF(256) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] btriA - a batched UT matrix A, which will be transposed while multiplying. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. 
-/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_trimatTr_madd_gf256(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += (btriA + btriA^Tr) *B , in GF(16) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] btriA - a batched UT matrix A. The operand for multiplication is (btriA + btriA^Tr). -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_2trimat_madd_gf16(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += (btriA + btriA^Tr) *B , in GF(256) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] btriA - a batched UT matrix A. The operand for multiplication is (btriA + btriA^Tr). -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. 
-/// -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_2trimat_madd_gf256(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += A^Tr * bB , in GF(16) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] A_to_tr - a column-major matrix A. The operand for multiplication is A^Tr. -/// @param[in] Aheight - the height of A. -/// @param[in] size_Acolvec - the size of a column vector in A. -/// @param[in] Awidth - the width of A. -/// @param[in] bB - a batched matrix B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_matTr_madd_gf16(unsigned char *bC, - const unsigned char *A_to_tr, unsigned int Aheight, unsigned int size_Acolvec, unsigned int Awidth, - const unsigned char *bB, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += A^Tr * bB , in GF(256) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] A_to_tr - a column-major matrix A. The operand for multiplication is A^Tr. -/// @param[in] Aheight - the height of A. -/// @param[in] size_Acolvec - the size of a column vector in A. -/// @param[in] Awidth - the width of A. -/// @param[in] bB - a batched matrix B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_matTr_madd_gf256(unsigned char *bC, - const unsigned char *A_to_tr, unsigned int Aheight, unsigned int size_Acolvec, unsigned int Awidth, - const unsigned char *bB, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += bA^Tr * B , in GF(16) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] bA_to_tr - a batched matrix A. 
The operand for multiplication is (bA^Tr). -/// @param[in] Awidth_befor_tr - the width of A. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_bmatTr_madd_gf16(unsigned char *bC, const unsigned char *bA_to_tr, unsigned int Awidth_before_tr, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += bA^Tr * B , in GF(256) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] bA_to_tr - a batched matrix A. The operand for multiplication is (bA^Tr). -/// @param[in] Awidth_befor_tr - the width of A. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_bmatTr_madd_gf256(unsigned char *bC, const unsigned char *bA_to_tr, unsigned int Awidth_before_tr, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += bA * B , in GF(16) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] bA - a batched matrix A. -/// @param[in] Aheigh - the height of A. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. 
-/// -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_mat_madd_gf16(unsigned char *bC, const unsigned char *bA, unsigned int Aheight, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += bA * B , in GF(256) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] bA - a batched matrix A. -/// @param[in] Aheigh - the height of A. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_mat_madd_gf256(unsigned char *bC, const unsigned char *bA, unsigned int Aheight, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -//////////////////// Section: "quadratric" matrix evaluation /////////////////////////////// - -/// -/// @brief y = x^Tr * trimat * x , in GF(16) -/// -/// @param[out] y - the returned batched element y. -/// @param[in] trimat - a batched matrix. -/// @param[in] x - an input vector x. -/// @param[in] dim - the dimension of matrix trimat (and x). -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_quad_trimat_eval_gf16(unsigned char *y, const unsigned char *trimat, const unsigned char *x, unsigned int dim, unsigned int size_batch); - -/// -/// @brief y = x^Tr * trimat * x , in GF(256) -/// -/// @param[out] y - the returned batched element y. -/// @param[in] trimat - a batched matrix. -/// @param[in] x - an input vector x. -/// @param[in] dim - the dimension of matrix trimat (and x). 
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_quad_trimat_eval_gf256(unsigned char *y, const unsigned char *trimat, const unsigned char *x, unsigned int dim, unsigned int size_batch); - -/// -/// @brief z = y^Tr * mat * x , in GF(16) -/// -/// @param[out] z - the returned batched element z. -/// @param[in] y - an input vector y. -/// @param[in] dim_y - the length of y. -/// @param[in] mat - a batched matrix. -/// @param[in] x - an input vector x. -/// @param[in] dim_x - the length of x. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_quad_recmat_eval_gf16(unsigned char *z, const unsigned char *y, unsigned int dim_y, - const unsigned char *mat, const unsigned char *x, unsigned int dim_x, unsigned int size_batch); - -/// -/// @brief z = y^Tr * mat * x , in GF(256) -/// -/// @param[out] z - the returned batched element z. -/// @param[in] y - an input vector y. -/// @param[in] dim_y - the length of y. -/// @param[in] mat - a batched matrix. -/// @param[in] x - an input vector x. -/// @param[in] dim_x - the length of x. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_quad_recmat_eval_gf256(unsigned char *z, const unsigned char *y, unsigned int dim_y, - const unsigned char *mat, const unsigned char *x, unsigned int dim_x, unsigned int size_batch); - -#endif // _P_MATRIX_OP_H_ diff --git a/crypto_sign/rainbowIII-circumzenithal/clean/rainbow.c b/crypto_sign/rainbowIII-circumzenithal/clean/rainbow.c deleted file mode 100644 index 0f8265cb..00000000 --- a/crypto_sign/rainbowIII-circumzenithal/clean/rainbow.c +++ /dev/null 
@@ -1,173 +0,0 @@ -/// @file rainbow.c -/// @brief The standard implementations for functions in rainbow.h -/// - -#include "blas.h" -#include "parallel_matrix_op.h" -#include "rainbow.h" -#include "rainbow_blas.h" -#include "rainbow_config.h" -#include "rainbow_keypair.h" -#include "utils_hash.h" -#include "utils_prng.h" -#include -#include -#include - -#define MAX_ATTEMPT_FRMAT 128 - -int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_rainbow_sign(uint8_t *signature, const sk_t *sk, const uint8_t *_digest) { - uint8_t mat_l1[_O1 * _O1_BYTE]; - uint8_t mat_l2[_O2 * _O2_BYTE]; - uint8_t mat_buffer[2 * _MAX_O * _MAX_O_BYTE]; - - // setup PRNG - prng_t prng_sign; - uint8_t prng_preseed[LEN_SKSEED + _HASH_LEN]; - memcpy(prng_preseed, sk->sk_seed, LEN_SKSEED); - memcpy(prng_preseed + LEN_SKSEED, _digest, _HASH_LEN); // prng_preseed = sk_seed || digest - uint8_t prng_seed[_HASH_LEN]; - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_hash_msg(prng_seed, _HASH_LEN, prng_preseed, _HASH_LEN + LEN_SKSEED); - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_prng_set(&prng_sign, prng_seed, _HASH_LEN); // seed = H( sk_seed || digest ) - for (unsigned int i = 0; i < LEN_SKSEED + _HASH_LEN; i++) { - prng_preseed[i] ^= prng_preseed[i]; // clean - } - for (unsigned int i = 0; i < _HASH_LEN; i++) { - prng_seed[i] ^= prng_seed[i]; // clean - } - - // roll vinegars. 
- uint8_t vinegar[_V1_BYTE]; - unsigned int n_attempt = 0; - unsigned int l1_succ = 0; - while (!l1_succ) { - if (MAX_ATTEMPT_FRMAT <= n_attempt) { - break; - } - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_prng_gen(&prng_sign, vinegar, _V1_BYTE); // generating vinegars - gfmat_prod(mat_l1, sk->l1_F2, _O1 * _O1_BYTE, _V1, vinegar); // generating the linear equations for layer 1 - l1_succ = gfmat_inv(mat_l1, mat_l1, _O1, mat_buffer); // check if the linear equation solvable - n_attempt++; - } - - // Given the vinegars, pre-compute variables needed for layer 2 - uint8_t r_l1_F1[_O1_BYTE] = {0}; - uint8_t r_l2_F1[_O2_BYTE] = {0}; - batch_quad_trimat_eval(r_l1_F1, sk->l1_F1, vinegar, _V1, _O1_BYTE); - batch_quad_trimat_eval(r_l2_F1, sk->l2_F1, vinegar, _V1, _O2_BYTE); - uint8_t mat_l2_F3[_O2 * _O2_BYTE]; - uint8_t mat_l2_F2[_O1 * _O2_BYTE]; - gfmat_prod(mat_l2_F3, sk->l2_F3, _O2 * _O2_BYTE, _V1, vinegar); - gfmat_prod(mat_l2_F2, sk->l2_F2, _O1 * _O2_BYTE, _V1, vinegar); - - // Some local variables. 
- uint8_t _z[_PUB_M_BYTE]; - uint8_t y[_PUB_M_BYTE]; - uint8_t *x_v1 = vinegar; - uint8_t x_o1[_O1_BYTE]; - uint8_t x_o2[_O2_BYTE]; - - uint8_t digest_salt[_HASH_LEN + _SALT_BYTE]; - memcpy(digest_salt, _digest, _HASH_LEN); - uint8_t *salt = digest_salt + _HASH_LEN; - - uint8_t temp_o[_MAX_O_BYTE + 32] = {0}; - unsigned int succ = 0; - while (!succ) { - if (MAX_ATTEMPT_FRMAT <= n_attempt) { - break; - } - // The computation: H(digest||salt) --> z --S--> y --C-map--> x --T--> w - - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_prng_gen(&prng_sign, salt, _SALT_BYTE); // roll the salt - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_hash_msg(_z, _PUB_M_BYTE, digest_salt, _HASH_LEN + _SALT_BYTE); // H(digest||salt) - - // y = S^-1 * z - memcpy(y, _z, _PUB_M_BYTE); // identity part of S - gfmat_prod(temp_o, sk->s1, _O1_BYTE, _O2, _z + _O1_BYTE); - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_add(y, temp_o, _O1_BYTE); - - // Central Map: - // layer 1: calculate x_o1 - memcpy(temp_o, r_l1_F1, _O1_BYTE); - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_add(temp_o, y, _O1_BYTE); - gfmat_prod(x_o1, mat_l1, _O1_BYTE, _O1, temp_o); - - // layer 2: calculate x_o2 - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_set_zero(temp_o, _O2_BYTE); - gfmat_prod(temp_o, mat_l2_F2, _O2_BYTE, _O1, x_o1); // F2 - batch_quad_trimat_eval(mat_l2, sk->l2_F5, x_o1, _O1, _O2_BYTE); // F5 - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_add(temp_o, mat_l2, _O2_BYTE); - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_add(temp_o, r_l2_F1, _O2_BYTE); // F1 - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_add(temp_o, y + _O1_BYTE, _O2_BYTE); - - // generate the linear equations of the 2nd layer - gfmat_prod(mat_l2, sk->l2_F6, _O2 * _O2_BYTE, _O1, x_o1); // F6 - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_add(mat_l2, mat_l2_F3, _O2 * _O2_BYTE); // F3 - succ = gfmat_inv(mat_l2, mat_l2, _O2, mat_buffer); - gfmat_prod(x_o2, mat_l2, _O2_BYTE, _O2, temp_o); // solve l2 eqs - - n_attempt++; - }; - // w = T^-1 * y - uint8_t 
w[_PUB_N_BYTE]; - // identity part of T. - memcpy(w, x_v1, _V1_BYTE); - memcpy(w + _V1_BYTE, x_o1, _O1_BYTE); - memcpy(w + _V2_BYTE, x_o2, _O2_BYTE); - // Computing the t1 part. - gfmat_prod(y, sk->t1, _V1_BYTE, _O1, x_o1); - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_add(w, y, _V1_BYTE); - // Computing the t4 part. - gfmat_prod(y, sk->t4, _V1_BYTE, _O2, x_o2); - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_add(w, y, _V1_BYTE); - // Computing the t3 part. - gfmat_prod(y, sk->t3, _O1_BYTE, _O2, x_o2); - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_add(w + _V1_BYTE, y, _O1_BYTE); - - memset(signature, 0, _SIGNATURE_BYTE); // set the output 0 - // clean - memset(&prng_sign, 0, sizeof(prng_t)); - memset(vinegar, 0, _V1_BYTE); - memset(r_l1_F1, 0, _O1_BYTE); - memset(r_l2_F1, 0, _O2_BYTE); - memset(_z, 0, _PUB_M_BYTE); - memset(y, 0, _PUB_M_BYTE); - memset(x_o1, 0, _O1_BYTE); - memset(x_o2, 0, _O2_BYTE); - memset(temp_o, 0, sizeof(temp_o)); - - // return: copy w and salt to the signature. - if (MAX_ATTEMPT_FRMAT <= n_attempt) { - return -1; - } - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_add(signature, w, _PUB_N_BYTE); - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_add(signature + _PUB_N_BYTE, salt, _SALT_BYTE); - return 0; -} - -int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_rainbow_verify(const uint8_t *digest, const uint8_t *signature, const pk_t *pk) { - unsigned char digest_ck[_PUB_M_BYTE]; - // public_map( digest_ck , pk , signature ); Evaluating the quadratic public polynomials. - batch_quad_trimat_eval(digest_ck, pk->pk, signature, _PUB_N, _PUB_M_BYTE); - - unsigned char correct[_PUB_M_BYTE]; - unsigned char digest_salt[_HASH_LEN + _SALT_BYTE]; - memcpy(digest_salt, digest, _HASH_LEN); - memcpy(digest_salt + _HASH_LEN, signature + _PUB_N_BYTE, _SALT_BYTE); - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_hash_msg(correct, _PUB_M_BYTE, digest_salt, _HASH_LEN + _SALT_BYTE); // H( digest || salt ) - - // check consistancy. 
- unsigned char cc = 0; - for (unsigned int i = 0; i < _PUB_M_BYTE; i++) { - cc |= (digest_ck[i] ^ correct[i]); - } - return (0 == cc) ? 0 : -1; -} - - -int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_rainbow_verify_cyclic(const uint8_t *digest, const uint8_t *signature, const cpk_t *_pk) { - unsigned char pk[sizeof(pk_t) + 32]; - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_cpk_to_pk((pk_t *)pk, _pk); // generating classic public key. - return PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_rainbow_verify(digest, signature, (pk_t *)pk); -} diff --git a/crypto_sign/rainbowIII-circumzenithal/clean/rainbow.h b/crypto_sign/rainbowIII-circumzenithal/clean/rainbow.h deleted file mode 100644 index 95c02d08..00000000 --- a/crypto_sign/rainbowIII-circumzenithal/clean/rainbow.h +++ /dev/null 
@@ -1,42 +0,0 @@
-#ifndef _RAINBOW_H_
-#define _RAINBOW_H_
-/// @file rainbow.h
-/// @brief APIs for rainbow.
-///
-
-#include "rainbow_config.h"
-#include "rainbow_keypair.h"
-
-#include
-
-///
-/// @brief Signing function for classical secret key.
-///
-/// @param[out] signature - the signature.
-/// @param[in] sk - the secret key.
-/// @param[in] digest - the digest.
-///
-int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_rainbow_sign(uint8_t *signature, const sk_t *sk, const uint8_t *digest);
-
-///
-/// @brief Verifying function.
-///
-/// @param[in] digest - the digest.
-/// @param[in] signature - the signature.
-/// @param[in] pk - the public key.
-/// @return 0 for successful verified. -1 for failed verification.
-///
-int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_rainbow_verify(const uint8_t *digest, const uint8_t *signature, const pk_t *pk);
-
-
-///
-/// @brief Verifying function for cyclic public keys.
-///
-/// @param[in] digest - the digest.
-/// @param[in] signature - the signature.
-/// @param[in] pk - the public key of cyclic rainbow.
-/// @return 0 for successful verified. -1 for failed verification.
-///
-int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_rainbow_verify_cyclic(const uint8_t *digest, const uint8_t *signature, const cpk_t *pk);
-
-#endif // _RAINBOW_H_
diff --git a/crypto_sign/rainbowIII-circumzenithal/clean/rainbow_blas.h b/crypto_sign/rainbowIII-circumzenithal/clean/rainbow_blas.h
deleted file mode 100644
index d7275d52..00000000
--- a/crypto_sign/rainbowIII-circumzenithal/clean/rainbow_blas.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef _RAINBOW_BLAS_H_
-#define _RAINBOW_BLAS_H_
-/// @file rainbow_blas.h
-/// @brief Defining the functions used in rainbow.c acconding to the definitions in rainbow_config.h
-///
-/// Defining the functions used in rainbow.c acconding to the definitions in rainbow_config.h
-
-#include "blas.h"
-#include "blas_comm.h"
-#include "parallel_matrix_op.h"
-#include "rainbow_config.h"
-
-
-#define gfv_get_ele PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_get_ele
-#define gfv_mul_scalar PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_mul_scalar
-#define gfv_madd PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_madd
-
-#define gfmat_prod PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256mat_prod
-#define gfmat_inv PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256mat_inv
-
-#define batch_trimat_madd PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_trimat_madd_gf256
-#define batch_trimatTr_madd PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_trimatTr_madd_gf256
-#define batch_2trimat_madd PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_2trimat_madd_gf256
-#define batch_matTr_madd PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_matTr_madd_gf256
-#define batch_bmatTr_madd PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_bmatTr_madd_gf256
-#define batch_mat_madd PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_mat_madd_gf256
-
-#define batch_quad_trimat_eval PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_quad_trimat_eval_gf256
-#define batch_quad_recmat_eval PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_batch_quad_recmat_eval_gf256
-
-
-#endif // _RAINBOW_BLAS_H_
diff --git a/crypto_sign/rainbowIII-circumzenithal/clean/rainbow_config.h b/crypto_sign/rainbowIII-circumzenithal/clean/rainbow_config.h
deleted file mode 100644
index f3cbb700..00000000
--- a/crypto_sign/rainbowIII-circumzenithal/clean/rainbow_config.h
+++ /dev/null
@@ -1,48 +0,0 @@
-#ifndef _H_RAINBOW_CONFIG_H_
-#define _H_RAINBOW_CONFIG_H_
-
-/// @file rainbow_config.h
-/// @brief Defining the parameters of the Rainbow and the corresponding constants.
-///
-
-#define _GFSIZE 256
-#define _V1 68
-#define _O1 32
-#define _O2 48
-#define _MAX_O 48
-#define _HASH_LEN 48
-
-
-#define _V2 ((_V1) + (_O1))
-
-/// size of N, in # of gf elements.
-#define _PUB_N (_V1 + _O1 + _O2)
-
-/// size of M, in # gf elements.
-#define _PUB_M (_O1 + _O2)
-
-/// size of variables, in # bytes.
-
-// GF256
-#define _V1_BYTE (_V1)
-#define _V2_BYTE (_V2)
-#define _O1_BYTE (_O1)
-#define _O2_BYTE (_O2)
-#define _MAX_O_BYTE (_MAX_O)
-#define _PUB_N_BYTE (_PUB_N)
-#define _PUB_M_BYTE (_PUB_M)
-
-
-/// length of seed for public key, in # bytes
-#define LEN_PKSEED 32
-
-/// length of seed for secret key, in # bytes
-#define LEN_SKSEED 32
-
-/// length of salt for a signature, in # bytes
-#define _SALT_BYTE 16
-
-/// length of a signature
-#define _SIGNATURE_BYTE (_PUB_N_BYTE + _SALT_BYTE)
-
-#endif // _H_RAINBOW_CONFIG_H_
diff --git a/crypto_sign/rainbowIII-circumzenithal/clean/rainbow_keypair.c b/crypto_sign/rainbowIII-circumzenithal/clean/rainbow_keypair.c
deleted file mode 100644
index 33fd81b2..00000000
--- a/crypto_sign/rainbowIII-circumzenithal/clean/rainbow_keypair.c
+++ /dev/null
@@ -1,186 +0,0 @@ -/// @file rainbow_keypair.c -/// @brief implementations of functions in rainbow_keypair.h -/// - -#include "rainbow_keypair.h" -#include "blas.h" -#include "blas_comm.h" -#include "rainbow_blas.h" -#include "rainbow_keypair_computation.h" -#include "utils_prng.h" -#include -#include -#include - -static -void generate_S_T( unsigned char *s_and_t, prng_t *prng0 ) { - sk_t *_sk; - unsigned size; - - size = sizeof(_sk->s1); - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_prng_gen( prng0, s_and_t, size ); - s_and_t += size; - - size = sizeof(_sk->t1); - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_prng_gen( prng0, s_and_t, size ); - s_and_t += size; - - size = sizeof(_sk->t4); - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_prng_gen( prng0, s_and_t, size ); - s_and_t += size; - - size = sizeof(_sk->t3); - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_prng_gen( prng0, s_and_t, size ); -} - - -static -unsigned generate_l1_F12( unsigned char *sk, prng_t *prng0 ) { - unsigned n_byte_generated = 0; - sk_t *_sk; - unsigned size; - - size = sizeof(_sk->l1_F1); - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_prng_gen( prng0, sk, size ); - sk += size; - n_byte_generated += size; - - size = sizeof(_sk->l1_F2); - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_prng_gen( prng0, sk, size ); - n_byte_generated += size; - - return n_byte_generated; -} - - -static -unsigned generate_l2_F12356( unsigned char *sk, prng_t *prng0 ) { - unsigned n_byte_generated = 0; - sk_t *_sk; - unsigned size; - - size = sizeof(_sk->l2_F1); - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_prng_gen( prng0, sk, size ); - sk += size; - n_byte_generated += size; - - size = sizeof(_sk->l2_F2); - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_prng_gen( prng0, sk, size ); - sk += size; - n_byte_generated += size; - - size = sizeof(_sk->l2_F3); - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_prng_gen( prng0, sk, size ); - sk += size; - n_byte_generated += size; - - size = sizeof(_sk->l2_F5); - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_prng_gen( prng0, sk, size 
); - sk += size; - n_byte_generated += size; - - size = sizeof(_sk->l2_F6); - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_prng_gen( prng0, sk, size ); - n_byte_generated += size; - - return n_byte_generated; -} - - -static void generate_B1_B2(unsigned char *sk, prng_t *prng0) { - sk += generate_l1_F12(sk, prng0); - generate_l2_F12356(sk, prng0); -} - -static void calculate_t4(unsigned char *t2_to_t4, const unsigned char *t1, const unsigned char *t3) { - // t4 = T_sk.t1 * T_sk.t3 - T_sk.t2 - unsigned char temp[_V1_BYTE + 32]; - unsigned char *t4 = t2_to_t4; - for (unsigned int i = 0; i < _O2; i++) { /// t3 width - gfmat_prod(temp, t1, _V1_BYTE, _O1, t3); - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_add(t4, temp, _V1_BYTE); - t4 += _V1_BYTE; - t3 += _O1_BYTE; - } -} - -static void obsfucate_l1_polys(unsigned char *l1_polys, const unsigned char *l2_polys, unsigned int n_terms, const unsigned char *s1) { - unsigned char temp[_O1_BYTE + 32]; - while (n_terms--) { - gfmat_prod(temp, s1, _O1_BYTE, _O2, l2_polys); - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_gf256v_add(l1_polys, temp, _O1_BYTE); - l1_polys += _O1_BYTE; - l2_polys += _O2_BYTE; - } -} - -/////////////////// Classic ////////////////////////////////// - - -///////////////////// Cyclic ////////////////////////////////// -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_generate_keypair_cyclic(cpk_t *pk, sk_t *sk, const unsigned char *pk_seed, const unsigned char *sk_seed) { - memcpy(pk->pk_seed, pk_seed, LEN_PKSEED); - memcpy(sk->sk_seed, sk_seed, LEN_SKSEED); - - // prng for sk - prng_t prng; - prng_t *prng0 = &prng; - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_prng_set(prng0, sk_seed, LEN_SKSEED); - generate_S_T(sk->s1, prng0); // S,T: only a part of sk - - unsigned char t2[sizeof(sk->t4)]; - memcpy(t2, sk->t4, _V1_BYTE * _O2); // temporarily store t2 - calculate_t4(sk->t4, sk->t1, sk->t3); // t2 <- t4 - - // prng for pk - sk_t inst_Qs; - sk_t *Qs = &inst_Qs; - prng_t *prng1 = &prng; - 
PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_prng_set(prng1, pk_seed, LEN_PKSEED); - generate_B1_B2(Qs->l1_F1, prng1); // generating l1_Q1, l1_Q2, l2_Q1, l2_Q2, l2_Q3, l2_Q5, l2_Q6 - obsfucate_l1_polys(Qs->l1_F1, Qs->l2_F1, N_TRIANGLE_TERMS(_V1), sk->s1); - obsfucate_l1_polys(Qs->l1_F2, Qs->l2_F2, _V1 * _O1, sk->s1); - // so far, the Qs contains l1_F1, l1_F2, l2_F1, l2_F2, l2_F3, l2_F5, l2_F6. - - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_calculate_F_from_Q(sk, Qs, sk); // calcuate the rest parts of secret key from Qs and S,T - - unsigned char t4[sizeof(sk->t4)]; - memcpy(t4, sk->t4, _V1_BYTE * _O2); // temporarily store t4 - memcpy(sk->t4, t2, _V1_BYTE * _O2); // restore t2 - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_calculate_Q_from_F_cyclic(pk, sk, sk); // calculate the rest parts of public key: l1_Q3, l1_Q5, l1_Q6, l1_Q9, l2_Q9 - memcpy(sk->t4, t4, _V1_BYTE * _O2); // restore t4 - - obsfucate_l1_polys(pk->l1_Q3, Qs->l2_F3, _V1 * _O2, sk->s1); - obsfucate_l1_polys(pk->l1_Q5, Qs->l2_F5, N_TRIANGLE_TERMS(_O1), sk->s1); - obsfucate_l1_polys(pk->l1_Q6, Qs->l2_F6, _O1 * _O2, sk->s1); - obsfucate_l1_polys(pk->l1_Q9, pk->l2_Q9, N_TRIANGLE_TERMS(_O2), sk->s1); - - // clean - memset(&prng, 0, sizeof(prng_t)); -} - - - -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_cpk_to_pk(pk_t *rpk, const cpk_t *cpk) { - // procedure: cpk_t --> extcpk_t --> pk_t - - // convert from cpk_t to extcpk_t - ext_cpk_t pk; - - // setup prng - prng_t prng0; - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_prng_set(&prng0, cpk->pk_seed, LEN_SKSEED); - - // generating parts of key with prng - generate_l1_F12(pk.l1_Q1, &prng0); - // copying parts of key from input. 
l1_Q3, l1_Q5, l1_Q6, l1_Q9 - memcpy(pk.l1_Q3, cpk->l1_Q3, _O1_BYTE * (_V1 * _O2 + N_TRIANGLE_TERMS(_O1) + _O1 * _O2 + N_TRIANGLE_TERMS(_O2))); - - // generating parts of key with prng - generate_l2_F12356(pk.l2_Q1, &prng0); - // copying parts of key from input: l2_Q9 - memcpy(pk.l2_Q9, cpk->l2_Q9, _O2_BYTE * N_TRIANGLE_TERMS(_O2)); - - // convert from extcpk_t to pk_t - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_extcpk_to_pk(rpk, &pk); -} diff --git a/crypto_sign/rainbowIII-circumzenithal/clean/rainbow_keypair.h b/crypto_sign/rainbowIII-circumzenithal/clean/rainbow_keypair.h deleted file mode 100644 index c042135c..00000000 --- a/crypto_sign/rainbowIII-circumzenithal/clean/rainbow_keypair.h +++ /dev/null 
@@ -1,94 +0,0 @@ -#ifndef _RAINBOW_KEYPAIR_H_ -#define _RAINBOW_KEYPAIR_H_ -/// @file rainbow_keypair.h -/// @brief Formats of key pairs and functions for generating key pairs. -/// Formats of key pairs and functions for generating key pairs. -/// - -#include "rainbow_config.h" - -#define N_TRIANGLE_TERMS(n_var) ((n_var) * ((n_var) + 1) / 2) - -/// @brief public key for classic rainbow -/// -/// public key for classic rainbow -/// -typedef struct rainbow_publickey { - unsigned char pk[(_PUB_M_BYTE)*N_TRIANGLE_TERMS(_PUB_N)]; -} pk_t; - -/// @brief secret key for classic rainbow -/// -/// secret key for classic rainbow -/// -typedef struct rainbow_secretkey { - /// - /// seed for generating secret key. - /// Generating S, T, and F for classic rainbow. - /// Generating S and T only for cyclic rainbow. - unsigned char sk_seed[LEN_SKSEED]; - - unsigned char s1[_O1_BYTE * _O2]; ///< part of S map - unsigned char t1[_V1_BYTE * _O1]; ///< part of T map - unsigned char t4[_V1_BYTE * _O2]; ///< part of T map - unsigned char t3[_O1_BYTE * _O2]; ///< part of T map - - unsigned char l1_F1[_O1_BYTE * N_TRIANGLE_TERMS(_V1)]; ///< part of C-map, F1, Layer1 - unsigned char l1_F2[_O1_BYTE * _V1 * _O1]; ///< part of C-map, F2, Layer1 - - unsigned char l2_F1[_O2_BYTE * N_TRIANGLE_TERMS(_V1)]; ///< part of C-map, F1, Layer2 - unsigned char l2_F2[_O2_BYTE * _V1 * _O1]; ///< part of C-map, F2, Layer2 - - unsigned char l2_F3[_O2_BYTE * _V1 * _O2]; ///< part of C-map, F3, Layer2 - unsigned char l2_F5[_O2_BYTE * N_TRIANGLE_TERMS(_O1)]; ///< part of C-map, F5, Layer2 - unsigned char l2_F6[_O2_BYTE * _O1 * _O2]; ///< part of C-map, F6, Layer2 -} sk_t; - -/// @brief public key for cyclic rainbow -/// -/// public key for cyclic rainbow -/// -typedef struct rainbow_publickey_cyclic { - unsigned char pk_seed[LEN_PKSEED]; ///< seed for generating l1_Q1,l1_Q2,l2_Q1,l2_Q2,l2_Q3,l2_Q5,l2_Q6 - - unsigned char l1_Q3[_O1_BYTE * _V1 * _O2]; ///< Q3, layer1 - unsigned char l1_Q5[_O1_BYTE * 
N_TRIANGLE_TERMS(_O1)]; ///< Q5, layer1 - unsigned char l1_Q6[_O1_BYTE * _O1 * _O2]; ///< Q6, layer1 - unsigned char l1_Q9[_O1_BYTE * N_TRIANGLE_TERMS(_O2)]; ///< Q9, layer1 - - unsigned char l2_Q9[_O2_BYTE * N_TRIANGLE_TERMS(_O2)]; ///< Q9, layer2 -} cpk_t; - -/// @brief compressed secret key for cyclic rainbow -/// -/// compressed secret key for cyclic rainbow -/// -typedef struct rainbow_secretkey_cyclic { - unsigned char pk_seed[LEN_PKSEED]; ///< seed for generating a part of public key. - unsigned char sk_seed[LEN_SKSEED]; ///< seed for generating a part of secret key. -} csk_t; - - -/// -/// @brief Generate key pairs for cyclic rainbow. -/// -/// @param[out] pk - the public key. -/// @param[out] sk - the secret key. -/// @param[in] pk_seed - seed for generating parts of public key. -/// @param[in] sk_seed - seed for generating secret key. -/// -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_generate_keypair_cyclic(cpk_t *pk, sk_t *sk, const unsigned char *pk_seed, const unsigned char *sk_seed); - - - -//////////////////////////////////// - -/// -/// @brief converting formats of public keys : from cyclic version to classic key -/// -/// @param[out] pk - the classic public key. -/// @param[in] cpk - the cyclic public key. -/// -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_cpk_to_pk(pk_t *pk, const cpk_t *cpk); - -#endif // _RAINBOW_KEYPAIR_H_ diff --git a/crypto_sign/rainbowIII-circumzenithal/clean/rainbow_keypair_computation.c b/crypto_sign/rainbowIII-circumzenithal/clean/rainbow_keypair_computation.c deleted file mode 100644 index 073aaf1d..00000000 --- a/crypto_sign/rainbowIII-circumzenithal/clean/rainbow_keypair_computation.c +++ /dev/null 
@@ -1,213 +0,0 @@ -/// @file rainbow_keypair_computation.c -/// @brief Implementations for functions in rainbow_keypair_computation.h -/// - -#include "rainbow_keypair_computation.h" -#include "blas.h" -#include "blas_comm.h" -#include "rainbow_blas.h" -#include "rainbow_keypair.h" -#include -#include -#include - -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_extcpk_to_pk(pk_t *pk, const ext_cpk_t *cpk) { - const unsigned char *idx_l1 = cpk->l1_Q1; - const unsigned char *idx_l2 = cpk->l2_Q1; - for (unsigned int i = 0; i < _V1; i++) { - for (unsigned int j = i; j < _V1; j++) { - unsigned int pub_idx = PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_idx_of_trimat(i, j, _PUB_N); - memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE); - memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE); - idx_l1 += _O1_BYTE; - idx_l2 += _O2_BYTE; - } - } - idx_l1 = cpk->l1_Q2; - idx_l2 = cpk->l2_Q2; - for (unsigned int i = 0; i < _V1; i++) { - for (unsigned int j = _V1; j < _V1 + _O1; j++) { - unsigned int pub_idx = PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_idx_of_trimat(i, j, _PUB_N); - memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE); - memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE); - idx_l1 += _O1_BYTE; - idx_l2 += _O2_BYTE; - } - } - idx_l1 = cpk->l1_Q3; - idx_l2 = cpk->l2_Q3; - for (unsigned int i = 0; i < _V1; i++) { - for (unsigned int j = _V1 + _O1; j < _PUB_N; j++) { - unsigned int pub_idx = PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_idx_of_trimat(i, j, _PUB_N); - memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE); - memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE); - idx_l1 += _O1_BYTE; - idx_l2 += _O2_BYTE; - } - } - idx_l1 = cpk->l1_Q5; - idx_l2 = cpk->l2_Q5; - for (unsigned int i = _V1; i < _V1 + _O1; i++) { - for (unsigned int j = i; j < _V1 + _O1; j++) { - unsigned int pub_idx = PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_idx_of_trimat(i, j, _PUB_N); - memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE); - 
memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE); - idx_l1 += _O1_BYTE; - idx_l2 += _O2_BYTE; - } - } - idx_l1 = cpk->l1_Q6; - idx_l2 = cpk->l2_Q6; - for (unsigned int i = _V1; i < _V1 + _O1; i++) { - for (unsigned int j = _V1 + _O1; j < _PUB_N; j++) { - unsigned int pub_idx = PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_idx_of_trimat(i, j, _PUB_N); - memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE); - memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE); - idx_l1 += _O1_BYTE; - idx_l2 += _O2_BYTE; - } - } - idx_l1 = cpk->l1_Q9; - idx_l2 = cpk->l2_Q9; - for (unsigned int i = _V1 + _O1; i < _PUB_N; i++) { - for (unsigned int j = i; j < _PUB_N; j++) { - unsigned int pub_idx = PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_idx_of_trimat(i, j, _PUB_N); - memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE); - memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE); - idx_l1 += _O1_BYTE; - idx_l2 += _O2_BYTE; - } - } -} - -static void calculate_F_from_Q_ref(sk_t *Fs, const sk_t *Qs, sk_t *Ts) { - // Layer 1 - // F_sk.l1_F1s[i] = Q_pk.l1_F1s[i] - memcpy(Fs->l1_F1, Qs->l1_F1, _O1_BYTE * N_TRIANGLE_TERMS(_V1)); - - // F_sk.l1_F2s[i] = ( Q_pk.l1_F1s[i] + Q_pk.l1_F1s[i].transpose() ) * T_sk.t1 + Q_pk.l1_F2s[i] - memcpy(Fs->l1_F2, Qs->l1_F2, _O1_BYTE * _V1 * _O1); - batch_2trimat_madd(Fs->l1_F2, Qs->l1_F1, Ts->t1, _V1, _V1_BYTE, _O1, _O1_BYTE); - - /* - Layer 2 - computations: - - F_sk.l2_F1s[i] = Q_pk.l2_F1s[i] - - Q1_T1 = Q_pk.l2_F1s[i]*T_sk.t1 - F_sk.l2_F2s[i] = Q1_T1 + Q_pk.l2_F2s[i] + Q_pk.l2_F1s[i].transpose() * T_sk.t1 - F_sk.l2_F5s[i] = UT( t1_tr* ( Q1_T1 + Q_pk.l2_F2s[i] ) ) + Q_pk.l2_F5s[i] - - Q1_Q1T_T4 = (Q_pk.l2_F1s[i] + Q_pk.l2_F1s[i].transpose()) * t4 - #Q1_Q1T_T4 = Q1_Q1T * t4 - Q2_T3 = Q_pk.l2_F2s[i]*T_sk.t3 - F_sk.l2_F3s[i] = Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i] - F_sk.l2_F6s[i] = t1_tr * ( Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i] ) - + Q_pk.l2_F2s[i].transpose() * t4 - + (Q_pk.l2_F5s[i] + 
Q_pk.l2_F5s[i].transpose())*T_sk.t3 + Q_pk.l2_F6s[i] - - */ - memcpy(Fs->l2_F1, Qs->l2_F1, _O2_BYTE * N_TRIANGLE_TERMS(_V1)); // F_sk.l2_F1s[i] = Q_pk.l2_F1s[i] - - // F_sk.l2_F2s[i] = Q1_T1 + Q_pk.l2_F2s[i] + Q_pk.l2_F1s[i].transpose() * T_sk.t1 - // F_sk.l2_F5s[i] = UT( t1_tr* ( Q1_T1 + Q_pk.l2_F2s[i] ) ) + Q_pk.l2_F5s[i] - memcpy(Fs->l2_F2, Qs->l2_F2, _O2_BYTE * _V1 * _O1); - batch_trimat_madd(Fs->l2_F2, Qs->l2_F1, Ts->t1, _V1, _V1_BYTE, _O1, _O2_BYTE); // Q1_T1+ Q2 - - unsigned char tempQ[_O1 * _O1 * _O2_BYTE + 32]; - memset(tempQ, 0, _O1 * _O1 * _O2_BYTE); - batch_matTr_madd(tempQ, Ts->t1, _V1, _V1_BYTE, _O1, Fs->l2_F2, _O1, _O2_BYTE); // t1_tr*(Q1_T1+Q2) - memcpy(Fs->l2_F5, Qs->l2_F5, _O2_BYTE * N_TRIANGLE_TERMS(_O1)); // F5 - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_UpperTrianglize(Fs->l2_F5, tempQ, _O1, _O2_BYTE); // UT( ... ) - - batch_trimatTr_madd(Fs->l2_F2, Qs->l2_F1, Ts->t1, _V1, _V1_BYTE, _O1, _O2_BYTE); // F2 = Q1_T1 + Q2 + Q1^tr*t1 - - // Q1_Q1T_T4 = (Q_pk.l2_F1s[i] + Q_pk.l2_F1s[i].transpose()) * t4 - // Q2_T3 = Q_pk.l2_F2s[i]*T_sk.t3 - // F_sk.l2_F3s[i] = Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i] - memcpy(Fs->l2_F3, Qs->l2_F3, _V1 * _O2 * _O2_BYTE); - batch_2trimat_madd(Fs->l2_F3, Qs->l2_F1, Ts->t4, _V1, _V1_BYTE, _O2, _O2_BYTE); // Q1_Q1T_T4 - batch_mat_madd(Fs->l2_F3, Qs->l2_F2, _V1, Ts->t3, _O1, _O1_BYTE, _O2, _O2_BYTE); // Q2_T3 - - // F_sk.l2_F6s[i] = t1_tr * ( Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i] ) - // + Q_pk.l2_F2s[i].transpose() * t4 - // + (Q_pk.l2_F5s[i] + Q_pk.l2_F5s[i].transpose())*T_sk.t3 + Q_pk.l2_F6s[i] - memcpy(Fs->l2_F6, Qs->l2_F6, _O1 * _O2 * _O2_BYTE); - batch_matTr_madd(Fs->l2_F6, Ts->t1, _V1, _V1_BYTE, _O1, Fs->l2_F3, _O2, _O2_BYTE); // t1_tr * ( Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i] ) - batch_2trimat_madd(Fs->l2_F6, Qs->l2_F5, Ts->t3, _O1, _O1_BYTE, _O2, _O2_BYTE); // (Q_pk.l2_F5s[i] + Q_pk.l2_F5s[i].transpose())*T_sk.t3 - batch_bmatTr_madd(Fs->l2_F6, Qs->l2_F2, _O1, Ts->t4, _V1, _V1_BYTE, _O2, _O2_BYTE); -} - -#define _SIZE_BUFFER_F2 
(_O2_BYTE * _V1 * _O2) -#define _SIZE_BUFFER_F3 (_O2_BYTE * _V1 * _O2) -static void calculate_Q_from_F_cyclic_ref(cpk_t *Qs, const sk_t *Fs, const sk_t *Ts) { - // Layer 1: Computing Q5, Q3, Q6, Q9 - - // Q_pk.l1_F5s[i] = UT( T1tr* (F1 * T1 + F2) ) - const unsigned char *t2 = Ts->t4; - - // assuming _O2 >= _O1 - - unsigned char buffer_F2[_SIZE_BUFFER_F2]; - memcpy(buffer_F2, Fs->l1_F2, _O1_BYTE * _V1 * _O1); - batch_trimat_madd( buffer_F2, Fs->l1_F1, Ts->t1, _V1, _V1_BYTE, _O1, _O1_BYTE); // F1*T1 + F2 - - // assuming _O2 >= _O1 - unsigned char buffer_F3[_SIZE_BUFFER_F3]; - memset(buffer_F3, 0, _O1_BYTE * _V1 * _O2); - batch_matTr_madd(buffer_F3, Ts->t1, _V1, _V1_BYTE, _O1, buffer_F2, _O1, _O1_BYTE); // T1tr*(F1*T1 + F2) , release buffer_F2 - memset(Qs->l1_Q5, 0, _O1_BYTE * N_TRIANGLE_TERMS(_O1)); - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_UpperTrianglize(Qs->l1_Q5, buffer_F3, _O1, _O1_BYTE); // UT( ... ) // Q5 , release buffer_F3 - /* - F1_T2 = F1 * t2 - F2_T3 = F2 * t3 - F1_F1T_T2 + F2_T3 = F1_T2 + F2_T3 + F1tr * t2 - Q_pk.l1_F3s[i] = F1_F1T_T2 + F2_T3 - Q_pk.l1_F6s[i] = T1tr* ( F1_F1T_T2 + F2_T3 ) + F2tr * t2 - Q_pk.l1_F9s[i] = UT( T2tr* ( F1_T2 + F2_T3 ) ) - */ - memset(Qs->l1_Q3, 0, _O1_BYTE * _V1 * _O2); - memset(Qs->l1_Q6, 0, _O1_BYTE * _O1 * _O2); - memset(Qs->l1_Q9, 0, _O1_BYTE * N_TRIANGLE_TERMS(_O2)); - - batch_trimat_madd(Qs->l1_Q3, Fs->l1_F1, t2, _V1, _V1_BYTE, _O2, _O1_BYTE); // F1*T2 - batch_mat_madd(Qs->l1_Q3, Fs->l1_F2, _V1, Ts->t3, _O1, _O1_BYTE, _O2, _O1_BYTE); // F1_T2 + F - memset(buffer_F3, 0, _O1_BYTE * _V1 * _O2); - batch_matTr_madd(buffer_F3, t2, _V1, _V1_BYTE, _O2, Qs->l1_Q3, _O2, _O1_BYTE); // T2tr * ( F1_T2 + F2_T3 ) - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_UpperTrianglize(Qs->l1_Q9, buffer_F3, _O2, _O1_BYTE); // Q9 , release buffe - batch_trimatTr_madd(Qs->l1_Q3, Fs->l1_F1, t2, _V1, _V1_BYTE, _O2, _O1_BYTE); // F1_F1T_T2 + F2_T3 / - batch_bmatTr_madd(Qs->l1_Q6, Fs->l1_F2, _O1, t2, _V1, _V1_BYTE, _O2, _O1_BYTE); // F2tr*T2 - 
batch_matTr_madd(Qs->l1_Q6, Ts->t1, _V1, _V1_BYTE, _O1, Qs->l1_Q3, _O2, _O1_BYTE); // Q6 - /* - Layer 2 - Computing - F1_T2 = F1 * t2 - F2_T3 = F2 * t3 - Q9 = UT( T2tr*( F1*T2 + F2*T3 + F3 ) + T3tr*( F5*T3 + F6 ) ) - */ - memcpy(buffer_F3, Fs->l2_F3, _O2_BYTE * _V1 * _O2); - batch_trimat_madd(buffer_F3, Fs->l2_F1, t2, _V1, _V1_BYTE, _O2, _O2_BYTE); // F1*T2 + F3 - batch_mat_madd(buffer_F3, Fs->l2_F2, _V1, Ts->t3, _O1, _O1_BYTE, _O2, _O2_BYTE); // F1_T2 + F2_T3 - memset(buffer_F2, 0, _O2_BYTE * _V1 * _O2); - batch_matTr_madd(buffer_F2, t2, _V1, _V1_BYTE, _O2, buffer_F3, _O2, _O2_BYTE); // T2tr * ( ..... ) , release buffe - memcpy(buffer_F3, Fs->l2_F6, _O2_BYTE * _O1 * _O2); - batch_trimat_madd(buffer_F3, Fs->l2_F5, Ts->t3, _O1, _O1_BYTE, _O2, _O2_BYTE); // F5*T3 + F6 - batch_matTr_madd(buffer_F2, Ts->t3, _O1, _O1_BYTE, _O2, buffer_F3, _O2, _O2_BYTE); // T2tr*( ..... ) + T3tr*( ..... ) - memset(Qs->l2_Q9, 0, _O2_BYTE * N_TRIANGLE_TERMS(_O2)); - PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_UpperTrianglize(Qs->l2_Q9, buffer_F2, _O2, _O2_BYTE); // Q9 - memset(buffer_F2, 0, _SIZE_BUFFER_F2); - memset(buffer_F3, 0, _SIZE_BUFFER_F3); -} - -// Choosing implementations depends on the macros: _BLAS_SSE_ and _BLAS_AVX2_ -#define calculate_F_from_Q_impl calculate_F_from_Q_ref -#define calculate_Q_from_F_cyclic_impl calculate_Q_from_F_cyclic_ref - -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_calculate_F_from_Q(sk_t *Fs, const sk_t *Qs, sk_t *Ts) { - calculate_F_from_Q_impl(Fs, Qs, Ts); -} - -void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_calculate_Q_from_F_cyclic(cpk_t *Qs, const sk_t *Fs, const sk_t *Ts) { - calculate_Q_from_F_cyclic_impl(Qs, Fs, Ts); -} diff --git a/crypto_sign/rainbowIII-circumzenithal/clean/rainbow_keypair_computation.h b/crypto_sign/rainbowIII-circumzenithal/clean/rainbow_keypair_computation.h deleted file mode 100644 index bfb862cb..00000000 --- a/crypto_sign/rainbowIII-circumzenithal/clean/rainbow_keypair_computation.h +++ /dev/null 
@@ -1,71 +0,0 @@
-#ifndef _RAINBOW_KEYPAIR_COMP_H_
-#define _RAINBOW_KEYPAIR_COMP_H_
-/// @file rainbow_keypair_computation.h
-/// @brief Functions for calculating pk/sk while generating keys.
-///
-/// Defining an internal structure of public key.
-/// Functions for calculating pk/sk for key generation.
-///
-
-#include "rainbow_keypair.h"
-
-/// @brief The (internal use) public key for rainbow
-///
-/// The (internal use) public key for rainbow. The public
-/// polynomials are divided into l1_Q1, l1_Q2, ... l1_Q9,
-/// l2_Q1, .... , l2_Q9.
-///
-typedef struct rainbow_extend_publickey {
- unsigned char l1_Q1[_O1_BYTE * N_TRIANGLE_TERMS(_V1)];
- unsigned char l1_Q2[_O1_BYTE * _V1 * _O1];
- unsigned char l1_Q3[_O1_BYTE * _V1 * _O2];
- unsigned char l1_Q5[_O1_BYTE * N_TRIANGLE_TERMS(_O1)];
- unsigned char l1_Q6[_O1_BYTE * _O1 * _O2];
- unsigned char l1_Q9[_O1_BYTE * N_TRIANGLE_TERMS(_O2)];
-
- unsigned char l2_Q1[_O2_BYTE * N_TRIANGLE_TERMS(_V1)];
- unsigned char l2_Q2[_O2_BYTE * _V1 * _O1];
- unsigned char l2_Q3[_O2_BYTE * _V1 * _O2];
- unsigned char l2_Q5[_O2_BYTE * N_TRIANGLE_TERMS(_O1)];
- unsigned char l2_Q6[_O2_BYTE * _O1 * _O2];
- unsigned char l2_Q9[_O2_BYTE * N_TRIANGLE_TERMS(_O2)];
-} ext_cpk_t;
-
-///
-/// @brief converting formats of public keys : from ext_cpk_t version to pk_t
-///
-/// @param[out] pk - the classic public key.
-/// @param[in] cpk - the internel public key.
-///
-void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_extcpk_to_pk(pk_t *pk, const ext_cpk_t *cpk);
-/////////////////////////////////////////////////
-
-///
-/// @brief Computing public key from secret key
-///
-/// @param[out] Qs - the public key
-/// @param[in] Fs - parts of the secret key: l1_F1, l1_F2, l2_F1, l2_F2, l2_F3, l2_F5, l2_F6
-/// @param[in] Ts - parts of the secret key: T1, T4, T3
-///
-void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_calculate_Q_from_F(ext_cpk_t *Qs, const sk_t *Fs, const sk_t *Ts);
-
-
-///
-/// @brief Computing parts of the sk from parts of pk and sk
-///
-/// @param[out] Fs - parts of the sk: l1_F1, l1_F2, l2_F1, l2_F2, l2_F3, l2_F5, l2_F6
-/// @param[in] Qs - parts of the pk: l1_Q1, l1_Q2, l2_Q1, l2_Q2, l2_Q3, l2_Q5, l2_Q6
-/// @param[in] Ts - parts of the sk: T1, T4, T3
-///
-void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_calculate_F_from_Q(sk_t *Fs, const sk_t *Qs, sk_t *Ts);
-
-///
-/// @brief Computing parts of the pk from the secret key
-///
-/// @param[out] Qs - parts of the pk: l1_Q3, l1_Q5, l2_Q6, l1_Q9, l2_Q9
-/// @param[in] Fs - parts of the sk: l1_F1, l1_F2, l2_F1, l2_F2, l2_F3, l2_F5, l2_F6
-/// @param[in] Ts - parts of the sk: T1, T4, T3
-///
-void PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_calculate_Q_from_F_cyclic(cpk_t *Qs, const sk_t *Fs, const sk_t *Ts);
-
-#endif // _RAINBOW_KEYPAIR_COMP_H_
diff --git a/crypto_sign/rainbowIII-circumzenithal/clean/sign.c b/crypto_sign/rainbowIII-circumzenithal/clean/sign.c
deleted file mode 100644
index bc108be2..00000000
--- a/crypto_sign/rainbowIII-circumzenithal/clean/sign.c
+++ /dev/null
@@ -1,76 +0,0 @@
-/// @file sign.c
-/// @brief the implementations for functions in api.h
-///
-///
-
-#include "api.h"
-#include "rainbow.h"
-#include "rainbow_config.h"
-#include "rainbow_keypair.h"
-#include "randombytes.h"
-#include "utils_hash.h"
-#include
-#include
-
-int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_crypto_sign_keypair(unsigned char *pk, unsigned char *sk) {
- unsigned char sk_seed[LEN_SKSEED] = {0};
- randombytes(sk_seed, LEN_SKSEED);
-
- unsigned char pk_seed[LEN_PKSEED] = {0};
- randombytes(pk_seed, LEN_PKSEED);
- PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_generate_keypair_cyclic((cpk_t *)pk, (sk_t *)sk, pk_seed, sk_seed);
- return 0;
-}
-
-int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_crypto_sign(unsigned char *sm, size_t *smlen, const unsigned char *m, size_t mlen, const unsigned char *sk) {
- unsigned char digest[_HASH_LEN];
-
- PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_hash_msg(digest, _HASH_LEN, m, mlen);
-
- memcpy(sm, m, mlen);
- smlen[0] = mlen + _SIGNATURE_BYTE;
-
- return PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_rainbow_sign(sm + mlen, (const sk_t *)sk, digest);
-}
-
-int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_crypto_sign_open(unsigned char *m, size_t *mlen, const unsigned char *sm, size_t smlen, const unsigned char *pk) {
- int rc;
- if (_SIGNATURE_BYTE > smlen) {
- rc = -1;
- } else {
- *mlen = smlen - _SIGNATURE_BYTE;
-
- unsigned char digest[_HASH_LEN];
- PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_hash_msg(digest, _HASH_LEN, sm, *mlen);
-
- rc = PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_rainbow_verify_cyclic(digest, sm + mlen[0], (const cpk_t *)pk);
- }
- if (!rc) {
- memmove(m, sm, smlen - _SIGNATURE_BYTE);
- } else { // bad signature
- *mlen = (size_t) -1;
- memset(m, 0, smlen);
- }
- return rc;
-}
-
-int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk) {
- unsigned char digest[_HASH_LEN];
-
- PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_hash_msg(digest,
_HASH_LEN, m, mlen);
- *siglen = _SIGNATURE_BYTE;
- return PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_rainbow_sign(sig, (const sk_t *)sk, digest);
-}
-
-int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk) {
- if (siglen != _SIGNATURE_BYTE) {
- return -1;
- }
- unsigned char digest[_HASH_LEN];
- PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_hash_msg(digest, _HASH_LEN, m, mlen);
- return PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_rainbow_verify_cyclic(digest, sig, (const cpk_t *)pk);
-}
diff --git a/crypto_sign/rainbowIII-circumzenithal/clean/utils_hash.c b/crypto_sign/rainbowIII-circumzenithal/clean/utils_hash.c
deleted file mode 100644
index 05d6b572..00000000
--- a/crypto_sign/rainbowIII-circumzenithal/clean/utils_hash.c
+++ /dev/null
@@ -1,50 +0,0 @@
-/// @file utils_hash.c
-/// @brief the adapter for SHA2 families.
-///
-///
-
-#include "utils_hash.h"
-#include "rainbow_config.h"
-#include "sha2.h"
-
-static inline int h(unsigned char *digest, const unsigned char *m, size_t mlen) {
- sha384(digest, m, mlen);
- return 0;
-}
-
-static inline int expand_hash(unsigned char *digest, size_t n_digest, const unsigned char *hash) {
- if (_HASH_LEN >= n_digest) {
- for (size_t i = 0; i < n_digest; i++) {
- digest[i] = hash[i];
- }
- return 0;
- }
- for (size_t i = 0; i < _HASH_LEN; i++) {
- digest[i] = hash[i];
- }
- n_digest -= _HASH_LEN;
-
- while (_HASH_LEN <= n_digest) {
- h(digest + _HASH_LEN, digest, _HASH_LEN);
-
- n_digest -= _HASH_LEN;
- digest += _HASH_LEN;
- }
- unsigned char temp[_HASH_LEN];
- if (n_digest) {
- h(temp, digest, _HASH_LEN);
- for (size_t i = 0; i < n_digest; i++) {
- digest[_HASH_LEN + i] = temp[i];
- }
- }
- return 0;
-}
-
-int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_hash_msg(unsigned char *digest,
- size_t len_digest,
- const unsigned char *m,
- size_t mlen) {
- unsigned char buf[_HASH_LEN];
- h(buf, m, mlen);
- return expand_hash(digest, len_digest, buf);
-}
diff --git a/crypto_sign/rainbowIII-circumzenithal/clean/utils_hash.h b/crypto_sign/rainbowIII-circumzenithal/clean/utils_hash.h
deleted file mode 100644
index 5a13e3f4..00000000
--- a/crypto_sign/rainbowIII-circumzenithal/clean/utils_hash.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef _UTILS_HASH_H_
-#define _UTILS_HASH_H_
-/// @file utils_hash.h
-/// @brief the interface for adapting hash functions.
-///
-
-#include
-
-int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_hash_msg(unsigned char *digest, size_t len_digest, const unsigned char *m, size_t mlen);
-
-#endif // _UTILS_HASH_H_
diff --git a/crypto_sign/rainbowIII-circumzenithal/clean/utils_prng.c b/crypto_sign/rainbowIII-circumzenithal/clean/utils_prng.c
deleted file mode 100644
index 9a381bcb..00000000
--- a/crypto_sign/rainbowIII-circumzenithal/clean/utils_prng.c
+++ /dev/null
@@ -1,97 +0,0 @@
-/// @file utils_prng.c
-/// @brief The implementation of PRNG related functions.
-///
-
-#include "utils_prng.h"
-#include "aes.h"
-#include "randombytes.h"
-#include "utils_hash.h"
-#include
-#include
-
-static void prng_update(const unsigned char *provided_data,
- unsigned char *Key,
- unsigned char *V) {
- unsigned char temp[48];
- aes256ctx ctx;
- aes256_ecb_keyexp(&ctx, Key);
- for (int i = 0; i < 3; i++) {
- //increment V
- for (int j = 15; j >= 0; j--) {
- if (V[j] == 0xff) {
- V[j] = 0x00;
- } else {
- V[j]++;
- break;
- }
- }
- aes256_ecb(temp + 16 * i, V, 1, &ctx);
- }
- if (provided_data != NULL) {
- for (int i = 0; i < 48; i++) {
- temp[i] ^= provided_data[i];
- }
- }
- aes256_ctx_release(&ctx);
- memcpy(Key, temp, 32);
- memcpy(V, temp + 32, 16);
-}
-static void randombytes_init_with_state(prng_t *state,
- unsigned char *entropy_input_48bytes) {
- memset(state->Key, 0x00, 32);
- memset(state->V, 0x00, 16);
- prng_update(entropy_input_48bytes, state->Key, state->V);
-}
-
-static int randombytes_with_state(prng_t *state,
- unsigned char *x,
- size_t xlen) {
-
- unsigned char block[16];
- int i = 0;
-
- aes256ctx ctx;
- aes256_ecb_keyexp(&ctx, state->Key);
-
- while (xlen > 0) {
- //increment V
- for (int j = 15; j >= 0; j--) {
- if (state->V[j] == 0xff) {
- state->V[j] = 0x00;
- } else {
- state->V[j]++;
- break;
- }
- }
- aes256_ecb(block, state->V, 1, &ctx);
- if (xlen > 15) {
- memcpy(x + i, block, 16);
- i += 16;
- xlen -= 16;
- } else {
- memcpy(x + i, block, xlen);
- xlen = 0;
- }
- }
- aes256_ctx_release(&ctx);
- prng_update(NULL, state->Key, state->V);
- return 0;
-}
-
-int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_prng_set(prng_t *ctx, const void *prng_seed, unsigned long prng_seedlen) {
- unsigned char seed[48];
- if (prng_seedlen >= 48) {
- memcpy(seed, prng_seed, 48);
- } else {
- memcpy(seed, prng_seed, prng_seedlen);
- PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_hash_msg(seed + prng_seedlen, 48 - (unsigned)prng_seedlen, (const
unsigned char *)prng_seed, prng_seedlen);
- }
-
- randombytes_init_with_state(ctx, seed);
-
- return 0;
-}
-
-int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_prng_gen(prng_t *ctx, unsigned char *out, unsigned long outlen) {
- return randombytes_with_state(ctx, out, outlen);
-}
diff --git a/crypto_sign/rainbowIII-circumzenithal/clean/utils_prng.h b/crypto_sign/rainbowIII-circumzenithal/clean/utils_prng.h
deleted file mode 100644
index 52cbb4d8..00000000
--- a/crypto_sign/rainbowIII-circumzenithal/clean/utils_prng.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef _UTILS_PRNG_H_
-#define _UTILS_PRNG_H_
-/// @file utils_prng.h
-/// @brief the interface for adapting PRNG functions.
-///
-///
-
-#include "randombytes.h"
-
-typedef struct {
- unsigned char Key[32];
- unsigned char V[16];
-} prng_t;
-
-int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_prng_set(prng_t *ctx, const void *prng_seed, unsigned long prng_seedlen);
-int PQCLEAN_RAINBOWIIICIRCUMZENITHAL_CLEAN_prng_gen(prng_t *ctx, unsigned char *out, unsigned long outlen);
-
-#endif // _UTILS_PRNG_H_
diff --git a/crypto_sign/rainbowIII-compressed/META.yml b/crypto_sign/rainbowIII-compressed/META.yml
deleted file mode 100644
index 98b7bb72..00000000
--- a/crypto_sign/rainbowIII-compressed/META.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-name: "RAINBOW(256,68,32,48) - compressed"
-type: signature
-claimed-nist-level: 3
-length-public-key: 264608
-length-secret-key: 64
-length-signature: 164
-nistkat-sha256: 8f895e88918df9e26123b5e0be722e952f3603bfc1f6b2859a8155edf3907969
-testvectors-sha256: 3cefa91b4d9fcc17341ca760a3c22329b08f3f1448e049ba3520d5703f90c863
-principal-submitters:
- - Jintai Ding
-auxiliary-submitters:
- - Ming-Shing Chen
- - Matthias Kannwischer
- - Jacques Patarin
- - Albrecht Petzoldt
- - Dieter Schmidt
- - Bo-Yin Yang
-implementations:
- - name: clean
- version: https://github.com/fast-crypto-lab/rainbow-submission-round2/commit/173ada0e077e1b9dbd8e4a78994f87acc0c92263
diff --git a/crypto_sign/rainbowIII-compressed/clean/LICENSE b/crypto_sign/rainbowIII-compressed/clean/LICENSE
deleted file mode 100644
index cb00a6e3..00000000
--- a/crypto_sign/rainbowIII-compressed/clean/LICENSE
+++ /dev/null
@@ -1,8 +0,0 @@
-`Software implementation of Rainbow for NIST R2 submission' by Ming-Shing Chen
-
-To the extent possible under law, the person who associated CC0 with
-`Software implementation of Rainbow for NIST R2 submission' has waived all copyright and related or neighboring rights
-to `Software implementation of Rainbow for NIST R2 submission'.
-
-You should have received a copy of the CC0 legalcode along with this
-work. If not, see .
diff --git a/crypto_sign/rainbowIII-compressed/clean/Makefile.Microsoft_nmake b/crypto_sign/rainbowIII-compressed/clean/Makefile.Microsoft_nmake
deleted file mode 100644
index 01381c49..00000000
--- a/crypto_sign/rainbowIII-compressed/clean/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=librainbowIII-compressed_clean.lib
-OBJECTS = blas_comm.obj parallel_matrix_op.obj rainbow.obj rainbow_keypair.obj rainbow_keypair_computation.obj sign.obj utils_hash.obj utils_prng.obj blas.obj gf.obj
-
-CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_sign/rainbowIII-compressed/clean/api.h b/crypto_sign/rainbowIII-compressed/clean/api.h
deleted file mode 100644
index 4c2dd863..00000000
--- a/crypto_sign/rainbowIII-compressed/clean/api.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_API_H
-#define PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_API_H
-
-#include
-#include
-
-#define PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_CRYPTO_SECRETKEYBYTES 64
-#define PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_CRYPTO_PUBLICKEYBYTES 264608
-#define PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_CRYPTO_BYTES 164
-#define PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_CRYPTO_ALGNAME "RAINBOW(256,68,32,48) - compressed"
-
-int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-
-int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-
-#endif
diff --git a/crypto_sign/rainbowIII-compressed/clean/blas.c b/crypto_sign/rainbowIII-compressed/clean/blas.c
deleted file mode 100644
index 9ee4f0e5..00000000
--- a/crypto_sign/rainbowIII-compressed/clean/blas.c
+++ /dev/null
@@ -1,31 +0,0 @@
-#include "blas.h"
-#include "gf.h"
-
-#include
-
-void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_predicated_add(uint8_t *accu_b, uint8_t predicate, const uint8_t *a, size_t _num_byte) {
- uint8_t pr_u8 = (uint8_t) ((uint8_t) 0 - predicate);
- for (size_t i = 0; i < _num_byte; i++) {
- accu_b[i] ^= (a[i] & pr_u8);
- }
-}
-
-void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_add(uint8_t *accu_b, const uint8_t *a, size_t _num_byte) {
- for (size_t i = 0; i < _num_byte; i++) {
- accu_b[i] ^= a[i];
- }
-}
-
-
-void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_mul_scalar(uint8_t *a, uint8_t b, size_t _num_byte) {
- for (size_t i = 0; i < _num_byte; i++) {
- a[i] = PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256_mul(a[i], b);
- }
-}
-
-void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_madd(uint8_t *accu_c, const uint8_t *a, uint8_t gf256_b, size_t _num_byte) {
- for (size_t i = 0; i < _num_byte; i++) {
- accu_c[i] ^= PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256_mul(a[i], gf256_b);
- }
-}
-
diff --git a/crypto_sign/rainbowIII-compressed/clean/blas.h b/crypto_sign/rainbowIII-compressed/clean/blas.h
deleted file mode 100644
index f0eaf12f..00000000
--- a/crypto_sign/rainbowIII-compressed/clean/blas.h
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef _BLAS_H_
-#define _BLAS_H_
-/// @file blas.h
-/// @brief Functions for implementing basic linear algebra functions.
-///
-
-#include "rainbow_config.h"
-#include
-#include
-
-void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_predicated_add(uint8_t *accu_b, uint8_t predicate, const uint8_t *a, size_t _num_byte);
-void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_add(uint8_t *accu_b, const uint8_t *a, size_t _num_byte);
-
-
-void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_mul_scalar(uint8_t *a, uint8_t b, size_t _num_byte);
-void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_madd(uint8_t *accu_c, const uint8_t *a, uint8_t gf256_b, size_t _num_byte);
-
-
-#endif // _BLAS_H_
diff --git a/crypto_sign/rainbowIII-compressed/clean/blas_comm.c b/crypto_sign/rainbowIII-compressed/clean/blas_comm.c
deleted file mode 100644
index 7d5e7865..00000000
--- a/crypto_sign/rainbowIII-compressed/clean/blas_comm.c
+++ /dev/null
@@ -1,144 +0,0 @@ -/// @file blas_comm.c -/// @brief The standard implementations for blas_comm.h -/// - -#include "blas_comm.h" -#include "blas.h" -#include "gf.h" -#include "rainbow_config.h" - -#include -#include - -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_set_zero(uint8_t *b, unsigned int _num_byte) { - for (size_t i = 0; i < _num_byte; i++) { - b[i] = 0; - } -} -/// @brief get an element from GF(256) vector . -/// -/// @param[in] a - the input vector a. -/// @param[in] i - the index in the vector a. -/// @return the value of the element. -/// -uint8_t PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_get_ele(const uint8_t *a, unsigned int i) { - return a[i]; -} - -unsigned int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_is_zero(const uint8_t *a, unsigned int _num_byte) { - uint8_t r = 0; - while (_num_byte--) { - r |= a[0]; - a++; - } - return (0 == r); -} - -/// polynomial multplication -/// School boook -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_polymul(uint8_t *c, const uint8_t *a, const uint8_t *b, unsigned int _num) { - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_set_zero(c, _num * 2 - 1); - for (unsigned int i = 0; i < _num; i++) { - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_madd(c + i, a, b[i], _num); - } -} - -static void gf256mat_prod_ref(uint8_t *c, const uint8_t *matA, unsigned int n_A_vec_byte, unsigned int n_A_width, const uint8_t *b) { - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_set_zero(c, n_A_vec_byte); - for (unsigned int i = 0; i < n_A_width; i++) { - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_madd(c, matA, b[i], n_A_vec_byte); - matA += n_A_vec_byte; - } -} - -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256mat_mul(uint8_t *c, const uint8_t *a, const uint8_t *b, unsigned int len_vec) { - unsigned int n_vec_byte = len_vec; - for (unsigned int k = 0; k < len_vec; k++) { - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_set_zero(c, n_vec_byte); - const uint8_t *bk = b + n_vec_byte * k; - for (unsigned int i = 0; i < len_vec; i++) { - 
PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_madd(c, a + n_vec_byte * i, bk[i], n_vec_byte); - } - c += n_vec_byte; - } -} - -static unsigned int gf256mat_gauss_elim_ref(uint8_t *mat, unsigned int h, unsigned int w) { - unsigned int r8 = 1; - - for (unsigned int i = 0; i < h; i++) { - uint8_t *ai = mat + w * i; - unsigned int skip_len_align4 = i & ((unsigned int)~0x3); - - for (unsigned int j = i + 1; j < h; j++) { - uint8_t *aj = mat + w * j; - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_predicated_add(ai + skip_len_align4, 1 ^ PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256_is_nonzero(ai[i]), aj + skip_len_align4, w - skip_len_align4); - } - r8 &= PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256_is_nonzero(ai[i]); - uint8_t pivot = ai[i]; - pivot = PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256_inv(pivot); - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_mul_scalar(ai + skip_len_align4, pivot, w - skip_len_align4); - for (unsigned int j = 0; j < h; j++) { - if (i == j) { - continue; - } - uint8_t *aj = mat + w * j; - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_madd(aj + skip_len_align4, ai + skip_len_align4, aj[i], w - skip_len_align4); - } - } - - return r8; -} - -static unsigned int gf256mat_solve_linear_eq_ref(uint8_t *sol, const uint8_t *inp_mat, const uint8_t *c_terms, unsigned int n) { - uint8_t mat[64 * 64]; - for (unsigned int i = 0; i < n; i++) { - memcpy(mat + i * (n + 1), inp_mat + i * n, n); - mat[i * (n + 1) + n] = c_terms[i]; - } - unsigned int r8 = PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256mat_gauss_elim(mat, n, n + 1); - for (unsigned int i = 0; i < n; i++) { - sol[i] = mat[i * (n + 1) + n]; - } - return r8; -} - -static inline void gf256mat_submat(uint8_t *mat2, unsigned int w2, unsigned int st, const uint8_t *mat, unsigned int w, unsigned int h) { - for (unsigned int i = 0; i < h; i++) { - for (unsigned int j = 0; j < w2; j++) { - mat2[i * w2 + j] = mat[i * w + st + j]; - } - } -} - -unsigned int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256mat_inv(uint8_t *inv_a, const uint8_t *a, 
unsigned int H, uint8_t *buffer) { - uint8_t *aa = buffer; - for (unsigned int i = 0; i < H; i++) { - uint8_t *ai = aa + i * 2 * H; - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_set_zero(ai, 2 * H); - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_add(ai, a + i * H, H); - ai[H + i] = 1; - } - unsigned int r8 = PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256mat_gauss_elim(aa, H, 2 * H); - gf256mat_submat(inv_a, H, H, aa, 2 * H, H); - return r8; -} - - -// choosing the implementations depends on the macros _BLAS_AVX2_ and _BLAS_SSE - -#define gf256mat_prod_impl gf256mat_prod_ref -#define gf256mat_gauss_elim_impl gf256mat_gauss_elim_ref -#define gf256mat_solve_linear_eq_impl gf256mat_solve_linear_eq_ref -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256mat_prod(uint8_t *c, const uint8_t *matA, unsigned int n_A_vec_byte, unsigned int n_A_width, const uint8_t *b) { - gf256mat_prod_impl(c, matA, n_A_vec_byte, n_A_width, b); -} - -unsigned int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256mat_gauss_elim(uint8_t *mat, unsigned int h, unsigned int w) { - return gf256mat_gauss_elim_impl(mat, h, w); -} - -unsigned int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256mat_solve_linear_eq(uint8_t *sol, const uint8_t *inp_mat, const uint8_t *c_terms, unsigned int n) { - return gf256mat_solve_linear_eq_impl(sol, inp_mat, c_terms, n); -} - diff --git a/crypto_sign/rainbowIII-compressed/clean/blas_comm.h b/crypto_sign/rainbowIII-compressed/clean/blas_comm.h deleted file mode 100644 index de5368c3..00000000 --- a/crypto_sign/rainbowIII-compressed/clean/blas_comm.h +++ /dev/null 
@@ -1,90 +0,0 @@
-#ifndef _BLAS_COMM_H_
-#define _BLAS_COMM_H_
-/// @file blas_comm.h
-/// @brief Common functions for linear algebra.
-///
-
-#include "rainbow_config.h"
-#include
-
-/// @brief set a vector to 0.
-///
-/// @param[in,out] b - the vector b.
-/// @param[in] _num_byte - number of bytes for the vector b.
-///
-void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_set_zero(uint8_t *b, unsigned int _num_byte);
-
-/// @brief get an element from GF(256) vector .
-///
-/// @param[in] a - the input vector a.
-/// @param[in] i - the index in the vector a.
-/// @return the value of the element.
-///
-uint8_t PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_get_ele(const uint8_t *a, unsigned int i);
-
-/// @brief check if a vector is 0.
-///
-/// @param[in] a - the vector a.
-/// @param[in] _num_byte - number of bytes for the vector a.
-/// @return 1(true) if a is 0. 0(false) else.
-///
-unsigned int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_is_zero(const uint8_t *a, unsigned int _num_byte);
-
-/// @brief polynomial multiplication: c = a*b
-///
-/// @param[out] c - the output polynomial c
-/// @param[in] a - the vector a.
-/// @param[in] b - the vector b.
-/// @param[in] _num - number of elements for the polynomials a and b.
-///
-void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_polymul(uint8_t *c, const uint8_t *a, const uint8_t *b, unsigned int _num);
-
-/// @brief matrix-vector multiplication: c = matA * b , in GF(256)
-///
-/// @param[out] c - the output vector c
-/// @param[in] matA - a column-major matrix A.
-/// @param[in] n_A_vec_byte - the size of column vectors in bytes.
-/// @param[in] n_A_width - the width of matrix A.
-/// @param[in] b - the vector b.
-///
-void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256mat_prod(uint8_t *c, const uint8_t *matA, unsigned int n_A_vec_byte, unsigned int n_A_width, const uint8_t *b);
-
-/// @brief matrix-matrix multiplication: c = a * b , in GF(256)
-///
-/// @param[out] c - the output matrix c
-/// @param[in] c - a matrix a.
-/// @param[in] b - a matrix b.
-/// @param[in] len_vec - the length of column vectors.
-///
-void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256mat_mul(uint8_t *c, const uint8_t *a, const uint8_t *b, unsigned int len_vec);
-
-/// @brief Gauss elimination for a matrix, in GF(256)
-///
-/// @param[in,out] mat - the matrix.
-/// @param[in] h - the height of the matrix.
-/// @param[in] w - the width of the matrix.
-/// @return 1(true) if success. 0(false) if the matrix is singular.
-///
-unsigned int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256mat_gauss_elim(uint8_t *mat, unsigned int h, unsigned int w);
-
-/// @brief Solving linear equations, in GF(256)
-///
-/// @param[out] sol - the solutions.
-/// @param[in] inp_mat - the matrix parts of input equations.
-/// @param[in] c_terms - the constant terms of the input equations.
-/// @param[in] n - the number of equations.
-/// @return 1(true) if success. 0(false) if the matrix is singular.
-///
-unsigned int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256mat_solve_linear_eq(uint8_t *sol, const uint8_t *inp_mat, const uint8_t *c_terms, unsigned int n);
-
-/// @brief Computing the inverse matrix, in GF(256)
-///
-/// @param[out] inv_a - the output of matrix a.
-/// @param[in] a - a matrix a.
-/// @param[in] H - height of matrix a, i.e., matrix a is an HxH matrix.
-/// @param[in] buffer - The buffer for computations. it has to be as large as 2 input matrixes.
-/// @return 1(true) if success. 0(false) if the matrix is singular.
-///
-unsigned int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256mat_inv(uint8_t *inv_a, const uint8_t *a, unsigned int H, uint8_t *buffer);
-
-#endif // _BLAS_COMM_H_
diff --git a/crypto_sign/rainbowIII-compressed/clean/gf.c b/crypto_sign/rainbowIII-compressed/clean/gf.c
deleted file mode 100644
index 5b0967f2..00000000
--- a/crypto_sign/rainbowIII-compressed/clean/gf.c
+++ /dev/null
@@ -1,91 +0,0 @@ -#include "gf.h" - -//// gf4 := gf2[x]/x^2+x+1 -static inline uint8_t gf4_mul_2(uint8_t a) { - uint8_t r = (uint8_t)(a << 1); - r ^= (uint8_t)((a >> 1) * 7); - return r; -} - -static inline uint8_t gf4_mul(uint8_t a, uint8_t b) { - uint8_t r = (uint8_t)(a * (b & 1)); - return r ^ (uint8_t)(gf4_mul_2(a) * (b >> 1)); -} - -static inline uint8_t gf4_squ(uint8_t a) { - return a ^ (a >> 1); -} - -//// gf16 := gf4[y]/y^2+y+x -uint8_t PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf16_mul(uint8_t a, uint8_t b) { - uint8_t a0 = a & 3; - uint8_t a1 = (a >> 2); - uint8_t b0 = b & 3; - uint8_t b1 = (b >> 2); - uint8_t a0b0 = gf4_mul(a0, b0); - uint8_t a1b1 = gf4_mul(a1, b1); - uint8_t a0b1_a1b0 = gf4_mul(a0 ^ a1, b0 ^ b1) ^ a0b0 ^ a1b1; - uint8_t a1b1_x2 = gf4_mul_2(a1b1); - return (uint8_t)((a0b1_a1b0 ^ a1b1) << 2 ^ a0b0 ^ a1b1_x2); -} - -static inline uint8_t gf16_squ(uint8_t a) { - uint8_t a0 = a & 3; - uint8_t a1 = (a >> 2); - a1 = gf4_squ(a1); - uint8_t a1squ_x2 = gf4_mul_2(a1); - return (uint8_t)((a1 << 2) ^ a1squ_x2 ^ gf4_squ(a0)); -} - -uint8_t PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256_is_nonzero(uint8_t a) { - unsigned int a8 = a; - unsigned int r = ((unsigned int)0) - a8; - r >>= 8; - return r & 1; -} - -static inline uint8_t gf4_mul_3(uint8_t a) { - uint8_t msk = (uint8_t)((a - 2) >> 1); - return (uint8_t)((msk & ((int)a * 3)) | ((~msk) & ((int)a - 1))); -} -static inline uint8_t gf16_mul_8(uint8_t a) { - uint8_t a0 = a & 3; - uint8_t a1 = a >> 2; - return (uint8_t)((gf4_mul_2(a0 ^ a1) << 2) | gf4_mul_3(a1)); -} - -// gf256 := gf16[X]/X^2+X+xy -uint8_t PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256_mul(uint8_t a, uint8_t b) { - uint8_t a0 = a & 15; - uint8_t a1 = (a >> 4); - uint8_t b0 = b & 15; - uint8_t b1 = (b >> 4); - uint8_t a0b0 = PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf16_mul(a0, b0); - uint8_t a1b1 = PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf16_mul(a1, b1); - uint8_t a0b1_a1b0 = PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf16_mul(a0 ^ a1, b0 ^ b1) ^ a0b0 ^ a1b1; - uint8_t 
a1b1_x8 = gf16_mul_8(a1b1); - return (uint8_t)((a0b1_a1b0 ^ a1b1) << 4 ^ a0b0 ^ a1b1_x8); -} - -static inline uint8_t gf256_squ(uint8_t a) { - uint8_t a0 = a & 15; - uint8_t a1 = (a >> 4); - a1 = gf16_squ(a1); - uint8_t a1squ_x8 = gf16_mul_8(a1); - return (uint8_t)((a1 << 4) ^ a1squ_x8 ^ gf16_squ(a0)); -} - -uint8_t PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256_inv(uint8_t a) { - // 128+64+32+16+8+4+2 = 254 - uint8_t a2 = gf256_squ(a); - uint8_t a4 = gf256_squ(a2); - uint8_t a8 = gf256_squ(a4); - uint8_t a4_2 = PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256_mul(a4, a2); - uint8_t a8_4_2 = PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256_mul(a4_2, a8); - uint8_t a64_ = gf256_squ(a8_4_2); - a64_ = gf256_squ(a64_); - a64_ = gf256_squ(a64_); - uint8_t a64_2 = PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256_mul(a64_, a8_4_2); - uint8_t a128_ = gf256_squ(a64_2); - return PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256_mul(a2, a128_); -} diff --git a/crypto_sign/rainbowIII-compressed/clean/gf.h b/crypto_sign/rainbowIII-compressed/clean/gf.h deleted file mode 100644 index 1f35c8bb..00000000 --- a/crypto_sign/rainbowIII-compressed/clean/gf.h +++ /dev/null @@ -1,19 +0,0 @@ -#ifndef _GF16_H_ -#define _GF16_H_ - -#include "rainbow_config.h" -#include - -/// @file gf16.h -/// @brief Library for arithmetics in GF(16) and GF(256) -/// - -uint8_t PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf16_mul(uint8_t a, uint8_t b); - - -uint8_t PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256_is_nonzero(uint8_t a); -uint8_t PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256_inv(uint8_t a); -uint8_t PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256_mul(uint8_t a, uint8_t b); - - -#endif // _GF16_H_ diff --git a/crypto_sign/rainbowIII-compressed/clean/parallel_matrix_op.c b/crypto_sign/rainbowIII-compressed/clean/parallel_matrix_op.c deleted file mode 100644 index 64d5c33c..00000000 --- a/crypto_sign/rainbowIII-compressed/clean/parallel_matrix_op.c +++ /dev/null 
@@ -1,183 +0,0 @@ -/// @file parallel_matrix_op.c -/// @brief the standard implementations for functions in parallel_matrix_op.h -/// -/// the standard implementations for functions in parallel_matrix_op.h -/// - -#include "parallel_matrix_op.h" -#include "blas.h" -#include "blas_comm.h" - -/// -/// @brief Calculate the corresponding index in an array for an upper-triangle(UT) matrix. -/// -/// @param[in] i_row - the i-th row in an upper-triangle matrix. -/// @param[in] j_col - the j-th column in an upper-triangle matrix. -/// @param[in] dim - the dimension of the upper-triangle matrix, i.e., an dim x dim matrix. -/// @return the corresponding index in an array storage. -/// -unsigned int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_idx_of_trimat(unsigned int i_row, unsigned int j_col, unsigned int dim) { - return (dim + dim - i_row + 1) * i_row / 2 + j_col - i_row; -} - -/// -/// @brief Calculate the corresponding index in an array for an upper-triangle or lower-triangle matrix. -/// -/// @param[in] i_row - the i-th row in a triangle matrix. -/// @param[in] j_col - the j-th column in a triangle matrix. -/// @param[in] dim - the dimension of the triangle matrix, i.e., an dim x dim matrix. -/// @return the corresponding index in an array storage. 
-/// -static inline unsigned int idx_of_2trimat(unsigned int i_row, unsigned int j_col, unsigned int n_var) { - if (i_row > j_col) { - return PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_idx_of_trimat(j_col, i_row, n_var); - } - return PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_idx_of_trimat(i_row, j_col, n_var); -} - -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_UpperTrianglize(unsigned char *btriC, const unsigned char *bA, unsigned int Awidth, unsigned int size_batch) { - unsigned char *runningC = btriC; - unsigned int Aheight = Awidth; - for (unsigned int i = 0; i < Aheight; i++) { - for (unsigned int j = 0; j < i; j++) { - unsigned int idx = PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_idx_of_trimat(j, i, Aheight); - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_add(btriC + idx * size_batch, bA + size_batch * (i * Awidth + j), size_batch); - } - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_add(runningC, bA + size_batch * (i * Awidth + i), size_batch * (Aheight - i)); - runningC += size_batch * (Aheight - i); - } -} - -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_trimat_madd_gf256(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch) { - unsigned int Awidth = Bheight; - unsigned int Aheight = Awidth; - for (unsigned int i = 0; i < Aheight; i++) { - for (unsigned int j = 0; j < Bwidth; j++) { - for (unsigned int k = 0; k < Bheight; k++) { - if (k < i) { - continue; - } - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_madd(bC, &btriA[(k - i) * size_batch], PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_get_ele(&B[j * size_Bcolvec], k), size_batch); - } - bC += size_batch; - } - btriA += (Aheight - i) * size_batch; - } -} - -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_trimatTr_madd_gf256(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch) { - unsigned int Aheight = Bheight; - for 
(unsigned int i = 0; i < Aheight; i++) { - for (unsigned int j = 0; j < Bwidth; j++) { - for (unsigned int k = 0; k < Bheight; k++) { - if (i < k) { - continue; - } - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_madd(bC, &btriA[size_batch * (PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_idx_of_trimat(k, i, Aheight))], PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_get_ele(&B[j * size_Bcolvec], k), size_batch); - } - bC += size_batch; - } - } -} - -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_2trimat_madd_gf256(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch) { - unsigned int Aheight = Bheight; - for (unsigned int i = 0; i < Aheight; i++) { - for (unsigned int j = 0; j < Bwidth; j++) { - for (unsigned int k = 0; k < Bheight; k++) { - if (i == k) { - continue; - } - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_madd(bC, &btriA[size_batch * (idx_of_2trimat(i, k, Aheight))], PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_get_ele(&B[j * size_Bcolvec], k), size_batch); - } - bC += size_batch; - } - } -} - -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_matTr_madd_gf256(unsigned char *bC, const unsigned char *A_to_tr, unsigned int Aheight, unsigned int size_Acolvec, unsigned int Awidth, - const unsigned char *bB, unsigned int Bwidth, unsigned int size_batch) { - unsigned int Atr_height = Awidth; - unsigned int Atr_width = Aheight; - for (unsigned int i = 0; i < Atr_height; i++) { - for (unsigned int j = 0; j < Atr_width; j++) { - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_madd(bC, &bB[j * Bwidth * size_batch], PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_get_ele(&A_to_tr[size_Acolvec * i], j), size_batch * Bwidth); - } - bC += size_batch * Bwidth; - } -} - -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_bmatTr_madd_gf256(unsigned char *bC, const unsigned char *bA_to_tr, unsigned int Awidth_before_tr, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int 
Bwidth, unsigned int size_batch) { - const unsigned char *bA = bA_to_tr; - unsigned int Aheight = Awidth_before_tr; - for (unsigned int i = 0; i < Aheight; i++) { - for (unsigned int j = 0; j < Bwidth; j++) { - for (unsigned int k = 0; k < Bheight; k++) { - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_madd(bC, &bA[size_batch * (i + k * Aheight)], PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_get_ele(&B[j * size_Bcolvec], k), size_batch); - } - bC += size_batch; - } - } -} - -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_mat_madd_gf256(unsigned char *bC, const unsigned char *bA, unsigned int Aheight, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch) { - unsigned int Awidth = Bheight; - for (unsigned int i = 0; i < Aheight; i++) { - for (unsigned int j = 0; j < Bwidth; j++) { - for (unsigned int k = 0; k < Bheight; k++) { - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_madd(bC, &bA[k * size_batch], PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_get_ele(&B[j * size_Bcolvec], k), size_batch); - } - bC += size_batch; - } - bA += (Awidth) * size_batch; - } -} - -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_quad_trimat_eval_gf256(unsigned char *y, const unsigned char *trimat, const unsigned char *x, unsigned int dim, unsigned int size_batch) { - unsigned char tmp[256]; - - unsigned char _x[256]; - for (unsigned int i = 0; i < dim; i++) { - _x[i] = PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_get_ele(x, i); - } - - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_set_zero(y, size_batch); - for (unsigned int i = 0; i < dim; i++) { - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_set_zero(tmp, size_batch); - for (unsigned int j = i; j < dim; j++) { - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_madd(tmp, trimat, _x[j], size_batch); - trimat += size_batch; - } - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_madd(y, tmp, _x[i], size_batch); - } -} - -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_quad_recmat_eval_gf256(unsigned char *z, const 
unsigned char *y, unsigned int dim_y, const unsigned char *mat, - const unsigned char *x, unsigned dim_x, unsigned size_batch) { - unsigned char tmp[128]; - - unsigned char _x[128]; - for (unsigned int i = 0; i < dim_x; i++) { - _x[i] = PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_get_ele(x, i); - } - unsigned char _y[128]; - for (unsigned int i = 0; i < dim_y; i++) { - _y[i] = PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_get_ele(y, i); - } - - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_set_zero(z, size_batch); - for (unsigned int i = 0; i < dim_y; i++) { - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_set_zero(tmp, size_batch); - for (unsigned int j = 0; j < dim_x; j++) { - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_madd(tmp, mat, _x[j], size_batch); - mat += size_batch; - } - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_madd(z, tmp, _y[i], size_batch); - } -} - diff --git a/crypto_sign/rainbowIII-compressed/clean/parallel_matrix_op.h b/crypto_sign/rainbowIII-compressed/clean/parallel_matrix_op.h deleted file mode 100644 index f4a5e3ef..00000000 --- a/crypto_sign/rainbowIII-compressed/clean/parallel_matrix_op.h +++ /dev/null 
@@ -1,260 +0,0 @@ -#ifndef _P_MATRIX_OP_H_ -#define _P_MATRIX_OP_H_ -/// @file parallel_matrix_op.h -/// @brief Librarys for operations of batched matrixes. -/// -/// - -//////////////// Section: triangle matrix <-> rectangle matrix /////////////////////////////////// - -/// -/// @brief Calculate the corresponding index in an array for an upper-triangle(UT) matrix. -/// -/// @param[in] i_row - the i-th row in an upper-triangle matrix. -/// @param[in] j_col - the j-th column in an upper-triangle matrix. -/// @param[in] dim - the dimension of the upper-triangle matrix, i.e., an dim x dim matrix. -/// @return the corresponding index in an array storage. -/// -unsigned int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_idx_of_trimat(unsigned int i_row, unsigned int j_col, unsigned int dim); - -/// -/// @brief Upper trianglize a rectangle matrix to the corresponding upper-trangle matrix. -/// -/// @param[out] btriC - the batched upper-trianglized matrix C. -/// @param[in] bA - a batched retangle matrix A. -/// @param[in] bwidth - the width of the batched matrix A, i.e., A is a Awidth x Awidth matrix. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_UpperTrianglize(unsigned char *btriC, const unsigned char *bA, unsigned int Awidth, unsigned int size_batch); - -//////////////////// Section: matrix multiplications /////////////////////////////// - -/// -/// @brief bC += btriA * B , in GF(16) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] btriA - a batched UT matrix A. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. 
-/// -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_trimat_madd_gf16(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += btriA * B , in GF(256) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] btriA - a batched UT matrix A. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_trimat_madd_gf256(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += btriA^Tr * B , in GF(16) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] btriA - a batched UT matrix A. A will be transposed while multiplying. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_trimatTr_madd_gf16(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += btriA^Tr * B , in GF(256) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] btriA - a batched UT matrix A, which will be transposed while multiplying. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. 
-/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_trimatTr_madd_gf256(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += (btriA + btriA^Tr) *B , in GF(16) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] btriA - a batched UT matrix A. The operand for multiplication is (btriA + btriA^Tr). -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_2trimat_madd_gf16(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += (btriA + btriA^Tr) *B , in GF(256) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] btriA - a batched UT matrix A. The operand for multiplication is (btriA + btriA^Tr). -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_2trimat_madd_gf256(unsigned char *bC, const unsigned char *btriA, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += A^Tr * bB , in GF(16) -/// -/// @param[out] bC - the batched matrix C. 
-/// @param[in] A_to_tr - a column-major matrix A. The operand for multiplication is A^Tr. -/// @param[in] Aheight - the height of A. -/// @param[in] size_Acolvec - the size of a column vector in A. -/// @param[in] Awidth - the width of A. -/// @param[in] bB - a batched matrix B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_matTr_madd_gf16(unsigned char *bC, - const unsigned char *A_to_tr, unsigned int Aheight, unsigned int size_Acolvec, unsigned int Awidth, - const unsigned char *bB, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += A^Tr * bB , in GF(256) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] A_to_tr - a column-major matrix A. The operand for multiplication is A^Tr. -/// @param[in] Aheight - the height of A. -/// @param[in] size_Acolvec - the size of a column vector in A. -/// @param[in] Awidth - the width of A. -/// @param[in] bB - a batched matrix B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_matTr_madd_gf256(unsigned char *bC, - const unsigned char *A_to_tr, unsigned int Aheight, unsigned int size_Acolvec, unsigned int Awidth, - const unsigned char *bB, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += bA^Tr * B , in GF(16) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] bA_to_tr - a batched matrix A. The operand for multiplication is (bA^Tr). -/// @param[in] Awidth_befor_tr - the width of A. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. 
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_bmatTr_madd_gf16(unsigned char *bC, const unsigned char *bA_to_tr, unsigned int Awidth_before_tr, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += bA^Tr * B , in GF(256) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] bA_to_tr - a batched matrix A. The operand for multiplication is (bA^Tr). -/// @param[in] Awidth_befor_tr - the width of A. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_bmatTr_madd_gf256(unsigned char *bC, const unsigned char *bA_to_tr, unsigned int Awidth_before_tr, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += bA * B , in GF(16) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] bA - a batched matrix A. -/// @param[in] Aheigh - the height of A. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. 
-/// -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_mat_madd_gf16(unsigned char *bC, const unsigned char *bA, unsigned int Aheight, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -/// -/// @brief bC += bA * B , in GF(256) -/// -/// @param[out] bC - the batched matrix C. -/// @param[in] bA - a batched matrix A. -/// @param[in] Aheigh - the height of A. -/// @param[in] B - a column-major matrix B. -/// @param[in] Bheight - the height of B. -/// @param[in] size_Bcolvec - the size of the column vector in B. -/// @param[in] Bwidth - the width of B. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_mat_madd_gf256(unsigned char *bC, const unsigned char *bA, unsigned int Aheight, - const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch); - -//////////////////// Section: "quadratric" matrix evaluation /////////////////////////////// - -/// -/// @brief y = x^Tr * trimat * x , in GF(16) -/// -/// @param[out] y - the returned batched element y. -/// @param[in] trimat - a batched matrix. -/// @param[in] x - an input vector x. -/// @param[in] dim - the dimension of matrix trimat (and x). -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_quad_trimat_eval_gf16(unsigned char *y, const unsigned char *trimat, const unsigned char *x, unsigned int dim, unsigned int size_batch); - -/// -/// @brief y = x^Tr * trimat * x , in GF(256) -/// -/// @param[out] y - the returned batched element y. -/// @param[in] trimat - a batched matrix. -/// @param[in] x - an input vector x. -/// @param[in] dim - the dimension of matrix trimat (and x). -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. 
-/// -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_quad_trimat_eval_gf256(unsigned char *y, const unsigned char *trimat, const unsigned char *x, unsigned int dim, unsigned int size_batch); - -/// -/// @brief z = y^Tr * mat * x , in GF(16) -/// -/// @param[out] z - the returned batched element z. -/// @param[in] y - an input vector y. -/// @param[in] dim_y - the length of y. -/// @param[in] mat - a batched matrix. -/// @param[in] x - an input vector x. -/// @param[in] dim_x - the length of x. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_quad_recmat_eval_gf16(unsigned char *z, const unsigned char *y, unsigned int dim_y, - const unsigned char *mat, const unsigned char *x, unsigned int dim_x, unsigned int size_batch); - -/// -/// @brief z = y^Tr * mat * x , in GF(256) -/// -/// @param[out] z - the returned batched element z. -/// @param[in] y - an input vector y. -/// @param[in] dim_y - the length of y. -/// @param[in] mat - a batched matrix. -/// @param[in] x - an input vector x. -/// @param[in] dim_x - the length of x. -/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix. -/// -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_quad_recmat_eval_gf256(unsigned char *z, const unsigned char *y, unsigned int dim_y, - const unsigned char *mat, const unsigned char *x, unsigned int dim_x, unsigned int size_batch); - -#endif // _P_MATRIX_OP_H_ diff --git a/crypto_sign/rainbowIII-compressed/clean/rainbow.c b/crypto_sign/rainbowIII-compressed/clean/rainbow.c deleted file mode 100644 index b2d2ac83..00000000 --- a/crypto_sign/rainbowIII-compressed/clean/rainbow.c +++ /dev/null 
@@ -1,179 +0,0 @@ -/// @file rainbow.c -/// @brief The standard implementations for functions in rainbow.h -/// - -#include "blas.h" -#include "parallel_matrix_op.h" -#include "rainbow.h" -#include "rainbow_blas.h" -#include "rainbow_config.h" -#include "rainbow_keypair.h" -#include "utils_hash.h" -#include "utils_prng.h" -#include -#include -#include - -#define MAX_ATTEMPT_FRMAT 128 - -int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_rainbow_sign(uint8_t *signature, const sk_t *sk, const uint8_t *_digest) { - uint8_t mat_l1[_O1 * _O1_BYTE]; - uint8_t mat_l2[_O2 * _O2_BYTE]; - uint8_t mat_buffer[2 * _MAX_O * _MAX_O_BYTE]; - - // setup PRNG - prng_t prng_sign; - uint8_t prng_preseed[LEN_SKSEED + _HASH_LEN]; - memcpy(prng_preseed, sk->sk_seed, LEN_SKSEED); - memcpy(prng_preseed + LEN_SKSEED, _digest, _HASH_LEN); // prng_preseed = sk_seed || digest - uint8_t prng_seed[_HASH_LEN]; - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_hash_msg(prng_seed, _HASH_LEN, prng_preseed, _HASH_LEN + LEN_SKSEED); - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_prng_set(&prng_sign, prng_seed, _HASH_LEN); // seed = H( sk_seed || digest ) - for (unsigned int i = 0; i < LEN_SKSEED + _HASH_LEN; i++) { - prng_preseed[i] ^= prng_preseed[i]; // clean - } - for (unsigned int i = 0; i < _HASH_LEN; i++) { - prng_seed[i] ^= prng_seed[i]; // clean - } - - // roll vinegars. 
- uint8_t vinegar[_V1_BYTE]; - unsigned int n_attempt = 0; - unsigned int l1_succ = 0; - while (!l1_succ) { - if (MAX_ATTEMPT_FRMAT <= n_attempt) { - break; - } - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_prng_gen(&prng_sign, vinegar, _V1_BYTE); // generating vinegars - gfmat_prod(mat_l1, sk->l1_F2, _O1 * _O1_BYTE, _V1, vinegar); // generating the linear equations for layer 1 - l1_succ = gfmat_inv(mat_l1, mat_l1, _O1, mat_buffer); // check if the linear equation solvable - n_attempt++; - } - - // Given the vinegars, pre-compute variables needed for layer 2 - uint8_t r_l1_F1[_O1_BYTE] = {0}; - uint8_t r_l2_F1[_O2_BYTE] = {0}; - batch_quad_trimat_eval(r_l1_F1, sk->l1_F1, vinegar, _V1, _O1_BYTE); - batch_quad_trimat_eval(r_l2_F1, sk->l2_F1, vinegar, _V1, _O2_BYTE); - uint8_t mat_l2_F3[_O2 * _O2_BYTE]; - uint8_t mat_l2_F2[_O1 * _O2_BYTE]; - gfmat_prod(mat_l2_F3, sk->l2_F3, _O2 * _O2_BYTE, _V1, vinegar); - gfmat_prod(mat_l2_F2, sk->l2_F2, _O1 * _O2_BYTE, _V1, vinegar); - - // Some local variables. - uint8_t _z[_PUB_M_BYTE]; - uint8_t y[_PUB_M_BYTE]; - uint8_t *x_v1 = vinegar; - uint8_t x_o1[_O1_BYTE]; - uint8_t x_o2[_O2_BYTE]; - - uint8_t digest_salt[_HASH_LEN + _SALT_BYTE]; - memcpy(digest_salt, _digest, _HASH_LEN); - uint8_t *salt = digest_salt + _HASH_LEN; - - uint8_t temp_o[_MAX_O_BYTE + 32] = {0}; - unsigned int succ = 0; - while (!succ) { - if (MAX_ATTEMPT_FRMAT <= n_attempt) { - break; - } - // The computation: H(digest||salt) --> z --S--> y --C-map--> x --T--> w - - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_prng_gen(&prng_sign, salt, _SALT_BYTE); // roll the salt - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_hash_msg(_z, _PUB_M_BYTE, digest_salt, _HASH_LEN + _SALT_BYTE); // H(digest||salt) - - // y = S^-1 * z - memcpy(y, _z, _PUB_M_BYTE); // identity part of S - gfmat_prod(temp_o, sk->s1, _O1_BYTE, _O2, _z + _O1_BYTE); - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_add(y, temp_o, _O1_BYTE); - - // Central Map: - // layer 1: calculate x_o1 - memcpy(temp_o, r_l1_F1, _O1_BYTE); - 
PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_add(temp_o, y, _O1_BYTE); - gfmat_prod(x_o1, mat_l1, _O1_BYTE, _O1, temp_o); - - // layer 2: calculate x_o2 - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_set_zero(temp_o, _O2_BYTE); - gfmat_prod(temp_o, mat_l2_F2, _O2_BYTE, _O1, x_o1); // F2 - batch_quad_trimat_eval(mat_l2, sk->l2_F5, x_o1, _O1, _O2_BYTE); // F5 - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_add(temp_o, mat_l2, _O2_BYTE); - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_add(temp_o, r_l2_F1, _O2_BYTE); // F1 - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_add(temp_o, y + _O1_BYTE, _O2_BYTE); - - // generate the linear equations of the 2nd layer - gfmat_prod(mat_l2, sk->l2_F6, _O2 * _O2_BYTE, _O1, x_o1); // F6 - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_add(mat_l2, mat_l2_F3, _O2 * _O2_BYTE); // F3 - succ = gfmat_inv(mat_l2, mat_l2, _O2, mat_buffer); - gfmat_prod(x_o2, mat_l2, _O2_BYTE, _O2, temp_o); // solve l2 eqs - - n_attempt++; - }; - // w = T^-1 * y - uint8_t w[_PUB_N_BYTE]; - // identity part of T. - memcpy(w, x_v1, _V1_BYTE); - memcpy(w + _V1_BYTE, x_o1, _O1_BYTE); - memcpy(w + _V2_BYTE, x_o2, _O2_BYTE); - // Computing the t1 part. - gfmat_prod(y, sk->t1, _V1_BYTE, _O1, x_o1); - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_add(w, y, _V1_BYTE); - // Computing the t4 part. - gfmat_prod(y, sk->t4, _V1_BYTE, _O2, x_o2); - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_add(w, y, _V1_BYTE); - // Computing the t3 part. - gfmat_prod(y, sk->t3, _O1_BYTE, _O2, x_o2); - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_add(w + _V1_BYTE, y, _O1_BYTE); - - memset(signature, 0, _SIGNATURE_BYTE); // set the output 0 - // clean - memset(&prng_sign, 0, sizeof(prng_t)); - memset(vinegar, 0, _V1_BYTE); - memset(r_l1_F1, 0, _O1_BYTE); - memset(r_l2_F1, 0, _O2_BYTE); - memset(_z, 0, _PUB_M_BYTE); - memset(y, 0, _PUB_M_BYTE); - memset(x_o1, 0, _O1_BYTE); - memset(x_o2, 0, _O2_BYTE); - memset(temp_o, 0, sizeof(temp_o)); - - // return: copy w and salt to the signature. 
- if (MAX_ATTEMPT_FRMAT <= n_attempt) { - return -1; - } - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_add(signature, w, _PUB_N_BYTE); - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_add(signature + _PUB_N_BYTE, salt, _SALT_BYTE); - return 0; -} - -int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_rainbow_verify(const uint8_t *digest, const uint8_t *signature, const pk_t *pk) { - unsigned char digest_ck[_PUB_M_BYTE]; - // public_map( digest_ck , pk , signature ); Evaluating the quadratic public polynomials. - batch_quad_trimat_eval(digest_ck, pk->pk, signature, _PUB_N, _PUB_M_BYTE); - - unsigned char correct[_PUB_M_BYTE]; - unsigned char digest_salt[_HASH_LEN + _SALT_BYTE]; - memcpy(digest_salt, digest, _HASH_LEN); - memcpy(digest_salt + _HASH_LEN, signature + _PUB_N_BYTE, _SALT_BYTE); - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_hash_msg(correct, _PUB_M_BYTE, digest_salt, _HASH_LEN + _SALT_BYTE); // H( digest || salt ) - - // check consistancy. - unsigned char cc = 0; - for (unsigned int i = 0; i < _PUB_M_BYTE; i++) { - cc |= (digest_ck[i] ^ correct[i]); - } - return (0 == cc) ? 0 : -1; -} - -/////////////// cyclic version /////////////////////////// -int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_rainbow_sign_cyclic(uint8_t *signature, const csk_t *csk, const uint8_t *digest) { - unsigned char sk[sizeof(sk_t) + 32]; - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_generate_secretkey_cyclic((sk_t *)sk, csk->pk_seed, csk->sk_seed); // generating classic secret key. - return PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_rainbow_sign(signature, (sk_t *)sk, digest); -} - -int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_rainbow_verify_cyclic(const uint8_t *digest, const uint8_t *signature, const cpk_t *_pk) { - unsigned char pk[sizeof(pk_t) + 32]; - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_cpk_to_pk((pk_t *)pk, _pk); // generating classic public key. - return PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_rainbow_verify(digest, signature, (pk_t *)pk); -} 
diff --git a/crypto_sign/rainbowIII-compressed/clean/rainbow.h b/crypto_sign/rainbowIII-compressed/clean/rainbow.h
deleted file mode 100644
index 954a3a1b..00000000
--- a/crypto_sign/rainbowIII-compressed/clean/rainbow.h
+++ /dev/null
@@ -1,50 +0,0 @@
-#ifndef _RAINBOW_H_
-#define _RAINBOW_H_
-/// @file rainbow.h
-/// @brief APIs for rainbow.
-///
-
-#include "rainbow_config.h"
-#include "rainbow_keypair.h"
-
-#include 
-
-///
-/// @brief Signing function for classical secret key.
-///
-/// @param[out] signature - the signature.
-/// @param[in] sk - the secret key.
-/// @param[in] digest - the digest.
-///
-int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_rainbow_sign(uint8_t *signature, const sk_t *sk, const uint8_t *digest);
-
-///
-/// @brief Verifying function.
-///
-/// @param[in] digest - the digest.
-/// @param[in] signature - the signature.
-/// @param[in] pk - the public key.
-/// @return 0 for successful verified. -1 for failed verification.
-///
-int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_rainbow_verify(const uint8_t *digest, const uint8_t *signature, const pk_t *pk);
-
-///
-/// @brief Signing function for compressed secret key of the cyclic rainbow.
-///
-/// @param[out] signature - the signature.
-/// @param[in] sk - the compressed secret key.
-/// @param[in] digest - the digest.
-///
-int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_rainbow_sign_cyclic(uint8_t *signature, const csk_t *sk, const uint8_t *digest);
-
-///
-/// @brief Verifying function for cyclic public keys.
-///
-/// @param[in] digest - the digest.
-/// @param[in] signature - the signature.
-/// @param[in] pk - the public key of cyclic rainbow.
-/// @return 0 for successful verified. -1 for failed verification.
-///
-int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_rainbow_verify_cyclic(const uint8_t *digest, const uint8_t *signature, const cpk_t *pk);
-
-#endif // _RAINBOW_H_
diff --git a/crypto_sign/rainbowIII-compressed/clean/rainbow_blas.h b/crypto_sign/rainbowIII-compressed/clean/rainbow_blas.h
deleted file mode 100644
index cc97b929..00000000
--- a/crypto_sign/rainbowIII-compressed/clean/rainbow_blas.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef _RAINBOW_BLAS_H_
-#define _RAINBOW_BLAS_H_
-/// @file rainbow_blas.h
-/// @brief Defining the functions used in rainbow.c acconding to the definitions in rainbow_config.h
-///
-/// Defining the functions used in rainbow.c acconding to the definitions in rainbow_config.h
-
-#include "blas.h"
-#include "blas_comm.h"
-#include "parallel_matrix_op.h"
-#include "rainbow_config.h"
-
-
-#define gfv_get_ele PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_get_ele
-#define gfv_mul_scalar PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_mul_scalar
-#define gfv_madd PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_madd
-
-#define gfmat_prod PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256mat_prod
-#define gfmat_inv PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256mat_inv
-
-#define batch_trimat_madd PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_trimat_madd_gf256
-#define batch_trimatTr_madd PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_trimatTr_madd_gf256
-#define batch_2trimat_madd PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_2trimat_madd_gf256
-#define batch_matTr_madd PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_matTr_madd_gf256
-#define batch_bmatTr_madd PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_bmatTr_madd_gf256
-#define batch_mat_madd PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_mat_madd_gf256
-
-#define batch_quad_trimat_eval PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_quad_trimat_eval_gf256
-#define batch_quad_recmat_eval PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_batch_quad_recmat_eval_gf256
-
-
-#endif // _RAINBOW_BLAS_H_
diff --git a/crypto_sign/rainbowIII-compressed/clean/rainbow_config.h b/crypto_sign/rainbowIII-compressed/clean/rainbow_config.h
deleted file mode 100644
index f3cbb700..00000000
--- a/crypto_sign/rainbowIII-compressed/clean/rainbow_config.h
+++ /dev/null
@@ -1,48 +0,0 @@
-#ifndef _H_RAINBOW_CONFIG_H_
-#define _H_RAINBOW_CONFIG_H_
-
-/// @file rainbow_config.h
-/// @brief Defining the parameters of the Rainbow and the corresponding constants.
-///
-
-#define _GFSIZE 256
-#define _V1 68
-#define _O1 32
-#define _O2 48
-#define _MAX_O 48
-#define _HASH_LEN 48
-
-
-#define _V2 ((_V1) + (_O1))
-
-/// size of N, in # of gf elements.
-#define _PUB_N (_V1 + _O1 + _O2)
-
-/// size of M, in # gf elements.
-#define _PUB_M (_O1 + _O2)
-
-/// size of variables, in # bytes.
-
-// GF256
-#define _V1_BYTE (_V1)
-#define _V2_BYTE (_V2)
-#define _O1_BYTE (_O1)
-#define _O2_BYTE (_O2)
-#define _MAX_O_BYTE (_MAX_O)
-#define _PUB_N_BYTE (_PUB_N)
-#define _PUB_M_BYTE (_PUB_M)
-
-
-/// length of seed for public key, in # bytes
-#define LEN_PKSEED 32
-
-/// length of seed for secret key, in # bytes
-#define LEN_SKSEED 32
-
-/// length of salt for a signature, in # bytes
-#define _SALT_BYTE 16
-
-/// length of a signature
-#define _SIGNATURE_BYTE (_PUB_N_BYTE + _SALT_BYTE)
-
-#endif // _H_RAINBOW_CONFIG_H_
diff --git a/crypto_sign/rainbowIII-compressed/clean/rainbow_keypair.c b/crypto_sign/rainbowIII-compressed/clean/rainbow_keypair.c
deleted file mode 100644
index cdd4f184..00000000
--- a/crypto_sign/rainbowIII-compressed/clean/rainbow_keypair.c
+++ /dev/null
@@ -1,217 +0,0 @@ -/// @file rainbow_keypair.c -/// @brief implementations of functions in rainbow_keypair.h -/// - -#include "rainbow_keypair.h" -#include "blas.h" -#include "blas_comm.h" -#include "rainbow_blas.h" -#include "rainbow_keypair_computation.h" -#include "utils_prng.h" -#include -#include -#include - -static -void generate_S_T( unsigned char *s_and_t, prng_t *prng0 ) { - sk_t *_sk; - unsigned size; - - size = sizeof(_sk->s1); - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_prng_gen( prng0, s_and_t, size ); - s_and_t += size; - - size = sizeof(_sk->t1); - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_prng_gen( prng0, s_and_t, size ); - s_and_t += size; - - size = sizeof(_sk->t4); - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_prng_gen( prng0, s_and_t, size ); - s_and_t += size; - - size = sizeof(_sk->t3); - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_prng_gen( prng0, s_and_t, size ); -} - - -static -unsigned generate_l1_F12( unsigned char *sk, prng_t *prng0 ) { - unsigned n_byte_generated = 0; - sk_t *_sk; - unsigned size; - - size = sizeof(_sk->l1_F1); - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_prng_gen( prng0, sk, size ); - sk += size; - n_byte_generated += size; - - size = sizeof(_sk->l1_F2); - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_prng_gen( prng0, sk, size ); - n_byte_generated += size; - - return n_byte_generated; -} - - -static -unsigned generate_l2_F12356( unsigned char *sk, prng_t *prng0 ) { - unsigned n_byte_generated = 0; - sk_t *_sk; - unsigned size; - - size = sizeof(_sk->l2_F1); - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_prng_gen( prng0, sk, size ); - sk += size; - n_byte_generated += size; - - size = sizeof(_sk->l2_F2); - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_prng_gen( prng0, sk, size ); - sk += size; - n_byte_generated += size; - - size = sizeof(_sk->l2_F3); - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_prng_gen( prng0, sk, size ); - sk += size; - n_byte_generated += size; - - size = sizeof(_sk->l2_F5); - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_prng_gen( prng0, sk, size ); - sk += size; - n_byte_generated += 
size; - - size = sizeof(_sk->l2_F6); - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_prng_gen( prng0, sk, size ); - n_byte_generated += size; - - return n_byte_generated; -} - - -static void generate_B1_B2(unsigned char *sk, prng_t *prng0) { - sk += generate_l1_F12(sk, prng0); - generate_l2_F12356(sk, prng0); -} - -static void calculate_t4(unsigned char *t2_to_t4, const unsigned char *t1, const unsigned char *t3) { - // t4 = T_sk.t1 * T_sk.t3 - T_sk.t2 - unsigned char temp[_V1_BYTE + 32]; - unsigned char *t4 = t2_to_t4; - for (unsigned int i = 0; i < _O2; i++) { /// t3 width - gfmat_prod(temp, t1, _V1_BYTE, _O1, t3); - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_add(t4, temp, _V1_BYTE); - t4 += _V1_BYTE; - t3 += _O1_BYTE; - } -} - -static void obsfucate_l1_polys(unsigned char *l1_polys, const unsigned char *l2_polys, unsigned int n_terms, const unsigned char *s1) { - unsigned char temp[_O1_BYTE + 32]; - while (n_terms--) { - gfmat_prod(temp, s1, _O1_BYTE, _O2, l2_polys); - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_gf256v_add(l1_polys, temp, _O1_BYTE); - l1_polys += _O1_BYTE; - l2_polys += _O2_BYTE; - } -} - -/////////////////// Classic ////////////////////////////////// - - -///////////////////// Cyclic ////////////////////////////////// -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_generate_keypair_cyclic(cpk_t *pk, sk_t *sk, const unsigned char *pk_seed, const unsigned char *sk_seed) { - memcpy(pk->pk_seed, pk_seed, LEN_PKSEED); - memcpy(sk->sk_seed, sk_seed, LEN_SKSEED); - - // prng for sk - prng_t prng; - prng_t *prng0 = &prng; - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_prng_set(prng0, sk_seed, LEN_SKSEED); - generate_S_T(sk->s1, prng0); // S,T: only a part of sk - - unsigned char t2[sizeof(sk->t4)]; - memcpy(t2, sk->t4, _V1_BYTE * _O2); // temporarily store t2 - calculate_t4(sk->t4, sk->t1, sk->t3); // t2 <- t4 - - // prng for pk - sk_t inst_Qs; - sk_t *Qs = &inst_Qs; - prng_t *prng1 = &prng; - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_prng_set(prng1, pk_seed, LEN_PKSEED); - 
generate_B1_B2(Qs->l1_F1, prng1); // generating l1_Q1, l1_Q2, l2_Q1, l2_Q2, l2_Q3, l2_Q5, l2_Q6 - obsfucate_l1_polys(Qs->l1_F1, Qs->l2_F1, N_TRIANGLE_TERMS(_V1), sk->s1); - obsfucate_l1_polys(Qs->l1_F2, Qs->l2_F2, _V1 * _O1, sk->s1); - // so far, the Qs contains l1_F1, l1_F2, l2_F1, l2_F2, l2_F3, l2_F5, l2_F6. - - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_calculate_F_from_Q(sk, Qs, sk); // calcuate the rest parts of secret key from Qs and S,T - - unsigned char t4[sizeof(sk->t4)]; - memcpy(t4, sk->t4, _V1_BYTE * _O2); // temporarily store t4 - memcpy(sk->t4, t2, _V1_BYTE * _O2); // restore t2 - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_calculate_Q_from_F_cyclic(pk, sk, sk); // calculate the rest parts of public key: l1_Q3, l1_Q5, l1_Q6, l1_Q9, l2_Q9 - memcpy(sk->t4, t4, _V1_BYTE * _O2); // restore t4 - - obsfucate_l1_polys(pk->l1_Q3, Qs->l2_F3, _V1 * _O2, sk->s1); - obsfucate_l1_polys(pk->l1_Q5, Qs->l2_F5, N_TRIANGLE_TERMS(_O1), sk->s1); - obsfucate_l1_polys(pk->l1_Q6, Qs->l2_F6, _O1 * _O2, sk->s1); - obsfucate_l1_polys(pk->l1_Q9, pk->l2_Q9, N_TRIANGLE_TERMS(_O2), sk->s1); - - // clean - memset(&prng, 0, sizeof(prng_t)); -} - - -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_generate_compact_keypair_cyclic(cpk_t *pk, csk_t *rsk, const unsigned char *pk_seed, const unsigned char *sk_seed) { - memcpy(rsk->pk_seed, pk_seed, LEN_PKSEED); - memcpy(rsk->sk_seed, sk_seed, LEN_SKSEED); - sk_t sk; - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_generate_keypair_cyclic(pk, &sk, pk_seed, sk_seed); -} - -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_generate_secretkey_cyclic(sk_t *sk, const unsigned char *pk_seed, const unsigned char *sk_seed) { - memcpy(sk->sk_seed, sk_seed, LEN_SKSEED); - - // prng for sk - prng_t prng0; - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_prng_set(&prng0, sk_seed, LEN_SKSEED); - generate_S_T(sk->s1, &prng0); - calculate_t4(sk->t4, sk->t1, sk->t3); - - // prng for pk - sk_t inst_Qs; - sk_t *Qs = &inst_Qs; - prng_t prng1; - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_prng_set(&prng1, pk_seed, LEN_PKSEED); 
- generate_B1_B2(Qs->l1_F1, &prng1); - - obsfucate_l1_polys(Qs->l1_F1, Qs->l2_F1, N_TRIANGLE_TERMS(_V1), sk->s1); - obsfucate_l1_polys(Qs->l1_F2, Qs->l2_F2, _V1 * _O1, sk->s1); - - // calcuate the parts of sk according to pk. - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_calculate_F_from_Q(sk, Qs, sk); - - // clean prng for sk - memset(&prng0, 0, sizeof(prng_t)); -} -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_cpk_to_pk(pk_t *rpk, const cpk_t *cpk) { - // procedure: cpk_t --> extcpk_t --> pk_t - - // convert from cpk_t to extcpk_t - ext_cpk_t pk; - - // setup prng - prng_t prng0; - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_prng_set(&prng0, cpk->pk_seed, LEN_SKSEED); - - // generating parts of key with prng - generate_l1_F12(pk.l1_Q1, &prng0); - // copying parts of key from input. l1_Q3, l1_Q5, l1_Q6, l1_Q9 - memcpy(pk.l1_Q3, cpk->l1_Q3, _O1_BYTE * (_V1 * _O2 + N_TRIANGLE_TERMS(_O1) + _O1 * _O2 + N_TRIANGLE_TERMS(_O2))); - - // generating parts of key with prng - generate_l2_F12356(pk.l2_Q1, &prng0); - // copying parts of key from input: l2_Q9 - memcpy(pk.l2_Q9, cpk->l2_Q9, _O2_BYTE * N_TRIANGLE_TERMS(_O2)); - - // convert from extcpk_t to pk_t - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_extcpk_to_pk(rpk, &pk); -} diff --git a/crypto_sign/rainbowIII-compressed/clean/rainbow_keypair.h b/crypto_sign/rainbowIII-compressed/clean/rainbow_keypair.h deleted file mode 100644 index 59933f32..00000000 --- a/crypto_sign/rainbowIII-compressed/clean/rainbow_keypair.h +++ /dev/null 
@@ -1,111 +0,0 @@
-#ifndef _RAINBOW_KEYPAIR_H_
-#define _RAINBOW_KEYPAIR_H_
-/// @file rainbow_keypair.h
-/// @brief Formats of key pairs and functions for generating key pairs.
-/// Formats of key pairs and functions for generating key pairs.
-///
-
-#include "rainbow_config.h"
-
-#define N_TRIANGLE_TERMS(n_var) ((n_var) * ((n_var) + 1) / 2)
-
-/// @brief public key for classic rainbow
-///
-/// public key for classic rainbow
-///
-typedef struct rainbow_publickey {
- unsigned char pk[(_PUB_M_BYTE)*N_TRIANGLE_TERMS(_PUB_N)];
-} pk_t;
-
-/// @brief secret key for classic rainbow
-///
-/// secret key for classic rainbow
-///
-typedef struct rainbow_secretkey {
- ///
- /// seed for generating secret key.
- /// Generating S, T, and F for classic rainbow.
- /// Generating S and T only for cyclic rainbow.
- unsigned char sk_seed[LEN_SKSEED];
-
- unsigned char s1[_O1_BYTE * _O2]; ///< part of S map
- unsigned char t1[_V1_BYTE * _O1]; ///< part of T map
- unsigned char t4[_V1_BYTE * _O2]; ///< part of T map
- unsigned char t3[_O1_BYTE * _O2]; ///< part of T map
-
- unsigned char l1_F1[_O1_BYTE * N_TRIANGLE_TERMS(_V1)]; ///< part of C-map, F1, Layer1
- unsigned char l1_F2[_O1_BYTE * _V1 * _O1]; ///< part of C-map, F2, Layer1
-
- unsigned char l2_F1[_O2_BYTE * N_TRIANGLE_TERMS(_V1)]; ///< part of C-map, F1, Layer2
- unsigned char l2_F2[_O2_BYTE * _V1 * _O1]; ///< part of C-map, F2, Layer2
-
- unsigned char l2_F3[_O2_BYTE * _V1 * _O2]; ///< part of C-map, F3, Layer2
- unsigned char l2_F5[_O2_BYTE * N_TRIANGLE_TERMS(_O1)]; ///< part of C-map, F5, Layer2
- unsigned char l2_F6[_O2_BYTE * _O1 * _O2]; ///< part of C-map, F6, Layer2
-} sk_t;
-
-/// @brief public key for cyclic rainbow
-///
-/// public key for cyclic rainbow
-///
-typedef struct rainbow_publickey_cyclic {
- unsigned char pk_seed[LEN_PKSEED]; ///< seed for generating l1_Q1,l1_Q2,l2_Q1,l2_Q2,l2_Q3,l2_Q5,l2_Q6
-
- unsigned char l1_Q3[_O1_BYTE * _V1 * _O2]; ///< Q3, layer1
- unsigned char l1_Q5[_O1_BYTE * N_TRIANGLE_TERMS(_O1)]; ///< Q5, layer1
- unsigned char l1_Q6[_O1_BYTE * _O1 * _O2]; ///< Q6, layer1
- unsigned char l1_Q9[_O1_BYTE * N_TRIANGLE_TERMS(_O2)]; ///< Q9, layer1
-
- unsigned char l2_Q9[_O2_BYTE * N_TRIANGLE_TERMS(_O2)]; ///< Q9, layer2
-} cpk_t;
-
-/// @brief compressed secret key for cyclic rainbow
-///
-/// compressed secret key for cyclic rainbow
-///
-typedef struct rainbow_secretkey_cyclic {
- unsigned char pk_seed[LEN_PKSEED]; ///< seed for generating a part of public key.
- unsigned char sk_seed[LEN_SKSEED]; ///< seed for generating a part of secret key.
-} csk_t;
-
-
-///
-/// @brief Generate key pairs for cyclic rainbow.
-///
-/// @param[out] pk - the public key.
-/// @param[out] sk - the secret key.
-/// @param[in] pk_seed - seed for generating parts of public key.
-/// @param[in] sk_seed - seed for generating secret key.
-///
-void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_generate_keypair_cyclic(cpk_t *pk, sk_t *sk, const unsigned char *pk_seed, const unsigned char *sk_seed);
-
-///
-/// @brief Generate compressed key pairs for cyclic rainbow.
-///
-/// @param[out] pk - the public key.
-/// @param[out] sk - the compressed secret key.
-/// @param[in] pk_seed - seed for generating parts of the public key.
-/// @param[in] sk_seed - seed for generating the secret key.
-///
-void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_generate_compact_keypair_cyclic(cpk_t *pk, csk_t *sk, const unsigned char *pk_seed, const unsigned char *sk_seed);
-
-///
-/// @brief Generate secret key for cyclic rainbow.
-///
-/// @param[out] sk - the secret key.
-/// @param[in] pk_seed - seed for generating parts of the pbulic key.
-/// @param[in] sk_seed - seed for generating the secret key.
-///
-void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_generate_secretkey_cyclic(sk_t *sk, const unsigned char *pk_seed, const unsigned char *sk_seed);
-
-////////////////////////////////////
-
-///
-/// @brief converting formats of public keys : from cyclic version to classic key
-///
-/// @param[out] pk - the classic public key.
-/// @param[in] cpk - the cyclic public key.
-///
-void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_cpk_to_pk(pk_t *pk, const cpk_t *cpk);
-
-#endif // _RAINBOW_KEYPAIR_H_
diff --git a/crypto_sign/rainbowIII-compressed/clean/rainbow_keypair_computation.c b/crypto_sign/rainbowIII-compressed/clean/rainbow_keypair_computation.c
deleted file mode 100644
index e4c0666c..00000000
--- a/crypto_sign/rainbowIII-compressed/clean/rainbow_keypair_computation.c
+++ /dev/null
@@ -1,213 +0,0 @@ -/// @file rainbow_keypair_computation.c -/// @brief Implementations for functions in rainbow_keypair_computation.h -/// - -#include "rainbow_keypair_computation.h" -#include "blas.h" -#include "blas_comm.h" -#include "rainbow_blas.h" -#include "rainbow_keypair.h" -#include -#include -#include - -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_extcpk_to_pk(pk_t *pk, const ext_cpk_t *cpk) { - const unsigned char *idx_l1 = cpk->l1_Q1; - const unsigned char *idx_l2 = cpk->l2_Q1; - for (unsigned int i = 0; i < _V1; i++) { - for (unsigned int j = i; j < _V1; j++) { - unsigned int pub_idx = PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_idx_of_trimat(i, j, _PUB_N); - memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE); - memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE); - idx_l1 += _O1_BYTE; - idx_l2 += _O2_BYTE; - } - } - idx_l1 = cpk->l1_Q2; - idx_l2 = cpk->l2_Q2; - for (unsigned int i = 0; i < _V1; i++) { - for (unsigned int j = _V1; j < _V1 + _O1; j++) { - unsigned int pub_idx = PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_idx_of_trimat(i, j, _PUB_N); - memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE); - memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE); - idx_l1 += _O1_BYTE; - idx_l2 += _O2_BYTE; - } - } - idx_l1 = cpk->l1_Q3; - idx_l2 = cpk->l2_Q3; - for (unsigned int i = 0; i < _V1; i++) { - for (unsigned int j = _V1 + _O1; j < _PUB_N; j++) { - unsigned int pub_idx = PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_idx_of_trimat(i, j, _PUB_N); - memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE); - memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE); - idx_l1 += _O1_BYTE; - idx_l2 += _O2_BYTE; - } - } - idx_l1 = cpk->l1_Q5; - idx_l2 = cpk->l2_Q5; - for (unsigned int i = _V1; i < _V1 + _O1; i++) { - for (unsigned int j = i; j < _V1 + _O1; j++) { - unsigned int pub_idx = PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_idx_of_trimat(i, j, _PUB_N); - memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE); - 
memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE); - idx_l1 += _O1_BYTE; - idx_l2 += _O2_BYTE; - } - } - idx_l1 = cpk->l1_Q6; - idx_l2 = cpk->l2_Q6; - for (unsigned int i = _V1; i < _V1 + _O1; i++) { - for (unsigned int j = _V1 + _O1; j < _PUB_N; j++) { - unsigned int pub_idx = PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_idx_of_trimat(i, j, _PUB_N); - memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE); - memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE); - idx_l1 += _O1_BYTE; - idx_l2 += _O2_BYTE; - } - } - idx_l1 = cpk->l1_Q9; - idx_l2 = cpk->l2_Q9; - for (unsigned int i = _V1 + _O1; i < _PUB_N; i++) { - for (unsigned int j = i; j < _PUB_N; j++) { - unsigned int pub_idx = PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_idx_of_trimat(i, j, _PUB_N); - memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE); - memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE); - idx_l1 += _O1_BYTE; - idx_l2 += _O2_BYTE; - } - } -} - -static void calculate_F_from_Q_ref(sk_t *Fs, const sk_t *Qs, sk_t *Ts) { - // Layer 1 - // F_sk.l1_F1s[i] = Q_pk.l1_F1s[i] - memcpy(Fs->l1_F1, Qs->l1_F1, _O1_BYTE * N_TRIANGLE_TERMS(_V1)); - - // F_sk.l1_F2s[i] = ( Q_pk.l1_F1s[i] + Q_pk.l1_F1s[i].transpose() ) * T_sk.t1 + Q_pk.l1_F2s[i] - memcpy(Fs->l1_F2, Qs->l1_F2, _O1_BYTE * _V1 * _O1); - batch_2trimat_madd(Fs->l1_F2, Qs->l1_F1, Ts->t1, _V1, _V1_BYTE, _O1, _O1_BYTE); - - /* - Layer 2 - computations: - - F_sk.l2_F1s[i] = Q_pk.l2_F1s[i] - - Q1_T1 = Q_pk.l2_F1s[i]*T_sk.t1 - F_sk.l2_F2s[i] = Q1_T1 + Q_pk.l2_F2s[i] + Q_pk.l2_F1s[i].transpose() * T_sk.t1 - F_sk.l2_F5s[i] = UT( t1_tr* ( Q1_T1 + Q_pk.l2_F2s[i] ) ) + Q_pk.l2_F5s[i] - - Q1_Q1T_T4 = (Q_pk.l2_F1s[i] + Q_pk.l2_F1s[i].transpose()) * t4 - #Q1_Q1T_T4 = Q1_Q1T * t4 - Q2_T3 = Q_pk.l2_F2s[i]*T_sk.t3 - F_sk.l2_F3s[i] = Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i] - F_sk.l2_F6s[i] = t1_tr * ( Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i] ) - + Q_pk.l2_F2s[i].transpose() * t4 - + (Q_pk.l2_F5s[i] + Q_pk.l2_F5s[i].transpose())*T_sk.t3 
+ Q_pk.l2_F6s[i] - - */ - memcpy(Fs->l2_F1, Qs->l2_F1, _O2_BYTE * N_TRIANGLE_TERMS(_V1)); // F_sk.l2_F1s[i] = Q_pk.l2_F1s[i] - - // F_sk.l2_F2s[i] = Q1_T1 + Q_pk.l2_F2s[i] + Q_pk.l2_F1s[i].transpose() * T_sk.t1 - // F_sk.l2_F5s[i] = UT( t1_tr* ( Q1_T1 + Q_pk.l2_F2s[i] ) ) + Q_pk.l2_F5s[i] - memcpy(Fs->l2_F2, Qs->l2_F2, _O2_BYTE * _V1 * _O1); - batch_trimat_madd(Fs->l2_F2, Qs->l2_F1, Ts->t1, _V1, _V1_BYTE, _O1, _O2_BYTE); // Q1_T1+ Q2 - - unsigned char tempQ[_O1 * _O1 * _O2_BYTE + 32]; - memset(tempQ, 0, _O1 * _O1 * _O2_BYTE); - batch_matTr_madd(tempQ, Ts->t1, _V1, _V1_BYTE, _O1, Fs->l2_F2, _O1, _O2_BYTE); // t1_tr*(Q1_T1+Q2) - memcpy(Fs->l2_F5, Qs->l2_F5, _O2_BYTE * N_TRIANGLE_TERMS(_O1)); // F5 - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_UpperTrianglize(Fs->l2_F5, tempQ, _O1, _O2_BYTE); // UT( ... ) - - batch_trimatTr_madd(Fs->l2_F2, Qs->l2_F1, Ts->t1, _V1, _V1_BYTE, _O1, _O2_BYTE); // F2 = Q1_T1 + Q2 + Q1^tr*t1 - - // Q1_Q1T_T4 = (Q_pk.l2_F1s[i] + Q_pk.l2_F1s[i].transpose()) * t4 - // Q2_T3 = Q_pk.l2_F2s[i]*T_sk.t3 - // F_sk.l2_F3s[i] = Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i] - memcpy(Fs->l2_F3, Qs->l2_F3, _V1 * _O2 * _O2_BYTE); - batch_2trimat_madd(Fs->l2_F3, Qs->l2_F1, Ts->t4, _V1, _V1_BYTE, _O2, _O2_BYTE); // Q1_Q1T_T4 - batch_mat_madd(Fs->l2_F3, Qs->l2_F2, _V1, Ts->t3, _O1, _O1_BYTE, _O2, _O2_BYTE); // Q2_T3 - - // F_sk.l2_F6s[i] = t1_tr * ( Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i] ) - // + Q_pk.l2_F2s[i].transpose() * t4 - // + (Q_pk.l2_F5s[i] + Q_pk.l2_F5s[i].transpose())*T_sk.t3 + Q_pk.l2_F6s[i] - memcpy(Fs->l2_F6, Qs->l2_F6, _O1 * _O2 * _O2_BYTE); - batch_matTr_madd(Fs->l2_F6, Ts->t1, _V1, _V1_BYTE, _O1, Fs->l2_F3, _O2, _O2_BYTE); // t1_tr * ( Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i] ) - batch_2trimat_madd(Fs->l2_F6, Qs->l2_F5, Ts->t3, _O1, _O1_BYTE, _O2, _O2_BYTE); // (Q_pk.l2_F5s[i] + Q_pk.l2_F5s[i].transpose())*T_sk.t3 - batch_bmatTr_madd(Fs->l2_F6, Qs->l2_F2, _O1, Ts->t4, _V1, _V1_BYTE, _O2, _O2_BYTE); -} - -#define _SIZE_BUFFER_F2 (_O2_BYTE * _V1 * _O2) -#define 
_SIZE_BUFFER_F3 (_O2_BYTE * _V1 * _O2) -static void calculate_Q_from_F_cyclic_ref(cpk_t *Qs, const sk_t *Fs, const sk_t *Ts) { - // Layer 1: Computing Q5, Q3, Q6, Q9 - - // Q_pk.l1_F5s[i] = UT( T1tr* (F1 * T1 + F2) ) - const unsigned char *t2 = Ts->t4; - - // assuming _O2 >= _O1 - - unsigned char buffer_F2[_SIZE_BUFFER_F2]; - memcpy(buffer_F2, Fs->l1_F2, _O1_BYTE * _V1 * _O1); - batch_trimat_madd( buffer_F2, Fs->l1_F1, Ts->t1, _V1, _V1_BYTE, _O1, _O1_BYTE); // F1*T1 + F2 - - // assuming _O2 >= _O1 - unsigned char buffer_F3[_SIZE_BUFFER_F3]; - memset(buffer_F3, 0, _O1_BYTE * _V1 * _O2); - batch_matTr_madd(buffer_F3, Ts->t1, _V1, _V1_BYTE, _O1, buffer_F2, _O1, _O1_BYTE); // T1tr*(F1*T1 + F2) , release buffer_F2 - memset(Qs->l1_Q5, 0, _O1_BYTE * N_TRIANGLE_TERMS(_O1)); - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_UpperTrianglize(Qs->l1_Q5, buffer_F3, _O1, _O1_BYTE); // UT( ... ) // Q5 , release buffer_F3 - /* - F1_T2 = F1 * t2 - F2_T3 = F2 * t3 - F1_F1T_T2 + F2_T3 = F1_T2 + F2_T3 + F1tr * t2 - Q_pk.l1_F3s[i] = F1_F1T_T2 + F2_T3 - Q_pk.l1_F6s[i] = T1tr* ( F1_F1T_T2 + F2_T3 ) + F2tr * t2 - Q_pk.l1_F9s[i] = UT( T2tr* ( F1_T2 + F2_T3 ) ) - */ - memset(Qs->l1_Q3, 0, _O1_BYTE * _V1 * _O2); - memset(Qs->l1_Q6, 0, _O1_BYTE * _O1 * _O2); - memset(Qs->l1_Q9, 0, _O1_BYTE * N_TRIANGLE_TERMS(_O2)); - - batch_trimat_madd(Qs->l1_Q3, Fs->l1_F1, t2, _V1, _V1_BYTE, _O2, _O1_BYTE); // F1*T2 - batch_mat_madd(Qs->l1_Q3, Fs->l1_F2, _V1, Ts->t3, _O1, _O1_BYTE, _O2, _O1_BYTE); // F1_T2 + F - memset(buffer_F3, 0, _O1_BYTE * _V1 * _O2); - batch_matTr_madd(buffer_F3, t2, _V1, _V1_BYTE, _O2, Qs->l1_Q3, _O2, _O1_BYTE); // T2tr * ( F1_T2 + F2_T3 ) - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_UpperTrianglize(Qs->l1_Q9, buffer_F3, _O2, _O1_BYTE); // Q9 , release buffe - batch_trimatTr_madd(Qs->l1_Q3, Fs->l1_F1, t2, _V1, _V1_BYTE, _O2, _O1_BYTE); // F1_F1T_T2 + F2_T3 / - batch_bmatTr_madd(Qs->l1_Q6, Fs->l1_F2, _O1, t2, _V1, _V1_BYTE, _O2, _O1_BYTE); // F2tr*T2 - batch_matTr_madd(Qs->l1_Q6, Ts->t1, _V1, _V1_BYTE, 
_O1, Qs->l1_Q3, _O2, _O1_BYTE); // Q6 - /* - Layer 2 - Computing - F1_T2 = F1 * t2 - F2_T3 = F2 * t3 - Q9 = UT( T2tr*( F1*T2 + F2*T3 + F3 ) + T3tr*( F5*T3 + F6 ) ) - */ - memcpy(buffer_F3, Fs->l2_F3, _O2_BYTE * _V1 * _O2); - batch_trimat_madd(buffer_F3, Fs->l2_F1, t2, _V1, _V1_BYTE, _O2, _O2_BYTE); // F1*T2 + F3 - batch_mat_madd(buffer_F3, Fs->l2_F2, _V1, Ts->t3, _O1, _O1_BYTE, _O2, _O2_BYTE); // F1_T2 + F2_T3 - memset(buffer_F2, 0, _O2_BYTE * _V1 * _O2); - batch_matTr_madd(buffer_F2, t2, _V1, _V1_BYTE, _O2, buffer_F3, _O2, _O2_BYTE); // T2tr * ( ..... ) , release buffe - memcpy(buffer_F3, Fs->l2_F6, _O2_BYTE * _O1 * _O2); - batch_trimat_madd(buffer_F3, Fs->l2_F5, Ts->t3, _O1, _O1_BYTE, _O2, _O2_BYTE); // F5*T3 + F6 - batch_matTr_madd(buffer_F2, Ts->t3, _O1, _O1_BYTE, _O2, buffer_F3, _O2, _O2_BYTE); // T2tr*( ..... ) + T3tr*( ..... ) - memset(Qs->l2_Q9, 0, _O2_BYTE * N_TRIANGLE_TERMS(_O2)); - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_UpperTrianglize(Qs->l2_Q9, buffer_F2, _O2, _O2_BYTE); // Q9 - memset(buffer_F2, 0, _SIZE_BUFFER_F2); - memset(buffer_F3, 0, _SIZE_BUFFER_F3); -} - -// Choosing implementations depends on the macros: _BLAS_SSE_ and _BLAS_AVX2_ -#define calculate_F_from_Q_impl calculate_F_from_Q_ref -#define calculate_Q_from_F_cyclic_impl calculate_Q_from_F_cyclic_ref - -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_calculate_F_from_Q(sk_t *Fs, const sk_t *Qs, sk_t *Ts) { - calculate_F_from_Q_impl(Fs, Qs, Ts); -} - -void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_calculate_Q_from_F_cyclic(cpk_t *Qs, const sk_t *Fs, const sk_t *Ts) { - calculate_Q_from_F_cyclic_impl(Qs, Fs, Ts); -} diff --git a/crypto_sign/rainbowIII-compressed/clean/rainbow_keypair_computation.h b/crypto_sign/rainbowIII-compressed/clean/rainbow_keypair_computation.h deleted file mode 100644 index 760a691e..00000000 --- a/crypto_sign/rainbowIII-compressed/clean/rainbow_keypair_computation.h +++ /dev/null 
@@ -1,71 +0,0 @@
-#ifndef _RAINBOW_KEYPAIR_COMP_H_
-#define _RAINBOW_KEYPAIR_COMP_H_
-/// @file rainbow_keypair_computation.h
-/// @brief Functions for calculating pk/sk while generating keys.
-///
-/// Defining an internal structure of public key.
-/// Functions for calculating pk/sk for key generation.
-///
-
-#include "rainbow_keypair.h"
-
-/// @brief The (internal use) public key for rainbow
-///
-/// The (internal use) public key for rainbow. The public
-/// polynomials are divided into l1_Q1, l1_Q2, ... l1_Q9,
-/// l2_Q1, .... , l2_Q9.
-///
-typedef struct rainbow_extend_publickey {
- unsigned char l1_Q1[_O1_BYTE * N_TRIANGLE_TERMS(_V1)];
- unsigned char l1_Q2[_O1_BYTE * _V1 * _O1];
- unsigned char l1_Q3[_O1_BYTE * _V1 * _O2];
- unsigned char l1_Q5[_O1_BYTE * N_TRIANGLE_TERMS(_O1)];
- unsigned char l1_Q6[_O1_BYTE * _O1 * _O2];
- unsigned char l1_Q9[_O1_BYTE * N_TRIANGLE_TERMS(_O2)];
-
- unsigned char l2_Q1[_O2_BYTE * N_TRIANGLE_TERMS(_V1)];
- unsigned char l2_Q2[_O2_BYTE * _V1 * _O1];
- unsigned char l2_Q3[_O2_BYTE * _V1 * _O2];
- unsigned char l2_Q5[_O2_BYTE * N_TRIANGLE_TERMS(_O1)];
- unsigned char l2_Q6[_O2_BYTE * _O1 * _O2];
- unsigned char l2_Q9[_O2_BYTE * N_TRIANGLE_TERMS(_O2)];
-} ext_cpk_t;
-
-///
-/// @brief converting formats of public keys : from ext_cpk_t version to pk_t
-///
-/// @param[out] pk - the classic public key.
-/// @param[in] cpk - the internel public key.
-///
-void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_extcpk_to_pk(pk_t *pk, const ext_cpk_t *cpk);
-/////////////////////////////////////////////////
-
-///
-/// @brief Computing public key from secret key
-///
-/// @param[out] Qs - the public key
-/// @param[in] Fs - parts of the secret key: l1_F1, l1_F2, l2_F1, l2_F2, l2_F3, l2_F5, l2_F6
-/// @param[in] Ts - parts of the secret key: T1, T4, T3
-///
-void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_calculate_Q_from_F(ext_cpk_t *Qs, const sk_t *Fs, const sk_t *Ts);
-
-
-///
-/// @brief Computing parts of the sk from parts of pk and sk
-///
-/// @param[out] Fs - parts of the sk: l1_F1, l1_F2, l2_F1, l2_F2, l2_F3, l2_F5, l2_F6
-/// @param[in] Qs - parts of the pk: l1_Q1, l1_Q2, l2_Q1, l2_Q2, l2_Q3, l2_Q5, l2_Q6
-/// @param[in] Ts - parts of the sk: T1, T4, T3
-///
-void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_calculate_F_from_Q(sk_t *Fs, const sk_t *Qs, sk_t *Ts);
-
-///
-/// @brief Computing parts of the pk from the secret key
-///
-/// @param[out] Qs - parts of the pk: l1_Q3, l1_Q5, l2_Q6, l1_Q9, l2_Q9
-/// @param[in] Fs - parts of the sk: l1_F1, l1_F2, l2_F1, l2_F2, l2_F3, l2_F5, l2_F6
-/// @param[in] Ts - parts of the sk: T1, T4, T3
-///
-void PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_calculate_Q_from_F_cyclic(cpk_t *Qs, const sk_t *Fs, const sk_t *Ts);
-
-#endif // _RAINBOW_KEYPAIR_COMP_H_
diff --git a/crypto_sign/rainbowIII-compressed/clean/sign.c b/crypto_sign/rainbowIII-compressed/clean/sign.c
deleted file mode 100644
index 59eb8991..00000000
--- a/crypto_sign/rainbowIII-compressed/clean/sign.c
+++ /dev/null
@@ -1,76 +0,0 @@ -/// @file sign.c -/// @brief the implementations for functions in api.h -/// -/// - -#include "api.h" -#include "rainbow.h" -#include "rainbow_config.h" -#include "rainbow_keypair.h" -#include "randombytes.h" -#include "utils_hash.h" -#include -#include - -int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_crypto_sign_keypair(unsigned char *pk, unsigned char *sk) { - unsigned char sk_seed[LEN_SKSEED] = {0}; - randombytes(sk_seed, LEN_SKSEED); - - unsigned char pk_seed[LEN_PKSEED] = {0}; - randombytes(pk_seed, LEN_PKSEED); - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_generate_compact_keypair_cyclic((cpk_t *)pk, (csk_t *)sk, pk_seed, sk_seed); - return 0; -} - -int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_crypto_sign(unsigned char *sm, size_t *smlen, const unsigned char *m, size_t mlen, const unsigned char *sk) { - unsigned char digest[_HASH_LEN]; - - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_hash_msg(digest, _HASH_LEN, m, mlen); - - memcpy(sm, m, mlen); - smlen[0] = mlen + _SIGNATURE_BYTE; - - return PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_rainbow_sign_cyclic(sm + mlen, (const csk_t *)sk, digest); -} - -int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_crypto_sign_open(unsigned char *m, size_t *mlen, const unsigned char *sm, size_t smlen, const unsigned char *pk) { - int rc; - if (_SIGNATURE_BYTE > smlen) { - rc = -1; - } else { - *mlen = smlen - _SIGNATURE_BYTE; - - unsigned char digest[_HASH_LEN]; - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_hash_msg(digest, _HASH_LEN, sm, *mlen); - - rc = PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_rainbow_verify_cyclic(digest, sm + mlen[0], (const cpk_t *)pk); - } - if (!rc) { - memmove(m, sm, smlen - _SIGNATURE_BYTE); - } else { // bad signature - *mlen = (size_t) -1; - memset(m, 0, smlen); - } - return rc; -} - -int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - unsigned char digest[_HASH_LEN]; - - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_hash_msg(digest, _HASH_LEN, m, mlen); - 
*siglen = _SIGNATURE_BYTE; - return PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_rainbow_sign_cyclic(sig, (const csk_t *)sk, digest); -} - -int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - if (siglen != _SIGNATURE_BYTE) { - return -1; - } - unsigned char digest[_HASH_LEN]; - PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_hash_msg(digest, _HASH_LEN, m, mlen); - return PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_rainbow_verify_cyclic(digest, sig, (const cpk_t *)pk); -} diff --git a/crypto_sign/rainbowIII-compressed/clean/utils_hash.c b/crypto_sign/rainbowIII-compressed/clean/utils_hash.c deleted file mode 100644 index 74f5596e..00000000 --- a/crypto_sign/rainbowIII-compressed/clean/utils_hash.c +++ /dev/null @@ -1,50 +0,0 @@ -/// @file utils_hash.c -/// @brief the adapter for SHA2 families. -/// -/// - -#include "utils_hash.h" -#include "rainbow_config.h" -#include "sha2.h" - -static inline int h(unsigned char *digest, const unsigned char *m, size_t mlen) { - sha384(digest, m, mlen); - return 0; -} - -static inline int expand_hash(unsigned char *digest, size_t n_digest, const unsigned char *hash) { - if (_HASH_LEN >= n_digest) { - for (size_t i = 0; i < n_digest; i++) { - digest[i] = hash[i]; - } - return 0; - } - for (size_t i = 0; i < _HASH_LEN; i++) { - digest[i] = hash[i]; - } - n_digest -= _HASH_LEN; - - while (_HASH_LEN <= n_digest) { - h(digest + _HASH_LEN, digest, _HASH_LEN); - - n_digest -= _HASH_LEN; - digest += _HASH_LEN; - } - unsigned char temp[_HASH_LEN]; - if (n_digest) { - h(temp, digest, _HASH_LEN); - for (size_t i = 0; i < n_digest; i++) { - digest[_HASH_LEN + i] = temp[i]; - } - } - return 0; -} - -int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_hash_msg(unsigned char *digest, - size_t len_digest, - const unsigned char *m, - size_t mlen) { - unsigned char buf[_HASH_LEN]; - h(buf, m, mlen); - return expand_hash(digest, len_digest, buf); -} 
diff --git a/crypto_sign/rainbowIII-compressed/clean/utils_hash.h b/crypto_sign/rainbowIII-compressed/clean/utils_hash.h
deleted file mode 100644
index aa127899..00000000
--- a/crypto_sign/rainbowIII-compressed/clean/utils_hash.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef _UTILS_HASH_H_
-#define _UTILS_HASH_H_
-/// @file utils_hash.h
-/// @brief the interface for adapting hash functions.
-///
-
-#include
-
-int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_hash_msg(unsigned char *digest, size_t len_digest, const unsigned char *m, size_t mlen);
-
-#endif // _UTILS_HASH_H_
diff --git a/crypto_sign/rainbowIII-compressed/clean/utils_prng.c b/crypto_sign/rainbowIII-compressed/clean/utils_prng.c
deleted file mode 100644
index c865fd1e..00000000
--- a/crypto_sign/rainbowIII-compressed/clean/utils_prng.c
+++ /dev/null
@@ -1,97 +0,0 @@
-/// @file utils_prng.c
-/// @brief The implementation of PRNG related functions.
-///
-
-#include "utils_prng.h"
-#include "aes.h"
-#include "randombytes.h"
-#include "utils_hash.h"
-#include
-#include
-
-static void prng_update(const unsigned char *provided_data,
- unsigned char *Key,
- unsigned char *V) {
- unsigned char temp[48];
- aes256ctx ctx;
- aes256_ecb_keyexp(&ctx, Key);
- for (int i = 0; i < 3; i++) {
- //increment V
- for (int j = 15; j >= 0; j--) {
- if (V[j] == 0xff) {
- V[j] = 0x00;
- } else {
- V[j]++;
- break;
- }
- }
- aes256_ecb(temp + 16 * i, V, 1, &ctx);
- }
- if (provided_data != NULL) {
- for (int i = 0; i < 48; i++) {
- temp[i] ^= provided_data[i];
- }
- }
- aes256_ctx_release(&ctx);
- memcpy(Key, temp, 32);
- memcpy(V, temp + 32, 16);
-}
-static void randombytes_init_with_state(prng_t *state,
- unsigned char *entropy_input_48bytes) {
- memset(state->Key, 0x00, 32);
- memset(state->V, 0x00, 16);
- prng_update(entropy_input_48bytes, state->Key, state->V);
-}
-
-static int randombytes_with_state(prng_t *state,
- unsigned char *x,
- size_t xlen) {
-
- unsigned char block[16];
- int i = 0;
-
- aes256ctx ctx;
- aes256_ecb_keyexp(&ctx, state->Key);
-
- while (xlen > 0) {
- //increment V
- for (int j = 15; j >= 0; j--) {
- if (state->V[j] == 0xff) {
- state->V[j] = 0x00;
- } else {
- state->V[j]++;
- break;
- }
- }
- aes256_ecb(block, state->V, 1, &ctx);
- if (xlen > 15) {
- memcpy(x + i, block, 16);
- i += 16;
- xlen -= 16;
- } else {
- memcpy(x + i, block, xlen);
- xlen = 0;
- }
- }
- aes256_ctx_release(&ctx);
- prng_update(NULL, state->Key, state->V);
- return 0;
-}
-
-int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_prng_set(prng_t *ctx, const void *prng_seed, unsigned long prng_seedlen) {
- unsigned char seed[48];
- if (prng_seedlen >= 48) {
- memcpy(seed, prng_seed, 48);
- } else {
- memcpy(seed, prng_seed, prng_seedlen);
- PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_hash_msg(seed + prng_seedlen, 48 - (unsigned)prng_seedlen, (const unsigned char *)prng_seed, prng_seedlen);
- }
-
- randombytes_init_with_state(ctx, seed);
-
- return 0;
-}
-
-int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_prng_gen(prng_t *ctx, unsigned char *out, unsigned long outlen) {
- return randombytes_with_state(ctx, out, outlen);
-}
diff --git a/crypto_sign/rainbowIII-compressed/clean/utils_prng.h b/crypto_sign/rainbowIII-compressed/clean/utils_prng.h
deleted file mode 100644
index c7f76c46..00000000
--- a/crypto_sign/rainbowIII-compressed/clean/utils_prng.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef _UTILS_PRNG_H_
-#define _UTILS_PRNG_H_
-/// @file utils_prng.h
-/// @brief the interface for adapting PRNG functions.
-///
-///
-
-#include "randombytes.h"
-
-typedef struct {
- unsigned char Key[32];
- unsigned char V[16];
-} prng_t;
-
-int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_prng_set(prng_t *ctx, const void *prng_seed, unsigned long prng_seedlen);
-int PQCLEAN_RAINBOWIIICOMPRESSED_CLEAN_prng_gen(prng_t *ctx, unsigned char *out, unsigned long outlen);
-
-#endif // _UTILS_PRNG_H_
diff --git a/crypto_sign/rainbowV-circumzenithal/META.yml b/crypto_sign/rainbowV-circumzenithal/META.yml
deleted file mode 100644
index d3b8f7e9..00000000
--- a/crypto_sign/rainbowV-circumzenithal/META.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-name: "RAINBOW(256,96,36,64) - circumzenithal"
-type: signature
-claimed-nist-level: 5
-length-public-key: 536136
-length-secret-key: 1408736
-length-signature: 212
-nistkat-sha256: fba7a186c7f809da0d7ee0dcbc64d2573d824b44e539539b30c7ef1a36911760
-testvectors-sha256: 917d50fa2bd37eacbc977a877bc50b5f3dcbed7c5d9e7baf02bde13f25b0fbc7
-principal-submitters:
- - Jintai Ding
-auxiliary-submitters:
- - Ming-Shing Chen
- - Matthias Kannwischer
- - Jacques Patarin
- - Albrecht Petzoldt
- - Dieter Schmidt
- - Bo-Yin Yang
-implementations:
- - name: clean
- version: https://github.com/fast-crypto-lab/rainbow-submission-round2/commit/173ada0e077e1b9dbd8e4a78994f87acc0c92263
diff --git a/crypto_sign/rainbowV-circumzenithal/clean/LICENSE b/crypto_sign/rainbowV-circumzenithal/clean/LICENSE
deleted file mode 100644
index cb00a6e3..00000000
--- a/crypto_sign/rainbowV-circumzenithal/clean/LICENSE
+++ /dev/null
@@ -1,8 +0,0 @@
-`Software implementation of Rainbow for NIST R2 submission' by Ming-Shing Chen
-
-To the extent possible under law, the person who associated CC0 with
-`Software implementation of Rainbow for NIST R2 submission' has waived all copyright and related or neighboring rights
-to `Software implementation of Rainbow for NIST R2 submission'.
-
-You should have received a copy of the CC0 legalcode along with this
-work. If not, see .
diff --git a/crypto_sign/rainbowV-circumzenithal/clean/Makefile.Microsoft_nmake b/crypto_sign/rainbowV-circumzenithal/clean/Makefile.Microsoft_nmake
deleted file mode 100644
index df8b952e..00000000
--- a/crypto_sign/rainbowV-circumzenithal/clean/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=librainbowV-circumzenithal_clean.lib
-OBJECTS = blas_comm.obj parallel_matrix_op.obj rainbow.obj rainbow_keypair.obj rainbow_keypair_computation.obj sign.obj utils_hash.obj utils_prng.obj blas.obj gf.obj
-
-CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_sign/rainbowV-circumzenithal/clean/api.h b/crypto_sign/rainbowV-circumzenithal/clean/api.h
deleted file mode 100644
index f5f49c79..00000000
--- a/crypto_sign/rainbowV-circumzenithal/clean/api.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_API_H
-#define PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_API_H
-
-#include
-#include
-
-#define PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_CRYPTO_SECRETKEYBYTES 1408736
-#define PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_CRYPTO_PUBLICKEYBYTES 536136
-#define PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_CRYPTO_BYTES 212
-#define PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_CRYPTO_ALGNAME "RAINBOW(256,96,36,64) - circumzenithal"
-
-int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-
-int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-
-#endif
diff --git a/crypto_sign/rainbowV-circumzenithal/clean/blas.c b/crypto_sign/rainbowV-circumzenithal/clean/blas.c
deleted file mode 100644
index 8a3fa971..00000000
--- a/crypto_sign/rainbowV-circumzenithal/clean/blas.c
+++ /dev/null
@@ -1,31 +0,0 @@
-#include "blas.h"
-#include "gf.h"
-
-#include
-
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_predicated_add(uint8_t *accu_b, uint8_t predicate, const uint8_t *a, size_t _num_byte) {
- uint8_t pr_u8 = (uint8_t) ((uint8_t) 0 - predicate);
- for (size_t i = 0; i < _num_byte; i++) {
- accu_b[i] ^= (a[i] & pr_u8);
- }
-}
-
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_add(uint8_t *accu_b, const uint8_t *a, size_t _num_byte) {
- for (size_t i = 0; i < _num_byte; i++) {
- accu_b[i] ^= a[i];
- }
-}
-
-
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_mul_scalar(uint8_t *a, uint8_t b, size_t _num_byte) {
- for (size_t i = 0; i < _num_byte; i++) {
- a[i] = PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256_mul(a[i], b);
- }
-}
-
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_madd(uint8_t *accu_c, const uint8_t *a, uint8_t gf256_b, size_t _num_byte) {
- for (size_t i = 0; i < _num_byte; i++) {
- accu_c[i] ^= PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256_mul(a[i], gf256_b);
- }
-}
-
diff --git a/crypto_sign/rainbowV-circumzenithal/clean/blas.h b/crypto_sign/rainbowV-circumzenithal/clean/blas.h
deleted file mode 100644
index dffa9531..00000000
--- a/crypto_sign/rainbowV-circumzenithal/clean/blas.h
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef _BLAS_H_
-#define _BLAS_H_
-/// @file blas.h
-/// @brief Functions for implementing basic linear algebra functions.
-///
-
-#include "rainbow_config.h"
-#include
-#include
-
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_predicated_add(uint8_t *accu_b, uint8_t predicate, const uint8_t *a, size_t _num_byte);
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_add(uint8_t *accu_b, const uint8_t *a, size_t _num_byte);
-
-
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_mul_scalar(uint8_t *a, uint8_t b, size_t _num_byte);
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_madd(uint8_t *accu_c, const uint8_t *a, uint8_t gf256_b, size_t _num_byte);
-
-
-#endif // _BLAS_H_
diff --git a/crypto_sign/rainbowV-circumzenithal/clean/blas_comm.c b/crypto_sign/rainbowV-circumzenithal/clean/blas_comm.c
deleted file mode 100644
index 5cd14d03..00000000
--- a/crypto_sign/rainbowV-circumzenithal/clean/blas_comm.c
+++ /dev/null
@@ -1,144 +0,0 @@
-/// @file blas_comm.c
-/// @brief The standard implementations for blas_comm.h
-///
-
-#include "blas_comm.h"
-#include "blas.h"
-#include "gf.h"
-#include "rainbow_config.h"
-
-#include
-#include
-
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_set_zero(uint8_t *b, unsigned int _num_byte) {
- for (size_t i = 0; i < _num_byte; i++) {
- b[i] = 0;
- }
-}
-/// @brief get an element from GF(256) vector .
-///
-/// @param[in] a - the input vector a.
-/// @param[in] i - the index in the vector a.
-/// @return the value of the element.
-///
-uint8_t PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_get_ele(const uint8_t *a, unsigned int i) {
- return a[i];
-}
-
-unsigned int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_is_zero(const uint8_t *a, unsigned int _num_byte) {
- uint8_t r = 0;
- while (_num_byte--) {
- r |= a[0];
- a++;
- }
- return (0 == r);
-}
-
-/// polynomial multplication
-/// School boook
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_polymul(uint8_t *c, const uint8_t *a, const uint8_t *b, unsigned int _num) {
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_set_zero(c, _num * 2 - 1);
- for (unsigned int i = 0; i < _num; i++) {
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_madd(c + i, a, b[i], _num);
- }
-}
-
-static void gf256mat_prod_ref(uint8_t *c, const uint8_t *matA, unsigned int n_A_vec_byte, unsigned int n_A_width, const uint8_t *b) {
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_set_zero(c, n_A_vec_byte);
- for (unsigned int i = 0; i < n_A_width; i++) {
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_madd(c, matA, b[i], n_A_vec_byte);
- matA += n_A_vec_byte;
- }
-}
-
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256mat_mul(uint8_t *c, const uint8_t *a, const uint8_t *b, unsigned int len_vec) {
- unsigned int n_vec_byte = len_vec;
- for (unsigned int k = 0; k < len_vec; k++) {
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_set_zero(c, n_vec_byte);
- const uint8_t *bk = b + n_vec_byte * k;
- for (unsigned int i = 0; i < len_vec; i++) {
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_madd(c, a + n_vec_byte * i, bk[i], n_vec_byte);
- }
- c += n_vec_byte;
- }
-}
-
-static unsigned int gf256mat_gauss_elim_ref(uint8_t *mat, unsigned int h, unsigned int w) {
- unsigned int r8 = 1;
-
- for (unsigned int i = 0; i < h; i++) {
- uint8_t *ai = mat + w * i;
- unsigned int skip_len_align4 = i & ((unsigned int)~0x3);
-
- for (unsigned int j = i + 1; j < h; j++) {
- uint8_t *aj = mat + w * j;
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_predicated_add(ai + skip_len_align4, 1 ^ PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256_is_nonzero(ai[i]), aj + skip_len_align4, w - skip_len_align4);
- }
- r8 &= PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256_is_nonzero(ai[i]);
- uint8_t pivot = ai[i];
- pivot = PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256_inv(pivot);
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_mul_scalar(ai + skip_len_align4, pivot, w - skip_len_align4);
- for (unsigned int j = 0; j < h; j++) {
- if (i == j) {
- continue;
- }
- uint8_t *aj = mat + w * j;
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_madd(aj + skip_len_align4, ai + skip_len_align4, aj[i], w - skip_len_align4);
- }
- }
-
- return r8;
-}
-
-static unsigned int gf256mat_solve_linear_eq_ref(uint8_t *sol, const uint8_t *inp_mat, const uint8_t *c_terms, unsigned int n) {
- uint8_t mat[64 * 64];
- for (unsigned int i = 0; i < n; i++) {
- memcpy(mat + i * (n + 1), inp_mat + i * n, n);
- mat[i * (n + 1) + n] = c_terms[i];
- }
- unsigned int r8 = PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256mat_gauss_elim(mat, n, n + 1);
- for (unsigned int i = 0; i < n; i++) {
- sol[i] = mat[i * (n + 1) + n];
- }
- return r8;
-}
-
-static inline void gf256mat_submat(uint8_t *mat2, unsigned int w2, unsigned int st, const uint8_t *mat, unsigned int w, unsigned int h) {
- for (unsigned int i = 0; i < h; i++) {
- for (unsigned int j = 0; j < w2; j++) {
- mat2[i * w2 + j] = mat[i * w + st + j];
- }
- }
-}
-
-unsigned int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256mat_inv(uint8_t *inv_a, const uint8_t *a, unsigned int H, uint8_t *buffer) {
- uint8_t *aa = buffer;
- for (unsigned int i = 0; i < H; i++) {
- uint8_t *ai = aa + i * 2 * H;
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_set_zero(ai, 2 * H);
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_add(ai, a + i * H, H);
- ai[H + i] = 1;
- }
- unsigned int r8 = PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256mat_gauss_elim(aa, H, 2 * H);
- gf256mat_submat(inv_a, H, H, aa, 2 * H, H);
- return r8;
-}
-
-
-// choosing the implementations depends on the macros _BLAS_AVX2_ and _BLAS_SSE
-
-#define gf256mat_prod_impl gf256mat_prod_ref
-#define gf256mat_gauss_elim_impl gf256mat_gauss_elim_ref
-#define gf256mat_solve_linear_eq_impl gf256mat_solve_linear_eq_ref
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256mat_prod(uint8_t *c, const uint8_t *matA, unsigned int n_A_vec_byte, unsigned int n_A_width, const uint8_t *b) {
- gf256mat_prod_impl(c, matA, n_A_vec_byte, n_A_width, b);
-}
-
-unsigned int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256mat_gauss_elim(uint8_t *mat, unsigned int h, unsigned int w) {
- return gf256mat_gauss_elim_impl(mat, h, w);
-}
-
-unsigned int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256mat_solve_linear_eq(uint8_t *sol, const uint8_t *inp_mat, const uint8_t *c_terms, unsigned int n) {
- return gf256mat_solve_linear_eq_impl(sol, inp_mat, c_terms, n);
-}
-
diff --git a/crypto_sign/rainbowV-circumzenithal/clean/blas_comm.h b/crypto_sign/rainbowV-circumzenithal/clean/blas_comm.h
deleted file mode 100644
index 195010ad..00000000
--- a/crypto_sign/rainbowV-circumzenithal/clean/blas_comm.h
+++ /dev/null
@@ -1,90 +0,0 @@
-#ifndef _BLAS_COMM_H_
-#define _BLAS_COMM_H_
-/// @file blas_comm.h
-/// @brief Common functions for linear algebra.
-///
-
-#include "rainbow_config.h"
-#include
-
-/// @brief set a vector to 0.
-///
-/// @param[in,out] b - the vector b.
-/// @param[in] _num_byte - number of bytes for the vector b.
-///
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_set_zero(uint8_t *b, unsigned int _num_byte);
-
-/// @brief get an element from GF(256) vector .
-///
-/// @param[in] a - the input vector a.
-/// @param[in] i - the index in the vector a.
-/// @return the value of the element.
-///
-uint8_t PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_get_ele(const uint8_t *a, unsigned int i);
-
-/// @brief check if a vector is 0.
-///
-/// @param[in] a - the vector a.
-/// @param[in] _num_byte - number of bytes for the vector a.
-/// @return 1(true) if a is 0. 0(false) else.
-///
-unsigned int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_is_zero(const uint8_t *a, unsigned int _num_byte);
-
-/// @brief polynomial multiplication: c = a*b
-///
-/// @param[out] c - the output polynomial c
-/// @param[in] a - the vector a.
-/// @param[in] b - the vector b.
-/// @param[in] _num - number of elements for the polynomials a and b.
-///
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_polymul(uint8_t *c, const uint8_t *a, const uint8_t *b, unsigned int _num);
-
-/// @brief matrix-vector multiplication: c = matA * b , in GF(256)
-///
-/// @param[out] c - the output vector c
-/// @param[in] matA - a column-major matrix A.
-/// @param[in] n_A_vec_byte - the size of column vectors in bytes.
-/// @param[in] n_A_width - the width of matrix A.
-/// @param[in] b - the vector b.
-///
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256mat_prod(uint8_t *c, const uint8_t *matA, unsigned int n_A_vec_byte, unsigned int n_A_width, const uint8_t *b);
-
-/// @brief matrix-matrix multiplication: c = a * b , in GF(256)
-///
-/// @param[out] c - the output matrix c
-/// @param[in] c - a matrix a.
-/// @param[in] b - a matrix b.
-/// @param[in] len_vec - the length of column vectors.
-///
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256mat_mul(uint8_t *c, const uint8_t *a, const uint8_t *b, unsigned int len_vec);
-
-/// @brief Gauss elimination for a matrix, in GF(256)
-///
-/// @param[in,out] mat - the matrix.
-/// @param[in] h - the height of the matrix.
-/// @param[in] w - the width of the matrix.
-/// @return 1(true) if success. 0(false) if the matrix is singular.
-///
-unsigned int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256mat_gauss_elim(uint8_t *mat, unsigned int h, unsigned int w);
-
-/// @brief Solving linear equations, in GF(256)
-///
-/// @param[out] sol - the solutions.
-/// @param[in] inp_mat - the matrix parts of input equations.
-/// @param[in] c_terms - the constant terms of the input equations.
-/// @param[in] n - the number of equations.
-/// @return 1(true) if success. 0(false) if the matrix is singular.
-///
-unsigned int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256mat_solve_linear_eq(uint8_t *sol, const uint8_t *inp_mat, const uint8_t *c_terms, unsigned int n);
-
-/// @brief Computing the inverse matrix, in GF(256)
-///
-/// @param[out] inv_a - the output of matrix a.
-/// @param[in] a - a matrix a.
-/// @param[in] H - height of matrix a, i.e., matrix a is an HxH matrix.
-/// @param[in] buffer - The buffer for computations. it has to be as large as 2 input matrixes.
-/// @return 1(true) if success. 0(false) if the matrix is singular.
-///
-unsigned int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256mat_inv(uint8_t *inv_a, const uint8_t *a, unsigned int H, uint8_t *buffer);
-
-#endif // _BLAS_COMM_H_
diff --git a/crypto_sign/rainbowV-circumzenithal/clean/gf.c b/crypto_sign/rainbowV-circumzenithal/clean/gf.c
deleted file mode 100644
index db522649..00000000
--- a/crypto_sign/rainbowV-circumzenithal/clean/gf.c
+++ /dev/null
@@ -1,91 +0,0 @@
-#include "gf.h"
-
-//// gf4 := gf2[x]/x^2+x+1
-static inline uint8_t gf4_mul_2(uint8_t a) {
- uint8_t r = (uint8_t)(a << 1);
- r ^= (uint8_t)((a >> 1) * 7);
- return r;
-}
-
-static inline uint8_t gf4_mul(uint8_t a, uint8_t b) {
- uint8_t r = (uint8_t)(a * (b & 1));
- return r ^ (uint8_t)(gf4_mul_2(a) * (b >> 1));
-}
-
-static inline uint8_t gf4_squ(uint8_t a) {
- return a ^ (a >> 1);
-}
-
-//// gf16 := gf4[y]/y^2+y+x
-uint8_t PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf16_mul(uint8_t a, uint8_t b) {
- uint8_t a0 = a & 3;
- uint8_t a1 = (a >> 2);
- uint8_t b0 = b & 3;
- uint8_t b1 = (b >> 2);
- uint8_t a0b0 = gf4_mul(a0, b0);
- uint8_t a1b1 = gf4_mul(a1, b1);
- uint8_t a0b1_a1b0 = gf4_mul(a0 ^ a1, b0 ^ b1) ^ a0b0 ^ a1b1;
- uint8_t a1b1_x2 = gf4_mul_2(a1b1);
- return (uint8_t)((a0b1_a1b0 ^ a1b1) << 2 ^ a0b0 ^ a1b1_x2);
-}
-
-static inline uint8_t gf16_squ(uint8_t a) {
- uint8_t a0 = a & 3;
- uint8_t a1 = (a >> 2);
- a1 = gf4_squ(a1);
- uint8_t a1squ_x2 = gf4_mul_2(a1);
- return (uint8_t)((a1 << 2) ^ a1squ_x2 ^ gf4_squ(a0));
-}
-
-uint8_t PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256_is_nonzero(uint8_t a) {
- unsigned int a8 = a;
- unsigned int r = ((unsigned int)0) - a8;
- r >>= 8;
- return r & 1;
-}
-
-static inline uint8_t gf4_mul_3(uint8_t a) {
- uint8_t msk = (uint8_t)((a - 2) >> 1);
- return (uint8_t)((msk & ((int)a * 3)) | ((~msk) & ((int)a - 1)));
-}
-static inline uint8_t gf16_mul_8(uint8_t a) {
- uint8_t a0 = a & 3;
- uint8_t a1 = a >> 2;
- return (uint8_t)((gf4_mul_2(a0 ^ a1) << 2) | gf4_mul_3(a1));
-}
-
-// gf256 := gf16[X]/X^2+X+xy
-uint8_t PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256_mul(uint8_t a, uint8_t b) {
- uint8_t a0 = a & 15;
- uint8_t a1 = (a >> 4);
- uint8_t b0 = b & 15;
- uint8_t b1 = (b >> 4);
- uint8_t a0b0 = PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf16_mul(a0, b0);
- uint8_t a1b1 = PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf16_mul(a1, b1);
- uint8_t a0b1_a1b0 = PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf16_mul(a0 ^ a1, b0 ^ b1) ^ a0b0 ^ a1b1;
- uint8_t a1b1_x8 = gf16_mul_8(a1b1);
- return (uint8_t)((a0b1_a1b0 ^ a1b1) << 4 ^ a0b0 ^ a1b1_x8);
-}
-
-static inline uint8_t gf256_squ(uint8_t a) {
- uint8_t a0 = a & 15;
- uint8_t a1 = (a >> 4);
- a1 = gf16_squ(a1);
- uint8_t a1squ_x8 = gf16_mul_8(a1);
- return (uint8_t)((a1 << 4) ^ a1squ_x8 ^ gf16_squ(a0));
-}
-
-uint8_t PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256_inv(uint8_t a) {
- // 128+64+32+16+8+4+2 = 254
- uint8_t a2 = gf256_squ(a);
- uint8_t a4 = gf256_squ(a2);
- uint8_t a8 = gf256_squ(a4);
- uint8_t a4_2 = PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256_mul(a4, a2);
- uint8_t a8_4_2 = PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256_mul(a4_2, a8);
- uint8_t a64_ = gf256_squ(a8_4_2);
- a64_ = gf256_squ(a64_);
- a64_ = gf256_squ(a64_);
- uint8_t a64_2 = PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256_mul(a64_, a8_4_2);
- uint8_t a128_ = gf256_squ(a64_2);
- return PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256_mul(a2, a128_);
-}
diff --git a/crypto_sign/rainbowV-circumzenithal/clean/gf.h b/crypto_sign/rainbowV-circumzenithal/clean/gf.h
deleted file mode 100644
index f5247053..00000000
--- a/crypto_sign/rainbowV-circumzenithal/clean/gf.h
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef _GF16_H_
-#define _GF16_H_
-
-#include "rainbow_config.h"
-#include
-
-/// @file gf16.h
-/// @brief Library for arithmetics in GF(16) and GF(256)
-///
-
-uint8_t PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf16_mul(uint8_t a, uint8_t b);
-
-
-uint8_t PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256_is_nonzero(uint8_t a);
-uint8_t PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256_inv(uint8_t a);
-uint8_t PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256_mul(uint8_t a, uint8_t b);
-
-
-#endif // _GF16_H_
diff --git a/crypto_sign/rainbowV-circumzenithal/clean/parallel_matrix_op.c b/crypto_sign/rainbowV-circumzenithal/clean/parallel_matrix_op.c
deleted file mode 100644
index 2143c47e..00000000
--- a/crypto_sign/rainbowV-circumzenithal/clean/parallel_matrix_op.c
+++ /dev/null
@@ -1,183 +0,0 @@
-/// @file parallel_matrix_op.c
-/// @brief the standard implementations for functions in parallel_matrix_op.h
-///
-/// the standard implementations for functions in parallel_matrix_op.h
-///
-
-#include "parallel_matrix_op.h"
-#include "blas.h"
-#include "blas_comm.h"
-
-///
-/// @brief Calculate the corresponding index in an array for an upper-triangle(UT) matrix.
-///
-/// @param[in] i_row - the i-th row in an upper-triangle matrix.
-/// @param[in] j_col - the j-th column in an upper-triangle matrix.
-/// @param[in] dim - the dimension of the upper-triangle matrix, i.e., an dim x dim matrix.
-/// @return the corresponding index in an array storage.
-///
-unsigned int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_idx_of_trimat(unsigned int i_row, unsigned int j_col, unsigned int dim) {
- return (dim + dim - i_row + 1) * i_row / 2 + j_col - i_row;
-}
-
-///
-/// @brief Calculate the corresponding index in an array for an upper-triangle or lower-triangle matrix.
-///
-/// @param[in] i_row - the i-th row in a triangle matrix.
-/// @param[in] j_col - the j-th column in a triangle matrix.
-/// @param[in] dim - the dimension of the triangle matrix, i.e., an dim x dim matrix.
-/// @return the corresponding index in an array storage.
-///
-static inline unsigned int idx_of_2trimat(unsigned int i_row, unsigned int j_col, unsigned int n_var) {
- if (i_row > j_col) {
- return PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_idx_of_trimat(j_col, i_row, n_var);
- }
- return PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_idx_of_trimat(i_row, j_col, n_var);
-}
-
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_UpperTrianglize(unsigned char *btriC, const unsigned char *bA, unsigned int Awidth, unsigned int size_batch) {
- unsigned char *runningC = btriC;
- unsigned int Aheight = Awidth;
- for (unsigned int i = 0; i < Aheight; i++) {
- for (unsigned int j = 0; j < i; j++) {
- unsigned int idx = PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_idx_of_trimat(j, i, Aheight);
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_add(btriC + idx * size_batch, bA + size_batch * (i * Awidth + j), size_batch);
- }
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_add(runningC, bA + size_batch * (i * Awidth + i), size_batch * (Aheight - i));
- runningC += size_batch * (Aheight - i);
- }
-}
-
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_trimat_madd_gf256(unsigned char *bC, const unsigned char *btriA,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch) {
- unsigned int Awidth = Bheight;
- unsigned int Aheight = Awidth;
- for (unsigned int i = 0; i < Aheight; i++) {
- for (unsigned int j = 0; j < Bwidth; j++) {
- for (unsigned int k = 0; k < Bheight; k++) {
- if (k < i) {
- continue;
- }
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_madd(bC, &btriA[(k - i) * size_batch], PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_get_ele(&B[j * size_Bcolvec], k), size_batch);
- }
- bC += size_batch;
- }
- btriA += (Aheight - i) * size_batch;
- }
-}
-
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_trimatTr_madd_gf256(unsigned char *bC, const unsigned char *btriA,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch) {
- unsigned int Aheight = Bheight;
- for (unsigned int i = 0; i < Aheight; i++) {
- for (unsigned int j = 0; j < Bwidth; j++) {
- for (unsigned int k = 0; k < Bheight; k++) {
- if (i < k) {
- continue;
- }
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_madd(bC, &btriA[size_batch * (PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_idx_of_trimat(k, i, Aheight))], PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_get_ele(&B[j * size_Bcolvec], k), size_batch);
- }
- bC += size_batch;
- }
- }
-}
-
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_2trimat_madd_gf256(unsigned char *bC, const unsigned char *btriA,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch) {
- unsigned int Aheight = Bheight;
- for (unsigned int i = 0; i < Aheight; i++) {
- for (unsigned int j = 0; j < Bwidth; j++) {
- for (unsigned int k = 0; k < Bheight; k++) {
- if (i == k) {
- continue;
- }
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_madd(bC, &btriA[size_batch * (idx_of_2trimat(i, k, Aheight))], PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_get_ele(&B[j * size_Bcolvec], k), size_batch);
- }
- bC += size_batch;
- }
- }
-}
-
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_matTr_madd_gf256(unsigned char *bC, const unsigned char *A_to_tr, unsigned int Aheight, unsigned int size_Acolvec, unsigned int Awidth,
- const unsigned char *bB, unsigned int Bwidth, unsigned int size_batch) {
- unsigned int Atr_height = Awidth;
- unsigned int Atr_width = Aheight;
- for (unsigned int i = 0; i < Atr_height; i++) {
- for (unsigned int j = 0; j < Atr_width; j++) {
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_madd(bC, &bB[j * Bwidth * size_batch], PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_get_ele(&A_to_tr[size_Acolvec * i], j), size_batch * Bwidth);
- }
- bC += size_batch * Bwidth;
- }
-}
-
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_bmatTr_madd_gf256(unsigned char *bC, const unsigned char *bA_to_tr, unsigned int Awidth_before_tr,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch) {
- const unsigned char *bA = bA_to_tr;
- unsigned int Aheight = Awidth_before_tr;
- for (unsigned int i = 0; i < Aheight; i++) {
- for (unsigned int j = 0; j < Bwidth; j++) {
- for (unsigned int k = 0; k < Bheight; k++) {
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_madd(bC, &bA[size_batch * (i + k * Aheight)], PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_get_ele(&B[j * size_Bcolvec], k), size_batch);
- }
- bC += size_batch;
- }
- }
-}
-
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_mat_madd_gf256(unsigned char *bC, const unsigned char *bA, unsigned int Aheight,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch) {
- unsigned int Awidth = Bheight;
- for (unsigned int i = 0; i < Aheight; i++) {
- for (unsigned int j = 0; j < Bwidth; j++) {
- for (unsigned int k = 0; k < Bheight; k++) {
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_madd(bC, &bA[k * size_batch], PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_get_ele(&B[j * size_Bcolvec], k), size_batch);
- }
- bC += size_batch;
- }
- bA += (Awidth) * size_batch;
- }
-}
-
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_quad_trimat_eval_gf256(unsigned char *y, const unsigned char *trimat, const unsigned char *x, unsigned int dim, unsigned int size_batch) {
- unsigned char tmp[256];
-
- unsigned char _x[256];
- for (unsigned int i = 0; i < dim; i++) {
- _x[i] = PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_get_ele(x, i);
- }
-
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_set_zero(y, size_batch);
- for (unsigned int i = 0; i < dim; i++) {
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_set_zero(tmp, size_batch);
- for (unsigned int j = i; j < dim; j++) {
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_madd(tmp, trimat, _x[j], size_batch);
- trimat += size_batch;
- }
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_madd(y, tmp, _x[i], size_batch);
- }
-}
-
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_quad_recmat_eval_gf256(unsigned char *z, const unsigned char *y, unsigned int dim_y, const unsigned char *mat,
- const unsigned char *x, unsigned dim_x, unsigned size_batch) {
- unsigned char tmp[128];
-
- unsigned char _x[128];
- for (unsigned int i = 0; i < dim_x; i++) {
- _x[i] = PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_get_ele(x, i);
- }
- unsigned char _y[128];
- for (unsigned int i = 0; i < dim_y; i++) {
- _y[i] = PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_get_ele(y, i);
- }
-
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_set_zero(z, size_batch);
- for (unsigned int i = 0; i < dim_y; i++) {
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_set_zero(tmp, size_batch);
- for (unsigned int j = 0; j < dim_x; j++) {
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_madd(tmp, mat, _x[j], size_batch);
- mat += size_batch;
- }
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_madd(z, tmp, _y[i], size_batch);
- }
-}
-
diff --git a/crypto_sign/rainbowV-circumzenithal/clean/parallel_matrix_op.h b/crypto_sign/rainbowV-circumzenithal/clean/parallel_matrix_op.h
deleted file mode 100644
index 02209235..00000000
--- a/crypto_sign/rainbowV-circumzenithal/clean/parallel_matrix_op.h
+++ /dev/null
@@ -1,260 +0,0 @@
-#ifndef _P_MATRIX_OP_H_
-#define _P_MATRIX_OP_H_
-/// @file parallel_matrix_op.h
-/// @brief Librarys for operations of batched matrixes.
-///
-///
-
-//////////////// Section: triangle matrix <-> rectangle matrix ///////////////////////////////////
-
-///
-/// @brief Calculate the corresponding index in an array for an upper-triangle(UT) matrix.
-///
-/// @param[in] i_row - the i-th row in an upper-triangle matrix.
-/// @param[in] j_col - the j-th column in an upper-triangle matrix.
-/// @param[in] dim - the dimension of the upper-triangle matrix, i.e., an dim x dim matrix.
-/// @return the corresponding index in an array storage.
-///
-unsigned int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_idx_of_trimat(unsigned int i_row, unsigned int j_col, unsigned int dim);
-
-///
-/// @brief Upper trianglize a rectangle matrix to the corresponding upper-trangle matrix.
-///
-/// @param[out] btriC - the batched upper-trianglized matrix C.
-/// @param[in] bA - a batched retangle matrix A.
-/// @param[in] bwidth - the width of the batched matrix A, i.e., A is a Awidth x Awidth matrix.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_UpperTrianglize(unsigned char *btriC, const unsigned char *bA, unsigned int Awidth, unsigned int size_batch);
-
-//////////////////// Section: matrix multiplications ///////////////////////////////
-
-///
-/// @brief bC += btriA * B , in GF(16)
-///
-/// @param[out] bC - the batched matrix C.
-/// @param[in] btriA - a batched UT matrix A.
-/// @param[in] B - a column-major matrix B.
-/// @param[in] Bheight - the height of B.
-/// @param[in] size_Bcolvec - the size of the column vector in B.
-/// @param[in] Bwidth - the width of B.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_trimat_madd_gf16(unsigned char *bC, const unsigned char *btriA,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch);
-
-///
-/// @brief bC += btriA * B , in GF(256)
-///
-/// @param[out] bC - the batched matrix C.
-/// @param[in] btriA - a batched UT matrix A.
-/// @param[in] B - a column-major matrix B.
-/// @param[in] Bheight - the height of B.
-/// @param[in] size_Bcolvec - the size of the column vector in B.
-/// @param[in] Bwidth - the width of B.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_trimat_madd_gf256(unsigned char *bC, const unsigned char *btriA,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch);
-
-///
-/// @brief bC += btriA^Tr * B , in GF(16)
-///
-/// @param[out] bC - the batched matrix C.
-/// @param[in] btriA - a batched UT matrix A. A will be transposed while multiplying.
-/// @param[in] B - a column-major matrix B.
-/// @param[in] Bheight - the height of B.
-/// @param[in] size_Bcolvec - the size of the column vector in B.
-/// @param[in] Bwidth - the width of B.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_trimatTr_madd_gf16(unsigned char *bC, const unsigned char *btriA,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch);
-
-///
-/// @brief bC += btriA^Tr * B , in GF(256)
-///
-/// @param[out] bC - the batched matrix C.
-/// @param[in] btriA - a batched UT matrix A, which will be transposed while multiplying.
-/// @param[in] B - a column-major matrix B.
-/// @param[in] Bheight - the height of B.
-/// @param[in] size_Bcolvec - the size of the column vector in B.
-/// @param[in] Bwidth - the width of B.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_trimatTr_madd_gf256(unsigned char *bC, const unsigned char *btriA,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch);
-
-///
-/// @brief bC += (btriA + btriA^Tr) *B , in GF(16)
-///
-/// @param[out] bC - the batched matrix C.
-/// @param[in] btriA - a batched UT matrix A. The operand for multiplication is (btriA + btriA^Tr).
-/// @param[in] B - a column-major matrix B.
-/// @param[in] Bheight - the height of B.
-/// @param[in] size_Bcolvec - the size of the column vector in B.
-/// @param[in] Bwidth - the width of B.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_2trimat_madd_gf16(unsigned char *bC, const unsigned char *btriA,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch);
-
-///
-/// @brief bC += (btriA + btriA^Tr) *B , in GF(256)
-///
-/// @param[out] bC - the batched matrix C.
-/// @param[in] btriA - a batched UT matrix A. The operand for multiplication is (btriA + btriA^Tr).
-/// @param[in] B - a column-major matrix B.
-/// @param[in] Bheight - the height of B.
-/// @param[in] size_Bcolvec - the size of the column vector in B.
-/// @param[in] Bwidth - the width of B.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_2trimat_madd_gf256(unsigned char *bC, const unsigned char *btriA,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch);
-
-///
-/// @brief bC += A^Tr * bB , in GF(16)
-///
-/// @param[out] bC - the batched matrix C.
-/// @param[in] A_to_tr - a column-major matrix A. The operand for multiplication is A^Tr.
-/// @param[in] Aheight - the height of A.
-/// @param[in] size_Acolvec - the size of a column vector in A.
-/// @param[in] Awidth - the width of A.
-/// @param[in] bB - a batched matrix B.
-/// @param[in] Bwidth - the width of B.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_matTr_madd_gf16(unsigned char *bC,
- const unsigned char *A_to_tr, unsigned int Aheight, unsigned int size_Acolvec, unsigned int Awidth,
- const unsigned char *bB, unsigned int Bwidth, unsigned int size_batch);
-
-///
-/// @brief bC += A^Tr * bB , in GF(256)
-///
-/// @param[out] bC - the batched matrix C.
-/// @param[in] A_to_tr - a column-major matrix A. The operand for multiplication is A^Tr.
-/// @param[in] Aheight - the height of A.
-/// @param[in] size_Acolvec - the size of a column vector in A.
-/// @param[in] Awidth - the width of A.
-/// @param[in] bB - a batched matrix B.
-/// @param[in] Bwidth - the width of B.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_matTr_madd_gf256(unsigned char *bC,
- const unsigned char *A_to_tr, unsigned int Aheight, unsigned int size_Acolvec, unsigned int Awidth,
- const unsigned char *bB, unsigned int Bwidth, unsigned int size_batch);
-
-///
-/// @brief bC += bA^Tr * B , in GF(16)
-///
-/// @param[out] bC - the batched matrix C.
-/// @param[in] bA_to_tr - a batched matrix A. The operand for multiplication is (bA^Tr).
-/// @param[in] Awidth_befor_tr - the width of A.
-/// @param[in] B - a column-major matrix B.
-/// @param[in] Bheight - the height of B.
-/// @param[in] size_Bcolvec - the size of the column vector in B.
-/// @param[in] Bwidth - the width of B.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_bmatTr_madd_gf16(unsigned char *bC, const unsigned char *bA_to_tr, unsigned int Awidth_before_tr,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch);
-
-///
-/// @brief bC += bA^Tr * B , in GF(256)
-///
-/// @param[out] bC - the batched matrix C.
-/// @param[in] bA_to_tr - a batched matrix A. The operand for multiplication is (bA^Tr).
-/// @param[in] Awidth_befor_tr - the width of A.
-/// @param[in] B - a column-major matrix B.
-/// @param[in] Bheight - the height of B.
-/// @param[in] size_Bcolvec - the size of the column vector in B.
-/// @param[in] Bwidth - the width of B.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_bmatTr_madd_gf256(unsigned char *bC, const unsigned char *bA_to_tr, unsigned int Awidth_before_tr,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch);
-
-///
-/// @brief bC += bA * B , in GF(16)
-///
-/// @param[out] bC - the batched matrix C.
-/// @param[in] bA - a batched matrix A.
-/// @param[in] Aheigh - the height of A.
-/// @param[in] B - a column-major matrix B.
-/// @param[in] Bheight - the height of B.
-/// @param[in] size_Bcolvec - the size of the column vector in B.
-/// @param[in] Bwidth - the width of B.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_mat_madd_gf16(unsigned char *bC, const unsigned char *bA, unsigned int Aheight,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch);
-
-///
-/// @brief bC += bA * B , in GF(256)
-///
-/// @param[out] bC - the batched matrix C.
-/// @param[in] bA - a batched matrix A.
-/// @param[in] Aheigh - the height of A.
-/// @param[in] B - a column-major matrix B.
-/// @param[in] Bheight - the height of B.
-/// @param[in] size_Bcolvec - the size of the column vector in B.
-/// @param[in] Bwidth - the width of B.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_mat_madd_gf256(unsigned char *bC, const unsigned char *bA, unsigned int Aheight,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch);
-
-//////////////////// Section: "quadratric" matrix evaluation ///////////////////////////////
-
-///
-/// @brief y = x^Tr * trimat * x , in GF(16)
-///
-/// @param[out] y - the returned batched element y.
-/// @param[in] trimat - a batched matrix.
-/// @param[in] x - an input vector x.
-/// @param[in] dim - the dimension of matrix trimat (and x).
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_quad_trimat_eval_gf16(unsigned char *y, const unsigned char *trimat, const unsigned char *x, unsigned int dim, unsigned int size_batch);
-
-///
-/// @brief y = x^Tr * trimat * x , in GF(256)
-///
-/// @param[out] y - the returned batched element y.
-/// @param[in] trimat - a batched matrix.
-/// @param[in] x - an input vector x.
-/// @param[in] dim - the dimension of matrix trimat (and x).
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_quad_trimat_eval_gf256(unsigned char *y, const unsigned char *trimat, const unsigned char *x, unsigned int dim, unsigned int size_batch);
-
-///
-/// @brief z = y^Tr * mat * x , in GF(16)
-///
-/// @param[out] z - the returned batched element z.
-/// @param[in] y - an input vector y.
-/// @param[in] dim_y - the length of y.
-/// @param[in] mat - a batched matrix.
-/// @param[in] x - an input vector x.
-/// @param[in] dim_x - the length of x.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_quad_recmat_eval_gf16(unsigned char *z, const unsigned char *y, unsigned int dim_y,
- const unsigned char *mat, const unsigned char *x, unsigned int dim_x, unsigned int size_batch);
-
-///
-/// @brief z = y^Tr * mat * x , in GF(256)
-///
-/// @param[out] z - the returned batched element z.
-/// @param[in] y - an input vector y.
-/// @param[in] dim_y - the length of y.
-/// @param[in] mat - a batched matrix.
-/// @param[in] x - an input vector x.
-/// @param[in] dim_x - the length of x.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_quad_recmat_eval_gf256(unsigned char *z, const unsigned char *y, unsigned int dim_y,
- const unsigned char *mat, const unsigned char *x, unsigned int dim_x, unsigned int size_batch);
-
-#endif // _P_MATRIX_OP_H_
diff --git a/crypto_sign/rainbowV-circumzenithal/clean/rainbow.c b/crypto_sign/rainbowV-circumzenithal/clean/rainbow.c
deleted file mode 100644
index 93ee9726..00000000
--- a/crypto_sign/rainbowV-circumzenithal/clean/rainbow.c
+++ /dev/null
@@ -1,173 +0,0 @@
-/// @file rainbow.c
-/// @brief The standard implementations for functions in rainbow.h
-///
-
-#include "blas.h"
-#include "parallel_matrix_op.h"
-#include "rainbow.h"
-#include "rainbow_blas.h"
-#include "rainbow_config.h"
-#include "rainbow_keypair.h"
-#include "utils_hash.h"
-#include "utils_prng.h"
-#include
-#include
-#include
-
-#define MAX_ATTEMPT_FRMAT 128
-
-int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_rainbow_sign(uint8_t *signature, const sk_t *sk, const uint8_t *_digest) {
- uint8_t mat_l1[_O1 * _O1_BYTE];
- uint8_t mat_l2[_O2 * _O2_BYTE];
- uint8_t mat_buffer[2 * _MAX_O * _MAX_O_BYTE];
-
- // setup PRNG
- prng_t prng_sign;
- uint8_t prng_preseed[LEN_SKSEED + _HASH_LEN];
- memcpy(prng_preseed, sk->sk_seed, LEN_SKSEED);
- memcpy(prng_preseed + LEN_SKSEED, _digest, _HASH_LEN); // prng_preseed = sk_seed || digest
- uint8_t prng_seed[_HASH_LEN];
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_hash_msg(prng_seed, _HASH_LEN, prng_preseed, _HASH_LEN + LEN_SKSEED);
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_prng_set(&prng_sign, prng_seed, _HASH_LEN); // seed = H( sk_seed || digest )
- for (unsigned int i = 0; i < LEN_SKSEED + _HASH_LEN; i++) {
- prng_preseed[i] ^= prng_preseed[i]; // clean
- }
- for (unsigned int i = 0; i < _HASH_LEN; i++) {
- prng_seed[i] ^= prng_seed[i]; // clean
- }
-
- // roll vinegars.
- uint8_t vinegar[_V1_BYTE];
- unsigned int n_attempt = 0;
- unsigned int l1_succ = 0;
- while (!l1_succ) {
- if (MAX_ATTEMPT_FRMAT <= n_attempt) {
- break;
- }
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_prng_gen(&prng_sign, vinegar, _V1_BYTE); // generating vinegars
- gfmat_prod(mat_l1, sk->l1_F2, _O1 * _O1_BYTE, _V1, vinegar); // generating the linear equations for layer 1
- l1_succ = gfmat_inv(mat_l1, mat_l1, _O1, mat_buffer); // check if the linear equation solvable
- n_attempt++;
- }
-
- // Given the vinegars, pre-compute variables needed for layer 2
- uint8_t r_l1_F1[_O1_BYTE] = {0};
- uint8_t r_l2_F1[_O2_BYTE] = {0};
- batch_quad_trimat_eval(r_l1_F1, sk->l1_F1, vinegar, _V1, _O1_BYTE);
- batch_quad_trimat_eval(r_l2_F1, sk->l2_F1, vinegar, _V1, _O2_BYTE);
- uint8_t mat_l2_F3[_O2 * _O2_BYTE];
- uint8_t mat_l2_F2[_O1 * _O2_BYTE];
- gfmat_prod(mat_l2_F3, sk->l2_F3, _O2 * _O2_BYTE, _V1, vinegar);
- gfmat_prod(mat_l2_F2, sk->l2_F2, _O1 * _O2_BYTE, _V1, vinegar);
-
- // Some local variables.
- uint8_t _z[_PUB_M_BYTE];
- uint8_t y[_PUB_M_BYTE];
- uint8_t *x_v1 = vinegar;
- uint8_t x_o1[_O1_BYTE];
- uint8_t x_o2[_O2_BYTE];
-
- uint8_t digest_salt[_HASH_LEN + _SALT_BYTE];
- memcpy(digest_salt, _digest, _HASH_LEN);
- uint8_t *salt = digest_salt + _HASH_LEN;
-
- uint8_t temp_o[_MAX_O_BYTE + 32] = {0};
- unsigned int succ = 0;
- while (!succ) {
- if (MAX_ATTEMPT_FRMAT <= n_attempt) {
- break;
- }
- // The computation: H(digest||salt) --> z --S--> y --C-map--> x --T--> w
-
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_prng_gen(&prng_sign, salt, _SALT_BYTE); // roll the salt
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_hash_msg(_z, _PUB_M_BYTE, digest_salt, _HASH_LEN + _SALT_BYTE); // H(digest||salt)
-
- // y = S^-1 * z
- memcpy(y, _z, _PUB_M_BYTE); // identity part of S
- gfmat_prod(temp_o, sk->s1, _O1_BYTE, _O2, _z + _O1_BYTE);
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_add(y, temp_o, _O1_BYTE);
-
- // Central Map:
- // layer 1: calculate x_o1
- memcpy(temp_o, r_l1_F1, _O1_BYTE);
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_add(temp_o, y, _O1_BYTE);
- gfmat_prod(x_o1, mat_l1, _O1_BYTE, _O1, temp_o);
-
- // layer 2: calculate x_o2
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_set_zero(temp_o, _O2_BYTE);
- gfmat_prod(temp_o, mat_l2_F2, _O2_BYTE, _O1, x_o1); // F2
- batch_quad_trimat_eval(mat_l2, sk->l2_F5, x_o1, _O1, _O2_BYTE); // F5
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_add(temp_o, mat_l2, _O2_BYTE);
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_add(temp_o, r_l2_F1, _O2_BYTE); // F1
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_add(temp_o, y + _O1_BYTE, _O2_BYTE);
-
- // generate the linear equations of the 2nd layer
- gfmat_prod(mat_l2, sk->l2_F6, _O2 * _O2_BYTE, _O1, x_o1); // F6
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_add(mat_l2, mat_l2_F3, _O2 * _O2_BYTE); // F3
- succ = gfmat_inv(mat_l2, mat_l2, _O2, mat_buffer);
- gfmat_prod(x_o2, mat_l2, _O2_BYTE, _O2, temp_o); // solve l2 eqs
-
- n_attempt++;
- };
- // w = T^-1 * y
- uint8_t w[_PUB_N_BYTE];
- // identity part of T.
- memcpy(w, x_v1, _V1_BYTE);
- memcpy(w + _V1_BYTE, x_o1, _O1_BYTE);
- memcpy(w + _V2_BYTE, x_o2, _O2_BYTE);
- // Computing the t1 part.
- gfmat_prod(y, sk->t1, _V1_BYTE, _O1, x_o1);
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_add(w, y, _V1_BYTE);
- // Computing the t4 part.
- gfmat_prod(y, sk->t4, _V1_BYTE, _O2, x_o2);
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_add(w, y, _V1_BYTE);
- // Computing the t3 part.
- gfmat_prod(y, sk->t3, _O1_BYTE, _O2, x_o2);
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_add(w + _V1_BYTE, y, _O1_BYTE);
-
- memset(signature, 0, _SIGNATURE_BYTE); // set the output 0
- // clean
- memset(&prng_sign, 0, sizeof(prng_t));
- memset(vinegar, 0, _V1_BYTE);
- memset(r_l1_F1, 0, _O1_BYTE);
- memset(r_l2_F1, 0, _O2_BYTE);
- memset(_z, 0, _PUB_M_BYTE);
- memset(y, 0, _PUB_M_BYTE);
- memset(x_o1, 0, _O1_BYTE);
- memset(x_o2, 0, _O2_BYTE);
- memset(temp_o, 0, sizeof(temp_o));
-
- // return: copy w and salt to the signature.
- if (MAX_ATTEMPT_FRMAT <= n_attempt) {
- return -1;
- }
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_add(signature, w, _PUB_N_BYTE);
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_add(signature + _PUB_N_BYTE, salt, _SALT_BYTE);
- return 0;
-}
-
-int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_rainbow_verify(const uint8_t *digest, const uint8_t *signature, const pk_t *pk) {
- unsigned char digest_ck[_PUB_M_BYTE];
- // public_map( digest_ck , pk , signature ); Evaluating the quadratic public polynomials.
- batch_quad_trimat_eval(digest_ck, pk->pk, signature, _PUB_N, _PUB_M_BYTE);
-
- unsigned char correct[_PUB_M_BYTE];
- unsigned char digest_salt[_HASH_LEN + _SALT_BYTE];
- memcpy(digest_salt, digest, _HASH_LEN);
- memcpy(digest_salt + _HASH_LEN, signature + _PUB_N_BYTE, _SALT_BYTE);
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_hash_msg(correct, _PUB_M_BYTE, digest_salt, _HASH_LEN + _SALT_BYTE); // H( digest || salt )
-
- // check consistancy.
- unsigned char cc = 0;
- for (unsigned int i = 0; i < _PUB_M_BYTE; i++) {
- cc |= (digest_ck[i] ^ correct[i]);
- }
- return (0 == cc) ? 0 : -1;
-}
-
-
-int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_rainbow_verify_cyclic(const uint8_t *digest, const uint8_t *signature, const cpk_t *_pk) {
- unsigned char pk[sizeof(pk_t) + 32];
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_cpk_to_pk((pk_t *)pk, _pk); // generating classic public key.
- return PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_rainbow_verify(digest, signature, (pk_t *)pk);
-}
diff --git a/crypto_sign/rainbowV-circumzenithal/clean/rainbow.h b/crypto_sign/rainbowV-circumzenithal/clean/rainbow.h
deleted file mode 100644
index 36763f09..00000000
--- a/crypto_sign/rainbowV-circumzenithal/clean/rainbow.h
+++ /dev/null
@@ -1,42 +0,0 @@
-#ifndef _RAINBOW_H_
-#define _RAINBOW_H_
-/// @file rainbow.h
-/// @brief APIs for rainbow.
-///
-
-#include "rainbow_config.h"
-#include "rainbow_keypair.h"
-
-#include
-
-///
-/// @brief Signing function for classical secret key.
-///
-/// @param[out] signature - the signature.
-/// @param[in] sk - the secret key.
-/// @param[in] digest - the digest.
-///
-int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_rainbow_sign(uint8_t *signature, const sk_t *sk, const uint8_t *digest);
-
-///
-/// @brief Verifying function.
-///
-/// @param[in] digest - the digest.
-/// @param[in] signature - the signature.
-/// @param[in] pk - the public key.
-/// @return 0 for successful verified. -1 for failed verification.
-///
-int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_rainbow_verify(const uint8_t *digest, const uint8_t *signature, const pk_t *pk);
-
-
-///
-/// @brief Verifying function for cyclic public keys.
-///
-/// @param[in] digest - the digest.
-/// @param[in] signature - the signature.
-/// @param[in] pk - the public key of cyclic rainbow.
-/// @return 0 for successful verified. -1 for failed verification.
-///
-int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_rainbow_verify_cyclic(const uint8_t *digest, const uint8_t *signature, const cpk_t *pk);
-
-#endif // _RAINBOW_H_
diff --git a/crypto_sign/rainbowV-circumzenithal/clean/rainbow_blas.h b/crypto_sign/rainbowV-circumzenithal/clean/rainbow_blas.h
deleted file mode 100644
index 2d28765c..00000000
--- a/crypto_sign/rainbowV-circumzenithal/clean/rainbow_blas.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef _RAINBOW_BLAS_H_
-#define _RAINBOW_BLAS_H_
-/// @file rainbow_blas.h
-/// @brief Defining the functions used in rainbow.c acconding to the definitions in rainbow_config.h
-///
-/// Defining the functions used in rainbow.c acconding to the definitions in rainbow_config.h
-
-#include "blas.h"
-#include "blas_comm.h"
-#include "parallel_matrix_op.h"
-#include "rainbow_config.h"
-
-
-#define gfv_get_ele PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_get_ele
-#define gfv_mul_scalar PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_mul_scalar
-#define gfv_madd PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_madd
-
-#define gfmat_prod PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256mat_prod
-#define gfmat_inv PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256mat_inv
-
-#define batch_trimat_madd PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_trimat_madd_gf256
-#define batch_trimatTr_madd PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_trimatTr_madd_gf256
-#define batch_2trimat_madd PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_2trimat_madd_gf256
-#define batch_matTr_madd PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_matTr_madd_gf256
-#define batch_bmatTr_madd PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_bmatTr_madd_gf256
-#define batch_mat_madd PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_mat_madd_gf256
-
-#define batch_quad_trimat_eval PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_quad_trimat_eval_gf256
-#define batch_quad_recmat_eval PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_batch_quad_recmat_eval_gf256
-
-
-#endif // _RAINBOW_BLAS_H_
diff --git a/crypto_sign/rainbowV-circumzenithal/clean/rainbow_config.h b/crypto_sign/rainbowV-circumzenithal/clean/rainbow_config.h
deleted file mode 100644
index e668ff3c..00000000
--- a/crypto_sign/rainbowV-circumzenithal/clean/rainbow_config.h
+++ /dev/null
@@ -1,48 +0,0 @@
-#ifndef _H_RAINBOW_CONFIG_H_
-#define _H_RAINBOW_CONFIG_H_
-
-/// @file rainbow_config.h
-/// @brief Defining the parameters of the Rainbow and the corresponding constants.
-///
-
-#define _GFSIZE 256
-#define _V1 96
-#define _O1 36
-#define _O2 64
-#define _MAX_O 64
-#define _HASH_LEN 64
-
-
-#define _V2 ((_V1) + (_O1))
-
-/// size of N, in # of gf elements.
-#define _PUB_N (_V1 + _O1 + _O2)
-
-/// size of M, in # gf elements.
-#define _PUB_M (_O1 + _O2)
-
-/// size of variables, in # bytes.
-
-// GF256
-#define _V1_BYTE (_V1)
-#define _V2_BYTE (_V2)
-#define _O1_BYTE (_O1)
-#define _O2_BYTE (_O2)
-#define _MAX_O_BYTE (_MAX_O)
-#define _PUB_N_BYTE (_PUB_N)
-#define _PUB_M_BYTE (_PUB_M)
-
-
-/// length of seed for public key, in # bytes
-#define LEN_PKSEED 32
-
-/// length of seed for secret key, in # bytes
-#define LEN_SKSEED 32
-
-/// length of salt for a signature, in # bytes
-#define _SALT_BYTE 16
-
-/// length of a signature
-#define _SIGNATURE_BYTE (_PUB_N_BYTE + _SALT_BYTE)
-
-#endif // _H_RAINBOW_CONFIG_H_
diff --git a/crypto_sign/rainbowV-circumzenithal/clean/rainbow_keypair.c b/crypto_sign/rainbowV-circumzenithal/clean/rainbow_keypair.c
deleted file mode 100644
index 5ee23bdf..00000000
--- a/crypto_sign/rainbowV-circumzenithal/clean/rainbow_keypair.c
+++ /dev/null
@@ -1,186 +0,0 @@
-/// @file rainbow_keypair.c
-/// @brief implementations of functions in rainbow_keypair.h
-///
-
-#include "rainbow_keypair.h"
-#include "blas.h"
-#include "blas_comm.h"
-#include "rainbow_blas.h"
-#include "rainbow_keypair_computation.h"
-#include "utils_prng.h"
-#include
-#include
-#include
-
-static
-void generate_S_T( unsigned char *s_and_t, prng_t *prng0 ) {
- sk_t *_sk;
- unsigned size;
-
- size = sizeof(_sk->s1);
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_prng_gen( prng0, s_and_t, size );
- s_and_t += size;
-
- size = sizeof(_sk->t1);
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_prng_gen( prng0, s_and_t, size );
- s_and_t += size;
-
- size = sizeof(_sk->t4);
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_prng_gen( prng0, s_and_t, size );
- s_and_t += size;
-
- size = sizeof(_sk->t3);
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_prng_gen( prng0, s_and_t, size );
-}
-
-
-static
-unsigned generate_l1_F12( unsigned char *sk, prng_t *prng0 ) {
- unsigned n_byte_generated = 0;
- sk_t *_sk;
- unsigned size;
-
- size = sizeof(_sk->l1_F1);
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_prng_gen( prng0, sk, size );
- sk += size;
- n_byte_generated += size;
-
- size = sizeof(_sk->l1_F2);
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_prng_gen( prng0, sk, size );
- n_byte_generated += size;
-
- return n_byte_generated;
-}
-
-
-static
-unsigned generate_l2_F12356( unsigned char *sk, prng_t *prng0 ) {
- unsigned n_byte_generated = 0;
- sk_t *_sk;
- unsigned size;
-
- size = sizeof(_sk->l2_F1);
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_prng_gen( prng0, sk, size );
- sk += size;
- n_byte_generated += size;
-
- size = sizeof(_sk->l2_F2);
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_prng_gen( prng0, sk, size );
- sk += size;
- n_byte_generated += size;
-
- size = sizeof(_sk->l2_F3);
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_prng_gen( prng0, sk, size );
- sk += size;
- n_byte_generated += size;
-
- size = sizeof(_sk->l2_F5);
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_prng_gen( prng0, sk, size );
- sk += size;
- n_byte_generated += size;
-
- size = sizeof(_sk->l2_F6);
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_prng_gen( prng0, sk, size );
- n_byte_generated += size;
-
- return n_byte_generated;
-}
-
-
-static void generate_B1_B2(unsigned char *sk, prng_t *prng0) {
- sk += generate_l1_F12(sk, prng0);
- generate_l2_F12356(sk, prng0);
-}
-
-static void calculate_t4(unsigned char *t2_to_t4, const unsigned char *t1, const unsigned char *t3) {
- // t4 = T_sk.t1 * T_sk.t3 - T_sk.t2
- unsigned char temp[_V1_BYTE + 32];
- unsigned char *t4 = t2_to_t4;
- for (unsigned int i = 0; i < _O2; i++) { /// t3 width
- gfmat_prod(temp, t1, _V1_BYTE, _O1, t3);
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_add(t4, temp, _V1_BYTE);
- t4 += _V1_BYTE;
- t3 += _O1_BYTE;
- }
-}
-
-static void obsfucate_l1_polys(unsigned char *l1_polys, const unsigned char *l2_polys, unsigned int n_terms, const unsigned char *s1) {
- unsigned char temp[_O1_BYTE + 32];
- while (n_terms--) {
- gfmat_prod(temp, s1, _O1_BYTE, _O2, l2_polys);
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_gf256v_add(l1_polys, temp, _O1_BYTE);
- l1_polys += _O1_BYTE;
- l2_polys += _O2_BYTE;
- }
-}
-
-/////////////////// Classic //////////////////////////////////
-
-
-///////////////////// Cyclic //////////////////////////////////
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_generate_keypair_cyclic(cpk_t *pk, sk_t *sk, const unsigned char *pk_seed, const unsigned char *sk_seed) {
- memcpy(pk->pk_seed, pk_seed, LEN_PKSEED);
- memcpy(sk->sk_seed, sk_seed, LEN_SKSEED);
-
- // prng for sk
- prng_t prng;
- prng_t *prng0 = &prng;
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_prng_set(prng0, sk_seed, LEN_SKSEED);
- generate_S_T(sk->s1, prng0); // S,T: only a part of sk
-
- unsigned char t2[sizeof(sk->t4)];
- memcpy(t2, sk->t4, _V1_BYTE * _O2); // temporarily store t2
- calculate_t4(sk->t4, sk->t1, sk->t3); // t2 <- t4
-
- // prng for pk
- sk_t inst_Qs;
- sk_t *Qs = &inst_Qs;
- prng_t *prng1 = &prng;
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_prng_set(prng1, pk_seed, LEN_PKSEED);
- generate_B1_B2(Qs->l1_F1, prng1); // generating l1_Q1, l1_Q2, l2_Q1, l2_Q2, l2_Q3, l2_Q5, l2_Q6
- obsfucate_l1_polys(Qs->l1_F1, Qs->l2_F1, N_TRIANGLE_TERMS(_V1), sk->s1);
- obsfucate_l1_polys(Qs->l1_F2, Qs->l2_F2, _V1 * _O1, sk->s1);
- // so far, the Qs contains l1_F1, l1_F2, l2_F1, l2_F2, l2_F3, l2_F5, l2_F6.
-
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_calculate_F_from_Q(sk, Qs, sk); // calcuate the rest parts of secret key from Qs and S,T
-
- unsigned char t4[sizeof(sk->t4)];
- memcpy(t4, sk->t4, _V1_BYTE * _O2); // temporarily store t4
- memcpy(sk->t4, t2, _V1_BYTE * _O2); // restore t2
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_calculate_Q_from_F_cyclic(pk, sk, sk); // calculate the rest parts of public key: l1_Q3, l1_Q5, l1_Q6, l1_Q9, l2_Q9
- memcpy(sk->t4, t4, _V1_BYTE * _O2); // restore t4
-
- obsfucate_l1_polys(pk->l1_Q3, Qs->l2_F3, _V1 * _O2, sk->s1);
- obsfucate_l1_polys(pk->l1_Q5, Qs->l2_F5, N_TRIANGLE_TERMS(_O1), sk->s1);
- obsfucate_l1_polys(pk->l1_Q6, Qs->l2_F6, _O1 * _O2, sk->s1);
- obsfucate_l1_polys(pk->l1_Q9, pk->l2_Q9, N_TRIANGLE_TERMS(_O2), sk->s1);
-
- // clean
- memset(&prng, 0, sizeof(prng_t));
-}
-
-
-
-void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_cpk_to_pk(pk_t *rpk, const cpk_t *cpk) {
- // procedure: cpk_t --> extcpk_t --> pk_t
-
- // convert from cpk_t to extcpk_t
- ext_cpk_t pk;
-
- // setup prng
- prng_t prng0;
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_prng_set(&prng0, cpk->pk_seed, LEN_SKSEED);
-
- // generating parts of key with prng
- generate_l1_F12(pk.l1_Q1, &prng0);
- // copying parts of key from input. l1_Q3, l1_Q5, l1_Q6, l1_Q9
- memcpy(pk.l1_Q3, cpk->l1_Q3, _O1_BYTE * (_V1 * _O2 + N_TRIANGLE_TERMS(_O1) + _O1 * _O2 + N_TRIANGLE_TERMS(_O2)));
-
- // generating parts of key with prng
- generate_l2_F12356(pk.l2_Q1, &prng0);
- // copying parts of key from input: l2_Q9
- memcpy(pk.l2_Q9, cpk->l2_Q9, _O2_BYTE * N_TRIANGLE_TERMS(_O2));
-
- // convert from extcpk_t to pk_t
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_extcpk_to_pk(rpk, &pk);
-}
diff --git a/crypto_sign/rainbowV-circumzenithal/clean/rainbow_keypair.h b/crypto_sign/rainbowV-circumzenithal/clean/rainbow_keypair.h
deleted file mode 100644
index 16e0e1b9..00000000
--- a/crypto_sign/rainbowV-circumzenithal/clean/rainbow_keypair.h
+++ /dev/null
@@ -1,94 +0,0 @@ -#ifndef _RAINBOW_KEYPAIR_H_ -#define _RAINBOW_KEYPAIR_H_ -/// @file rainbow_keypair.h -/// @brief Formats of key pairs and functions for generating key pairs. -/// Formats of key pairs and functions for generating key pairs. -/// - -#include "rainbow_config.h" - -#define N_TRIANGLE_TERMS(n_var) ((n_var) * ((n_var) + 1) / 2) - -/// @brief public key for classic rainbow -/// -/// public key for classic rainbow -/// -typedef struct rainbow_publickey { - unsigned char pk[(_PUB_M_BYTE)*N_TRIANGLE_TERMS(_PUB_N)]; -} pk_t; - -/// @brief secret key for classic rainbow -/// -/// secret key for classic rainbow -/// -typedef struct rainbow_secretkey { - /// - /// seed for generating secret key. - /// Generating S, T, and F for classic rainbow. - /// Generating S and T only for cyclic rainbow. - unsigned char sk_seed[LEN_SKSEED]; - - unsigned char s1[_O1_BYTE * _O2]; ///< part of S map - unsigned char t1[_V1_BYTE * _O1]; ///< part of T map - unsigned char t4[_V1_BYTE * _O2]; ///< part of T map - unsigned char t3[_O1_BYTE * _O2]; ///< part of T map - - unsigned char l1_F1[_O1_BYTE * N_TRIANGLE_TERMS(_V1)]; ///< part of C-map, F1, Layer1 - unsigned char l1_F2[_O1_BYTE * _V1 * _O1]; ///< part of C-map, F2, Layer1 - - unsigned char l2_F1[_O2_BYTE * N_TRIANGLE_TERMS(_V1)]; ///< part of C-map, F1, Layer2 - unsigned char l2_F2[_O2_BYTE * _V1 * _O1]; ///< part of C-map, F2, Layer2 - - unsigned char l2_F3[_O2_BYTE * _V1 * _O2]; ///< part of C-map, F3, Layer2 - unsigned char l2_F5[_O2_BYTE * N_TRIANGLE_TERMS(_O1)]; ///< part of C-map, F5, Layer2 - unsigned char l2_F6[_O2_BYTE * _O1 * _O2]; ///< part of C-map, F6, Layer2 -} sk_t; - -/// @brief public key for cyclic rainbow -/// -/// public key for cyclic rainbow -/// -typedef struct rainbow_publickey_cyclic { - unsigned char pk_seed[LEN_PKSEED]; ///< seed for generating l1_Q1,l1_Q2,l2_Q1,l2_Q2,l2_Q3,l2_Q5,l2_Q6 - - unsigned char l1_Q3[_O1_BYTE * _V1 * _O2]; ///< Q3, layer1 - unsigned char l1_Q5[_O1_BYTE * 
N_TRIANGLE_TERMS(_O1)]; ///< Q5, layer1 - unsigned char l1_Q6[_O1_BYTE * _O1 * _O2]; ///< Q6, layer1 - unsigned char l1_Q9[_O1_BYTE * N_TRIANGLE_TERMS(_O2)]; ///< Q9, layer1 - - unsigned char l2_Q9[_O2_BYTE * N_TRIANGLE_TERMS(_O2)]; ///< Q9, layer2 -} cpk_t; - -/// @brief compressed secret key for cyclic rainbow -/// -/// compressed secret key for cyclic rainbow -/// -typedef struct rainbow_secretkey_cyclic { - unsigned char pk_seed[LEN_PKSEED]; ///< seed for generating a part of public key. - unsigned char sk_seed[LEN_SKSEED]; ///< seed for generating a part of secret key. -} csk_t; - - -/// -/// @brief Generate key pairs for cyclic rainbow. -/// -/// @param[out] pk - the public key. -/// @param[out] sk - the secret key. -/// @param[in] pk_seed - seed for generating parts of public key. -/// @param[in] sk_seed - seed for generating secret key. -/// -void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_generate_keypair_cyclic(cpk_t *pk, sk_t *sk, const unsigned char *pk_seed, const unsigned char *sk_seed); - - - -//////////////////////////////////// - -/// -/// @brief converting formats of public keys : from cyclic version to classic key -/// -/// @param[out] pk - the classic public key. -/// @param[in] cpk - the cyclic public key. -/// -void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_cpk_to_pk(pk_t *pk, const cpk_t *cpk); - -#endif // _RAINBOW_KEYPAIR_H_ diff --git a/crypto_sign/rainbowV-circumzenithal/clean/rainbow_keypair_computation.c b/crypto_sign/rainbowV-circumzenithal/clean/rainbow_keypair_computation.c deleted file mode 100644 index 21fa58e0..00000000 --- a/crypto_sign/rainbowV-circumzenithal/clean/rainbow_keypair_computation.c +++ /dev/null 
@@ -1,213 +0,0 @@ -/// @file rainbow_keypair_computation.c -/// @brief Implementations for functions in rainbow_keypair_computation.h -/// - -#include "rainbow_keypair_computation.h" -#include "blas.h" -#include "blas_comm.h" -#include "rainbow_blas.h" -#include "rainbow_keypair.h" -#include -#include -#include - -void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_extcpk_to_pk(pk_t *pk, const ext_cpk_t *cpk) { - const unsigned char *idx_l1 = cpk->l1_Q1; - const unsigned char *idx_l2 = cpk->l2_Q1; - for (unsigned int i = 0; i < _V1; i++) { - for (unsigned int j = i; j < _V1; j++) { - unsigned int pub_idx = PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_idx_of_trimat(i, j, _PUB_N); - memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE); - memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE); - idx_l1 += _O1_BYTE; - idx_l2 += _O2_BYTE; - } - } - idx_l1 = cpk->l1_Q2; - idx_l2 = cpk->l2_Q2; - for (unsigned int i = 0; i < _V1; i++) { - for (unsigned int j = _V1; j < _V1 + _O1; j++) { - unsigned int pub_idx = PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_idx_of_trimat(i, j, _PUB_N); - memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE); - memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE); - idx_l1 += _O1_BYTE; - idx_l2 += _O2_BYTE; - } - } - idx_l1 = cpk->l1_Q3; - idx_l2 = cpk->l2_Q3; - for (unsigned int i = 0; i < _V1; i++) { - for (unsigned int j = _V1 + _O1; j < _PUB_N; j++) { - unsigned int pub_idx = PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_idx_of_trimat(i, j, _PUB_N); - memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE); - memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE); - idx_l1 += _O1_BYTE; - idx_l2 += _O2_BYTE; - } - } - idx_l1 = cpk->l1_Q5; - idx_l2 = cpk->l2_Q5; - for (unsigned int i = _V1; i < _V1 + _O1; i++) { - for (unsigned int j = i; j < _V1 + _O1; j++) { - unsigned int pub_idx = PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_idx_of_trimat(i, j, _PUB_N); - memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE); - 
memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE); - idx_l1 += _O1_BYTE; - idx_l2 += _O2_BYTE; - } - } - idx_l1 = cpk->l1_Q6; - idx_l2 = cpk->l2_Q6; - for (unsigned int i = _V1; i < _V1 + _O1; i++) { - for (unsigned int j = _V1 + _O1; j < _PUB_N; j++) { - unsigned int pub_idx = PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_idx_of_trimat(i, j, _PUB_N); - memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE); - memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE); - idx_l1 += _O1_BYTE; - idx_l2 += _O2_BYTE; - } - } - idx_l1 = cpk->l1_Q9; - idx_l2 = cpk->l2_Q9; - for (unsigned int i = _V1 + _O1; i < _PUB_N; i++) { - for (unsigned int j = i; j < _PUB_N; j++) { - unsigned int pub_idx = PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_idx_of_trimat(i, j, _PUB_N); - memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE); - memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE); - idx_l1 += _O1_BYTE; - idx_l2 += _O2_BYTE; - } - } -} - -static void calculate_F_from_Q_ref(sk_t *Fs, const sk_t *Qs, sk_t *Ts) { - // Layer 1 - // F_sk.l1_F1s[i] = Q_pk.l1_F1s[i] - memcpy(Fs->l1_F1, Qs->l1_F1, _O1_BYTE * N_TRIANGLE_TERMS(_V1)); - - // F_sk.l1_F2s[i] = ( Q_pk.l1_F1s[i] + Q_pk.l1_F1s[i].transpose() ) * T_sk.t1 + Q_pk.l1_F2s[i] - memcpy(Fs->l1_F2, Qs->l1_F2, _O1_BYTE * _V1 * _O1); - batch_2trimat_madd(Fs->l1_F2, Qs->l1_F1, Ts->t1, _V1, _V1_BYTE, _O1, _O1_BYTE); - - /* - Layer 2 - computations: - - F_sk.l2_F1s[i] = Q_pk.l2_F1s[i] - - Q1_T1 = Q_pk.l2_F1s[i]*T_sk.t1 - F_sk.l2_F2s[i] = Q1_T1 + Q_pk.l2_F2s[i] + Q_pk.l2_F1s[i].transpose() * T_sk.t1 - F_sk.l2_F5s[i] = UT( t1_tr* ( Q1_T1 + Q_pk.l2_F2s[i] ) ) + Q_pk.l2_F5s[i] - - Q1_Q1T_T4 = (Q_pk.l2_F1s[i] + Q_pk.l2_F1s[i].transpose()) * t4 - #Q1_Q1T_T4 = Q1_Q1T * t4 - Q2_T3 = Q_pk.l2_F2s[i]*T_sk.t3 - F_sk.l2_F3s[i] = Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i] - F_sk.l2_F6s[i] = t1_tr * ( Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i] ) - + Q_pk.l2_F2s[i].transpose() * t4 - + (Q_pk.l2_F5s[i] + 
Q_pk.l2_F5s[i].transpose())*T_sk.t3 + Q_pk.l2_F6s[i] - - */ - memcpy(Fs->l2_F1, Qs->l2_F1, _O2_BYTE * N_TRIANGLE_TERMS(_V1)); // F_sk.l2_F1s[i] = Q_pk.l2_F1s[i] - - // F_sk.l2_F2s[i] = Q1_T1 + Q_pk.l2_F2s[i] + Q_pk.l2_F1s[i].transpose() * T_sk.t1 - // F_sk.l2_F5s[i] = UT( t1_tr* ( Q1_T1 + Q_pk.l2_F2s[i] ) ) + Q_pk.l2_F5s[i] - memcpy(Fs->l2_F2, Qs->l2_F2, _O2_BYTE * _V1 * _O1); - batch_trimat_madd(Fs->l2_F2, Qs->l2_F1, Ts->t1, _V1, _V1_BYTE, _O1, _O2_BYTE); // Q1_T1+ Q2 - - unsigned char tempQ[_O1 * _O1 * _O2_BYTE + 32]; - memset(tempQ, 0, _O1 * _O1 * _O2_BYTE); - batch_matTr_madd(tempQ, Ts->t1, _V1, _V1_BYTE, _O1, Fs->l2_F2, _O1, _O2_BYTE); // t1_tr*(Q1_T1+Q2) - memcpy(Fs->l2_F5, Qs->l2_F5, _O2_BYTE * N_TRIANGLE_TERMS(_O1)); // F5 - PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_UpperTrianglize(Fs->l2_F5, tempQ, _O1, _O2_BYTE); // UT( ... ) - - batch_trimatTr_madd(Fs->l2_F2, Qs->l2_F1, Ts->t1, _V1, _V1_BYTE, _O1, _O2_BYTE); // F2 = Q1_T1 + Q2 + Q1^tr*t1 - - // Q1_Q1T_T4 = (Q_pk.l2_F1s[i] + Q_pk.l2_F1s[i].transpose()) * t4 - // Q2_T3 = Q_pk.l2_F2s[i]*T_sk.t3 - // F_sk.l2_F3s[i] = Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i] - memcpy(Fs->l2_F3, Qs->l2_F3, _V1 * _O2 * _O2_BYTE); - batch_2trimat_madd(Fs->l2_F3, Qs->l2_F1, Ts->t4, _V1, _V1_BYTE, _O2, _O2_BYTE); // Q1_Q1T_T4 - batch_mat_madd(Fs->l2_F3, Qs->l2_F2, _V1, Ts->t3, _O1, _O1_BYTE, _O2, _O2_BYTE); // Q2_T3 - - // F_sk.l2_F6s[i] = t1_tr * ( Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i] ) - // + Q_pk.l2_F2s[i].transpose() * t4 - // + (Q_pk.l2_F5s[i] + Q_pk.l2_F5s[i].transpose())*T_sk.t3 + Q_pk.l2_F6s[i] - memcpy(Fs->l2_F6, Qs->l2_F6, _O1 * _O2 * _O2_BYTE); - batch_matTr_madd(Fs->l2_F6, Ts->t1, _V1, _V1_BYTE, _O1, Fs->l2_F3, _O2, _O2_BYTE); // t1_tr * ( Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i] ) - batch_2trimat_madd(Fs->l2_F6, Qs->l2_F5, Ts->t3, _O1, _O1_BYTE, _O2, _O2_BYTE); // (Q_pk.l2_F5s[i] + Q_pk.l2_F5s[i].transpose())*T_sk.t3 - batch_bmatTr_madd(Fs->l2_F6, Qs->l2_F2, _O1, Ts->t4, _V1, _V1_BYTE, _O2, _O2_BYTE); -} - -#define _SIZE_BUFFER_F2 
(_O2_BYTE * _V1 * _O2) -#define _SIZE_BUFFER_F3 (_O2_BYTE * _V1 * _O2) -static void calculate_Q_from_F_cyclic_ref(cpk_t *Qs, const sk_t *Fs, const sk_t *Ts) { - // Layer 1: Computing Q5, Q3, Q6, Q9 - - // Q_pk.l1_F5s[i] = UT( T1tr* (F1 * T1 + F2) ) - const unsigned char *t2 = Ts->t4; - - // assuming _O2 >= _O1 - - unsigned char buffer_F2[_SIZE_BUFFER_F2]; - memcpy(buffer_F2, Fs->l1_F2, _O1_BYTE * _V1 * _O1); - batch_trimat_madd( buffer_F2, Fs->l1_F1, Ts->t1, _V1, _V1_BYTE, _O1, _O1_BYTE); // F1*T1 + F2 - - // assuming _O2 >= _O1 - unsigned char buffer_F3[_SIZE_BUFFER_F3]; - memset(buffer_F3, 0, _O1_BYTE * _V1 * _O2); - batch_matTr_madd(buffer_F3, Ts->t1, _V1, _V1_BYTE, _O1, buffer_F2, _O1, _O1_BYTE); // T1tr*(F1*T1 + F2) , release buffer_F2 - memset(Qs->l1_Q5, 0, _O1_BYTE * N_TRIANGLE_TERMS(_O1)); - PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_UpperTrianglize(Qs->l1_Q5, buffer_F3, _O1, _O1_BYTE); // UT( ... ) // Q5 , release buffer_F3 - /* - F1_T2 = F1 * t2 - F2_T3 = F2 * t3 - F1_F1T_T2 + F2_T3 = F1_T2 + F2_T3 + F1tr * t2 - Q_pk.l1_F3s[i] = F1_F1T_T2 + F2_T3 - Q_pk.l1_F6s[i] = T1tr* ( F1_F1T_T2 + F2_T3 ) + F2tr * t2 - Q_pk.l1_F9s[i] = UT( T2tr* ( F1_T2 + F2_T3 ) ) - */ - memset(Qs->l1_Q3, 0, _O1_BYTE * _V1 * _O2); - memset(Qs->l1_Q6, 0, _O1_BYTE * _O1 * _O2); - memset(Qs->l1_Q9, 0, _O1_BYTE * N_TRIANGLE_TERMS(_O2)); - - batch_trimat_madd(Qs->l1_Q3, Fs->l1_F1, t2, _V1, _V1_BYTE, _O2, _O1_BYTE); // F1*T2 - batch_mat_madd(Qs->l1_Q3, Fs->l1_F2, _V1, Ts->t3, _O1, _O1_BYTE, _O2, _O1_BYTE); // F1_T2 + F - memset(buffer_F3, 0, _O1_BYTE * _V1 * _O2); - batch_matTr_madd(buffer_F3, t2, _V1, _V1_BYTE, _O2, Qs->l1_Q3, _O2, _O1_BYTE); // T2tr * ( F1_T2 + F2_T3 ) - PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_UpperTrianglize(Qs->l1_Q9, buffer_F3, _O2, _O1_BYTE); // Q9 , release buffe - batch_trimatTr_madd(Qs->l1_Q3, Fs->l1_F1, t2, _V1, _V1_BYTE, _O2, _O1_BYTE); // F1_F1T_T2 + F2_T3 / - batch_bmatTr_madd(Qs->l1_Q6, Fs->l1_F2, _O1, t2, _V1, _V1_BYTE, _O2, _O1_BYTE); // F2tr*T2 - 
batch_matTr_madd(Qs->l1_Q6, Ts->t1, _V1, _V1_BYTE, _O1, Qs->l1_Q3, _O2, _O1_BYTE); // Q6 - /* - Layer 2 - Computing - F1_T2 = F1 * t2 - F2_T3 = F2 * t3 - Q9 = UT( T2tr*( F1*T2 + F2*T3 + F3 ) + T3tr*( F5*T3 + F6 ) ) - */ - memcpy(buffer_F3, Fs->l2_F3, _O2_BYTE * _V1 * _O2); - batch_trimat_madd(buffer_F3, Fs->l2_F1, t2, _V1, _V1_BYTE, _O2, _O2_BYTE); // F1*T2 + F3 - batch_mat_madd(buffer_F3, Fs->l2_F2, _V1, Ts->t3, _O1, _O1_BYTE, _O2, _O2_BYTE); // F1_T2 + F2_T3 - memset(buffer_F2, 0, _O2_BYTE * _V1 * _O2); - batch_matTr_madd(buffer_F2, t2, _V1, _V1_BYTE, _O2, buffer_F3, _O2, _O2_BYTE); // T2tr * ( ..... ) , release buffe - memcpy(buffer_F3, Fs->l2_F6, _O2_BYTE * _O1 * _O2); - batch_trimat_madd(buffer_F3, Fs->l2_F5, Ts->t3, _O1, _O1_BYTE, _O2, _O2_BYTE); // F5*T3 + F6 - batch_matTr_madd(buffer_F2, Ts->t3, _O1, _O1_BYTE, _O2, buffer_F3, _O2, _O2_BYTE); // T2tr*( ..... ) + T3tr*( ..... ) - memset(Qs->l2_Q9, 0, _O2_BYTE * N_TRIANGLE_TERMS(_O2)); - PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_UpperTrianglize(Qs->l2_Q9, buffer_F2, _O2, _O2_BYTE); // Q9 - memset(buffer_F2, 0, _SIZE_BUFFER_F2); - memset(buffer_F3, 0, _SIZE_BUFFER_F3); -} - -// Choosing implementations depends on the macros: _BLAS_SSE_ and _BLAS_AVX2_ -#define calculate_F_from_Q_impl calculate_F_from_Q_ref -#define calculate_Q_from_F_cyclic_impl calculate_Q_from_F_cyclic_ref - -void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_calculate_F_from_Q(sk_t *Fs, const sk_t *Qs, sk_t *Ts) { - calculate_F_from_Q_impl(Fs, Qs, Ts); -} - -void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_calculate_Q_from_F_cyclic(cpk_t *Qs, const sk_t *Fs, const sk_t *Ts) { - calculate_Q_from_F_cyclic_impl(Qs, Fs, Ts); -} diff --git a/crypto_sign/rainbowV-circumzenithal/clean/rainbow_keypair_computation.h b/crypto_sign/rainbowV-circumzenithal/clean/rainbow_keypair_computation.h deleted file mode 100644 index be9fd685..00000000 --- a/crypto_sign/rainbowV-circumzenithal/clean/rainbow_keypair_computation.h +++ /dev/null 
@@ -1,71 +0,0 @@ -#ifndef _RAINBOW_KEYPAIR_COMP_H_ -#define _RAINBOW_KEYPAIR_COMP_H_ -/// @file rainbow_keypair_computation.h -/// @brief Functions for calculating pk/sk while generating keys. -/// -/// Defining an internal structure of public key. -/// Functions for calculating pk/sk for key generation. -/// - -#include "rainbow_keypair.h" - -/// @brief The (internal use) public key for rainbow -/// -/// The (internal use) public key for rainbow. The public -/// polynomials are divided into l1_Q1, l1_Q2, ... l1_Q9, -/// l2_Q1, .... , l2_Q9. -/// -typedef struct rainbow_extend_publickey { - unsigned char l1_Q1[_O1_BYTE * N_TRIANGLE_TERMS(_V1)]; - unsigned char l1_Q2[_O1_BYTE * _V1 * _O1]; - unsigned char l1_Q3[_O1_BYTE * _V1 * _O2]; - unsigned char l1_Q5[_O1_BYTE * N_TRIANGLE_TERMS(_O1)]; - unsigned char l1_Q6[_O1_BYTE * _O1 * _O2]; - unsigned char l1_Q9[_O1_BYTE * N_TRIANGLE_TERMS(_O2)]; - - unsigned char l2_Q1[_O2_BYTE * N_TRIANGLE_TERMS(_V1)]; - unsigned char l2_Q2[_O2_BYTE * _V1 * _O1]; - unsigned char l2_Q3[_O2_BYTE * _V1 * _O2]; - unsigned char l2_Q5[_O2_BYTE * N_TRIANGLE_TERMS(_O1)]; - unsigned char l2_Q6[_O2_BYTE * _O1 * _O2]; - unsigned char l2_Q9[_O2_BYTE * N_TRIANGLE_TERMS(_O2)]; -} ext_cpk_t; - -/// -/// @brief converting formats of public keys : from ext_cpk_t version to pk_t -/// -/// @param[out] pk - the classic public key. -/// @param[in] cpk - the internel public key. 
-/// -void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_extcpk_to_pk(pk_t *pk, const ext_cpk_t *cpk); -///////////////////////////////////////////////// - -/// -/// @brief Computing public key from secret key -/// -/// @param[out] Qs - the public key -/// @param[in] Fs - parts of the secret key: l1_F1, l1_F2, l2_F1, l2_F2, l2_F3, l2_F5, l2_F6 -/// @param[in] Ts - parts of the secret key: T1, T4, T3 -/// -void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_calculate_Q_from_F(ext_cpk_t *Qs, const sk_t *Fs, const sk_t *Ts); - - -/// -/// @brief Computing parts of the sk from parts of pk and sk -/// -/// @param[out] Fs - parts of the sk: l1_F1, l1_F2, l2_F1, l2_F2, l2_F3, l2_F5, l2_F6 -/// @param[in] Qs - parts of the pk: l1_Q1, l1_Q2, l2_Q1, l2_Q2, l2_Q3, l2_Q5, l2_Q6 -/// @param[in] Ts - parts of the sk: T1, T4, T3 -/// -void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_calculate_F_from_Q(sk_t *Fs, const sk_t *Qs, sk_t *Ts); - -/// -/// @brief Computing parts of the pk from the secret key -/// -/// @param[out] Qs - parts of the pk: l1_Q3, l1_Q5, l2_Q6, l1_Q9, l2_Q9 -/// @param[in] Fs - parts of the sk: l1_F1, l1_F2, l2_F1, l2_F2, l2_F3, l2_F5, l2_F6 -/// @param[in] Ts - parts of the sk: T1, T4, T3 -/// -void PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_calculate_Q_from_F_cyclic(cpk_t *Qs, const sk_t *Fs, const sk_t *Ts); - -#endif // _RAINBOW_KEYPAIR_COMP_H_ diff --git a/crypto_sign/rainbowV-circumzenithal/clean/sign.c b/crypto_sign/rainbowV-circumzenithal/clean/sign.c deleted file mode 100644 index 8d14a966..00000000 --- a/crypto_sign/rainbowV-circumzenithal/clean/sign.c +++ /dev/null 
@@ -1,76 +0,0 @@
-/// @file sign.c
-/// @brief the implementations for functions in api.h
-///
-///
-
-#include "api.h"
-#include "rainbow.h"
-#include "rainbow_config.h"
-#include "rainbow_keypair.h"
-#include "randombytes.h"
-#include "utils_hash.h"
-#include
-#include
-
-int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_crypto_sign_keypair(unsigned char *pk, unsigned char *sk) {
- unsigned char sk_seed[LEN_SKSEED] = {0};
- randombytes(sk_seed, LEN_SKSEED);
-
- unsigned char pk_seed[LEN_PKSEED] = {0};
- randombytes(pk_seed, LEN_PKSEED);
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_generate_keypair_cyclic((cpk_t *)pk, (sk_t *)sk, pk_seed, sk_seed);
- return 0;
-}
-
-int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_crypto_sign(unsigned char *sm, size_t *smlen, const unsigned char *m, size_t mlen, const unsigned char *sk) {
- unsigned char digest[_HASH_LEN];
-
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_hash_msg(digest, _HASH_LEN, m, mlen);
-
- memcpy(sm, m, mlen);
- smlen[0] = mlen + _SIGNATURE_BYTE;
-
- return PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_rainbow_sign(sm + mlen, (const sk_t *)sk, digest);
-}
-
-int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_crypto_sign_open(unsigned char *m, size_t *mlen, const unsigned char *sm, size_t smlen, const unsigned char *pk) {
- int rc;
- if (_SIGNATURE_BYTE > smlen) {
- rc = -1;
- } else {
- *mlen = smlen - _SIGNATURE_BYTE;
-
- unsigned char digest[_HASH_LEN];
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_hash_msg(digest, _HASH_LEN, sm, *mlen);
-
- rc = PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_rainbow_verify_cyclic(digest, sm + mlen[0], (const cpk_t *)pk);
- }
- if (!rc) {
- memmove(m, sm, smlen - _SIGNATURE_BYTE);
- } else { // bad signature
- *mlen = (size_t) -1;
- memset(m, 0, smlen);
- }
- return rc;
-}
-
-int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk) {
- unsigned char digest[_HASH_LEN];
-
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_hash_msg(digest, _HASH_LEN, m, mlen);
- 
*siglen = _SIGNATURE_BYTE;
- return PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_rainbow_sign(sig, (const sk_t *)sk, digest);
-}
-
-int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk) {
- if (siglen != _SIGNATURE_BYTE) {
- return -1;
- }
- unsigned char digest[_HASH_LEN];
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_hash_msg(digest, _HASH_LEN, m, mlen);
- return PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_rainbow_verify_cyclic(digest, sig, (const cpk_t *)pk);
-}
diff --git a/crypto_sign/rainbowV-circumzenithal/clean/utils_hash.c b/crypto_sign/rainbowV-circumzenithal/clean/utils_hash.c
deleted file mode 100644
index 00082d97..00000000
--- a/crypto_sign/rainbowV-circumzenithal/clean/utils_hash.c
+++ /dev/null
@@ -1,50 +0,0 @@
-/// @file utils_hash.c
-/// @brief the adapter for SHA2 families.
-///
-///
-
-#include "utils_hash.h"
-#include "rainbow_config.h"
-#include "sha2.h"
-
-static inline int h(unsigned char *digest, const unsigned char *m, size_t mlen) {
- sha512(digest, m, mlen);
- return 0;
-}
-
-static inline int expand_hash(unsigned char *digest, size_t n_digest, const unsigned char *hash) {
- if (_HASH_LEN >= n_digest) {
- for (size_t i = 0; i < n_digest; i++) {
- digest[i] = hash[i];
- }
- return 0;
- }
- for (size_t i = 0; i < _HASH_LEN; i++) {
- digest[i] = hash[i];
- }
- n_digest -= _HASH_LEN;
-
- while (_HASH_LEN <= n_digest) {
- h(digest + _HASH_LEN, digest, _HASH_LEN);
-
- n_digest -= _HASH_LEN;
- digest += _HASH_LEN;
- }
- unsigned char temp[_HASH_LEN];
- if (n_digest) {
- h(temp, digest, _HASH_LEN);
- for (size_t i = 0; i < n_digest; i++) {
- digest[_HASH_LEN + i] = temp[i];
- }
- }
- return 0;
-}
-
-int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_hash_msg(unsigned char *digest,
- size_t len_digest,
- const unsigned char *m,
- size_t mlen) {
- unsigned char buf[_HASH_LEN];
- h(buf, m, mlen);
- return expand_hash(digest, len_digest, buf);
-}
diff --git a/crypto_sign/rainbowV-circumzenithal/clean/utils_hash.h b/crypto_sign/rainbowV-circumzenithal/clean/utils_hash.h
deleted file mode 100644
index df4593d9..00000000
--- a/crypto_sign/rainbowV-circumzenithal/clean/utils_hash.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef _UTILS_HASH_H_
-#define _UTILS_HASH_H_
-/// @file utils_hash.h
-/// @brief the interface for adapting hash functions.
-///
-
-#include
-
-int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_hash_msg(unsigned char *digest, size_t len_digest, const unsigned char *m, size_t mlen);
-
-#endif // _UTILS_HASH_H_
diff --git a/crypto_sign/rainbowV-circumzenithal/clean/utils_prng.c b/crypto_sign/rainbowV-circumzenithal/clean/utils_prng.c
deleted file mode 100644
index 712dc301..00000000
--- a/crypto_sign/rainbowV-circumzenithal/clean/utils_prng.c
+++ /dev/null
@@ -1,97 +0,0 @@
-/// @file utils_prng.c
-/// @brief The implementation of PRNG related functions.
-///
-
-#include "utils_prng.h"
-#include "aes.h"
-#include "randombytes.h"
-#include "utils_hash.h"
-#include
-#include
-
-static void prng_update(const unsigned char *provided_data,
- unsigned char *Key,
- unsigned char *V) {
- unsigned char temp[48];
- aes256ctx ctx;
- aes256_ecb_keyexp(&ctx, Key);
- for (int i = 0; i < 3; i++) {
- //increment V
- for (int j = 15; j >= 0; j--) {
- if (V[j] == 0xff) {
- V[j] = 0x00;
- } else {
- V[j]++;
- break;
- }
- }
- aes256_ecb(temp + 16 * i, V, 1, &ctx);
- }
- if (provided_data != NULL) {
- for (int i = 0; i < 48; i++) {
- temp[i] ^= provided_data[i];
- }
- }
- aes256_ctx_release(&ctx);
- memcpy(Key, temp, 32);
- memcpy(V, temp + 32, 16);
-}
-static void randombytes_init_with_state(prng_t *state,
- unsigned char *entropy_input_48bytes) {
- memset(state->Key, 0x00, 32);
- memset(state->V, 0x00, 16);
- prng_update(entropy_input_48bytes, state->Key, state->V);
-}
-
-static int randombytes_with_state(prng_t *state,
- unsigned char *x,
- size_t xlen) {
-
- unsigned char block[16];
- int i = 0;
-
- aes256ctx ctx;
- aes256_ecb_keyexp(&ctx, state->Key);
-
- while (xlen > 0) {
- //increment V
- for (int j = 15; j >= 0; j--) {
- if (state->V[j] == 0xff) {
- state->V[j] = 0x00;
- } else {
- state->V[j]++;
- break;
- }
- }
- aes256_ecb(block, state->V, 1, &ctx);
- if (xlen > 15) {
- memcpy(x + i, block, 16);
- i += 16;
- xlen -= 16;
- } else {
- memcpy(x + i, block, xlen);
- xlen = 0;
- }
- }
- aes256_ctx_release(&ctx);
- prng_update(NULL, state->Key, state->V);
- return 0;
-}
-
-int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_prng_set(prng_t *ctx, const void *prng_seed, unsigned long prng_seedlen) {
- unsigned char seed[48];
- if (prng_seedlen >= 48) {
- memcpy(seed, prng_seed, 48);
- } else {
- memcpy(seed, prng_seed, prng_seedlen);
- PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_hash_msg(seed + prng_seedlen, 48 - (unsigned)prng_seedlen, (const 
unsigned char *)prng_seed, prng_seedlen);
- }
-
- randombytes_init_with_state(ctx, seed);
-
- return 0;
-}
-
-int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_prng_gen(prng_t *ctx, unsigned char *out, unsigned long outlen) {
- return randombytes_with_state(ctx, out, outlen);
-}
diff --git a/crypto_sign/rainbowV-circumzenithal/clean/utils_prng.h b/crypto_sign/rainbowV-circumzenithal/clean/utils_prng.h
deleted file mode 100644
index 7acfc039..00000000
--- a/crypto_sign/rainbowV-circumzenithal/clean/utils_prng.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef _UTILS_PRNG_H_
-#define _UTILS_PRNG_H_
-/// @file utils_prng.h
-/// @brief the interface for adapting PRNG functions.
-///
-///
-
-#include "randombytes.h"
-
-typedef struct {
- unsigned char Key[32];
- unsigned char V[16];
-} prng_t;
-
-int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_prng_set(prng_t *ctx, const void *prng_seed, unsigned long prng_seedlen);
-int PQCLEAN_RAINBOWVCIRCUMZENITHAL_CLEAN_prng_gen(prng_t *ctx, unsigned char *out, unsigned long outlen);
-
-#endif // _UTILS_PRNG_H_
diff --git a/crypto_sign/rainbowV-compressed/META.yml b/crypto_sign/rainbowV-compressed/META.yml
deleted file mode 100644
index 1ef75280..00000000
--- a/crypto_sign/rainbowV-compressed/META.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-name: "RAINBOW(256,96,36,64) - compressed"
-type: signature
-claimed-nist-level: 5
-length-public-key: 536136
-length-secret-key: 64
-length-signature: 212
-nistkat-sha256: 452159bbc353bcb8e209d466df8c2ba3816d66a8dcf2059aa96185e10016feec
-testvectors-sha256: 1262856e5aebcc2e9455f6fc6d88960df2999e18a41d69d9573eb56f00006278
-principal-submitters:
- - Jintai Ding
-auxiliary-submitters:
- - Ming-Shing Chen
- - Matthias Kannwischer
- - Jacques Patarin
- - Albrecht Petzoldt
- - Dieter Schmidt
- - Bo-Yin Yang
-implementations:
- - name: clean
- version: https://github.com/fast-crypto-lab/rainbow-submission-round2/commit/173ada0e077e1b9dbd8e4a78994f87acc0c92263
diff --git a/crypto_sign/rainbowV-compressed/clean/LICENSE b/crypto_sign/rainbowV-compressed/clean/LICENSE
deleted file mode 100644
index cb00a6e3..00000000
--- a/crypto_sign/rainbowV-compressed/clean/LICENSE
+++ /dev/null
@@ -1,8 +0,0 @@
-`Software implementation of Rainbow for NIST R2 submission' by Ming-Shing Chen
-
-To the extent possible under law, the person who associated CC0 with
-`Software implementation of Rainbow for NIST R2 submission' has waived all copyright and related or neighboring rights
-to `Software implementation of Rainbow for NIST R2 submission'.
-
-You should have received a copy of the CC0 legalcode along with this
-work. If not, see .
diff --git a/crypto_sign/rainbowV-compressed/clean/Makefile.Microsoft_nmake b/crypto_sign/rainbowV-compressed/clean/Makefile.Microsoft_nmake
deleted file mode 100644
index f6a4489b..00000000
--- a/crypto_sign/rainbowV-compressed/clean/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=librainbowV-compressed_clean.lib
-OBJECTS = blas_comm.obj parallel_matrix_op.obj rainbow.obj rainbow_keypair.obj rainbow_keypair_computation.obj sign.obj utils_hash.obj utils_prng.obj blas.obj gf.obj
-
-CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_sign/rainbowV-compressed/clean/api.h b/crypto_sign/rainbowV-compressed/clean/api.h
deleted file mode 100644
index 89e7b3d8..00000000
--- a/crypto_sign/rainbowV-compressed/clean/api.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_API_H
-#define PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_API_H
-
-#include
-#include
-
-#define PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_CRYPTO_SECRETKEYBYTES 64
-#define PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_CRYPTO_PUBLICKEYBYTES 536136
-#define PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_CRYPTO_BYTES 212
-#define PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_CRYPTO_ALGNAME "RAINBOW(256,96,36,64) - compressed"
-int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-
-int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-
-#endif
diff --git a/crypto_sign/rainbowV-compressed/clean/blas.c b/crypto_sign/rainbowV-compressed/clean/blas.c
deleted file mode 100644
index 6a981547..00000000
--- a/crypto_sign/rainbowV-compressed/clean/blas.c
+++ /dev/null
@@ -1,31 +0,0 @@
-#include "blas.h"
-#include "gf.h"
-
-#include
-
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_predicated_add(uint8_t *accu_b, uint8_t predicate, const uint8_t *a, size_t _num_byte) {
- uint8_t pr_u8 = (uint8_t) ((uint8_t) 0 - predicate);
- for (size_t i = 0; i < _num_byte; i++) {
- accu_b[i] ^= (a[i] & pr_u8);
- }
-}
-
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_add(uint8_t *accu_b, const uint8_t *a, size_t _num_byte) {
- for (size_t i = 0; i < _num_byte; i++) {
- accu_b[i] ^= a[i];
- }
-}
-
-
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_mul_scalar(uint8_t *a, uint8_t b, size_t _num_byte) {
- for (size_t i = 0; i < _num_byte; i++) {
- a[i] = PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256_mul(a[i], b);
- }
-}
-
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_madd(uint8_t *accu_c, const uint8_t *a, uint8_t gf256_b, size_t _num_byte) {
- for (size_t i = 0; i < _num_byte; i++) {
- accu_c[i] ^= PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256_mul(a[i], gf256_b);
- }
-}
-
diff --git a/crypto_sign/rainbowV-compressed/clean/blas.h b/crypto_sign/rainbowV-compressed/clean/blas.h
deleted file mode 100644
index fba6cfef..00000000
--- a/crypto_sign/rainbowV-compressed/clean/blas.h
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef _BLAS_H_
-#define _BLAS_H_
-/// @file blas.h
-/// @brief Functions for implementing basic linear algebra functions.
-///
-
-#include "rainbow_config.h"
-#include
-#include
-
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_predicated_add(uint8_t *accu_b, uint8_t predicate, const uint8_t *a, size_t _num_byte);
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_add(uint8_t *accu_b, const uint8_t *a, size_t _num_byte);
-
-
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_mul_scalar(uint8_t *a, uint8_t b, size_t _num_byte);
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_madd(uint8_t *accu_c, const uint8_t *a, uint8_t gf256_b, size_t _num_byte);
-
-
-#endif // _BLAS_H_
diff --git a/crypto_sign/rainbowV-compressed/clean/blas_comm.c b/crypto_sign/rainbowV-compressed/clean/blas_comm.c
deleted file mode 100644
index 1f9a40ce..00000000
--- a/crypto_sign/rainbowV-compressed/clean/blas_comm.c
+++ /dev/null
@@ -1,144 +0,0 @@ -/// @file blas_comm.c -/// @brief The standard implementations for blas_comm.h -/// - -#include "blas_comm.h" -#include "blas.h" -#include "gf.h" -#include "rainbow_config.h" - -#include -#include - -void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_set_zero(uint8_t *b, unsigned int _num_byte) { - for (size_t i = 0; i < _num_byte; i++) { - b[i] = 0; - } -} -/// @brief get an element from GF(256) vector . -/// -/// @param[in] a - the input vector a. -/// @param[in] i - the index in the vector a. -/// @return the value of the element. -/// -uint8_t PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_get_ele(const uint8_t *a, unsigned int i) { - return a[i]; -} - -unsigned int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_is_zero(const uint8_t *a, unsigned int _num_byte) { - uint8_t r = 0; - while (_num_byte--) { - r |= a[0]; - a++; - } - return (0 == r); -} - -/// polynomial multplication -/// School boook -void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_polymul(uint8_t *c, const uint8_t *a, const uint8_t *b, unsigned int _num) { - PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_set_zero(c, _num * 2 - 1); - for (unsigned int i = 0; i < _num; i++) { - PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_madd(c + i, a, b[i], _num); - } -} - -static void gf256mat_prod_ref(uint8_t *c, const uint8_t *matA, unsigned int n_A_vec_byte, unsigned int n_A_width, const uint8_t *b) { - PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_set_zero(c, n_A_vec_byte); - for (unsigned int i = 0; i < n_A_width; i++) { - PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_madd(c, matA, b[i], n_A_vec_byte); - matA += n_A_vec_byte; - } -} - -void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256mat_mul(uint8_t *c, const uint8_t *a, const uint8_t *b, unsigned int len_vec) { - unsigned int n_vec_byte = len_vec; - for (unsigned int k = 0; k < len_vec; k++) { - PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_set_zero(c, n_vec_byte); - const uint8_t *bk = b + n_vec_byte * k; - for (unsigned int i = 0; i < len_vec; i++) { - 
PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_madd(c, a + n_vec_byte * i, bk[i], n_vec_byte); - } - c += n_vec_byte; - } -} - -static unsigned int gf256mat_gauss_elim_ref(uint8_t *mat, unsigned int h, unsigned int w) { - unsigned int r8 = 1; - - for (unsigned int i = 0; i < h; i++) { - uint8_t *ai = mat + w * i; - unsigned int skip_len_align4 = i & ((unsigned int)~0x3); - - for (unsigned int j = i + 1; j < h; j++) { - uint8_t *aj = mat + w * j; - PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_predicated_add(ai + skip_len_align4, 1 ^ PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256_is_nonzero(ai[i]), aj + skip_len_align4, w - skip_len_align4); - } - r8 &= PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256_is_nonzero(ai[i]); - uint8_t pivot = ai[i]; - pivot = PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256_inv(pivot); - PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_mul_scalar(ai + skip_len_align4, pivot, w - skip_len_align4); - for (unsigned int j = 0; j < h; j++) { - if (i == j) { - continue; - } - uint8_t *aj = mat + w * j; - PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_madd(aj + skip_len_align4, ai + skip_len_align4, aj[i], w - skip_len_align4); - } - } - - return r8; -} - -static unsigned int gf256mat_solve_linear_eq_ref(uint8_t *sol, const uint8_t *inp_mat, const uint8_t *c_terms, unsigned int n) { - uint8_t mat[64 * 64]; - for (unsigned int i = 0; i < n; i++) { - memcpy(mat + i * (n + 1), inp_mat + i * n, n); - mat[i * (n + 1) + n] = c_terms[i]; - } - unsigned int r8 = PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256mat_gauss_elim(mat, n, n + 1); - for (unsigned int i = 0; i < n; i++) { - sol[i] = mat[i * (n + 1) + n]; - } - return r8; -} - -static inline void gf256mat_submat(uint8_t *mat2, unsigned int w2, unsigned int st, const uint8_t *mat, unsigned int w, unsigned int h) { - for (unsigned int i = 0; i < h; i++) { - for (unsigned int j = 0; j < w2; j++) { - mat2[i * w2 + j] = mat[i * w + st + j]; - } - } -} - -unsigned int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256mat_inv(uint8_t *inv_a, const uint8_t *a, unsigned int H, 
uint8_t *buffer) { - uint8_t *aa = buffer; - for (unsigned int i = 0; i < H; i++) { - uint8_t *ai = aa + i * 2 * H; - PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_set_zero(ai, 2 * H); - PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_add(ai, a + i * H, H); - ai[H + i] = 1; - } - unsigned int r8 = PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256mat_gauss_elim(aa, H, 2 * H); - gf256mat_submat(inv_a, H, H, aa, 2 * H, H); - return r8; -} - - -// choosing the implementations depends on the macros _BLAS_AVX2_ and _BLAS_SSE - -#define gf256mat_prod_impl gf256mat_prod_ref -#define gf256mat_gauss_elim_impl gf256mat_gauss_elim_ref -#define gf256mat_solve_linear_eq_impl gf256mat_solve_linear_eq_ref -void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256mat_prod(uint8_t *c, const uint8_t *matA, unsigned int n_A_vec_byte, unsigned int n_A_width, const uint8_t *b) { - gf256mat_prod_impl(c, matA, n_A_vec_byte, n_A_width, b); -} - -unsigned int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256mat_gauss_elim(uint8_t *mat, unsigned int h, unsigned int w) { - return gf256mat_gauss_elim_impl(mat, h, w); -} - -unsigned int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256mat_solve_linear_eq(uint8_t *sol, const uint8_t *inp_mat, const uint8_t *c_terms, unsigned int n) { - return gf256mat_solve_linear_eq_impl(sol, inp_mat, c_terms, n); -} - diff --git a/crypto_sign/rainbowV-compressed/clean/blas_comm.h b/crypto_sign/rainbowV-compressed/clean/blas_comm.h deleted file mode 100644 index 89fde09c..00000000 --- a/crypto_sign/rainbowV-compressed/clean/blas_comm.h +++ /dev/null 
@@ -1,90 +0,0 @@
-#ifndef _BLAS_COMM_H_
-#define _BLAS_COMM_H_
-/// @file blas_comm.h
-/// @brief Common functions for linear algebra.
-///
-
-#include "rainbow_config.h"
-#include
-
-/// @brief set a vector to 0.
-///
-/// @param[in,out] b - the vector b.
-/// @param[in] _num_byte - number of bytes for the vector b.
-///
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_set_zero(uint8_t *b, unsigned int _num_byte);
-
-/// @brief get an element from GF(256) vector .
-///
-/// @param[in] a - the input vector a.
-/// @param[in] i - the index in the vector a.
-/// @return the value of the element.
-///
-uint8_t PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_get_ele(const uint8_t *a, unsigned int i);
-
-/// @brief check if a vector is 0.
-///
-/// @param[in] a - the vector a.
-/// @param[in] _num_byte - number of bytes for the vector a.
-/// @return 1(true) if a is 0. 0(false) else.
-///
-unsigned int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_is_zero(const uint8_t *a, unsigned int _num_byte);
-
-/// @brief polynomial multiplication: c = a*b
-///
-/// @param[out] c - the output polynomial c
-/// @param[in] a - the vector a.
-/// @param[in] b - the vector b.
-/// @param[in] _num - number of elements for the polynomials a and b.
-///
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_polymul(uint8_t *c, const uint8_t *a, const uint8_t *b, unsigned int _num);
-
-/// @brief matrix-vector multiplication: c = matA * b , in GF(256)
-///
-/// @param[out] c - the output vector c
-/// @param[in] matA - a column-major matrix A.
-/// @param[in] n_A_vec_byte - the size of column vectors in bytes.
-/// @param[in] n_A_width - the width of matrix A.
-/// @param[in] b - the vector b.
-///
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256mat_prod(uint8_t *c, const uint8_t *matA, unsigned int n_A_vec_byte, unsigned int n_A_width, const uint8_t *b);
-
-/// @brief matrix-matrix multiplication: c = a * b , in GF(256)
-///
-/// @param[out] c - the output matrix c
-/// @param[in] c - a matrix a.
-/// @param[in] b - a matrix b.
-/// @param[in] len_vec - the length of column vectors.
-///
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256mat_mul(uint8_t *c, const uint8_t *a, const uint8_t *b, unsigned int len_vec);
-
-/// @brief Gauss elimination for a matrix, in GF(256)
-///
-/// @param[in,out] mat - the matrix.
-/// @param[in] h - the height of the matrix.
-/// @param[in] w - the width of the matrix.
-/// @return 1(true) if success. 0(false) if the matrix is singular.
-///
-unsigned int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256mat_gauss_elim(uint8_t *mat, unsigned int h, unsigned int w);
-
-/// @brief Solving linear equations, in GF(256)
-///
-/// @param[out] sol - the solutions.
-/// @param[in] inp_mat - the matrix parts of input equations.
-/// @param[in] c_terms - the constant terms of the input equations.
-/// @param[in] n - the number of equations.
-/// @return 1(true) if success. 0(false) if the matrix is singular.
-///
-unsigned int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256mat_solve_linear_eq(uint8_t *sol, const uint8_t *inp_mat, const uint8_t *c_terms, unsigned int n);
-
-/// @brief Computing the inverse matrix, in GF(256)
-///
-/// @param[out] inv_a - the output of matrix a.
-/// @param[in] a - a matrix a.
-/// @param[in] H - height of matrix a, i.e., matrix a is an HxH matrix.
-/// @param[in] buffer - The buffer for computations. it has to be as large as 2 input matrixes.
-/// @return 1(true) if success. 0(false) if the matrix is singular.
-///
-unsigned int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256mat_inv(uint8_t *inv_a, const uint8_t *a, unsigned int H, uint8_t *buffer);
-
-#endif // _BLAS_COMM_H_
diff --git a/crypto_sign/rainbowV-compressed/clean/gf.c b/crypto_sign/rainbowV-compressed/clean/gf.c
deleted file mode 100644
index 1652b5bb..00000000
--- a/crypto_sign/rainbowV-compressed/clean/gf.c
+++ /dev/null
@@ -1,91 +0,0 @@
-#include "gf.h"
-
-//// gf4 := gf2[x]/x^2+x+1
-static inline uint8_t gf4_mul_2(uint8_t a) {
- uint8_t r = (uint8_t)(a << 1);
- r ^= (uint8_t)((a >> 1) * 7);
- return r;
-}
-
-static inline uint8_t gf4_mul(uint8_t a, uint8_t b) {
- uint8_t r = (uint8_t)(a * (b & 1));
- return r ^ (uint8_t)(gf4_mul_2(a) * (b >> 1));
-}
-
-static inline uint8_t gf4_squ(uint8_t a) {
- return a ^ (a >> 1);
-}
-
-//// gf16 := gf4[y]/y^2+y+x
-uint8_t PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf16_mul(uint8_t a, uint8_t b) {
- uint8_t a0 = a & 3;
- uint8_t a1 = (a >> 2);
- uint8_t b0 = b & 3;
- uint8_t b1 = (b >> 2);
- uint8_t a0b0 = gf4_mul(a0, b0);
- uint8_t a1b1 = gf4_mul(a1, b1);
- uint8_t a0b1_a1b0 = gf4_mul(a0 ^ a1, b0 ^ b1) ^ a0b0 ^ a1b1;
- uint8_t a1b1_x2 = gf4_mul_2(a1b1);
- return (uint8_t)((a0b1_a1b0 ^ a1b1) << 2 ^ a0b0 ^ a1b1_x2);
-}
-
-static inline uint8_t gf16_squ(uint8_t a) {
- uint8_t a0 = a & 3;
- uint8_t a1 = (a >> 2);
- a1 = gf4_squ(a1);
- uint8_t a1squ_x2 = gf4_mul_2(a1);
- return (uint8_t)((a1 << 2) ^ a1squ_x2 ^ gf4_squ(a0));
-}
-
-uint8_t PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256_is_nonzero(uint8_t a) {
- unsigned int a8 = a;
- unsigned int r = ((unsigned int)0) - a8;
- r >>= 8;
- return r & 1;
-}
-
-static inline uint8_t gf4_mul_3(uint8_t a) {
- uint8_t msk = (uint8_t)((a - 2) >> 1);
- return (uint8_t)((msk & ((int)a * 3)) | ((~msk) & ((int)a - 1)));
-}
-static inline uint8_t gf16_mul_8(uint8_t a) {
- uint8_t a0 = a & 3;
- uint8_t a1 = a >> 2;
- return (uint8_t)((gf4_mul_2(a0 ^ a1) << 2) | gf4_mul_3(a1));
-}
-
-// gf256 := gf16[X]/X^2+X+xy
-uint8_t PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256_mul(uint8_t a, uint8_t b) {
- uint8_t a0 = a & 15;
- uint8_t a1 = (a >> 4);
- uint8_t b0 = b & 15;
- uint8_t b1 = (b >> 4);
- uint8_t a0b0 = PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf16_mul(a0, b0);
- uint8_t a1b1 = PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf16_mul(a1, b1);
- uint8_t a0b1_a1b0 = PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf16_mul(a0 ^ a1, b0 ^ b1) ^ a0b0 ^ a1b1;
- uint8_t a1b1_x8 = gf16_mul_8(a1b1);
- return (uint8_t)((a0b1_a1b0 ^ a1b1) << 4 ^ a0b0 ^ a1b1_x8);
-}
-
-static inline uint8_t gf256_squ(uint8_t a) {
- uint8_t a0 = a & 15;
- uint8_t a1 = (a >> 4);
- a1 = gf16_squ(a1);
- uint8_t a1squ_x8 = gf16_mul_8(a1);
- return (uint8_t)((a1 << 4) ^ a1squ_x8 ^ gf16_squ(a0));
-}
-
-uint8_t PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256_inv(uint8_t a) {
- // 128+64+32+16+8+4+2 = 254
- uint8_t a2 = gf256_squ(a);
- uint8_t a4 = gf256_squ(a2);
- uint8_t a8 = gf256_squ(a4);
- uint8_t a4_2 = PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256_mul(a4, a2);
- uint8_t a8_4_2 = PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256_mul(a4_2, a8);
- uint8_t a64_ = gf256_squ(a8_4_2);
- a64_ = gf256_squ(a64_);
- a64_ = gf256_squ(a64_);
- uint8_t a64_2 = PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256_mul(a64_, a8_4_2);
- uint8_t a128_ = gf256_squ(a64_2);
- return PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256_mul(a2, a128_);
-}
diff --git a/crypto_sign/rainbowV-compressed/clean/gf.h b/crypto_sign/rainbowV-compressed/clean/gf.h
deleted file mode 100644
index 07d7a54b..00000000
--- a/crypto_sign/rainbowV-compressed/clean/gf.h
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef _GF16_H_
-#define _GF16_H_
-
-#include "rainbow_config.h"
-#include
-
-/// @file gf16.h
-/// @brief Library for arithmetics in GF(16) and GF(256)
-///
-
-uint8_t PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf16_mul(uint8_t a, uint8_t b);
-
-
-uint8_t PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256_is_nonzero(uint8_t a);
-uint8_t PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256_inv(uint8_t a);
-uint8_t PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256_mul(uint8_t a, uint8_t b);
-
-
-#endif // _GF16_H_
diff --git a/crypto_sign/rainbowV-compressed/clean/parallel_matrix_op.c b/crypto_sign/rainbowV-compressed/clean/parallel_matrix_op.c
deleted file mode 100644
index 9b8d4eac..00000000
--- a/crypto_sign/rainbowV-compressed/clean/parallel_matrix_op.c
+++ /dev/null
@@ -1,183 +0,0 @@
-/// @file parallel_matrix_op.c
-/// @brief the standard implementations for functions in parallel_matrix_op.h
-///
-/// the standard implementations for functions in parallel_matrix_op.h
-///
-
-#include "parallel_matrix_op.h"
-#include "blas.h"
-#include "blas_comm.h"
-
-///
-/// @brief Calculate the corresponding index in an array for an upper-triangle(UT) matrix.
-///
-/// @param[in] i_row - the i-th row in an upper-triangle matrix.
-/// @param[in] j_col - the j-th column in an upper-triangle matrix.
-/// @param[in] dim - the dimension of the upper-triangle matrix, i.e., an dim x dim matrix.
-/// @return the corresponding index in an array storage.
-///
-unsigned int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_idx_of_trimat(unsigned int i_row, unsigned int j_col, unsigned int dim) {
- return (dim + dim - i_row + 1) * i_row / 2 + j_col - i_row;
-}
-
-///
-/// @brief Calculate the corresponding index in an array for an upper-triangle or lower-triangle matrix.
-///
-/// @param[in] i_row - the i-th row in a triangle matrix.
-/// @param[in] j_col - the j-th column in a triangle matrix.
-/// @param[in] dim - the dimension of the triangle matrix, i.e., an dim x dim matrix.
-/// @return the corresponding index in an array storage.
-///
-static inline unsigned int idx_of_2trimat(unsigned int i_row, unsigned int j_col, unsigned int n_var) {
- if (i_row > j_col) {
- return PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_idx_of_trimat(j_col, i_row, n_var);
- }
- return PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_idx_of_trimat(i_row, j_col, n_var);
-}
-
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_UpperTrianglize(unsigned char *btriC, const unsigned char *bA, unsigned int Awidth, unsigned int size_batch) {
- unsigned char *runningC = btriC;
- unsigned int Aheight = Awidth;
- for (unsigned int i = 0; i < Aheight; i++) {
- for (unsigned int j = 0; j < i; j++) {
- unsigned int idx = PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_idx_of_trimat(j, i, Aheight);
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_add(btriC + idx * size_batch, bA + size_batch * (i * Awidth + j), size_batch);
- }
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_add(runningC, bA + size_batch * (i * Awidth + i), size_batch * (Aheight - i));
- runningC += size_batch * (Aheight - i);
- }
-}
-
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_trimat_madd_gf256(unsigned char *bC, const unsigned char *btriA,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch) {
- unsigned int Awidth = Bheight;
- unsigned int Aheight = Awidth;
- for (unsigned int i = 0; i < Aheight; i++) {
- for (unsigned int j = 0; j < Bwidth; j++) {
- for (unsigned int k = 0; k < Bheight; k++) {
- if (k < i) {
- continue;
- }
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_madd(bC, &btriA[(k - i) * size_batch], PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_get_ele(&B[j * size_Bcolvec], k), size_batch);
- }
- bC += size_batch;
- }
- btriA += (Aheight - i) * size_batch;
- }
-}
-
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_trimatTr_madd_gf256(unsigned char *bC, const unsigned char *btriA,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch) {
- unsigned int Aheight = Bheight;
- for (unsigned int i = 0; i < Aheight; i++) {
- for (unsigned int j = 0; j < Bwidth; j++) {
- for (unsigned int k = 0; k < Bheight; k++) {
- if (i < k) {
- continue;
- }
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_madd(bC, &btriA[size_batch * (PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_idx_of_trimat(k, i, Aheight))], PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_get_ele(&B[j * size_Bcolvec], k), size_batch);
- }
- bC += size_batch;
- }
- }
-}
-
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_2trimat_madd_gf256(unsigned char *bC, const unsigned char *btriA,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch) {
- unsigned int Aheight = Bheight;
- for (unsigned int i = 0; i < Aheight; i++) {
- for (unsigned int j = 0; j < Bwidth; j++) {
- for (unsigned int k = 0; k < Bheight; k++) {
- if (i == k) {
- continue;
- }
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_madd(bC, &btriA[size_batch * (idx_of_2trimat(i, k, Aheight))], PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_get_ele(&B[j * size_Bcolvec], k), size_batch);
- }
- bC += size_batch;
- }
- }
-}
-
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_matTr_madd_gf256(unsigned char *bC, const unsigned char *A_to_tr, unsigned int Aheight, unsigned int size_Acolvec, unsigned int Awidth,
- const unsigned char *bB, unsigned int Bwidth, unsigned int size_batch) {
- unsigned int Atr_height = Awidth;
- unsigned int Atr_width = Aheight;
- for (unsigned int i = 0; i < Atr_height; i++) {
- for (unsigned int j = 0; j < Atr_width; j++) {
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_madd(bC, &bB[j * Bwidth * size_batch], PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_get_ele(&A_to_tr[size_Acolvec * i], j), size_batch * Bwidth);
- }
- bC += size_batch * Bwidth;
- }
-}
-
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_bmatTr_madd_gf256(unsigned char *bC, const unsigned char *bA_to_tr, unsigned int Awidth_before_tr,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch) {
- const unsigned char *bA = bA_to_tr;
- unsigned int Aheight = Awidth_before_tr;
- for (unsigned int i = 0; i < Aheight; i++) {
- for (unsigned int j = 0; j < Bwidth; j++) {
- for (unsigned int k = 0; k < Bheight; k++) {
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_madd(bC, &bA[size_batch * (i + k * Aheight)], PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_get_ele(&B[j * size_Bcolvec], k), size_batch);
- }
- bC += size_batch;
- }
- }
-}
-
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_mat_madd_gf256(unsigned char *bC, const unsigned char *bA, unsigned int Aheight,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch) {
- unsigned int Awidth = Bheight;
- for (unsigned int i = 0; i < Aheight; i++) {
- for (unsigned int j = 0; j < Bwidth; j++) {
- for (unsigned int k = 0; k < Bheight; k++) {
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_madd(bC, &bA[k * size_batch], PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_get_ele(&B[j * size_Bcolvec], k), size_batch);
- }
- bC += size_batch;
- }
- bA += (Awidth) * size_batch;
- }
-}
-
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_quad_trimat_eval_gf256(unsigned char *y, const unsigned char *trimat, const unsigned char *x, unsigned int dim, unsigned int size_batch) {
- unsigned char tmp[256];
-
- unsigned char _x[256];
- for (unsigned int i = 0; i < dim; i++) {
- _x[i] = PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_get_ele(x, i);
- }
-
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_set_zero(y, size_batch);
- for (unsigned int i = 0; i < dim; i++) {
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_set_zero(tmp, size_batch);
- for (unsigned int j = i; j < dim; j++) {
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_madd(tmp, trimat, _x[j], size_batch);
- trimat += size_batch;
- }
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_madd(y, tmp, _x[i], size_batch);
- }
-}
-
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_quad_recmat_eval_gf256(unsigned char *z, const unsigned char *y, unsigned int dim_y, const unsigned char *mat,
- const unsigned char *x, unsigned dim_x, unsigned size_batch) {
- unsigned char tmp[128];
-
- unsigned char _x[128];
- for (unsigned int i = 0; i < dim_x; i++) {
- _x[i] = PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_get_ele(x, i);
- }
- unsigned char _y[128];
- for (unsigned int i = 0; i < dim_y; i++) {
- _y[i] = PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_get_ele(y, i);
- }
-
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_set_zero(z, size_batch);
- for (unsigned int i = 0; i < dim_y; i++) {
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_set_zero(tmp, size_batch);
- for (unsigned int j = 0; j < dim_x; j++) {
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_madd(tmp, mat, _x[j], size_batch);
- mat += size_batch;
- }
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_madd(z, tmp, _y[i], size_batch);
- }
-}
-
diff --git a/crypto_sign/rainbowV-compressed/clean/parallel_matrix_op.h b/crypto_sign/rainbowV-compressed/clean/parallel_matrix_op.h
deleted file mode 100644
index 5d7d632d..00000000
--- a/crypto_sign/rainbowV-compressed/clean/parallel_matrix_op.h
+++ /dev/null
@@ -1,260 +0,0 @@
-#ifndef _P_MATRIX_OP_H_
-#define _P_MATRIX_OP_H_
-/// @file parallel_matrix_op.h
-/// @brief Librarys for operations of batched matrixes.
-///
-///
-
-//////////////// Section: triangle matrix <-> rectangle matrix ///////////////////////////////////
-
-///
-/// @brief Calculate the corresponding index in an array for an upper-triangle(UT) matrix.
-///
-/// @param[in] i_row - the i-th row in an upper-triangle matrix.
-/// @param[in] j_col - the j-th column in an upper-triangle matrix.
-/// @param[in] dim - the dimension of the upper-triangle matrix, i.e., an dim x dim matrix.
-/// @return the corresponding index in an array storage.
-///
-unsigned int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_idx_of_trimat(unsigned int i_row, unsigned int j_col, unsigned int dim);
-
-///
-/// @brief Upper trianglize a rectangle matrix to the corresponding upper-trangle matrix.
-///
-/// @param[out] btriC - the batched upper-trianglized matrix C.
-/// @param[in] bA - a batched retangle matrix A.
-/// @param[in] bwidth - the width of the batched matrix A, i.e., A is a Awidth x Awidth matrix.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_UpperTrianglize(unsigned char *btriC, const unsigned char *bA, unsigned int Awidth, unsigned int size_batch);
-
-//////////////////// Section: matrix multiplications ///////////////////////////////
-
-///
-/// @brief bC += btriA * B , in GF(16)
-///
-/// @param[out] bC - the batched matrix C.
-/// @param[in] btriA - a batched UT matrix A.
-/// @param[in] B - a column-major matrix B.
-/// @param[in] Bheight - the height of B.
-/// @param[in] size_Bcolvec - the size of the column vector in B.
-/// @param[in] Bwidth - the width of B.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_trimat_madd_gf16(unsigned char *bC, const unsigned char *btriA,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch);
-
-///
-/// @brief bC += btriA * B , in GF(256)
-///
-/// @param[out] bC - the batched matrix C.
-/// @param[in] btriA - a batched UT matrix A.
-/// @param[in] B - a column-major matrix B.
-/// @param[in] Bheight - the height of B.
-/// @param[in] size_Bcolvec - the size of the column vector in B.
-/// @param[in] Bwidth - the width of B.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_trimat_madd_gf256(unsigned char *bC, const unsigned char *btriA,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch);
-
-///
-/// @brief bC += btriA^Tr * B , in GF(16)
-///
-/// @param[out] bC - the batched matrix C.
-/// @param[in] btriA - a batched UT matrix A. A will be transposed while multiplying.
-/// @param[in] B - a column-major matrix B.
-/// @param[in] Bheight - the height of B.
-/// @param[in] size_Bcolvec - the size of the column vector in B.
-/// @param[in] Bwidth - the width of B.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_trimatTr_madd_gf16(unsigned char *bC, const unsigned char *btriA,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch);
-
-///
-/// @brief bC += btriA^Tr * B , in GF(256)
-///
-/// @param[out] bC - the batched matrix C.
-/// @param[in] btriA - a batched UT matrix A, which will be transposed while multiplying.
-/// @param[in] B - a column-major matrix B.
-/// @param[in] Bheight - the height of B.
-/// @param[in] size_Bcolvec - the size of the column vector in B.
-/// @param[in] Bwidth - the width of B.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_trimatTr_madd_gf256(unsigned char *bC, const unsigned char *btriA,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch);
-
-///
-/// @brief bC += (btriA + btriA^Tr) *B , in GF(16)
-///
-/// @param[out] bC - the batched matrix C.
-/// @param[in] btriA - a batched UT matrix A. The operand for multiplication is (btriA + btriA^Tr).
-/// @param[in] B - a column-major matrix B.
-/// @param[in] Bheight - the height of B.
-/// @param[in] size_Bcolvec - the size of the column vector in B.
-/// @param[in] Bwidth - the width of B.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_2trimat_madd_gf16(unsigned char *bC, const unsigned char *btriA,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch);
-
-///
-/// @brief bC += (btriA + btriA^Tr) *B , in GF(256)
-///
-/// @param[out] bC - the batched matrix C.
-/// @param[in] btriA - a batched UT matrix A. The operand for multiplication is (btriA + btriA^Tr).
-/// @param[in] B - a column-major matrix B.
-/// @param[in] Bheight - the height of B.
-/// @param[in] size_Bcolvec - the size of the column vector in B.
-/// @param[in] Bwidth - the width of B.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_2trimat_madd_gf256(unsigned char *bC, const unsigned char *btriA,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch);
-
-///
-/// @brief bC += A^Tr * bB , in GF(16)
-///
-/// @param[out] bC - the batched matrix C.
-/// @param[in] A_to_tr - a column-major matrix A. The operand for multiplication is A^Tr.
-/// @param[in] Aheight - the height of A.
-/// @param[in] size_Acolvec - the size of a column vector in A.
-/// @param[in] Awidth - the width of A.
-/// @param[in] bB - a batched matrix B.
-/// @param[in] Bwidth - the width of B.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_matTr_madd_gf16(unsigned char *bC,
- const unsigned char *A_to_tr, unsigned int Aheight, unsigned int size_Acolvec, unsigned int Awidth,
- const unsigned char *bB, unsigned int Bwidth, unsigned int size_batch);
-
-///
-/// @brief bC += A^Tr * bB , in GF(256)
-///
-/// @param[out] bC - the batched matrix C.
-/// @param[in] A_to_tr - a column-major matrix A. The operand for multiplication is A^Tr.
-/// @param[in] Aheight - the height of A.
-/// @param[in] size_Acolvec - the size of a column vector in A.
-/// @param[in] Awidth - the width of A.
-/// @param[in] bB - a batched matrix B.
-/// @param[in] Bwidth - the width of B.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_matTr_madd_gf256(unsigned char *bC,
- const unsigned char *A_to_tr, unsigned int Aheight, unsigned int size_Acolvec, unsigned int Awidth,
- const unsigned char *bB, unsigned int Bwidth, unsigned int size_batch);
-
-///
-/// @brief bC += bA^Tr * B , in GF(16)
-///
-/// @param[out] bC - the batched matrix C.
-/// @param[in] bA_to_tr - a batched matrix A. The operand for multiplication is (bA^Tr).
-/// @param[in] Awidth_befor_tr - the width of A.
-/// @param[in] B - a column-major matrix B.
-/// @param[in] Bheight - the height of B.
-/// @param[in] size_Bcolvec - the size of the column vector in B.
-/// @param[in] Bwidth - the width of B.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_bmatTr_madd_gf16(unsigned char *bC, const unsigned char *bA_to_tr, unsigned int Awidth_before_tr,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch);
-
-///
-/// @brief bC += bA^Tr * B , in GF(256)
-///
-/// @param[out] bC - the batched matrix C.
-/// @param[in] bA_to_tr - a batched matrix A. The operand for multiplication is (bA^Tr).
-/// @param[in] Awidth_befor_tr - the width of A.
-/// @param[in] B - a column-major matrix B.
-/// @param[in] Bheight - the height of B.
-/// @param[in] size_Bcolvec - the size of the column vector in B.
-/// @param[in] Bwidth - the width of B.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_bmatTr_madd_gf256(unsigned char *bC, const unsigned char *bA_to_tr, unsigned int Awidth_before_tr,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch);
-
-///
-/// @brief bC += bA * B , in GF(16)
-///
-/// @param[out] bC - the batched matrix C.
-/// @param[in] bA - a batched matrix A.
-/// @param[in] Aheigh - the height of A.
-/// @param[in] B - a column-major matrix B.
-/// @param[in] Bheight - the height of B.
-/// @param[in] size_Bcolvec - the size of the column vector in B.
-/// @param[in] Bwidth - the width of B.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_mat_madd_gf16(unsigned char *bC, const unsigned char *bA, unsigned int Aheight,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch);
-
-///
-/// @brief bC += bA * B , in GF(256)
-///
-/// @param[out] bC - the batched matrix C.
-/// @param[in] bA - a batched matrix A.
-/// @param[in] Aheigh - the height of A.
-/// @param[in] B - a column-major matrix B.
-/// @param[in] Bheight - the height of B.
-/// @param[in] size_Bcolvec - the size of the column vector in B.
-/// @param[in] Bwidth - the width of B.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_mat_madd_gf256(unsigned char *bC, const unsigned char *bA, unsigned int Aheight,
- const unsigned char *B, unsigned int Bheight, unsigned int size_Bcolvec, unsigned int Bwidth, unsigned int size_batch);
-
-//////////////////// Section: "quadratric" matrix evaluation ///////////////////////////////
-
-///
-/// @brief y = x^Tr * trimat * x , in GF(16)
-///
-/// @param[out] y - the returned batched element y.
-/// @param[in] trimat - a batched matrix.
-/// @param[in] x - an input vector x.
-/// @param[in] dim - the dimension of matrix trimat (and x).
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_quad_trimat_eval_gf16(unsigned char *y, const unsigned char *trimat, const unsigned char *x, unsigned int dim, unsigned int size_batch);
-
-///
-/// @brief y = x^Tr * trimat * x , in GF(256)
-///
-/// @param[out] y - the returned batched element y.
-/// @param[in] trimat - a batched matrix.
-/// @param[in] x - an input vector x.
-/// @param[in] dim - the dimension of matrix trimat (and x).
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_quad_trimat_eval_gf256(unsigned char *y, const unsigned char *trimat, const unsigned char *x, unsigned int dim, unsigned int size_batch);
-
-///
-/// @brief z = y^Tr * mat * x , in GF(16)
-///
-/// @param[out] z - the returned batched element z.
-/// @param[in] y - an input vector y.
-/// @param[in] dim_y - the length of y.
-/// @param[in] mat - a batched matrix.
-/// @param[in] x - an input vector x.
-/// @param[in] dim_x - the length of x.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_quad_recmat_eval_gf16(unsigned char *z, const unsigned char *y, unsigned int dim_y,
- const unsigned char *mat, const unsigned char *x, unsigned int dim_x, unsigned int size_batch);
-
-///
-/// @brief z = y^Tr * mat * x , in GF(256)
-///
-/// @param[out] z - the returned batched element z.
-/// @param[in] y - an input vector y.
-/// @param[in] dim_y - the length of y.
-/// @param[in] mat - a batched matrix.
-/// @param[in] x - an input vector x.
-/// @param[in] dim_x - the length of x.
-/// @param[in] size_batch - number of the batched elements in the corresponding position of the matrix.
-///
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_quad_recmat_eval_gf256(unsigned char *z, const unsigned char *y, unsigned int dim_y,
- const unsigned char *mat, const unsigned char *x, unsigned int dim_x, unsigned int size_batch);
-
-#endif // _P_MATRIX_OP_H_
diff --git a/crypto_sign/rainbowV-compressed/clean/rainbow.c b/crypto_sign/rainbowV-compressed/clean/rainbow.c
deleted file mode 100644
index ca8e6f80..00000000
--- a/crypto_sign/rainbowV-compressed/clean/rainbow.c
+++ /dev/null
@@ -1,179 +0,0 @@
-/// @file rainbow.c
-/// @brief The standard implementations for functions in rainbow.h
-///
-
-#include "blas.h"
-#include "parallel_matrix_op.h"
-#include "rainbow.h"
-#include "rainbow_blas.h"
-#include "rainbow_config.h"
-#include "rainbow_keypair.h"
-#include "utils_hash.h"
-#include "utils_prng.h"
-#include 
-#include 
-#include 
-
-#define MAX_ATTEMPT_FRMAT 128
-
-int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_rainbow_sign(uint8_t *signature, const sk_t *sk, const uint8_t *_digest) {
- uint8_t mat_l1[_O1 * _O1_BYTE];
- uint8_t mat_l2[_O2 * _O2_BYTE];
- uint8_t mat_buffer[2 * _MAX_O * _MAX_O_BYTE];
-
- // setup PRNG
- prng_t prng_sign;
- uint8_t prng_preseed[LEN_SKSEED + _HASH_LEN];
- memcpy(prng_preseed, sk->sk_seed, LEN_SKSEED);
- memcpy(prng_preseed + LEN_SKSEED, _digest, _HASH_LEN); // prng_preseed = sk_seed || digest
- uint8_t prng_seed[_HASH_LEN];
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_hash_msg(prng_seed, _HASH_LEN, prng_preseed, _HASH_LEN + LEN_SKSEED);
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_prng_set(&prng_sign, prng_seed, _HASH_LEN); // seed = H( sk_seed || digest )
- for (unsigned int i = 0; i < LEN_SKSEED + _HASH_LEN; i++) {
- prng_preseed[i] ^= prng_preseed[i]; // clean
- }
- for (unsigned int i = 0; i < _HASH_LEN; i++) {
- prng_seed[i] ^= prng_seed[i]; // clean
- }
-
- // roll vinegars.
- uint8_t vinegar[_V1_BYTE];
- unsigned int n_attempt = 0;
- unsigned int l1_succ = 0;
- while (!l1_succ) {
- if (MAX_ATTEMPT_FRMAT <= n_attempt) {
- break;
- }
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_prng_gen(&prng_sign, vinegar, _V1_BYTE); // generating vinegars
- gfmat_prod(mat_l1, sk->l1_F2, _O1 * _O1_BYTE, _V1, vinegar); // generating the linear equations for layer 1
- l1_succ = gfmat_inv(mat_l1, mat_l1, _O1, mat_buffer); // check if the linear equation solvable
- n_attempt++;
- }
-
- // Given the vinegars, pre-compute variables needed for layer 2
- uint8_t r_l1_F1[_O1_BYTE] = {0};
- uint8_t r_l2_F1[_O2_BYTE] = {0};
- batch_quad_trimat_eval(r_l1_F1, sk->l1_F1, vinegar, _V1, _O1_BYTE);
- batch_quad_trimat_eval(r_l2_F1, sk->l2_F1, vinegar, _V1, _O2_BYTE);
- uint8_t mat_l2_F3[_O2 * _O2_BYTE];
- uint8_t mat_l2_F2[_O1 * _O2_BYTE];
- gfmat_prod(mat_l2_F3, sk->l2_F3, _O2 * _O2_BYTE, _V1, vinegar);
- gfmat_prod(mat_l2_F2, sk->l2_F2, _O1 * _O2_BYTE, _V1, vinegar);
-
- // Some local variables.
- uint8_t _z[_PUB_M_BYTE];
- uint8_t y[_PUB_M_BYTE];
- uint8_t *x_v1 = vinegar;
- uint8_t x_o1[_O1_BYTE];
- uint8_t x_o2[_O2_BYTE];
-
- uint8_t digest_salt[_HASH_LEN + _SALT_BYTE];
- memcpy(digest_salt, _digest, _HASH_LEN);
- uint8_t *salt = digest_salt + _HASH_LEN;
-
- uint8_t temp_o[_MAX_O_BYTE + 32] = {0};
- unsigned int succ = 0;
- while (!succ) {
- if (MAX_ATTEMPT_FRMAT <= n_attempt) {
- break;
- }
- // The computation: H(digest||salt) --> z --S--> y --C-map--> x --T--> w
-
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_prng_gen(&prng_sign, salt, _SALT_BYTE); // roll the salt
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_hash_msg(_z, _PUB_M_BYTE, digest_salt, _HASH_LEN + _SALT_BYTE); // H(digest||salt)
-
- // y = S^-1 * z
- memcpy(y, _z, _PUB_M_BYTE); // identity part of S
- gfmat_prod(temp_o, sk->s1, _O1_BYTE, _O2, _z + _O1_BYTE);
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_add(y, temp_o, _O1_BYTE);
-
- // Central Map:
- // layer 1: calculate x_o1
- memcpy(temp_o, r_l1_F1, _O1_BYTE);
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_add(temp_o, y, _O1_BYTE);
- gfmat_prod(x_o1, mat_l1, _O1_BYTE, _O1, temp_o);
-
- // layer 2: calculate x_o2
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_set_zero(temp_o, _O2_BYTE);
- gfmat_prod(temp_o, mat_l2_F2, _O2_BYTE, _O1, x_o1); // F2
- batch_quad_trimat_eval(mat_l2, sk->l2_F5, x_o1, _O1, _O2_BYTE); // F5
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_add(temp_o, mat_l2, _O2_BYTE);
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_add(temp_o, r_l2_F1, _O2_BYTE); // F1
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_add(temp_o, y + _O1_BYTE, _O2_BYTE);
-
- // generate the linear equations of the 2nd layer
- gfmat_prod(mat_l2, sk->l2_F6, _O2 * _O2_BYTE, _O1, x_o1); // F6
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_add(mat_l2, mat_l2_F3, _O2 * _O2_BYTE); // F3
- succ = gfmat_inv(mat_l2, mat_l2, _O2, mat_buffer);
- gfmat_prod(x_o2, mat_l2, _O2_BYTE, _O2, temp_o); // solve l2 eqs
-
- n_attempt++;
- };
- // w = T^-1 * y
- uint8_t w[_PUB_N_BYTE];
- // identity part of T.
- memcpy(w, x_v1, _V1_BYTE);
- memcpy(w + _V1_BYTE, x_o1, _O1_BYTE);
- memcpy(w + _V2_BYTE, x_o2, _O2_BYTE);
- // Computing the t1 part.
- gfmat_prod(y, sk->t1, _V1_BYTE, _O1, x_o1);
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_add(w, y, _V1_BYTE);
- // Computing the t4 part.
- gfmat_prod(y, sk->t4, _V1_BYTE, _O2, x_o2);
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_add(w, y, _V1_BYTE);
- // Computing the t3 part.
- gfmat_prod(y, sk->t3, _O1_BYTE, _O2, x_o2);
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_add(w + _V1_BYTE, y, _O1_BYTE);
-
- memset(signature, 0, _SIGNATURE_BYTE); // set the output 0
- // clean
- memset(&prng_sign, 0, sizeof(prng_t));
- memset(vinegar, 0, _V1_BYTE);
- memset(r_l1_F1, 0, _O1_BYTE);
- memset(r_l2_F1, 0, _O2_BYTE);
- memset(_z, 0, _PUB_M_BYTE);
- memset(y, 0, _PUB_M_BYTE);
- memset(x_o1, 0, _O1_BYTE);
- memset(x_o2, 0, _O2_BYTE);
- memset(temp_o, 0, sizeof(temp_o));
-
- // return: copy w and salt to the signature.
- if (MAX_ATTEMPT_FRMAT <= n_attempt) {
- return -1;
- }
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_add(signature, w, _PUB_N_BYTE);
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_add(signature + _PUB_N_BYTE, salt, _SALT_BYTE);
- return 0;
-}
-
-int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_rainbow_verify(const uint8_t *digest, const uint8_t *signature, const pk_t *pk) {
- unsigned char digest_ck[_PUB_M_BYTE];
- // public_map( digest_ck , pk , signature ); Evaluating the quadratic public polynomials.
- batch_quad_trimat_eval(digest_ck, pk->pk, signature, _PUB_N, _PUB_M_BYTE);
-
- unsigned char correct[_PUB_M_BYTE];
- unsigned char digest_salt[_HASH_LEN + _SALT_BYTE];
- memcpy(digest_salt, digest, _HASH_LEN);
- memcpy(digest_salt + _HASH_LEN, signature + _PUB_N_BYTE, _SALT_BYTE);
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_hash_msg(correct, _PUB_M_BYTE, digest_salt, _HASH_LEN + _SALT_BYTE); // H( digest || salt )
-
- // check consistancy.
- unsigned char cc = 0;
- for (unsigned int i = 0; i < _PUB_M_BYTE; i++) {
- cc |= (digest_ck[i] ^ correct[i]);
- }
- return (0 == cc) ? 0 : -1;
-}
-
-/////////////// cyclic version ///////////////////////////
-int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_rainbow_sign_cyclic(uint8_t *signature, const csk_t *csk, const uint8_t *digest) {
- unsigned char sk[sizeof(sk_t) + 32];
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_generate_secretkey_cyclic((sk_t *)sk, csk->pk_seed, csk->sk_seed); // generating classic secret key.
- return PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_rainbow_sign(signature, (sk_t *)sk, digest);
-}
-
-int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_rainbow_verify_cyclic(const uint8_t *digest, const uint8_t *signature, const cpk_t *_pk) {
- unsigned char pk[sizeof(pk_t) + 32];
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_cpk_to_pk((pk_t *)pk, _pk); // generating classic public key.
- return PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_rainbow_verify(digest, signature, (pk_t *)pk);
-}
diff --git a/crypto_sign/rainbowV-compressed/clean/rainbow.h b/crypto_sign/rainbowV-compressed/clean/rainbow.h
deleted file mode 100644
index a1c69bc5..00000000
--- a/crypto_sign/rainbowV-compressed/clean/rainbow.h
+++ /dev/null
@@ -1,50 +0,0 @@
-#ifndef _RAINBOW_H_
-#define _RAINBOW_H_
-/// @file rainbow.h
-/// @brief APIs for rainbow.
-///
-
-#include "rainbow_config.h"
-#include "rainbow_keypair.h"
-
-#include 
-
-///
-/// @brief Signing function for classical secret key.
-///
-/// @param[out] signature - the signature.
-/// @param[in] sk - the secret key.
-/// @param[in] digest - the digest.
-///
-int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_rainbow_sign(uint8_t *signature, const sk_t *sk, const uint8_t *digest);
-
-///
-/// @brief Verifying function.
-///
-/// @param[in] digest - the digest.
-/// @param[in] signature - the signature.
-/// @param[in] pk - the public key.
-/// @return 0 for successful verified. -1 for failed verification.
-///
-int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_rainbow_verify(const uint8_t *digest, const uint8_t *signature, const pk_t *pk);
-
-///
-/// @brief Signing function for compressed secret key of the cyclic rainbow.
-///
-/// @param[out] signature - the signature.
-/// @param[in] sk - the compressed secret key.
-/// @param[in] digest - the digest.
-///
-int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_rainbow_sign_cyclic(uint8_t *signature, const csk_t *sk, const uint8_t *digest);
-
-///
-/// @brief Verifying function for cyclic public keys.
-///
-/// @param[in] digest - the digest.
-/// @param[in] signature - the signature.
-/// @param[in] pk - the public key of cyclic rainbow.
-/// @return 0 for successful verified. -1 for failed verification.
-///
-int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_rainbow_verify_cyclic(const uint8_t *digest, const uint8_t *signature, const cpk_t *pk);
-
-#endif // _RAINBOW_H_
diff --git a/crypto_sign/rainbowV-compressed/clean/rainbow_blas.h b/crypto_sign/rainbowV-compressed/clean/rainbow_blas.h
deleted file mode 100644
index b33125f8..00000000
--- a/crypto_sign/rainbowV-compressed/clean/rainbow_blas.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef _RAINBOW_BLAS_H_
-#define _RAINBOW_BLAS_H_
-/// @file rainbow_blas.h
-/// @brief Defining the functions used in rainbow.c acconding to the definitions in rainbow_config.h
-///
-/// Defining the functions used in rainbow.c acconding to the definitions in rainbow_config.h
-
-#include "blas.h"
-#include "blas_comm.h"
-#include "parallel_matrix_op.h"
-#include "rainbow_config.h"
-
-
-#define gfv_get_ele PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_get_ele
-#define gfv_mul_scalar PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_mul_scalar
-#define gfv_madd PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_madd
-
-#define gfmat_prod PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256mat_prod
-#define gfmat_inv PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256mat_inv
-
-#define batch_trimat_madd PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_trimat_madd_gf256
-#define batch_trimatTr_madd PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_trimatTr_madd_gf256
-#define batch_2trimat_madd PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_2trimat_madd_gf256
-#define batch_matTr_madd PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_matTr_madd_gf256
-#define batch_bmatTr_madd PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_bmatTr_madd_gf256
-#define batch_mat_madd PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_mat_madd_gf256
-
-#define batch_quad_trimat_eval PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_quad_trimat_eval_gf256
-#define batch_quad_recmat_eval PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_batch_quad_recmat_eval_gf256
-
-
-#endif // _RAINBOW_BLAS_H_
diff --git a/crypto_sign/rainbowV-compressed/clean/rainbow_config.h b/crypto_sign/rainbowV-compressed/clean/rainbow_config.h
deleted file mode 100644
index e668ff3c..00000000
--- a/crypto_sign/rainbowV-compressed/clean/rainbow_config.h
+++ /dev/null
@@ -1,48 +0,0 @@
-#ifndef _H_RAINBOW_CONFIG_H_
-#define _H_RAINBOW_CONFIG_H_
-
-/// @file rainbow_config.h
-/// @brief Defining the parameters of the Rainbow and the corresponding constants.
-///
-
-#define _GFSIZE 256
-#define _V1 96
-#define _O1 36
-#define _O2 64
-#define _MAX_O 64
-#define _HASH_LEN 64
-
-
-#define _V2 ((_V1) + (_O1))
-
-/// size of N, in # of gf elements.
-#define _PUB_N (_V1 + _O1 + _O2)
-
-/// size of M, in # gf elements.
-#define _PUB_M (_O1 + _O2)
-
-/// size of variables, in # bytes.
-
-// GF256
-#define _V1_BYTE (_V1)
-#define _V2_BYTE (_V2)
-#define _O1_BYTE (_O1)
-#define _O2_BYTE (_O2)
-#define _MAX_O_BYTE (_MAX_O)
-#define _PUB_N_BYTE (_PUB_N)
-#define _PUB_M_BYTE (_PUB_M)
-
-
-/// length of seed for public key, in # bytes
-#define LEN_PKSEED 32
-
-/// length of seed for secret key, in # bytes
-#define LEN_SKSEED 32
-
-/// length of salt for a signature, in # bytes
-#define _SALT_BYTE 16
-
-/// length of a signature
-#define _SIGNATURE_BYTE (_PUB_N_BYTE + _SALT_BYTE)
-
-#endif // _H_RAINBOW_CONFIG_H_
diff --git a/crypto_sign/rainbowV-compressed/clean/rainbow_keypair.c b/crypto_sign/rainbowV-compressed/clean/rainbow_keypair.c
deleted file mode 100644
index d202b8af..00000000
--- a/crypto_sign/rainbowV-compressed/clean/rainbow_keypair.c
+++ /dev/null
@@ -1,217 +0,0 @@
-/// @file rainbow_keypair.c
-/// @brief implementations of functions in rainbow_keypair.h
-///
-
-#include "rainbow_keypair.h"
-#include "blas.h"
-#include "blas_comm.h"
-#include "rainbow_blas.h"
-#include "rainbow_keypair_computation.h"
-#include "utils_prng.h"
-#include 
-#include 
-#include 
-
-static
-void generate_S_T( unsigned char *s_and_t, prng_t *prng0 ) {
- sk_t *_sk;
- unsigned size;
-
- size = sizeof(_sk->s1);
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_prng_gen( prng0, s_and_t, size );
- s_and_t += size;
-
- size = sizeof(_sk->t1);
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_prng_gen( prng0, s_and_t, size );
- s_and_t += size;
-
- size = sizeof(_sk->t4);
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_prng_gen( prng0, s_and_t, size );
- s_and_t += size;
-
- size = sizeof(_sk->t3);
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_prng_gen( prng0, s_and_t, size );
-}
-
-
-static
-unsigned generate_l1_F12( unsigned char *sk, prng_t *prng0 ) {
- unsigned n_byte_generated = 0;
- sk_t *_sk;
- unsigned size;
-
- size = sizeof(_sk->l1_F1);
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_prng_gen( prng0, sk, size );
- sk += size;
- n_byte_generated += size;
-
- size = sizeof(_sk->l1_F2);
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_prng_gen( prng0, sk, size );
- n_byte_generated += size;
-
- return n_byte_generated;
-}
-
-
-static
-unsigned generate_l2_F12356( unsigned char *sk, prng_t *prng0 ) {
- unsigned n_byte_generated = 0;
- sk_t *_sk;
- unsigned size;
-
- size = sizeof(_sk->l2_F1);
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_prng_gen( prng0, sk, size );
- sk += size;
- n_byte_generated += size;
-
- size = sizeof(_sk->l2_F2);
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_prng_gen( prng0, sk, size );
- sk += size;
- n_byte_generated += size;
-
- size = sizeof(_sk->l2_F3);
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_prng_gen( prng0, sk, size );
- sk += size;
- n_byte_generated += size;
-
- size = sizeof(_sk->l2_F5);
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_prng_gen( prng0, sk, size );
- sk += size;
- n_byte_generated += size;
-
- size = sizeof(_sk->l2_F6);
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_prng_gen( prng0, sk, size );
- n_byte_generated += size;
-
- return n_byte_generated;
-}
-
-
-static void generate_B1_B2(unsigned char *sk, prng_t *prng0) {
- sk += generate_l1_F12(sk, prng0);
- generate_l2_F12356(sk, prng0);
-}
-
-static void calculate_t4(unsigned char *t2_to_t4, const unsigned char *t1, const unsigned char *t3) {
- // t4 = T_sk.t1 * T_sk.t3 - T_sk.t2
- unsigned char temp[_V1_BYTE + 32];
- unsigned char *t4 = t2_to_t4;
- for (unsigned int i = 0; i < _O2; i++) { /// t3 width
- gfmat_prod(temp, t1, _V1_BYTE, _O1, t3);
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_add(t4, temp, _V1_BYTE);
- t4 += _V1_BYTE;
- t3 += _O1_BYTE;
- }
-}
-
-static void obsfucate_l1_polys(unsigned char *l1_polys, const unsigned char *l2_polys, unsigned int n_terms, const unsigned char *s1) {
- unsigned char temp[_O1_BYTE + 32];
- while (n_terms--) {
- gfmat_prod(temp, s1, _O1_BYTE, _O2, l2_polys);
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_gf256v_add(l1_polys, temp, _O1_BYTE);
- l1_polys += _O1_BYTE;
- l2_polys += _O2_BYTE;
- }
-}
-
-/////////////////// Classic //////////////////////////////////
-
-
-///////////////////// Cyclic //////////////////////////////////
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_generate_keypair_cyclic(cpk_t *pk, sk_t *sk, const unsigned char *pk_seed, const unsigned char *sk_seed) {
- memcpy(pk->pk_seed, pk_seed, LEN_PKSEED);
- memcpy(sk->sk_seed, sk_seed, LEN_SKSEED);
-
- // prng for sk
- prng_t prng;
- prng_t *prng0 = &prng;
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_prng_set(prng0, sk_seed, LEN_SKSEED);
- generate_S_T(sk->s1, prng0); // S,T: only a part of sk
-
- unsigned char t2[sizeof(sk->t4)];
- memcpy(t2, sk->t4, _V1_BYTE * _O2); // temporarily store t2
- calculate_t4(sk->t4, sk->t1, sk->t3); // t2 <- t4
-
- // prng for pk
- sk_t inst_Qs;
- sk_t *Qs = &inst_Qs;
- prng_t *prng1 = &prng;
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_prng_set(prng1, pk_seed, LEN_PKSEED);
- generate_B1_B2(Qs->l1_F1, prng1); // generating l1_Q1, l1_Q2, l2_Q1, l2_Q2, l2_Q3, l2_Q5, l2_Q6
- obsfucate_l1_polys(Qs->l1_F1, Qs->l2_F1, N_TRIANGLE_TERMS(_V1), sk->s1);
- obsfucate_l1_polys(Qs->l1_F2, Qs->l2_F2, _V1 * _O1, sk->s1);
- // so far, the Qs contains l1_F1, l1_F2, l2_F1, l2_F2, l2_F3, l2_F5, l2_F6.
-
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_calculate_F_from_Q(sk, Qs, sk); // calcuate the rest parts of secret key from Qs and S,T
-
- unsigned char t4[sizeof(sk->t4)];
- memcpy(t4, sk->t4, _V1_BYTE * _O2); // temporarily store t4
- memcpy(sk->t4, t2, _V1_BYTE * _O2); // restore t2
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_calculate_Q_from_F_cyclic(pk, sk, sk); // calculate the rest parts of public key: l1_Q3, l1_Q5, l1_Q6, l1_Q9, l2_Q9
- memcpy(sk->t4, t4, _V1_BYTE * _O2); // restore t4
-
- obsfucate_l1_polys(pk->l1_Q3, Qs->l2_F3, _V1 * _O2, sk->s1);
- obsfucate_l1_polys(pk->l1_Q5, Qs->l2_F5, N_TRIANGLE_TERMS(_O1), sk->s1);
- obsfucate_l1_polys(pk->l1_Q6, Qs->l2_F6, _O1 * _O2, sk->s1);
- obsfucate_l1_polys(pk->l1_Q9, pk->l2_Q9, N_TRIANGLE_TERMS(_O2), sk->s1);
-
- // clean
- memset(&prng, 0, sizeof(prng_t));
-}
-
-
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_generate_compact_keypair_cyclic(cpk_t *pk, csk_t *rsk, const unsigned char *pk_seed, const unsigned char *sk_seed) {
- memcpy(rsk->pk_seed, pk_seed, LEN_PKSEED);
- memcpy(rsk->sk_seed, sk_seed, LEN_SKSEED);
- sk_t sk;
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_generate_keypair_cyclic(pk, &sk, pk_seed, sk_seed);
-}
-
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_generate_secretkey_cyclic(sk_t *sk, const unsigned char *pk_seed, const unsigned char *sk_seed) {
- memcpy(sk->sk_seed, sk_seed, LEN_SKSEED);
-
- // prng for sk
- prng_t prng0;
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_prng_set(&prng0, sk_seed, LEN_SKSEED);
- generate_S_T(sk->s1, &prng0);
- calculate_t4(sk->t4, sk->t1, sk->t3);
-
- // prng for pk
- sk_t inst_Qs;
- sk_t *Qs = &inst_Qs;
- prng_t prng1;
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_prng_set(&prng1, pk_seed, LEN_PKSEED);
- generate_B1_B2(Qs->l1_F1, &prng1);
-
- obsfucate_l1_polys(Qs->l1_F1, Qs->l2_F1, N_TRIANGLE_TERMS(_V1), sk->s1);
- obsfucate_l1_polys(Qs->l1_F2, Qs->l2_F2, _V1 * _O1, sk->s1);
-
- // calcuate the parts of sk according to pk.
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_calculate_F_from_Q(sk, Qs, sk);
-
- // clean prng for sk
- memset(&prng0, 0, sizeof(prng_t));
-}
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_cpk_to_pk(pk_t *rpk, const cpk_t *cpk) {
- // procedure: cpk_t --> extcpk_t --> pk_t
-
- // convert from cpk_t to extcpk_t
- ext_cpk_t pk;
-
- // setup prng
- prng_t prng0;
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_prng_set(&prng0, cpk->pk_seed, LEN_SKSEED);
-
- // generating parts of key with prng
- generate_l1_F12(pk.l1_Q1, &prng0);
- // copying parts of key from input. l1_Q3, l1_Q5, l1_Q6, l1_Q9
- memcpy(pk.l1_Q3, cpk->l1_Q3, _O1_BYTE * (_V1 * _O2 + N_TRIANGLE_TERMS(_O1) + _O1 * _O2 + N_TRIANGLE_TERMS(_O2)));
-
- // generating parts of key with prng
- generate_l2_F12356(pk.l2_Q1, &prng0);
- // copying parts of key from input: l2_Q9
- memcpy(pk.l2_Q9, cpk->l2_Q9, _O2_BYTE * N_TRIANGLE_TERMS(_O2));
-
- // convert from extcpk_t to pk_t
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_extcpk_to_pk(rpk, &pk);
-}
diff --git a/crypto_sign/rainbowV-compressed/clean/rainbow_keypair.h b/crypto_sign/rainbowV-compressed/clean/rainbow_keypair.h
deleted file mode 100644
index 9204d2c0..00000000
--- a/crypto_sign/rainbowV-compressed/clean/rainbow_keypair.h
+++ /dev/null
@@ -1,111 +0,0 @@
-#ifndef _RAINBOW_KEYPAIR_H_
-#define _RAINBOW_KEYPAIR_H_
-/// @file rainbow_keypair.h
-/// @brief Formats of key pairs and functions for generating key pairs.
-/// Formats of key pairs and functions for generating key pairs.
-///
-
-#include "rainbow_config.h"
-
-#define N_TRIANGLE_TERMS(n_var) ((n_var) * ((n_var) + 1) / 2)
-
-/// @brief public key for classic rainbow
-///
-/// public key for classic rainbow
-///
-typedef struct rainbow_publickey {
- unsigned char pk[(_PUB_M_BYTE)*N_TRIANGLE_TERMS(_PUB_N)];
-} pk_t;
-
-/// @brief secret key for classic rainbow
-///
-/// secret key for classic rainbow
-///
-typedef struct rainbow_secretkey {
- ///
- /// seed for generating secret key.
- /// Generating S, T, and F for classic rainbow.
- /// Generating S and T only for cyclic rainbow.
- unsigned char sk_seed[LEN_SKSEED];
-
- unsigned char s1[_O1_BYTE * _O2]; ///< part of S map
- unsigned char t1[_V1_BYTE * _O1]; ///< part of T map
- unsigned char t4[_V1_BYTE * _O2]; ///< part of T map
- unsigned char t3[_O1_BYTE * _O2]; ///< part of T map
-
- unsigned char l1_F1[_O1_BYTE * N_TRIANGLE_TERMS(_V1)]; ///< part of C-map, F1, Layer1
- unsigned char l1_F2[_O1_BYTE * _V1 * _O1]; ///< part of C-map, F2, Layer1
-
- unsigned char l2_F1[_O2_BYTE * N_TRIANGLE_TERMS(_V1)]; ///< part of C-map, F1, Layer2
- unsigned char l2_F2[_O2_BYTE * _V1 * _O1]; ///< part of C-map, F2, Layer2
-
- unsigned char l2_F3[_O2_BYTE * _V1 * _O2]; ///< part of C-map, F3, Layer2
- unsigned char l2_F5[_O2_BYTE * N_TRIANGLE_TERMS(_O1)]; ///< part of C-map, F5, Layer2
- unsigned char l2_F6[_O2_BYTE * _O1 * _O2]; ///< part of C-map, F6, Layer2
-} sk_t;
-
-/// @brief public key for cyclic rainbow
-///
-/// public key for cyclic rainbow
-///
-typedef struct rainbow_publickey_cyclic {
- unsigned char pk_seed[LEN_PKSEED]; ///< seed for generating l1_Q1,l1_Q2,l2_Q1,l2_Q2,l2_Q3,l2_Q5,l2_Q6
-
- unsigned char l1_Q3[_O1_BYTE * _V1 * _O2]; ///< Q3, layer1
- unsigned char l1_Q5[_O1_BYTE * N_TRIANGLE_TERMS(_O1)]; ///< Q5, layer1
- unsigned char l1_Q6[_O1_BYTE * _O1 * _O2]; ///< Q6, layer1
- unsigned char l1_Q9[_O1_BYTE * N_TRIANGLE_TERMS(_O2)]; ///< Q9, layer1
-
- unsigned char l2_Q9[_O2_BYTE * N_TRIANGLE_TERMS(_O2)]; ///< Q9, layer2
-} cpk_t;
-
-/// @brief compressed secret key for cyclic rainbow
-///
-/// compressed secret key for cyclic rainbow
-///
-typedef struct rainbow_secretkey_cyclic {
- unsigned char pk_seed[LEN_PKSEED]; ///< seed for generating a part of public key.
- unsigned char sk_seed[LEN_SKSEED]; ///< seed for generating a part of secret key.
-} csk_t;
-
-
-///
-/// @brief Generate key pairs for cyclic rainbow.
-///
-/// @param[out] pk - the public key.
-/// @param[out] sk - the secret key.
-/// @param[in] pk_seed - seed for generating parts of public key.
-/// @param[in] sk_seed - seed for generating secret key.
-///
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_generate_keypair_cyclic(cpk_t *pk, sk_t *sk, const unsigned char *pk_seed, const unsigned char *sk_seed);
-
-///
-/// @brief Generate compressed key pairs for cyclic rainbow.
-///
-/// @param[out] pk - the public key.
-/// @param[out] sk - the compressed secret key.
-/// @param[in] pk_seed - seed for generating parts of the public key.
-/// @param[in] sk_seed - seed for generating the secret key.
-///
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_generate_compact_keypair_cyclic(cpk_t *pk, csk_t *sk, const unsigned char *pk_seed, const unsigned char *sk_seed);
-
-///
-/// @brief Generate secret key for cyclic rainbow.
-///
-/// @param[out] sk - the secret key.
-/// @param[in] pk_seed - seed for generating parts of the pbulic key.
-/// @param[in] sk_seed - seed for generating the secret key.
-///
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_generate_secretkey_cyclic(sk_t *sk, const unsigned char *pk_seed, const unsigned char *sk_seed);
-
-////////////////////////////////////
-
-///
-/// @brief converting formats of public keys : from cyclic version to classic key
-///
-/// @param[out] pk - the classic public key.
-/// @param[in] cpk - the cyclic public key.
-///
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_cpk_to_pk(pk_t *pk, const cpk_t *cpk);
-
-#endif // _RAINBOW_KEYPAIR_H_
diff --git a/crypto_sign/rainbowV-compressed/clean/rainbow_keypair_computation.c b/crypto_sign/rainbowV-compressed/clean/rainbow_keypair_computation.c
deleted file mode 100644
index aafa84dc..00000000
--- a/crypto_sign/rainbowV-compressed/clean/rainbow_keypair_computation.c
+++ /dev/null
@@ -1,213 +0,0 @@
-/// @file rainbow_keypair_computation.c
-/// @brief Implementations for functions in rainbow_keypair_computation.h
-///
-
-#include "rainbow_keypair_computation.h"
-#include "blas.h"
-#include "blas_comm.h"
-#include "rainbow_blas.h"
-#include "rainbow_keypair.h"
-#include 
-#include 
-#include 
-
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_extcpk_to_pk(pk_t *pk, const ext_cpk_t *cpk) {
- const unsigned char *idx_l1 = cpk->l1_Q1;
- const unsigned char *idx_l2 = cpk->l2_Q1;
- for (unsigned int i = 0; i < _V1; i++) {
- for (unsigned int j = i; j < _V1; j++) {
- unsigned int pub_idx = PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_idx_of_trimat(i, j, _PUB_N);
- memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE);
- memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE);
- idx_l1 += _O1_BYTE;
- idx_l2 += _O2_BYTE;
- }
- }
- idx_l1 = cpk->l1_Q2;
- idx_l2 = cpk->l2_Q2;
- for (unsigned int i = 0; i < _V1; i++) {
- for (unsigned int j = _V1; j < _V1 + _O1; j++) {
- unsigned int pub_idx = PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_idx_of_trimat(i, j, _PUB_N);
- memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE);
- memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE);
- idx_l1 += _O1_BYTE;
- idx_l2 += _O2_BYTE;
- }
- }
- idx_l1 = cpk->l1_Q3;
- idx_l2 = cpk->l2_Q3;
- for (unsigned int i = 0; i < _V1; i++) {
- for (unsigned int j = _V1 + _O1; j < _PUB_N; j++) {
- unsigned int pub_idx = PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_idx_of_trimat(i, j, _PUB_N);
- memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE);
- memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE);
- idx_l1 += _O1_BYTE;
- idx_l2 += _O2_BYTE;
- }
- }
- idx_l1 = cpk->l1_Q5;
- idx_l2 = cpk->l2_Q5;
- for (unsigned int i = _V1; i < _V1 + _O1; i++) {
- for (unsigned int j = i; j < _V1 + _O1; j++) {
- unsigned int pub_idx = PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_idx_of_trimat(i, j, _PUB_N);
- memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE);
- memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE);
- idx_l1 += _O1_BYTE;
- idx_l2 += _O2_BYTE;
- }
- }
- idx_l1 = cpk->l1_Q6;
- idx_l2 = cpk->l2_Q6;
- for (unsigned int i = _V1; i < _V1 + _O1; i++) {
- for (unsigned int j = _V1 + _O1; j < _PUB_N; j++) {
- unsigned int pub_idx = PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_idx_of_trimat(i, j, _PUB_N);
- memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE);
- memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE);
- idx_l1 += _O1_BYTE;
- idx_l2 += _O2_BYTE;
- }
- }
- idx_l1 = cpk->l1_Q9;
- idx_l2 = cpk->l2_Q9;
- for (unsigned int i = _V1 + _O1; i < _PUB_N; i++) {
- for (unsigned int j = i; j < _PUB_N; j++) {
- unsigned int pub_idx = PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_idx_of_trimat(i, j, _PUB_N);
- memcpy(&pk->pk[_PUB_M_BYTE * pub_idx], idx_l1, _O1_BYTE);
- memcpy((&pk->pk[_PUB_M_BYTE * pub_idx]) + _O1_BYTE, idx_l2, _O2_BYTE);
- idx_l1 += _O1_BYTE;
- idx_l2 += _O2_BYTE;
- }
- }
-}
-
-static void calculate_F_from_Q_ref(sk_t *Fs, const sk_t *Qs, sk_t *Ts) {
- // Layer 1
- // F_sk.l1_F1s[i] = Q_pk.l1_F1s[i]
- memcpy(Fs->l1_F1, Qs->l1_F1, _O1_BYTE * N_TRIANGLE_TERMS(_V1));
-
- // F_sk.l1_F2s[i] = ( Q_pk.l1_F1s[i] + Q_pk.l1_F1s[i].transpose() ) * T_sk.t1 + Q_pk.l1_F2s[i]
- memcpy(Fs->l1_F2, Qs->l1_F2, _O1_BYTE * _V1 * _O1);
- batch_2trimat_madd(Fs->l1_F2, Qs->l1_F1, Ts->t1, _V1, _V1_BYTE, _O1, _O1_BYTE);
-
- /*
- Layer 2
- computations:
-
- F_sk.l2_F1s[i] = Q_pk.l2_F1s[i]
-
- Q1_T1 = Q_pk.l2_F1s[i]*T_sk.t1
- F_sk.l2_F2s[i] = Q1_T1 + Q_pk.l2_F2s[i] + Q_pk.l2_F1s[i].transpose() * T_sk.t1
- F_sk.l2_F5s[i] = UT( t1_tr* ( Q1_T1 + Q_pk.l2_F2s[i] ) ) + Q_pk.l2_F5s[i]
-
- Q1_Q1T_T4 = (Q_pk.l2_F1s[i] + Q_pk.l2_F1s[i].transpose()) * t4
- #Q1_Q1T_T4 = Q1_Q1T * t4
- Q2_T3 = Q_pk.l2_F2s[i]*T_sk.t3
- F_sk.l2_F3s[i] = Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i]
- F_sk.l2_F6s[i] = t1_tr * ( Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i] )
- + Q_pk.l2_F2s[i].transpose() * t4
- + (Q_pk.l2_F5s[i] + Q_pk.l2_F5s[i].transpose())*T_sk.t3 + Q_pk.l2_F6s[i]
-
- */
- memcpy(Fs->l2_F1, Qs->l2_F1, _O2_BYTE * N_TRIANGLE_TERMS(_V1)); // F_sk.l2_F1s[i] = Q_pk.l2_F1s[i]
-
- // F_sk.l2_F2s[i] = Q1_T1 + Q_pk.l2_F2s[i] + Q_pk.l2_F1s[i].transpose() * T_sk.t1
- // F_sk.l2_F5s[i] = UT( t1_tr* ( Q1_T1 + Q_pk.l2_F2s[i] ) ) + Q_pk.l2_F5s[i]
- memcpy(Fs->l2_F2, Qs->l2_F2, _O2_BYTE * _V1 * _O1);
- batch_trimat_madd(Fs->l2_F2, Qs->l2_F1, Ts->t1, _V1, _V1_BYTE, _O1, _O2_BYTE); // Q1_T1+ Q2
-
- unsigned char tempQ[_O1 * _O1 * _O2_BYTE + 32];
- memset(tempQ, 0, _O1 * _O1 * _O2_BYTE);
- batch_matTr_madd(tempQ, Ts->t1, _V1, _V1_BYTE, _O1, Fs->l2_F2, _O1, _O2_BYTE); // t1_tr*(Q1_T1+Q2)
- memcpy(Fs->l2_F5, Qs->l2_F5, _O2_BYTE * N_TRIANGLE_TERMS(_O1)); // F5
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_UpperTrianglize(Fs->l2_F5, tempQ, _O1, _O2_BYTE); // UT( ... )
-
- batch_trimatTr_madd(Fs->l2_F2, Qs->l2_F1, Ts->t1, _V1, _V1_BYTE, _O1, _O2_BYTE); // F2 = Q1_T1 + Q2 + Q1^tr*t1
-
- // Q1_Q1T_T4 = (Q_pk.l2_F1s[i] + Q_pk.l2_F1s[i].transpose()) * t4
- // Q2_T3 = Q_pk.l2_F2s[i]*T_sk.t3
- // F_sk.l2_F3s[i] = Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i]
- memcpy(Fs->l2_F3, Qs->l2_F3, _V1 * _O2 * _O2_BYTE);
- batch_2trimat_madd(Fs->l2_F3, Qs->l2_F1, Ts->t4, _V1, _V1_BYTE, _O2, _O2_BYTE); // Q1_Q1T_T4
- batch_mat_madd(Fs->l2_F3, Qs->l2_F2, _V1, Ts->t3, _O1, _O1_BYTE, _O2, _O2_BYTE); // Q2_T3
-
- // F_sk.l2_F6s[i] = t1_tr * ( Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i] )
- // + Q_pk.l2_F2s[i].transpose() * t4
- // + (Q_pk.l2_F5s[i] + Q_pk.l2_F5s[i].transpose())*T_sk.t3 + Q_pk.l2_F6s[i]
- memcpy(Fs->l2_F6, Qs->l2_F6, _O1 * _O2 * _O2_BYTE);
- batch_matTr_madd(Fs->l2_F6, Ts->t1, _V1, _V1_BYTE, _O1, Fs->l2_F3, _O2, _O2_BYTE); // t1_tr * ( Q1_Q1T_T4 + Q2_T3 + Q_pk.l2_F3s[i] )
- batch_2trimat_madd(Fs->l2_F6, Qs->l2_F5, Ts->t3, _O1, _O1_BYTE, _O2, _O2_BYTE); // (Q_pk.l2_F5s[i] + Q_pk.l2_F5s[i].transpose())*T_sk.t3
- batch_bmatTr_madd(Fs->l2_F6, Qs->l2_F2, _O1, Ts->t4, _V1, _V1_BYTE, _O2, _O2_BYTE);
-}
-
-#define _SIZE_BUFFER_F2 (_O2_BYTE * _V1 * _O2)
-#define _SIZE_BUFFER_F3 (_O2_BYTE * _V1 * _O2)
-static void calculate_Q_from_F_cyclic_ref(cpk_t *Qs, const sk_t *Fs, const sk_t *Ts) {
- // Layer 1: Computing Q5, Q3, Q6, Q9
-
- // Q_pk.l1_F5s[i] = UT( T1tr* (F1 * T1 + F2) )
- const unsigned char *t2 = Ts->t4;
-
- // assuming _O2 >= _O1
-
- unsigned char buffer_F2[_SIZE_BUFFER_F2];
- memcpy(buffer_F2, Fs->l1_F2, _O1_BYTE * _V1 * _O1);
- batch_trimat_madd( buffer_F2, Fs->l1_F1, Ts->t1, _V1, _V1_BYTE, _O1, _O1_BYTE); // F1*T1 + F2
-
- // assuming _O2 >= _O1
- unsigned char buffer_F3[_SIZE_BUFFER_F3];
- memset(buffer_F3, 0, _O1_BYTE * _V1 * _O2);
- batch_matTr_madd(buffer_F3, Ts->t1, _V1, _V1_BYTE, _O1, buffer_F2, _O1, _O1_BYTE); // T1tr*(F1*T1 + F2) , release buffer_F2
- memset(Qs->l1_Q5, 0, _O1_BYTE * N_TRIANGLE_TERMS(_O1));
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_UpperTrianglize(Qs->l1_Q5, buffer_F3, _O1, _O1_BYTE); // UT( ... ) // Q5 , release buffer_F3
- /*
- F1_T2 = F1 * t2
- F2_T3 = F2 * t3
- F1_F1T_T2 + F2_T3 = F1_T2 + F2_T3 + F1tr * t2
- Q_pk.l1_F3s[i] = F1_F1T_T2 + F2_T3
- Q_pk.l1_F6s[i] = T1tr* ( F1_F1T_T2 + F2_T3 ) + F2tr * t2
- Q_pk.l1_F9s[i] = UT( T2tr* ( F1_T2 + F2_T3 ) )
- */
- memset(Qs->l1_Q3, 0, _O1_BYTE * _V1 * _O2);
- memset(Qs->l1_Q6, 0, _O1_BYTE * _O1 * _O2);
- memset(Qs->l1_Q9, 0, _O1_BYTE * N_TRIANGLE_TERMS(_O2));
-
- batch_trimat_madd(Qs->l1_Q3, Fs->l1_F1, t2, _V1, _V1_BYTE, _O2, _O1_BYTE); // F1*T2
- batch_mat_madd(Qs->l1_Q3, Fs->l1_F2, _V1, Ts->t3, _O1, _O1_BYTE, _O2, _O1_BYTE); // F1_T2 + F
- memset(buffer_F3, 0, _O1_BYTE * _V1 * _O2);
- batch_matTr_madd(buffer_F3, t2, _V1, _V1_BYTE, _O2, Qs->l1_Q3, _O2, _O1_BYTE); // T2tr * ( F1_T2 + F2_T3 )
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_UpperTrianglize(Qs->l1_Q9, buffer_F3, _O2, _O1_BYTE); // Q9 , release buffe
- batch_trimatTr_madd(Qs->l1_Q3, Fs->l1_F1, t2, _V1, _V1_BYTE, _O2, _O1_BYTE); // F1_F1T_T2 + F2_T3 /
- batch_bmatTr_madd(Qs->l1_Q6, Fs->l1_F2, _O1, t2, _V1, _V1_BYTE, _O2, _O1_BYTE); // F2tr*T2
- batch_matTr_madd(Qs->l1_Q6, Ts->t1, _V1, _V1_BYTE, _O1, Qs->l1_Q3, _O2, _O1_BYTE); // Q6
- /*
- Layer 2
- Computing
- F1_T2 = F1 * t2
- F2_T3 = F2 * t3
- Q9 = UT( T2tr*( F1*T2 + F2*T3 + F3 ) + T3tr*( F5*T3 + F6 ) )
- */
- memcpy(buffer_F3, Fs->l2_F3, _O2_BYTE * _V1 * _O2);
- batch_trimat_madd(buffer_F3, Fs->l2_F1, t2, _V1, _V1_BYTE, _O2, _O2_BYTE); // F1*T2 + F3
- batch_mat_madd(buffer_F3, Fs->l2_F2, _V1, Ts->t3, _O1, _O1_BYTE, _O2, _O2_BYTE); // F1_T2 + F2_T3
- memset(buffer_F2, 0, _O2_BYTE * _V1 * _O2);
- batch_matTr_madd(buffer_F2, t2, _V1, _V1_BYTE, _O2, buffer_F3, _O2, _O2_BYTE); // T2tr * ( ..... ) , release buffe
- memcpy(buffer_F3, Fs->l2_F6, _O2_BYTE * _O1 * _O2);
- batch_trimat_madd(buffer_F3, Fs->l2_F5, Ts->t3, _O1, _O1_BYTE, _O2, _O2_BYTE); // F5*T3 + F6
- batch_matTr_madd(buffer_F2, Ts->t3, _O1, _O1_BYTE, _O2, buffer_F3, _O2, _O2_BYTE); // T2tr*( ..... ) + T3tr*( ..... )
- memset(Qs->l2_Q9, 0, _O2_BYTE * N_TRIANGLE_TERMS(_O2));
- PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_UpperTrianglize(Qs->l2_Q9, buffer_F2, _O2, _O2_BYTE); // Q9
- memset(buffer_F2, 0, _SIZE_BUFFER_F2);
- memset(buffer_F3, 0, _SIZE_BUFFER_F3);
-}
-
-// Choosing implementations depends on the macros: _BLAS_SSE_ and _BLAS_AVX2_
-#define calculate_F_from_Q_impl calculate_F_from_Q_ref
-#define calculate_Q_from_F_cyclic_impl calculate_Q_from_F_cyclic_ref
-
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_calculate_F_from_Q(sk_t *Fs, const sk_t *Qs, sk_t *Ts) {
- calculate_F_from_Q_impl(Fs, Qs, Ts);
-}
-
-void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_calculate_Q_from_F_cyclic(cpk_t *Qs, const sk_t *Fs, const sk_t *Ts) {
- calculate_Q_from_F_cyclic_impl(Qs, Fs, Ts);
-}
diff --git a/crypto_sign/rainbowV-compressed/clean/rainbow_keypair_computation.h b/crypto_sign/rainbowV-compressed/clean/rainbow_keypair_computation.h
deleted file mode 100644
index 68e7234a..00000000
--- a/crypto_sign/rainbowV-compressed/clean/rainbow_keypair_computation.h
+++ /dev/null
@@ -1,71 +0,0 @@ -#ifndef _RAINBOW_KEYPAIR_COMP_H_ -#define _RAINBOW_KEYPAIR_COMP_H_ -/// @file rainbow_keypair_computation.h -/// @brief Functions for calculating pk/sk while generating keys. -/// -/// Defining an internal structure of public key. -/// Functions for calculating pk/sk for key generation. -/// - -#include "rainbow_keypair.h" - -/// @brief The (internal use) public key for rainbow -/// -/// The (internal use) public key for rainbow. The public -/// polynomials are divided into l1_Q1, l1_Q2, ... l1_Q9, -/// l2_Q1, .... , l2_Q9. -/// -typedef struct rainbow_extend_publickey { - unsigned char l1_Q1[_O1_BYTE * N_TRIANGLE_TERMS(_V1)]; - unsigned char l1_Q2[_O1_BYTE * _V1 * _O1]; - unsigned char l1_Q3[_O1_BYTE * _V1 * _O2]; - unsigned char l1_Q5[_O1_BYTE * N_TRIANGLE_TERMS(_O1)]; - unsigned char l1_Q6[_O1_BYTE * _O1 * _O2]; - unsigned char l1_Q9[_O1_BYTE * N_TRIANGLE_TERMS(_O2)]; - - unsigned char l2_Q1[_O2_BYTE * N_TRIANGLE_TERMS(_V1)]; - unsigned char l2_Q2[_O2_BYTE * _V1 * _O1]; - unsigned char l2_Q3[_O2_BYTE * _V1 * _O2]; - unsigned char l2_Q5[_O2_BYTE * N_TRIANGLE_TERMS(_O1)]; - unsigned char l2_Q6[_O2_BYTE * _O1 * _O2]; - unsigned char l2_Q9[_O2_BYTE * N_TRIANGLE_TERMS(_O2)]; -} ext_cpk_t; - -/// -/// @brief converting formats of public keys : from ext_cpk_t version to pk_t -/// -/// @param[out] pk - the classic public key. -/// @param[in] cpk - the internel public key. 
-/// -void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_extcpk_to_pk(pk_t *pk, const ext_cpk_t *cpk); -///////////////////////////////////////////////// - -/// -/// @brief Computing public key from secret key -/// -/// @param[out] Qs - the public key -/// @param[in] Fs - parts of the secret key: l1_F1, l1_F2, l2_F1, l2_F2, l2_F3, l2_F5, l2_F6 -/// @param[in] Ts - parts of the secret key: T1, T4, T3 -/// -void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_calculate_Q_from_F(ext_cpk_t *Qs, const sk_t *Fs, const sk_t *Ts); - - -/// -/// @brief Computing parts of the sk from parts of pk and sk -/// -/// @param[out] Fs - parts of the sk: l1_F1, l1_F2, l2_F1, l2_F2, l2_F3, l2_F5, l2_F6 -/// @param[in] Qs - parts of the pk: l1_Q1, l1_Q2, l2_Q1, l2_Q2, l2_Q3, l2_Q5, l2_Q6 -/// @param[in] Ts - parts of the sk: T1, T4, T3 -/// -void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_calculate_F_from_Q(sk_t *Fs, const sk_t *Qs, sk_t *Ts); - -/// -/// @brief Computing parts of the pk from the secret key -/// -/// @param[out] Qs - parts of the pk: l1_Q3, l1_Q5, l2_Q6, l1_Q9, l2_Q9 -/// @param[in] Fs - parts of the sk: l1_F1, l1_F2, l2_F1, l2_F2, l2_F3, l2_F5, l2_F6 -/// @param[in] Ts - parts of the sk: T1, T4, T3 -/// -void PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_calculate_Q_from_F_cyclic(cpk_t *Qs, const sk_t *Fs, const sk_t *Ts); - -#endif // _RAINBOW_KEYPAIR_COMP_H_ diff --git a/crypto_sign/rainbowV-compressed/clean/sign.c b/crypto_sign/rainbowV-compressed/clean/sign.c deleted file mode 100644 index 335e7bfd..00000000 --- a/crypto_sign/rainbowV-compressed/clean/sign.c +++ /dev/null 
@@ -1,76 +0,0 @@ -/// @file sign.c -/// @brief the implementations for functions in api.h -/// -/// - -#include "api.h" -#include "rainbow.h" -#include "rainbow_config.h" -#include "rainbow_keypair.h" -#include "randombytes.h" -#include "utils_hash.h" -#include -#include - -int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_crypto_sign_keypair(unsigned char *pk, unsigned char *sk) { - unsigned char sk_seed[LEN_SKSEED] = {0}; - randombytes(sk_seed, LEN_SKSEED); - - unsigned char pk_seed[LEN_PKSEED] = {0}; - randombytes(pk_seed, LEN_PKSEED); - PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_generate_compact_keypair_cyclic((cpk_t *)pk, (csk_t *)sk, pk_seed, sk_seed); - return 0; -} - -int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_crypto_sign(unsigned char *sm, size_t *smlen, const unsigned char *m, size_t mlen, const unsigned char *sk) { - unsigned char digest[_HASH_LEN]; - - PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_hash_msg(digest, _HASH_LEN, m, mlen); - - memcpy(sm, m, mlen); - smlen[0] = mlen + _SIGNATURE_BYTE; - - return PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_rainbow_sign_cyclic(sm + mlen, (const csk_t *)sk, digest); -} - -int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_crypto_sign_open(unsigned char *m, size_t *mlen, const unsigned char *sm, size_t smlen, const unsigned char *pk) { - int rc; - if (_SIGNATURE_BYTE > smlen) { - rc = -1; - } else { - *mlen = smlen - _SIGNATURE_BYTE; - - unsigned char digest[_HASH_LEN]; - PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_hash_msg(digest, _HASH_LEN, sm, *mlen); - - rc = PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_rainbow_verify_cyclic(digest, sm + mlen[0], (const cpk_t *)pk); - } - if (!rc) { - memmove(m, sm, smlen - _SIGNATURE_BYTE); - } else { // bad signature - *mlen = (size_t) -1; - memset(m, 0, smlen); - } - return rc; -} - -int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - unsigned char digest[_HASH_LEN]; - - PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_hash_msg(digest, _HASH_LEN, m, mlen); - *siglen = 
_SIGNATURE_BYTE; - return PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_rainbow_sign_cyclic(sig, (const csk_t *)sk, digest); -} - -int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - if (siglen != _SIGNATURE_BYTE) { - return -1; - } - unsigned char digest[_HASH_LEN]; - PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_hash_msg(digest, _HASH_LEN, m, mlen); - return PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_rainbow_verify_cyclic(digest, sig, (const cpk_t *)pk); -} diff --git a/crypto_sign/rainbowV-compressed/clean/utils_hash.c b/crypto_sign/rainbowV-compressed/clean/utils_hash.c deleted file mode 100644 index d3ab9aec..00000000 --- a/crypto_sign/rainbowV-compressed/clean/utils_hash.c +++ /dev/null @@ -1,50 +0,0 @@ -/// @file utils_hash.c -/// @brief the adapter for SHA2 families. -/// -/// - -#include "utils_hash.h" -#include "rainbow_config.h" -#include "sha2.h" - -static inline int h(unsigned char *digest, const unsigned char *m, size_t mlen) { - sha512(digest, m, mlen); - return 0; -} - -static inline int expand_hash(unsigned char *digest, size_t n_digest, const unsigned char *hash) { - if (_HASH_LEN >= n_digest) { - for (size_t i = 0; i < n_digest; i++) { - digest[i] = hash[i]; - } - return 0; - } - for (size_t i = 0; i < _HASH_LEN; i++) { - digest[i] = hash[i]; - } - n_digest -= _HASH_LEN; - - while (_HASH_LEN <= n_digest) { - h(digest + _HASH_LEN, digest, _HASH_LEN); - - n_digest -= _HASH_LEN; - digest += _HASH_LEN; - } - unsigned char temp[_HASH_LEN]; - if (n_digest) { - h(temp, digest, _HASH_LEN); - for (size_t i = 0; i < n_digest; i++) { - digest[_HASH_LEN + i] = temp[i]; - } - } - return 0; -} - -int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_hash_msg(unsigned char *digest, - size_t len_digest, - const unsigned char *m, - size_t mlen) { - unsigned char buf[_HASH_LEN]; - h(buf, m, mlen); - return expand_hash(digest, len_digest, buf); -} 
diff --git a/crypto_sign/rainbowV-compressed/clean/utils_hash.h b/crypto_sign/rainbowV-compressed/clean/utils_hash.h deleted file mode 100644 index b1577ac1..00000000 --- a/crypto_sign/rainbowV-compressed/clean/utils_hash.h +++ /dev/null @@ -1,11 +0,0 @@ -#ifndef _UTILS_HASH_H_ -#define _UTILS_HASH_H_ -/// @file utils_hash.h -/// @brief the interface for adapting hash functions. -/// - -#include - -int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_hash_msg(unsigned char *digest, size_t len_digest, const unsigned char *m, size_t mlen); - -#endif // _UTILS_HASH_H_ diff --git a/crypto_sign/rainbowV-compressed/clean/utils_prng.c b/crypto_sign/rainbowV-compressed/clean/utils_prng.c deleted file mode 100644 index 378939db..00000000 --- a/crypto_sign/rainbowV-compressed/clean/utils_prng.c +++ /dev/null 
@@ -1,97 +0,0 @@ -/// @file utils_prng.c -/// @brief The implementation of PRNG related functions. -/// - -#include "utils_prng.h" -#include "aes.h" -#include "randombytes.h" -#include "utils_hash.h" -#include -#include - -static void prng_update(const unsigned char *provided_data, - unsigned char *Key, - unsigned char *V) { - unsigned char temp[48]; - aes256ctx ctx; - aes256_ecb_keyexp(&ctx, Key); - for (int i = 0; i < 3; i++) { - //increment V - for (int j = 15; j >= 0; j--) { - if (V[j] == 0xff) { - V[j] = 0x00; - } else { - V[j]++; - break; - } - } - aes256_ecb(temp + 16 * i, V, 1, &ctx); - } - if (provided_data != NULL) { - for (int i = 0; i < 48; i++) { - temp[i] ^= provided_data[i]; - } - } - aes256_ctx_release(&ctx); - memcpy(Key, temp, 32); - memcpy(V, temp + 32, 16); -} -static void randombytes_init_with_state(prng_t *state, - unsigned char *entropy_input_48bytes) { - memset(state->Key, 0x00, 32); - memset(state->V, 0x00, 16); - prng_update(entropy_input_48bytes, state->Key, state->V); -} - -static int randombytes_with_state(prng_t *state, - unsigned char *x, - size_t xlen) { - - unsigned char block[16]; - int i = 0; - - aes256ctx ctx; - aes256_ecb_keyexp(&ctx, state->Key); - - while (xlen > 0) { - //increment V - for (int j = 15; j >= 0; j--) { - if (state->V[j] == 0xff) { - state->V[j] = 0x00; - } else { - state->V[j]++; - break; - } - } - aes256_ecb(block, state->V, 1, &ctx); - if (xlen > 15) { - memcpy(x + i, block, 16); - i += 16; - xlen -= 16; - } else { - memcpy(x + i, block, xlen); - xlen = 0; - } - } - aes256_ctx_release(&ctx); - prng_update(NULL, state->Key, state->V); - return 0; -} - -int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_prng_set(prng_t *ctx, const void *prng_seed, unsigned long prng_seedlen) { - unsigned char seed[48]; - if (prng_seedlen >= 48) { - memcpy(seed, prng_seed, 48); - } else { - memcpy(seed, prng_seed, prng_seedlen); - PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_hash_msg(seed + prng_seedlen, 48 - (unsigned)prng_seedlen, (const unsigned char 
*)prng_seed, prng_seedlen); - } - - randombytes_init_with_state(ctx, seed); - - return 0; -} - -int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_prng_gen(prng_t *ctx, unsigned char *out, unsigned long outlen) { - return randombytes_with_state(ctx, out, outlen); -} diff --git a/crypto_sign/rainbowV-compressed/clean/utils_prng.h b/crypto_sign/rainbowV-compressed/clean/utils_prng.h deleted file mode 100644 index fdd2a7b2..00000000 --- a/crypto_sign/rainbowV-compressed/clean/utils_prng.h +++ /dev/null @@ -1,18 +0,0 @@ -#ifndef _UTILS_PRNG_H_ -#define _UTILS_PRNG_H_ -/// @file utils_prng.h -/// @brief the interface for adapting PRNG functions. -/// -/// - -#include "randombytes.h" - -typedef struct { - unsigned char Key[32]; - unsigned char V[16]; -} prng_t; - -int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_prng_set(prng_t *ctx, const void *prng_seed, unsigned long prng_seedlen); -int PQCLEAN_RAINBOWVCOMPRESSED_CLEAN_prng_gen(prng_t *ctx, unsigned char *out, unsigned long outlen); - -#endif // _UTILS_PRNG_H_ diff --git a/crypto_sign/sphincs-haraka-128f-robust/META.yml b/crypto_sign/sphincs-haraka-128f-robust/META.yml deleted file mode 100644 index 5b5686d9..00000000 --- a/crypto_sign/sphincs-haraka-128f-robust/META.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -name: SPHINCS+ -type: signature -claimed-nist-level: 1 -length-public-key: 32 -length-secret-key: 64 -length-signature: 16976 -testvectors-sha256: a86f82106578f5bb8ea54caa913dbe2b0ca13294432e06c615e0cc2f3fba66ac -nistkat-sha256: 22afe9a2b538742f99fbf02293024de6424726eebddb3cac456534055689a4c3 -principal-submitters: - - Andreas Hülsing -auxiliary-submitters: - - Jean-Philippe Aumasson - - Daniel J. Bernstein, - - Christoph Dobraunig - - Maria Eichlseder - - Scott Fluhrer - - Stefan-Lukas Gazdag - - Panos Kampanakis - - Stefan Kölbl - - Tanja Lange - - Martin M. Lauridsen - - Florian Mendel - - Ruben Niederhagen - - Christian Rechberger - - Joost Rijneveld - - Peter Schwabe -implementations: - - name: clean - version: https://github.com/sphincs/sphincsplus/commit/77755c94d0bc744478044d6efbb888dc13156441 - - name: aesni - version: https://github.com/sphincs/sphincsplus/commit/77755c94d0bc744478044d6efbb888dc13156441 - supported_platforms: - - architecture: x86_64 - required_flags: - - aes diff --git a/crypto_sign/sphincs-haraka-128f-robust/aesni/LICENSE b/crypto_sign/sphincs-haraka-128f-robust/aesni/LICENSE deleted file mode 100644 index 670154e3..00000000 --- a/crypto_sign/sphincs-haraka-128f-robust/aesni/LICENSE +++ /dev/null 
@@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. 
publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. 
Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. 
Affirmer offers the Work as-is and makes no representations or warranties - of any kind concerning the Work, express, implied, statutory or otherwise, - including without limitation warranties of title, merchantability, fitness - for a particular purpose, non infringement, or the absence of latent or - other defects, accuracy, or the present or absence of errors, whether or not - discoverable, all to the greatest extent permissible under applicable law. - - c. Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without limitation - any person's Copyright and Related Rights in the Work. Further, Affirmer - disclaims responsibility for obtaining any necessary consents, permissions - or other rights required for any use of the Work. - - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to this - CC0 or use of the Work. - -For more information, please see - diff --git a/crypto_sign/sphincs-haraka-128f-robust/aesni/Makefile.Microsoft_nmake b/crypto_sign/sphincs-haraka-128f-robust/aesni/Makefile.Microsoft_nmake deleted file mode 100644 index 7b399d06..00000000 --- a/crypto_sign/sphincs-haraka-128f-robust/aesni/Makefile.Microsoft_nmake +++ /dev/null 
@@ -1,23 +0,0 @@ -# This Makefile can be used with Microsoft Visual Studio's nmake using the command: -# nmake /f Makefile.Microsoft_nmake - -LIBRARY=libsphincs-haraka-128f-robust_aesni.lib -OBJECTS=address.obj wots.obj utils.obj utilsx4.obj fors.obj sign.obj hash_haraka.obj thash_haraka_robust.obj hash_harakax4.obj thash_haraka_robustx4.obj haraka.obj - -# We ignore warning C4127: in thash_haraka_*x4.c we use a conditional -# that when the macro is generated for inblocks = 1 results in a case -# with `if (1 == 1)`. The compiler should just optimise this away, but -# on MSVC we get a compiler complaint. -CFLAGS=/nologo /arch:AVX /O2 /I ..\..\..\common /W4 /WX /wd4127 - -all: $(LIBRARY) - -# Make sure objects are recompiled if headers change. -$(OBJECTS): *.h - -$(LIBRARY): $(OBJECTS) - LIB.EXE /NOLOGO /WX /OUT:$@ $** - -clean: - -DEL $(OBJECTS) - -DEL $(LIBRARY) diff --git a/crypto_sign/sphincs-haraka-128f-robust/aesni/address.c b/crypto_sign/sphincs-haraka-128f-robust/aesni/address.c deleted file mode 100644 index acaca75e..00000000 --- a/crypto_sign/sphincs-haraka-128f-robust/aesni/address.c +++ /dev/null 
@@ -1,78 +0,0 @@ -#include - -#include "address.h" -#include "params.h" -#include "utils.h" - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_addr_to_bytes( - unsigned char *bytes, const uint32_t addr[8]) { - int i; - - for (i = 0; i < 8; i++) { - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ull_to_bytes( - bytes + i * 4, 4, addr[i]); - } -} - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_layer_addr( - uint32_t addr[8], uint32_t layer) { - addr[0] = layer; -} - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_tree_addr( - uint32_t addr[8], uint64_t tree) { - addr[1] = 0; - addr[2] = (uint32_t) (tree >> 32); - addr[3] = (uint32_t) tree; -} - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_type( - uint32_t addr[8], uint32_t type) { - addr[4] = type; -} - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_copy_subtree_addr( - uint32_t out[8], const uint32_t in[8]) { - out[0] = in[0]; - out[1] = in[1]; - out[2] = in[2]; - out[3] = in[3]; -} - -/* These functions are used for OTS addresses. */ - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_keypair_addr( - uint32_t addr[8], uint32_t keypair) { - addr[5] = keypair; -} - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_copy_keypair_addr( - uint32_t out[8], const uint32_t in[8]) { - out[0] = in[0]; - out[1] = in[1]; - out[2] = in[2]; - out[3] = in[3]; - out[5] = in[5]; -} - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_chain_addr( - uint32_t addr[8], uint32_t chain) { - addr[6] = chain; -} - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_hash_addr( - uint32_t addr[8], uint32_t hash) { - addr[7] = hash; -} - -/* These functions are used for all hash tree addresses (including FORS). */ - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_tree_height( - uint32_t addr[8], uint32_t tree_height) { - addr[6] = tree_height; -} - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_tree_index( - uint32_t addr[8], uint32_t tree_index) { - addr[7] = tree_index; -} 
diff --git a/crypto_sign/sphincs-haraka-128f-robust/aesni/address.h b/crypto_sign/sphincs-haraka-128f-robust/aesni/address.h deleted file mode 100644 index 8003a25e..00000000 --- a/crypto_sign/sphincs-haraka-128f-robust/aesni/address.h +++ /dev/null 
@@ -1,50 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDRESS_H -#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDRESS_H - -#include - -#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_TYPE_WOTS 0 -#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_TYPE_WOTSPK 1 -#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_TYPE_HASHTREE 2 -#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_TYPE_FORSTREE 3 -#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_TYPE_FORSPK 4 - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_addr_to_bytes( - unsigned char *bytes, const uint32_t addr[8]); - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_layer_addr( - uint32_t addr[8], uint32_t layer); - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_tree_addr( - uint32_t addr[8], uint64_t tree); - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_type( - uint32_t addr[8], uint32_t type); - -/* Copies the layer and tree part of one address into the other */ -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_copy_subtree_addr( - uint32_t out[8], const uint32_t in[8]); - -/* These functions are used for WOTS and FORS addresses. */ - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_keypair_addr( - uint32_t addr[8], uint32_t keypair); - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_chain_addr( - uint32_t addr[8], uint32_t chain); - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_hash_addr( - uint32_t addr[8], uint32_t hash); - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_copy_keypair_addr( - uint32_t out[8], const uint32_t in[8]); - -/* These functions are used for all hash tree addresses (including FORS). */ - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_tree_height( - uint32_t addr[8], uint32_t tree_height); - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_tree_index( - uint32_t addr[8], uint32_t tree_index); - -#endif diff --git a/crypto_sign/sphincs-haraka-128f-robust/aesni/api.h b/crypto_sign/sphincs-haraka-128f-robust/aesni/api.h deleted file mode 100644 index 1ec301eb..00000000 
--- a/crypto_sign/sphincs-haraka-128f-robust/aesni/api.h +++ /dev/null 
@@ -1,81 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_API_H -#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_API_H - -#include -#include - - - -#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_CRYPTO_ALGNAME "SPHINCS+" - -#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_CRYPTO_SECRETKEYBYTES 64 -#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_CRYPTO_PUBLICKEYBYTES 32 -#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_CRYPTO_BYTES 16976 -#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_CRYPTO_SEEDBYTES 48 - - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_crypto_sign_secretkeybytes(void); - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_crypto_sign_publickeybytes(void); - -/* - * Returns the length of a signature, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_crypto_sign_bytes(void); - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_crypto_sign_seedbytes(void); - -/* - * Generates a SPHINCS+ key pair given a seed. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -int PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_crypto_sign_seed_keypair( - uint8_t *pk, uint8_t *sk, const uint8_t *seed); - -/* - * Generates a SPHINCS+ key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -int PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk); - -/** - * Returns an array containing a detached signature. - */ -int PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -/** - * Verifies a detached signature and message under a given public key. 
- */ -int PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk); - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -/** - * Verifies a given signature-message pair under a given public key. - */ -int PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk); - -#endif diff --git a/crypto_sign/sphincs-haraka-128f-robust/aesni/fors.c b/crypto_sign/sphincs-haraka-128f-robust/aesni/fors.c deleted file mode 100644 index 032b0f5f..00000000 --- a/crypto_sign/sphincs-haraka-128f-robust/aesni/fors.c +++ /dev/null 
@@ -1,206 +0,0 @@
-#include
-#include
-#include
-
-#include "address.h"
-#include "fors.h"
-#include "hash.h"
-#include "hashx4.h"
-#include "thash.h"
-#include "thashx4.h"
-#include "utils.h"
-#include "utilsx4.h"
-
-static void fors_gen_skx4(unsigned char *sk0,
- unsigned char *sk1,
- unsigned char *sk2,
- unsigned char *sk3, const unsigned char *sk_seed,
- uint32_t fors_leaf_addrx4[4 * 8],
- const hash_state *state_seeded) {
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_prf_addrx4(sk0, sk1, sk2, sk3, sk_seed, fors_leaf_addrx4, state_seeded);
-}
-
-static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk,
- const unsigned char *pub_seed,
- uint32_t fors_leaf_addr[8], const hash_state *state_seeded) {
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_thash_1(leaf, sk, pub_seed, fors_leaf_addr, state_seeded);
-}
-
-static void fors_sk_to_leafx4(unsigned char *leaf0,
- unsigned char *leaf1,
- unsigned char *leaf2,
- unsigned char *leaf3,
- const unsigned char *sk0,
- const unsigned char *sk1,
- const unsigned char *sk2,
- const unsigned char *sk3,
- const unsigned char *pub_seed,
- uint32_t fors_leaf_addrx4[4 * 8],
- const hash_state *state_seeded) {
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_thashx4_1(leaf0, leaf1, leaf2, leaf3,
- sk0, sk1, sk2, sk3, pub_seed, fors_leaf_addrx4, state_seeded);
-}
-
-static void fors_gen_leafx4(unsigned char *leaf0,
- unsigned char *leaf1,
- unsigned char *leaf2,
- unsigned char *leaf3,
- const unsigned char *sk_seed,
- const unsigned char *pub_seed,
- uint32_t addr_idx0,
- uint32_t addr_idx1,
- uint32_t addr_idx2,
- uint32_t addr_idx3,
- const uint32_t fors_tree_addr[8],
- const hash_state *state_seeded) {
- uint32_t fors_leaf_addrx4[4 * 8] = {0};
- unsigned int j;
-
- /* Only copy the parts that must be kept in fors_leaf_addrx4. */
- for (j = 0; j < 4; j++) {
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_copy_keypair_addr(fors_leaf_addrx4 + j * 8, fors_tree_addr);
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_type(fors_leaf_addrx4 + j * 8, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_TYPE_FORSTREE);
- }
-
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_tree_index(fors_leaf_addrx4 + 0 * 8, addr_idx0);
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_tree_index(fors_leaf_addrx4 + 1 * 8, addr_idx1);
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_tree_index(fors_leaf_addrx4 + 2 * 8, addr_idx2);
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_tree_index(fors_leaf_addrx4 + 3 * 8, addr_idx3);
-
- fors_gen_skx4(leaf0, leaf1, leaf2, leaf3, sk_seed, fors_leaf_addrx4, state_seeded);
- fors_sk_to_leafx4(leaf0, leaf1, leaf2, leaf3,
- leaf0, leaf1, leaf2, leaf3, pub_seed, fors_leaf_addrx4, state_seeded);
-}
-
-/**
- * Interprets m as PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_HEIGHT-bit unsigned integers.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_TREES bits.
- * Assumes indices has space for PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_TREES integers.
- */
-static void message_to_indices(uint32_t *indices, const unsigned char *m) {
- unsigned int i, j;
- unsigned int offset = 0;
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_TREES; i++) {
- indices[i] = 0;
- for (j = 0; j < PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_HEIGHT; j++) {
- indices[i] ^= (((uint32_t)m[offset >> 3] >> (offset & 0x7)) & 0x1) << j;
- offset++;
- }
- }
-}
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_fors_sign(unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- const uint32_t fors_addr[8], const hash_state *state_seeded) {
- /* Round up to multiple of 4 to prevent out-of-bounds for x4 parallelism */
- uint32_t indices[(PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_TREES + 3) & ~3] = {0};
- unsigned char roots[((PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_TREES + 3) & ~3) * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N];
- /* Sign to a buffer, since we may not have a nice multiple of 4 and would
- otherwise overrun the signature. */
- unsigned char sigbufx4[4 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N * (1 + PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_HEIGHT)];
- uint32_t fors_tree_addrx4[4 * 8] = {0};
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset[4] = {0};
- unsigned int i, j;
-
- for (j = 0; j < 4; j++) {
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_copy_keypair_addr(fors_tree_addrx4 + j * 8, fors_addr);
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_type(fors_tree_addrx4 + j * 8, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_TYPE_FORSTREE);
- }
-
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_copy_keypair_addr(fors_pk_addr, fors_addr);
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < ((PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_TREES + 3) & ~0x3); i += 4) {
- for (j = 0; j < 4; j++) {
- if (i + j < PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_TREES) {
- idx_offset[j] = (i + j) * (1 << PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_HEIGHT);
-
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_tree_height(fors_tree_addrx4 + j * 8, 0);
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_tree_index(fors_tree_addrx4 + j * 8,
- indices[i + j] + idx_offset[j]);
- }
- }
-
- /* Include the secret key part that produces the selected leaf nodes. */
- fors_gen_skx4(sigbufx4 + 0 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N,
- sigbufx4 + 1 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N,
- sigbufx4 + 2 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N,
- sigbufx4 + 3 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N,
- sk_seed, fors_tree_addrx4, state_seeded);
-
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_treehashx4_FORS_HEIGHT(roots + i * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, sigbufx4 + 4 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, sk_seed, pub_seed,
- &indices[i], idx_offset, fors_gen_leafx4, fors_tree_addrx4,
- state_seeded);
-
- for (j = 0; j < 4; j++) {
- if (i + j < PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_TREES) {
- memcpy(sig, sigbufx4 + j * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N);
- memcpy(sig + PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N,
- sigbufx4 + 4 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N + j * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_HEIGHT,
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_HEIGHT);
- sig += PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N * (1 + PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_HEIGHT);
- }
- }
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, state_seeded);
-}
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_fors_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const unsigned char *pub_seed,
- const uint32_t fors_addr[8],
- const hash_state *state_seeded) {
- uint32_t indices[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_TREES];
- unsigned char roots[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N];
- unsigned char leaf[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N];
- uint32_t fors_tree_addr[8] = {0};
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset;
- unsigned int i;
-
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_copy_keypair_addr(fors_tree_addr, fors_addr);
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_copy_keypair_addr(fors_pk_addr, fors_addr);
-
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_type(fors_tree_addr, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_TYPE_FORSTREE);
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_TREES; i++) {
- idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_HEIGHT);
-
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_tree_height(fors_tree_addr, 0);
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_tree_index(fors_tree_addr, indices[i] + idx_offset);
-
- /* Derive the leaf from the included secret key part. */
- fors_sk_to_leaf(leaf, sig, pub_seed, fors_tree_addr, state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N;
-
- /* Derive the corresponding root node of this tree. */
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_compute_root(roots + i * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, leaf, indices[i], idx_offset,
- sig, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_HEIGHT, pub_seed, fors_tree_addr,
- state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, state_seeded);
-}
diff --git a/crypto_sign/sphincs-haraka-128f-robust/aesni/fors.h b/crypto_sign/sphincs-haraka-128f-robust/aesni/fors.h
deleted file mode 100644
index 00cd71bc..00000000
--- a/crypto_sign/sphincs-haraka-128f-robust/aesni/fors.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_H
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_H
-
-#include
-
-#include "hash_state.h"
-#include "params.h"
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_fors_sign(
- unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- const uint32_t fors_addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_fors_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const unsigned char *pub_seed, const uint32_t fors_addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-robust/aesni/haraka.c b/crypto_sign/sphincs-haraka-128f-robust/aesni/haraka.c
deleted file mode 100644
index c2ab26b3..00000000
--- a/crypto_sign/sphincs-haraka-128f-robust/aesni/haraka.c
+++ /dev/null
@@ -1,801 +0,0 @@
-/*
-Plain C implementation of the Haraka256 and Haraka512 permutations.
-*/
-#include
-#include
-#include
-#include
-#include
-
-#include "haraka.h"
-
-#define HARAKAS_RATE 32
-
-#define u64 uint64_t
-#define u128 __m128i
-
-#define LOAD(src) _mm_loadu_si128((u128 *)(src))
-#define STORE(dest,src) _mm_storeu_si128((u128 *)(dest),src)
-
-#define XOR128(a, b) _mm_xor_si128(a, b)
-
-#define AES2(s0, s1, rci) \
- (s0) = _mm_aesenc_si128(s0, *(rci)); \
- (s1) = _mm_aesenc_si128(s1, *((rci) + 1)); \
- (s0) = _mm_aesenc_si128(s0, *((rci) + 2)); \
- (s1) = _mm_aesenc_si128(s1, *((rci) + 3));
-
-#define AES2_4x(s0, s1, s2, s3, rci) \
- AES2((s0)[0], (s0)[1], rci); \
- AES2((s1)[0], (s1)[1], rci); \
- AES2((s2)[0], (s2)[1], rci); \
- AES2((s3)[0], (s3)[1], rci);
-
-#define AES4(s0, s1, s2, s3, rci) \
- (s0) = _mm_aesenc_si128(s0, *(rci)); \
- (s1) = _mm_aesenc_si128(s1, *((rci) + 1)); \
- (s2) = _mm_aesenc_si128(s2, *((rci) + 2)); \
- (s3) = _mm_aesenc_si128(s3, *((rci) + 3)); \
- (s0) = _mm_aesenc_si128(s0, *((rci) + 4)); \
- (s1) = _mm_aesenc_si128(s1, *((rci) + 5)); \
- (s2) = _mm_aesenc_si128(s2, *((rci) + 6)); \
- (s3) = _mm_aesenc_si128(s3, *((rci) + 7));
-
-#define AES4_4x(s0, s1, s2, s3, rci) \
- AES4((s0)[0], (s0)[1], (s0)[2], (s0)[3], rci); \
- AES4((s1)[0], (s1)[1], (s1)[2], (s1)[3], rci); \
- AES4((s2)[0], (s2)[1], (s2)[2], (s2)[3], rci); \
- AES4((s3)[0], (s3)[1], (s3)[2], (s3)[3], rci);
-
-#define MIX2(s0, s1) \
- tmp = _mm_unpacklo_epi32(s0, s1); \
- (s1) = _mm_unpackhi_epi32(s0, s1); \
- (s0) = tmp;
-
-#define MIX4(s0, s1, s2, s3) \
- tmp = _mm_unpacklo_epi32(s0, s1); \
- (s0) = _mm_unpackhi_epi32(s0, s1); \
- (s1) = _mm_unpacklo_epi32(s2, s3); \
- (s2) = _mm_unpackhi_epi32(s2, s3); \
- (s3) = _mm_unpacklo_epi32(s0, s2); \
- (s0) = _mm_unpackhi_epi32(s0, s2); \
- (s2) = _mm_unpackhi_epi32(s1, tmp); \
- (s1) = _mm_unpacklo_epi32(s1, tmp);
-
-#define TRUNCSTORE(out, s0, s1, s2, s3) \
- _mm_storeu_si128((u128 *)(out), \
- _mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(s0), _mm_castsi128_pd(s1), 3))); \
- _mm_storeu_si128((u128 *)((out) + 16), \
- _mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(s2), _mm_castsi128_pd(s3), 0)));
-
-static void load_haraka_constants(u128 rc[40]) {
- rc[ 0] = _mm_set_epi32((int)0x0684704c, (int)0xe620c00a, (int)0xb2c5fef0, (int)0x75817b9d);
- rc[ 1] = _mm_set_epi32((int)0x8b66b4e1, (int)0x88f3a06b, (int)0x640f6ba4, (int)0x2f08f717);
- rc[ 2] = _mm_set_epi32((int)0x3402de2d, (int)0x53f28498, (int)0xcf029d60, (int)0x9f029114);
- rc[ 3] = _mm_set_epi32((int)0x0ed6eae6, (int)0x2e7b4f08, (int)0xbbf3bcaf, (int)0xfd5b4f79);
- rc[ 4] = _mm_set_epi32((int)0xcbcfb0cb, (int)0x4872448b, (int)0x79eecd1c, (int)0xbe397044);
- rc[ 5] = _mm_set_epi32((int)0x7eeacdee, (int)0x6e9032b7, (int)0x8d5335ed, (int)0x2b8a057b);
- rc[ 6] = _mm_set_epi32((int)0x67c28f43, (int)0x5e2e7cd0, (int)0xe2412761, (int)0xda4fef1b);
- rc[ 7] = _mm_set_epi32((int)0x2924d9b0, (int)0xafcacc07, (int)0x675ffde2, (int)0x1fc70b3b);
- rc[ 8] = _mm_set_epi32((int)0xab4d63f1, (int)0xe6867fe9, (int)0xecdb8fca, (int)0xb9d465ee);
- rc[ 9] = _mm_set_epi32((int)0x1c30bf84, (int)0xd4b7cd64, (int)0x5b2a404f, (int)0xad037e33);
- rc[10] = _mm_set_epi32((int)0xb2cc0bb9, (int)0x941723bf, (int)0x69028b2e, (int)0x8df69800);
- rc[11] = _mm_set_epi32((int)0xfa0478a6, (int)0xde6f5572, (int)0x4aaa9ec8, (int)0x5c9d2d8a);
- rc[12] = _mm_set_epi32((int)0xdfb49f2b, (int)0x6b772a12, (int)0x0efa4f2e, (int)0x29129fd4);
- rc[13] = _mm_set_epi32((int)0x1ea10344, (int)0xf449a236, (int)0x32d611ae, (int)0xbb6a12ee);
- rc[14] = _mm_set_epi32((int)0xaf044988, (int)0x4b050084, (int)0x5f9600c9, (int)0x9ca8eca6);
- rc[15] = _mm_set_epi32((int)0x21025ed8, (int)0x9d199c4f, (int)0x78a2c7e3, (int)0x27e593ec);
- rc[16] = _mm_set_epi32((int)0xbf3aaaf8, (int)0xa759c9b7, (int)0xb9282ecd, (int)0x82d40173);
- rc[17] = _mm_set_epi32((int)0x6260700d, (int)0x6186b017, (int)0x37f2efd9, (int)0x10307d6b);
- rc[18] = _mm_set_epi32((int)0x5aca45c2, (int)0x21300443, (int)0x81c29153, (int)0xf6fc9ac6);
- rc[19] = _mm_set_epi32((int)0x9223973c, (int)0x226b68bb, (int)0x2caf92e8, (int)0x36d1943a);
- rc[20] = _mm_set_epi32((int)0xd3bf9238, (int)0x225886eb, (int)0x6cbab958, (int)0xe51071b4);
- rc[21] = _mm_set_epi32((int)0xdb863ce5, (int)0xaef0c677, (int)0x933dfddd, (int)0x24e1128d);
- rc[22] = _mm_set_epi32((int)0xbb606268, (int)0xffeba09c, (int)0x83e48de3, (int)0xcb2212b1);
- rc[23] = _mm_set_epi32((int)0x734bd3dc, (int)0xe2e4d19c, (int)0x2db91a4e, (int)0xc72bf77d);
- rc[24] = _mm_set_epi32((int)0x43bb47c3, (int)0x61301b43, (int)0x4b1415c4, (int)0x2cb3924e);
- rc[25] = _mm_set_epi32((int)0xdba775a8, (int)0xe707eff6, (int)0x03b231dd, (int)0x16eb6899);
- rc[26] = _mm_set_epi32((int)0x6df3614b, (int)0x3c755977, (int)0x8e5e2302, (int)0x7eca472c);
- rc[27] = _mm_set_epi32((int)0xcda75a17, (int)0xd6de7d77, (int)0x6d1be5b9, (int)0xb88617f9);
- rc[28] = _mm_set_epi32((int)0xec6b43f0, (int)0x6ba8e9aa, (int)0x9d6c069d, (int)0xa946ee5d);
- rc[29] = _mm_set_epi32((int)0xcb1e6950, (int)0xf957332b, (int)0xa2531159, (int)0x3bf327c1);
- rc[30] = _mm_set_epi32((int)0x2cee0c75, (int)0x00da619c, (int)0xe4ed0353, (int)0x600ed0d9);
- rc[31] = _mm_set_epi32((int)0xf0b1a5a1, (int)0x96e90cab, (int)0x80bbbabc, (int)0x63a4a350);
- rc[32] = _mm_set_epi32((int)0xae3db102, (int)0x5e962988, (int)0xab0dde30, (int)0x938dca39);
- rc[33] = _mm_set_epi32((int)0x17bb8f38, (int)0xd554a40b, (int)0x8814f3a8, (int)0x2e75b442);
- rc[34] = _mm_set_epi32((int)0x34bb8a5b, (int)0x5f427fd7, (int)0xaeb6b779, (int)0x360a16f6);
- rc[35] = _mm_set_epi32((int)0x26f65241, (int)0xcbe55438, (int)0x43ce5918, (int)0xffbaafde);
- rc[36] = _mm_set_epi32((int)0x4ce99a54, (int)0xb9f3026a, (int)0xa2ca9cf7, (int)0x839ec978);
- rc[37] = _mm_set_epi32((int)0xae51a51a, (int)0x1bdff7be, (int)0x40c06e28, (int)0x22901235);
- rc[38] = _mm_set_epi32((int)0xa0c1613c, (int)0xba7ed22b, (int)0xc173bc0f, (int)0x48a659cf);
- rc[39] = _mm_set_epi32((int)0x756acc03, (int)0x02288288, (int)0x4ad6bdfd, (int)0xe9c59da1);
-}
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length) {
- int i;
- unsigned char buf[40 * 16];
-
- /* Use the standard constants to generate tweaked ones. */
- load_haraka_constants(state->rc);
-
- /* Constants for sk.seed */
- if (sk_seed != NULL) {
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_S(buf, 40 * 16, sk_seed, seed_length, state);
- /* Tweak constants with the pub_seed */
- for (i = 0; i < 40; i++) {
- state->rc_sseed[i] = LOAD(buf + i * 16);
- }
- }
-
- /* Constants for pk.seed */
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_S(buf, 40 * 16, pk_seed, seed_length, state);
-
- /* Tweak constants with the pub_seed */
- for (i = 0; i < 40; i++) {
- state->rc[i] = LOAD(buf + i * 16);
- }
-}
-
-static void haraka_S_absorb(unsigned char *s,
- const unsigned char *m, unsigned long long mlen,
- unsigned char p,
- const harakactx *state) {
- unsigned long long i;
- unsigned char t[HARAKAS_RATE];
-
- while (mlen >= HARAKAS_RATE) {
- // XOR block to state
- STORE(s, XOR128(LOAD(s), LOAD(m)));
- STORE(s + 16, XOR128(LOAD(s + 16), LOAD(m + 16)));
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka512_perm(s, s, state);
- mlen -= HARAKAS_RATE;
- m += HARAKAS_RATE;
- }
-
- for (i = 0; i < HARAKAS_RATE; ++i) {
- t[i] = 0;
- }
- for (i = 0; i < mlen; ++i) {
- t[i] = m[i];
- }
- t[i] = p;
- t[HARAKAS_RATE - 1] |= 128;
- STORE(s, XOR128(LOAD(s), LOAD(t)));
- STORE(s + 16, XOR128(LOAD(s + 16), LOAD(t + 16)));
-}
-
-static void haraka_S_absorb4x(unsigned char *s,
- const unsigned char *m0,
- const unsigned char *m1,
- const unsigned char *m2,
- const unsigned char *m3,
- unsigned long long int mlen,
- unsigned char p,
- const harakactx *state) {
- unsigned long long i;
- unsigned char t0[HARAKAS_RATE];
- unsigned char t1[HARAKAS_RATE];
- unsigned char t2[HARAKAS_RATE];
- unsigned char t3[HARAKAS_RATE];
-
- while (mlen >= HARAKAS_RATE) {
- // XOR block to state
- STORE(s, XOR128(LOAD(s), LOAD(m0)));
- STORE(s + 16, XOR128(LOAD(s + 16), LOAD(m0 + 16)));
- STORE(s + 64, XOR128(LOAD(s + 64), LOAD(m1)));
- STORE(s + 80, XOR128(LOAD(s + 80), LOAD(m1 + 16)));
- STORE(s + 128, XOR128(LOAD(s + 128), LOAD(m2)));
- STORE(s + 144, XOR128(LOAD(s + 144), LOAD(m2 + 16)));
- STORE(s + 192, XOR128(LOAD(s + 192), LOAD(m3)));
- STORE(s + 208, XOR128(LOAD(s + 208), LOAD(m3 + 16)));
-
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka512_perm_x4(s, s, state);
- mlen -= HARAKAS_RATE;
- m0 += HARAKAS_RATE;
- m1 += HARAKAS_RATE;
- m2 += HARAKAS_RATE;
- m3 += HARAKAS_RATE;
- }
-
- for (i = 0; i < HARAKAS_RATE; ++i) {
- t0[i] = 0;
- t1[i] = 0;
- t2[i] = 0;
- t3[i] = 0;
- }
- for (i = 0; i < mlen; ++i) {
- t0[i] = m0[i];
- t1[i] = m1[i];
- t2[i] = m2[i];
- t3[i] = m3[i];
- }
-
- t0[i] = p;
- t1[i] = p;
- t2[i] = p;
- t3[i] = p;
-
- t0[HARAKAS_RATE - 1] |= 128;
- t1[HARAKAS_RATE - 1] |= 128;
- t2[HARAKAS_RATE - 1] |= 128;
- t3[HARAKAS_RATE - 1] |= 128;
-
- STORE(s, XOR128(LOAD(s), LOAD(t0)));
- STORE(s + 16, XOR128(LOAD(s + 16), LOAD(t0 + 16)));
- STORE(s + 64, XOR128(LOAD(s + 64), LOAD(t1)));
- STORE(s + 80, XOR128(LOAD(s + 80), LOAD(t1 + 16)));
- STORE(s + 128, XOR128(LOAD(s + 128), LOAD(t2)));
- STORE(s + 144, XOR128(LOAD(s + 144), LOAD(t2 + 16)));
- STORE(s + 192, XOR128(LOAD(s + 192), LOAD(t3)));
- STORE(s + 208, XOR128(LOAD(s + 208), LOAD(t3 + 16)));
-}
-
-static void haraka_S_squeezeblocks(unsigned char *h, unsigned long long nblocks,
- unsigned char *s, unsigned int r, const harakactx *state) {
- while (nblocks > 0) {
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka512_perm(s, s, state);
- STORE(h, LOAD(s));
- STORE(h + 16, LOAD(s + 16));
- h += r;
- nblocks--;
- }
-}
-
-static void haraka_S_squeezeblocks4x(unsigned char *h0,
- unsigned char *h1,
- unsigned char *h2,
- unsigned char *h3,
- unsigned long long nblocks,
- unsigned char *s,
- unsigned int r,
- const harakactx *state) {
- while (nblocks > 0) {
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka512_perm_x4(s, s, state);
- STORE(h0, LOAD(s));
- STORE(h0 + 16, LOAD(s + 16));
- STORE(h1, LOAD(s + 64));
- STORE(h1 + 16, LOAD(s + 80));
- STORE(h2, LOAD(s + 128));
- STORE(h2 + 16, LOAD(s + 144));
- STORE(h3, LOAD(s + 192));
- STORE(h3 + 16, LOAD(s + 208));
- h0 += r;
- h1 += r;
- h2 += r;
- h3 += r;
- nblocks--;
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_S_inc_init(uint8_t *s_inc) {
- size_t i;
-
- for (i = 0; i < 64; i++) {
- s_inc[i] = 0;
- }
- s_inc[64] = 0;
-}
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state) {
- size_t i;
-
- /* Recall that s_inc[64] is the non-absorbed bytes xored into the state */
- while (mlen + s_inc[64] >= HARAKAS_RATE) {
- for (i = 0; i < (size_t)(HARAKAS_RATE - s_inc[64]); i++) {
- /* Take the i'th byte from message
- xor with the s_inc[64] + i'th byte of the state */
- s_inc[s_inc[64] + i] ^= m[i];
- }
- mlen -= (size_t)(HARAKAS_RATE - s_inc[64]);
- m += HARAKAS_RATE - s_inc[64];
- s_inc[64] = 0;
-
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka512_perm(s_inc, s_inc, state);
- }
-
- for (i = 0; i < mlen; i++) {
- s_inc[s_inc[64] + i] ^= m[i];
- }
- s_inc[64] = (uint8_t)(s_inc[64] + mlen);
-}
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_S_inc_finalize(uint8_t *s_inc) {
- /* After haraka_S_inc_absorb, we are guaranteed that s_inc[64] < HARAKAS_RATE,
- so we can always use one more byte for p in the current state. */
- s_inc[s_inc[64]] ^= 0x1F;
- s_inc[HARAKAS_RATE - 1] ^= 128;
- s_inc[64] = 0;
-}
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state) {
- size_t i;
-
- /* First consume any bytes we still have sitting around */
- for (i = 0; i < outlen && i < s_inc[64]; i++) {
- /* There are s_inc[64] bytes left, so r - s_inc[64] is the first
- available byte. We consume from there, i.e., up to r. */
- out[i] = (uint8_t)s_inc[(HARAKAS_RATE - s_inc[64] + (uint8_t)i)];
- }
- out += i;
- outlen -= i;
- s_inc[64] = (uint8_t)(s_inc[64] - i);
-
- /* Then squeeze the remaining necessary blocks */
- while (outlen > 0) {
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka512_perm(s_inc, s_inc, state);
-
- for (i = 0; i < outlen && i < HARAKAS_RATE; i++) {
- out[i] = s_inc[i];
- }
- out += i;
- outlen -= i;
- s_inc[64] = (uint8_t)(HARAKAS_RATE - i);
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_S(unsigned char *out, unsigned long long outlen,
- const unsigned char *in, unsigned long long inlen, const harakactx *state) {
- unsigned long long i;
- unsigned char s[64];
- unsigned char d[32];
-
- for (i = 0; i < 64; i++) {
- s[i] = 0;
- }
- haraka_S_absorb(s, in, inlen, 0x1F, state);
-
- haraka_S_squeezeblocks(out, outlen / HARAKAS_RATE, s, HARAKAS_RATE, state);
- out += (outlen / HARAKAS_RATE) * HARAKAS_RATE;
-
- if (outlen % HARAKAS_RATE) {
- haraka_S_squeezeblocks(d, 1, s, HARAKAS_RATE, state);
- for (i = 0; i < outlen % HARAKAS_RATE; i++) {
- out[i] = d[i];
- }
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_Sx4(unsigned char *out0,
- unsigned char *out1,
- unsigned char *out2,
- unsigned char *out3,
- unsigned long long outlen,
- const unsigned char *in0,
- const unsigned char *in1,
- const unsigned char *in2,
- const unsigned char *in3,
- unsigned long long inlen,
- const harakactx *state) {
- unsigned long long i;
- unsigned char s[64 * 4];
- unsigned char d0[32];
- unsigned char d1[32];
- unsigned char d2[32];
- unsigned char d3[32];
-
- for (i = 0; i < 64 * 4; i++) {
- s[i] = 0;
- }
- haraka_S_absorb4x(s, in0, in1, in2, in3, inlen, 0x1F, state);
-
- haraka_S_squeezeblocks4x(out0, out1, out2, out3, outlen / HARAKAS_RATE, s, HARAKAS_RATE, state);
- out0 += (outlen / HARAKAS_RATE) * HARAKAS_RATE;
- out1 += (outlen / HARAKAS_RATE) * HARAKAS_RATE;
- out2 += (outlen / HARAKAS_RATE) * HARAKAS_RATE;
- out3 += (outlen / HARAKAS_RATE) * HARAKAS_RATE;
-
- if (outlen % HARAKAS_RATE) {
- haraka_S_squeezeblocks4x(d0, d1, d2, d3, 1, s, HARAKAS_RATE, state);
- for (i = 0; i < outlen % HARAKAS_RATE; i++) {
- out0[i] = d0[i];
- out1[i] = d1[i];
- out2[i] = d2[i];
- out3[i] = d3[i];
- }
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state) {
- u128 s[4], tmp;
-
- s[0] = LOAD(in);
- s[1] = LOAD(in + 16);
- s[2] = LOAD(in + 32);
- s[3] = LOAD(in + 48);
-
- AES4(s[0], s[1], s[2], s[3], state->rc);
- MIX4(s[0], s[1], s[2], s[3]);
-
- AES4(s[0], s[1], s[2], s[3], state->rc + 8);
- MIX4(s[0], s[1], s[2], s[3]);
-
- AES4(s[0], s[1], s[2], s[3], state->rc + 16);
- MIX4(s[0], s[1], s[2], s[3]);
-
- AES4(s[0], s[1], s[2], s[3], state->rc + 24);
- MIX4(s[0], s[1], s[2], s[3]);
-
- AES4(s[0], s[1], s[2], s[3], state->rc + 32);
- MIX4(s[0], s[1], s[2], s[3]);
-
- STORE(out, s[0]);
- STORE(out + 16, s[1]);
- STORE(out + 32, s[2]);
- STORE(out + 48, s[3]);
-}
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka512_perm_x4(unsigned char *out, const unsigned char *in, const harakactx *state) {
- u128 s[4][4], tmp;
-
- s[0][0] = LOAD(in);
- s[0][1] = LOAD(in + 16);
- s[0][2] = LOAD(in + 32);
- s[0][3] = LOAD(in + 48);
- s[1][0] = LOAD(in + 64);
- s[1][1] = LOAD(in + 80);
- s[1][2] = LOAD(in + 96);
- s[1][3] = LOAD(in + 112);
- s[2][0] = LOAD(in + 128);
- s[2][1] = LOAD(in + 144);
- s[2][2] = LOAD(in + 160);
- s[2][3] = LOAD(in + 176);
- s[3][0] = LOAD(in + 192);
- s[3][1] = LOAD(in + 208);
- s[3][2] = LOAD(in + 224);
- s[3][3] = LOAD(in + 240);
-
- AES4_4x(s[0], s[1], s[2], s[3], state->rc);
- MIX4(s[0][0], s[0][1], s[0][2], s[0][3]);
- MIX4(s[1][0], s[1][1], s[1][2], s[1][3]);
- MIX4(s[2][0], s[2][1], s[2][2], s[2][3]);
- MIX4(s[3][0], s[3][1], s[3][2], s[3][3]);
-
- AES4_4x(s[0], s[1], s[2], s[3], state->rc + 8);
- MIX4(s[0][0], s[0][1], s[0][2], s[0][3]);
- MIX4(s[1][0], s[1][1], s[1][2], s[1][3]);
- MIX4(s[2][0], s[2][1], s[2][2], s[2][3]);
- MIX4(s[3][0], s[3][1], s[3][2], s[3][3]);
-
- AES4_4x(s[0], s[1], s[2], s[3], state->rc + 16);
- MIX4(s[0][0], s[0][1], s[0][2], s[0][3]);
- MIX4(s[1][0], s[1][1], s[1][2], s[1][3]);
- MIX4(s[2][0], s[2][1], s[2][2], s[2][3]);
- MIX4(s[3][0], s[3][1], s[3][2], s[3][3]);
-
- AES4_4x(s[0], s[1], s[2], s[3], state->rc + 24);
- MIX4(s[0][0], s[0][1], s[0][2], s[0][3]);
- MIX4(s[1][0], s[1][1], s[1][2], s[1][3]);
- MIX4(s[2][0], s[2][1], s[2][2], s[2][3]);
- MIX4(s[3][0], s[3][1], s[3][2], s[3][3]);
-
- AES4_4x(s[0], s[1], s[2], s[3], state->rc + 32);
- MIX4(s[0][0], s[0][1], s[0][2], s[0][3]);
- MIX4(s[1][0], s[1][1], s[1][2], s[1][3]);
- MIX4(s[2][0], s[2][1], s[2][2], s[2][3]);
- MIX4(s[3][0], s[3][1], s[3][2], s[3][3]);
-
- STORE(out, s[0][0]);
- STORE(out + 16, s[0][1]);
- STORE(out + 32, s[0][2]);
- STORE(out + 48, s[0][3]);
- STORE(out + 64, s[1][0]);
- STORE(out + 80, s[1][1]);
- STORE(out + 96, s[1][2]);
- STORE(out + 112, s[1][3]);
- STORE(out + 128, s[2][0]);
- STORE(out + 144, s[2][1]);
- STORE(out + 160, s[2][2]);
- STORE(out + 176, s[2][3]);
- STORE(out + 192, s[3][0]);
- STORE(out + 208, s[3][1]);
- STORE(out + 224, s[3][2]);
- STORE(out + 240, s[3][3]);
-}
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state) {
- u128 s[4], tmp;
-
- s[0] = LOAD(in);
- s[1] = LOAD(in + 16);
- s[2] = LOAD(in + 32);
- s[3] = LOAD(in + 48);
-
- AES4(s[0], s[1], s[2], s[3], state->rc);
- MIX4(s[0], s[1], s[2], s[3]);
-
- AES4(s[0], s[1], s[2], s[3], state->rc + 8);
- MIX4(s[0], s[1], s[2], s[3]);
-
- AES4(s[0], s[1], s[2], s[3], state->rc + 16);
- MIX4(s[0], s[1], s[2], s[3]);
-
- AES4(s[0], s[1], s[2], s[3], state->rc + 24);
- MIX4(s[0], s[1], s[2], s[3]);
-
- AES4(s[0], s[1], s[2], s[3], state->rc + 32);
- MIX4(s[0], s[1], s[2], s[3]);
-
- s[0] = XOR128(s[0], LOAD(in));
- s[1] = XOR128(s[1], LOAD(in + 16));
- s[2] = XOR128(s[2], LOAD(in + 32));
- s[3] = XOR128(s[3], LOAD(in + 48));
-
- // truncate and store result
- TRUNCSTORE(out, s[0], s[1], s[2], s[3]);
-}
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka512x4(unsigned char *out, const unsigned char *in, const harakactx *state) {
- u128 s[4][4], tmp;
-
- s[0][0] = LOAD(in);
- s[0][1] = LOAD(in + 16);
- s[0][2] = LOAD(in + 32);
- s[0][3] = LOAD(in + 48);
- s[1][0] = LOAD(in + 64);
- s[1][1] = LOAD(in + 80);
- s[1][2] = LOAD(in + 96);
- s[1][3] = LOAD(in + 112);
- s[2][0] = LOAD(in + 128);
- s[2][1] = LOAD(in + 144);
- s[2][2] = LOAD(in + 160);
- s[2][3] = LOAD(in + 176);
- s[3][0] = LOAD(in + 192);
- s[3][1] = LOAD(in + 208);
- s[3][2] = LOAD(in + 224);
- s[3][3] = LOAD(in + 240);
-
- AES4_4x(s[0], s[1], s[2], s[3], state->rc);
- MIX4(s[0][0], s[0][1], s[0][2], s[0][3]);
- MIX4(s[1][0], s[1][1], s[1][2], s[1][3]);
- MIX4(s[2][0], s[2][1], s[2][2], s[2][3]);
- MIX4(s[3][0], s[3][1], s[3][2], s[3][3]);
-
- AES4_4x(s[0], s[1], s[2], s[3], state->rc + 8);
- MIX4(s[0][0], s[0][1], s[0][2], s[0][3]);
- MIX4(s[1][0], s[1][1], s[1][2], s[1][3]);
- MIX4(s[2][0], s[2][1], s[2][2], s[2][3]);
- MIX4(s[3][0], s[3][1], s[3][2], s[3][3]);
-
- AES4_4x(s[0], s[1], s[2], s[3], state->rc + 16);
- MIX4(s[0][0], s[0][1], s[0][2], s[0][3]);
- MIX4(s[1][0], s[1][1], s[1][2], s[1][3]);
- MIX4(s[2][0], s[2][1], s[2][2], s[2][3]);
- MIX4(s[3][0], s[3][1], s[3][2], s[3][3]);
-
- AES4_4x(s[0], s[1], s[2], s[3], state->rc + 24);
- MIX4(s[0][0], s[0][1], s[0][2], s[0][3]);
- MIX4(s[1][0], s[1][1], s[1][2], s[1][3]);
- MIX4(s[2][0], s[2][1], s[2][2], s[2][3]);
- MIX4(s[3][0], s[3][1], s[3][2], s[3][3]);
-
- AES4_4x(s[0], s[1], s[2], s[3], state->rc + 32);
- MIX4(s[0][0], s[0][1], s[0][2], s[0][3]);
- MIX4(s[1][0], s[1][1], s[1][2], s[1][3]);
- MIX4(s[2][0], s[2][1], s[2][2], s[2][3]);
- MIX4(s[3][0], s[3][1], s[3][2], s[3][3]);
-
- s[0][0] = XOR128(s[0][0], LOAD(in));
- s[0][1] = XOR128(s[0][1], LOAD(in + 16));
- s[0][2] = XOR128(s[0][2], LOAD(in + 32));
- s[0][3] = XOR128(s[0][3], LOAD(in + 48));
- s[1][0] = XOR128(s[1][0], LOAD(in + 64));
- s[1][1] = XOR128(s[1][1], LOAD(in + 80));
- s[1][2] = XOR128(s[1][2], LOAD(in + 96));
- s[1][3] = XOR128(s[1][3], LOAD(in + 112));
- s[2][0] = XOR128(s[2][0], LOAD(in + 128));
- s[2][1] = XOR128(s[2][1], LOAD(in + 144));
- s[2][2] = XOR128(s[2][2], LOAD(in + 160));
- s[2][3] = XOR128(s[2][3], LOAD(in + 176));
- s[3][0] = XOR128(s[3][0], LOAD(in + 192));
- s[3][1] = XOR128(s[3][1], LOAD(in + 208));
- s[3][2] = XOR128(s[3][2], LOAD(in + 224));
- s[3][3] = XOR128(s[3][3], LOAD(in + 240));
-
- TRUNCSTORE(out, s[0][0], s[0][1], s[0][2], s[0][3]);
- TRUNCSTORE((out + 32), s[1][0], s[1][1], s[1][2], s[1][3]);
- TRUNCSTORE((out + 64), s[2][0], s[2][1], s[2][2], s[2][3]);
- TRUNCSTORE((out + 96), s[3][0], s[3][1], s[3][2], s[3][3]);
-}
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state) {
- u128 s[2], tmp;
-
- s[0] = LOAD(in);
- s[1] = LOAD(in + 16);
-
- AES2(s[0], s[1], state->rc);
- MIX2(s[0], s[1]);
-
- AES2(s[0], s[1], state->rc + 4);
- MIX2(s[0], s[1]);
-
- AES2(s[0], s[1], state->rc + 8);
- MIX2(s[0], s[1]);
-
- AES2(s[0], s[1], state->rc + 12);
- MIX2(s[0], s[1]);
-
- AES2(s[0], s[1], state->rc + 16);
- MIX2(s[0], s[1]);
-
- s[0] = XOR128(s[0], LOAD(in));
- s[1] = XOR128(s[1], LOAD(in + 16));
-
- STORE(out, s[0]);
- STORE(out + 16, s[1]);
-}
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka256x4(unsigned char *out, const unsigned char *in, const harakactx *state) {
- u128 s[4][2], tmp;
-
- s[0][0] = LOAD(in);
- s[0][1] = LOAD(in + 16);
- s[1][0] = LOAD(in + 32);
- s[1][1] = LOAD(in + 48);
- s[2][0] = LOAD(in + 64);
- s[2][1] = LOAD(in + 80);
- s[3][0] = LOAD(in + 96);
- s[3][1] = LOAD(in + 112);
-
- // Round 1
- AES2_4x(s[0], s[1], s[2], s[3], state->rc);
-
- MIX2(s[0][0], s[0][1]);
- MIX2(s[1][0], s[1][1]);
- MIX2(s[2][0], s[2][1]);
- MIX2(s[3][0], s[3][1]);
-
- // Round 2
- AES2_4x(s[0], s[1], s[2], s[3], state->rc + 4);
-
- MIX2(s[0][0], s[0][1]);
- MIX2(s[1][0], s[1][1]);
- MIX2(s[2][0], s[2][1]);
- MIX2(s[3][0], s[3][1]);
-
- // Round 3
- AES2_4x(s[0], s[1], s[2], s[3], state->rc + 8);
-
- MIX2(s[0][0], s[0][1]);
- MIX2(s[1][0], s[1][1]);
- MIX2(s[2][0], s[2][1]);
- MIX2(s[3][0], s[3][1]);
-
- // Round 4
- AES2_4x(s[0], s[1], s[2], s[3], state->rc + 12);
-
- MIX2(s[0][0], s[0][1]);
- MIX2(s[1][0], s[1][1]);
- MIX2(s[2][0], s[2][1]);
- MIX2(s[3][0], s[3][1]);
-
- // Round 5
- AES2_4x(s[0], s[1], s[2], s[3], state->rc + 16);
-
- MIX2(s[0][0], s[0][1]);
- MIX2(s[1][0], s[1][1]);
- MIX2(s[2][0], s[2][1]);
- MIX2(s[3][0], s[3][1]);
-
- // Feed Forward
- s[0][0] = _mm_xor_si128(s[0][0], LOAD(in));
- s[0][1] = _mm_xor_si128(s[0][1], LOAD(in + 16));
- s[1][0] = _mm_xor_si128(s[1][0], LOAD(in + 32));
- s[1][1] = _mm_xor_si128(s[1][1], LOAD(in + 48));
- s[2][0] = _mm_xor_si128(s[2][0], LOAD(in + 64));
- s[2][1] = _mm_xor_si128(s[2][1], LOAD(in + 80));
- s[3][0] = _mm_xor_si128(s[3][0], LOAD(in + 96));
- s[3][1] = _mm_xor_si128(s[3][1], LOAD(in + 112));
-
- STORE(out, s[0][0]);
- STORE(out + 16, s[0][1]);
- STORE(out + 32, s[1][0]);
- STORE(out + 48, s[1][1]);
- STORE(out + 64, s[2][0]);
- STORE(out + 80, s[2][1]);
- STORE(out + 96, s[3][0]);
- STORE(out + 112, s[3][1]);
-}
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state) {
- u128 s[2], tmp;
-
- s[0] = LOAD(in);
- s[1] = LOAD(in + 16);
-
- AES2(s[0], s[1], state->rc_sseed);
- MIX2(s[0], s[1]);
-
- AES2(s[0], s[1], state->rc_sseed + 4);
- MIX2(s[0], s[1]);
-
- AES2(s[0], s[1], state->rc_sseed + 8);
- MIX2(s[0], s[1]);
-
- AES2(s[0], s[1], state->rc_sseed + 12);
- MIX2(s[0], s[1]);
-
- AES2(s[0], s[1], state->rc_sseed + 16);
- MIX2(s[0], s[1]);
-
- s[0] = XOR128(s[0], LOAD(in));
- s[1] = XOR128(s[1], LOAD(in + 16));
-
- STORE(out, s[0]);
- STORE(out + 16, s[1]);
-}
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka256_skx4(unsigned char *out, const unsigned char *in, const harakactx *state) {
- u128 s[4][2], tmp;
-
-
s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[1][0] = LOAD(in + 32); - s[1][1] = LOAD(in + 48); - s[2][0] = LOAD(in + 64); - s[2][1] = LOAD(in + 80); - s[3][0] = LOAD(in + 96); - s[3][1] = LOAD(in + 112); - - // Round 1 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 2 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 4); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 3 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 8); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 4 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 12); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 5 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 16); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Feed Forward - s[0][0] = XOR128(s[0][0], LOAD(in)); - s[0][1] = XOR128(s[0][1], LOAD(in + 16)); - s[1][0] = XOR128(s[1][0], LOAD(in + 32)); - s[1][1] = XOR128(s[1][1], LOAD(in + 48)); - s[2][0] = XOR128(s[2][0], LOAD(in + 64)); - s[2][1] = XOR128(s[2][1], LOAD(in + 80)); - s[3][0] = XOR128(s[3][0], LOAD(in + 96)); - s[3][1] = XOR128(s[3][1], LOAD(in + 112)); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[1][0]); - STORE(out + 48, s[1][1]); - STORE(out + 64, s[2][0]); - STORE(out + 80, s[2][1]); - STORE(out + 96, s[3][0]); - STORE(out + 112, s[3][1]); -} diff --git a/crypto_sign/sphincs-haraka-128f-robust/aesni/haraka.h b/crypto_sign/sphincs-haraka-128f-robust/aesni/haraka.h deleted file mode 100644 index 228cacda..00000000 --- a/crypto_sign/sphincs-haraka-128f-robust/aesni/haraka.h +++ /dev/null 
@@ -1,57 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_HARAKA_H
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_HARAKA_H
-
-#include
-#include
-#include
-
-typedef struct {
- __m128i rc[40];
- __m128i rc_sseed[40];
-} harakactx;
-
-/* Tweak constants with seed */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length);
-
-/* Haraka Sponge */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_S_inc_init(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_S_inc_finalize(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_S(
- unsigned char *out, unsigned long long outlen,
- const unsigned char *in, unsigned long long inlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_Sx4(
- unsigned char *out0,
- unsigned char *out1,
- unsigned char *out2,
- unsigned char *out3,
- unsigned long long outlen,
- const unsigned char *in0,
- const unsigned char *in1,
- const unsigned char *in2,
- const unsigned char *in3,
- unsigned long long inlen,
- const harakactx *state);
-
-
-/* Applies the 512-bit Haraka permutation to in. */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka512_perm_x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-512 */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka512x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka256x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 using sk.seed constants */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka256_skx4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-robust/aesni/hash.h b/crypto_sign/sphincs-haraka-128f-robust/aesni/hash.h
deleted file mode 100644
index d4ea5717..00000000
--- a/crypto_sign/sphincs-haraka-128f-robust/aesni/hash.h
+++ /dev/null
@@ -1,31 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_HASH_H
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_HASH_H
-
-#include "hash_state.h"
-
-#include
-#include
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed);
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_destroy_hash_function(hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-robust/aesni/hash_haraka.c b/crypto_sign/sphincs-haraka-128f-robust/aesni/hash_haraka.c
deleted file mode 100644
index 309737fd..00000000
--- a/crypto_sign/sphincs-haraka-128f-robust/aesni/hash_haraka.c
+++ /dev/null
@@ -1,96 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "haraka.h"
-#include "hash.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed) {
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_tweak_constants(hash_state_seeded, pub_seed, sk_seed, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N);
-}
-
-/* The haraka implementation is stack based and won't be replaced in PQClean/OQS,
- so we don't need to do anything */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_destroy_hash_function(
- hash_state *hash_state_seeded) { // NOLINT(readability-non-const-parameter)
- (void)hash_state_seeded;
-}
-
-/*
- * Computes PRF(key, addr), given a secret key of PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N bytes and an address
- */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- unsigned char buf[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES];
- /* Since PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N may be smaller than 32, we need a temporary buffer. */
- unsigned char outbuf[32];
-
- (void)key; /* Suppress an 'unused parameter' warning. */
-
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_addr_to_bytes(buf, addr);
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka256_sk(outbuf, buf, hash_state_seeded);
- memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N);
-}
-
-/**
- * Computes the message-dependent randomness R, using a secret seed and an
- * optional randomization value as well as the message.
- */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded) {
- uint8_t s_inc[65];
-
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_S_inc_init(s_inc);
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_S_inc_absorb(s_inc, sk_prf, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_S_inc_absorb(s_inc, optrand, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_S_inc_finalize(s_inc);
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_S_inc_squeeze(R, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, s_inc, hash_state_seeded);
-}
-
-/**
- * Computes the message hash using R, the public key, and the message.
- * Outputs the message digest and the index of the leaf. The index is split in
- * the tree index and the leaf index, for convenient copying to an address.
- */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded) {
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_TREE_BITS (PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_TREE_HEIGHT * (PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_D - 1))
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_TREE_BYTES ((PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_TREE_BITS + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_LEAF_BITS PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_TREE_HEIGHT
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_LEAF_BYTES ((PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_LEAF_BITS + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_DGST_BYTES (PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_MSG_BYTES + PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_TREE_BYTES + PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_LEAF_BYTES)
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_DGST_BYTES];
- unsigned char *bufp = buf;
- uint8_t s_inc[65];
-
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_S_inc_init(s_inc);
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_S_inc_absorb(s_inc, R, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_S_inc_absorb(s_inc, pk + PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_S_inc_finalize(s_inc);
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_S_inc_squeeze(buf, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_DGST_BYTES, s_inc, hash_state_seeded);
-
- memcpy(digest, bufp, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_MSG_BYTES);
- bufp += PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_MSG_BYTES;
-
- *tree = PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_bytes_to_ull(bufp, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_TREE_BYTES);
- *tree &= (~(uint64_t)0) >> (64 - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_TREE_BITS);
- bufp += PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_TREE_BYTES;
-
- *leaf_idx = (uint32_t)PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_bytes_to_ull(
- bufp, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_LEAF_BYTES);
- *leaf_idx &= (~(uint32_t)0) >> (32 - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_LEAF_BITS);
-}
diff --git a/crypto_sign/sphincs-haraka-128f-robust/aesni/hash_harakax4.c b/crypto_sign/sphincs-haraka-128f-robust/aesni/hash_harakax4.c
deleted file mode 100644
index 7f8cf5a9..00000000
--- a/crypto_sign/sphincs-haraka-128f-robust/aesni/hash_harakax4.c
+++ /dev/null
@@ -1,37 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "haraka.h"
-#include "hash_state.h"
-#include "hashx4.h"
-#include "params.h"
-
-/*
- * 4-way parallel version of prf_addr; takes 4x as much input and output
- */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_prf_addrx4(unsigned char *out0,
- unsigned char *out1,
- unsigned char *out2,
- unsigned char *out3,
- const unsigned char *key,
- const uint32_t addrx4[4 * 8],
- const hash_state *state_seeded) {
- unsigned char bufx4[4 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES];
- /* Since PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N may be smaller than 32, we need a temporary buffer. */
- unsigned char outbuf[4 * 32];
- unsigned int i;
-
- (void)key; /* Suppress an 'unused parameter' warning. */
-
- for (i = 0; i < 4; i++) {
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_addr_to_bytes(bufx4 + i * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES, addrx4 + i * 8);
- }
-
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka256_skx4(outbuf, bufx4, state_seeded);
-
- memcpy(out0, outbuf, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N);
- memcpy(out1, outbuf + 32, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N);
- memcpy(out2, outbuf + 64, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N);
- memcpy(out3, outbuf + 96, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N);
-}
diff --git a/crypto_sign/sphincs-haraka-128f-robust/aesni/hash_state.h b/crypto_sign/sphincs-haraka-128f-robust/aesni/hash_state.h
deleted file mode 100644
index 55b40bdb..00000000
--- a/crypto_sign/sphincs-haraka-128f-robust/aesni/hash_state.h
+++ /dev/null
@@ -1,26 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_HASH_STATE_H
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_HASH_STATE_H
-
-/**
- * Defines the type of the hash function state.
- *
- * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
- *
- * From Section 7.2.2 from the SPHINCS+ round-2 specification:
- *
- * Each of the instances of the tweakable hash function take PK.seed as its
- * first input, which is constant for a given key pair – and, thus, across
- * a single signature. This leads to a lot of redundant computation. To remedy
- * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
- * Because of the Merkle-Damgård construction that underlies SHA-256, this
- * allows for reuse of the intermediate SHA-256 state after the initial call to
- * the compression function which improves performance.
- *
- * We pass this hash state around in functions, because otherwise we need to
- * have a global variable.
- */
-
-#include "haraka.h"
-#define hash_state harakactx
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-robust/aesni/hashx4.h b/crypto_sign/sphincs-haraka-128f-robust/aesni/hashx4.h
deleted file mode 100644
index 14f2ffba..00000000
--- a/crypto_sign/sphincs-haraka-128f-robust/aesni/hashx4.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_HASHX4_H
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_HASHX4_H
-
-#include
-
-#include "hash_state.h"
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_prf_addrx4(unsigned char *out0,
- unsigned char *out1,
- unsigned char *out2,
- unsigned char *out3,
- const unsigned char *key,
- const uint32_t addrx4[4 * 8],
- const hash_state *state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-robust/aesni/params.h b/crypto_sign/sphincs-haraka-128f-robust/aesni/params.h
deleted file mode 100644
index 48ec695a..00000000
--- a/crypto_sign/sphincs-haraka-128f-robust/aesni/params.h
+++ /dev/null
@@ -1,53 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_PARAMS_H
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_PARAMS_H
-
-/* Hash output length in bytes. */
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N 16
-/* Height of the hypertree. */
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FULL_HEIGHT 60
-/* Number of subtree layer. */
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_D 20
-/* FORS tree dimensions. */
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_HEIGHT 9
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_TREES 30
-/* Winternitz parameter, */
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_W 16
-
-/* The hash function is defined by linking a different hash.c file, as opposed
- to setting a #define constant. */
-
-/* For clarity */
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES 32
-
-/* WOTS parameters. */
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_LOGW 4
-
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_LEN1 (8 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N / PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_LOGW)
-
-/* PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_LEN2 3
-
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_LEN (PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_LEN1 + PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_LEN2)
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_BYTES (PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_LEN * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N)
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_PK_BYTES PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_BYTES
-
-/* Subtree size. */
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_TREE_HEIGHT (PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FULL_HEIGHT / PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_D)
-
-/* FORS parameters. */
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_MSG_BYTES ((PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_TREES + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_BYTES ((PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_HEIGHT + 1) * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N)
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_PK_BYTES PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N
-
-/* Resulting SPX sizes. */
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_BYTES (PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N + PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_BYTES + PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_D * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_BYTES +\
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FULL_HEIGHT * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N)
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_PK_BYTES (2 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N)
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_SK_BYTES (2 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N + PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_PK_BYTES)
-
-/* Optionally, signing can be made non-deterministic using optrand.
- This can help counter side-channel attacks that would benefit from
- getting a large number of traces when the signer uses the same nodes. */
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_OPTRAND_BYTES 32
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-robust/aesni/sign.c b/crypto_sign/sphincs-haraka-128f-robust/aesni/sign.c
deleted file mode 100644
index 31a65202..00000000
--- a/crypto_sign/sphincs-haraka-128f-robust/aesni/sign.c
+++ /dev/null
@@ -1,409 +0,0 @@ -#include -#include -#include -#include - -#include "address.h" -#include "api.h" -#include "fors.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "randombytes.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - - -/** - * Computes the leaf at a given address. First generates the WOTS key pair, - * then computes leaf by hashing horizontally. - */ -static void wots_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx, const uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - unsigned char pk[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_BYTES]; - uint32_t wots_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_TYPE_WOTSPK); - - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_keypair_addr( - wots_addr, addr_idx); - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_wots_gen_pk( - pk, sk_seed, pub_seed, wots_addr, hash_state_seeded); - - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_copy_keypair_addr( - wots_pk_addr, wots_addr); - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_thash_WOTS_LEN( - leaf, pk, pub_seed, wots_pk_addr, hash_state_seeded); -} - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_crypto_sign_secretkeybytes(void) { - return PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_CRYPTO_SECRETKEYBYTES; -} - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_crypto_sign_publickeybytes(void) { - return PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_CRYPTO_PUBLICKEYBYTES; -} - -/* - * Returns the length of a signature, in bytes - */ -size_t 
PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_crypto_sign_bytes(void) { - return PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_CRYPTO_BYTES; -} - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_crypto_sign_seedbytes(void) { - return PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_CRYPTO_SEEDBYTES; -} - -/* - * Generates an SPX key pair given a seed of length - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_crypto_sign_seed_keypair( - uint8_t *pk, uint8_t *sk, const uint8_t *seed) { - /* We do not need the auth path in key generation, but it simplifies the - code to have just one treehash routine that computes both root and path - in one function. */ - unsigned char auth_path[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N]; - uint32_t top_tree_addr[8] = {0}; - hash_state hash_state_seeded; - - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_layer_addr( - top_tree_addr, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_D - 1); - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_type( - top_tree_addr, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_TYPE_HASHTREE); - - /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */ - memcpy(sk, seed, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_CRYPTO_SEEDBYTES); - - memcpy(pk, sk + 2 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_initialize_hash_function(&hash_state_seeded, pk, sk); - - /* Compute root node of the top-most subtree. 
*/ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_treehash_TREE_HEIGHT( - sk + 3 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, auth_path, sk, sk + 2 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, 0, 0, - wots_gen_leaf, top_tree_addr, &hash_state_seeded); - - memcpy(pk + PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, sk + 3 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N); - - return 0; -} - -/* - * Generates an SPX key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk) { - - // guarantee alignment of pk - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_CRYPTO_PUBLICKEYBYTES / 16]; - uint8_t pk[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - - // guarantee alignment of sk - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_CRYPTO_SECRETKEYBYTES / 16]; - uint8_t sk[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_CRYPTO_SECRETKEYBYTES]; - } aligned_sk; - - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_CRYPTO_SEEDBYTES / 16]; - uint8_t seed[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_CRYPTO_SEEDBYTES]; - } aligned_seed; - randombytes(aligned_seed.seed, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_CRYPTO_SEEDBYTES); - - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_crypto_sign_seed_keypair( - aligned_pk.pk, aligned_sk.sk, aligned_seed.seed); - memcpy(pk, aligned_pk.pk, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_CRYPTO_PUBLICKEYBYTES); - memcpy(sk, aligned_sk.sk, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_CRYPTO_SECRETKEYBYTES); - - return 0; -} - -/** - * Returns an array containing a detached signature. 
- */ -int PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - // guarantee alignment of sk - union { - __m128 *_x; - uint8_t sk[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_CRYPTO_SECRETKEYBYTES]; - } aligned_sk; - memcpy(aligned_sk.sk, sk, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_CRYPTO_SECRETKEYBYTES); - sk = aligned_sk.sk; - - // guarantee alignment of sig - union { - __m128 *_x; - uint8_t sig[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_BYTES]; - } aligned_sig; - uint8_t *orig_sig = sig; - sig = (uint8_t *)aligned_sig.sig; - - const unsigned char *sk_seed = sk; - const unsigned char *sk_prf = sk + PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N; - const unsigned char *pk = sk + 2 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N; - const unsigned char *pub_seed = pk; - - unsigned char optrand[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N]; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_MSG_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N]; - uint32_t i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - - hash_state hash_state_seeded; - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_initialize_hash_function( - &hash_state_seeded, - pub_seed, sk_seed); - - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_TYPE_HASHTREE); - - /* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. 
*/ - randombytes(optrand, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N); - /* Compute the digest randomization value. */ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_gen_message_random( - sig, sk_prf, optrand, m, mlen, &hash_state_seeded); - - /* Derive the message digest and leaf index from R, PK and M. */ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N; - - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - /* Sign the message hash using FORS. */ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_fors_sign( - sig, root, mhash, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_BYTES; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_D; i++) { - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - /* Compute a WOTS signature. */ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_wots_sign( - sig, root, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_BYTES; - - /* Compute the authentication path for the used WOTS leaf. */ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_treehash_TREE_HEIGHT( - root, sig, sk_seed, pub_seed, idx_leaf, 0, - wots_gen_leaf, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N; - - /* Update the indices for the next layer. 
*/ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_TREE_HEIGHT; - } - - memcpy(orig_sig, aligned_sig.sig, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_BYTES); - *siglen = PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_BYTES; - - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - // guarantee alignment of pk - union { - __m128 *_x; - uint8_t pk[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - memcpy(aligned_pk.pk, pk, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_CRYPTO_PUBLICKEYBYTES); - pk = aligned_pk.pk; - - const unsigned char *pub_seed = pk; - const unsigned char *pub_root = pk + PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_MSG_BYTES]; - unsigned char wots_pk[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N]; - unsigned int i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - hash_state hash_state_seeded; - - if (siglen != PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_BYTES) { - return -1; - } - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_initialize_hash_function( - &hash_state_seeded, - pub_seed, NULL); - - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_TYPE_HASHTREE); - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_TYPE_WOTSPK); - - /* Derive the message digest and leaf index from R || PK || M. */ - /* The additional PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N is a result of the hash domain separator. */ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N; - - /* Layer correctly defaults to 0, so no need to set_layer_addr */ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_fors_pk_from_sig( - root, sig, mhash, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_BYTES; - - /* For each subtree.. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_D; i++) { - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_copy_keypair_addr( - wots_pk_addr, wots_addr); - - /* The WOTS public key is only correct if the signature was correct. */ - /* Initially, root is the FORS pk, but on subsequent iterations it is - the root of the subtree below the currently processed subtree. 
*/ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_wots_pk_from_sig( - wots_pk, sig, root, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_BYTES; - - /* Compute the leaf node using the WOTS public key. */ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_thash_WOTS_LEN( - leaf, wots_pk, pub_seed, wots_pk_addr, &hash_state_seeded); - - /* Compute the root node of this subtree. */ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_compute_root( - root, leaf, idx_leaf, 0, sig, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_TREE_HEIGHT, - pub_seed, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_TREE_HEIGHT; - } - - /* Check if the root node equals the root node in the public key. */ - if (memcmp(root, pub_root, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N) != 0) { - return -1; - } - - return 0; -} - - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - size_t siglen; - - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_crypto_sign_signature( - sm, &siglen, m, mlen, sk); - - memmove(sm + PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_BYTES, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. 
- */ -int PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk) { - - // guarantee alignment of pk - union { - __m128 *_x; - uint8_t pk[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - memcpy(aligned_pk.pk, pk, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_CRYPTO_PUBLICKEYBYTES); - pk = aligned_pk.pk; - - - /* The API caller does not necessarily know what size a signature should be - but SPHINCS+ signatures are always exactly PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_BYTES. */ - if (smlen < PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_BYTES) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_BYTES; - - if (PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_crypto_sign_verify( - sm, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_BYTES, sm + PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_BYTES, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_BYTES, *mlen); - - return 0; -} diff --git a/crypto_sign/sphincs-haraka-128f-robust/aesni/thash.h b/crypto_sign/sphincs-haraka-128f-robust/aesni/thash.h deleted file mode 100644 index d52a3054..00000000 --- a/crypto_sign/sphincs-haraka-128f-robust/aesni/thash.h +++ /dev/null 
@@ -1,28 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_THASH_H -#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_THASH_H - -#include "hash_state.h" - -#include - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-128f-robust/aesni/thash_haraka_robust.c b/crypto_sign/sphincs-haraka-128f-robust/aesni/thash_haraka_robust.c deleted file mode 100644 index f14713bc..00000000 --- a/crypto_sign/sphincs-haraka-128f-robust/aesni/thash_haraka_robust.c +++ /dev/null 
@@ -1,94 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" - -#include "haraka.h" - -/** - * Takes an array of inblocks concatenated arrays of PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N bytes. - */ -static void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_thash( - unsigned char *out, unsigned char *buf, - const unsigned char *in, unsigned int inblocks, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char *bitmask = buf + PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES; - unsigned char outbuf[32]; - unsigned char buf_tmp[64]; - unsigned int i; - - (void)pub_seed; /* Suppress an 'unused parameter' warning. */ - - if (inblocks == 1) { - /* F function */ - /* Since PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N may be smaller than 32, we need a temporary buffer. */ - memset(buf_tmp, 0, 64); - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_addr_to_bytes(buf_tmp, addr); - - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka256(outbuf, buf_tmp, hash_state_seeded); - for (i = 0; i < inblocks * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N; i++) { - buf_tmp[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES + i] = in[i] ^ outbuf[i]; - } - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka512(outbuf, buf_tmp, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N); - } else { - /* All other tweakable hashes*/ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_addr_to_bytes(buf, addr); - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_S( - bitmask, inblocks * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, buf, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES, hash_state_seeded); - - for (i = 0; i < inblocks * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N; i++) { - buf[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES + i] = in[i] ^ bitmask[i]; - } - - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_S( - out, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, buf, 
PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES + inblocks * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, hash_state_seeded); - } -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES + 1 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N]; - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_thash( - out, buf, in, 1, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES + 2 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N]; - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_thash( - out, buf, in, 2, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_LEN * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N]; - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_thash( - out, buf, in, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_LEN, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N]; - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_thash( - out, buf, in, 
PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_TREES, pub_seed, addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-128f-robust/aesni/thash_haraka_robustx4.c b/crypto_sign/sphincs-haraka-128f-robust/aesni/thash_haraka_robustx4.c deleted file mode 100644 index 15f2c6d8..00000000 --- a/crypto_sign/sphincs-haraka-128f-robust/aesni/thash_haraka_robustx4.c +++ /dev/null 
@@ -1,92 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "params.h" -#include "thashx4.h" - -/** - * 4-way parallel version of thash; takes 4x as much input and output - */ -#define thashx4_variant(name, inblocks) \ - void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_thashx4_##name(unsigned char *out0, unsigned char *out1, unsigned char *out2, \ - unsigned char *out3, const unsigned char *in0, \ - const unsigned char *in1, const unsigned char *in2, \ - const unsigned char *in3, const unsigned char *pub_seed, \ - uint32_t addrx4[4 * 8], const harakactx *state) { \ - unsigned char buf0[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N]; \ - unsigned char buf1[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N]; \ - unsigned char buf2[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N]; \ - unsigned char buf3[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N]; \ - unsigned char bitmask0[(inblocks)*PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N]; \ - unsigned char bitmask1[(inblocks)*PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N]; \ - unsigned char bitmask2[(inblocks)*PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N]; \ - unsigned char bitmask3[(inblocks)*PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N]; \ - unsigned char outbuf[32 * 4]; \ - unsigned char buf_tmp[64 * 4]; \ - unsigned int i; \ - \ - (void)pub_seed; /* Suppress an 'unused parameter' warning. 
*/ \ - \ - if ((inblocks) == 1) { \ - memset(buf_tmp, 0, 64 * 4); \ - \ - /* Generate masks first in buffer */ \ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_addr_to_bytes(buf_tmp, addrx4 + 0 * 8); \ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_addr_to_bytes(buf_tmp + 32, addrx4 + 1 * 8); \ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_addr_to_bytes(buf_tmp + 64, addrx4 + 2 * 8); \ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_addr_to_bytes(buf_tmp + 96, addrx4 + 3 * 8); \ - \ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka256x4(outbuf, buf_tmp, state); \ - \ - /* move addresses to make room for inputs; zero old values */ \ - memcpy(buf_tmp + 192, buf_tmp + 96, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES); \ - memcpy(buf_tmp + 128, buf_tmp + 64, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES); \ - memcpy(buf_tmp + 64, buf_tmp + 32, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES); \ - /* skip memcpy(buf_tmp, buf_tmp, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES); already in place */ \ - \ - /* skip memset(buf_tmp, 0, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES); remained untouched */ \ - memset(buf_tmp + 32, 0, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES); \ - /* skip memset(buf_tmp + 64, 0, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES); contains addr1 */ \ - memset(buf_tmp + 96, 0, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES); \ - \ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N; i++) { \ - buf_tmp[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES + i] = in0[i] ^ outbuf[i]; \ - buf_tmp[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES + i + 64] = in1[i] ^ outbuf[i + 32]; \ - buf_tmp[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES + i + 128] = in2[i] ^ outbuf[i + 64]; \ - buf_tmp[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES + i + 192] = in3[i] ^ outbuf[i + 96]; \ - } \ - \ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka512x4(outbuf, buf_tmp, state); \ - \ - memcpy(out0, outbuf, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N); \ - memcpy(out1, outbuf + 
32, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N); \ - memcpy(out2, outbuf + 64, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N); \ - memcpy(out3, outbuf + 96, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N); \ - } else { \ - /* All other tweakable hashes*/ \ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_addr_to_bytes(buf0, addrx4 + 0 * 8); \ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_addr_to_bytes(buf1, addrx4 + 1 * 8); \ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_addr_to_bytes(buf2, addrx4 + 2 * 8); \ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_addr_to_bytes(buf3, addrx4 + 3 * 8); \ - \ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_Sx4(bitmask0, bitmask1, bitmask2, bitmask3, (inblocks)*PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, buf0, buf1, \ - buf2, buf3, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES, state); \ - \ - for (i = 0; i < (inblocks)*PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N; i++) { \ - buf0[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES + i] = in0[i] ^ bitmask0[i]; \ - buf1[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES + i] = in1[i] ^ bitmask1[i]; \ - buf2[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES + i] = in2[i] ^ bitmask2[i]; \ - buf3[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES + i] = in3[i] ^ bitmask3[i]; \ - } \ - \ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_haraka_Sx4(out0, out1, out2, out3, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, buf0, buf1, buf2, buf3, \ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, state); \ - } \ - } - -thashx4_variant(1, 1) -thashx4_variant(2, 2) -thashx4_variant(WOTS_LEN, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_LEN) -thashx4_variant(FORS_TREES, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_TREES) diff --git a/crypto_sign/sphincs-haraka-128f-robust/aesni/thashx4.h b/crypto_sign/sphincs-haraka-128f-robust/aesni/thashx4.h deleted file mode 100644 index c3c535a5..00000000 --- a/crypto_sign/sphincs-haraka-128f-robust/aesni/thashx4.h +++ /dev/null 
@@ -1,25 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_THASHX4_H -#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_THASHX4_H - -#include - -#include "hash_state.h" - -#define thashx4_header(inblocks) \ - void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_thashx4_##inblocks(unsigned char *out0, \ - unsigned char *out1, \ - unsigned char *out2, \ - unsigned char *out3, \ - const unsigned char *in0, \ - const unsigned char *in1, \ - const unsigned char *in2, \ - const unsigned char *in3, \ - const unsigned char *pub_seed, uint32_t addrx4[4*8], \ - const hash_state *state_seeded) - -thashx4_header(1); -thashx4_header(2); -thashx4_header(WOTS_LEN); -thashx4_header(FORS_TREES); - -#endif diff --git a/crypto_sign/sphincs-haraka-128f-robust/aesni/utils.c b/crypto_sign/sphincs-haraka-128f-robust/aesni/utils.c deleted file mode 100644 index ad1d4239..00000000 --- a/crypto_sign/sphincs-haraka-128f-robust/aesni/utils.c +++ /dev/null 
@@ -1,199 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" -#include "utils.h" - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in) { - - /* Iterate over out in decreasing order, for big-endianness. */ - for (size_t i = outlen; i > 0; i--) { - out[i - 1] = in & 0xff; - in = in >> 8; - } -} - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_bytes_to_ull( - const unsigned char *in, size_t inlen) { - unsigned long long retval = 0; - - for (size_t i = 0; i < inlen; i++) { - retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i)); - } - return retval; -} - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - unsigned char buffer[2 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N]; - - /* If leaf_idx is odd (last bit = 1), current path element is a right child - and auth_path has to go left. Otherwise it is the other way around. 
*/ - if (leaf_idx & 1) { - memcpy(buffer + PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, leaf, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N); - } else { - memcpy(buffer, leaf, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, auth_path, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N; - - for (i = 0; i < tree_height - 1; i++) { - leaf_idx >>= 1; - idx_offset >>= 1; - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_tree_height(addr, i + 1); - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_tree_index( - addr, leaf_idx + idx_offset); - - /* Pick the right or left neighbor, depending on parity of the node. */ - if (leaf_idx & 1) { - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_thash_2( - buffer + PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N); - } else { - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_thash_2( - buffer, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, auth_path, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N; - } - - /* The last iteration is exceptional; we do not copy an auth_path node. */ - leaf_idx >>= 1; - idx_offset >>= 1; - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_tree_height(addr, tree_height); - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_tree_index( - addr, leaf_idx + idx_offset); - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_thash_2( - root, buffer, pub_seed, addr, hash_state_seeded); -} - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. 
PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -static void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_treehash( - unsigned char *root, unsigned char *auth_path, - unsigned char *stack, unsigned int *heights, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - - unsigned int offset = 0; - uint32_t idx; - uint32_t tree_idx; - - for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) { - /* Add the next leaf node to the stack. */ - gen_leaf(stack + offset * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, - sk_seed, pub_seed, idx + idx_offset, tree_addr, - hash_state_seeded); - offset++; - heights[offset - 1] = 0; - - /* If this is a node we need for the auth path.. */ - if ((leaf_idx ^ 0x1) == idx) { - memcpy(auth_path, stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N); - } - - /* While the top-most nodes are of equal height.. */ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { - /* Compute index of the new node, in the next layer. */ - tree_idx = (idx >> (heights[offset - 1] + 1)); - - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_tree_height( - tree_addr, heights[offset - 1] + 1); - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_tree_index( - tree_addr, tree_idx + (idx_offset >> (heights[offset - 1] + 1))); - /* Hash the top-most nodes from the stack together. 
*/ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_thash_2( - stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, - pub_seed, tree_addr, hash_state_seeded); - offset--; - /* Note that the top-most node is now one layer higher. */ - heights[offset - 1]++; - - /* If this is a node we need for the auth path.. */ - if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) { - memcpy(auth_path + heights[offset - 1]*PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, - stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N); - } - } - } - memcpy(root, stack, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N); -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* 
leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_TREE_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_TREE_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_TREE_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-128f-robust/aesni/utils.h b/crypto_sign/sphincs-haraka-128f-robust/aesni/utils.h deleted file mode 100644 index 4e496ff3..00000000 --- a/crypto_sign/sphincs-haraka-128f-robust/aesni/utils.h +++ /dev/null 
@@ -1,64 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_UTILS_H -#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_UTILS_H - -#include "hash_state.h" -#include "params.h" -#include -#include - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in); - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_bytes_to_ull( - const unsigned char *in, size_t inlen); - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. 
- */ -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-128f-robust/aesni/utilsx4.c b/crypto_sign/sphincs-haraka-128f-robust/aesni/utilsx4.c deleted file mode 100644 index c51f342c..00000000 --- a/crypto_sign/sphincs-haraka-128f-robust/aesni/utilsx4.c +++ /dev/null 
@@ -1,98 +0,0 @@ -#include "address.h" -#include "params.h" -#include "thashx4.h" -#include "utils.h" -#include "utilsx4.h" - -#include - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -#define treehashx4_variant(name, tree_height) \ - void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_treehashx4_##name( \ - unsigned char *rootx4, unsigned char *auth_pathx4, const unsigned char *sk_seed, \ - const unsigned char *pub_seed, const uint32_t leaf_idx[4], uint32_t idx_offset[4], \ - void (*gen_leafx4)(unsigned char * /* leaf0 */, unsigned char * /* leaf1 */, \ - unsigned char * /* leaf2 */, unsigned char * /* leaf3 */, \ - const unsigned char * /* sk_seed */, \ - const unsigned char * /* pub_seed */, uint32_t /* addr_idx0 */, \ - uint32_t /* addr_idx1 */, uint32_t /* addr_idx2 */, \ - uint32_t /* addr_idx3 */, const uint32_t[8] /* tree_addr */, \ - const hash_state * /* state_seeded */), \ - uint32_t tree_addrx4[4 * 8], const hash_state *state_seeded) { \ - unsigned char stackx4[4 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N]; \ - unsigned int heights[(tree_height) + 1]; \ - unsigned int offset = 0; \ - uint32_t idx; \ - uint32_t tree_idx; \ - unsigned int j; \ - \ - for (idx = 0; idx < (uint32_t)(1 << (tree_height)); idx++) { \ - /* Add the next leaf node to the stack. 
*/ \ - gen_leafx4(stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, sk_seed, \ - pub_seed, idx + idx_offset[0], idx + idx_offset[1], idx + idx_offset[2], \ - idx + idx_offset[3], tree_addrx4, state_seeded); \ - offset++; \ - heights[offset - 1] = 0; \ - \ - /* If this is a node we need for the auth path.. */ \ - for (j = 0; j < 4; j++) { \ - if ((leaf_idx[j] ^ 0x1) == idx) { \ - memcpy(auth_pathx4 + j * (tree_height)*PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, \ - stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N + (offset - 1) * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, \ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N); \ - } \ - } \ - \ - /* While the top-most nodes are of equal height.. */ \ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { \ - /* Compute index of the new node, in the next layer. */ \ - tree_idx = (idx >> (heights[offset - 1] + 1)); \ - \ - /* Set the address of the node we're creating. */ \ - for (j = 0; j < 4; j++) { \ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_tree_height(tree_addrx4 + j * 8, heights[offset - 1] + 1); \ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_tree_index(tree_addrx4 + j * 8, \ - tree_idx + (idx_offset[j] >> (heights[offset - 1] + 1))); \ - } \ - /* Hash the top-most nodes from the stack together. 
*/ \ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_thashx4_2(stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, \ - stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, \ - pub_seed, tree_addrx4, state_seeded); \ - offset--; \ - /* Note that the top-most node is now one layer higher. */ \ - heights[offset - 1]++; \ - \ - /* If this is a node we need for the auth path.. 
*/ \ - for (j = 0; j < 4; j++) { \ - if (((leaf_idx[j] >> heights[offset - 1]) ^ 0x1) == tree_idx) { \ - memcpy(auth_pathx4 + j * (tree_height)*PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N + \ - heights[offset - 1] * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, \ - stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N + (offset - 1) * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, \ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N); \ - } \ - } \ - } \ - } \ - \ - for (j = 0; j < 4; j++) { \ - memcpy(rootx4 + j * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N); \ - } \ - } - -treehashx4_variant(FORS_HEIGHT, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_FORS_HEIGHT) diff --git a/crypto_sign/sphincs-haraka-128f-robust/aesni/utilsx4.h b/crypto_sign/sphincs-haraka-128f-robust/aesni/utilsx4.h deleted file mode 100644 index 4b57bfe8..00000000 --- a/crypto_sign/sphincs-haraka-128f-robust/aesni/utilsx4.h +++ /dev/null 
@@ -1,38 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_UTILSX4_H
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_UTILSX4_H
-
-#include "hash_state.h"
-#include "params.h"
-
-#include
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_treehashx4_FORS_HEIGHT(unsigned char *rootx4,
- unsigned char *auth_pathx4,
- const unsigned char *sk_seed,
- const unsigned char *pub_seed,
- const uint32_t leaf_idx[4],
- uint32_t idx_offset[4],
- void (*gen_leafx4)(unsigned char * /* leaf0 */,
- unsigned char * /* leaf1 */,
- unsigned char * /* leaf2 */,
- unsigned char * /* leaf3 */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx0 */,
- uint32_t /* addr_idx1 */,
- uint32_t /* addr_idx2 */,
- uint32_t /* addr_idx3 */,
- const uint32_t[8] /* tree_addr */,
- const hash_state * /* state_seeded */),
- uint32_t tree_addrx4[4 * 8],
- const hash_state *state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-robust/aesni/wots.c b/crypto_sign/sphincs-haraka-128f-robust/aesni/wots.c
deleted file mode 100644
index 6bbdaf6b..00000000
--- a/crypto_sign/sphincs-haraka-128f-robust/aesni/wots.c
+++ /dev/null
@@ -1,240 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "hashx4.h" -#include "params.h" -#include "thash.h" -#include "thashx4.h" -#include "utils.h" -#include "wots.h" - -// TODO clarify address expectations, and make them more uniform. -// TODO i.e. do we expect types to be set already? -// TODO and do we expect modifications or copies? - -/** - * Computes the starting value for a chain, i.e. the secret key. - * Expects the address to be complete up to the chain address. - */ -static void wots_gen_sk(unsigned char *sk, const unsigned char *sk_seed, - uint32_t wots_addr[8], const hash_state *state_seeded) { - /* Make sure that the hash address is actually zeroed. */ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_hash_addr(wots_addr, 0); - - /* Generate sk element. */ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_prf_addr(sk, sk_seed, wots_addr, state_seeded); -} - -/** - * 4-way parallel version of wots_gen_sk; expects 4x as much space in sk - */ -static void wots_gen_skx4(unsigned char *skx4, const unsigned char *sk_seed, - uint32_t wots_addrx4[4 * 8], const hash_state *state_seeded) { - unsigned int j; - - /* Make sure that the hash address is actually zeroed. */ - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_hash_addr(wots_addrx4 + j * 8, 0); - } - - /* Generate sk element. */ - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_prf_addrx4(skx4 + 0 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, - skx4 + 1 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, - skx4 + 2 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, - skx4 + 3 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, - sk_seed, wots_addrx4, - state_seeded); -} - -/** - * Computes the chaining function. - * out and in have to be n-byte arrays. - * - * Interprets in as start-th value of the chain. - * addr has to contain the address of the chain. 
- */ -static void gen_chain(unsigned char *out, const unsigned char *in, - unsigned int start, unsigned int steps, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - uint32_t i; - - /* Initialize out with the value at position 'start'. */ - memcpy(out, in, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N); - - /* Iterate 'steps' calls to the hash function. */ - for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_W; i++) { - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_hash_addr(addr, i); - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_thash_1(out, out, pub_seed, addr, state_seeded); - } -} - -/** - * 4-way parallel version of gen_chain; expects 4x as much space in out, and - * 4x as much space in inx4. Assumes start and step identical across chains. - */ -static void gen_chainx4(unsigned char *outx4, const unsigned char *inx4, - unsigned int start, unsigned int steps, - const unsigned char *pub_seed, uint32_t addrx4[4 * 8], - const hash_state *state_seeded) { - uint32_t i; - unsigned int j; - - /* Initialize outx4 with the value at position 'start'. */ - memcpy(outx4, inx4, 4 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N); - - /* Iterate 'steps' calls to the hash function. 
*/ - for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_W; i++) { - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_hash_addr(addrx4 + j * 8, i); - } - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_thashx4_1(outx4 + 0 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, - outx4 + 1 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, - outx4 + 2 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, - outx4 + 3 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, - outx4 + 0 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, - outx4 + 1 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, - outx4 + 2 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, - outx4 + 3 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, - pub_seed, addrx4, - state_seeded); - } -} - -/** - * base_w algorithm as described in draft. - * Interprets an array of bytes as integers in base w. - * This only works when log_w is a divisor of 8. - */ -static void base_w(unsigned int *output, const int out_len, const unsigned char *input) { - int in = 0; - int out = 0; - unsigned char total = 0; - int bits = 0; - int consumed; - - for (consumed = 0; consumed < out_len; consumed++) { - if (bits == 0) { - total = input[in]; - in++; - bits += 8; - } - bits -= PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_LOGW; - output[out] = (unsigned int)(total >> bits) & (PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_W - 1); - out++; - } -} - -/* Computes the WOTS+ checksum over a message (in base_w). */ -static void wots_checksum(unsigned int *csum_base_w, const unsigned int *msg_base_w) { - unsigned int csum = 0; - unsigned char csum_bytes[(PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_LOGW + 7) / 8]; - unsigned int i; - - /* Compute checksum. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_LEN1; i++) { - csum += PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_W - 1 - msg_base_w[i]; - } - - /* Convert checksum to base_w. 
*/ - /* Make sure expected empty zero bits are the least significant bits. */ - csum = csum << (8 - ((PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_LOGW) % 8)); - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_ull_to_bytes(csum_bytes, sizeof(csum_bytes), csum); - base_w(csum_base_w, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_LEN2, csum_bytes); -} - -/* Takes a message and derives the matching chain lengths. */ -static void chain_lengths(unsigned int *lengths, const unsigned char *msg) { - base_w(lengths, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_LEN1, msg); - wots_checksum(lengths + PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_LEN1, lengths); -} - -/** - * WOTS key generation. Takes a 32 byte sk_seed, expands it to WOTS private key - * elements and computes the corresponding public key. - * It requires the seed pub_seed (used to generate bitmasks and hash keys) - * and the address of this WOTS key pair. - * - * Writes the computed public key to 'pk'. - */ -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_wots_gen_pk(unsigned char *pk, const unsigned char *sk_seed, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - uint32_t i; - unsigned int j; - - uint32_t addrx4[4 * 8]; - unsigned char pkbuf[4 * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N]; - - for (j = 0; j < 4; j++) { - memcpy(addrx4 + j * 8, addr, sizeof(uint32_t) * 8); - } - - /* The last iteration typically does not have complete set of 4 chains, - but because we use pkbuf, this is not an issue -- we still do as many - in parallel as possible. 
*/ - for (i = 0; i < ((PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_LEN + 3) & ~0x3); i += 4) { - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_chain_addr(addrx4 + j * 8, i + j); - } - wots_gen_skx4(pkbuf, sk_seed, addrx4, state_seeded); - gen_chainx4(pkbuf, pkbuf, 0, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_W - 1, pub_seed, addrx4, state_seeded); - for (j = 0; j < 4; j++) { - if (i + j < PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_LEN) { - memcpy(pk + (i + j)*PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, pkbuf + j * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N); - } - } - } - - // Get rid of unused argument variable. - (void)state_seeded; -} - -/** - * Takes a n-byte message and the 32-byte sk_see to compute a signature 'sig'. - */ -void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_wots_sign(unsigned char *sig, const unsigned char *msg, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t addr[8], const hash_state *state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_chain_addr(addr, i); - wots_gen_sk(sig + i * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, sk_seed, addr, state_seeded); - gen_chain(sig + i * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, sig + i * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, 0, lengths[i], pub_seed, addr, state_seeded); - } - - // avoid unused argument - (void)state_seeded; -} - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. 
- */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_wots_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *state_seeded) {
- unsigned int lengths[PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_LEN];
- uint32_t i;
-
- chain_lengths(lengths, msg);
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_LEN; i++) {
- PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_set_chain_addr(addr, i);
- gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N, sig + i * PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_N,
- lengths[i], PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_W - 1 - lengths[i], pub_seed, addr,
- state_seeded);
- }
-
- // avoid unused argument
- (void)state_seeded;
-}
diff --git a/crypto_sign/sphincs-haraka-128f-robust/aesni/wots.h b/crypto_sign/sphincs-haraka-128f-robust/aesni/wots.h
deleted file mode 100644
index 1b5908d8..00000000
--- a/crypto_sign/sphincs-haraka-128f-robust/aesni/wots.h
+++ /dev/null
@@ -1,41 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_H
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_WOTS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-
-/**
- * WOTS key generation. Takes a 32 byte seed for the private key, expands it to
- * a full WOTS private key and computes the corresponding public key.
- * It requires the seed pub_seed (used to generate bitmasks and hash keys)
- * and the address of this WOTS key pair.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_wots_gen_pk(
- unsigned char *pk, const unsigned char *sk_seed,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * Takes a n-byte message and the 32-byte seed for the private key to compute a
- * signature that is placed at 'sig'.
- */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_wots_sign(
- unsigned char *sig, const unsigned char *msg,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_AESNI_wots_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-robust/clean/LICENSE b/crypto_sign/sphincs-haraka-128f-robust/clean/LICENSE
deleted file mode 100644
index 670154e3..00000000
--- a/crypto_sign/sphincs-haraka-128f-robust/clean/LICENSE
+++ /dev/null
@@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. 
publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. 
Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. 
Affirmer offers the Work as-is and makes no representations or warranties - of any kind concerning the Work, express, implied, statutory or otherwise, - including without limitation warranties of title, merchantability, fitness - for a particular purpose, non infringement, or the absence of latent or - other defects, accuracy, or the present or absence of errors, whether or not - discoverable, all to the greatest extent permissible under applicable law. - - c. Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without limitation - any person's Copyright and Related Rights in the Work. Further, Affirmer - disclaims responsibility for obtaining any necessary consents, permissions - or other rights required for any use of the Work. - - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to this - CC0 or use of the Work. - -For more information, please see - diff --git a/crypto_sign/sphincs-haraka-128f-robust/clean/Makefile.Microsoft_nmake b/crypto_sign/sphincs-haraka-128f-robust/clean/Makefile.Microsoft_nmake deleted file mode 100644 index e7d459d6..00000000 --- a/crypto_sign/sphincs-haraka-128f-robust/clean/Makefile.Microsoft_nmake +++ /dev/null @@ -1,19 +0,0 @@ -# This Makefile can be used with Microsoft Visual Studio's nmake using the command: -# nmake /f Makefile.Microsoft_nmake - -LIBRARY=libsphincs-haraka-128f-robust_clean.lib -OBJECTS=address.obj wots.obj utils.obj fors.obj sign.obj hash_haraka.obj thash_haraka_robust.obj haraka.obj - -CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX - -all: $(LIBRARY) - -# Make sure objects are recompiled if headers change. -$(OBJECTS): *.h - -$(LIBRARY): $(OBJECTS) - LIB.EXE /NOLOGO /WX /OUT:$@ $** - -clean: - -DEL $(OBJECTS) - -DEL $(LIBRARY) 
diff --git a/crypto_sign/sphincs-haraka-128f-robust/clean/address.c b/crypto_sign/sphincs-haraka-128f-robust/clean/address.c
deleted file mode 100644
index 76591a03..00000000
--- a/crypto_sign/sphincs-haraka-128f-robust/clean/address.c
+++ /dev/null
@@ -1,78 +0,0 @@
-#include
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]) {
- int i;
-
- for (i = 0; i < 8; i++) {
- PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ull_to_bytes(
- bytes + i * 4, 4, addr[i]);
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_layer_addr(
- uint32_t addr[8], uint32_t layer) {
- addr[0] = layer;
-}
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_tree_addr(
- uint32_t addr[8], uint64_t tree) {
- addr[1] = 0;
- addr[2] = (uint32_t) (tree >> 32);
- addr[3] = (uint32_t) tree;
-}
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_type(
- uint32_t addr[8], uint32_t type) {
- addr[4] = type;
-}
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
-}
-
-/* These functions are used for OTS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair) {
- addr[5] = keypair;
-}
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
- out[5] = in[5];
-}
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_chain_addr(
- uint32_t addr[8], uint32_t chain) {
- addr[6] = chain;
-}
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_hash_addr(
- uint32_t addr[8], uint32_t hash) {
- addr[7] = hash;
-}
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_tree_height(
- uint32_t addr[8], uint32_t tree_height) {
- addr[6] = tree_height;
-}
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_tree_index(
- uint32_t addr[8], uint32_t tree_index) {
- addr[7] = tree_index;
-}
diff --git a/crypto_sign/sphincs-haraka-128f-robust/clean/address.h b/crypto_sign/sphincs-haraka-128f-robust/clean/address.h
deleted file mode 100644
index 5de3f3ce..00000000
--- a/crypto_sign/sphincs-haraka-128f-robust/clean/address.h
+++ /dev/null
@@ -1,50 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDRESS_H
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDRESS_H
-
-#include
-
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_TYPE_WOTS 0
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_TYPE_WOTSPK 1
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_TYPE_HASHTREE 2
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_TYPE_FORSTREE 3
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_TYPE_FORSPK 4
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]);
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_layer_addr(
- uint32_t addr[8], uint32_t layer);
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_tree_addr(
- uint32_t addr[8], uint64_t tree);
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_type(
- uint32_t addr[8], uint32_t type);
-
-/* Copies the layer and tree part of one address into the other */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for WOTS and FORS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair);
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_chain_addr(
- uint32_t addr[8], uint32_t chain);
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_hash_addr(
- uint32_t addr[8], uint32_t hash);
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_tree_height(
- uint32_t addr[8], uint32_t tree_height);
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_tree_index(
- uint32_t addr[8], uint32_t tree_index);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-robust/clean/api.h b/crypto_sign/sphincs-haraka-128f-robust/clean/api.h
deleted file mode 100644
index 24892aaa..00000000
--- a/crypto_sign/sphincs-haraka-128f-robust/clean/api.h
+++ /dev/null
@@ -1,81 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_API_H
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_API_H
-
-#include
-#include
-
-
-
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_CRYPTO_ALGNAME "SPHINCS+"
-
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_CRYPTO_SECRETKEYBYTES 64
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_CRYPTO_PUBLICKEYBYTES 32
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_CRYPTO_BYTES 16976
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_CRYPTO_SEEDBYTES 48
-
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_crypto_sign_seed_keypair(
- uint8_t *pk, uint8_t *sk, const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_crypto_sign_keypair(
- uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-int PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen, const uint8_t *pk);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-robust/clean/fors.c b/crypto_sign/sphincs-haraka-128f-robust/clean/fors.c
deleted file mode 100644
index e3fdf6a6..00000000
--- a/crypto_sign/sphincs-haraka-128f-robust/clean/fors.c
+++ /dev/null
@@ -1,161 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "fors.h" -#include "hash.h" -#include "hash_state.h" -#include "thash.h" -#include "utils.h" - -static void fors_gen_sk(unsigned char *sk, const unsigned char *sk_seed, - uint32_t fors_leaf_addr[8], const hash_state *hash_state_seeded) { - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_prf_addr( - sk, sk_seed, fors_leaf_addr, hash_state_seeded); -} - -static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk, - const unsigned char *pub_seed, - uint32_t fors_leaf_addr[8], - const hash_state *hash_state_seeded) { - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_thash_1( - leaf, sk, pub_seed, fors_leaf_addr, hash_state_seeded); -} - -static void fors_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx, const uint32_t fors_tree_addr[8], - const hash_state *hash_state_seeded) { - uint32_t fors_leaf_addr[8] = {0}; - - /* Only copy the parts that must be kept in fors_leaf_addr. */ - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_copy_keypair_addr( - fors_leaf_addr, fors_tree_addr); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_type( - fors_leaf_addr, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_TYPE_FORSTREE); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_tree_index( - fors_leaf_addr, addr_idx); - - fors_gen_sk(leaf, sk_seed, fors_leaf_addr, hash_state_seeded); - fors_sk_to_leaf(leaf, leaf, pub_seed, fors_leaf_addr, hash_state_seeded); -} - -/** - * Interprets m as PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_HEIGHT-bit unsigned integers. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_TREES bits. - * Assumes indices has space for PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_TREES integers. 
- */ -static void message_to_indices(uint32_t *indices, const unsigned char *m) { - unsigned int i, j; - unsigned int offset = 0; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_TREES; i++) { - indices[i] = 0; - for (j = 0; j < PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_HEIGHT; j++) { - indices[i] ^= (((uint32_t)m[offset >> 3] >> (offset & 0x7)) & 0x1) << j; - offset++; - } - } -} - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_TREES bits. - */ -void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_fors_sign( - unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const unsigned char *sk_seed, const unsigned char *pub_seed, - const uint32_t fors_addr[8], const hash_state *hash_state_seeded) { - uint32_t indices[PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_TREES]; - unsigned char roots[PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N]; - uint32_t fors_tree_addr[8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_copy_keypair_addr( - fors_tree_addr, fors_addr); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_copy_keypair_addr( - fors_pk_addr, fors_addr); - - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_type( - fors_tree_addr, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_TYPE_FORSTREE); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_type( - fors_pk_addr, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_TREES; i++) { - idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_HEIGHT); - - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_tree_height( - fors_tree_addr, 0); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_tree_index( - fors_tree_addr, indices[i] + idx_offset); - - /* Include 
the secret key part that produces the selected leaf node. */ - fors_gen_sk(sig, sk_seed, fors_tree_addr, hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N; - - /* Compute the authentication path for this leaf node. */ - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_treehash_FORS_HEIGHT( - roots + i * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N, sig, sk_seed, pub_seed, - indices[i], idx_offset, fors_gen_leaf, fors_tree_addr, - hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_thash_FORS_TREES( - pk, roots, pub_seed, fors_pk_addr, hash_state_seeded); -} - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_TREES bits. 
- */ -void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_fors_pk_from_sig( - unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const unsigned char *pub_seed, const uint32_t fors_addr[8], - const hash_state *hash_state_seeded) { - uint32_t indices[PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_TREES]; - unsigned char roots[PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N]; - uint32_t fors_tree_addr[8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_copy_keypair_addr(fors_tree_addr, fors_addr); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_copy_keypair_addr(fors_pk_addr, fors_addr); - - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_type(fors_tree_addr, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_TYPE_FORSTREE); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_TREES; i++) { - idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_HEIGHT); - - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_tree_height(fors_tree_addr, 0); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_tree_index(fors_tree_addr, indices[i] + idx_offset); - - /* Derive the leaf from the included secret key part. */ - fors_sk_to_leaf(leaf, sig, pub_seed, fors_tree_addr, hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N; - - /* Derive the corresponding root node of this tree. 
*/ - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_compute_root(roots + i * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N, leaf, indices[i], idx_offset, sig, - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_HEIGHT, pub_seed, fors_tree_addr, hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-128f-robust/clean/fors.h b/crypto_sign/sphincs-haraka-128f-robust/clean/fors.h deleted file mode 100644 index 841087c1..00000000 --- a/crypto_sign/sphincs-haraka-128f-robust/clean/fors.h +++ /dev/null 
@@ -1,32 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_H
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_H
-
-#include
-
-#include "hash_state.h"
-#include "params.h"
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_fors_sign(
- unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- const uint32_t fors_addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_fors_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const unsigned char *pub_seed, const uint32_t fors_addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-robust/clean/haraka.c b/crypto_sign/sphincs-haraka-128f-robust/clean/haraka.c
deleted file mode 100644
index 85808f71..00000000
--- a/crypto_sign/sphincs-haraka-128f-robust/clean/haraka.c
+++ /dev/null
@@ -1,963 +0,0 @@ -/* - * Constant time implementation of the Haraka hash function. - * - * The bit-sliced implementation of the AES round functions are - * based on the AES implementation in BearSSL written - * by Thomas Pornin - */ - -#include -#include -#include -#include - -#include "haraka.h" - -#define HARAKAS_RATE 32 - -static const uint64_t haraka512_rc64[10][8] = { - {0x24cf0ab9086f628b, 0xbdd6eeecc83b8382, 0xd96fb0306cdad0a7, 0xaace082ac8f95f89, 0x449d8e8870d7041f, 0x49bb2f80b2b3e2f8, 0x0569ae98d93bb258, 0x23dc9691e7d6a4b1}, - {0xd8ba10ede0fe5b6e, 0x7ecf7dbe424c7b8e, 0x6ea9949c6df62a31, 0xbf3f3c97ec9c313e, 0x241d03a196a1861e, 0xead3a51116e5a2ea, 0x77d479fcad9574e3, 0x18657a1af894b7a0}, - {0x10671e1a7f595522, 0xd9a00ff675d28c7b, 0x2f1edf0d2b9ba661, 0xb8ff58b8e3de45f9, 0xee29261da9865c02, 0xd1532aa4b50bdf43, 0x8bf858159b231bb1, 0xdf17439d22d4f599}, - {0xdd4b2f0870b918c0, 0x757a81f3b39b1bb6, 0x7a5c556898952e3f, 0x7dd70a16d915d87a, 0x3ae61971982b8301, 0xc3ab319e030412be, 0x17c0033ac094a8cb, 0x5a0630fc1a8dc4ef}, - {0x17708988c1632f73, 0xf92ddae090b44f4f, 0x11ac0285c43aa314, 0x509059941936b8ba, 0xd03e152fa2ce9b69, 0x3fbcbcb63a32998b, 0x6204696d692254f7, 0x915542ed93ec59b4}, - {0xf4ed94aa8879236e, 0xff6cb41cd38e03c0, 0x069b38602368aeab, 0x669495b820f0ddba, 0xf42013b1b8bf9e3d, 0xcf935efe6439734d, 0xbc1dcf42ca29e3f8, 0x7e6d3ed29f78ad67}, - {0xf3b0f6837ffcddaa, 0x3a76faef934ddf41, 0xcec7ae583a9c8e35, 0xe4dd18c68f0260af, 0x2c0e5df1ad398eaa, 0x478df5236ae22e8c, 0xfb944c46fe865f39, 0xaa48f82f028132ba}, - {0x231b9ae2b76aca77, 0x292a76a712db0b40, 0x5850625dc8134491, 0x73137dd469810fb5, 0x8a12a6a202a474fd, 0xd36fd9daa78bdb80, 0xb34c5e733505706f, 0xbaf1cdca818d9d96}, - {0x2e99781335e8c641, 0xbddfe5cce47d560e, 0xf74e9bf32e5e040c, 0x1d7a709d65996be9, 0x670df36a9cf66cdd, 0xd05ef84a176a2875, 0x0f888e828cb1c44e, 0x1a79e9c9727b052c}, - {0x83497348628d84de, 0x2e9387d51f22a754, 0xb000068da2f852d6, 0x378c9e1190fd6fe5, 0x870027c316de7293, 0xe51a9d4462e047bb, 0x90ecf7f8c6251195, 
0x655953bfbed90a9c}, -}; - -static inline uint32_t br_dec32le(const unsigned char *src) { - return (uint32_t)src[0] - | ((uint32_t)src[1] << 8) - | ((uint32_t)src[2] << 16) - | ((uint32_t)src[3] << 24); -} - -static void br_range_dec32le(uint32_t *v, size_t num, const unsigned char *src) { - while (num-- > 0) { - *v ++ = br_dec32le(src); - src += 4; - } -} - -static inline void br_enc32le(unsigned char *dst, uint32_t x) { - dst[0] = (unsigned char)x; - dst[1] = (unsigned char)(x >> 8); - dst[2] = (unsigned char)(x >> 16); - dst[3] = (unsigned char)(x >> 24); -} - - -static void br_range_enc32le(unsigned char *dst, const uint32_t *v, size_t num) { - while (num-- > 0) { - br_enc32le(dst, *v ++); - dst += 4; - } -} - -static void br_aes_ct64_bitslice_Sbox(uint64_t *q) { - /* - * This S-box implementation is a straightforward translation of - * the circuit described by Boyar and Peralta in "A new - * combinational logic minimization technique with applications - * to cryptology" (https://eprint.iacr.org/2009/191.pdf). - * - * Note that variables x* (input) and s* (output) are numbered - * in "reverse" order (x0 is the high bit, x7 is the low bit). 
- */ - - uint64_t x0, x1, x2, x3, x4, x5, x6, x7; - uint64_t y1, y2, y3, y4, y5, y6, y7, y8, y9; - uint64_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19; - uint64_t y20, y21; - uint64_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9; - uint64_t z10, z11, z12, z13, z14, z15, z16, z17; - uint64_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9; - uint64_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19; - uint64_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29; - uint64_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39; - uint64_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49; - uint64_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59; - uint64_t t60, t61, t62, t63, t64, t65, t66, t67; - uint64_t s0, s1, s2, s3, s4, s5, s6, s7; - - x0 = q[7]; - x1 = q[6]; - x2 = q[5]; - x3 = q[4]; - x4 = q[3]; - x5 = q[2]; - x6 = q[1]; - x7 = q[0]; - - /* - * Top linear transformation. - */ - y14 = x3 ^ x5; - y13 = x0 ^ x6; - y9 = x0 ^ x3; - y8 = x0 ^ x5; - t0 = x1 ^ x2; - y1 = t0 ^ x7; - y4 = y1 ^ x3; - y12 = y13 ^ y14; - y2 = y1 ^ x0; - y5 = y1 ^ x6; - y3 = y5 ^ y8; - t1 = x4 ^ y12; - y15 = t1 ^ x5; - y20 = t1 ^ x1; - y6 = y15 ^ x7; - y10 = y15 ^ t0; - y11 = y20 ^ y9; - y7 = x7 ^ y11; - y17 = y10 ^ y11; - y19 = y10 ^ y8; - y16 = t0 ^ y11; - y21 = y13 ^ y16; - y18 = x0 ^ y16; - - /* - * Non-linear section. 
- */ - t2 = y12 & y15; - t3 = y3 & y6; - t4 = t3 ^ t2; - t5 = y4 & x7; - t6 = t5 ^ t2; - t7 = y13 & y16; - t8 = y5 & y1; - t9 = t8 ^ t7; - t10 = y2 & y7; - t11 = t10 ^ t7; - t12 = y9 & y11; - t13 = y14 & y17; - t14 = t13 ^ t12; - t15 = y8 & y10; - t16 = t15 ^ t12; - t17 = t4 ^ t14; - t18 = t6 ^ t16; - t19 = t9 ^ t14; - t20 = t11 ^ t16; - t21 = t17 ^ y20; - t22 = t18 ^ y19; - t23 = t19 ^ y21; - t24 = t20 ^ y18; - - t25 = t21 ^ t22; - t26 = t21 & t23; - t27 = t24 ^ t26; - t28 = t25 & t27; - t29 = t28 ^ t22; - t30 = t23 ^ t24; - t31 = t22 ^ t26; - t32 = t31 & t30; - t33 = t32 ^ t24; - t34 = t23 ^ t33; - t35 = t27 ^ t33; - t36 = t24 & t35; - t37 = t36 ^ t34; - t38 = t27 ^ t36; - t39 = t29 & t38; - t40 = t25 ^ t39; - - t41 = t40 ^ t37; - t42 = t29 ^ t33; - t43 = t29 ^ t40; - t44 = t33 ^ t37; - t45 = t42 ^ t41; - z0 = t44 & y15; - z1 = t37 & y6; - z2 = t33 & x7; - z3 = t43 & y16; - z4 = t40 & y1; - z5 = t29 & y7; - z6 = t42 & y11; - z7 = t45 & y17; - z8 = t41 & y10; - z9 = t44 & y12; - z10 = t37 & y3; - z11 = t33 & y4; - z12 = t43 & y13; - z13 = t40 & y5; - z14 = t29 & y2; - z15 = t42 & y9; - z16 = t45 & y14; - z17 = t41 & y8; - - /* - * Bottom linear transformation. 
- */ - t46 = z15 ^ z16; - t47 = z10 ^ z11; - t48 = z5 ^ z13; - t49 = z9 ^ z10; - t50 = z2 ^ z12; - t51 = z2 ^ z5; - t52 = z7 ^ z8; - t53 = z0 ^ z3; - t54 = z6 ^ z7; - t55 = z16 ^ z17; - t56 = z12 ^ t48; - t57 = t50 ^ t53; - t58 = z4 ^ t46; - t59 = z3 ^ t54; - t60 = t46 ^ t57; - t61 = z14 ^ t57; - t62 = t52 ^ t58; - t63 = t49 ^ t58; - t64 = z4 ^ t59; - t65 = t61 ^ t62; - t66 = z1 ^ t63; - s0 = t59 ^ t63; - s6 = t56 ^ ~t62; - s7 = t48 ^ ~t60; - t67 = t64 ^ t65; - s3 = t53 ^ t66; - s4 = t51 ^ t66; - s5 = t47 ^ t65; - s1 = t64 ^ ~s3; - s2 = t55 ^ ~t67; - - q[7] = s0; - q[6] = s1; - q[5] = s2; - q[4] = s3; - q[3] = s4; - q[2] = s5; - q[1] = s6; - q[0] = s7; -} - -static void br_aes_ct_bitslice_Sbox(uint32_t *q) { - /* - * This S-box implementation is a straightforward translation of - * the circuit described by Boyar and Peralta in "A new - * combinational logic minimization technique with applications - * to cryptology" (https://eprint.iacr.org/2009/191.pdf). - * - * Note that variables x* (input) and s* (output) are numbered - * in "reverse" order (x0 is the high bit, x7 is the low bit). - */ - - uint32_t x0, x1, x2, x3, x4, x5, x6, x7; - uint32_t y1, y2, y3, y4, y5, y6, y7, y8, y9; - uint32_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19; - uint32_t y20, y21; - uint32_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9; - uint32_t z10, z11, z12, z13, z14, z15, z16, z17; - uint32_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9; - uint32_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19; - uint32_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29; - uint32_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39; - uint32_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49; - uint32_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59; - uint32_t t60, t61, t62, t63, t64, t65, t66, t67; - uint32_t s0, s1, s2, s3, s4, s5, s6, s7; - - x0 = q[7]; - x1 = q[6]; - x2 = q[5]; - x3 = q[4]; - x4 = q[3]; - x5 = q[2]; - x6 = q[1]; - x7 = q[0]; - - /* - * Top linear transformation. 
- */ - y14 = x3 ^ x5; - y13 = x0 ^ x6; - y9 = x0 ^ x3; - y8 = x0 ^ x5; - t0 = x1 ^ x2; - y1 = t0 ^ x7; - y4 = y1 ^ x3; - y12 = y13 ^ y14; - y2 = y1 ^ x0; - y5 = y1 ^ x6; - y3 = y5 ^ y8; - t1 = x4 ^ y12; - y15 = t1 ^ x5; - y20 = t1 ^ x1; - y6 = y15 ^ x7; - y10 = y15 ^ t0; - y11 = y20 ^ y9; - y7 = x7 ^ y11; - y17 = y10 ^ y11; - y19 = y10 ^ y8; - y16 = t0 ^ y11; - y21 = y13 ^ y16; - y18 = x0 ^ y16; - - /* - * Non-linear section. - */ - t2 = y12 & y15; - t3 = y3 & y6; - t4 = t3 ^ t2; - t5 = y4 & x7; - t6 = t5 ^ t2; - t7 = y13 & y16; - t8 = y5 & y1; - t9 = t8 ^ t7; - t10 = y2 & y7; - t11 = t10 ^ t7; - t12 = y9 & y11; - t13 = y14 & y17; - t14 = t13 ^ t12; - t15 = y8 & y10; - t16 = t15 ^ t12; - t17 = t4 ^ t14; - t18 = t6 ^ t16; - t19 = t9 ^ t14; - t20 = t11 ^ t16; - t21 = t17 ^ y20; - t22 = t18 ^ y19; - t23 = t19 ^ y21; - t24 = t20 ^ y18; - - t25 = t21 ^ t22; - t26 = t21 & t23; - t27 = t24 ^ t26; - t28 = t25 & t27; - t29 = t28 ^ t22; - t30 = t23 ^ t24; - t31 = t22 ^ t26; - t32 = t31 & t30; - t33 = t32 ^ t24; - t34 = t23 ^ t33; - t35 = t27 ^ t33; - t36 = t24 & t35; - t37 = t36 ^ t34; - t38 = t27 ^ t36; - t39 = t29 & t38; - t40 = t25 ^ t39; - - t41 = t40 ^ t37; - t42 = t29 ^ t33; - t43 = t29 ^ t40; - t44 = t33 ^ t37; - t45 = t42 ^ t41; - z0 = t44 & y15; - z1 = t37 & y6; - z2 = t33 & x7; - z3 = t43 & y16; - z4 = t40 & y1; - z5 = t29 & y7; - z6 = t42 & y11; - z7 = t45 & y17; - z8 = t41 & y10; - z9 = t44 & y12; - z10 = t37 & y3; - z11 = t33 & y4; - z12 = t43 & y13; - z13 = t40 & y5; - z14 = t29 & y2; - z15 = t42 & y9; - z16 = t45 & y14; - z17 = t41 & y8; - - /* - * Bottom linear transformation. 
- */ - t46 = z15 ^ z16; - t47 = z10 ^ z11; - t48 = z5 ^ z13; - t49 = z9 ^ z10; - t50 = z2 ^ z12; - t51 = z2 ^ z5; - t52 = z7 ^ z8; - t53 = z0 ^ z3; - t54 = z6 ^ z7; - t55 = z16 ^ z17; - t56 = z12 ^ t48; - t57 = t50 ^ t53; - t58 = z4 ^ t46; - t59 = z3 ^ t54; - t60 = t46 ^ t57; - t61 = z14 ^ t57; - t62 = t52 ^ t58; - t63 = t49 ^ t58; - t64 = z4 ^ t59; - t65 = t61 ^ t62; - t66 = z1 ^ t63; - s0 = t59 ^ t63; - s6 = t56 ^ ~t62; - s7 = t48 ^ ~t60; - t67 = t64 ^ t65; - s3 = t53 ^ t66; - s4 = t51 ^ t66; - s5 = t47 ^ t65; - s1 = t64 ^ ~s3; - s2 = t55 ^ ~t67; - - q[7] = s0; - q[6] = s1; - q[5] = s2; - q[4] = s3; - q[3] = s4; - q[2] = s5; - q[1] = s6; - q[0] = s7; -} - -static void br_aes_ct_ortho(uint32_t *q) { -#define SWAPN_32(cl, ch, s, x, y) do { \ - uint32_t a, b; \ - a = (x); \ - b = (y); \ - (x) = (a & (uint32_t)(cl)) | ((b & (uint32_t)(cl)) << (s)); \ - (y) = ((a & (uint32_t)(ch)) >> (s)) | (b & (uint32_t)(ch)); \ - } while (0) - -#define SWAP2_32(x, y) SWAPN_32(0x55555555, 0xAAAAAAAA, 1, x, y) -#define SWAP4_32(x, y) SWAPN_32(0x33333333, 0xCCCCCCCC, 2, x, y) -#define SWAP8_32(x, y) SWAPN_32(0x0F0F0F0F, 0xF0F0F0F0, 4, x, y) - - SWAP2_32(q[0], q[1]); - SWAP2_32(q[2], q[3]); - SWAP2_32(q[4], q[5]); - SWAP2_32(q[6], q[7]); - - SWAP4_32(q[0], q[2]); - SWAP4_32(q[1], q[3]); - SWAP4_32(q[4], q[6]); - SWAP4_32(q[5], q[7]); - - SWAP8_32(q[0], q[4]); - SWAP8_32(q[1], q[5]); - SWAP8_32(q[2], q[6]); - SWAP8_32(q[3], q[7]); -} - -static inline void add_round_key32(uint32_t *q, const uint32_t *sk) { - q[0] ^= sk[0]; - q[1] ^= sk[1]; - q[2] ^= sk[2]; - q[3] ^= sk[3]; - q[4] ^= sk[4]; - q[5] ^= sk[5]; - q[6] ^= sk[6]; - q[7] ^= sk[7]; -} - -static inline void shift_rows32(uint32_t *q) { - int i; - - for (i = 0; i < 8; i++) { - uint32_t x; - - x = q[i]; - q[i] = (x & 0x000000FF) - | ((x & 0x0000FC00) >> 2) | ((x & 0x00000300) << 6) - | ((x & 0x00F00000) >> 4) | ((x & 0x000F0000) << 4) - | ((x & 0xC0000000) >> 6) | ((x & 0x3F000000) << 2); - } -} - -static inline uint32_t 
rotr16(uint32_t x) { - return (x << 16) | (x >> 16); -} - -static inline void mix_columns32(uint32_t *q) { - uint32_t q0, q1, q2, q3, q4, q5, q6, q7; - uint32_t r0, r1, r2, r3, r4, r5, r6, r7; - - q0 = q[0]; - q1 = q[1]; - q2 = q[2]; - q3 = q[3]; - q4 = q[4]; - q5 = q[5]; - q6 = q[6]; - q7 = q[7]; - r0 = (q0 >> 8) | (q0 << 24); - r1 = (q1 >> 8) | (q1 << 24); - r2 = (q2 >> 8) | (q2 << 24); - r3 = (q3 >> 8) | (q3 << 24); - r4 = (q4 >> 8) | (q4 << 24); - r5 = (q5 >> 8) | (q5 << 24); - r6 = (q6 >> 8) | (q6 << 24); - r7 = (q7 >> 8) | (q7 << 24); - - q[0] = q7 ^ r7 ^ r0 ^ rotr16(q0 ^ r0); - q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr16(q1 ^ r1); - q[2] = q1 ^ r1 ^ r2 ^ rotr16(q2 ^ r2); - q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr16(q3 ^ r3); - q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr16(q4 ^ r4); - q[5] = q4 ^ r4 ^ r5 ^ rotr16(q5 ^ r5); - q[6] = q5 ^ r5 ^ r6 ^ rotr16(q6 ^ r6); - q[7] = q6 ^ r6 ^ r7 ^ rotr16(q7 ^ r7); -} - -static void br_aes_ct64_ortho(uint64_t *q) { -#define SWAPN(cl, ch, s, x, y) do { \ - uint64_t a, b; \ - a = (x); \ - b = (y); \ - (x) = (a & (uint64_t)(cl)) | ((b & (uint64_t)(cl)) << (s)); \ - (y) = ((a & (uint64_t)(ch)) >> (s)) | (b & (uint64_t)(ch)); \ - } while (0) - -#define SWAP2(x, y) SWAPN(0x5555555555555555, 0xAAAAAAAAAAAAAAAA, 1, x, y) -#define SWAP4(x, y) SWAPN(0x3333333333333333, 0xCCCCCCCCCCCCCCCC, 2, x, y) -#define SWAP8(x, y) SWAPN(0x0F0F0F0F0F0F0F0F, 0xF0F0F0F0F0F0F0F0, 4, x, y) - - SWAP2(q[0], q[1]); - SWAP2(q[2], q[3]); - SWAP2(q[4], q[5]); - SWAP2(q[6], q[7]); - - SWAP4(q[0], q[2]); - SWAP4(q[1], q[3]); - SWAP4(q[4], q[6]); - SWAP4(q[5], q[7]); - - SWAP8(q[0], q[4]); - SWAP8(q[1], q[5]); - SWAP8(q[2], q[6]); - SWAP8(q[3], q[7]); -} - - -static void br_aes_ct64_interleave_in(uint64_t *q0, uint64_t *q1, const uint32_t *w) { - uint64_t x0, x1, x2, x3; - - x0 = w[0]; - x1 = w[1]; - x2 = w[2]; - x3 = w[3]; - x0 |= (x0 << 16); - x1 |= (x1 << 16); - x2 |= (x2 << 16); - x3 |= (x3 << 16); - x0 &= (uint64_t)0x0000FFFF0000FFFF; - x1 &= 
(uint64_t)0x0000FFFF0000FFFF; - x2 &= (uint64_t)0x0000FFFF0000FFFF; - x3 &= (uint64_t)0x0000FFFF0000FFFF; - x0 |= (x0 << 8); - x1 |= (x1 << 8); - x2 |= (x2 << 8); - x3 |= (x3 << 8); - x0 &= (uint64_t)0x00FF00FF00FF00FF; - x1 &= (uint64_t)0x00FF00FF00FF00FF; - x2 &= (uint64_t)0x00FF00FF00FF00FF; - x3 &= (uint64_t)0x00FF00FF00FF00FF; - *q0 = x0 | (x2 << 8); - *q1 = x1 | (x3 << 8); -} - - -static void br_aes_ct64_interleave_out(uint32_t *w, uint64_t q0, uint64_t q1) { - uint64_t x0, x1, x2, x3; - - x0 = q0 & (uint64_t)0x00FF00FF00FF00FF; - x1 = q1 & (uint64_t)0x00FF00FF00FF00FF; - x2 = (q0 >> 8) & (uint64_t)0x00FF00FF00FF00FF; - x3 = (q1 >> 8) & (uint64_t)0x00FF00FF00FF00FF; - x0 |= (x0 >> 8); - x1 |= (x1 >> 8); - x2 |= (x2 >> 8); - x3 |= (x3 >> 8); - x0 &= (uint64_t)0x0000FFFF0000FFFF; - x1 &= (uint64_t)0x0000FFFF0000FFFF; - x2 &= (uint64_t)0x0000FFFF0000FFFF; - x3 &= (uint64_t)0x0000FFFF0000FFFF; - w[0] = (uint32_t)x0 | (uint32_t)(x0 >> 16); - w[1] = (uint32_t)x1 | (uint32_t)(x1 >> 16); - w[2] = (uint32_t)x2 | (uint32_t)(x2 >> 16); - w[3] = (uint32_t)x3 | (uint32_t)(x3 >> 16); -} - -static inline void add_round_key(uint64_t *q, const uint64_t *sk) { - q[0] ^= sk[0]; - q[1] ^= sk[1]; - q[2] ^= sk[2]; - q[3] ^= sk[3]; - q[4] ^= sk[4]; - q[5] ^= sk[5]; - q[6] ^= sk[6]; - q[7] ^= sk[7]; -} - -static inline void shift_rows(uint64_t *q) { - int i; - - for (i = 0; i < 8; i++) { - uint64_t x; - - x = q[i]; - q[i] = (x & (uint64_t)0x000000000000FFFF) - | ((x & (uint64_t)0x00000000FFF00000) >> 4) - | ((x & (uint64_t)0x00000000000F0000) << 12) - | ((x & (uint64_t)0x0000FF0000000000) >> 8) - | ((x & (uint64_t)0x000000FF00000000) << 8) - | ((x & (uint64_t)0xF000000000000000) >> 12) - | ((x & (uint64_t)0x0FFF000000000000) << 4); - } -} - -static inline uint64_t rotr32(uint64_t x) { - return (x << 32) | (x >> 32); -} - -static inline void mix_columns(uint64_t *q) { - uint64_t q0, q1, q2, q3, q4, q5, q6, q7; - uint64_t r0, r1, r2, r3, r4, r5, r6, r7; - - q0 = q[0]; - q1 = q[1]; - 
q2 = q[2]; - q3 = q[3]; - q4 = q[4]; - q5 = q[5]; - q6 = q[6]; - q7 = q[7]; - r0 = (q0 >> 16) | (q0 << 48); - r1 = (q1 >> 16) | (q1 << 48); - r2 = (q2 >> 16) | (q2 << 48); - r3 = (q3 >> 16) | (q3 << 48); - r4 = (q4 >> 16) | (q4 << 48); - r5 = (q5 >> 16) | (q5 << 48); - r6 = (q6 >> 16) | (q6 << 48); - r7 = (q7 >> 16) | (q7 << 48); - - q[0] = q7 ^ r7 ^ r0 ^ rotr32(q0 ^ r0); - q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr32(q1 ^ r1); - q[2] = q1 ^ r1 ^ r2 ^ rotr32(q2 ^ r2); - q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr32(q3 ^ r3); - q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr32(q4 ^ r4); - q[5] = q4 ^ r4 ^ r5 ^ rotr32(q5 ^ r5); - q[6] = q5 ^ r5 ^ r6 ^ rotr32(q6 ^ r6); - q[7] = q6 ^ r6 ^ r7 ^ rotr32(q7 ^ r7); -} - -static void interleave_constant(uint64_t *out, const unsigned char *in) { - uint32_t tmp_32_constant[16]; - int i; - - br_range_dec32le(tmp_32_constant, 16, in); - for (i = 0; i < 4; i++) { - br_aes_ct64_interleave_in(&out[i], &out[i + 4], tmp_32_constant + (i << 2)); - } - br_aes_ct64_ortho(out); -} - -static void interleave_constant32(uint32_t *out, const unsigned char *in) { - int i; - for (i = 0; i < 4; i++) { - out[2 * i] = br_dec32le(in + 4 * i); - out[2 * i + 1] = br_dec32le(in + 4 * i + 16); - } - br_aes_ct_ortho(out); -} - -void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_tweak_constants( - harakactx *state, - const unsigned char *pk_seed, const unsigned char *sk_seed, - unsigned long long seed_length) { - unsigned char buf[40 * 16]; - int i; - - /* Use the standard constants to generate tweaked ones. 
*/ - memcpy((uint8_t *)state->tweaked512_rc64, (uint8_t *)haraka512_rc64, 40 * 16); - - /* Constants for sk.seed */ - if (sk_seed != NULL) { - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S( - buf, 40 * 16, sk_seed, seed_length, state); - - /* Interleave constants */ - for (i = 0; i < 10; i++) { - interleave_constant32(state->tweaked256_rc32_sseed[i], buf + 32 * i); - } - } - - /* Constants for pk.seed */ - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S( - buf, 40 * 16, pk_seed, seed_length, state); - for (i = 0; i < 10; i++) { - interleave_constant32(state->tweaked256_rc32[i], buf + 32 * i); - interleave_constant(state->tweaked512_rc64[i], buf + 64 * i); - } -} - -static void haraka_S_absorb(unsigned char *s, - const unsigned char *m, unsigned long long mlen, - unsigned char p, const harakactx *state) { - unsigned long long i; - unsigned char t[HARAKAS_RATE]; - - while (mlen >= HARAKAS_RATE) { - /* XOR block to state */ - for (i = 0; i < HARAKAS_RATE; ++i) { - s[i] ^= m[i]; - } - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka512_perm(s, s, state); - mlen -= HARAKAS_RATE; - m += HARAKAS_RATE; - } - - for (i = 0; i < HARAKAS_RATE; ++i) { - t[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t[i] = m[i]; - } - t[i] = p; - t[HARAKAS_RATE - 1] |= 128; - for (i = 0; i < HARAKAS_RATE; ++i) { - s[i] ^= t[i]; - } -} - -static void haraka_S_squeezeblocks(unsigned char *h, unsigned long long nblocks, - unsigned char *s, const harakactx *state) { - while (nblocks > 0) { - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka512_perm(s, s, state); - memcpy(h, s, HARAKAS_RATE); - h += HARAKAS_RATE; - nblocks--; - } -} - -void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S_inc_init(uint8_t *s_inc) { - size_t i; - - for (i = 0; i < 64; i++) { - s_inc[i] = 0; - } - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state) { - size_t i; - - /* Recall that s_inc[64] is the non-absorbed bytes xored into 
the state */ - while (mlen + s_inc[64] >= HARAKAS_RATE) { - for (i = 0; i < (size_t)(HARAKAS_RATE - s_inc[64]); i++) { - /* Take the i'th byte from message - xor with the s_inc[64] + i'th byte of the state */ - s_inc[s_inc[64] + i] ^= m[i]; - } - mlen -= (size_t)(HARAKAS_RATE - s_inc[64]); - m += HARAKAS_RATE - s_inc[64]; - s_inc[64] = 0; - - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka512_perm(s_inc, s_inc, state); - } - - for (i = 0; i < mlen; i++) { - s_inc[s_inc[64] + i] ^= m[i]; - } - s_inc[64] = (uint8_t)(mlen + s_inc[64]); -} - -void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S_inc_finalize(uint8_t *s_inc) { - /* After haraka_S_inc_absorb, we are guaranteed that s_inc[64] < HARAKAS_RATE, - so we can always use one more byte for p in the current state. */ - s_inc[s_inc[64]] ^= 0x1F; - s_inc[HARAKAS_RATE - 1] ^= 128; - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state) { - uint8_t i; - - /* First consume any bytes we still have sitting around */ - for (i = 0; i < outlen && i < s_inc[64]; i++) { - /* There are s_inc[64] bytes left, so r - s_inc[64] is the first - available byte. We consume from there, i.e., up to r. 
*/ - out[i] = s_inc[(HARAKAS_RATE - s_inc[64] + i)]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(s_inc[64] - i); - - /* Then squeeze the remaining necessary blocks */ - while (outlen > 0) { - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka512_perm(s_inc, s_inc, state); - - for (i = 0; i < outlen && i < HARAKAS_RATE; i++) { - out[i] = s_inc[i]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(HARAKAS_RATE - i); - } -} - -void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S(unsigned char *out, unsigned long long outlen, const unsigned char *in, unsigned long long inlen, const harakactx *state) { - unsigned long long i; - unsigned char s[64]; - unsigned char d[32]; - - for (i = 0; i < 64; i++) { - s[i] = 0; - } - haraka_S_absorb(s, in, inlen, 0x1F, state); - - haraka_S_squeezeblocks(out, outlen / 32, s, state); - out += (outlen / 32) * 32; - - if (outlen % 32) { - haraka_S_squeezeblocks(d, 1, s, state); - for (i = 0; i < outlen % 32; i++) { - out[i] = d[i]; - } - } -} - -void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state) { - uint32_t w[16]; - uint64_t q[8], tmp_q; - unsigned int i, j; - - br_range_dec32le(w, 16, in); - for (i = 0; i < 4; i++) { - br_aes_ct64_interleave_in(&q[i], &q[i + 4], w + (i << 2)); - } - br_aes_ct64_ortho(q); - - /* AES rounds */ - for (i = 0; i < 5; i++) { - for (j = 0; j < 2; j++) { - br_aes_ct64_bitslice_Sbox(q); - shift_rows(q); - mix_columns(q); - add_round_key(q, state->tweaked512_rc64[2 * i + j]); - } - /* Mix states */ - for (j = 0; j < 8; j++) { - tmp_q = q[j]; - q[j] = (tmp_q & 0x0001000100010001) << 5 | - (tmp_q & 0x0002000200020002) << 12 | - (tmp_q & 0x0004000400040004) >> 1 | - (tmp_q & 0x0008000800080008) << 6 | - (tmp_q & 0x0020002000200020) << 9 | - (tmp_q & 0x0040004000400040) >> 4 | - (tmp_q & 0x0080008000800080) << 3 | - (tmp_q & 0x2100210021002100) >> 5 | - (tmp_q & 0x0210021002100210) << 2 | - (tmp_q & 0x0800080008000800) << 4 | - 
(tmp_q & 0x1000100010001000) >> 12 | - (tmp_q & 0x4000400040004000) >> 10 | - (tmp_q & 0x8400840084008400) >> 3; - } - } - - br_aes_ct64_ortho(q); - for (i = 0; i < 4; i ++) { - br_aes_ct64_interleave_out(w + (i << 2), q[i], q[i + 4]); - } - br_range_enc32le(out, w, 16); -} - -void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state) { - int i; - - unsigned char buf[64]; - - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka512_perm(buf, in, state); - /* Feed-forward */ - for (i = 0; i < 64; i++) { - buf[i] = buf[i] ^ in[i]; - } - - /* Truncated */ - memcpy(out, buf + 8, 8); - memcpy(out + 8, buf + 24, 8); - memcpy(out + 16, buf + 32, 8); - memcpy(out + 24, buf + 48, 8); -} - - -void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state) { - uint32_t q[8], tmp_q; - int i, j; - - for (i = 0; i < 4; i++) { - q[2 * i] = br_dec32le(in + 4 * i); - q[2 * i + 1] = br_dec32le(in + 4 * i + 16); - } - br_aes_ct_ortho(q); - - /* AES rounds */ - for (i = 0; i < 5; i++) { - for (j = 0; j < 2; j++) { - br_aes_ct_bitslice_Sbox(q); - shift_rows32(q); - mix_columns32(q); - add_round_key32(q, state->tweaked256_rc32[2 * i + j]); - } - - /* Mix states */ - for (j = 0; j < 8; j++) { - tmp_q = q[j]; - q[j] = (tmp_q & 0x81818181) | - (tmp_q & 0x02020202) << 1 | - (tmp_q & 0x04040404) << 2 | - (tmp_q & 0x08080808) << 3 | - (tmp_q & 0x10101010) >> 3 | - (tmp_q & 0x20202020) >> 2 | - (tmp_q & 0x40404040) >> 1; - } - } - - br_aes_ct_ortho(q); - for (i = 0; i < 4; i++) { - br_enc32le(out + 4 * i, q[2 * i]); - br_enc32le(out + 4 * i + 16, q[2 * i + 1]); - } - - for (i = 0; i < 32; i++) { - out[i] ^= in[i]; - } -} - -void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state) { - uint32_t q[8], tmp_q; - int i, j; - - for (i = 0; i < 4; i++) { - q[2 * i] = br_dec32le(in + 4 * i); - q[2 * i + 1] = br_dec32le(in + 4 
* i + 16); - } - br_aes_ct_ortho(q); - - /* AES rounds */ - for (i = 0; i < 5; i++) { - for (j = 0; j < 2; j++) { - br_aes_ct_bitslice_Sbox(q); - shift_rows32(q); - mix_columns32(q); - add_round_key32(q, state->tweaked256_rc32_sseed[2 * i + j]); - } - - /* Mix states */ - for (j = 0; j < 8; j++) { - tmp_q = q[j]; - q[j] = (tmp_q & 0x81818181) | - (tmp_q & 0x02020202) << 1 | - (tmp_q & 0x04040404) << 2 | - (tmp_q & 0x08080808) << 3 | - (tmp_q & 0x10101010) >> 3 | - (tmp_q & 0x20202020) >> 2 | - (tmp_q & 0x40404040) >> 1; - } - } - - br_aes_ct_ortho(q); - for (i = 0; i < 4; i++) { - br_enc32le(out + 4 * i, q[2 * i]); - br_enc32le(out + 4 * i + 16, q[2 * i + 1]); - } - - for (i = 0; i < 32; i++) { - out[i] ^= in[i]; - } -} diff --git a/crypto_sign/sphincs-haraka-128f-robust/clean/haraka.h b/crypto_sign/sphincs-haraka-128f-robust/clean/haraka.h deleted file mode 100644 index 68db29ff..00000000 --- a/crypto_sign/sphincs-haraka-128f-robust/clean/haraka.h +++ /dev/null 
@@ -1,40 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_HARAKA_H
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_HARAKA_H
-
-#include
-#include
-
-typedef struct {
- uint64_t tweaked512_rc64[10][8];
- uint32_t tweaked256_rc32[10][8];
- uint32_t tweaked256_rc32_sseed[10][8];
-} harakactx;
-
-/* Tweak constants with seed */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length);
-
-/* Haraka Sponge */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S_inc_init(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S_inc_finalize(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S(
- unsigned char *out, unsigned long long outlen,
- const unsigned char *in, unsigned long long inlen, const harakactx *state);
-
-/* Applies the 512-bit Haraka permutation to in. */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-512 */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 using sk.seed constants */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-robust/clean/hash.h b/crypto_sign/sphincs-haraka-128f-robust/clean/hash.h
deleted file mode 100644
index f7c1f53a..00000000
--- a/crypto_sign/sphincs-haraka-128f-robust/clean/hash.h
+++ /dev/null
@@ -1,31 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_HASH_H
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_HASH_H
-
-#include "hash_state.h"
-
-#include
-#include
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed);
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_destroy_hash_function(hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-robust/clean/hash_haraka.c b/crypto_sign/sphincs-haraka-128f-robust/clean/hash_haraka.c
deleted file mode 100644
index 325b54ff..00000000
--- a/crypto_sign/sphincs-haraka-128f-robust/clean/hash_haraka.c
+++ /dev/null
@@ -1,96 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "hash.h" -#include "params.h" -#include "utils.h" - -void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_initialize_hash_function( - hash_state *hash_state_seeded, - const unsigned char *pub_seed, const unsigned char *sk_seed) { - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_tweak_constants(hash_state_seeded, pub_seed, sk_seed, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N); -} - -/* The haraka implementation is stack based and won't be replaced in PQClean/OQS, - so we don't need to do anything */ -void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_destroy_hash_function( - hash_state *hash_state_seeded) { // NOLINT(readability-non-const-parameter) - (void)hash_state_seeded; -} - -/* - * Computes PRF(key, addr), given a secret key of PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N bytes and an address - */ -void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_prf_addr( - unsigned char *out, const unsigned char *key, const uint32_t addr[8], - const hash_state *hash_state_seeded) { - unsigned char buf[PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_BYTES]; - /* Since PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N may be smaller than 32, we need a temporary buffer. */ - unsigned char outbuf[32]; - - (void)key; /* Suppress an 'unused parameter' warning. */ - - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_addr_to_bytes(buf, addr); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka256_sk(outbuf, buf, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N); -} - -/** - * Computes the message-dependent randomness R, using a secret seed and an - * optional randomization value as well as the message. 
- */ -void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_gen_message_random( - unsigned char *R, - const unsigned char *sk_prf, const unsigned char *optrand, - const unsigned char *m, size_t mlen, - const hash_state *hash_state_seeded) { - uint8_t s_inc[65]; - - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S_inc_init(s_inc); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, sk_prf, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, optrand, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S_inc_finalize(s_inc); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S_inc_squeeze(R, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N, s_inc, hash_state_seeded); -} - -/** - * Computes the message hash using R, the public key, and the message. - * Outputs the message digest and the index of the leaf. The index is split in - * the tree index and the leaf index, for convenient copying to an address. 
- */ -void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_hash_message( - unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx, - const unsigned char *R, const unsigned char *pk, - const unsigned char *m, size_t mlen, - const hash_state *hash_state_seeded) { -#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_TREE_BITS (PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_TREE_HEIGHT * (PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_D - 1)) -#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_TREE_BYTES ((PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_TREE_BITS + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_LEAF_BITS PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_TREE_HEIGHT -#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_LEAF_BYTES ((PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_LEAF_BITS + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_DGST_BYTES (PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_MSG_BYTES + PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_TREE_BYTES + PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_LEAF_BYTES) - - unsigned char buf[PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_DGST_BYTES]; - unsigned char *bufp = buf; - uint8_t s_inc[65]; - - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S_inc_init(s_inc); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, R, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, pk + PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S_inc_finalize(s_inc); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S_inc_squeeze(buf, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_DGST_BYTES, s_inc, hash_state_seeded); - - memcpy(digest, bufp, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_MSG_BYTES); - bufp += PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_MSG_BYTES; - - *tree = PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_bytes_to_ull(bufp, 
PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_TREE_BYTES);
- *tree &= (~(uint64_t)0) >> (64 - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_TREE_BITS);
- bufp += PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_TREE_BYTES;
-
- *leaf_idx = (uint32_t)PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_bytes_to_ull(
- bufp, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_LEAF_BYTES);
- *leaf_idx &= (~(uint32_t)0) >> (32 - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_LEAF_BITS);
-}
diff --git a/crypto_sign/sphincs-haraka-128f-robust/clean/hash_state.h b/crypto_sign/sphincs-haraka-128f-robust/clean/hash_state.h
deleted file mode 100644
index 5adb1d9a..00000000
--- a/crypto_sign/sphincs-haraka-128f-robust/clean/hash_state.h
+++ /dev/null
@@ -1,26 +0,0 @@
-#ifndef SPX_HASH_STATE_H
-#define SPX_HASH_STATE_H
-
-/**
- * Defines the type of the hash function state.
- *
- * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
- *
- * From Section 7.2.2 from the SPHINCS+ round-2 specification:
- *
- * Each of the instances of the tweakable hash function take PK.seed as its
- * first input, which is constant for a given key pair – and, thus, across
- * a single signature. This leads to a lot of redundant computation. To remedy
- * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
- * Because of the Merkle-Damgård construction that underlies SHA-256, this
- * allows for reuse of the intermediate SHA-256 state after the initial call to
- * the compression function which improves performance.
- *
- * We pass this hash state around in functions, because otherwise we need to
- * have a global variable.
- */
-
-#include "haraka.h"
-#define hash_state harakactx
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-robust/clean/params.h b/crypto_sign/sphincs-haraka-128f-robust/clean/params.h
deleted file mode 100644
index 71b94519..00000000
--- a/crypto_sign/sphincs-haraka-128f-robust/clean/params.h
+++ /dev/null
@@ -1,53 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_PARAMS_H -#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_PARAMS_H - -/* Hash output length in bytes. */ -#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N 16 -/* Height of the hypertree. */ -#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FULL_HEIGHT 60 -/* Number of subtree layer. */ -#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_D 20 -/* FORS tree dimensions. */ -#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_HEIGHT 9 -#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_TREES 30 -/* Winternitz parameter, */ -#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_W 16 - -/* The hash function is defined by linking a different hash.c file, as opposed - to setting a #define constant. */ - -/* For clarity */ -#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_BYTES 32 - -/* WOTS parameters. */ -#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_LOGW 4 - -#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_LEN1 (8 * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N / PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_LOGW) - -/* PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */ -#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_LEN2 3 - -#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_LEN (PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_LEN1 + PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_LEN2) -#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_BYTES (PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_LEN * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N) -#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_PK_BYTES PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_BYTES - -/* Subtree size. */ -#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_TREE_HEIGHT (PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FULL_HEIGHT / PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_D) - -/* FORS parameters. 
*/ -#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_MSG_BYTES ((PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_TREES + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_BYTES ((PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_HEIGHT + 1) * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N) -#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_PK_BYTES PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N - -/* Resulting SPX sizes. */ -#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_BYTES (PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N + PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_BYTES + PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_D * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_BYTES +\ - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FULL_HEIGHT * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N) -#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_PK_BYTES (2 * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N) -#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_SK_BYTES (2 * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N + PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_PK_BYTES) - -/* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. */ -#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_OPTRAND_BYTES 32 - -#endif diff --git a/crypto_sign/sphincs-haraka-128f-robust/clean/sign.c b/crypto_sign/sphincs-haraka-128f-robust/clean/sign.c deleted file mode 100644 index 635c3b9b..00000000 --- a/crypto_sign/sphincs-haraka-128f-robust/clean/sign.c +++ /dev/null 
@@ -1,356 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "api.h" -#include "fors.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "randombytes.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - -/** - * Computes the leaf at a given address. First generates the WOTS key pair, - * then computes leaf by hashing horizontally. - */ -static void wots_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx, const uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - unsigned char pk[PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_BYTES]; - uint32_t wots_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_TYPE_WOTSPK); - - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_keypair_addr( - wots_addr, addr_idx); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_wots_gen_pk( - pk, sk_seed, pub_seed, wots_addr, hash_state_seeded); - - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_copy_keypair_addr( - wots_pk_addr, wots_addr); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_thash_WOTS_LEN( - leaf, pk, pub_seed, wots_pk_addr, hash_state_seeded); -} - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_crypto_sign_secretkeybytes(void) { - return PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_CRYPTO_SECRETKEYBYTES; -} - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_crypto_sign_publickeybytes(void) { - return PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_CRYPTO_PUBLICKEYBYTES; -} - -/* - * Returns the length of a signature, in bytes - */ -size_t 
PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_crypto_sign_bytes(void) { - return PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_CRYPTO_BYTES; -} - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_crypto_sign_seedbytes(void) { - return PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_CRYPTO_SEEDBYTES; -} - -/* - * Generates an SPX key pair given a seed of length - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_crypto_sign_seed_keypair( - uint8_t *pk, uint8_t *sk, const uint8_t *seed) { - /* We do not need the auth path in key generation, but it simplifies the - code to have just one treehash routine that computes both root and path - in one function. */ - unsigned char auth_path[PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N]; - uint32_t top_tree_addr[8] = {0}; - hash_state hash_state_seeded; - - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_layer_addr( - top_tree_addr, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_D - 1); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_type( - top_tree_addr, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_TYPE_HASHTREE); - - /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */ - memcpy(sk, seed, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_CRYPTO_SEEDBYTES); - - memcpy(pk, sk + 2 * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_initialize_hash_function(&hash_state_seeded, pk, sk); - - /* Compute root node of the top-most subtree. 
*/ - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_treehash_TREE_HEIGHT( - sk + 3 * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N, auth_path, sk, sk + 2 * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N, 0, 0, - wots_gen_leaf, top_tree_addr, &hash_state_seeded); - - memcpy(pk + PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N, sk + 3 * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N); - - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_destroy_hash_function(&hash_state_seeded); - return 0; -} - -/* - * Generates an SPX key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk) { - unsigned char seed[PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_CRYPTO_SEEDBYTES]; - randombytes(seed, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_CRYPTO_SEEDBYTES); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_crypto_sign_seed_keypair( - pk, sk, seed); - - return 0; -} - -/** - * Returns an array containing a detached signature. - */ -int PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - const unsigned char *sk_seed = sk; - const unsigned char *sk_prf = sk + PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N; - const unsigned char *pk = sk + 2 * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N; - const unsigned char *pub_seed = pk; - - unsigned char optrand[PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N]; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_MSG_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N]; - uint32_t i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - - hash_state hash_state_seeded; - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_initialize_hash_function( - &hash_state_seeded, - pub_seed, sk_seed); - - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_TYPE_HASHTREE); - - /* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. */ - randombytes(optrand, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N); - /* Compute the digest randomization value. */ - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_gen_message_random( - sig, sk_prf, optrand, m, mlen, &hash_state_seeded); - - /* Derive the message digest and leaf index from R, PK and M. */ - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N; - - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - /* Sign the message hash using FORS. */ - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_fors_sign( - sig, root, mhash, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_BYTES; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_D; i++) { - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - /* Compute a WOTS signature. 
*/ - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_wots_sign( - sig, root, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_BYTES; - - /* Compute the authentication path for the used WOTS leaf. */ - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_treehash_TREE_HEIGHT( - root, sig, sk_seed, pub_seed, idx_leaf, 0, - wots_gen_leaf, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_TREE_HEIGHT; - } - - *siglen = PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_BYTES; - - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_destroy_hash_function(&hash_state_seeded); - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - const unsigned char *pub_seed = pk; - const unsigned char *pub_root = pk + PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_MSG_BYTES]; - unsigned char wots_pk[PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N]; - unsigned int i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - hash_state hash_state_seeded; - - if (siglen != PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_BYTES) { - return -1; - } - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_initialize_hash_function( - &hash_state_seeded, - pub_seed, NULL); - - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_TYPE_HASHTREE); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_TYPE_WOTSPK); - - /* Derive the message digest and leaf index from R || PK || M. */ - /* The additional PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N is a result of the hash domain separator. */ - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N; - - /* Layer correctly defaults to 0, so no need to set_layer_addr */ - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_fors_pk_from_sig( - root, sig, mhash, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_BYTES; - - /* For each subtree.. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_D; i++) { - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_copy_keypair_addr( - wots_pk_addr, wots_addr); - - /* The WOTS public key is only correct if the signature was correct. */ - /* Initially, root is the FORS pk, but on subsequent iterations it is - the root of the subtree below the currently processed subtree. 
*/ - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_wots_pk_from_sig( - wots_pk, sig, root, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_BYTES; - - /* Compute the leaf node using the WOTS public key. */ - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_thash_WOTS_LEN( - leaf, wots_pk, pub_seed, wots_pk_addr, &hash_state_seeded); - - /* Compute the root node of this subtree. */ - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_compute_root( - root, leaf, idx_leaf, 0, sig, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_TREE_HEIGHT, - pub_seed, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_TREE_HEIGHT; - } - - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_destroy_hash_function(&hash_state_seeded); - /* Check if the root node equals the root node in the public key. */ - if (memcmp(root, pub_root, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N) != 0) { - return -1; - } - - return 0; -} - - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - size_t siglen; - - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_crypto_sign_signature( - sm, &siglen, m, mlen, sk); - - memmove(sm + PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_BYTES, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. 
- */ -int PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk) { - /* The API caller does not necessarily know what size a signature should be - but SPHINCS+ signatures are always exactly PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_BYTES. */ - if (smlen < PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_BYTES) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_BYTES; - - if (PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_crypto_sign_verify( - sm, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_BYTES, sm + PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_BYTES, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_BYTES, *mlen); - - return 0; -} diff --git a/crypto_sign/sphincs-haraka-128f-robust/clean/thash.h b/crypto_sign/sphincs-haraka-128f-robust/clean/thash.h deleted file mode 100644 index 21eaec4a..00000000 --- a/crypto_sign/sphincs-haraka-128f-robust/clean/thash.h +++ /dev/null 
@@ -1,28 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_THASH_H
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_THASH_H
-
-#include "hash_state.h"
-
-#include
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_thash_1(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_thash_2(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_thash_WOTS_LEN(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_thash_FORS_TREES(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-robust/clean/thash_haraka_robust.c b/crypto_sign/sphincs-haraka-128f-robust/clean/thash_haraka_robust.c
deleted file mode 100644
index 2c458a4a..00000000
--- a/crypto_sign/sphincs-haraka-128f-robust/clean/thash_haraka_robust.c
+++ /dev/null
@@ -1,94 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" - -#include "haraka.h" - -/** - * Takes an array of inblocks concatenated arrays of PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N bytes. - */ -static void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_thash( - unsigned char *out, unsigned char *buf, - const unsigned char *in, unsigned int inblocks, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char *bitmask = buf + PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_BYTES; - unsigned char outbuf[32]; - unsigned char buf_tmp[64]; - unsigned int i; - - (void)pub_seed; /* Suppress an 'unused parameter' warning. */ - - if (inblocks == 1) { - /* F function */ - /* Since PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N may be smaller than 32, we need a temporary buffer. */ - memset(buf_tmp, 0, 64); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_addr_to_bytes(buf_tmp, addr); - - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka256(outbuf, buf_tmp, hash_state_seeded); - for (i = 0; i < inblocks * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N; i++) { - buf_tmp[PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_BYTES + i] = in[i] ^ outbuf[i]; - } - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka512(outbuf, buf_tmp, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N); - } else { - /* All other tweakable hashes*/ - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_addr_to_bytes(buf, addr); - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S( - bitmask, inblocks * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N, buf, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_BYTES, hash_state_seeded); - - for (i = 0; i < inblocks * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N; i++) { - buf[PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_BYTES + i] = in[i] ^ bitmask[i]; - } - - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_haraka_S( - out, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N, buf, 
PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_BYTES + inblocks * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N, hash_state_seeded); - } -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_BYTES + 1 * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_thash( - out, buf, in, 1, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_BYTES + 2 * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_thash( - out, buf, in, 2, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_LEN * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_thash( - out, buf, in, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_LEN, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_thash( - out, buf, in, 
PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_TREES, pub_seed, addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-128f-robust/clean/utils.c b/crypto_sign/sphincs-haraka-128f-robust/clean/utils.c deleted file mode 100644 index 99e0fc24..00000000 --- a/crypto_sign/sphincs-haraka-128f-robust/clean/utils.c +++ /dev/null 
@@ -1,199 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "hash.h"
-#include "hash_state.h"
-#include "params.h"
-#include "thash.h"
-#include "utils.h"
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ull_to_bytes(
- unsigned char *out, size_t outlen, unsigned long long in) {
-
- /* Iterate over out in decreasing order, for big-endianness. */
- for (size_t i = outlen; i > 0; i--) {
- out[i - 1] = in & 0xff;
- in = in >> 8;
- }
-}
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-unsigned long long PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_bytes_to_ull(
- const unsigned char *in, size_t inlen) {
- unsigned long long retval = 0;
-
- for (size_t i = 0; i < inlen; i++) {
- retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i));
- }
- return retval;
-}
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_compute_root(
- unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- uint32_t i;
- unsigned char buffer[2 * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N];
-
- /* If leaf_idx is odd (last bit = 1), current path element is a right child
- and auth_path has to go left. Otherwise it is the other way around. */
- if (leaf_idx & 1) {
- memcpy(buffer + PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N, leaf, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N);
- memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N);
- } else {
- memcpy(buffer, leaf, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N);
- memcpy(buffer + PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N, auth_path, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N);
- }
- auth_path += PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N;
-
- for (i = 0; i < tree_height - 1; i++) {
- leaf_idx >>= 1;
- idx_offset >>= 1;
- /* Set the address of the node we're creating. */
- PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_tree_height(addr, i + 1);
- PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_tree_index(
- addr, leaf_idx + idx_offset);
-
- /* Pick the right or left neighbor, depending on parity of the node. */
- if (leaf_idx & 1) {
- PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_thash_2(
- buffer + PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N, buffer, pub_seed, addr, hash_state_seeded);
- memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N);
- } else {
- PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_thash_2(
- buffer, buffer, pub_seed, addr, hash_state_seeded);
- memcpy(buffer + PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N, auth_path, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N);
- }
- auth_path += PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N;
- }
-
- /* The last iteration is exceptional; we do not copy an auth_path node. */
- leaf_idx >>= 1;
- idx_offset >>= 1;
- PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_tree_height(addr, tree_height);
- PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_tree_index(
- addr, leaf_idx + idx_offset);
- PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_thash_2(
- root, buffer, pub_seed, addr, hash_state_seeded);
-}
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-static void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_treehash(
- unsigned char *root, unsigned char *auth_path,
- unsigned char *stack, unsigned int *heights,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned int offset = 0;
- uint32_t idx;
- uint32_t tree_idx;
-
- for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) {
- /* Add the next leaf node to the stack. */
- gen_leaf(stack + offset * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N,
- sk_seed, pub_seed, idx + idx_offset, tree_addr,
- hash_state_seeded);
- offset++;
- heights[offset - 1] = 0;
-
- /* If this is a node we need for the auth path.. */
- if ((leaf_idx ^ 0x1) == idx) {
- memcpy(auth_path, stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N);
- }
-
- /* While the top-most nodes are of equal height.. */
- while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) {
- /* Compute index of the new node, in the next layer. */
- tree_idx = (idx >> (heights[offset - 1] + 1));
-
- /* Set the address of the node we're creating. */
- PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_tree_height(
- tree_addr, heights[offset - 1] + 1);
- PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_tree_index(
- tree_addr, tree_idx + (idx_offset >> (heights[offset - 1] + 1)));
- /* Hash the top-most nodes from the stack together. */
- PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_thash_2(
- stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N, stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N,
- pub_seed, tree_addr, hash_state_seeded);
- offset--;
- /* Note that the top-most node is now one layer higher. */
- heights[offset - 1]++;
-
- /* If this is a node we need for the auth path.. */
- if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) {
- memcpy(auth_path + heights[offset - 1]*PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N,
- stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N);
- }
- }
- }
- memcpy(root, stack, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N);
-}
-
-/* The wrappers below ensure that we use fixed-size buffers on the stack */
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_treehash_FORS_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded) {
-
- unsigned char stack[(PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N];
- unsigned int heights[PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_HEIGHT + 1];
-
- PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_treehash(
- root, auth_path, stack, heights, sk_seed, pub_seed,
- leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_FORS_HEIGHT, gen_leaf, tree_addr, hash_state_seeded);
-}
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_treehash_TREE_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded) {
-
- unsigned char stack[(PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_TREE_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N];
- unsigned int heights[PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_TREE_HEIGHT + 1];
-
- PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_treehash(
- root, auth_path, stack, heights, sk_seed, pub_seed,
- leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_TREE_HEIGHT, gen_leaf, tree_addr, hash_state_seeded);
-}
diff --git a/crypto_sign/sphincs-haraka-128f-robust/clean/utils.h b/crypto_sign/sphincs-haraka-128f-robust/clean/utils.h
deleted file mode 100644
index ae73fd7d..00000000
--- a/crypto_sign/sphincs-haraka-128f-robust/clean/utils.h
+++ /dev/null
@@ -1,64 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_UTILS_H
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_UTILS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-#include
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ull_to_bytes(
- unsigned char *out, size_t outlen, unsigned long long in);
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-unsigned long long PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_bytes_to_ull(
- const unsigned char *in, size_t inlen);
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_compute_root(
- unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_treehash_FORS_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_treehash_TREE_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-robust/clean/wots.c b/crypto_sign/sphincs-haraka-128f-robust/clean/wots.c
deleted file mode 100644
index 4cb53a3e..00000000
--- a/crypto_sign/sphincs-haraka-128f-robust/clean/wots.c
+++ /dev/null
@@ -1,167 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "hash.h"
-#include "hash_state.h"
-#include "params.h"
-#include "thash.h"
-#include "utils.h"
-#include "wots.h"
-
-// TODO clarify address expectations, and make them more uniform.
-// TODO i.e. do we expect types to be set already?
-// TODO and do we expect modifications or copies?
-
-/**
- * Computes the starting value for a chain, i.e. the secret key.
- * Expects the address to be complete up to the chain address.
- */
-static void wots_gen_sk(unsigned char *sk, const unsigned char *sk_seed,
- uint32_t wots_addr[8],
- const hash_state *hash_state_seeded) {
- /* Make sure that the hash address is actually zeroed. */
- PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_hash_addr(wots_addr, 0);
-
- /* Generate sk element. */
- PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_prf_addr(sk, sk_seed, wots_addr, hash_state_seeded);
-}
-
-/**
- * Computes the chaining function.
- * out and in have to be n-byte arrays.
- *
- * Interprets in as start-th value of the chain.
- * addr has to contain the address of the chain.
- */
-static void gen_chain(unsigned char *out, const unsigned char *in,
- unsigned int start, unsigned int steps,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- uint32_t i;
-
- /* Initialize out with the value at position 'start'. */
- memcpy(out, in, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N);
-
- /* Iterate 'steps' calls to the hash function. */
- for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_W; i++) {
- PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_hash_addr(addr, i);
- PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_thash_1(
- out, out, pub_seed, addr, hash_state_seeded);
- }
-}
-
-/**
- * base_w algorithm as described in draft.
- * Interprets an array of bytes as integers in base w.
- * This only works when log_w is a divisor of 8.
- */
-static void base_w(unsigned int *output, const size_t out_len,
- const unsigned char *input) {
- size_t in = 0;
- size_t out = 0;
- unsigned char total = 0;
- unsigned int bits = 0;
- size_t consumed;
-
- for (consumed = 0; consumed < out_len; consumed++) {
- if (bits == 0) {
- total = input[in];
- in++;
- bits += 8;
- }
- bits -= PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_LOGW;
- output[out] = (unsigned int)((total >> bits) & (PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_W - 1));
- out++;
- }
-}
-
-/* Computes the WOTS+ checksum over a message (in base_w). */
-static void wots_checksum(unsigned int *csum_base_w,
- const unsigned int *msg_base_w) {
- unsigned int csum = 0;
- unsigned char csum_bytes[(PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_LOGW + 7) / 8];
- unsigned int i;
-
- /* Compute checksum. */
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_LEN1; i++) {
- csum += PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_W - 1 - msg_base_w[i];
- }
-
- /* Convert checksum to base_w. */
- /* Make sure expected empty zero bits are the least significant bits. */
- csum = csum << (8 - ((PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_LOGW) % 8));
- PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_ull_to_bytes(
- csum_bytes, sizeof(csum_bytes), csum);
- base_w(csum_base_w, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_LEN2, csum_bytes);
-}
-
-/* Takes a message and derives the matching chain lengths. */
-static void chain_lengths(unsigned int *lengths, const unsigned char *msg) {
- base_w(lengths, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_LEN1, msg);
- wots_checksum(lengths + PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_LEN1, lengths);
-}
-
-/**
- * WOTS key generation. Takes a 32 byte sk_seed, expands it to WOTS private key
- * elements and computes the corresponding public key.
- * It requires the seed pub_seed (used to generate bitmasks and hash keys)
- * and the address of this WOTS key pair.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_wots_gen_pk(
- unsigned char *pk, const unsigned char *sk_seed,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- uint32_t i;
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_LEN; i++) {
- PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_chain_addr(addr, i);
- wots_gen_sk(pk + i * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N, sk_seed, addr, hash_state_seeded);
- gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N, pk + i * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N,
- 0, PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_W - 1, pub_seed, addr, hash_state_seeded);
- }
-}
-
-/**
- * Takes a n-byte message and the 32-byte sk_see to compute a signature 'sig'.
- */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_wots_sign(
- unsigned char *sig, const unsigned char *msg,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t addr[8], const hash_state *hash_state_seeded) {
- unsigned int lengths[PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_LEN];
- uint32_t i;
-
- chain_lengths(lengths, msg);
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_LEN; i++) {
- PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_chain_addr(addr, i);
- wots_gen_sk(sig + i * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N, sk_seed, addr, hash_state_seeded);
- gen_chain(sig + i * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N, sig + i * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N, 0, lengths[i], pub_seed, addr, hash_state_seeded);
- }
-}
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_wots_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- unsigned int lengths[PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_LEN];
- uint32_t i;
-
- chain_lengths(lengths, msg);
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_LEN; i++) {
- PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_set_chain_addr(addr, i);
- gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N, sig + i * PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_N,
- lengths[i], PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_W - 1 - lengths[i], pub_seed, addr,
- hash_state_seeded);
- }
-}
diff --git a/crypto_sign/sphincs-haraka-128f-robust/clean/wots.h b/crypto_sign/sphincs-haraka-128f-robust/clean/wots.h
deleted file mode 100644
index cb7a296b..00000000
--- a/crypto_sign/sphincs-haraka-128f-robust/clean/wots.h
+++ /dev/null
@@ -1,41 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_H
-#define PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_WOTS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-
-/**
- * WOTS key generation. Takes a 32 byte seed for the private key, expands it to
- * a full WOTS private key and computes the corresponding public key.
- * It requires the seed pub_seed (used to generate bitmasks and hash keys)
- * and the address of this WOTS key pair.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_wots_gen_pk(
- unsigned char *pk, const unsigned char *sk_seed,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * Takes a n-byte message and the 32-byte seed for the private key to compute a
- * signature that is placed at 'sig'.
- */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_wots_sign(
- unsigned char *sig, const unsigned char *msg,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA128FROBUST_CLEAN_wots_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-simple/META.yml b/crypto_sign/sphincs-haraka-128f-simple/META.yml
deleted file mode 100644
index d879c904..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/META.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-name: SPHINCS+
-type: signature
-claimed-nist-level: 1
-length-public-key: 32
-length-secret-key: 64
-length-signature: 16976
-testvectors-sha256: db98c3cd0ac0292a2b62e11c52851087d84971277188814bf14cbde7ca60c3e9
-nistkat-sha256: d0161f60f8bdd26fa2f03a881eb517adf7d3e9a44f5cc337cb9c0d8acf82c145
-principal-submitters:
- - Andreas Hülsing
-auxiliary-submitters:
- - Jean-Philippe Aumasson
- - Daniel J. Bernstein,
- - Christoph Dobraunig
- - Maria Eichlseder
- - Scott Fluhrer
- - Stefan-Lukas Gazdag
- - Panos Kampanakis
- - Stefan Kölbl
- - Tanja Lange
- - Martin M. Lauridsen
- - Florian Mendel
- - Ruben Niederhagen
- - Christian Rechberger
- - Joost Rijneveld
- - Peter Schwabe
-implementations:
- - name: clean
- version: https://github.com/sphincs/sphincsplus/commit/77755c94d0bc744478044d6efbb888dc13156441
- - name: aesni
- version: https://github.com/sphincs/sphincsplus/commit/77755c94d0bc744478044d6efbb888dc13156441
- supported_platforms:
- - architecture: x86_64
- required_flags:
- - aes
diff --git a/crypto_sign/sphincs-haraka-128f-simple/aesni/LICENSE b/crypto_sign/sphincs-haraka-128f-simple/aesni/LICENSE
deleted file mode 100644
index 670154e3..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/aesni/LICENSE
+++ /dev/null
@@ -1,116 +0,0 @@
-CC0 1.0 Universal
-
-Statement of Purpose
-
-The laws of most jurisdictions throughout the world automatically confer
-exclusive Copyright and Related Rights (defined below) upon the creator and
-subsequent owner(s) (each and all, an "owner") of an original work of
-authorship and/or a database (each, a "Work").
-
-Certain owners wish to permanently relinquish those rights to a Work for the
-purpose of contributing to a commons of creative, cultural and scientific
-works ("Commons") that the public can reliably and without fear of later
-claims of infringement build upon, modify, incorporate in other works, reuse
-and redistribute as freely as possible in any form whatsoever and for any
-purposes, including without limitation commercial purposes. These owners may
-contribute to the Commons to promote the ideal of a free culture and the
-further production of creative, cultural and scientific works, or to gain
-reputation or greater distribution for their Work in part through the use and
-efforts of others.
-
-For these and/or other purposes and motivations, and without any expectation
-of additional consideration or compensation, the person associating CC0 with a
-Work (the "Affirmer"), to the extent that he or she is an owner of Copyright
-and Related Rights in the Work, voluntarily elects to apply CC0 to the Work
-and publicly distribute the Work under its terms, with knowledge of his or her
-Copyright and Related Rights in the Work and the meaning and intended legal
-effect of CC0 on those rights.
-
-1. Copyright and Related Rights. A Work made available under CC0 may be
-protected by copyright and related or neighboring rights ("Copyright and
-Related Rights"). Copyright and Related Rights include, but are not limited
-to, the following:
-
- i. the right to reproduce, adapt, distribute, perform, display, communicate,
- and translate a Work;
-
- ii. moral rights retained by the original author(s) and/or performer(s);
-
- iii. publicity and privacy rights pertaining to a person's image or likeness
- depicted in a Work;
-
- iv. rights protecting against unfair competition in regards to a Work,
- subject to the limitations in paragraph 4(a), below;
-
- v. rights protecting the extraction, dissemination, use and reuse of data in
- a Work;
-
- vi. database rights (such as those arising under Directive 96/9/EC of the
- European Parliament and of the Council of 11 March 1996 on the legal
- protection of databases, and under any national implementation thereof,
- including any amended or successor version of such directive); and
-
- vii. other similar, equivalent or corresponding rights throughout the world
- based on applicable law or treaty, and any national implementations thereof.
-
-2. Waiver. To the greatest extent permitted by, but not in contravention of,
-applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and
-unconditionally waives, abandons, and surrenders all of Affirmer's Copyright
-and Related Rights and associated claims and causes of action, whether now
-known or unknown (including existing as well as future claims and causes of
-action), in the Work (i) in all territories worldwide, (ii) for the maximum
-duration provided by applicable law or treaty (including future time
-extensions), (iii) in any current or future medium and for any number of
-copies, and (iv) for any purpose whatsoever, including without limitation
-commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes
-the Waiver for the benefit of each member of the public at large and to the
-detriment of Affirmer's heirs and successors, fully intending that such Waiver
-shall not be subject to revocation, rescission, cancellation, termination, or
-any other legal or equitable action to disrupt the quiet enjoyment of the Work
-by the public as contemplated by Affirmer's express Statement of Purpose.
-
-3. Public License Fallback. Should any part of the Waiver for any reason be
-judged legally invalid or ineffective under applicable law, then the Waiver
-shall be preserved to the maximum extent permitted taking into account
-Affirmer's express Statement of Purpose. In addition, to the extent the Waiver
-is so judged Affirmer hereby grants to each affected person a royalty-free,
-non transferable, non sublicensable, non exclusive, irrevocable and
-unconditional license to exercise Affirmer's Copyright and Related Rights in
-the Work (i) in all territories worldwide, (ii) for the maximum duration
-provided by applicable law or treaty (including future time extensions), (iii)
-in any current or future medium and for any number of copies, and (iv) for any
-purpose whatsoever, including without limitation commercial, advertising or
-promotional purposes (the "License"). The License shall be deemed effective as
-of the date CC0 was applied by Affirmer to the Work. Should any part of the
-License for any reason be judged legally invalid or ineffective under
-applicable law, such partial invalidity or ineffectiveness shall not
-invalidate the remainder of the License, and in such case Affirmer hereby
-affirms that he or she will not (i) exercise any of his or her remaining
-Copyright and Related Rights in the Work or (ii) assert any associated claims
-and causes of action with respect to the Work, in either case contrary to
-Affirmer's express Statement of Purpose.
-
-4. Limitations and Disclaimers.
-
- a. No trademark or patent rights held by Affirmer are waived, abandoned,
- surrendered, licensed or otherwise affected by this document.
-
- b. Affirmer offers the Work as-is and makes no representations or warranties
- of any kind concerning the Work, express, implied, statutory or otherwise,
- including without limitation warranties of title, merchantability, fitness
- for a particular purpose, non infringement, or the absence of latent or
- other defects, accuracy, or the present or absence of errors, whether or not
- discoverable, all to the greatest extent permissible under applicable law.
-
- c. Affirmer disclaims responsibility for clearing rights of other persons
- that may apply to the Work or any use thereof, including without limitation
- any person's Copyright and Related Rights in the Work. Further, Affirmer
- disclaims responsibility for obtaining any necessary consents, permissions
- or other rights required for any use of the Work.
-
- d. Affirmer understands and acknowledges that Creative Commons is not a
- party to this document and has no duty or obligation with respect to this
- CC0 or use of the Work.
-
-For more information, please see
-
diff --git a/crypto_sign/sphincs-haraka-128f-simple/aesni/Makefile.Microsoft_nmake b/crypto_sign/sphincs-haraka-128f-simple/aesni/Makefile.Microsoft_nmake
deleted file mode 100644
index 003266e5..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/aesni/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,23 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libsphincs-haraka-128f-simple_aesni.lib
-OBJECTS=address.obj wots.obj utils.obj utilsx4.obj fors.obj sign.obj hash_haraka.obj thash_haraka_simple.obj hash_harakax4.obj thash_haraka_simplex4.obj haraka.obj
-
-# We ignore warning C4127: in thash_haraka_*x4.c we use a conditional
-# that when the macro is generated for inblocks = 1 results in a case
-# with `if (1 == 1)`. The compiler should just optimise this away, but
-# on MSVC we get a compiler complaint.
-CFLAGS=/nologo /arch:AVX /O2 /I ..\..\..\common /W4 /WX /wd4127
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_sign/sphincs-haraka-128f-simple/aesni/address.c b/crypto_sign/sphincs-haraka-128f-simple/aesni/address.c
deleted file mode 100644
index 9e365ff3..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/aesni/address.c
+++ /dev/null
@@ -1,78 +0,0 @@
-#include
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]) {
- int i;
-
- for (i = 0; i < 8; i++) {
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ull_to_bytes(
- bytes + i * 4, 4, addr[i]);
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_layer_addr(
- uint32_t addr[8], uint32_t layer) {
- addr[0] = layer;
-}
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_tree_addr(
- uint32_t addr[8], uint64_t tree) {
- addr[1] = 0;
- addr[2] = (uint32_t) (tree >> 32);
- addr[3] = (uint32_t) tree;
-}
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_type(
- uint32_t addr[8], uint32_t type) {
- addr[4] = type;
-}
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
-}
-
-/* These functions are used for OTS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair) {
- addr[5] = keypair;
-}
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
- out[5] = in[5];
-}
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_chain_addr(
- uint32_t addr[8], uint32_t chain) {
- addr[6] = chain;
-}
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_hash_addr(
- uint32_t addr[8], uint32_t hash) {
- addr[7] = hash;
-}
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_tree_height(
- uint32_t addr[8], uint32_t tree_height) {
- addr[6] = tree_height;
-}
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_tree_index(
- uint32_t addr[8], uint32_t tree_index) {
- addr[7] = tree_index;
-}
diff --git a/crypto_sign/sphincs-haraka-128f-simple/aesni/address.h b/crypto_sign/sphincs-haraka-128f-simple/aesni/address.h
deleted file mode 100644
index ca0cbded..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/aesni/address.h
+++ /dev/null
@@ -1,50 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDRESS_H
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDRESS_H
-
-#include
-
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_TYPE_WOTS 0
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_TYPE_WOTSPK 1
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_TYPE_HASHTREE 2
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_TYPE_FORSTREE 3
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_TYPE_FORSPK 4
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]);
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_layer_addr(
- uint32_t addr[8], uint32_t layer);
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_tree_addr(
- uint32_t addr[8], uint64_t tree);
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_type(
- uint32_t addr[8], uint32_t type);
-
-/* Copies the layer and tree part of one address into the other */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for WOTS and FORS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair);
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_chain_addr(
- uint32_t addr[8], uint32_t chain);
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_hash_addr(
- uint32_t addr[8], uint32_t hash);
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_tree_height(
- uint32_t addr[8], uint32_t tree_height);
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_tree_index(
- uint32_t addr[8], uint32_t tree_index);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-simple/aesni/api.h b/crypto_sign/sphincs-haraka-128f-simple/aesni/api.h
deleted file mode 100644
index 63d46ed5..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/aesni/api.h
+++ /dev/null
@@ -1,81 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_API_H
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_API_H
-
-#include
-#include
-
-
-
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_CRYPTO_ALGNAME "SPHINCS+"
-
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES 64
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES 32
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_CRYPTO_BYTES 16976
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_CRYPTO_SEEDBYTES 48
-
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_crypto_sign_seed_keypair(
- uint8_t *pk, uint8_t *sk, const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_crypto_sign_keypair(
- uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-int PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen, const uint8_t *pk);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-simple/aesni/fors.c b/crypto_sign/sphincs-haraka-128f-simple/aesni/fors.c
deleted file mode 100644
index a7c64f08..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/aesni/fors.c
+++ /dev/null
@@ -1,206 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "fors.h" -#include "hash.h" -#include "hashx4.h" -#include "thash.h" -#include "thashx4.h" -#include "utils.h" -#include "utilsx4.h" - -static void fors_gen_skx4(unsigned char *sk0, - unsigned char *sk1, - unsigned char *sk2, - unsigned char *sk3, const unsigned char *sk_seed, - uint32_t fors_leaf_addrx4[4 * 8], - const hash_state *state_seeded) { - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_prf_addrx4(sk0, sk1, sk2, sk3, sk_seed, fors_leaf_addrx4, state_seeded); -} - -static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk, - const unsigned char *pub_seed, - uint32_t fors_leaf_addr[8], const hash_state *state_seeded) { - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_thash_1(leaf, sk, pub_seed, fors_leaf_addr, state_seeded); -} - -static void fors_sk_to_leafx4(unsigned char *leaf0, - unsigned char *leaf1, - unsigned char *leaf2, - unsigned char *leaf3, - const unsigned char *sk0, - const unsigned char *sk1, - const unsigned char *sk2, - const unsigned char *sk3, - const unsigned char *pub_seed, - uint32_t fors_leaf_addrx4[4 * 8], - const hash_state *state_seeded) { - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_thashx4_1(leaf0, leaf1, leaf2, leaf3, - sk0, sk1, sk2, sk3, pub_seed, fors_leaf_addrx4, state_seeded); -} - -static void fors_gen_leafx4(unsigned char *leaf0, - unsigned char *leaf1, - unsigned char *leaf2, - unsigned char *leaf3, - const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx0, - uint32_t addr_idx1, - uint32_t addr_idx2, - uint32_t addr_idx3, - const uint32_t fors_tree_addr[8], - const hash_state *state_seeded) { - uint32_t fors_leaf_addrx4[4 * 8] = {0}; - unsigned int j; - - /* Only copy the parts that must be kept in fors_leaf_addrx4. 
*/ - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_copy_keypair_addr(fors_leaf_addrx4 + j * 8, fors_tree_addr); - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_type(fors_leaf_addrx4 + j * 8, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_TYPE_FORSTREE); - } - - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_tree_index(fors_leaf_addrx4 + 0 * 8, addr_idx0); - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_tree_index(fors_leaf_addrx4 + 1 * 8, addr_idx1); - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_tree_index(fors_leaf_addrx4 + 2 * 8, addr_idx2); - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_tree_index(fors_leaf_addrx4 + 3 * 8, addr_idx3); - - fors_gen_skx4(leaf0, leaf1, leaf2, leaf3, sk_seed, fors_leaf_addrx4, state_seeded); - fors_sk_to_leafx4(leaf0, leaf1, leaf2, leaf3, - leaf0, leaf1, leaf2, leaf3, pub_seed, fors_leaf_addrx4, state_seeded); -} - -/** - * Interprets m as PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_HEIGHT-bit unsigned integers. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_TREES bits. - * Assumes indices has space for PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_TREES integers. - */ -static void message_to_indices(uint32_t *indices, const unsigned char *m) { - unsigned int i, j; - unsigned int offset = 0; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_TREES; i++) { - indices[i] = 0; - for (j = 0; j < PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_HEIGHT; j++) { - indices[i] ^= (((uint32_t)m[offset >> 3] >> (offset & 0x7)) & 0x1) << j; - offset++; - } - } -} - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_TREES bits. 
- */ -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_fors_sign(unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const unsigned char *sk_seed, const unsigned char *pub_seed, - const uint32_t fors_addr[8], const hash_state *state_seeded) { - /* Round up to multiple of 4 to prevent out-of-bounds for x4 parallelism */ - uint32_t indices[(PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_TREES + 3) & ~3] = {0}; - unsigned char roots[((PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_TREES + 3) & ~3) * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N]; - /* Sign to a buffer, since we may not have a nice multiple of 4 and would - otherwise overrun the signature. */ - unsigned char sigbufx4[4 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N * (1 + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_HEIGHT)]; - uint32_t fors_tree_addrx4[4 * 8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset[4] = {0}; - unsigned int i, j; - - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_copy_keypair_addr(fors_tree_addrx4 + j * 8, fors_addr); - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_type(fors_tree_addrx4 + j * 8, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_TYPE_FORSTREE); - } - - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_copy_keypair_addr(fors_pk_addr, fors_addr); - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < ((PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_TREES + 3) & ~0x3); i += 4) { - for (j = 0; j < 4; j++) { - if (i + j < PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_TREES) { - idx_offset[j] = (i + j) * (1 << PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_HEIGHT); - - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_tree_height(fors_tree_addrx4 + j * 8, 0); - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_tree_index(fors_tree_addrx4 + j * 8, - indices[i + j] + idx_offset[j]); - } - } - - /* Include the secret key part that produces the selected leaf nodes. 
*/ - fors_gen_skx4(sigbufx4 + 0 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, - sigbufx4 + 1 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, - sigbufx4 + 2 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, - sigbufx4 + 3 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, - sk_seed, fors_tree_addrx4, state_seeded); - - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_treehashx4_FORS_HEIGHT(roots + i * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, sigbufx4 + 4 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, sk_seed, pub_seed, - &indices[i], idx_offset, fors_gen_leafx4, fors_tree_addrx4, - state_seeded); - - for (j = 0; j < 4; j++) { - if (i + j < PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_TREES) { - memcpy(sig, sigbufx4 + j * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N); - memcpy(sig + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, - sigbufx4 + 4 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N + j * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_HEIGHT, - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_HEIGHT); - sig += PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N * (1 + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_HEIGHT); - } - } - } - - /* Hash horizontally across all tree roots to derive the public key. */ - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, state_seeded); -} - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_TREES bits. 
- */ -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_fors_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const unsigned char *pub_seed, - const uint32_t fors_addr[8], - const hash_state *state_seeded) { - uint32_t indices[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_TREES]; - unsigned char roots[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N]; - uint32_t fors_tree_addr[8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_copy_keypair_addr(fors_tree_addr, fors_addr); - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_copy_keypair_addr(fors_pk_addr, fors_addr); - - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_type(fors_tree_addr, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_TYPE_FORSTREE); - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_TREES; i++) { - idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_HEIGHT); - - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_tree_height(fors_tree_addr, 0); - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_tree_index(fors_tree_addr, indices[i] + idx_offset); - - /* Derive the leaf from the included secret key part. */ - fors_sk_to_leaf(leaf, sig, pub_seed, fors_tree_addr, state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N; - - /* Derive the corresponding root node of this tree. 
*/
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_compute_root(roots + i * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, leaf, indices[i], idx_offset,
- sig, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_HEIGHT, pub_seed, fors_tree_addr,
- state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, state_seeded);
-}
diff --git a/crypto_sign/sphincs-haraka-128f-simple/aesni/fors.h b/crypto_sign/sphincs-haraka-128f-simple/aesni/fors.h
deleted file mode 100644
index ca4efdf4..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/aesni/fors.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_H
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_H
-
-#include
-
-#include "hash_state.h"
-#include "params.h"
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_fors_sign(
- unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- const uint32_t fors_addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_fors_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const unsigned char *pub_seed, const uint32_t fors_addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-simple/aesni/haraka.c b/crypto_sign/sphincs-haraka-128f-simple/aesni/haraka.c
deleted file mode 100644
index 58fd053c..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/aesni/haraka.c
+++ /dev/null
@@ -1,801 +0,0 @@ -/* -Plain C implementation of the Haraka256 and Haraka512 permutations. -*/ -#include -#include -#include -#include -#include - -#include "haraka.h" - -#define HARAKAS_RATE 32 - -#define u64 uint64_t -#define u128 __m128i - -#define LOAD(src) _mm_loadu_si128((u128 *)(src)) -#define STORE(dest,src) _mm_storeu_si128((u128 *)(dest),src) - -#define XOR128(a, b) _mm_xor_si128(a, b) - -#define AES2(s0, s1, rci) \ - (s0) = _mm_aesenc_si128(s0, *(rci)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 1)); \ - (s0) = _mm_aesenc_si128(s0, *((rci) + 2)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 3)); - -#define AES2_4x(s0, s1, s2, s3, rci) \ - AES2((s0)[0], (s0)[1], rci); \ - AES2((s1)[0], (s1)[1], rci); \ - AES2((s2)[0], (s2)[1], rci); \ - AES2((s3)[0], (s3)[1], rci); - -#define AES4(s0, s1, s2, s3, rci) \ - (s0) = _mm_aesenc_si128(s0, *(rci)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 1)); \ - (s2) = _mm_aesenc_si128(s2, *((rci) + 2)); \ - (s3) = _mm_aesenc_si128(s3, *((rci) + 3)); \ - (s0) = _mm_aesenc_si128(s0, *((rci) + 4)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 5)); \ - (s2) = _mm_aesenc_si128(s2, *((rci) + 6)); \ - (s3) = _mm_aesenc_si128(s3, *((rci) + 7)); - -#define AES4_4x(s0, s1, s2, s3, rci) \ - AES4((s0)[0], (s0)[1], (s0)[2], (s0)[3], rci); \ - AES4((s1)[0], (s1)[1], (s1)[2], (s1)[3], rci); \ - AES4((s2)[0], (s2)[1], (s2)[2], (s2)[3], rci); \ - AES4((s3)[0], (s3)[1], (s3)[2], (s3)[3], rci); - -#define MIX2(s0, s1) \ - tmp = _mm_unpacklo_epi32(s0, s1); \ - (s1) = _mm_unpackhi_epi32(s0, s1); \ - (s0) = tmp; - -#define MIX4(s0, s1, s2, s3) \ - tmp = _mm_unpacklo_epi32(s0, s1); \ - (s0) = _mm_unpackhi_epi32(s0, s1); \ - (s1) = _mm_unpacklo_epi32(s2, s3); \ - (s2) = _mm_unpackhi_epi32(s2, s3); \ - (s3) = _mm_unpacklo_epi32(s0, s2); \ - (s0) = _mm_unpackhi_epi32(s0, s2); \ - (s2) = _mm_unpackhi_epi32(s1, tmp); \ - (s1) = _mm_unpacklo_epi32(s1, tmp); - -#define TRUNCSTORE(out, s0, s1, s2, s3) \ - _mm_storeu_si128((u128 *)(out), \ - 
_mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(s0), _mm_castsi128_pd(s1), 3))); \ - _mm_storeu_si128((u128 *)((out) + 16), \ - _mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(s2), _mm_castsi128_pd(s3), 0))); - -static void load_haraka_constants(u128 rc[40]) { - rc[ 0] = _mm_set_epi32((int)0x0684704c, (int)0xe620c00a, (int)0xb2c5fef0, (int)0x75817b9d); - rc[ 1] = _mm_set_epi32((int)0x8b66b4e1, (int)0x88f3a06b, (int)0x640f6ba4, (int)0x2f08f717); - rc[ 2] = _mm_set_epi32((int)0x3402de2d, (int)0x53f28498, (int)0xcf029d60, (int)0x9f029114); - rc[ 3] = _mm_set_epi32((int)0x0ed6eae6, (int)0x2e7b4f08, (int)0xbbf3bcaf, (int)0xfd5b4f79); - rc[ 4] = _mm_set_epi32((int)0xcbcfb0cb, (int)0x4872448b, (int)0x79eecd1c, (int)0xbe397044); - rc[ 5] = _mm_set_epi32((int)0x7eeacdee, (int)0x6e9032b7, (int)0x8d5335ed, (int)0x2b8a057b); - rc[ 6] = _mm_set_epi32((int)0x67c28f43, (int)0x5e2e7cd0, (int)0xe2412761, (int)0xda4fef1b); - rc[ 7] = _mm_set_epi32((int)0x2924d9b0, (int)0xafcacc07, (int)0x675ffde2, (int)0x1fc70b3b); - rc[ 8] = _mm_set_epi32((int)0xab4d63f1, (int)0xe6867fe9, (int)0xecdb8fca, (int)0xb9d465ee); - rc[ 9] = _mm_set_epi32((int)0x1c30bf84, (int)0xd4b7cd64, (int)0x5b2a404f, (int)0xad037e33); - rc[10] = _mm_set_epi32((int)0xb2cc0bb9, (int)0x941723bf, (int)0x69028b2e, (int)0x8df69800); - rc[11] = _mm_set_epi32((int)0xfa0478a6, (int)0xde6f5572, (int)0x4aaa9ec8, (int)0x5c9d2d8a); - rc[12] = _mm_set_epi32((int)0xdfb49f2b, (int)0x6b772a12, (int)0x0efa4f2e, (int)0x29129fd4); - rc[13] = _mm_set_epi32((int)0x1ea10344, (int)0xf449a236, (int)0x32d611ae, (int)0xbb6a12ee); - rc[14] = _mm_set_epi32((int)0xaf044988, (int)0x4b050084, (int)0x5f9600c9, (int)0x9ca8eca6); - rc[15] = _mm_set_epi32((int)0x21025ed8, (int)0x9d199c4f, (int)0x78a2c7e3, (int)0x27e593ec); - rc[16] = _mm_set_epi32((int)0xbf3aaaf8, (int)0xa759c9b7, (int)0xb9282ecd, (int)0x82d40173); - rc[17] = _mm_set_epi32((int)0x6260700d, (int)0x6186b017, (int)0x37f2efd9, (int)0x10307d6b); - rc[18] = _mm_set_epi32((int)0x5aca45c2, 
(int)0x21300443, (int)0x81c29153, (int)0xf6fc9ac6); - rc[19] = _mm_set_epi32((int)0x9223973c, (int)0x226b68bb, (int)0x2caf92e8, (int)0x36d1943a); - rc[20] = _mm_set_epi32((int)0xd3bf9238, (int)0x225886eb, (int)0x6cbab958, (int)0xe51071b4); - rc[21] = _mm_set_epi32((int)0xdb863ce5, (int)0xaef0c677, (int)0x933dfddd, (int)0x24e1128d); - rc[22] = _mm_set_epi32((int)0xbb606268, (int)0xffeba09c, (int)0x83e48de3, (int)0xcb2212b1); - rc[23] = _mm_set_epi32((int)0x734bd3dc, (int)0xe2e4d19c, (int)0x2db91a4e, (int)0xc72bf77d); - rc[24] = _mm_set_epi32((int)0x43bb47c3, (int)0x61301b43, (int)0x4b1415c4, (int)0x2cb3924e); - rc[25] = _mm_set_epi32((int)0xdba775a8, (int)0xe707eff6, (int)0x03b231dd, (int)0x16eb6899); - rc[26] = _mm_set_epi32((int)0x6df3614b, (int)0x3c755977, (int)0x8e5e2302, (int)0x7eca472c); - rc[27] = _mm_set_epi32((int)0xcda75a17, (int)0xd6de7d77, (int)0x6d1be5b9, (int)0xb88617f9); - rc[28] = _mm_set_epi32((int)0xec6b43f0, (int)0x6ba8e9aa, (int)0x9d6c069d, (int)0xa946ee5d); - rc[29] = _mm_set_epi32((int)0xcb1e6950, (int)0xf957332b, (int)0xa2531159, (int)0x3bf327c1); - rc[30] = _mm_set_epi32((int)0x2cee0c75, (int)0x00da619c, (int)0xe4ed0353, (int)0x600ed0d9); - rc[31] = _mm_set_epi32((int)0xf0b1a5a1, (int)0x96e90cab, (int)0x80bbbabc, (int)0x63a4a350); - rc[32] = _mm_set_epi32((int)0xae3db102, (int)0x5e962988, (int)0xab0dde30, (int)0x938dca39); - rc[33] = _mm_set_epi32((int)0x17bb8f38, (int)0xd554a40b, (int)0x8814f3a8, (int)0x2e75b442); - rc[34] = _mm_set_epi32((int)0x34bb8a5b, (int)0x5f427fd7, (int)0xaeb6b779, (int)0x360a16f6); - rc[35] = _mm_set_epi32((int)0x26f65241, (int)0xcbe55438, (int)0x43ce5918, (int)0xffbaafde); - rc[36] = _mm_set_epi32((int)0x4ce99a54, (int)0xb9f3026a, (int)0xa2ca9cf7, (int)0x839ec978); - rc[37] = _mm_set_epi32((int)0xae51a51a, (int)0x1bdff7be, (int)0x40c06e28, (int)0x22901235); - rc[38] = _mm_set_epi32((int)0xa0c1613c, (int)0xba7ed22b, (int)0xc173bc0f, (int)0x48a659cf); - rc[39] = _mm_set_epi32((int)0x756acc03, (int)0x02288288, 
(int)0x4ad6bdfd, (int)0xe9c59da1); -} - -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_tweak_constants( - harakactx *state, - const unsigned char *pk_seed, const unsigned char *sk_seed, - unsigned long long seed_length) { - int i; - unsigned char buf[40 * 16]; - - /* Use the standard constants to generate tweaked ones. */ - load_haraka_constants(state->rc); - - /* Constants for sk.seed */ - if (sk_seed != NULL) { - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka_S(buf, 40 * 16, sk_seed, seed_length, state); - /* Tweak constants with the pub_seed */ - for (i = 0; i < 40; i++) { - state->rc_sseed[i] = LOAD(buf + i * 16); - } - } - - /* Constants for pk.seed */ - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka_S(buf, 40 * 16, pk_seed, seed_length, state); - - /* Tweak constants with the pub_seed */ - for (i = 0; i < 40; i++) { - state->rc[i] = LOAD(buf + i * 16); - } -} - -static void haraka_S_absorb(unsigned char *s, - const unsigned char *m, unsigned long long mlen, - unsigned char p, - const harakactx *state) { - unsigned long long i; - unsigned char t[HARAKAS_RATE]; - - while (mlen >= HARAKAS_RATE) { - // XOR block to state - STORE(s, XOR128(LOAD(s), LOAD(m))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(m + 16))); - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka512_perm(s, s, state); - mlen -= HARAKAS_RATE; - m += HARAKAS_RATE; - } - - for (i = 0; i < HARAKAS_RATE; ++i) { - t[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t[i] = m[i]; - } - t[i] = p; - t[HARAKAS_RATE - 1] |= 128; - STORE(s, XOR128(LOAD(s), LOAD(t))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(t + 16))); -} - -static void haraka_S_absorb4x(unsigned char *s, - const unsigned char *m0, - const unsigned char *m1, - const unsigned char *m2, - const unsigned char *m3, - unsigned long long int mlen, - unsigned char p, - const harakactx *state) { - unsigned long long i; - unsigned char t0[HARAKAS_RATE]; - unsigned char t1[HARAKAS_RATE]; - unsigned char t2[HARAKAS_RATE]; - unsigned char t3[HARAKAS_RATE]; - - while (mlen 
>= HARAKAS_RATE) { - // XOR block to state - STORE(s, XOR128(LOAD(s), LOAD(m0))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(m0 + 16))); - STORE(s + 64, XOR128(LOAD(s + 64), LOAD(m1))); - STORE(s + 80, XOR128(LOAD(s + 80), LOAD(m1 + 16))); - STORE(s + 128, XOR128(LOAD(s + 128), LOAD(m2))); - STORE(s + 144, XOR128(LOAD(s + 144), LOAD(m2 + 16))); - STORE(s + 192, XOR128(LOAD(s + 192), LOAD(m3))); - STORE(s + 208, XOR128(LOAD(s + 208), LOAD(m3 + 16))); - - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka512_perm_x4(s, s, state); - mlen -= HARAKAS_RATE; - m0 += HARAKAS_RATE; - m1 += HARAKAS_RATE; - m2 += HARAKAS_RATE; - m3 += HARAKAS_RATE; - } - - for (i = 0; i < HARAKAS_RATE; ++i) { - t0[i] = 0; - t1[i] = 0; - t2[i] = 0; - t3[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t0[i] = m0[i]; - t1[i] = m1[i]; - t2[i] = m2[i]; - t3[i] = m3[i]; - } - - t0[i] = p; - t1[i] = p; - t2[i] = p; - t3[i] = p; - - t0[HARAKAS_RATE - 1] |= 128; - t1[HARAKAS_RATE - 1] |= 128; - t2[HARAKAS_RATE - 1] |= 128; - t3[HARAKAS_RATE - 1] |= 128; - - STORE(s, XOR128(LOAD(s), LOAD(t0))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(t0 + 16))); - STORE(s + 64, XOR128(LOAD(s + 64), LOAD(t1))); - STORE(s + 80, XOR128(LOAD(s + 80), LOAD(t1 + 16))); - STORE(s + 128, XOR128(LOAD(s + 128), LOAD(t2))); - STORE(s + 144, XOR128(LOAD(s + 144), LOAD(t2 + 16))); - STORE(s + 192, XOR128(LOAD(s + 192), LOAD(t3))); - STORE(s + 208, XOR128(LOAD(s + 208), LOAD(t3 + 16))); -} - -static void haraka_S_squeezeblocks(unsigned char *h, unsigned long long nblocks, - unsigned char *s, unsigned int r, const harakactx *state) { - while (nblocks > 0) { - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka512_perm(s, s, state); - STORE(h, LOAD(s)); - STORE(h + 16, LOAD(s + 16)); - h += r; - nblocks--; - } -} - -static void haraka_S_squeezeblocks4x(unsigned char *h0, - unsigned char *h1, - unsigned char *h2, - unsigned char *h3, - unsigned long long nblocks, - unsigned char *s, - unsigned int r, - const harakactx *state) { - while (nblocks > 0) 
{ - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka512_perm_x4(s, s, state); - STORE(h0, LOAD(s)); - STORE(h0 + 16, LOAD(s + 16)); - STORE(h1, LOAD(s + 64)); - STORE(h1 + 16, LOAD(s + 80)); - STORE(h2, LOAD(s + 128)); - STORE(h2 + 16, LOAD(s + 144)); - STORE(h3, LOAD(s + 192)); - STORE(h3 + 16, LOAD(s + 208)); - h0 += r; - h1 += r; - h2 += r; - h3 += r; - nblocks--; - } -} - -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka_S_inc_init(uint8_t *s_inc) { - size_t i; - - for (i = 0; i < 64; i++) { - s_inc[i] = 0; - } - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state) { - size_t i; - - /* Recall that s_inc[64] is the non-absorbed bytes xored into the state */ - while (mlen + s_inc[64] >= HARAKAS_RATE) { - for (i = 0; i < (size_t)(HARAKAS_RATE - s_inc[64]); i++) { - /* Take the i'th byte from message - xor with the s_inc[64] + i'th byte of the state */ - s_inc[s_inc[64] + i] ^= m[i]; - } - mlen -= (size_t)(HARAKAS_RATE - s_inc[64]); - m += HARAKAS_RATE - s_inc[64]; - s_inc[64] = 0; - - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka512_perm(s_inc, s_inc, state); - } - - for (i = 0; i < mlen; i++) { - s_inc[s_inc[64] + i] ^= m[i]; - } - s_inc[64] = (uint8_t)(s_inc[64] + mlen); -} - -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka_S_inc_finalize(uint8_t *s_inc) { - /* After haraka_S_inc_absorb, we are guaranteed that s_inc[64] < HARAKAS_RATE, - so we can always use one more byte for p in the current state. */ - s_inc[s_inc[64]] ^= 0x1F; - s_inc[HARAKAS_RATE - 1] ^= 128; - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state) { - size_t i; - - /* First consume any bytes we still have sitting around */ - for (i = 0; i < outlen && i < s_inc[64]; i++) { - /* There are s_inc[64] bytes left, so r - s_inc[64] is the first - available byte. We consume from there, i.e., up to r. 
*/ - out[i] = (uint8_t)s_inc[(HARAKAS_RATE - s_inc[64] + (uint8_t)i)]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(s_inc[64] - i); - - /* Then squeeze the remaining necessary blocks */ - while (outlen > 0) { - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka512_perm(s_inc, s_inc, state); - - for (i = 0; i < outlen && i < HARAKAS_RATE; i++) { - out[i] = s_inc[i]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(HARAKAS_RATE - i); - } -} - -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka_S(unsigned char *out, unsigned long long outlen, - const unsigned char *in, unsigned long long inlen, const harakactx *state) { - unsigned long long i; - unsigned char s[64]; - unsigned char d[32]; - - for (i = 0; i < 64; i++) { - s[i] = 0; - } - haraka_S_absorb(s, in, inlen, 0x1F, state); - - haraka_S_squeezeblocks(out, outlen / HARAKAS_RATE, s, HARAKAS_RATE, state); - out += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - - if (outlen % HARAKAS_RATE) { - haraka_S_squeezeblocks(d, 1, s, HARAKAS_RATE, state); - for (i = 0; i < outlen % HARAKAS_RATE; i++) { - out[i] = d[i]; - } - } -} - -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka_Sx4(unsigned char *out0, - unsigned char *out1, - unsigned char *out2, - unsigned char *out3, - unsigned long long outlen, - const unsigned char *in0, - const unsigned char *in1, - const unsigned char *in2, - const unsigned char *in3, - unsigned long long inlen, - const harakactx *state) { - unsigned long long i; - unsigned char s[64 * 4]; - unsigned char d0[32]; - unsigned char d1[32]; - unsigned char d2[32]; - unsigned char d3[32]; - - for (i = 0; i < 64 * 4; i++) { - s[i] = 0; - } - haraka_S_absorb4x(s, in0, in1, in2, in3, inlen, 0x1F, state); - - haraka_S_squeezeblocks4x(out0, out1, out2, out3, outlen / HARAKAS_RATE, s, HARAKAS_RATE, state); - out0 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out1 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out2 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out3 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - 
- if (outlen % HARAKAS_RATE) { - haraka_S_squeezeblocks4x(d0, d1, d2, d3, 1, s, HARAKAS_RATE, state); - for (i = 0; i < outlen % HARAKAS_RATE; i++) { - out0[i] = d0[i]; - out1[i] = d1[i]; - out2[i] = d2[i]; - out3[i] = d3[i]; - } - } -} - -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - s[2] = LOAD(in + 32); - s[3] = LOAD(in + 48); - - AES4(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0], s[1], s[2], s[3]); - - STORE(out, s[0]); - STORE(out + 16, s[1]); - STORE(out + 32, s[2]); - STORE(out + 48, s[3]); -} - -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka512_perm_x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][4], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[0][2] = LOAD(in + 32); - s[0][3] = LOAD(in + 48); - s[1][0] = LOAD(in + 64); - s[1][1] = LOAD(in + 80); - s[1][2] = LOAD(in + 96); - s[1][3] = LOAD(in + 112); - s[2][0] = LOAD(in + 128); - s[2][1] = LOAD(in + 144); - s[2][2] = LOAD(in + 160); - s[2][3] = LOAD(in + 176); - s[3][0] = LOAD(in + 192); - s[3][1] = LOAD(in + 208); - s[3][2] = LOAD(in + 224); - s[3][3] = LOAD(in + 240); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - 
MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[0][2]); - STORE(out + 48, s[0][3]); - STORE(out + 64, s[1][0]); - STORE(out + 80, s[1][1]); - STORE(out + 96, s[1][2]); - STORE(out + 112, s[1][3]); - STORE(out + 128, s[2][0]); - STORE(out + 144, s[2][1]); - STORE(out + 160, s[2][2]); - STORE(out + 176, s[2][3]); - STORE(out + 192, s[3][0]); - STORE(out + 208, s[3][1]); - STORE(out + 224, s[3][2]); - STORE(out + 240, s[3][3]); -} - -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - s[2] = LOAD(in + 32); - s[3] = LOAD(in + 48); - - AES4(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0], s[1], s[2], s[3]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - s[2] = XOR128(s[2], LOAD(in + 32)); - s[3] = XOR128(s[3], LOAD(in + 48)); - - // truncate and 
store result - TRUNCSTORE(out, s[0], s[1], s[2], s[3]); -} - -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka512x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][4], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[0][2] = LOAD(in + 32); - s[0][3] = LOAD(in + 48); - s[1][0] = LOAD(in + 64); - s[1][1] = LOAD(in + 80); - s[1][2] = LOAD(in + 96); - s[1][3] = LOAD(in + 112); - s[2][0] = LOAD(in + 128); - s[2][1] = LOAD(in + 144); - s[2][2] = LOAD(in + 160); - s[2][3] = LOAD(in + 176); - s[3][0] = LOAD(in + 192); - s[3][1] = LOAD(in + 208); - s[3][2] = LOAD(in + 224); - s[3][3] = LOAD(in + 240); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - s[0][0] = XOR128(s[0][0], LOAD(in)); - s[0][1] = XOR128(s[0][1], LOAD(in + 16)); - s[0][2] = XOR128(s[0][2], LOAD(in + 32)); - s[0][3] = XOR128(s[0][3], LOAD(in + 48)); - s[1][0] = XOR128(s[1][0], LOAD(in + 
64)); - s[1][1] = XOR128(s[1][1], LOAD(in + 80)); - s[1][2] = XOR128(s[1][2], LOAD(in + 96)); - s[1][3] = XOR128(s[1][3], LOAD(in + 112)); - s[2][0] = XOR128(s[2][0], LOAD(in + 128)); - s[2][1] = XOR128(s[2][1], LOAD(in + 144)); - s[2][2] = XOR128(s[2][2], LOAD(in + 160)); - s[2][3] = XOR128(s[2][3], LOAD(in + 176)); - s[3][0] = XOR128(s[3][0], LOAD(in + 192)); - s[3][1] = XOR128(s[3][1], LOAD(in + 208)); - s[3][2] = XOR128(s[3][2], LOAD(in + 224)); - s[3][3] = XOR128(s[3][3], LOAD(in + 240)); - - TRUNCSTORE(out, s[0][0], s[0][1], s[0][2], s[0][3]); - TRUNCSTORE((out + 32), s[1][0], s[1][1], s[1][2], s[1][3]); - TRUNCSTORE((out + 64), s[2][0], s[2][1], s[2][2], s[2][3]); - TRUNCSTORE((out + 96), s[3][0], s[3][1], s[3][2], s[3][3]); -} - -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[2], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - - AES2(s[0], s[1], state->rc); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 4); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 8); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 12); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 16); - MIX2(s[0], s[1]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - - STORE(out, s[0]); - STORE(out + 16, s[1]); -} - -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka256x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][2], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[1][0] = LOAD(in + 32); - s[1][1] = LOAD(in + 48); - s[2][0] = LOAD(in + 64); - s[2][1] = LOAD(in + 80); - s[3][0] = LOAD(in + 96); - s[3][1] = LOAD(in + 112); - - // Round 1 - AES2_4x(s[0], s[1], s[2], s[3], state->rc); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 2 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 4); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - 
MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 3 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 8); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 4 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 12); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 5 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 16); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Feed Forward - s[0][0] = _mm_xor_si128(s[0][0], LOAD(in)); - s[0][1] = _mm_xor_si128(s[0][1], LOAD(in + 16)); - s[1][0] = _mm_xor_si128(s[1][0], LOAD(in + 32)); - s[1][1] = _mm_xor_si128(s[1][1], LOAD(in + 48)); - s[2][0] = _mm_xor_si128(s[2][0], LOAD(in + 64)); - s[2][1] = _mm_xor_si128(s[2][1], LOAD(in + 80)); - s[3][0] = _mm_xor_si128(s[3][0], LOAD(in + 96)); - s[3][1] = _mm_xor_si128(s[3][1], LOAD(in + 112)); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[1][0]); - STORE(out + 48, s[1][1]); - STORE(out + 64, s[2][0]); - STORE(out + 80, s[2][1]); - STORE(out + 96, s[3][0]); - STORE(out + 112, s[3][1]); -} - -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[2], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - - AES2(s[0], s[1], state->rc_sseed); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 4); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 8); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 12); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 16); - MIX2(s[0], s[1]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - - STORE(out, s[0]); - STORE(out + 16, s[1]); -} - -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka256_skx4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][2], tmp; - - 
s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[1][0] = LOAD(in + 32); - s[1][1] = LOAD(in + 48); - s[2][0] = LOAD(in + 64); - s[2][1] = LOAD(in + 80); - s[3][0] = LOAD(in + 96); - s[3][1] = LOAD(in + 112); - - // Round 1 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 2 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 4); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 3 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 8); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 4 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 12); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 5 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 16); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Feed Forward - s[0][0] = XOR128(s[0][0], LOAD(in)); - s[0][1] = XOR128(s[0][1], LOAD(in + 16)); - s[1][0] = XOR128(s[1][0], LOAD(in + 32)); - s[1][1] = XOR128(s[1][1], LOAD(in + 48)); - s[2][0] = XOR128(s[2][0], LOAD(in + 64)); - s[2][1] = XOR128(s[2][1], LOAD(in + 80)); - s[3][0] = XOR128(s[3][0], LOAD(in + 96)); - s[3][1] = XOR128(s[3][1], LOAD(in + 112)); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[1][0]); - STORE(out + 48, s[1][1]); - STORE(out + 64, s[2][0]); - STORE(out + 80, s[2][1]); - STORE(out + 96, s[3][0]); - STORE(out + 112, s[3][1]); -} diff --git a/crypto_sign/sphincs-haraka-128f-simple/aesni/haraka.h b/crypto_sign/sphincs-haraka-128f-simple/aesni/haraka.h deleted file mode 100644 index 501adc1c..00000000 --- a/crypto_sign/sphincs-haraka-128f-simple/aesni/haraka.h +++ /dev/null 
@@ -1,57 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_HARAKA_H
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_HARAKA_H
-
-#include
-#include
-#include
-
-typedef struct {
- __m128i rc[40];
- __m128i rc_sseed[40];
-} harakactx;
-
-/* Tweak constants with seed */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length);
-
-/* Haraka Sponge */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka_S_inc_init(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka_S_inc_finalize(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka_S(
- unsigned char *out, unsigned long long outlen,
- const unsigned char *in, unsigned long long inlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka_Sx4(
- unsigned char *out0,
- unsigned char *out1,
- unsigned char *out2,
- unsigned char *out3,
- unsigned long long outlen,
- const unsigned char *in0,
- const unsigned char *in1,
- const unsigned char *in2,
- const unsigned char *in3,
- unsigned long long inlen,
- const harakactx *state);
-
-
-/* Applies the 512-bit Haraka permutation to in. */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka512_perm_x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-512 */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka512x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka256x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 using sk.seed constants */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka256_skx4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-simple/aesni/hash.h b/crypto_sign/sphincs-haraka-128f-simple/aesni/hash.h
deleted file mode 100644
index 58b3e240..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/aesni/hash.h
+++ /dev/null
@@ -1,31 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_HASH_H
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_HASH_H
-
-#include "hash_state.h"
-
-#include
-#include
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed);
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_destroy_hash_function(hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-simple/aesni/hash_haraka.c b/crypto_sign/sphincs-haraka-128f-simple/aesni/hash_haraka.c
deleted file mode 100644
index f568a97e..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/aesni/hash_haraka.c
+++ /dev/null
@@ -1,96 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "haraka.h"
-#include "hash.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed) {
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_tweak_constants(hash_state_seeded, pub_seed, sk_seed, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N);
-}
-
-/* The haraka implementation is stack based and won't be replaced in PQClean/OQS,
- so we don't need to do anything */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_destroy_hash_function(
- hash_state *hash_state_seeded) { // NOLINT(readability-non-const-parameter)
- (void)hash_state_seeded;
-}
-
-/*
- * Computes PRF(key, addr), given a secret key of PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N bytes and an address
- */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- unsigned char buf[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_BYTES];
- /* Since PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N may be smaller than 32, we need a temporary buffer. */
- unsigned char outbuf[32];
-
- (void)key; /* Suppress an 'unused parameter' warning. */
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_addr_to_bytes(buf, addr);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka256_sk(outbuf, buf, hash_state_seeded);
- memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N);
-}
-
-/**
- * Computes the message-dependent randomness R, using a secret seed and an
- * optional randomization value as well as the message.
- */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded) {
- uint8_t s_inc[65];
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka_S_inc_init(s_inc);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, sk_prf, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, optrand, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka_S_inc_finalize(s_inc);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka_S_inc_squeeze(R, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, s_inc, hash_state_seeded);
-}
-
-/**
- * Computes the message hash using R, the public key, and the message.
- * Outputs the message digest and the index of the leaf. The index is split in
- * the tree index and the leaf index, for convenient copying to an address.
- */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded) {
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_TREE_BITS (PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_TREE_HEIGHT * (PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_D - 1))
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_TREE_BYTES ((PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_TREE_BITS + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_LEAF_BITS PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_TREE_HEIGHT
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_LEAF_BYTES ((PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_LEAF_BITS + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_DGST_BYTES (PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_MSG_BYTES + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_TREE_BYTES + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_LEAF_BYTES)
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_DGST_BYTES];
- unsigned char *bufp = buf;
- uint8_t s_inc[65];
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka_S_inc_init(s_inc);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, R, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, pk + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka_S_inc_finalize(s_inc);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka_S_inc_squeeze(buf, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_DGST_BYTES, s_inc, hash_state_seeded);
-
- memcpy(digest, bufp, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_MSG_BYTES);
- bufp += PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_MSG_BYTES;
-
- *tree = PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_bytes_to_ull(bufp, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_TREE_BYTES);
- *tree &= (~(uint64_t)0) >> (64 - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_TREE_BITS);
- bufp += PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_TREE_BYTES;
-
- *leaf_idx = (uint32_t)PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_bytes_to_ull(
- bufp, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_LEAF_BYTES);
- *leaf_idx &= (~(uint32_t)0) >> (32 - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_LEAF_BITS);
-}
diff --git a/crypto_sign/sphincs-haraka-128f-simple/aesni/hash_harakax4.c b/crypto_sign/sphincs-haraka-128f-simple/aesni/hash_harakax4.c
deleted file mode 100644
index 54befaf5..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/aesni/hash_harakax4.c
+++ /dev/null
@@ -1,37 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "haraka.h"
-#include "hash_state.h"
-#include "hashx4.h"
-#include "params.h"
-
-/*
- * 4-way parallel version of prf_addr; takes 4x as much input and output
- */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_prf_addrx4(unsigned char *out0,
- unsigned char *out1,
- unsigned char *out2,
- unsigned char *out3,
- const unsigned char *key,
- const uint32_t addrx4[4 * 8],
- const hash_state *state_seeded) {
- unsigned char bufx4[4 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_BYTES];
- /* Since PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N may be smaller than 32, we need a temporary buffer. */
- unsigned char outbuf[4 * 32];
- unsigned int i;
-
- (void)key; /* Suppress an 'unused parameter' warning. */
-
- for (i = 0; i < 4; i++) {
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_addr_to_bytes(bufx4 + i * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_BYTES, addrx4 + i * 8);
- }
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka256_skx4(outbuf, bufx4, state_seeded);
-
- memcpy(out0, outbuf, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N);
- memcpy(out1, outbuf + 32, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N);
- memcpy(out2, outbuf + 64, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N);
- memcpy(out3, outbuf + 96, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N);
-}
diff --git a/crypto_sign/sphincs-haraka-128f-simple/aesni/hash_state.h b/crypto_sign/sphincs-haraka-128f-simple/aesni/hash_state.h
deleted file mode 100644
index cf3aca08..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/aesni/hash_state.h
+++ /dev/null
@@ -1,26 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_HASH_STATE_H
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_HASH_STATE_H
-
-/**
- * Defines the type of the hash function state.
- *
- * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
- *
- * From Section 7.2.2 from the SPHINCS+ round-2 specification:
- *
- * Each of the instances of the tweakable hash function take PK.seed as its
- * first input, which is constant for a given key pair – and, thus, across
- * a single signature. This leads to a lot of redundant computation. To remedy
- * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
- * Because of the Merkle-Damgård construction that underlies SHA-256, this
- * allows for reuse of the intermediate SHA-256 state after the initial call to
- * the compression function which improves performance.
- *
- * We pass this hash state around in functions, because otherwise we need to
- * have a global variable.
- */
-
-#include "haraka.h"
-#define hash_state harakactx
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-simple/aesni/hashx4.h b/crypto_sign/sphincs-haraka-128f-simple/aesni/hashx4.h
deleted file mode 100644
index f3a74061..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/aesni/hashx4.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_HASHX4_H
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_HASHX4_H
-
-#include
-
-#include "hash_state.h"
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_prf_addrx4(unsigned char *out0,
- unsigned char *out1,
- unsigned char *out2,
- unsigned char *out3,
- const unsigned char *key,
- const uint32_t addrx4[4 * 8],
- const hash_state *state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-simple/aesni/params.h b/crypto_sign/sphincs-haraka-128f-simple/aesni/params.h
deleted file mode 100644
index 9054fb9e..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/aesni/params.h
+++ /dev/null
@@ -1,53 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_PARAMS_H
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_PARAMS_H
-
-/* Hash output length in bytes. */
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N 16
-/* Height of the hypertree. */
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FULL_HEIGHT 60
-/* Number of subtree layer. */
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_D 20
-/* FORS tree dimensions. */
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_HEIGHT 9
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_TREES 30
-/* Winternitz parameter, */
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_W 16
-
-/* The hash function is defined by linking a different hash.c file, as opposed
- to setting a #define constant. */
-
-/* For clarity */
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_BYTES 32
-
-/* WOTS parameters. */
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_LOGW 4
-
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_LEN1 (8 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N / PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_LOGW)
-
-/* PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_LEN2 3
-
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_LEN (PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_LEN1 + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_LEN2)
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_BYTES (PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_LEN * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N)
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_PK_BYTES PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_BYTES
-
-/* Subtree size. */
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_TREE_HEIGHT (PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FULL_HEIGHT / PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_D)
-
-/* FORS parameters. */
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_MSG_BYTES ((PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_TREES + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_BYTES ((PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_HEIGHT + 1) * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N)
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_PK_BYTES PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N
-
-/* Resulting SPX sizes. */
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_BYTES (PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_BYTES + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_D * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_BYTES +\
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FULL_HEIGHT * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N)
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_PK_BYTES (2 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N)
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_SK_BYTES (2 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_PK_BYTES)
-
-/* Optionally, signing can be made non-deterministic using optrand.
- This can help counter side-channel attacks that would benefit from
- getting a large number of traces when the signer uses the same nodes. */
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_OPTRAND_BYTES 32
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-simple/aesni/sign.c b/crypto_sign/sphincs-haraka-128f-simple/aesni/sign.c
deleted file mode 100644
index 8ab3fbbb..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/aesni/sign.c
+++ /dev/null
@@ -1,409 +0,0 @@
-#include
-#include
-#include
-#include
-
-#include "address.h"
-#include "api.h"
-#include "fors.h"
-#include "hash.h"
-#include "hash_state.h"
-#include "params.h"
-#include "randombytes.h"
-#include "thash.h"
-#include "utils.h"
-#include "wots.h"
-
-
-/**
- * Computes the leaf at a given address. First generates the WOTS key pair,
- * then computes leaf by hashing horizontally.
- */
-static void wots_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed,
- const unsigned char *pub_seed,
- uint32_t addr_idx, const uint32_t tree_addr[8],
- const hash_state *hash_state_seeded) {
- unsigned char pk[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_BYTES];
- uint32_t wots_addr[8] = {0};
- uint32_t wots_pk_addr[8] = {0};
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_type(
- wots_addr, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_TYPE_WOTS);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_type(
- wots_pk_addr, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_TYPE_WOTSPK);
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_copy_subtree_addr(
- wots_addr, tree_addr);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_keypair_addr(
- wots_addr, addr_idx);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_wots_gen_pk(
- pk, sk_seed, pub_seed, wots_addr, hash_state_seeded);
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_copy_keypair_addr(
- wots_pk_addr, wots_addr);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_thash_WOTS_LEN(
- leaf, pk, pub_seed, wots_pk_addr, hash_state_seeded);
-}
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_crypto_sign_secretkeybytes(void) {
- return PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES;
-}
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_crypto_sign_publickeybytes(void) {
- return PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES;
-}
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_crypto_sign_bytes(void) {
- return PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_CRYPTO_BYTES;
-}
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_crypto_sign_seedbytes(void) {
- return PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_CRYPTO_SEEDBYTES;
-}
-
-/*
- * Generates an SPX key pair given a seed of length
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [PUB_SEED || root]
- */
-int PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_crypto_sign_seed_keypair(
- uint8_t *pk, uint8_t *sk, const uint8_t *seed) {
- /* We do not need the auth path in key generation, but it simplifies the
- code to have just one treehash routine that computes both root and path
- in one function. */
- unsigned char auth_path[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N];
- uint32_t top_tree_addr[8] = {0};
- hash_state hash_state_seeded;
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_layer_addr(
- top_tree_addr, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_D - 1);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_type(
- top_tree_addr, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_TYPE_HASHTREE);
-
- /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */
- memcpy(sk, seed, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_CRYPTO_SEEDBYTES);
-
- memcpy(pk, sk + 2 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N);
-
- /* This hook allows the hash function instantiation to do whatever
- preparation or computation it needs, based on the public seed. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_initialize_hash_function(&hash_state_seeded, pk, sk);
-
- /* Compute root node of the top-most subtree. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_treehash_TREE_HEIGHT(
- sk + 3 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, auth_path, sk, sk + 2 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, 0, 0,
- wots_gen_leaf, top_tree_addr, &hash_state_seeded);
-
- memcpy(pk + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, sk + 3 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N);
-
- return 0;
-}
-
-/*
- * Generates an SPX key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [PUB_SEED || root]
- */
-int PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_crypto_sign_keypair(
- uint8_t *pk, uint8_t *sk) {
-
- // guarantee alignment of pk
- union {
- __m128 _x[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES / 16];
- uint8_t pk[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES];
- } aligned_pk;
-
- // guarantee alignment of sk
- union {
- __m128 _x[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES / 16];
- uint8_t sk[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES];
- } aligned_sk;
-
- union {
- __m128 _x[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_CRYPTO_SEEDBYTES / 16];
- uint8_t seed[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_CRYPTO_SEEDBYTES];
- } aligned_seed;
- randombytes(aligned_seed.seed, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_CRYPTO_SEEDBYTES);
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_crypto_sign_seed_keypair(
- aligned_pk.pk, aligned_sk.sk, aligned_seed.seed);
- memcpy(pk, aligned_pk.pk, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES);
- memcpy(sk, aligned_sk.sk, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES);
-
- return 0;
-}
-
-/**
- * Returns an array containing a detached signature.
- */
-int PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk) {
- // guarantee alignment of sk
- union {
- __m128 *_x;
- uint8_t sk[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES];
- } aligned_sk;
- memcpy(aligned_sk.sk, sk, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES);
- sk = aligned_sk.sk;
-
- // guarantee alignment of sig
- union {
- __m128 *_x;
- uint8_t sig[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_BYTES];
- } aligned_sig;
- uint8_t *orig_sig = sig;
- sig = (uint8_t *)aligned_sig.sig;
-
- const unsigned char *sk_seed = sk;
- const unsigned char *sk_prf = sk + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N;
- const unsigned char *pk = sk + 2 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N;
- const unsigned char *pub_seed = pk;
-
- unsigned char optrand[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N];
- unsigned char mhash[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_MSG_BYTES];
- unsigned char root[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N];
- uint32_t i;
- uint64_t tree;
- uint32_t idx_leaf;
- uint32_t wots_addr[8] = {0};
- uint32_t tree_addr[8] = {0};
-
- hash_state hash_state_seeded;
-
- /* This hook allows the hash function instantiation to do whatever
- preparation or computation it needs, based on the public seed. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_initialize_hash_function(
- &hash_state_seeded,
- pub_seed, sk_seed);
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_type(
- wots_addr, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_TYPE_WOTS);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_type(
- tree_addr, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_TYPE_HASHTREE);
-
- /* Optionally, signing can be made non-deterministic using optrand.
- This can help counter side-channel attacks that would benefit from
- getting a large number of traces when the signer uses the same nodes. */
- randombytes(optrand, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N);
- /* Compute the digest randomization value. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_gen_message_random(
- sig, sk_prf, optrand, m, mlen, &hash_state_seeded);
-
- /* Derive the message digest and leaf index from R, PK and M. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_hash_message(
- mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N;
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_tree_addr(wots_addr, tree);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_keypair_addr(
- wots_addr, idx_leaf);
-
- /* Sign the message hash using FORS. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_fors_sign(
- sig, root, mhash, sk_seed, pub_seed, wots_addr, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_BYTES;
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_D; i++) {
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_layer_addr(tree_addr, i);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_tree_addr(tree_addr, tree);
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_copy_subtree_addr(
- wots_addr, tree_addr);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_keypair_addr(
- wots_addr, idx_leaf);
-
- /* Compute a WOTS signature. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_wots_sign(
- sig, root, sk_seed, pub_seed, wots_addr, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_BYTES;
-
- /* Compute the authentication path for the used WOTS leaf. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_treehash_TREE_HEIGHT(
- root, sig, sk_seed, pub_seed, idx_leaf, 0,
- wots_gen_leaf, tree_addr, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N;
-
- /* Update the indices for the next layer. */
- idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_TREE_HEIGHT) - 1));
- tree = tree >> PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_TREE_HEIGHT;
- }
-
- memcpy(orig_sig, aligned_sig.sig, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_BYTES);
- *siglen = PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_BYTES;
-
- return 0;
-}
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk) {
- // guarantee alignment of pk
- union {
- __m128 *_x;
- uint8_t pk[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES];
- } aligned_pk;
- memcpy(aligned_pk.pk, pk, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES);
- pk = aligned_pk.pk;
-
- const unsigned char *pub_seed = pk;
- const unsigned char *pub_root = pk + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N;
- unsigned char mhash[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_MSG_BYTES];
- unsigned char wots_pk[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_BYTES];
- unsigned char root[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N];
- unsigned char leaf[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N];
- unsigned int i;
- uint64_t tree;
- uint32_t idx_leaf;
- uint32_t wots_addr[8] = {0};
- uint32_t tree_addr[8] = {0};
- uint32_t wots_pk_addr[8] = {0};
-
- hash_state hash_state_seeded;
-
- if (siglen != PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_BYTES) {
- return -1;
- }
-
- /* This hook allows the hash function instantiation to do whatever
- preparation or computation it needs, based on the public seed. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_initialize_hash_function(
- &hash_state_seeded,
- pub_seed, NULL);
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_type(
- wots_addr, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_TYPE_WOTS);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_type(
- tree_addr, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_TYPE_HASHTREE);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_type(
- wots_pk_addr, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_TYPE_WOTSPK);
-
- /* Derive the message digest and leaf index from R || PK || M. */
- /* The additional PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N is a result of the hash domain separator. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_hash_message(
- mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N;
-
- /* Layer correctly defaults to 0, so no need to set_layer_addr */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_tree_addr(wots_addr, tree);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_keypair_addr(
- wots_addr, idx_leaf);
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_fors_pk_from_sig(
- root, sig, mhash, pub_seed, wots_addr, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_BYTES;
-
- /* For each subtree.. */
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_D; i++) {
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_layer_addr(tree_addr, i);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_tree_addr(tree_addr, tree);
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_copy_subtree_addr(
- wots_addr, tree_addr);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_keypair_addr(
- wots_addr, idx_leaf);
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_copy_keypair_addr(
- wots_pk_addr, wots_addr);
-
- /* The WOTS public key is only correct if the signature was correct. */
- /* Initially, root is the FORS pk, but on subsequent iterations it is
- the root of the subtree below the currently processed subtree. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_wots_pk_from_sig(
- wots_pk, sig, root, pub_seed, wots_addr, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_BYTES;
-
- /* Compute the leaf node using the WOTS public key. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_thash_WOTS_LEN(
- leaf, wots_pk, pub_seed, wots_pk_addr, &hash_state_seeded);
-
- /* Compute the root node of this subtree. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_compute_root(
- root, leaf, idx_leaf, 0, sig, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_TREE_HEIGHT,
- pub_seed, tree_addr, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N;
-
- /* Update the indices for the next layer. */
- idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_TREE_HEIGHT) - 1));
- tree = tree >> PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_TREE_HEIGHT;
- }
-
- /* Check if the root node equals the root node in the public key. */
- if (memcmp(root, pub_root, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N) != 0) {
- return -1;
- }
-
- return 0;
-}
-
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen, const uint8_t *sk) {
- size_t siglen;
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_crypto_sign_signature(
- sm, &siglen, m, mlen, sk);
-
- memmove(sm + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_BYTES, m, mlen);
- *smlen = siglen + mlen;
-
- return 0;
-}
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen, const uint8_t *pk) {
-
- // guarantee alignment of pk
- union {
- __m128 *_x;
- uint8_t pk[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES];
- } aligned_pk;
- memcpy(aligned_pk.pk, pk, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES);
- pk = aligned_pk.pk;
-
-
- /* The API caller does not necessarily know what size a signature should be
- but SPHINCS+ signatures are always exactly PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_BYTES. */
- if (smlen < PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_BYTES) {
- memset(m, 0, smlen);
- *mlen = 0;
- return -1;
- }
-
- *mlen = smlen - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_BYTES;
-
- if (PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_crypto_sign_verify(
- sm, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_BYTES, sm + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_BYTES, *mlen, pk)) {
- memset(m, 0, smlen);
- *mlen = 0;
- return -1;
- }
-
- /* If verification was successful, move the message to the right place. */
- memmove(m, sm + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_BYTES, *mlen);
-
- return 0;
-}
diff --git a/crypto_sign/sphincs-haraka-128f-simple/aesni/thash.h b/crypto_sign/sphincs-haraka-128f-simple/aesni/thash.h
deleted file mode 100644
index 8825a019..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/aesni/thash.h
+++ /dev/null
@@ -1,28 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_THASH_H
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_THASH_H
-
-#include "hash_state.h"
-
-#include
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_thash_1(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_thash_2(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_thash_WOTS_LEN(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_thash_FORS_TREES(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-simple/aesni/thash_haraka_simple.c b/crypto_sign/sphincs-haraka-128f-simple/aesni/thash_haraka_simple.c
deleted file mode 100644
index 6ef2b75e..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/aesni/thash_haraka_simple.c
+++ /dev/null
@@ -1,83 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "params.h"
-#include "thash.h"
-
-#include "haraka.h"
-
-/**
- * Takes an array of inblocks concatenated arrays of PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N bytes.
- */
-static void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_thash(
- unsigned char *out, unsigned char *buf,
- const unsigned char *in, unsigned int inblocks,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned char outbuf[32];
- unsigned char buf_tmp[64];
-
- (void)pub_seed; /* Suppress an 'unused parameter' warning. */
-
- if (inblocks == 1) {
- /* F function */
- /* Since PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N may be smaller than 32, we need a temporary buffer. */
- memset(buf_tmp, 0, 64);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_addr_to_bytes(buf_tmp, addr);
- memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_BYTES, in, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N);
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka512(outbuf, buf_tmp, hash_state_seeded);
- memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N);
- } else {
- /* All other tweakable hashes*/
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_addr_to_bytes(buf, addr);
- memcpy(buf + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N);
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka_S(
- out, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, buf, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_BYTES + inblocks * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, hash_state_seeded);
- }
-}
-
-/* The wrappers below ensure that we use fixed-size buffers on the stack */
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_thash_1(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_BYTES + 1 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N];
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_thash(
- out, buf, in, 1, pub_seed, addr, hash_state_seeded);
-}
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_thash_2(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_BYTES + 2 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N];
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_thash(
- out, buf, in, 2, pub_seed, addr, hash_state_seeded);
-}
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_thash_WOTS_LEN(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_LEN * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N];
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_thash(
- out, buf, in, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_LEN, pub_seed, addr, hash_state_seeded);
-}
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_thash_FORS_TREES(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N];
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_thash(
- out, buf, in, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_TREES, pub_seed, addr, hash_state_seeded);
-}
diff --git a/crypto_sign/sphincs-haraka-128f-simple/aesni/thash_haraka_simplex4.c b/crypto_sign/sphincs-haraka-128f-simple/aesni/thash_haraka_simplex4.c
deleted file mode 100644
index aade6da1..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/aesni/thash_haraka_simplex4.c
+++ /dev/null
@@ -1,66 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "haraka.h"
-#include "params.h"
-#include "thashx4.h"
-
-/**
- * 4-way parallel version of thash; takes 4x as much input and output
- */
-#define thashx4_variant(name, inblocks) \
- void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_thashx4_##name(unsigned char *out0, unsigned char *out1, unsigned char *out2, \
- unsigned char *out3, const unsigned char *in0, \
- const unsigned char *in1, const unsigned char *in2, \
- const unsigned char *in3, const unsigned char *pub_seed, \
- uint32_t addrx4[4 * 8], const harakactx *state) { \
- unsigned char buf0[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N]; \
- unsigned char buf1[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N]; \
- unsigned char buf2[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N]; \
- unsigned char buf3[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N]; \
- unsigned char outbuf[32 * 4]; \
- unsigned char buf_tmp[64 * 4]; \
- \
- (void)pub_seed; /* Suppress an 'unused parameter' warning. */ \
- \
- if ((inblocks) == 1) { \
- memset(buf_tmp, 0, 64 * 4); \
- \
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_addr_to_bytes(buf_tmp, addrx4 + 0 * 8); \
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_addr_to_bytes(buf_tmp + 64, addrx4 + 1 * 8); \
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_addr_to_bytes(buf_tmp + 128, addrx4 + 2 * 8); \
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_addr_to_bytes(buf_tmp + 192, addrx4 + 3 * 8); \
- \
- memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_BYTES, in0, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N); \
- memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_BYTES + 64, in1, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N); \
- memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_BYTES + 128, in2, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N); \
- memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_BYTES + 192, in3, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N); \
- \
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka512x4(outbuf, buf_tmp, state); \
- \
- memcpy(out0, outbuf, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N); \
- memcpy(out1, outbuf + 32, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N); \
- memcpy(out2, outbuf + 64, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N); \
- memcpy(out3, outbuf + 96, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N); \
- } else { \
- /* All other tweakable hashes*/ \
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_addr_to_bytes(buf0, addrx4 + 0 * 8); \
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_addr_to_bytes(buf1, addrx4 + 1 * 8); \
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_addr_to_bytes(buf2, addrx4 + 2 * 8); \
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_addr_to_bytes(buf3, addrx4 + 3 * 8); \
- \
- memcpy(buf0 + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_BYTES, in0, (inblocks)*PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N); \
- memcpy(buf1 + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_BYTES, in1, (inblocks)*PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N); \
- memcpy(buf2 + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_BYTES, in2, (inblocks)*PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N); \
- memcpy(buf3 + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_BYTES, in3, (inblocks)*PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N); \
- \
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_haraka_Sx4(out0, out1, out2, out3, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, buf0, buf1, buf2, buf3, \
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, state); \
- } \
- }
-
-thashx4_variant(1, 1)
-thashx4_variant(2, 2)
-thashx4_variant(WOTS_LEN, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_LEN)
-thashx4_variant(FORS_TREES, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_TREES)
diff --git a/crypto_sign/sphincs-haraka-128f-simple/aesni/thashx4.h b/crypto_sign/sphincs-haraka-128f-simple/aesni/thashx4.h
deleted file mode 100644
index 0f45b958..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/aesni/thashx4.h
+++ /dev/null
@@ -1,25 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_THASHX4_H
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_THASHX4_H
-
-#include
-
-#include "hash_state.h"
-
-#define thashx4_header(inblocks) \
- void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_thashx4_##inblocks(unsigned char *out0, \
- unsigned char *out1, \
- unsigned char *out2, \
- unsigned char *out3, \
- const unsigned char *in0, \
- const unsigned char *in1, \
- const unsigned char *in2, \
- const unsigned char *in3, \
- const unsigned char *pub_seed, uint32_t addrx4[4*8], \
- const hash_state *state_seeded)
-
-thashx4_header(1);
-thashx4_header(2);
-thashx4_header(WOTS_LEN);
-thashx4_header(FORS_TREES);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-simple/aesni/utils.c b/crypto_sign/sphincs-haraka-128f-simple/aesni/utils.c
deleted file mode 100644
index 0d1b0b49..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/aesni/utils.c
+++ /dev/null
@@ -1,199 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "hash.h"
-#include "hash_state.h"
-#include "params.h"
-#include "thash.h"
-#include "utils.h"
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ull_to_bytes(
- unsigned char *out, size_t outlen, unsigned long long in) {
-
- /* Iterate over out in decreasing order, for big-endianness. */
- for (size_t i = outlen; i > 0; i--) {
- out[i - 1] = in & 0xff;
- in = in >> 8;
- }
-}
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-unsigned long long PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_bytes_to_ull(
- const unsigned char *in, size_t inlen) {
- unsigned long long retval = 0;
-
- for (size_t i = 0; i < inlen; i++) {
- retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i));
- }
- return retval;
-}
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_compute_root(
- unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- uint32_t i;
- unsigned char buffer[2 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N];
-
- /* If leaf_idx is odd (last bit = 1), current path element is a right child
- and auth_path has to go left. Otherwise it is the other way around. */
- if (leaf_idx & 1) {
- memcpy(buffer + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, leaf, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N);
- memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N);
- } else {
- memcpy(buffer, leaf, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N);
- memcpy(buffer + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, auth_path, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N);
- }
- auth_path += PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N;
-
- for (i = 0; i < tree_height - 1; i++) {
- leaf_idx >>= 1;
- idx_offset >>= 1;
- /* Set the address of the node we're creating. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_tree_height(addr, i + 1);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_tree_index(
- addr, leaf_idx + idx_offset);
-
- /* Pick the right or left neighbor, depending on parity of the node. */
- if (leaf_idx & 1) {
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_thash_2(
- buffer + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, buffer, pub_seed, addr, hash_state_seeded);
- memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N);
- } else {
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_thash_2(
- buffer, buffer, pub_seed, addr, hash_state_seeded);
- memcpy(buffer + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, auth_path, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N);
- }
- auth_path += PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N;
- }
-
- /* The last iteration is exceptional; we do not copy an auth_path node. */
- leaf_idx >>= 1;
- idx_offset >>= 1;
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_tree_height(addr, tree_height);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_tree_index(
- addr, leaf_idx + idx_offset);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_thash_2(
- root, buffer, pub_seed, addr, hash_state_seeded);
-}
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-static void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_treehash(
- unsigned char *root, unsigned char *auth_path,
- unsigned char *stack, unsigned int *heights,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned int offset = 0;
- uint32_t idx;
- uint32_t tree_idx;
-
- for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) {
- /* Add the next leaf node to the stack. */
- gen_leaf(stack + offset * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N,
- sk_seed, pub_seed, idx + idx_offset, tree_addr,
- hash_state_seeded);
- offset++;
- heights[offset - 1] = 0;
-
- /* If this is a node we need for the auth path.. */
- if ((leaf_idx ^ 0x1) == idx) {
- memcpy(auth_path, stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N);
- }
-
- /* While the top-most nodes are of equal height.. */
- while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) {
- /* Compute index of the new node, in the next layer. */
- tree_idx = (idx >> (heights[offset - 1] + 1));
-
- /* Set the address of the node we're creating. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_tree_height(
- tree_addr, heights[offset - 1] + 1);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_tree_index(
- tree_addr, tree_idx + (idx_offset >> (heights[offset - 1] + 1)));
- /* Hash the top-most nodes from the stack together. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_thash_2(
- stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N,
- pub_seed, tree_addr, hash_state_seeded);
- offset--;
- /* Note that the top-most node is now one layer higher. */
- heights[offset - 1]++;
-
- /* If this is a node we need for the auth path.. */
- if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) {
- memcpy(auth_path + heights[offset - 1]*PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N,
- stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N);
- }
- }
- }
- memcpy(root, stack, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N);
-}
-
-/* The wrappers below ensure that we use fixed-size buffers on the stack */
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_treehash_FORS_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded) {
-
- unsigned char stack[(PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N];
- unsigned int heights[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_HEIGHT + 1];
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_treehash(
- root, auth_path, stack, heights, sk_seed, pub_seed,
- leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_HEIGHT, gen_leaf, tree_addr, hash_state_seeded);
-}
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_treehash_TREE_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded) {
-
- unsigned char stack[(PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_TREE_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N];
- unsigned int heights[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_TREE_HEIGHT + 1];
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_treehash(
- root, auth_path, stack, heights, sk_seed, pub_seed,
- leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_TREE_HEIGHT, gen_leaf, tree_addr, hash_state_seeded);
-}
diff --git a/crypto_sign/sphincs-haraka-128f-simple/aesni/utils.h b/crypto_sign/sphincs-haraka-128f-simple/aesni/utils.h
deleted file mode 100644
index f241c10a..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/aesni/utils.h
+++ /dev/null
@@ -1,64 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_UTILS_H
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_UTILS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-#include
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ull_to_bytes(
- unsigned char *out, size_t outlen, unsigned long long in);
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-unsigned long long PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_bytes_to_ull(
- const unsigned char *in, size_t inlen);
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_compute_root(
- unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_treehash_FORS_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_treehash_TREE_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-simple/aesni/utilsx4.c b/crypto_sign/sphincs-haraka-128f-simple/aesni/utilsx4.c
deleted file mode 100644
index 9d67f765..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/aesni/utilsx4.c
+++ /dev/null
@@ -1,98 +0,0 @@ -#include "address.h" -#include "params.h" -#include "thashx4.h" -#include "utils.h" -#include "utilsx4.h" - -#include - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -#define treehashx4_variant(name, tree_height) \ - void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_treehashx4_##name( \ - unsigned char *rootx4, unsigned char *auth_pathx4, const unsigned char *sk_seed, \ - const unsigned char *pub_seed, const uint32_t leaf_idx[4], uint32_t idx_offset[4], \ - void (*gen_leafx4)(unsigned char * /* leaf0 */, unsigned char * /* leaf1 */, \ - unsigned char * /* leaf2 */, unsigned char * /* leaf3 */, \ - const unsigned char * /* sk_seed */, \ - const unsigned char * /* pub_seed */, uint32_t /* addr_idx0 */, \ - uint32_t /* addr_idx1 */, uint32_t /* addr_idx2 */, \ - uint32_t /* addr_idx3 */, const uint32_t[8] /* tree_addr */, \ - const hash_state * /* state_seeded */), \ - uint32_t tree_addrx4[4 * 8], const hash_state *state_seeded) { \ - unsigned char stackx4[4 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N]; \ - unsigned int heights[(tree_height) + 1]; \ - unsigned int offset = 0; \ - uint32_t idx; \ - uint32_t tree_idx; \ - unsigned int j; \ - \ - for (idx = 0; idx < (uint32_t)(1 << (tree_height)); idx++) { \ - /* Add the next leaf node to the stack. 
*/ \ - gen_leafx4(stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, sk_seed, \ - pub_seed, idx + idx_offset[0], idx + idx_offset[1], idx + idx_offset[2], \ - idx + idx_offset[3], tree_addrx4, state_seeded); \ - offset++; \ - heights[offset - 1] = 0; \ - \ - /* If this is a node we need for the auth path.. */ \ - for (j = 0; j < 4; j++) { \ - if ((leaf_idx[j] ^ 0x1) == idx) { \ - memcpy(auth_pathx4 + j * (tree_height)*PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, \ - stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N + (offset - 1) * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, \ - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N); \ - } \ - } \ - \ - /* While the top-most nodes are of equal height.. */ \ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { \ - /* Compute index of the new node, in the next layer. */ \ - tree_idx = (idx >> (heights[offset - 1] + 1)); \ - \ - /* Set the address of the node we're creating. */ \ - for (j = 0; j < 4; j++) { \ - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_tree_height(tree_addrx4 + j * 8, heights[offset - 1] + 1); \ - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_tree_index(tree_addrx4 + j * 8, \ - tree_idx + (idx_offset[j] >> (heights[offset - 1] + 1))); \ - } \ - /* Hash the top-most nodes from the stack together. 
*/ \ - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_thashx4_2(stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, \ - stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, \ - pub_seed, tree_addrx4, state_seeded); \ - offset--; \ - /* Note that the top-most node is now one layer higher. */ \ - heights[offset - 1]++; \ - \ - /* If this is a node we need for the auth path.. 
*/ \ - for (j = 0; j < 4; j++) { \ - if (((leaf_idx[j] >> heights[offset - 1]) ^ 0x1) == tree_idx) { \ - memcpy(auth_pathx4 + j * (tree_height)*PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N + \ - heights[offset - 1] * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, \ - stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N + (offset - 1) * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, \ - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N); \ - } \ - } \ - } \ - } \ - \ - for (j = 0; j < 4; j++) { \ - memcpy(rootx4 + j * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N); \ - } \ - } - -treehashx4_variant(FORS_HEIGHT, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_FORS_HEIGHT) diff --git a/crypto_sign/sphincs-haraka-128f-simple/aesni/utilsx4.h b/crypto_sign/sphincs-haraka-128f-simple/aesni/utilsx4.h deleted file mode 100644 index b3ed7b87..00000000 --- a/crypto_sign/sphincs-haraka-128f-simple/aesni/utilsx4.h +++ /dev/null 
@@ -1,38 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_UTILSX4_H
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_UTILSX4_H
-
-#include "hash_state.h"
-#include "params.h"
-
-#include
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_treehashx4_FORS_HEIGHT(unsigned char *rootx4,
- unsigned char *auth_pathx4,
- const unsigned char *sk_seed,
- const unsigned char *pub_seed,
- const uint32_t leaf_idx[4],
- uint32_t idx_offset[4],
- void (*gen_leafx4)(unsigned char * /* leaf0 */,
- unsigned char * /* leaf1 */,
- unsigned char * /* leaf2 */,
- unsigned char * /* leaf3 */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx0 */,
- uint32_t /* addr_idx1 */,
- uint32_t /* addr_idx2 */,
- uint32_t /* addr_idx3 */,
- const uint32_t[8] /* tree_addr */,
- const hash_state * /* state_seeded */),
- uint32_t tree_addrx4[4 * 8],
- const hash_state *state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-simple/aesni/wots.c b/crypto_sign/sphincs-haraka-128f-simple/aesni/wots.c
deleted file mode 100644
index 6eb6bd4d..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/aesni/wots.c
+++ /dev/null
@@ -1,240 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "hashx4.h" -#include "params.h" -#include "thash.h" -#include "thashx4.h" -#include "utils.h" -#include "wots.h" - -// TODO clarify address expectations, and make them more uniform. -// TODO i.e. do we expect types to be set already? -// TODO and do we expect modifications or copies? - -/** - * Computes the starting value for a chain, i.e. the secret key. - * Expects the address to be complete up to the chain address. - */ -static void wots_gen_sk(unsigned char *sk, const unsigned char *sk_seed, - uint32_t wots_addr[8], const hash_state *state_seeded) { - /* Make sure that the hash address is actually zeroed. */ - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_hash_addr(wots_addr, 0); - - /* Generate sk element. */ - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_prf_addr(sk, sk_seed, wots_addr, state_seeded); -} - -/** - * 4-way parallel version of wots_gen_sk; expects 4x as much space in sk - */ -static void wots_gen_skx4(unsigned char *skx4, const unsigned char *sk_seed, - uint32_t wots_addrx4[4 * 8], const hash_state *state_seeded) { - unsigned int j; - - /* Make sure that the hash address is actually zeroed. */ - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_hash_addr(wots_addrx4 + j * 8, 0); - } - - /* Generate sk element. */ - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_prf_addrx4(skx4 + 0 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, - skx4 + 1 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, - skx4 + 2 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, - skx4 + 3 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, - sk_seed, wots_addrx4, - state_seeded); -} - -/** - * Computes the chaining function. - * out and in have to be n-byte arrays. - * - * Interprets in as start-th value of the chain. - * addr has to contain the address of the chain. 
- */ -static void gen_chain(unsigned char *out, const unsigned char *in, - unsigned int start, unsigned int steps, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - uint32_t i; - - /* Initialize out with the value at position 'start'. */ - memcpy(out, in, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N); - - /* Iterate 'steps' calls to the hash function. */ - for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_W; i++) { - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_hash_addr(addr, i); - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_thash_1(out, out, pub_seed, addr, state_seeded); - } -} - -/** - * 4-way parallel version of gen_chain; expects 4x as much space in out, and - * 4x as much space in inx4. Assumes start and step identical across chains. - */ -static void gen_chainx4(unsigned char *outx4, const unsigned char *inx4, - unsigned int start, unsigned int steps, - const unsigned char *pub_seed, uint32_t addrx4[4 * 8], - const hash_state *state_seeded) { - uint32_t i; - unsigned int j; - - /* Initialize outx4 with the value at position 'start'. */ - memcpy(outx4, inx4, 4 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N); - - /* Iterate 'steps' calls to the hash function. 
*/ - for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_W; i++) { - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_hash_addr(addrx4 + j * 8, i); - } - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_thashx4_1(outx4 + 0 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, - outx4 + 1 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, - outx4 + 2 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, - outx4 + 3 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, - outx4 + 0 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, - outx4 + 1 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, - outx4 + 2 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, - outx4 + 3 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, - pub_seed, addrx4, - state_seeded); - } -} - -/** - * base_w algorithm as described in draft. - * Interprets an array of bytes as integers in base w. - * This only works when log_w is a divisor of 8. - */ -static void base_w(unsigned int *output, const int out_len, const unsigned char *input) { - int in = 0; - int out = 0; - unsigned char total = 0; - int bits = 0; - int consumed; - - for (consumed = 0; consumed < out_len; consumed++) { - if (bits == 0) { - total = input[in]; - in++; - bits += 8; - } - bits -= PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_LOGW; - output[out] = (unsigned int)(total >> bits) & (PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_W - 1); - out++; - } -} - -/* Computes the WOTS+ checksum over a message (in base_w). */ -static void wots_checksum(unsigned int *csum_base_w, const unsigned int *msg_base_w) { - unsigned int csum = 0; - unsigned char csum_bytes[(PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_LOGW + 7) / 8]; - unsigned int i; - - /* Compute checksum. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_LEN1; i++) { - csum += PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_W - 1 - msg_base_w[i]; - } - - /* Convert checksum to base_w. 
*/ - /* Make sure expected empty zero bits are the least significant bits. */ - csum = csum << (8 - ((PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_LOGW) % 8)); - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_ull_to_bytes(csum_bytes, sizeof(csum_bytes), csum); - base_w(csum_base_w, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_LEN2, csum_bytes); -} - -/* Takes a message and derives the matching chain lengths. */ -static void chain_lengths(unsigned int *lengths, const unsigned char *msg) { - base_w(lengths, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_LEN1, msg); - wots_checksum(lengths + PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_LEN1, lengths); -} - -/** - * WOTS key generation. Takes a 32 byte sk_seed, expands it to WOTS private key - * elements and computes the corresponding public key. - * It requires the seed pub_seed (used to generate bitmasks and hash keys) - * and the address of this WOTS key pair. - * - * Writes the computed public key to 'pk'. - */ -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_wots_gen_pk(unsigned char *pk, const unsigned char *sk_seed, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - uint32_t i; - unsigned int j; - - uint32_t addrx4[4 * 8]; - unsigned char pkbuf[4 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N]; - - for (j = 0; j < 4; j++) { - memcpy(addrx4 + j * 8, addr, sizeof(uint32_t) * 8); - } - - /* The last iteration typically does not have complete set of 4 chains, - but because we use pkbuf, this is not an issue -- we still do as many - in parallel as possible. 
*/ - for (i = 0; i < ((PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_LEN + 3) & ~0x3); i += 4) { - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_chain_addr(addrx4 + j * 8, i + j); - } - wots_gen_skx4(pkbuf, sk_seed, addrx4, state_seeded); - gen_chainx4(pkbuf, pkbuf, 0, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_W - 1, pub_seed, addrx4, state_seeded); - for (j = 0; j < 4; j++) { - if (i + j < PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_LEN) { - memcpy(pk + (i + j)*PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, pkbuf + j * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N); - } - } - } - - // Get rid of unused argument variable. - (void)state_seeded; -} - -/** - * Takes a n-byte message and the 32-byte sk_see to compute a signature 'sig'. - */ -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_wots_sign(unsigned char *sig, const unsigned char *msg, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t addr[8], const hash_state *state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_chain_addr(addr, i); - wots_gen_sk(sig + i * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, sk_seed, addr, state_seeded); - gen_chain(sig + i * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, sig + i * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, 0, lengths[i], pub_seed, addr, state_seeded); - } - - // avoid unused argument - (void)state_seeded; -} - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. 
- */ -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_wots_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_set_chain_addr(addr, i); - gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, sig + i * PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_N, - lengths[i], PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_W - 1 - lengths[i], pub_seed, addr, - state_seeded); - } - - // avoid unused argument - (void)state_seeded; -} diff --git a/crypto_sign/sphincs-haraka-128f-simple/aesni/wots.h b/crypto_sign/sphincs-haraka-128f-simple/aesni/wots.h deleted file mode 100644 index b0eebb9f..00000000 --- a/crypto_sign/sphincs-haraka-128f-simple/aesni/wots.h +++ /dev/null 
@@ -1,41 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_H
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_WOTS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-
-/**
- * WOTS key generation. Takes a 32 byte seed for the private key, expands it to
- * a full WOTS private key and computes the corresponding public key.
- * It requires the seed pub_seed (used to generate bitmasks and hash keys)
- * and the address of this WOTS key pair.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_wots_gen_pk(
- unsigned char *pk, const unsigned char *sk_seed,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * Takes a n-byte message and the 32-byte seed for the private key to compute a
- * signature that is placed at 'sig'.
- */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_wots_sign(
- unsigned char *sig, const unsigned char *msg,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_AESNI_wots_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-simple/clean/LICENSE b/crypto_sign/sphincs-haraka-128f-simple/clean/LICENSE
deleted file mode 100644
index 670154e3..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/clean/LICENSE
+++ /dev/null
@@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. 
publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. 
Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. 
Affirmer offers the Work as-is and makes no representations or warranties - of any kind concerning the Work, express, implied, statutory or otherwise, - including without limitation warranties of title, merchantability, fitness - for a particular purpose, non infringement, or the absence of latent or - other defects, accuracy, or the present or absence of errors, whether or not - discoverable, all to the greatest extent permissible under applicable law. - - c. Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without limitation - any person's Copyright and Related Rights in the Work. Further, Affirmer - disclaims responsibility for obtaining any necessary consents, permissions - or other rights required for any use of the Work. - - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to this - CC0 or use of the Work. - -For more information, please see - diff --git a/crypto_sign/sphincs-haraka-128f-simple/clean/Makefile.Microsoft_nmake b/crypto_sign/sphincs-haraka-128f-simple/clean/Makefile.Microsoft_nmake deleted file mode 100644 index 02eaa6ec..00000000 --- a/crypto_sign/sphincs-haraka-128f-simple/clean/Makefile.Microsoft_nmake +++ /dev/null @@ -1,19 +0,0 @@ -# This Makefile can be used with Microsoft Visual Studio's nmake using the command: -# nmake /f Makefile.Microsoft_nmake - -LIBRARY=libsphincs-haraka-128f-simple_clean.lib -OBJECTS=address.obj wots.obj utils.obj fors.obj sign.obj hash_haraka.obj thash_haraka_simple.obj haraka.obj - -CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX - -all: $(LIBRARY) - -# Make sure objects are recompiled if headers change. -$(OBJECTS): *.h - -$(LIBRARY): $(OBJECTS) - LIB.EXE /NOLOGO /WX /OUT:$@ $** - -clean: - -DEL $(OBJECTS) - -DEL $(LIBRARY) 
diff --git a/crypto_sign/sphincs-haraka-128f-simple/clean/address.c b/crypto_sign/sphincs-haraka-128f-simple/clean/address.c
deleted file mode 100644
index ce8106a5..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/clean/address.c
+++ /dev/null
@@ -1,78 +0,0 @@
-#include
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]) {
- int i;
-
- for (i = 0; i < 8; i++) {
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ull_to_bytes(
- bytes + i * 4, 4, addr[i]);
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_layer_addr(
- uint32_t addr[8], uint32_t layer) {
- addr[0] = layer;
-}
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_tree_addr(
- uint32_t addr[8], uint64_t tree) {
- addr[1] = 0;
- addr[2] = (uint32_t) (tree >> 32);
- addr[3] = (uint32_t) tree;
-}
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_type(
- uint32_t addr[8], uint32_t type) {
- addr[4] = type;
-}
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
-}
-
-/* These functions are used for OTS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair) {
- addr[5] = keypair;
-}
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
- out[5] = in[5];
-}
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_chain_addr(
- uint32_t addr[8], uint32_t chain) {
- addr[6] = chain;
-}
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_hash_addr(
- uint32_t addr[8], uint32_t hash) {
- addr[7] = hash;
-}
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_tree_height(
- uint32_t addr[8], uint32_t tree_height) {
- addr[6] = tree_height;
-}
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_tree_index(
- uint32_t addr[8], uint32_t tree_index) {
- addr[7] = tree_index;
-}
diff --git a/crypto_sign/sphincs-haraka-128f-simple/clean/address.h b/crypto_sign/sphincs-haraka-128f-simple/clean/address.h
deleted file mode 100644
index 22b0e4ee..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/clean/address.h
+++ /dev/null
@@ -1,50 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDRESS_H
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDRESS_H
-
-#include
-
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_TYPE_WOTS 0
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_TYPE_WOTSPK 1
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_TYPE_HASHTREE 2
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_TYPE_FORSTREE 3
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_TYPE_FORSPK 4
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]);
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_layer_addr(
- uint32_t addr[8], uint32_t layer);
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_tree_addr(
- uint32_t addr[8], uint64_t tree);
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_type(
- uint32_t addr[8], uint32_t type);
-
-/* Copies the layer and tree part of one address into the other */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for WOTS and FORS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair);
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_chain_addr(
- uint32_t addr[8], uint32_t chain);
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_hash_addr(
- uint32_t addr[8], uint32_t hash);
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_tree_height(
- uint32_t addr[8], uint32_t tree_height);
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_tree_index(
- uint32_t addr[8], uint32_t tree_index);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-simple/clean/api.h b/crypto_sign/sphincs-haraka-128f-simple/clean/api.h
deleted file mode 100644
index edf32d17..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/clean/api.h
+++ /dev/null
@@ -1,81 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_API_H
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_API_H
-
-#include
-#include
-
-
-
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_CRYPTO_ALGNAME "SPHINCS+"
-
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_CRYPTO_SECRETKEYBYTES 64
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_CRYPTO_PUBLICKEYBYTES 32
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_CRYPTO_BYTES 16976
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_CRYPTO_SEEDBYTES 48
-
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_crypto_sign_seed_keypair(
- uint8_t *pk, uint8_t *sk, const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_crypto_sign_keypair(
- uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-int PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen, const uint8_t *pk);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-simple/clean/fors.c b/crypto_sign/sphincs-haraka-128f-simple/clean/fors.c
deleted file mode 100644
index 9554ae72..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/clean/fors.c
+++ /dev/null
@@ -1,161 +0,0 @@
-#include
-#include
-#include
-
-#include "address.h"
-#include "fors.h"
-#include "hash.h"
-#include "hash_state.h"
-#include "thash.h"
-#include "utils.h"
-
-static void fors_gen_sk(unsigned char *sk, const unsigned char *sk_seed,
- uint32_t fors_leaf_addr[8], const hash_state *hash_state_seeded) {
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_prf_addr(
- sk, sk_seed, fors_leaf_addr, hash_state_seeded);
-}
-
-static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk,
- const unsigned char *pub_seed,
- uint32_t fors_leaf_addr[8],
- const hash_state *hash_state_seeded) {
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_thash_1(
- leaf, sk, pub_seed, fors_leaf_addr, hash_state_seeded);
-}
-
-static void fors_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed,
- const unsigned char *pub_seed,
- uint32_t addr_idx, const uint32_t fors_tree_addr[8],
- const hash_state *hash_state_seeded) {
- uint32_t fors_leaf_addr[8] = {0};
-
- /* Only copy the parts that must be kept in fors_leaf_addr. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_copy_keypair_addr(
- fors_leaf_addr, fors_tree_addr);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_type(
- fors_leaf_addr, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_TYPE_FORSTREE);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_tree_index(
- fors_leaf_addr, addr_idx);
-
- fors_gen_sk(leaf, sk_seed, fors_leaf_addr, hash_state_seeded);
- fors_sk_to_leaf(leaf, leaf, pub_seed, fors_leaf_addr, hash_state_seeded);
-}
-
-/**
- * Interprets m as PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_HEIGHT-bit unsigned integers.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_TREES bits.
- * Assumes indices has space for PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_TREES integers.
- */
-static void message_to_indices(uint32_t *indices, const unsigned char *m) {
- unsigned int i, j;
- unsigned int offset = 0;
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_TREES; i++) {
- indices[i] = 0;
- for (j = 0; j < PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_HEIGHT; j++) {
- indices[i] ^= (((uint32_t)m[offset >> 3] >> (offset & 0x7)) & 0x1) << j;
- offset++;
- }
- }
-}
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_fors_sign(
- unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- const uint32_t fors_addr[8], const hash_state *hash_state_seeded) {
- uint32_t indices[PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_TREES];
- unsigned char roots[PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N];
- uint32_t fors_tree_addr[8] = {0};
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset;
- unsigned int i;
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_copy_keypair_addr(
- fors_tree_addr, fors_addr);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_copy_keypair_addr(
- fors_pk_addr, fors_addr);
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_type(
- fors_tree_addr, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_TYPE_FORSTREE);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_type(
- fors_pk_addr, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_TREES; i++) {
- idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_HEIGHT);
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_tree_height(
- fors_tree_addr, 0);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_tree_index(
- fors_tree_addr, indices[i] + idx_offset);
-
- /* Include the secret key part that produces the selected leaf node. */
- fors_gen_sk(sig, sk_seed, fors_tree_addr, hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N;
-
- /* Compute the authentication path for this leaf node. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_treehash_FORS_HEIGHT(
- roots + i * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, sig, sk_seed, pub_seed,
- indices[i], idx_offset, fors_gen_leaf, fors_tree_addr,
- hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_thash_FORS_TREES(
- pk, roots, pub_seed, fors_pk_addr, hash_state_seeded);
-}
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_fors_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const unsigned char *pub_seed, const uint32_t fors_addr[8],
- const hash_state *hash_state_seeded) {
- uint32_t indices[PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_TREES];
- unsigned char roots[PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N];
- unsigned char leaf[PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N];
- uint32_t fors_tree_addr[8] = {0};
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset;
- unsigned int i;
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_copy_keypair_addr(fors_tree_addr, fors_addr);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_copy_keypair_addr(fors_pk_addr, fors_addr);
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_type(fors_tree_addr, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_TYPE_FORSTREE);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_TREES; i++) {
- idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_HEIGHT);
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_tree_height(fors_tree_addr, 0);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_tree_index(fors_tree_addr, indices[i] + idx_offset);
-
- /* Derive the leaf from the included secret key part. */
- fors_sk_to_leaf(leaf, sig, pub_seed, fors_tree_addr, hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N;
-
- /* Derive the corresponding root node of this tree. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_compute_root(roots + i * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, leaf, indices[i], idx_offset, sig,
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_HEIGHT, pub_seed, fors_tree_addr, hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, hash_state_seeded);
-}
diff --git a/crypto_sign/sphincs-haraka-128f-simple/clean/fors.h b/crypto_sign/sphincs-haraka-128f-simple/clean/fors.h
deleted file mode 100644
index 952c94c2..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/clean/fors.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_H
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_H
-
-#include
-
-#include "hash_state.h"
-#include "params.h"
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_fors_sign(
- unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- const uint32_t fors_addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_fors_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const unsigned char *pub_seed, const uint32_t fors_addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-simple/clean/haraka.c b/crypto_sign/sphincs-haraka-128f-simple/clean/haraka.c
deleted file mode 100644
index 1f54d8e0..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/clean/haraka.c
+++ /dev/null
@@ -1,963 +0,0 @@ -/* - * Constant time implementation of the Haraka hash function. - * - * The bit-sliced implementation of the AES round functions are - * based on the AES implementation in BearSSL written - * by Thomas Pornin - */ - -#include -#include -#include -#include - -#include "haraka.h" - -#define HARAKAS_RATE 32 - -static const uint64_t haraka512_rc64[10][8] = { - {0x24cf0ab9086f628b, 0xbdd6eeecc83b8382, 0xd96fb0306cdad0a7, 0xaace082ac8f95f89, 0x449d8e8870d7041f, 0x49bb2f80b2b3e2f8, 0x0569ae98d93bb258, 0x23dc9691e7d6a4b1}, - {0xd8ba10ede0fe5b6e, 0x7ecf7dbe424c7b8e, 0x6ea9949c6df62a31, 0xbf3f3c97ec9c313e, 0x241d03a196a1861e, 0xead3a51116e5a2ea, 0x77d479fcad9574e3, 0x18657a1af894b7a0}, - {0x10671e1a7f595522, 0xd9a00ff675d28c7b, 0x2f1edf0d2b9ba661, 0xb8ff58b8e3de45f9, 0xee29261da9865c02, 0xd1532aa4b50bdf43, 0x8bf858159b231bb1, 0xdf17439d22d4f599}, - {0xdd4b2f0870b918c0, 0x757a81f3b39b1bb6, 0x7a5c556898952e3f, 0x7dd70a16d915d87a, 0x3ae61971982b8301, 0xc3ab319e030412be, 0x17c0033ac094a8cb, 0x5a0630fc1a8dc4ef}, - {0x17708988c1632f73, 0xf92ddae090b44f4f, 0x11ac0285c43aa314, 0x509059941936b8ba, 0xd03e152fa2ce9b69, 0x3fbcbcb63a32998b, 0x6204696d692254f7, 0x915542ed93ec59b4}, - {0xf4ed94aa8879236e, 0xff6cb41cd38e03c0, 0x069b38602368aeab, 0x669495b820f0ddba, 0xf42013b1b8bf9e3d, 0xcf935efe6439734d, 0xbc1dcf42ca29e3f8, 0x7e6d3ed29f78ad67}, - {0xf3b0f6837ffcddaa, 0x3a76faef934ddf41, 0xcec7ae583a9c8e35, 0xe4dd18c68f0260af, 0x2c0e5df1ad398eaa, 0x478df5236ae22e8c, 0xfb944c46fe865f39, 0xaa48f82f028132ba}, - {0x231b9ae2b76aca77, 0x292a76a712db0b40, 0x5850625dc8134491, 0x73137dd469810fb5, 0x8a12a6a202a474fd, 0xd36fd9daa78bdb80, 0xb34c5e733505706f, 0xbaf1cdca818d9d96}, - {0x2e99781335e8c641, 0xbddfe5cce47d560e, 0xf74e9bf32e5e040c, 0x1d7a709d65996be9, 0x670df36a9cf66cdd, 0xd05ef84a176a2875, 0x0f888e828cb1c44e, 0x1a79e9c9727b052c}, - {0x83497348628d84de, 0x2e9387d51f22a754, 0xb000068da2f852d6, 0x378c9e1190fd6fe5, 0x870027c316de7293, 0xe51a9d4462e047bb, 0x90ecf7f8c6251195, 
0x655953bfbed90a9c}, -}; - -static inline uint32_t br_dec32le(const unsigned char *src) { - return (uint32_t)src[0] - | ((uint32_t)src[1] << 8) - | ((uint32_t)src[2] << 16) - | ((uint32_t)src[3] << 24); -} - -static void br_range_dec32le(uint32_t *v, size_t num, const unsigned char *src) { - while (num-- > 0) { - *v ++ = br_dec32le(src); - src += 4; - } -} - -static inline void br_enc32le(unsigned char *dst, uint32_t x) { - dst[0] = (unsigned char)x; - dst[1] = (unsigned char)(x >> 8); - dst[2] = (unsigned char)(x >> 16); - dst[3] = (unsigned char)(x >> 24); -} - - -static void br_range_enc32le(unsigned char *dst, const uint32_t *v, size_t num) { - while (num-- > 0) { - br_enc32le(dst, *v ++); - dst += 4; - } -} - -static void br_aes_ct64_bitslice_Sbox(uint64_t *q) { - /* - * This S-box implementation is a straightforward translation of - * the circuit described by Boyar and Peralta in "A new - * combinational logic minimization technique with applications - * to cryptology" (https://eprint.iacr.org/2009/191.pdf). - * - * Note that variables x* (input) and s* (output) are numbered - * in "reverse" order (x0 is the high bit, x7 is the low bit). 
- */ - - uint64_t x0, x1, x2, x3, x4, x5, x6, x7; - uint64_t y1, y2, y3, y4, y5, y6, y7, y8, y9; - uint64_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19; - uint64_t y20, y21; - uint64_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9; - uint64_t z10, z11, z12, z13, z14, z15, z16, z17; - uint64_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9; - uint64_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19; - uint64_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29; - uint64_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39; - uint64_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49; - uint64_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59; - uint64_t t60, t61, t62, t63, t64, t65, t66, t67; - uint64_t s0, s1, s2, s3, s4, s5, s6, s7; - - x0 = q[7]; - x1 = q[6]; - x2 = q[5]; - x3 = q[4]; - x4 = q[3]; - x5 = q[2]; - x6 = q[1]; - x7 = q[0]; - - /* - * Top linear transformation. - */ - y14 = x3 ^ x5; - y13 = x0 ^ x6; - y9 = x0 ^ x3; - y8 = x0 ^ x5; - t0 = x1 ^ x2; - y1 = t0 ^ x7; - y4 = y1 ^ x3; - y12 = y13 ^ y14; - y2 = y1 ^ x0; - y5 = y1 ^ x6; - y3 = y5 ^ y8; - t1 = x4 ^ y12; - y15 = t1 ^ x5; - y20 = t1 ^ x1; - y6 = y15 ^ x7; - y10 = y15 ^ t0; - y11 = y20 ^ y9; - y7 = x7 ^ y11; - y17 = y10 ^ y11; - y19 = y10 ^ y8; - y16 = t0 ^ y11; - y21 = y13 ^ y16; - y18 = x0 ^ y16; - - /* - * Non-linear section. 
- */ - t2 = y12 & y15; - t3 = y3 & y6; - t4 = t3 ^ t2; - t5 = y4 & x7; - t6 = t5 ^ t2; - t7 = y13 & y16; - t8 = y5 & y1; - t9 = t8 ^ t7; - t10 = y2 & y7; - t11 = t10 ^ t7; - t12 = y9 & y11; - t13 = y14 & y17; - t14 = t13 ^ t12; - t15 = y8 & y10; - t16 = t15 ^ t12; - t17 = t4 ^ t14; - t18 = t6 ^ t16; - t19 = t9 ^ t14; - t20 = t11 ^ t16; - t21 = t17 ^ y20; - t22 = t18 ^ y19; - t23 = t19 ^ y21; - t24 = t20 ^ y18; - - t25 = t21 ^ t22; - t26 = t21 & t23; - t27 = t24 ^ t26; - t28 = t25 & t27; - t29 = t28 ^ t22; - t30 = t23 ^ t24; - t31 = t22 ^ t26; - t32 = t31 & t30; - t33 = t32 ^ t24; - t34 = t23 ^ t33; - t35 = t27 ^ t33; - t36 = t24 & t35; - t37 = t36 ^ t34; - t38 = t27 ^ t36; - t39 = t29 & t38; - t40 = t25 ^ t39; - - t41 = t40 ^ t37; - t42 = t29 ^ t33; - t43 = t29 ^ t40; - t44 = t33 ^ t37; - t45 = t42 ^ t41; - z0 = t44 & y15; - z1 = t37 & y6; - z2 = t33 & x7; - z3 = t43 & y16; - z4 = t40 & y1; - z5 = t29 & y7; - z6 = t42 & y11; - z7 = t45 & y17; - z8 = t41 & y10; - z9 = t44 & y12; - z10 = t37 & y3; - z11 = t33 & y4; - z12 = t43 & y13; - z13 = t40 & y5; - z14 = t29 & y2; - z15 = t42 & y9; - z16 = t45 & y14; - z17 = t41 & y8; - - /* - * Bottom linear transformation. 
- */ - t46 = z15 ^ z16; - t47 = z10 ^ z11; - t48 = z5 ^ z13; - t49 = z9 ^ z10; - t50 = z2 ^ z12; - t51 = z2 ^ z5; - t52 = z7 ^ z8; - t53 = z0 ^ z3; - t54 = z6 ^ z7; - t55 = z16 ^ z17; - t56 = z12 ^ t48; - t57 = t50 ^ t53; - t58 = z4 ^ t46; - t59 = z3 ^ t54; - t60 = t46 ^ t57; - t61 = z14 ^ t57; - t62 = t52 ^ t58; - t63 = t49 ^ t58; - t64 = z4 ^ t59; - t65 = t61 ^ t62; - t66 = z1 ^ t63; - s0 = t59 ^ t63; - s6 = t56 ^ ~t62; - s7 = t48 ^ ~t60; - t67 = t64 ^ t65; - s3 = t53 ^ t66; - s4 = t51 ^ t66; - s5 = t47 ^ t65; - s1 = t64 ^ ~s3; - s2 = t55 ^ ~t67; - - q[7] = s0; - q[6] = s1; - q[5] = s2; - q[4] = s3; - q[3] = s4; - q[2] = s5; - q[1] = s6; - q[0] = s7; -} - -static void br_aes_ct_bitslice_Sbox(uint32_t *q) { - /* - * This S-box implementation is a straightforward translation of - * the circuit described by Boyar and Peralta in "A new - * combinational logic minimization technique with applications - * to cryptology" (https://eprint.iacr.org/2009/191.pdf). - * - * Note that variables x* (input) and s* (output) are numbered - * in "reverse" order (x0 is the high bit, x7 is the low bit). - */ - - uint32_t x0, x1, x2, x3, x4, x5, x6, x7; - uint32_t y1, y2, y3, y4, y5, y6, y7, y8, y9; - uint32_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19; - uint32_t y20, y21; - uint32_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9; - uint32_t z10, z11, z12, z13, z14, z15, z16, z17; - uint32_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9; - uint32_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19; - uint32_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29; - uint32_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39; - uint32_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49; - uint32_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59; - uint32_t t60, t61, t62, t63, t64, t65, t66, t67; - uint32_t s0, s1, s2, s3, s4, s5, s6, s7; - - x0 = q[7]; - x1 = q[6]; - x2 = q[5]; - x3 = q[4]; - x4 = q[3]; - x5 = q[2]; - x6 = q[1]; - x7 = q[0]; - - /* - * Top linear transformation. 
- */ - y14 = x3 ^ x5; - y13 = x0 ^ x6; - y9 = x0 ^ x3; - y8 = x0 ^ x5; - t0 = x1 ^ x2; - y1 = t0 ^ x7; - y4 = y1 ^ x3; - y12 = y13 ^ y14; - y2 = y1 ^ x0; - y5 = y1 ^ x6; - y3 = y5 ^ y8; - t1 = x4 ^ y12; - y15 = t1 ^ x5; - y20 = t1 ^ x1; - y6 = y15 ^ x7; - y10 = y15 ^ t0; - y11 = y20 ^ y9; - y7 = x7 ^ y11; - y17 = y10 ^ y11; - y19 = y10 ^ y8; - y16 = t0 ^ y11; - y21 = y13 ^ y16; - y18 = x0 ^ y16; - - /* - * Non-linear section. - */ - t2 = y12 & y15; - t3 = y3 & y6; - t4 = t3 ^ t2; - t5 = y4 & x7; - t6 = t5 ^ t2; - t7 = y13 & y16; - t8 = y5 & y1; - t9 = t8 ^ t7; - t10 = y2 & y7; - t11 = t10 ^ t7; - t12 = y9 & y11; - t13 = y14 & y17; - t14 = t13 ^ t12; - t15 = y8 & y10; - t16 = t15 ^ t12; - t17 = t4 ^ t14; - t18 = t6 ^ t16; - t19 = t9 ^ t14; - t20 = t11 ^ t16; - t21 = t17 ^ y20; - t22 = t18 ^ y19; - t23 = t19 ^ y21; - t24 = t20 ^ y18; - - t25 = t21 ^ t22; - t26 = t21 & t23; - t27 = t24 ^ t26; - t28 = t25 & t27; - t29 = t28 ^ t22; - t30 = t23 ^ t24; - t31 = t22 ^ t26; - t32 = t31 & t30; - t33 = t32 ^ t24; - t34 = t23 ^ t33; - t35 = t27 ^ t33; - t36 = t24 & t35; - t37 = t36 ^ t34; - t38 = t27 ^ t36; - t39 = t29 & t38; - t40 = t25 ^ t39; - - t41 = t40 ^ t37; - t42 = t29 ^ t33; - t43 = t29 ^ t40; - t44 = t33 ^ t37; - t45 = t42 ^ t41; - z0 = t44 & y15; - z1 = t37 & y6; - z2 = t33 & x7; - z3 = t43 & y16; - z4 = t40 & y1; - z5 = t29 & y7; - z6 = t42 & y11; - z7 = t45 & y17; - z8 = t41 & y10; - z9 = t44 & y12; - z10 = t37 & y3; - z11 = t33 & y4; - z12 = t43 & y13; - z13 = t40 & y5; - z14 = t29 & y2; - z15 = t42 & y9; - z16 = t45 & y14; - z17 = t41 & y8; - - /* - * Bottom linear transformation. 
- */ - t46 = z15 ^ z16; - t47 = z10 ^ z11; - t48 = z5 ^ z13; - t49 = z9 ^ z10; - t50 = z2 ^ z12; - t51 = z2 ^ z5; - t52 = z7 ^ z8; - t53 = z0 ^ z3; - t54 = z6 ^ z7; - t55 = z16 ^ z17; - t56 = z12 ^ t48; - t57 = t50 ^ t53; - t58 = z4 ^ t46; - t59 = z3 ^ t54; - t60 = t46 ^ t57; - t61 = z14 ^ t57; - t62 = t52 ^ t58; - t63 = t49 ^ t58; - t64 = z4 ^ t59; - t65 = t61 ^ t62; - t66 = z1 ^ t63; - s0 = t59 ^ t63; - s6 = t56 ^ ~t62; - s7 = t48 ^ ~t60; - t67 = t64 ^ t65; - s3 = t53 ^ t66; - s4 = t51 ^ t66; - s5 = t47 ^ t65; - s1 = t64 ^ ~s3; - s2 = t55 ^ ~t67; - - q[7] = s0; - q[6] = s1; - q[5] = s2; - q[4] = s3; - q[3] = s4; - q[2] = s5; - q[1] = s6; - q[0] = s7; -} - -static void br_aes_ct_ortho(uint32_t *q) { -#define SWAPN_32(cl, ch, s, x, y) do { \ - uint32_t a, b; \ - a = (x); \ - b = (y); \ - (x) = (a & (uint32_t)(cl)) | ((b & (uint32_t)(cl)) << (s)); \ - (y) = ((a & (uint32_t)(ch)) >> (s)) | (b & (uint32_t)(ch)); \ - } while (0) - -#define SWAP2_32(x, y) SWAPN_32(0x55555555, 0xAAAAAAAA, 1, x, y) -#define SWAP4_32(x, y) SWAPN_32(0x33333333, 0xCCCCCCCC, 2, x, y) -#define SWAP8_32(x, y) SWAPN_32(0x0F0F0F0F, 0xF0F0F0F0, 4, x, y) - - SWAP2_32(q[0], q[1]); - SWAP2_32(q[2], q[3]); - SWAP2_32(q[4], q[5]); - SWAP2_32(q[6], q[7]); - - SWAP4_32(q[0], q[2]); - SWAP4_32(q[1], q[3]); - SWAP4_32(q[4], q[6]); - SWAP4_32(q[5], q[7]); - - SWAP8_32(q[0], q[4]); - SWAP8_32(q[1], q[5]); - SWAP8_32(q[2], q[6]); - SWAP8_32(q[3], q[7]); -} - -static inline void add_round_key32(uint32_t *q, const uint32_t *sk) { - q[0] ^= sk[0]; - q[1] ^= sk[1]; - q[2] ^= sk[2]; - q[3] ^= sk[3]; - q[4] ^= sk[4]; - q[5] ^= sk[5]; - q[6] ^= sk[6]; - q[7] ^= sk[7]; -} - -static inline void shift_rows32(uint32_t *q) { - int i; - - for (i = 0; i < 8; i++) { - uint32_t x; - - x = q[i]; - q[i] = (x & 0x000000FF) - | ((x & 0x0000FC00) >> 2) | ((x & 0x00000300) << 6) - | ((x & 0x00F00000) >> 4) | ((x & 0x000F0000) << 4) - | ((x & 0xC0000000) >> 6) | ((x & 0x3F000000) << 2); - } -} - -static inline uint32_t 
rotr16(uint32_t x) { - return (x << 16) | (x >> 16); -} - -static inline void mix_columns32(uint32_t *q) { - uint32_t q0, q1, q2, q3, q4, q5, q6, q7; - uint32_t r0, r1, r2, r3, r4, r5, r6, r7; - - q0 = q[0]; - q1 = q[1]; - q2 = q[2]; - q3 = q[3]; - q4 = q[4]; - q5 = q[5]; - q6 = q[6]; - q7 = q[7]; - r0 = (q0 >> 8) | (q0 << 24); - r1 = (q1 >> 8) | (q1 << 24); - r2 = (q2 >> 8) | (q2 << 24); - r3 = (q3 >> 8) | (q3 << 24); - r4 = (q4 >> 8) | (q4 << 24); - r5 = (q5 >> 8) | (q5 << 24); - r6 = (q6 >> 8) | (q6 << 24); - r7 = (q7 >> 8) | (q7 << 24); - - q[0] = q7 ^ r7 ^ r0 ^ rotr16(q0 ^ r0); - q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr16(q1 ^ r1); - q[2] = q1 ^ r1 ^ r2 ^ rotr16(q2 ^ r2); - q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr16(q3 ^ r3); - q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr16(q4 ^ r4); - q[5] = q4 ^ r4 ^ r5 ^ rotr16(q5 ^ r5); - q[6] = q5 ^ r5 ^ r6 ^ rotr16(q6 ^ r6); - q[7] = q6 ^ r6 ^ r7 ^ rotr16(q7 ^ r7); -} - -static void br_aes_ct64_ortho(uint64_t *q) { -#define SWAPN(cl, ch, s, x, y) do { \ - uint64_t a, b; \ - a = (x); \ - b = (y); \ - (x) = (a & (uint64_t)(cl)) | ((b & (uint64_t)(cl)) << (s)); \ - (y) = ((a & (uint64_t)(ch)) >> (s)) | (b & (uint64_t)(ch)); \ - } while (0) - -#define SWAP2(x, y) SWAPN(0x5555555555555555, 0xAAAAAAAAAAAAAAAA, 1, x, y) -#define SWAP4(x, y) SWAPN(0x3333333333333333, 0xCCCCCCCCCCCCCCCC, 2, x, y) -#define SWAP8(x, y) SWAPN(0x0F0F0F0F0F0F0F0F, 0xF0F0F0F0F0F0F0F0, 4, x, y) - - SWAP2(q[0], q[1]); - SWAP2(q[2], q[3]); - SWAP2(q[4], q[5]); - SWAP2(q[6], q[7]); - - SWAP4(q[0], q[2]); - SWAP4(q[1], q[3]); - SWAP4(q[4], q[6]); - SWAP4(q[5], q[7]); - - SWAP8(q[0], q[4]); - SWAP8(q[1], q[5]); - SWAP8(q[2], q[6]); - SWAP8(q[3], q[7]); -} - - -static void br_aes_ct64_interleave_in(uint64_t *q0, uint64_t *q1, const uint32_t *w) { - uint64_t x0, x1, x2, x3; - - x0 = w[0]; - x1 = w[1]; - x2 = w[2]; - x3 = w[3]; - x0 |= (x0 << 16); - x1 |= (x1 << 16); - x2 |= (x2 << 16); - x3 |= (x3 << 16); - x0 &= (uint64_t)0x0000FFFF0000FFFF; - x1 &= 
(uint64_t)0x0000FFFF0000FFFF; - x2 &= (uint64_t)0x0000FFFF0000FFFF; - x3 &= (uint64_t)0x0000FFFF0000FFFF; - x0 |= (x0 << 8); - x1 |= (x1 << 8); - x2 |= (x2 << 8); - x3 |= (x3 << 8); - x0 &= (uint64_t)0x00FF00FF00FF00FF; - x1 &= (uint64_t)0x00FF00FF00FF00FF; - x2 &= (uint64_t)0x00FF00FF00FF00FF; - x3 &= (uint64_t)0x00FF00FF00FF00FF; - *q0 = x0 | (x2 << 8); - *q1 = x1 | (x3 << 8); -} - - -static void br_aes_ct64_interleave_out(uint32_t *w, uint64_t q0, uint64_t q1) { - uint64_t x0, x1, x2, x3; - - x0 = q0 & (uint64_t)0x00FF00FF00FF00FF; - x1 = q1 & (uint64_t)0x00FF00FF00FF00FF; - x2 = (q0 >> 8) & (uint64_t)0x00FF00FF00FF00FF; - x3 = (q1 >> 8) & (uint64_t)0x00FF00FF00FF00FF; - x0 |= (x0 >> 8); - x1 |= (x1 >> 8); - x2 |= (x2 >> 8); - x3 |= (x3 >> 8); - x0 &= (uint64_t)0x0000FFFF0000FFFF; - x1 &= (uint64_t)0x0000FFFF0000FFFF; - x2 &= (uint64_t)0x0000FFFF0000FFFF; - x3 &= (uint64_t)0x0000FFFF0000FFFF; - w[0] = (uint32_t)x0 | (uint32_t)(x0 >> 16); - w[1] = (uint32_t)x1 | (uint32_t)(x1 >> 16); - w[2] = (uint32_t)x2 | (uint32_t)(x2 >> 16); - w[3] = (uint32_t)x3 | (uint32_t)(x3 >> 16); -} - -static inline void add_round_key(uint64_t *q, const uint64_t *sk) { - q[0] ^= sk[0]; - q[1] ^= sk[1]; - q[2] ^= sk[2]; - q[3] ^= sk[3]; - q[4] ^= sk[4]; - q[5] ^= sk[5]; - q[6] ^= sk[6]; - q[7] ^= sk[7]; -} - -static inline void shift_rows(uint64_t *q) { - int i; - - for (i = 0; i < 8; i++) { - uint64_t x; - - x = q[i]; - q[i] = (x & (uint64_t)0x000000000000FFFF) - | ((x & (uint64_t)0x00000000FFF00000) >> 4) - | ((x & (uint64_t)0x00000000000F0000) << 12) - | ((x & (uint64_t)0x0000FF0000000000) >> 8) - | ((x & (uint64_t)0x000000FF00000000) << 8) - | ((x & (uint64_t)0xF000000000000000) >> 12) - | ((x & (uint64_t)0x0FFF000000000000) << 4); - } -} - -static inline uint64_t rotr32(uint64_t x) { - return (x << 32) | (x >> 32); -} - -static inline void mix_columns(uint64_t *q) { - uint64_t q0, q1, q2, q3, q4, q5, q6, q7; - uint64_t r0, r1, r2, r3, r4, r5, r6, r7; - - q0 = q[0]; - q1 = q[1]; - 
q2 = q[2]; - q3 = q[3]; - q4 = q[4]; - q5 = q[5]; - q6 = q[6]; - q7 = q[7]; - r0 = (q0 >> 16) | (q0 << 48); - r1 = (q1 >> 16) | (q1 << 48); - r2 = (q2 >> 16) | (q2 << 48); - r3 = (q3 >> 16) | (q3 << 48); - r4 = (q4 >> 16) | (q4 << 48); - r5 = (q5 >> 16) | (q5 << 48); - r6 = (q6 >> 16) | (q6 << 48); - r7 = (q7 >> 16) | (q7 << 48); - - q[0] = q7 ^ r7 ^ r0 ^ rotr32(q0 ^ r0); - q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr32(q1 ^ r1); - q[2] = q1 ^ r1 ^ r2 ^ rotr32(q2 ^ r2); - q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr32(q3 ^ r3); - q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr32(q4 ^ r4); - q[5] = q4 ^ r4 ^ r5 ^ rotr32(q5 ^ r5); - q[6] = q5 ^ r5 ^ r6 ^ rotr32(q6 ^ r6); - q[7] = q6 ^ r6 ^ r7 ^ rotr32(q7 ^ r7); -} - -static void interleave_constant(uint64_t *out, const unsigned char *in) { - uint32_t tmp_32_constant[16]; - int i; - - br_range_dec32le(tmp_32_constant, 16, in); - for (i = 0; i < 4; i++) { - br_aes_ct64_interleave_in(&out[i], &out[i + 4], tmp_32_constant + (i << 2)); - } - br_aes_ct64_ortho(out); -} - -static void interleave_constant32(uint32_t *out, const unsigned char *in) { - int i; - for (i = 0; i < 4; i++) { - out[2 * i] = br_dec32le(in + 4 * i); - out[2 * i + 1] = br_dec32le(in + 4 * i + 16); - } - br_aes_ct_ortho(out); -} - -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_tweak_constants( - harakactx *state, - const unsigned char *pk_seed, const unsigned char *sk_seed, - unsigned long long seed_length) { - unsigned char buf[40 * 16]; - int i; - - /* Use the standard constants to generate tweaked ones. 
*/ - memcpy((uint8_t *)state->tweaked512_rc64, (uint8_t *)haraka512_rc64, 40 * 16); - - /* Constants for sk.seed */ - if (sk_seed != NULL) { - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S( - buf, 40 * 16, sk_seed, seed_length, state); - - /* Interleave constants */ - for (i = 0; i < 10; i++) { - interleave_constant32(state->tweaked256_rc32_sseed[i], buf + 32 * i); - } - } - - /* Constants for pk.seed */ - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S( - buf, 40 * 16, pk_seed, seed_length, state); - for (i = 0; i < 10; i++) { - interleave_constant32(state->tweaked256_rc32[i], buf + 32 * i); - interleave_constant(state->tweaked512_rc64[i], buf + 64 * i); - } -} - -static void haraka_S_absorb(unsigned char *s, - const unsigned char *m, unsigned long long mlen, - unsigned char p, const harakactx *state) { - unsigned long long i; - unsigned char t[HARAKAS_RATE]; - - while (mlen >= HARAKAS_RATE) { - /* XOR block to state */ - for (i = 0; i < HARAKAS_RATE; ++i) { - s[i] ^= m[i]; - } - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka512_perm(s, s, state); - mlen -= HARAKAS_RATE; - m += HARAKAS_RATE; - } - - for (i = 0; i < HARAKAS_RATE; ++i) { - t[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t[i] = m[i]; - } - t[i] = p; - t[HARAKAS_RATE - 1] |= 128; - for (i = 0; i < HARAKAS_RATE; ++i) { - s[i] ^= t[i]; - } -} - -static void haraka_S_squeezeblocks(unsigned char *h, unsigned long long nblocks, - unsigned char *s, const harakactx *state) { - while (nblocks > 0) { - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka512_perm(s, s, state); - memcpy(h, s, HARAKAS_RATE); - h += HARAKAS_RATE; - nblocks--; - } -} - -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S_inc_init(uint8_t *s_inc) { - size_t i; - - for (i = 0; i < 64; i++) { - s_inc[i] = 0; - } - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state) { - size_t i; - - /* Recall that s_inc[64] is the non-absorbed bytes xored into 
the state */
- while (mlen + s_inc[64] >= HARAKAS_RATE) {
- for (i = 0; i < (size_t)(HARAKAS_RATE - s_inc[64]); i++) {
- /* Take the i'th byte from message
- xor with the s_inc[64] + i'th byte of the state */
- s_inc[s_inc[64] + i] ^= m[i];
- }
- mlen -= (size_t)(HARAKAS_RATE - s_inc[64]);
- m += HARAKAS_RATE - s_inc[64];
- s_inc[64] = 0;
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka512_perm(s_inc, s_inc, state);
- }
-
- for (i = 0; i < mlen; i++) {
- s_inc[s_inc[64] + i] ^= m[i];
- }
- s_inc[64] = (uint8_t)(mlen + s_inc[64]);
-}
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S_inc_finalize(uint8_t *s_inc) {
- /* After haraka_S_inc_absorb, we are guaranteed that s_inc[64] < HARAKAS_RATE,
- so we can always use one more byte for p in the current state. */
- s_inc[s_inc[64]] ^= 0x1F;
- s_inc[HARAKAS_RATE - 1] ^= 128;
- s_inc[64] = 0;
-}
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state) {
- uint8_t i;
-
- /* First consume any bytes we still have sitting around */
- for (i = 0; i < outlen && i < s_inc[64]; i++) {
- /* There are s_inc[64] bytes left, so r - s_inc[64] is the first
- available byte. We consume from there, i.e., up to r. 
*/
- out[i] = s_inc[(HARAKAS_RATE - s_inc[64] + i)];
- }
- out += i;
- outlen -= i;
- s_inc[64] = (uint8_t)(s_inc[64] - i);
-
- /* Then squeeze the remaining necessary blocks */
- while (outlen > 0) {
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka512_perm(s_inc, s_inc, state);
-
- for (i = 0; i < outlen && i < HARAKAS_RATE; i++) {
- out[i] = s_inc[i];
- }
- out += i;
- outlen -= i;
- s_inc[64] = (uint8_t)(HARAKAS_RATE - i);
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S(unsigned char *out, unsigned long long outlen, const unsigned char *in, unsigned long long inlen, const harakactx *state) {
- unsigned long long i;
- unsigned char s[64];
- unsigned char d[32];
-
- for (i = 0; i < 64; i++) {
- s[i] = 0;
- }
- haraka_S_absorb(s, in, inlen, 0x1F, state);
-
- haraka_S_squeezeblocks(out, outlen / 32, s, state);
- out += (outlen / 32) * 32;
-
- if (outlen % 32) {
- haraka_S_squeezeblocks(d, 1, s, state);
- for (i = 0; i < outlen % 32; i++) {
- out[i] = d[i];
- }
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state) {
- uint32_t w[16];
- uint64_t q[8], tmp_q;
- unsigned int i, j;
-
- br_range_dec32le(w, 16, in);
- for (i = 0; i < 4; i++) {
- br_aes_ct64_interleave_in(&q[i], &q[i + 4], w + (i << 2));
- }
- br_aes_ct64_ortho(q);
-
- /* AES rounds */
- for (i = 0; i < 5; i++) {
- for (j = 0; j < 2; j++) {
- br_aes_ct64_bitslice_Sbox(q);
- shift_rows(q);
- mix_columns(q);
- add_round_key(q, state->tweaked512_rc64[2 * i + j]);
- }
- /* Mix states */
- for (j = 0; j < 8; j++) {
- tmp_q = q[j];
- q[j] = (tmp_q & 0x0001000100010001) << 5 |
- (tmp_q & 0x0002000200020002) << 12 |
- (tmp_q & 0x0004000400040004) >> 1 |
- (tmp_q & 0x0008000800080008) << 6 |
- (tmp_q & 0x0020002000200020) << 9 |
- (tmp_q & 0x0040004000400040) >> 4 |
- (tmp_q & 0x0080008000800080) << 3 |
- (tmp_q & 0x2100210021002100) >> 5 |
- (tmp_q & 0x0210021002100210) << 2 |
- (tmp_q & 0x0800080008000800) << 4 |
- 
(tmp_q & 0x1000100010001000) >> 12 |
- (tmp_q & 0x4000400040004000) >> 10 |
- (tmp_q & 0x8400840084008400) >> 3;
- }
- }
-
- br_aes_ct64_ortho(q);
- for (i = 0; i < 4; i ++) {
- br_aes_ct64_interleave_out(w + (i << 2), q[i], q[i + 4]);
- }
- br_range_enc32le(out, w, 16);
-}
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state) {
- int i;
-
- unsigned char buf[64];
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka512_perm(buf, in, state);
- /* Feed-forward */
- for (i = 0; i < 64; i++) {
- buf[i] = buf[i] ^ in[i];
- }
-
- /* Truncated */
- memcpy(out, buf + 8, 8);
- memcpy(out + 8, buf + 24, 8);
- memcpy(out + 16, buf + 32, 8);
- memcpy(out + 24, buf + 48, 8);
-}
-
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state) {
- uint32_t q[8], tmp_q;
- int i, j;
-
- for (i = 0; i < 4; i++) {
- q[2 * i] = br_dec32le(in + 4 * i);
- q[2 * i + 1] = br_dec32le(in + 4 * i + 16);
- }
- br_aes_ct_ortho(q);
-
- /* AES rounds */
- for (i = 0; i < 5; i++) {
- for (j = 0; j < 2; j++) {
- br_aes_ct_bitslice_Sbox(q);
- shift_rows32(q);
- mix_columns32(q);
- add_round_key32(q, state->tweaked256_rc32[2 * i + j]);
- }
-
- /* Mix states */
- for (j = 0; j < 8; j++) {
- tmp_q = q[j];
- q[j] = (tmp_q & 0x81818181) |
- (tmp_q & 0x02020202) << 1 |
- (tmp_q & 0x04040404) << 2 |
- (tmp_q & 0x08080808) << 3 |
- (tmp_q & 0x10101010) >> 3 |
- (tmp_q & 0x20202020) >> 2 |
- (tmp_q & 0x40404040) >> 1;
- }
- }
-
- br_aes_ct_ortho(q);
- for (i = 0; i < 4; i++) {
- br_enc32le(out + 4 * i, q[2 * i]);
- br_enc32le(out + 4 * i + 16, q[2 * i + 1]);
- }
-
- for (i = 0; i < 32; i++) {
- out[i] ^= in[i];
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state) {
- uint32_t q[8], tmp_q;
- int i, j;
-
- for (i = 0; i < 4; i++) {
- q[2 * i] = br_dec32le(in + 4 * i);
- q[2 * i + 1] = br_dec32le(in + 4 
* i + 16);
- }
- br_aes_ct_ortho(q);
-
- /* AES rounds */
- for (i = 0; i < 5; i++) {
- for (j = 0; j < 2; j++) {
- br_aes_ct_bitslice_Sbox(q);
- shift_rows32(q);
- mix_columns32(q);
- add_round_key32(q, state->tweaked256_rc32_sseed[2 * i + j]);
- }
-
- /* Mix states */
- for (j = 0; j < 8; j++) {
- tmp_q = q[j];
- q[j] = (tmp_q & 0x81818181) |
- (tmp_q & 0x02020202) << 1 |
- (tmp_q & 0x04040404) << 2 |
- (tmp_q & 0x08080808) << 3 |
- (tmp_q & 0x10101010) >> 3 |
- (tmp_q & 0x20202020) >> 2 |
- (tmp_q & 0x40404040) >> 1;
- }
- }
-
- br_aes_ct_ortho(q);
- for (i = 0; i < 4; i++) {
- br_enc32le(out + 4 * i, q[2 * i]);
- br_enc32le(out + 4 * i + 16, q[2 * i + 1]);
- }
-
- for (i = 0; i < 32; i++) {
- out[i] ^= in[i];
- }
-}
diff --git a/crypto_sign/sphincs-haraka-128f-simple/clean/haraka.h b/crypto_sign/sphincs-haraka-128f-simple/clean/haraka.h
deleted file mode 100644
index 149d6399..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/clean/haraka.h
+++ /dev/null
@@ -1,40 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_HARAKA_H
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_HARAKA_H
-
-#include
-#include
-
-typedef struct {
- uint64_t tweaked512_rc64[10][8];
- uint32_t tweaked256_rc32[10][8];
- uint32_t tweaked256_rc32_sseed[10][8];
-} harakactx;
-
-/* Tweak constants with seed */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length);
-
-/* Haraka Sponge */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S_inc_init(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S_inc_finalize(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S(
- unsigned char *out, unsigned long long outlen,
- const unsigned char *in, unsigned long long inlen, const harakactx *state);
-
-/* Applies the 512-bit Haraka permutation to in. */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-512 */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 using sk.seed constants */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-#endif 
diff --git a/crypto_sign/sphincs-haraka-128f-simple/clean/hash.h b/crypto_sign/sphincs-haraka-128f-simple/clean/hash.h
deleted file mode 100644
index 09f673ea..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/clean/hash.h
+++ /dev/null
@@ -1,31 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_HASH_H
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_HASH_H
-
-#include "hash_state.h"
-
-#include
-#include
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed);
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_destroy_hash_function(hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-simple/clean/hash_haraka.c b/crypto_sign/sphincs-haraka-128f-simple/clean/hash_haraka.c
deleted file mode 100644
index c58594b1..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/clean/hash_haraka.c
+++ /dev/null
@@ -1,96 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "haraka.h"
-#include "hash.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed) {
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_tweak_constants(hash_state_seeded, pub_seed, sk_seed, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N);
-}
-
-/* The haraka implementation is stack based and won't be replaced in PQClean/OQS,
- so we don't need to do anything */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_destroy_hash_function(
- hash_state *hash_state_seeded) { // NOLINT(readability-non-const-parameter)
- (void)hash_state_seeded;
-}
-
-/*
- * Computes PRF(key, addr), given a secret key of PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N bytes and an address
- */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- unsigned char buf[PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_BYTES];
- /* Since PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N may be smaller than 32, we need a temporary buffer. */
- unsigned char outbuf[32];
-
- (void)key; /* Suppress an 'unused parameter' warning. */
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_addr_to_bytes(buf, addr);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka256_sk(outbuf, buf, hash_state_seeded);
- memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N);
-}
-
-/**
- * Computes the message-dependent randomness R, using a secret seed and an
- * optional randomization value as well as the message. 
- */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded) {
- uint8_t s_inc[65];
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S_inc_init(s_inc);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, sk_prf, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, optrand, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S_inc_finalize(s_inc);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S_inc_squeeze(R, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, s_inc, hash_state_seeded);
-}
-
-/**
- * Computes the message hash using R, the public key, and the message.
- * Outputs the message digest and the index of the leaf. The index is split in
- * the tree index and the leaf index, for convenient copying to an address. 
- */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded) {
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_TREE_BITS (PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_TREE_HEIGHT * (PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_D - 1))
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_TREE_BYTES ((PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_TREE_BITS + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_LEAF_BITS PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_TREE_HEIGHT
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_LEAF_BYTES ((PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_LEAF_BITS + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_DGST_BYTES (PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_MSG_BYTES + PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_TREE_BYTES + PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_LEAF_BYTES)
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_DGST_BYTES];
- unsigned char *bufp = buf;
- uint8_t s_inc[65];
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S_inc_init(s_inc);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, R, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, pk + PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S_inc_finalize(s_inc);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S_inc_squeeze(buf, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_DGST_BYTES, s_inc, hash_state_seeded);
-
- memcpy(digest, bufp, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_MSG_BYTES);
- bufp += PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_MSG_BYTES;
-
- *tree = PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_bytes_to_ull(bufp, 
PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_TREE_BYTES);
- *tree &= (~(uint64_t)0) >> (64 - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_TREE_BITS);
- bufp += PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_TREE_BYTES;
-
- *leaf_idx = (uint32_t)PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_bytes_to_ull(
- bufp, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_LEAF_BYTES);
- *leaf_idx &= (~(uint32_t)0) >> (32 - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_LEAF_BITS);
-}
diff --git a/crypto_sign/sphincs-haraka-128f-simple/clean/hash_state.h b/crypto_sign/sphincs-haraka-128f-simple/clean/hash_state.h
deleted file mode 100644
index 5adb1d9a..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/clean/hash_state.h
+++ /dev/null
@@ -1,26 +0,0 @@
-#ifndef SPX_HASH_STATE_H
-#define SPX_HASH_STATE_H
-
-/**
- * Defines the type of the hash function state.
- *
- * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
- *
- * From Section 7.2.2 from the SPHINCS+ round-2 specification:
- *
- * Each of the instances of the tweakable hash function take PK.seed as its
- * first input, which is constant for a given key pair – and, thus, across
- * a single signature. This leads to a lot of redundant computation. To remedy
- * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
- * Because of the Merkle-Damgård construction that underlies SHA-256, this
- * allows for reuse of the intermediate SHA-256 state after the initial call to
- * the compression function which improves performance.
- *
- * We pass this hash state around in functions, because otherwise we need to
- * have a global variable.
- */
-
-#include "haraka.h"
-#define hash_state harakactx
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-simple/clean/params.h b/crypto_sign/sphincs-haraka-128f-simple/clean/params.h
deleted file mode 100644
index 3587d902..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/clean/params.h
+++ /dev/null
@@ -1,53 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_PARAMS_H
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_PARAMS_H
-
-/* Hash output length in bytes. */
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N 16
-/* Height of the hypertree. */
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FULL_HEIGHT 60
-/* Number of subtree layer. */
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_D 20
-/* FORS tree dimensions. */
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_HEIGHT 9
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_TREES 30
-/* Winternitz parameter, */
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_W 16
-
-/* The hash function is defined by linking a different hash.c file, as opposed
- to setting a #define constant. */
-
-/* For clarity */
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_BYTES 32
-
-/* WOTS parameters. */
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_LOGW 4
-
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_LEN1 (8 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N / PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_LOGW)
-
-/* PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_LEN2 3
-
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_LEN (PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_LEN1 + PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_LEN2)
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_BYTES (PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_LEN * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_PK_BYTES PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_BYTES
-
-/* Subtree size. */
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_TREE_HEIGHT (PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FULL_HEIGHT / PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_D)
-
-/* FORS parameters. 
*/
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_MSG_BYTES ((PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_TREES + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_BYTES ((PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_HEIGHT + 1) * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_PK_BYTES PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N
-
-/* Resulting SPX sizes. */
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_BYTES (PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N + PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_BYTES + PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_D * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_BYTES +\
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FULL_HEIGHT * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_PK_BYTES (2 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_SK_BYTES (2 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N + PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_PK_BYTES)
-
-/* Optionally, signing can be made non-deterministic using optrand.
- This can help counter side-channel attacks that would benefit from
- getting a large number of traces when the signer uses the same nodes. */
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_OPTRAND_BYTES 32
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128f-simple/clean/sign.c b/crypto_sign/sphincs-haraka-128f-simple/clean/sign.c
deleted file mode 100644
index 67b1b9ce..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/clean/sign.c
+++ /dev/null
@@ -1,356 +0,0 @@
-#include
-#include
-#include
-
-#include "address.h"
-#include "api.h"
-#include "fors.h"
-#include "hash.h"
-#include "hash_state.h"
-#include "params.h"
-#include "randombytes.h"
-#include "thash.h"
-#include "utils.h"
-#include "wots.h"
-
-/**
- * Computes the leaf at a given address. First generates the WOTS key pair,
- * then computes leaf by hashing horizontally.
- */
-static void wots_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed,
- const unsigned char *pub_seed,
- uint32_t addr_idx, const uint32_t tree_addr[8],
- const hash_state *hash_state_seeded) {
- unsigned char pk[PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_BYTES];
- uint32_t wots_addr[8] = {0};
- uint32_t wots_pk_addr[8] = {0};
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_type(
- wots_addr, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_TYPE_WOTS);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_type(
- wots_pk_addr, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_TYPE_WOTSPK);
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_copy_subtree_addr(
- wots_addr, tree_addr);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_keypair_addr(
- wots_addr, addr_idx);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_wots_gen_pk(
- pk, sk_seed, pub_seed, wots_addr, hash_state_seeded);
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_copy_keypair_addr(
- wots_pk_addr, wots_addr);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_thash_WOTS_LEN(
- leaf, pk, pub_seed, wots_pk_addr, hash_state_seeded);
-}
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_crypto_sign_secretkeybytes(void) {
- return PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_CRYPTO_SECRETKEYBYTES;
-}
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_crypto_sign_publickeybytes(void) {
- return PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_CRYPTO_PUBLICKEYBYTES;
-}
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t 
PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_crypto_sign_bytes(void) {
- return PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_CRYPTO_BYTES;
-}
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_crypto_sign_seedbytes(void) {
- return PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_CRYPTO_SEEDBYTES;
-}
-
-/*
- * Generates an SPX key pair given a seed of length
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [PUB_SEED || root]
- */
-int PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_crypto_sign_seed_keypair(
- uint8_t *pk, uint8_t *sk, const uint8_t *seed) {
- /* We do not need the auth path in key generation, but it simplifies the
- code to have just one treehash routine that computes both root and path
- in one function. */
- unsigned char auth_path[PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N];
- uint32_t top_tree_addr[8] = {0};
- hash_state hash_state_seeded;
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_layer_addr(
- top_tree_addr, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_D - 1);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_type(
- top_tree_addr, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_TYPE_HASHTREE);
-
- /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */
- memcpy(sk, seed, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_CRYPTO_SEEDBYTES);
-
- memcpy(pk, sk + 2 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N);
-
- /* This hook allows the hash function instantiation to do whatever
- preparation or computation it needs, based on the public seed. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_initialize_hash_function(&hash_state_seeded, pk, sk);
-
- /* Compute root node of the top-most subtree. 
*/
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_treehash_TREE_HEIGHT(
- sk + 3 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, auth_path, sk, sk + 2 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, 0, 0,
- wots_gen_leaf, top_tree_addr, &hash_state_seeded);
-
- memcpy(pk + PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, sk + 3 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N);
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_destroy_hash_function(&hash_state_seeded);
- return 0;
-}
-
-/*
- * Generates an SPX key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [PUB_SEED || root]
- */
-int PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_crypto_sign_keypair(
- uint8_t *pk, uint8_t *sk) {
- unsigned char seed[PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_CRYPTO_SEEDBYTES];
- randombytes(seed, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_CRYPTO_SEEDBYTES);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_crypto_sign_seed_keypair(
- pk, sk, seed);
-
- return 0;
-}
-
-/**
- * Returns an array containing a detached signature.
- */
-int PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk) {
- const unsigned char *sk_seed = sk;
- const unsigned char *sk_prf = sk + PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N;
- const unsigned char *pk = sk + 2 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N;
- const unsigned char *pub_seed = pk;
-
- unsigned char optrand[PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N];
- unsigned char mhash[PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_MSG_BYTES];
- unsigned char root[PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N];
- uint32_t i;
- uint64_t tree;
- uint32_t idx_leaf;
- uint32_t wots_addr[8] = {0};
- uint32_t tree_addr[8] = {0};
-
- hash_state hash_state_seeded;
-
- /* This hook allows the hash function instantiation to do whatever
- preparation or computation it needs, based on the public seed. 
*/
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_initialize_hash_function(
- &hash_state_seeded,
- pub_seed, sk_seed);
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_type(
- wots_addr, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_TYPE_WOTS);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_type(
- tree_addr, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_TYPE_HASHTREE);
-
- /* Optionally, signing can be made non-deterministic using optrand.
- This can help counter side-channel attacks that would benefit from
- getting a large number of traces when the signer uses the same nodes. */
- randombytes(optrand, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N);
- /* Compute the digest randomization value. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_gen_message_random(
- sig, sk_prf, optrand, m, mlen, &hash_state_seeded);
-
- /* Derive the message digest and leaf index from R, PK and M. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_hash_message(
- mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N;
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_tree_addr(wots_addr, tree);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_keypair_addr(
- wots_addr, idx_leaf);
-
- /* Sign the message hash using FORS. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_fors_sign(
- sig, root, mhash, sk_seed, pub_seed, wots_addr, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_BYTES;
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_D; i++) {
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_layer_addr(tree_addr, i);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_tree_addr(tree_addr, tree);
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_copy_subtree_addr(
- wots_addr, tree_addr);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_keypair_addr(
- wots_addr, idx_leaf);
-
- /* Compute a WOTS signature. 
*/
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_wots_sign(
- sig, root, sk_seed, pub_seed, wots_addr, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_BYTES;
-
- /* Compute the authentication path for the used WOTS leaf. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_treehash_TREE_HEIGHT(
- root, sig, sk_seed, pub_seed, idx_leaf, 0,
- wots_gen_leaf, tree_addr, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N;
-
- /* Update the indices for the next layer. */
- idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_TREE_HEIGHT) - 1));
- tree = tree >> PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_TREE_HEIGHT;
- }
-
- *siglen = PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_BYTES;
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_destroy_hash_function(&hash_state_seeded);
- return 0;
-}
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk) {
- const unsigned char *pub_seed = pk;
- const unsigned char *pub_root = pk + PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N;
- unsigned char mhash[PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_MSG_BYTES];
- unsigned char wots_pk[PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_BYTES];
- unsigned char root[PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N];
- unsigned char leaf[PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N];
- unsigned int i;
- uint64_t tree;
- uint32_t idx_leaf;
- uint32_t wots_addr[8] = {0};
- uint32_t tree_addr[8] = {0};
- uint32_t wots_pk_addr[8] = {0};
-
- hash_state hash_state_seeded;
-
- if (siglen != PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_BYTES) {
- return -1;
- }
-
- /* This hook allows the hash function instantiation to do whatever
- preparation or computation it needs, based on the public seed. 
*/
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_initialize_hash_function(
- &hash_state_seeded,
- pub_seed, NULL);
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_type(
- wots_addr, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_TYPE_WOTS);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_type(
- tree_addr, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_TYPE_HASHTREE);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_type(
- wots_pk_addr, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_TYPE_WOTSPK);
-
- /* Derive the message digest and leaf index from R || PK || M. */
- /* The additional PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N is a result of the hash domain separator. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_hash_message(
- mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N;
-
- /* Layer correctly defaults to 0, so no need to set_layer_addr */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_tree_addr(wots_addr, tree);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_keypair_addr(
- wots_addr, idx_leaf);
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_fors_pk_from_sig(
- root, sig, mhash, pub_seed, wots_addr, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_BYTES;
-
- /* For each subtree.. */
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_D; i++) {
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_layer_addr(tree_addr, i);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_tree_addr(tree_addr, tree);
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_copy_subtree_addr(
- wots_addr, tree_addr);
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_keypair_addr(
- wots_addr, idx_leaf);
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_copy_keypair_addr(
- wots_pk_addr, wots_addr);
-
- /* The WOTS public key is only correct if the signature was correct. */
- /* Initially, root is the FORS pk, but on subsequent iterations it is
- the root of the subtree below the currently processed subtree. 
*/
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_wots_pk_from_sig(
- wots_pk, sig, root, pub_seed, wots_addr, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_BYTES;
-
- /* Compute the leaf node using the WOTS public key. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_thash_WOTS_LEN(
- leaf, wots_pk, pub_seed, wots_pk_addr, &hash_state_seeded);
-
- /* Compute the root node of this subtree. */
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_compute_root(
- root, leaf, idx_leaf, 0, sig, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_TREE_HEIGHT,
- pub_seed, tree_addr, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N;
-
- /* Update the indices for the next layer. */
- idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_TREE_HEIGHT) - 1));
- tree = tree >> PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_TREE_HEIGHT;
- }
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_destroy_hash_function(&hash_state_seeded);
- /* Check if the root node equals the root node in the public key. */
- if (memcmp(root, pub_root, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N) != 0) {
- return -1;
- }
-
- return 0;
-}
-
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen, const uint8_t *sk) {
- size_t siglen;
-
- PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_crypto_sign_signature(
- sm, &siglen, m, mlen, sk);
-
- memmove(sm + PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_BYTES, m, mlen);
- *smlen = siglen + mlen;
-
- return 0;
-}
-
-/**
- * Verifies a given signature-message pair under a given public key. 
- */
-int PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen, const uint8_t *pk) {
- /* The API caller does not necessarily know what size a signature should be
- but SPHINCS+ signatures are always exactly PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_BYTES. */
- if (smlen < PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_BYTES) {
- memset(m, 0, smlen);
- *mlen = 0;
- return -1;
- }
-
- *mlen = smlen - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_BYTES;
-
- if (PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_crypto_sign_verify(
- sm, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_BYTES, sm + PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_BYTES, *mlen, pk)) {
- memset(m, 0, smlen);
- *mlen = 0;
- return -1;
- }
-
- /* If verification was successful, move the message to the right place. */
- memmove(m, sm + PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_BYTES, *mlen);
-
- return 0;
-}
diff --git a/crypto_sign/sphincs-haraka-128f-simple/clean/thash.h b/crypto_sign/sphincs-haraka-128f-simple/clean/thash.h
deleted file mode 100644
index 77cbb364..00000000
--- a/crypto_sign/sphincs-haraka-128f-simple/clean/thash.h
+++ /dev/null
@@ -1,28 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_THASH_H -#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_THASH_H - -#include "hash_state.h" - -#include - -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-128f-simple/clean/thash_haraka_simple.c b/crypto_sign/sphincs-haraka-128f-simple/clean/thash_haraka_simple.c deleted file mode 100644 index d51a717e..00000000 --- a/crypto_sign/sphincs-haraka-128f-simple/clean/thash_haraka_simple.c +++ /dev/null 
@@ -1,83 +0,0 @@ -#include -#include - -#include "address.h" -#include "params.h" -#include "thash.h" - -#include "haraka.h" - -/** - * Takes an array of inblocks concatenated arrays of PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N bytes. - */ -static void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_thash( - unsigned char *out, unsigned char *buf, - const unsigned char *in, unsigned int inblocks, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char outbuf[32]; - unsigned char buf_tmp[64]; - - (void)pub_seed; /* Suppress an 'unused parameter' warning. */ - - if (inblocks == 1) { - /* F function */ - /* Since PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N may be smaller than 32, we need a temporary buffer. */ - memset(buf_tmp, 0, 64); - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_addr_to_bytes(buf_tmp, addr); - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_BYTES, in, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N); - - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka512(outbuf, buf_tmp, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N); - } else { - /* All other tweakable hashes*/ - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_addr_to_bytes(buf, addr); - memcpy(buf + PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N); - - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_haraka_S( - out, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, buf, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_BYTES + inblocks * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, hash_state_seeded); - } -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_BYTES + 1 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N]; - 
PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_thash( - out, buf, in, 1, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_BYTES + 2 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_thash( - out, buf, in, 2, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_LEN * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_thash( - out, buf, in, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_LEN, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_thash( - out, buf, in, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_TREES, pub_seed, addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-128f-simple/clean/utils.c b/crypto_sign/sphincs-haraka-128f-simple/clean/utils.c deleted file mode 100644 index 6edbd137..00000000 --- a/crypto_sign/sphincs-haraka-128f-simple/clean/utils.c +++ /dev/null 
@@ -1,199 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" -#include "utils.h" - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in) { - - /* Iterate over out in decreasing order, for big-endianness. */ - for (size_t i = outlen; i > 0; i--) { - out[i - 1] = in & 0xff; - in = in >> 8; - } -} - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_bytes_to_ull( - const unsigned char *in, size_t inlen) { - unsigned long long retval = 0; - - for (size_t i = 0; i < inlen; i++) { - retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i)); - } - return retval; -} - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - unsigned char buffer[2 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N]; - - /* If leaf_idx is odd (last bit = 1), current path element is a right child - and auth_path has to go left. Otherwise it is the other way around. 
*/ - if (leaf_idx & 1) { - memcpy(buffer + PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, leaf, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N); - } else { - memcpy(buffer, leaf, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, auth_path, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N; - - for (i = 0; i < tree_height - 1; i++) { - leaf_idx >>= 1; - idx_offset >>= 1; - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_tree_height(addr, i + 1); - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_tree_index( - addr, leaf_idx + idx_offset); - - /* Pick the right or left neighbor, depending on parity of the node. */ - if (leaf_idx & 1) { - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_thash_2( - buffer + PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N); - } else { - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_thash_2( - buffer, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, auth_path, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N; - } - - /* The last iteration is exceptional; we do not copy an auth_path node. */ - leaf_idx >>= 1; - idx_offset >>= 1; - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_tree_height(addr, tree_height); - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_tree_index( - addr, leaf_idx + idx_offset); - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_thash_2( - root, buffer, pub_seed, addr, hash_state_seeded); -} - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. 
PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -static void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_treehash( - unsigned char *root, unsigned char *auth_path, - unsigned char *stack, unsigned int *heights, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - - unsigned int offset = 0; - uint32_t idx; - uint32_t tree_idx; - - for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) { - /* Add the next leaf node to the stack. */ - gen_leaf(stack + offset * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, - sk_seed, pub_seed, idx + idx_offset, tree_addr, - hash_state_seeded); - offset++; - heights[offset - 1] = 0; - - /* If this is a node we need for the auth path.. */ - if ((leaf_idx ^ 0x1) == idx) { - memcpy(auth_path, stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N); - } - - /* While the top-most nodes are of equal height.. */ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { - /* Compute index of the new node, in the next layer. */ - tree_idx = (idx >> (heights[offset - 1] + 1)); - - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_tree_height( - tree_addr, heights[offset - 1] + 1); - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_tree_index( - tree_addr, tree_idx + (idx_offset >> (heights[offset - 1] + 1))); - /* Hash the top-most nodes from the stack together. 
*/ - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_thash_2( - stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, - pub_seed, tree_addr, hash_state_seeded); - offset--; - /* Note that the top-most node is now one layer higher. */ - heights[offset - 1]++; - - /* If this is a node we need for the auth path.. */ - if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) { - memcpy(auth_path + heights[offset - 1]*PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, - stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N); - } - } - } - memcpy(root, stack, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N); -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_FORS_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* 
leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_TREE_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_TREE_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_TREE_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-128f-simple/clean/utils.h b/crypto_sign/sphincs-haraka-128f-simple/clean/utils.h deleted file mode 100644 index a3814bae..00000000 --- a/crypto_sign/sphincs-haraka-128f-simple/clean/utils.h +++ /dev/null 
@@ -1,64 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_UTILS_H -#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_UTILS_H - -#include "hash_state.h" -#include "params.h" -#include -#include - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in); - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_bytes_to_ull( - const unsigned char *in, size_t inlen); - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. 
- */ -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-128f-simple/clean/wots.c b/crypto_sign/sphincs-haraka-128f-simple/clean/wots.c deleted file mode 100644 index af3d72bb..00000000 --- a/crypto_sign/sphincs-haraka-128f-simple/clean/wots.c +++ /dev/null 
@@ -1,167 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - -// TODO clarify address expectations, and make them more uniform. -// TODO i.e. do we expect types to be set already? -// TODO and do we expect modifications or copies? - -/** - * Computes the starting value for a chain, i.e. the secret key. - * Expects the address to be complete up to the chain address. - */ -static void wots_gen_sk(unsigned char *sk, const unsigned char *sk_seed, - uint32_t wots_addr[8], - const hash_state *hash_state_seeded) { - /* Make sure that the hash address is actually zeroed. */ - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_hash_addr(wots_addr, 0); - - /* Generate sk element. */ - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_prf_addr(sk, sk_seed, wots_addr, hash_state_seeded); -} - -/** - * Computes the chaining function. - * out and in have to be n-byte arrays. - * - * Interprets in as start-th value of the chain. - * addr has to contain the address of the chain. - */ -static void gen_chain(unsigned char *out, const unsigned char *in, - unsigned int start, unsigned int steps, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - - /* Initialize out with the value at position 'start'. */ - memcpy(out, in, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N); - - /* Iterate 'steps' calls to the hash function. */ - for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_W; i++) { - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_hash_addr(addr, i); - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_thash_1( - out, out, pub_seed, addr, hash_state_seeded); - } -} - -/** - * base_w algorithm as described in draft. - * Interprets an array of bytes as integers in base w. - * This only works when log_w is a divisor of 8. 
- */ -static void base_w(unsigned int *output, const size_t out_len, - const unsigned char *input) { - size_t in = 0; - size_t out = 0; - unsigned char total = 0; - unsigned int bits = 0; - size_t consumed; - - for (consumed = 0; consumed < out_len; consumed++) { - if (bits == 0) { - total = input[in]; - in++; - bits += 8; - } - bits -= PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_LOGW; - output[out] = (unsigned int)((total >> bits) & (PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_W - 1)); - out++; - } -} - -/* Computes the WOTS+ checksum over a message (in base_w). */ -static void wots_checksum(unsigned int *csum_base_w, - const unsigned int *msg_base_w) { - unsigned int csum = 0; - unsigned char csum_bytes[(PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_LOGW + 7) / 8]; - unsigned int i; - - /* Compute checksum. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_LEN1; i++) { - csum += PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_W - 1 - msg_base_w[i]; - } - - /* Convert checksum to base_w. */ - /* Make sure expected empty zero bits are the least significant bits. */ - csum = csum << (8 - ((PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_LOGW) % 8)); - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_ull_to_bytes( - csum_bytes, sizeof(csum_bytes), csum); - base_w(csum_base_w, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_LEN2, csum_bytes); -} - -/* Takes a message and derives the matching chain lengths. */ -static void chain_lengths(unsigned int *lengths, const unsigned char *msg) { - base_w(lengths, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_LEN1, msg); - wots_checksum(lengths + PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_LEN1, lengths); -} - -/** - * WOTS key generation. Takes a 32 byte sk_seed, expands it to WOTS private key - * elements and computes the corresponding public key. 
- * It requires the seed pub_seed (used to generate bitmasks and hash keys) - * and the address of this WOTS key pair. - * - * Writes the computed public key to 'pk'. - */ -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_wots_gen_pk( - unsigned char *pk, const unsigned char *sk_seed, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_chain_addr(addr, i); - wots_gen_sk(pk + i * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, sk_seed, addr, hash_state_seeded); - gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, pk + i * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, - 0, PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_W - 1, pub_seed, addr, hash_state_seeded); - } -} - -/** - * Takes a n-byte message and the 32-byte sk_see to compute a signature 'sig'. - */ -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_wots_sign( - unsigned char *sig, const unsigned char *msg, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t addr[8], const hash_state *hash_state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_chain_addr(addr, i); - wots_gen_sk(sig + i * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, sk_seed, addr, hash_state_seeded); - gen_chain(sig + i * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, sig + i * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, 0, lengths[i], pub_seed, addr, hash_state_seeded); - } -} - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. 
- */ -void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_wots_pk_from_sig( - unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_set_chain_addr(addr, i); - gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, sig + i * PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_N, - lengths[i], PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_W - 1 - lengths[i], pub_seed, addr, - hash_state_seeded); - } -} diff --git a/crypto_sign/sphincs-haraka-128f-simple/clean/wots.h b/crypto_sign/sphincs-haraka-128f-simple/clean/wots.h deleted file mode 100644 index 2b1092d0..00000000 --- a/crypto_sign/sphincs-haraka-128f-simple/clean/wots.h +++ /dev/null 
@@ -1,41 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_H
-#define PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_WOTS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-
-/**
- * WOTS key generation. Takes a 32 byte seed for the private key, expands it to
- * a full WOTS private key and computes the corresponding public key.
- * It requires the seed pub_seed (used to generate bitmasks and hash keys)
- * and the address of this WOTS key pair.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_wots_gen_pk(
- unsigned char *pk, const unsigned char *sk_seed,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * Takes a n-byte message and the 32-byte seed for the private key to compute a
- * signature that is placed at 'sig'.
- */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_wots_sign(
- unsigned char *sig, const unsigned char *msg,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA128FSIMPLE_CLEAN_wots_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-robust/META.yml b/crypto_sign/sphincs-haraka-128s-robust/META.yml
deleted file mode 100644
index a346153c..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/META.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-name: SPHINCS+
-type: signature
-claimed-nist-level: 1
-length-public-key: 32
-length-secret-key: 64
-length-signature: 8080
-testvectors-sha256: b39fd1f6f34923b4c0696b72a1242f5a9e45df48eb28dcb9a53e4ba9955e130c
-nistkat-sha256: de504b1aa6ee3cc6513a0da3511414b5d2472c5bd9efa780239518876c4e9fb2
-principal-submitters:
- - Andreas Hülsing
-auxiliary-submitters:
- - Jean-Philippe Aumasson
- - Daniel J. Bernstein,
- - Christoph Dobraunig
- - Maria Eichlseder
- - Scott Fluhrer
- - Stefan-Lukas Gazdag
- - Panos Kampanakis
- - Stefan Kölbl
- - Tanja Lange
- - Martin M. Lauridsen
- - Florian Mendel
- - Ruben Niederhagen
- - Christian Rechberger
- - Joost Rijneveld
- - Peter Schwabe
-implementations:
- - name: clean
- version: https://github.com/sphincs/sphincsplus/commit/77755c94d0bc744478044d6efbb888dc13156441
- - name: aesni
- version: https://github.com/sphincs/sphincsplus/commit/77755c94d0bc744478044d6efbb888dc13156441
- supported_platforms:
- - architecture: x86_64
- required_flags:
- - aes
diff --git a/crypto_sign/sphincs-haraka-128s-robust/aesni/LICENSE b/crypto_sign/sphincs-haraka-128s-robust/aesni/LICENSE
deleted file mode 100644
index 670154e3..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/aesni/LICENSE
+++ /dev/null
@@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. 
publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. 
Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. 
Affirmer offers the Work as-is and makes no representations or warranties - of any kind concerning the Work, express, implied, statutory or otherwise, - including without limitation warranties of title, merchantability, fitness - for a particular purpose, non infringement, or the absence of latent or - other defects, accuracy, or the present or absence of errors, whether or not - discoverable, all to the greatest extent permissible under applicable law. - - c. Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without limitation - any person's Copyright and Related Rights in the Work. Further, Affirmer - disclaims responsibility for obtaining any necessary consents, permissions - or other rights required for any use of the Work. - - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to this - CC0 or use of the Work. - -For more information, please see - diff --git a/crypto_sign/sphincs-haraka-128s-robust/aesni/Makefile.Microsoft_nmake b/crypto_sign/sphincs-haraka-128s-robust/aesni/Makefile.Microsoft_nmake deleted file mode 100644 index 2b773628..00000000 --- a/crypto_sign/sphincs-haraka-128s-robust/aesni/Makefile.Microsoft_nmake +++ /dev/null 
@@ -1,23 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libsphincs-haraka-128s-robust_aesni.lib
-OBJECTS=address.obj wots.obj utils.obj utilsx4.obj fors.obj sign.obj hash_haraka.obj thash_haraka_robust.obj hash_harakax4.obj thash_haraka_robustx4.obj haraka.obj
-
-# We ignore warning C4127: in thash_haraka_*x4.c we use a conditional
-# that when the macro is generated for inblocks = 1 results in a case
-# with `if (1 == 1)`. The compiler should just optimise this away, but
-# on MSVC we get a compiler complaint.
-CFLAGS=/nologo /arch:AVX /O2 /I ..\..\..\common /W4 /WX /wd4127
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_sign/sphincs-haraka-128s-robust/aesni/address.c b/crypto_sign/sphincs-haraka-128s-robust/aesni/address.c
deleted file mode 100644
index d3a28e4d..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/aesni/address.c
+++ /dev/null
@@ -1,78 +0,0 @@
-#include
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]) {
- int i;
-
- for (i = 0; i < 8; i++) {
- PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ull_to_bytes(
- bytes + i * 4, 4, addr[i]);
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_layer_addr(
- uint32_t addr[8], uint32_t layer) {
- addr[0] = layer;
-}
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_addr(
- uint32_t addr[8], uint64_t tree) {
- addr[1] = 0;
- addr[2] = (uint32_t) (tree >> 32);
- addr[3] = (uint32_t) tree;
-}
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_type(
- uint32_t addr[8], uint32_t type) {
- addr[4] = type;
-}
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
-}
-
-/* These functions are used for OTS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair) {
- addr[5] = keypair;
-}
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
- out[5] = in[5];
-}
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_chain_addr(
- uint32_t addr[8], uint32_t chain) {
- addr[6] = chain;
-}
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_hash_addr(
- uint32_t addr[8], uint32_t hash) {
- addr[7] = hash;
-}
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_height(
- uint32_t addr[8], uint32_t tree_height) {
- addr[6] = tree_height;
-}
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_index(
- uint32_t addr[8], uint32_t tree_index) {
- addr[7] = tree_index;
-}
diff --git a/crypto_sign/sphincs-haraka-128s-robust/aesni/address.h b/crypto_sign/sphincs-haraka-128s-robust/aesni/address.h
deleted file mode 100644
index 15247349..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/aesni/address.h
+++ /dev/null
@@ -1,50 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDRESS_H
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDRESS_H
-
-#include
-
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_WOTS 0
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_WOTSPK 1
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_HASHTREE 2
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_FORSTREE 3
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_FORSPK 4
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]);
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_layer_addr(
- uint32_t addr[8], uint32_t layer);
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_addr(
- uint32_t addr[8], uint64_t tree);
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_type(
- uint32_t addr[8], uint32_t type);
-
-/* Copies the layer and tree part of one address into the other */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for WOTS and FORS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair);
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_chain_addr(
- uint32_t addr[8], uint32_t chain);
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_hash_addr(
- uint32_t addr[8], uint32_t hash);
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_height(
- uint32_t addr[8], uint32_t tree_height);
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_index(
- uint32_t addr[8], uint32_t tree_index);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-robust/aesni/api.h b/crypto_sign/sphincs-haraka-128s-robust/aesni/api.h
deleted file mode 100644
index 54e4264e..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/aesni/api.h
+++ /dev/null
@@ -1,81 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_API_H
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_API_H
-
-#include
-#include
-
-
-
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_CRYPTO_ALGNAME "SPHINCS+"
-
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_CRYPTO_SECRETKEYBYTES 64
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_CRYPTO_PUBLICKEYBYTES 32
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_CRYPTO_BYTES 8080
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_CRYPTO_SEEDBYTES 48
-
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_crypto_sign_seed_keypair(
- uint8_t *pk, uint8_t *sk, const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_crypto_sign_keypair(
- uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-int PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen, const uint8_t *pk);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-robust/aesni/fors.c b/crypto_sign/sphincs-haraka-128s-robust/aesni/fors.c
deleted file mode 100644
index 9b8e500f..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/aesni/fors.c
+++ /dev/null
@@ -1,206 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "fors.h" -#include "hash.h" -#include "hashx4.h" -#include "thash.h" -#include "thashx4.h" -#include "utils.h" -#include "utilsx4.h" - -static void fors_gen_skx4(unsigned char *sk0, - unsigned char *sk1, - unsigned char *sk2, - unsigned char *sk3, const unsigned char *sk_seed, - uint32_t fors_leaf_addrx4[4 * 8], - const hash_state *state_seeded) { - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_prf_addrx4(sk0, sk1, sk2, sk3, sk_seed, fors_leaf_addrx4, state_seeded); -} - -static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk, - const unsigned char *pub_seed, - uint32_t fors_leaf_addr[8], const hash_state *state_seeded) { - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thash_1(leaf, sk, pub_seed, fors_leaf_addr, state_seeded); -} - -static void fors_sk_to_leafx4(unsigned char *leaf0, - unsigned char *leaf1, - unsigned char *leaf2, - unsigned char *leaf3, - const unsigned char *sk0, - const unsigned char *sk1, - const unsigned char *sk2, - const unsigned char *sk3, - const unsigned char *pub_seed, - uint32_t fors_leaf_addrx4[4 * 8], - const hash_state *state_seeded) { - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thashx4_1(leaf0, leaf1, leaf2, leaf3, - sk0, sk1, sk2, sk3, pub_seed, fors_leaf_addrx4, state_seeded); -} - -static void fors_gen_leafx4(unsigned char *leaf0, - unsigned char *leaf1, - unsigned char *leaf2, - unsigned char *leaf3, - const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx0, - uint32_t addr_idx1, - uint32_t addr_idx2, - uint32_t addr_idx3, - const uint32_t fors_tree_addr[8], - const hash_state *state_seeded) { - uint32_t fors_leaf_addrx4[4 * 8] = {0}; - unsigned int j; - - /* Only copy the parts that must be kept in fors_leaf_addrx4. 
*/ - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_copy_keypair_addr(fors_leaf_addrx4 + j * 8, fors_tree_addr); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_type(fors_leaf_addrx4 + j * 8, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_FORSTREE); - } - - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_index(fors_leaf_addrx4 + 0 * 8, addr_idx0); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_index(fors_leaf_addrx4 + 1 * 8, addr_idx1); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_index(fors_leaf_addrx4 + 2 * 8, addr_idx2); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_index(fors_leaf_addrx4 + 3 * 8, addr_idx3); - - fors_gen_skx4(leaf0, leaf1, leaf2, leaf3, sk_seed, fors_leaf_addrx4, state_seeded); - fors_sk_to_leafx4(leaf0, leaf1, leaf2, leaf3, - leaf0, leaf1, leaf2, leaf3, pub_seed, fors_leaf_addrx4, state_seeded); -} - -/** - * Interprets m as PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT-bit unsigned integers. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES bits. - * Assumes indices has space for PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES integers. - */ -static void message_to_indices(uint32_t *indices, const unsigned char *m) { - unsigned int i, j; - unsigned int offset = 0; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES; i++) { - indices[i] = 0; - for (j = 0; j < PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT; j++) { - indices[i] ^= (((uint32_t)m[offset >> 3] >> (offset & 0x7)) & 0x1) << j; - offset++; - } - } -} - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES bits. 
- */ -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_fors_sign(unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const unsigned char *sk_seed, const unsigned char *pub_seed, - const uint32_t fors_addr[8], const hash_state *state_seeded) { - /* Round up to multiple of 4 to prevent out-of-bounds for x4 parallelism */ - uint32_t indices[(PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES + 3) & ~3] = {0}; - unsigned char roots[((PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES + 3) & ~3) * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N]; - /* Sign to a buffer, since we may not have a nice multiple of 4 and would - otherwise overrun the signature. */ - unsigned char sigbufx4[4 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N * (1 + PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT)]; - uint32_t fors_tree_addrx4[4 * 8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset[4] = {0}; - unsigned int i, j; - - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_copy_keypair_addr(fors_tree_addrx4 + j * 8, fors_addr); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_type(fors_tree_addrx4 + j * 8, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_FORSTREE); - } - - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_copy_keypair_addr(fors_pk_addr, fors_addr); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < ((PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES + 3) & ~0x3); i += 4) { - for (j = 0; j < 4; j++) { - if (i + j < PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES) { - idx_offset[j] = (i + j) * (1 << PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT); - - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_height(fors_tree_addrx4 + j * 8, 0); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_index(fors_tree_addrx4 + j * 8, - indices[i + j] + idx_offset[j]); - } - } - - /* Include the secret key part that produces the selected leaf nodes. 
*/ - fors_gen_skx4(sigbufx4 + 0 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, - sigbufx4 + 1 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, - sigbufx4 + 2 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, - sigbufx4 + 3 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, - sk_seed, fors_tree_addrx4, state_seeded); - - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_treehashx4_FORS_HEIGHT(roots + i * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, sigbufx4 + 4 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, sk_seed, pub_seed, - &indices[i], idx_offset, fors_gen_leafx4, fors_tree_addrx4, - state_seeded); - - for (j = 0; j < 4; j++) { - if (i + j < PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES) { - memcpy(sig, sigbufx4 + j * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N); - memcpy(sig + PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, - sigbufx4 + 4 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N + j * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT, - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT); - sig += PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N * (1 + PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT); - } - } - } - - /* Hash horizontally across all tree roots to derive the public key. */ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, state_seeded); -} - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES bits. 
- */ -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_fors_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const unsigned char *pub_seed, - const uint32_t fors_addr[8], - const hash_state *state_seeded) { - uint32_t indices[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES]; - unsigned char roots[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N]; - uint32_t fors_tree_addr[8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_copy_keypair_addr(fors_tree_addr, fors_addr); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_copy_keypair_addr(fors_pk_addr, fors_addr); - - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_type(fors_tree_addr, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_FORSTREE); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES; i++) { - idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT); - - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_height(fors_tree_addr, 0); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_index(fors_tree_addr, indices[i] + idx_offset); - - /* Derive the leaf from the included secret key part. */ - fors_sk_to_leaf(leaf, sig, pub_seed, fors_tree_addr, state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N; - - /* Derive the corresponding root node of this tree. 
*/
- PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_compute_root(roots + i * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, leaf, indices[i], idx_offset,
- sig, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT, pub_seed, fors_tree_addr,
- state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, state_seeded);
-}
diff --git a/crypto_sign/sphincs-haraka-128s-robust/aesni/fors.h b/crypto_sign/sphincs-haraka-128s-robust/aesni/fors.h
deleted file mode 100644
index bc9e2d76..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/aesni/fors.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_H
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_H
-
-#include
-
-#include "hash_state.h"
-#include "params.h"
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_fors_sign(
- unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- const uint32_t fors_addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_fors_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const unsigned char *pub_seed, const uint32_t fors_addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-robust/aesni/haraka.c b/crypto_sign/sphincs-haraka-128s-robust/aesni/haraka.c
deleted file mode 100644
index 0c866b32..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/aesni/haraka.c
+++ /dev/null
@@ -1,801 +0,0 @@ -/* -Plain C implementation of the Haraka256 and Haraka512 permutations. -*/ -#include -#include -#include -#include -#include - -#include "haraka.h" - -#define HARAKAS_RATE 32 - -#define u64 uint64_t -#define u128 __m128i - -#define LOAD(src) _mm_loadu_si128((u128 *)(src)) -#define STORE(dest,src) _mm_storeu_si128((u128 *)(dest),src) - -#define XOR128(a, b) _mm_xor_si128(a, b) - -#define AES2(s0, s1, rci) \ - (s0) = _mm_aesenc_si128(s0, *(rci)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 1)); \ - (s0) = _mm_aesenc_si128(s0, *((rci) + 2)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 3)); - -#define AES2_4x(s0, s1, s2, s3, rci) \ - AES2((s0)[0], (s0)[1], rci); \ - AES2((s1)[0], (s1)[1], rci); \ - AES2((s2)[0], (s2)[1], rci); \ - AES2((s3)[0], (s3)[1], rci); - -#define AES4(s0, s1, s2, s3, rci) \ - (s0) = _mm_aesenc_si128(s0, *(rci)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 1)); \ - (s2) = _mm_aesenc_si128(s2, *((rci) + 2)); \ - (s3) = _mm_aesenc_si128(s3, *((rci) + 3)); \ - (s0) = _mm_aesenc_si128(s0, *((rci) + 4)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 5)); \ - (s2) = _mm_aesenc_si128(s2, *((rci) + 6)); \ - (s3) = _mm_aesenc_si128(s3, *((rci) + 7)); - -#define AES4_4x(s0, s1, s2, s3, rci) \ - AES4((s0)[0], (s0)[1], (s0)[2], (s0)[3], rci); \ - AES4((s1)[0], (s1)[1], (s1)[2], (s1)[3], rci); \ - AES4((s2)[0], (s2)[1], (s2)[2], (s2)[3], rci); \ - AES4((s3)[0], (s3)[1], (s3)[2], (s3)[3], rci); - -#define MIX2(s0, s1) \ - tmp = _mm_unpacklo_epi32(s0, s1); \ - (s1) = _mm_unpackhi_epi32(s0, s1); \ - (s0) = tmp; - -#define MIX4(s0, s1, s2, s3) \ - tmp = _mm_unpacklo_epi32(s0, s1); \ - (s0) = _mm_unpackhi_epi32(s0, s1); \ - (s1) = _mm_unpacklo_epi32(s2, s3); \ - (s2) = _mm_unpackhi_epi32(s2, s3); \ - (s3) = _mm_unpacklo_epi32(s0, s2); \ - (s0) = _mm_unpackhi_epi32(s0, s2); \ - (s2) = _mm_unpackhi_epi32(s1, tmp); \ - (s1) = _mm_unpacklo_epi32(s1, tmp); - -#define TRUNCSTORE(out, s0, s1, s2, s3) \ - _mm_storeu_si128((u128 *)(out), \ - 
_mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(s0), _mm_castsi128_pd(s1), 3))); \ - _mm_storeu_si128((u128 *)((out) + 16), \ - _mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(s2), _mm_castsi128_pd(s3), 0))); - -static void load_haraka_constants(u128 rc[40]) { - rc[ 0] = _mm_set_epi32((int)0x0684704c, (int)0xe620c00a, (int)0xb2c5fef0, (int)0x75817b9d); - rc[ 1] = _mm_set_epi32((int)0x8b66b4e1, (int)0x88f3a06b, (int)0x640f6ba4, (int)0x2f08f717); - rc[ 2] = _mm_set_epi32((int)0x3402de2d, (int)0x53f28498, (int)0xcf029d60, (int)0x9f029114); - rc[ 3] = _mm_set_epi32((int)0x0ed6eae6, (int)0x2e7b4f08, (int)0xbbf3bcaf, (int)0xfd5b4f79); - rc[ 4] = _mm_set_epi32((int)0xcbcfb0cb, (int)0x4872448b, (int)0x79eecd1c, (int)0xbe397044); - rc[ 5] = _mm_set_epi32((int)0x7eeacdee, (int)0x6e9032b7, (int)0x8d5335ed, (int)0x2b8a057b); - rc[ 6] = _mm_set_epi32((int)0x67c28f43, (int)0x5e2e7cd0, (int)0xe2412761, (int)0xda4fef1b); - rc[ 7] = _mm_set_epi32((int)0x2924d9b0, (int)0xafcacc07, (int)0x675ffde2, (int)0x1fc70b3b); - rc[ 8] = _mm_set_epi32((int)0xab4d63f1, (int)0xe6867fe9, (int)0xecdb8fca, (int)0xb9d465ee); - rc[ 9] = _mm_set_epi32((int)0x1c30bf84, (int)0xd4b7cd64, (int)0x5b2a404f, (int)0xad037e33); - rc[10] = _mm_set_epi32((int)0xb2cc0bb9, (int)0x941723bf, (int)0x69028b2e, (int)0x8df69800); - rc[11] = _mm_set_epi32((int)0xfa0478a6, (int)0xde6f5572, (int)0x4aaa9ec8, (int)0x5c9d2d8a); - rc[12] = _mm_set_epi32((int)0xdfb49f2b, (int)0x6b772a12, (int)0x0efa4f2e, (int)0x29129fd4); - rc[13] = _mm_set_epi32((int)0x1ea10344, (int)0xf449a236, (int)0x32d611ae, (int)0xbb6a12ee); - rc[14] = _mm_set_epi32((int)0xaf044988, (int)0x4b050084, (int)0x5f9600c9, (int)0x9ca8eca6); - rc[15] = _mm_set_epi32((int)0x21025ed8, (int)0x9d199c4f, (int)0x78a2c7e3, (int)0x27e593ec); - rc[16] = _mm_set_epi32((int)0xbf3aaaf8, (int)0xa759c9b7, (int)0xb9282ecd, (int)0x82d40173); - rc[17] = _mm_set_epi32((int)0x6260700d, (int)0x6186b017, (int)0x37f2efd9, (int)0x10307d6b); - rc[18] = _mm_set_epi32((int)0x5aca45c2, 
(int)0x21300443, (int)0x81c29153, (int)0xf6fc9ac6); - rc[19] = _mm_set_epi32((int)0x9223973c, (int)0x226b68bb, (int)0x2caf92e8, (int)0x36d1943a); - rc[20] = _mm_set_epi32((int)0xd3bf9238, (int)0x225886eb, (int)0x6cbab958, (int)0xe51071b4); - rc[21] = _mm_set_epi32((int)0xdb863ce5, (int)0xaef0c677, (int)0x933dfddd, (int)0x24e1128d); - rc[22] = _mm_set_epi32((int)0xbb606268, (int)0xffeba09c, (int)0x83e48de3, (int)0xcb2212b1); - rc[23] = _mm_set_epi32((int)0x734bd3dc, (int)0xe2e4d19c, (int)0x2db91a4e, (int)0xc72bf77d); - rc[24] = _mm_set_epi32((int)0x43bb47c3, (int)0x61301b43, (int)0x4b1415c4, (int)0x2cb3924e); - rc[25] = _mm_set_epi32((int)0xdba775a8, (int)0xe707eff6, (int)0x03b231dd, (int)0x16eb6899); - rc[26] = _mm_set_epi32((int)0x6df3614b, (int)0x3c755977, (int)0x8e5e2302, (int)0x7eca472c); - rc[27] = _mm_set_epi32((int)0xcda75a17, (int)0xd6de7d77, (int)0x6d1be5b9, (int)0xb88617f9); - rc[28] = _mm_set_epi32((int)0xec6b43f0, (int)0x6ba8e9aa, (int)0x9d6c069d, (int)0xa946ee5d); - rc[29] = _mm_set_epi32((int)0xcb1e6950, (int)0xf957332b, (int)0xa2531159, (int)0x3bf327c1); - rc[30] = _mm_set_epi32((int)0x2cee0c75, (int)0x00da619c, (int)0xe4ed0353, (int)0x600ed0d9); - rc[31] = _mm_set_epi32((int)0xf0b1a5a1, (int)0x96e90cab, (int)0x80bbbabc, (int)0x63a4a350); - rc[32] = _mm_set_epi32((int)0xae3db102, (int)0x5e962988, (int)0xab0dde30, (int)0x938dca39); - rc[33] = _mm_set_epi32((int)0x17bb8f38, (int)0xd554a40b, (int)0x8814f3a8, (int)0x2e75b442); - rc[34] = _mm_set_epi32((int)0x34bb8a5b, (int)0x5f427fd7, (int)0xaeb6b779, (int)0x360a16f6); - rc[35] = _mm_set_epi32((int)0x26f65241, (int)0xcbe55438, (int)0x43ce5918, (int)0xffbaafde); - rc[36] = _mm_set_epi32((int)0x4ce99a54, (int)0xb9f3026a, (int)0xa2ca9cf7, (int)0x839ec978); - rc[37] = _mm_set_epi32((int)0xae51a51a, (int)0x1bdff7be, (int)0x40c06e28, (int)0x22901235); - rc[38] = _mm_set_epi32((int)0xa0c1613c, (int)0xba7ed22b, (int)0xc173bc0f, (int)0x48a659cf); - rc[39] = _mm_set_epi32((int)0x756acc03, (int)0x02288288, 
(int)0x4ad6bdfd, (int)0xe9c59da1); -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_tweak_constants( - harakactx *state, - const unsigned char *pk_seed, const unsigned char *sk_seed, - unsigned long long seed_length) { - int i; - unsigned char buf[40 * 16]; - - /* Use the standard constants to generate tweaked ones. */ - load_haraka_constants(state->rc); - - /* Constants for sk.seed */ - if (sk_seed != NULL) { - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_S(buf, 40 * 16, sk_seed, seed_length, state); - /* Tweak constants with the pub_seed */ - for (i = 0; i < 40; i++) { - state->rc_sseed[i] = LOAD(buf + i * 16); - } - } - - /* Constants for pk.seed */ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_S(buf, 40 * 16, pk_seed, seed_length, state); - - /* Tweak constants with the pub_seed */ - for (i = 0; i < 40; i++) { - state->rc[i] = LOAD(buf + i * 16); - } -} - -static void haraka_S_absorb(unsigned char *s, - const unsigned char *m, unsigned long long mlen, - unsigned char p, - const harakactx *state) { - unsigned long long i; - unsigned char t[HARAKAS_RATE]; - - while (mlen >= HARAKAS_RATE) { - // XOR block to state - STORE(s, XOR128(LOAD(s), LOAD(m))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(m + 16))); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka512_perm(s, s, state); - mlen -= HARAKAS_RATE; - m += HARAKAS_RATE; - } - - for (i = 0; i < HARAKAS_RATE; ++i) { - t[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t[i] = m[i]; - } - t[i] = p; - t[HARAKAS_RATE - 1] |= 128; - STORE(s, XOR128(LOAD(s), LOAD(t))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(t + 16))); -} - -static void haraka_S_absorb4x(unsigned char *s, - const unsigned char *m0, - const unsigned char *m1, - const unsigned char *m2, - const unsigned char *m3, - unsigned long long int mlen, - unsigned char p, - const harakactx *state) { - unsigned long long i; - unsigned char t0[HARAKAS_RATE]; - unsigned char t1[HARAKAS_RATE]; - unsigned char t2[HARAKAS_RATE]; - unsigned char t3[HARAKAS_RATE]; - - while (mlen 
>= HARAKAS_RATE) { - // XOR block to state - STORE(s, XOR128(LOAD(s), LOAD(m0))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(m0 + 16))); - STORE(s + 64, XOR128(LOAD(s + 64), LOAD(m1))); - STORE(s + 80, XOR128(LOAD(s + 80), LOAD(m1 + 16))); - STORE(s + 128, XOR128(LOAD(s + 128), LOAD(m2))); - STORE(s + 144, XOR128(LOAD(s + 144), LOAD(m2 + 16))); - STORE(s + 192, XOR128(LOAD(s + 192), LOAD(m3))); - STORE(s + 208, XOR128(LOAD(s + 208), LOAD(m3 + 16))); - - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka512_perm_x4(s, s, state); - mlen -= HARAKAS_RATE; - m0 += HARAKAS_RATE; - m1 += HARAKAS_RATE; - m2 += HARAKAS_RATE; - m3 += HARAKAS_RATE; - } - - for (i = 0; i < HARAKAS_RATE; ++i) { - t0[i] = 0; - t1[i] = 0; - t2[i] = 0; - t3[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t0[i] = m0[i]; - t1[i] = m1[i]; - t2[i] = m2[i]; - t3[i] = m3[i]; - } - - t0[i] = p; - t1[i] = p; - t2[i] = p; - t3[i] = p; - - t0[HARAKAS_RATE - 1] |= 128; - t1[HARAKAS_RATE - 1] |= 128; - t2[HARAKAS_RATE - 1] |= 128; - t3[HARAKAS_RATE - 1] |= 128; - - STORE(s, XOR128(LOAD(s), LOAD(t0))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(t0 + 16))); - STORE(s + 64, XOR128(LOAD(s + 64), LOAD(t1))); - STORE(s + 80, XOR128(LOAD(s + 80), LOAD(t1 + 16))); - STORE(s + 128, XOR128(LOAD(s + 128), LOAD(t2))); - STORE(s + 144, XOR128(LOAD(s + 144), LOAD(t2 + 16))); - STORE(s + 192, XOR128(LOAD(s + 192), LOAD(t3))); - STORE(s + 208, XOR128(LOAD(s + 208), LOAD(t3 + 16))); -} - -static void haraka_S_squeezeblocks(unsigned char *h, unsigned long long nblocks, - unsigned char *s, unsigned int r, const harakactx *state) { - while (nblocks > 0) { - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka512_perm(s, s, state); - STORE(h, LOAD(s)); - STORE(h + 16, LOAD(s + 16)); - h += r; - nblocks--; - } -} - -static void haraka_S_squeezeblocks4x(unsigned char *h0, - unsigned char *h1, - unsigned char *h2, - unsigned char *h3, - unsigned long long nblocks, - unsigned char *s, - unsigned int r, - const harakactx *state) { - while (nblocks > 0) 
{ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka512_perm_x4(s, s, state); - STORE(h0, LOAD(s)); - STORE(h0 + 16, LOAD(s + 16)); - STORE(h1, LOAD(s + 64)); - STORE(h1 + 16, LOAD(s + 80)); - STORE(h2, LOAD(s + 128)); - STORE(h2 + 16, LOAD(s + 144)); - STORE(h3, LOAD(s + 192)); - STORE(h3 + 16, LOAD(s + 208)); - h0 += r; - h1 += r; - h2 += r; - h3 += r; - nblocks--; - } -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_S_inc_init(uint8_t *s_inc) { - size_t i; - - for (i = 0; i < 64; i++) { - s_inc[i] = 0; - } - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state) { - size_t i; - - /* Recall that s_inc[64] is the non-absorbed bytes xored into the state */ - while (mlen + s_inc[64] >= HARAKAS_RATE) { - for (i = 0; i < (size_t)(HARAKAS_RATE - s_inc[64]); i++) { - /* Take the i'th byte from message - xor with the s_inc[64] + i'th byte of the state */ - s_inc[s_inc[64] + i] ^= m[i]; - } - mlen -= (size_t)(HARAKAS_RATE - s_inc[64]); - m += HARAKAS_RATE - s_inc[64]; - s_inc[64] = 0; - - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka512_perm(s_inc, s_inc, state); - } - - for (i = 0; i < mlen; i++) { - s_inc[s_inc[64] + i] ^= m[i]; - } - s_inc[64] = (uint8_t)(s_inc[64] + mlen); -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_S_inc_finalize(uint8_t *s_inc) { - /* After haraka_S_inc_absorb, we are guaranteed that s_inc[64] < HARAKAS_RATE, - so we can always use one more byte for p in the current state. */ - s_inc[s_inc[64]] ^= 0x1F; - s_inc[HARAKAS_RATE - 1] ^= 128; - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state) { - size_t i; - - /* First consume any bytes we still have sitting around */ - for (i = 0; i < outlen && i < s_inc[64]; i++) { - /* There are s_inc[64] bytes left, so r - s_inc[64] is the first - available byte. We consume from there, i.e., up to r. 
*/ - out[i] = (uint8_t)s_inc[(HARAKAS_RATE - s_inc[64] + (uint8_t)i)]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(s_inc[64] - i); - - /* Then squeeze the remaining necessary blocks */ - while (outlen > 0) { - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka512_perm(s_inc, s_inc, state); - - for (i = 0; i < outlen && i < HARAKAS_RATE; i++) { - out[i] = s_inc[i]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(HARAKAS_RATE - i); - } -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_S(unsigned char *out, unsigned long long outlen, - const unsigned char *in, unsigned long long inlen, const harakactx *state) { - unsigned long long i; - unsigned char s[64]; - unsigned char d[32]; - - for (i = 0; i < 64; i++) { - s[i] = 0; - } - haraka_S_absorb(s, in, inlen, 0x1F, state); - - haraka_S_squeezeblocks(out, outlen / HARAKAS_RATE, s, HARAKAS_RATE, state); - out += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - - if (outlen % HARAKAS_RATE) { - haraka_S_squeezeblocks(d, 1, s, HARAKAS_RATE, state); - for (i = 0; i < outlen % HARAKAS_RATE; i++) { - out[i] = d[i]; - } - } -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_Sx4(unsigned char *out0, - unsigned char *out1, - unsigned char *out2, - unsigned char *out3, - unsigned long long outlen, - const unsigned char *in0, - const unsigned char *in1, - const unsigned char *in2, - const unsigned char *in3, - unsigned long long inlen, - const harakactx *state) { - unsigned long long i; - unsigned char s[64 * 4]; - unsigned char d0[32]; - unsigned char d1[32]; - unsigned char d2[32]; - unsigned char d3[32]; - - for (i = 0; i < 64 * 4; i++) { - s[i] = 0; - } - haraka_S_absorb4x(s, in0, in1, in2, in3, inlen, 0x1F, state); - - haraka_S_squeezeblocks4x(out0, out1, out2, out3, outlen / HARAKAS_RATE, s, HARAKAS_RATE, state); - out0 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out1 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out2 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out3 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - 
- if (outlen % HARAKAS_RATE) { - haraka_S_squeezeblocks4x(d0, d1, d2, d3, 1, s, HARAKAS_RATE, state); - for (i = 0; i < outlen % HARAKAS_RATE; i++) { - out0[i] = d0[i]; - out1[i] = d1[i]; - out2[i] = d2[i]; - out3[i] = d3[i]; - } - } -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - s[2] = LOAD(in + 32); - s[3] = LOAD(in + 48); - - AES4(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0], s[1], s[2], s[3]); - - STORE(out, s[0]); - STORE(out + 16, s[1]); - STORE(out + 32, s[2]); - STORE(out + 48, s[3]); -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka512_perm_x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][4], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[0][2] = LOAD(in + 32); - s[0][3] = LOAD(in + 48); - s[1][0] = LOAD(in + 64); - s[1][1] = LOAD(in + 80); - s[1][2] = LOAD(in + 96); - s[1][3] = LOAD(in + 112); - s[2][0] = LOAD(in + 128); - s[2][1] = LOAD(in + 144); - s[2][2] = LOAD(in + 160); - s[2][3] = LOAD(in + 176); - s[3][0] = LOAD(in + 192); - s[3][1] = LOAD(in + 208); - s[3][2] = LOAD(in + 224); - s[3][3] = LOAD(in + 240); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - 
MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[0][2]); - STORE(out + 48, s[0][3]); - STORE(out + 64, s[1][0]); - STORE(out + 80, s[1][1]); - STORE(out + 96, s[1][2]); - STORE(out + 112, s[1][3]); - STORE(out + 128, s[2][0]); - STORE(out + 144, s[2][1]); - STORE(out + 160, s[2][2]); - STORE(out + 176, s[2][3]); - STORE(out + 192, s[3][0]); - STORE(out + 208, s[3][1]); - STORE(out + 224, s[3][2]); - STORE(out + 240, s[3][3]); -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - s[2] = LOAD(in + 32); - s[3] = LOAD(in + 48); - - AES4(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0], s[1], s[2], s[3]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - s[2] = XOR128(s[2], LOAD(in + 32)); - s[3] = XOR128(s[3], LOAD(in + 48)); - - // truncate and 
store result - TRUNCSTORE(out, s[0], s[1], s[2], s[3]); -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka512x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][4], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[0][2] = LOAD(in + 32); - s[0][3] = LOAD(in + 48); - s[1][0] = LOAD(in + 64); - s[1][1] = LOAD(in + 80); - s[1][2] = LOAD(in + 96); - s[1][3] = LOAD(in + 112); - s[2][0] = LOAD(in + 128); - s[2][1] = LOAD(in + 144); - s[2][2] = LOAD(in + 160); - s[2][3] = LOAD(in + 176); - s[3][0] = LOAD(in + 192); - s[3][1] = LOAD(in + 208); - s[3][2] = LOAD(in + 224); - s[3][3] = LOAD(in + 240); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - s[0][0] = XOR128(s[0][0], LOAD(in)); - s[0][1] = XOR128(s[0][1], LOAD(in + 16)); - s[0][2] = XOR128(s[0][2], LOAD(in + 32)); - s[0][3] = XOR128(s[0][3], LOAD(in + 48)); - s[1][0] = XOR128(s[1][0], LOAD(in + 
64)); - s[1][1] = XOR128(s[1][1], LOAD(in + 80)); - s[1][2] = XOR128(s[1][2], LOAD(in + 96)); - s[1][3] = XOR128(s[1][3], LOAD(in + 112)); - s[2][0] = XOR128(s[2][0], LOAD(in + 128)); - s[2][1] = XOR128(s[2][1], LOAD(in + 144)); - s[2][2] = XOR128(s[2][2], LOAD(in + 160)); - s[2][3] = XOR128(s[2][3], LOAD(in + 176)); - s[3][0] = XOR128(s[3][0], LOAD(in + 192)); - s[3][1] = XOR128(s[3][1], LOAD(in + 208)); - s[3][2] = XOR128(s[3][2], LOAD(in + 224)); - s[3][3] = XOR128(s[3][3], LOAD(in + 240)); - - TRUNCSTORE(out, s[0][0], s[0][1], s[0][2], s[0][3]); - TRUNCSTORE((out + 32), s[1][0], s[1][1], s[1][2], s[1][3]); - TRUNCSTORE((out + 64), s[2][0], s[2][1], s[2][2], s[2][3]); - TRUNCSTORE((out + 96), s[3][0], s[3][1], s[3][2], s[3][3]); -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[2], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - - AES2(s[0], s[1], state->rc); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 4); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 8); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 12); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 16); - MIX2(s[0], s[1]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - - STORE(out, s[0]); - STORE(out + 16, s[1]); -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka256x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][2], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[1][0] = LOAD(in + 32); - s[1][1] = LOAD(in + 48); - s[2][0] = LOAD(in + 64); - s[2][1] = LOAD(in + 80); - s[3][0] = LOAD(in + 96); - s[3][1] = LOAD(in + 112); - - // Round 1 - AES2_4x(s[0], s[1], s[2], s[3], state->rc); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 2 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 4); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - 
MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 3 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 8); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 4 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 12); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 5 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 16); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Feed Forward - s[0][0] = _mm_xor_si128(s[0][0], LOAD(in)); - s[0][1] = _mm_xor_si128(s[0][1], LOAD(in + 16)); - s[1][0] = _mm_xor_si128(s[1][0], LOAD(in + 32)); - s[1][1] = _mm_xor_si128(s[1][1], LOAD(in + 48)); - s[2][0] = _mm_xor_si128(s[2][0], LOAD(in + 64)); - s[2][1] = _mm_xor_si128(s[2][1], LOAD(in + 80)); - s[3][0] = _mm_xor_si128(s[3][0], LOAD(in + 96)); - s[3][1] = _mm_xor_si128(s[3][1], LOAD(in + 112)); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[1][0]); - STORE(out + 48, s[1][1]); - STORE(out + 64, s[2][0]); - STORE(out + 80, s[2][1]); - STORE(out + 96, s[3][0]); - STORE(out + 112, s[3][1]); -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[2], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - - AES2(s[0], s[1], state->rc_sseed); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 4); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 8); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 12); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 16); - MIX2(s[0], s[1]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - - STORE(out, s[0]); - STORE(out + 16, s[1]); -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka256_skx4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][2], tmp; - - 
s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[1][0] = LOAD(in + 32); - s[1][1] = LOAD(in + 48); - s[2][0] = LOAD(in + 64); - s[2][1] = LOAD(in + 80); - s[3][0] = LOAD(in + 96); - s[3][1] = LOAD(in + 112); - - // Round 1 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 2 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 4); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 3 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 8); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 4 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 12); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 5 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 16); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Feed Forward - s[0][0] = XOR128(s[0][0], LOAD(in)); - s[0][1] = XOR128(s[0][1], LOAD(in + 16)); - s[1][0] = XOR128(s[1][0], LOAD(in + 32)); - s[1][1] = XOR128(s[1][1], LOAD(in + 48)); - s[2][0] = XOR128(s[2][0], LOAD(in + 64)); - s[2][1] = XOR128(s[2][1], LOAD(in + 80)); - s[3][0] = XOR128(s[3][0], LOAD(in + 96)); - s[3][1] = XOR128(s[3][1], LOAD(in + 112)); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[1][0]); - STORE(out + 48, s[1][1]); - STORE(out + 64, s[2][0]); - STORE(out + 80, s[2][1]); - STORE(out + 96, s[3][0]); - STORE(out + 112, s[3][1]); -} diff --git a/crypto_sign/sphincs-haraka-128s-robust/aesni/haraka.h b/crypto_sign/sphincs-haraka-128s-robust/aesni/haraka.h deleted file mode 100644 index c664af02..00000000 --- a/crypto_sign/sphincs-haraka-128s-robust/aesni/haraka.h +++ /dev/null 
@@ -1,57 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_HARAKA_H
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_HARAKA_H
-
-#include
-#include
-#include
-
-typedef struct {
- __m128i rc[40];
- __m128i rc_sseed[40];
-} harakactx;
-
-/* Tweak constants with seed */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length);
-
-/* Haraka Sponge */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_S_inc_init(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_S_inc_finalize(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_S(
- unsigned char *out, unsigned long long outlen,
- const unsigned char *in, unsigned long long inlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_Sx4(
- unsigned char *out0,
- unsigned char *out1,
- unsigned char *out2,
- unsigned char *out3,
- unsigned long long outlen,
- const unsigned char *in0,
- const unsigned char *in1,
- const unsigned char *in2,
- const unsigned char *in3,
- unsigned long long inlen,
- const harakactx *state);
-
-
-/* Applies the 512-bit Haraka permutation to in. */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka512_perm_x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-512 */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka512x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka256x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 using sk.seed constants */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka256_skx4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-robust/aesni/hash.h b/crypto_sign/sphincs-haraka-128s-robust/aesni/hash.h
deleted file mode 100644
index 11bf995d..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/aesni/hash.h
+++ /dev/null
@@ -1,31 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_HASH_H
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_HASH_H
-
-#include "hash_state.h"
-
-#include
-#include
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed);
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_destroy_hash_function(hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-robust/aesni/hash_haraka.c b/crypto_sign/sphincs-haraka-128s-robust/aesni/hash_haraka.c
deleted file mode 100644
index 65e6d463..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/aesni/hash_haraka.c
+++ /dev/null
@@ -1,96 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "haraka.h"
-#include "hash.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed) {
- PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_tweak_constants(hash_state_seeded, pub_seed, sk_seed, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N);
-}
-
-/* The haraka implementation is stack based and won't be replaced in PQClean/OQS,
- so we don't need to do anything */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_destroy_hash_function(
- hash_state *hash_state_seeded) { // NOLINT(readability-non-const-parameter)
- (void)hash_state_seeded;
-}
-
-/*
- * Computes PRF(key, addr), given a secret key of PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N bytes and an address
- */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- unsigned char buf[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES];
- /* Since PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N may be smaller than 32, we need a temporary buffer. */
- unsigned char outbuf[32];
-
- (void)key; /* Suppress an 'unused parameter' warning. */
-
- PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_addr_to_bytes(buf, addr);
- PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka256_sk(outbuf, buf, hash_state_seeded);
- memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N);
-}
-
-/**
- * Computes the message-dependent randomness R, using a secret seed and an
- * optional randomization value as well as the message.
- */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded) {
- uint8_t s_inc[65];
-
- PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_S_inc_init(s_inc);
- PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_S_inc_absorb(s_inc, sk_prf, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_S_inc_absorb(s_inc, optrand, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_S_inc_finalize(s_inc);
- PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_S_inc_squeeze(R, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, s_inc, hash_state_seeded);
-}
-
-/**
- * Computes the message hash using R, the public key, and the message.
- * Outputs the message digest and the index of the leaf. The index is split in
- * the tree index and the leaf index, for convenient copying to an address.
- */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded) {
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_TREE_BITS (PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_TREE_HEIGHT * (PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_D - 1))
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_TREE_BYTES ((PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_TREE_BITS + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_LEAF_BITS PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_TREE_HEIGHT
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_LEAF_BYTES ((PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_LEAF_BITS + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_DGST_BYTES (PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_MSG_BYTES + PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_TREE_BYTES + PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_LEAF_BYTES)
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_DGST_BYTES];
- unsigned char *bufp = buf;
- uint8_t s_inc[65];
-
- PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_S_inc_init(s_inc);
- PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_S_inc_absorb(s_inc, R, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_S_inc_absorb(s_inc, pk + PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_S_inc_finalize(s_inc);
- PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_S_inc_squeeze(buf, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_DGST_BYTES, s_inc, hash_state_seeded);
-
- memcpy(digest, bufp, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_MSG_BYTES);
- bufp += PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_MSG_BYTES;
-
- *tree = PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_bytes_to_ull(bufp, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_TREE_BYTES);
- *tree &= (~(uint64_t)0) >> (64 - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_TREE_BITS);
- bufp += PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_TREE_BYTES;
-
- *leaf_idx = (uint32_t)PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_bytes_to_ull(
- bufp, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_LEAF_BYTES);
- *leaf_idx &= (~(uint32_t)0) >> (32 - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_LEAF_BITS);
-}
diff --git a/crypto_sign/sphincs-haraka-128s-robust/aesni/hash_harakax4.c b/crypto_sign/sphincs-haraka-128s-robust/aesni/hash_harakax4.c
deleted file mode 100644
index 0573a557..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/aesni/hash_harakax4.c
+++ /dev/null
@@ -1,37 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "haraka.h"
-#include "hash_state.h"
-#include "hashx4.h"
-#include "params.h"
-
-/*
- * 4-way parallel version of prf_addr; takes 4x as much input and output
- */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_prf_addrx4(unsigned char *out0,
- unsigned char *out1,
- unsigned char *out2,
- unsigned char *out3,
- const unsigned char *key,
- const uint32_t addrx4[4 * 8],
- const hash_state *state_seeded) {
- unsigned char bufx4[4 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES];
- /* Since PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N may be smaller than 32, we need a temporary buffer. */
- unsigned char outbuf[4 * 32];
- unsigned int i;
-
- (void)key; /* Suppress an 'unused parameter' warning. */
-
- for (i = 0; i < 4; i++) {
- PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_addr_to_bytes(bufx4 + i * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES, addrx4 + i * 8);
- }
-
- PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka256_skx4(outbuf, bufx4, state_seeded);
-
- memcpy(out0, outbuf, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N);
- memcpy(out1, outbuf + 32, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N);
- memcpy(out2, outbuf + 64, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N);
- memcpy(out3, outbuf + 96, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N);
-}
diff --git a/crypto_sign/sphincs-haraka-128s-robust/aesni/hash_state.h b/crypto_sign/sphincs-haraka-128s-robust/aesni/hash_state.h
deleted file mode 100644
index edb46eac..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/aesni/hash_state.h
+++ /dev/null
@@ -1,26 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_HASH_STATE_H
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_HASH_STATE_H
-
-/**
- * Defines the type of the hash function state.
- *
- * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
- *
- * From Section 7.2.2 from the SPHINCS+ round-2 specification:
- *
- * Each of the instances of the tweakable hash function take PK.seed as its
- * first input, which is constant for a given key pair – and, thus, across
- * a single signature. This leads to a lot of redundant computation. To remedy
- * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
- * Because of the Merkle-Damgård construction that underlies SHA-256, this
- * allows for reuse of the intermediate SHA-256 state after the initial call to
- * the compression function which improves performance.
- *
- * We pass this hash state around in functions, because otherwise we need to
- * have a global variable.
- */
-
-#include "haraka.h"
-#define hash_state harakactx
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-robust/aesni/hashx4.h b/crypto_sign/sphincs-haraka-128s-robust/aesni/hashx4.h
deleted file mode 100644
index 7f6ce54e..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/aesni/hashx4.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_HASHX4_H
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_HASHX4_H
-
-#include
-
-#include "hash_state.h"
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_prf_addrx4(unsigned char *out0,
- unsigned char *out1,
- unsigned char *out2,
- unsigned char *out3,
- const unsigned char *key,
- const uint32_t addrx4[4 * 8],
- const hash_state *state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-robust/aesni/params.h b/crypto_sign/sphincs-haraka-128s-robust/aesni/params.h
deleted file mode 100644
index 9781caed..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/aesni/params.h
+++ /dev/null
@@ -1,53 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_PARAMS_H -#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_PARAMS_H - -/* Hash output length in bytes. */ -#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N 16 -/* Height of the hypertree. */ -#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FULL_HEIGHT 64 -/* Number of subtree layer. */ -#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_D 8 -/* FORS tree dimensions. */ -#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT 15 -#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES 10 -/* Winternitz parameter, */ -#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_W 16 - -/* The hash function is defined by linking a different hash.c file, as opposed - to setting a #define constant. */ - -/* For clarity */ -#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES 32 - -/* WOTS parameters. */ -#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_LOGW 4 - -#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_LEN1 (8 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N / PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_LOGW) - -/* PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */ -#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_LEN2 3 - -#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_LEN (PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_LEN1 + PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_LEN2) -#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_BYTES (PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_LEN * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N) -#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_PK_BYTES PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_BYTES - -/* Subtree size. */ -#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_TREE_HEIGHT (PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FULL_HEIGHT / PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_D) - -/* FORS parameters. 
*/ -#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_MSG_BYTES ((PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_BYTES ((PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT + 1) * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N) -#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_PK_BYTES PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N - -/* Resulting SPX sizes. */ -#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_BYTES (PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N + PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_BYTES + PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_D * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_BYTES +\ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FULL_HEIGHT * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N) -#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_PK_BYTES (2 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N) -#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_SK_BYTES (2 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N + PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_PK_BYTES) - -/* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. */ -#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_OPTRAND_BYTES 32 - -#endif diff --git a/crypto_sign/sphincs-haraka-128s-robust/aesni/sign.c b/crypto_sign/sphincs-haraka-128s-robust/aesni/sign.c deleted file mode 100644 index f1a3af6a..00000000 --- a/crypto_sign/sphincs-haraka-128s-robust/aesni/sign.c +++ /dev/null 
@@ -1,409 +0,0 @@ -#include -#include -#include -#include - -#include "address.h" -#include "api.h" -#include "fors.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "randombytes.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - - -/** - * Computes the leaf at a given address. First generates the WOTS key pair, - * then computes leaf by hashing horizontally. - */ -static void wots_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx, const uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - unsigned char pk[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_BYTES]; - uint32_t wots_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_WOTSPK); - - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_keypair_addr( - wots_addr, addr_idx); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_wots_gen_pk( - pk, sk_seed, pub_seed, wots_addr, hash_state_seeded); - - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_copy_keypair_addr( - wots_pk_addr, wots_addr); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thash_WOTS_LEN( - leaf, pk, pub_seed, wots_pk_addr, hash_state_seeded); -} - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_crypto_sign_secretkeybytes(void) { - return PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_CRYPTO_SECRETKEYBYTES; -} - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_crypto_sign_publickeybytes(void) { - return PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_CRYPTO_PUBLICKEYBYTES; -} - -/* - * Returns the length of a signature, in bytes - */ -size_t 
PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_crypto_sign_bytes(void) { - return PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_CRYPTO_BYTES; -} - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_crypto_sign_seedbytes(void) { - return PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_CRYPTO_SEEDBYTES; -} - -/* - * Generates an SPX key pair given a seed of length - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_crypto_sign_seed_keypair( - uint8_t *pk, uint8_t *sk, const uint8_t *seed) { - /* We do not need the auth path in key generation, but it simplifies the - code to have just one treehash routine that computes both root and path - in one function. */ - unsigned char auth_path[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N]; - uint32_t top_tree_addr[8] = {0}; - hash_state hash_state_seeded; - - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_layer_addr( - top_tree_addr, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_D - 1); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_type( - top_tree_addr, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_HASHTREE); - - /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */ - memcpy(sk, seed, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_CRYPTO_SEEDBYTES); - - memcpy(pk, sk + 2 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_initialize_hash_function(&hash_state_seeded, pk, sk); - - /* Compute root node of the top-most subtree. 
*/ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_treehash_TREE_HEIGHT( - sk + 3 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, auth_path, sk, sk + 2 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, 0, 0, - wots_gen_leaf, top_tree_addr, &hash_state_seeded); - - memcpy(pk + PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, sk + 3 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N); - - return 0; -} - -/* - * Generates an SPX key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk) { - - // guarantee alignment of pk - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_CRYPTO_PUBLICKEYBYTES / 16]; - uint8_t pk[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - - // guarantee alignment of sk - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_CRYPTO_SECRETKEYBYTES / 16]; - uint8_t sk[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_CRYPTO_SECRETKEYBYTES]; - } aligned_sk; - - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_CRYPTO_SEEDBYTES / 16]; - uint8_t seed[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_CRYPTO_SEEDBYTES]; - } aligned_seed; - randombytes(aligned_seed.seed, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_CRYPTO_SEEDBYTES); - - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_crypto_sign_seed_keypair( - aligned_pk.pk, aligned_sk.sk, aligned_seed.seed); - memcpy(pk, aligned_pk.pk, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_CRYPTO_PUBLICKEYBYTES); - memcpy(sk, aligned_sk.sk, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_CRYPTO_SECRETKEYBYTES); - - return 0; -} - -/** - * Returns an array containing a detached signature. 
- */ -int PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - // guarantee alignment of sk - union { - __m128 *_x; - uint8_t sk[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_CRYPTO_SECRETKEYBYTES]; - } aligned_sk; - memcpy(aligned_sk.sk, sk, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_CRYPTO_SECRETKEYBYTES); - sk = aligned_sk.sk; - - // guarantee alignment of sig - union { - __m128 *_x; - uint8_t sig[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_BYTES]; - } aligned_sig; - uint8_t *orig_sig = sig; - sig = (uint8_t *)aligned_sig.sig; - - const unsigned char *sk_seed = sk; - const unsigned char *sk_prf = sk + PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N; - const unsigned char *pk = sk + 2 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N; - const unsigned char *pub_seed = pk; - - unsigned char optrand[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N]; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_MSG_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N]; - uint32_t i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - - hash_state hash_state_seeded; - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_initialize_hash_function( - &hash_state_seeded, - pub_seed, sk_seed); - - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_HASHTREE); - - /* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. 
*/ - randombytes(optrand, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N); - /* Compute the digest randomization value. */ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_gen_message_random( - sig, sk_prf, optrand, m, mlen, &hash_state_seeded); - - /* Derive the message digest and leaf index from R, PK and M. */ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N; - - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - /* Sign the message hash using FORS. */ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_fors_sign( - sig, root, mhash, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_BYTES; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_D; i++) { - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - /* Compute a WOTS signature. */ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_wots_sign( - sig, root, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_BYTES; - - /* Compute the authentication path for the used WOTS leaf. */ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_treehash_TREE_HEIGHT( - root, sig, sk_seed, pub_seed, idx_leaf, 0, - wots_gen_leaf, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N; - - /* Update the indices for the next layer. 
*/ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_TREE_HEIGHT; - } - - memcpy(orig_sig, aligned_sig.sig, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_BYTES); - *siglen = PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_BYTES; - - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - // guarantee alignment of pk - union { - __m128 *_x; - uint8_t pk[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - memcpy(aligned_pk.pk, pk, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_CRYPTO_PUBLICKEYBYTES); - pk = aligned_pk.pk; - - const unsigned char *pub_seed = pk; - const unsigned char *pub_root = pk + PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_MSG_BYTES]; - unsigned char wots_pk[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N]; - unsigned int i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - hash_state hash_state_seeded; - - if (siglen != PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_BYTES) { - return -1; - } - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_initialize_hash_function( - &hash_state_seeded, - pub_seed, NULL); - - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_HASHTREE); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_WOTSPK); - - /* Derive the message digest and leaf index from R || PK || M. */ - /* The additional PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N is a result of the hash domain separator. */ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N; - - /* Layer correctly defaults to 0, so no need to set_layer_addr */ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_fors_pk_from_sig( - root, sig, mhash, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_BYTES; - - /* For each subtree.. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_D; i++) { - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_copy_keypair_addr( - wots_pk_addr, wots_addr); - - /* The WOTS public key is only correct if the signature was correct. */ - /* Initially, root is the FORS pk, but on subsequent iterations it is - the root of the subtree below the currently processed subtree. 
*/ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_wots_pk_from_sig( - wots_pk, sig, root, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_BYTES; - - /* Compute the leaf node using the WOTS public key. */ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thash_WOTS_LEN( - leaf, wots_pk, pub_seed, wots_pk_addr, &hash_state_seeded); - - /* Compute the root node of this subtree. */ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_compute_root( - root, leaf, idx_leaf, 0, sig, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_TREE_HEIGHT, - pub_seed, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_TREE_HEIGHT; - } - - /* Check if the root node equals the root node in the public key. */ - if (memcmp(root, pub_root, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N) != 0) { - return -1; - } - - return 0; -} - - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - size_t siglen; - - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_crypto_sign_signature( - sm, &siglen, m, mlen, sk); - - memmove(sm + PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_BYTES, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. 
- */ -int PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk) { - - // guarantee alignment of pk - union { - __m128 *_x; - uint8_t pk[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - memcpy(aligned_pk.pk, pk, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_CRYPTO_PUBLICKEYBYTES); - pk = aligned_pk.pk; - - - /* The API caller does not necessarily know what size a signature should be - but SPHINCS+ signatures are always exactly PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_BYTES. */ - if (smlen < PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_BYTES) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_BYTES; - - if (PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_crypto_sign_verify( - sm, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_BYTES, sm + PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_BYTES, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_BYTES, *mlen); - - return 0; -} diff --git a/crypto_sign/sphincs-haraka-128s-robust/aesni/thash.h b/crypto_sign/sphincs-haraka-128s-robust/aesni/thash.h deleted file mode 100644 index 38669a30..00000000 --- a/crypto_sign/sphincs-haraka-128s-robust/aesni/thash.h +++ /dev/null 
@@ -1,28 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_THASH_H -#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_THASH_H - -#include "hash_state.h" - -#include - -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-128s-robust/aesni/thash_haraka_robust.c b/crypto_sign/sphincs-haraka-128s-robust/aesni/thash_haraka_robust.c deleted file mode 100644 index f1b380e6..00000000 --- a/crypto_sign/sphincs-haraka-128s-robust/aesni/thash_haraka_robust.c +++ /dev/null 
@@ -1,94 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" - -#include "haraka.h" - -/** - * Takes an array of inblocks concatenated arrays of PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N bytes. - */ -static void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thash( - unsigned char *out, unsigned char *buf, - const unsigned char *in, unsigned int inblocks, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char *bitmask = buf + PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES; - unsigned char outbuf[32]; - unsigned char buf_tmp[64]; - unsigned int i; - - (void)pub_seed; /* Suppress an 'unused parameter' warning. */ - - if (inblocks == 1) { - /* F function */ - /* Since PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N may be smaller than 32, we need a temporary buffer. */ - memset(buf_tmp, 0, 64); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_addr_to_bytes(buf_tmp, addr); - - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka256(outbuf, buf_tmp, hash_state_seeded); - for (i = 0; i < inblocks * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N; i++) { - buf_tmp[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES + i] = in[i] ^ outbuf[i]; - } - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka512(outbuf, buf_tmp, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N); - } else { - /* All other tweakable hashes*/ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_addr_to_bytes(buf, addr); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_S( - bitmask, inblocks * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, buf, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES, hash_state_seeded); - - for (i = 0; i < inblocks * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N; i++) { - buf[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES + i] = in[i] ^ bitmask[i]; - } - - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_S( - out, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, buf, 
PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES + inblocks * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, hash_state_seeded); - } -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES + 1 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N]; - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thash( - out, buf, in, 1, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES + 2 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N]; - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thash( - out, buf, in, 2, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_LEN * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N]; - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thash( - out, buf, in, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_LEN, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N]; - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thash( - out, buf, in, 
PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES, pub_seed, addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-128s-robust/aesni/thash_haraka_robustx4.c b/crypto_sign/sphincs-haraka-128s-robust/aesni/thash_haraka_robustx4.c deleted file mode 100644 index 7f488d8c..00000000 --- a/crypto_sign/sphincs-haraka-128s-robust/aesni/thash_haraka_robustx4.c +++ /dev/null 
@@ -1,92 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "params.h" -#include "thashx4.h" - -/** - * 4-way parallel version of thash; takes 4x as much input and output - */ -#define thashx4_variant(name, inblocks) \ - void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thashx4_##name(unsigned char *out0, unsigned char *out1, unsigned char *out2, \ - unsigned char *out3, const unsigned char *in0, \ - const unsigned char *in1, const unsigned char *in2, \ - const unsigned char *in3, const unsigned char *pub_seed, \ - uint32_t addrx4[4 * 8], const harakactx *state) { \ - unsigned char buf0[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N]; \ - unsigned char buf1[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N]; \ - unsigned char buf2[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N]; \ - unsigned char buf3[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N]; \ - unsigned char bitmask0[(inblocks)*PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N]; \ - unsigned char bitmask1[(inblocks)*PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N]; \ - unsigned char bitmask2[(inblocks)*PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N]; \ - unsigned char bitmask3[(inblocks)*PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N]; \ - unsigned char outbuf[32 * 4]; \ - unsigned char buf_tmp[64 * 4]; \ - unsigned int i; \ - \ - (void)pub_seed; /* Suppress an 'unused parameter' warning. 
*/ \ - \ - if ((inblocks) == 1) { \ - memset(buf_tmp, 0, 64 * 4); \ - \ - /* Generate masks first in buffer */ \ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_addr_to_bytes(buf_tmp, addrx4 + 0 * 8); \ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_addr_to_bytes(buf_tmp + 32, addrx4 + 1 * 8); \ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_addr_to_bytes(buf_tmp + 64, addrx4 + 2 * 8); \ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_addr_to_bytes(buf_tmp + 96, addrx4 + 3 * 8); \ - \ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka256x4(outbuf, buf_tmp, state); \ - \ - /* move addresses to make room for inputs; zero old values */ \ - memcpy(buf_tmp + 192, buf_tmp + 96, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES); \ - memcpy(buf_tmp + 128, buf_tmp + 64, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES); \ - memcpy(buf_tmp + 64, buf_tmp + 32, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES); \ - /* skip memcpy(buf_tmp, buf_tmp, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES); already in place */ \ - \ - /* skip memset(buf_tmp, 0, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES); remained untouched */ \ - memset(buf_tmp + 32, 0, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES); \ - /* skip memset(buf_tmp + 64, 0, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES); contains addr1 */ \ - memset(buf_tmp + 96, 0, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES); \ - \ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N; i++) { \ - buf_tmp[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES + i] = in0[i] ^ outbuf[i]; \ - buf_tmp[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES + i + 64] = in1[i] ^ outbuf[i + 32]; \ - buf_tmp[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES + i + 128] = in2[i] ^ outbuf[i + 64]; \ - buf_tmp[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES + i + 192] = in3[i] ^ outbuf[i + 96]; \ - } \ - \ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka512x4(outbuf, buf_tmp, state); \ - \ - memcpy(out0, outbuf, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N); \ - memcpy(out1, outbuf + 
32, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N); \ - memcpy(out2, outbuf + 64, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N); \ - memcpy(out3, outbuf + 96, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N); \ - } else { \ - /* All other tweakable hashes*/ \ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_addr_to_bytes(buf0, addrx4 + 0 * 8); \ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_addr_to_bytes(buf1, addrx4 + 1 * 8); \ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_addr_to_bytes(buf2, addrx4 + 2 * 8); \ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_addr_to_bytes(buf3, addrx4 + 3 * 8); \ - \ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_Sx4(bitmask0, bitmask1, bitmask2, bitmask3, (inblocks)*PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, buf0, buf1, \ - buf2, buf3, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES, state); \ - \ - for (i = 0; i < (inblocks)*PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N; i++) { \ - buf0[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES + i] = in0[i] ^ bitmask0[i]; \ - buf1[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES + i] = in1[i] ^ bitmask1[i]; \ - buf2[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES + i] = in2[i] ^ bitmask2[i]; \ - buf3[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES + i] = in3[i] ^ bitmask3[i]; \ - } \ - \ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_haraka_Sx4(out0, out1, out2, out3, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, buf0, buf1, buf2, buf3, \ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, state); \ - } \ - } - -thashx4_variant(1, 1) -thashx4_variant(2, 2) -thashx4_variant(WOTS_LEN, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_LEN) -thashx4_variant(FORS_TREES, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_TREES) diff --git a/crypto_sign/sphincs-haraka-128s-robust/aesni/thashx4.h b/crypto_sign/sphincs-haraka-128s-robust/aesni/thashx4.h deleted file mode 100644 index 016967e4..00000000 --- a/crypto_sign/sphincs-haraka-128s-robust/aesni/thashx4.h +++ /dev/null 
@@ -1,25 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_THASHX4_H -#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_THASHX4_H - -#include - -#include "hash_state.h" - -#define thashx4_header(inblocks) \ - void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thashx4_##inblocks(unsigned char *out0, \ - unsigned char *out1, \ - unsigned char *out2, \ - unsigned char *out3, \ - const unsigned char *in0, \ - const unsigned char *in1, \ - const unsigned char *in2, \ - const unsigned char *in3, \ - const unsigned char *pub_seed, uint32_t addrx4[4*8], \ - const hash_state *state_seeded) - -thashx4_header(1); -thashx4_header(2); -thashx4_header(WOTS_LEN); -thashx4_header(FORS_TREES); - -#endif diff --git a/crypto_sign/sphincs-haraka-128s-robust/aesni/utils.c b/crypto_sign/sphincs-haraka-128s-robust/aesni/utils.c deleted file mode 100644 index 8e502ee1..00000000 --- a/crypto_sign/sphincs-haraka-128s-robust/aesni/utils.c +++ /dev/null 
@@ -1,199 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" -#include "utils.h" - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in) { - - /* Iterate over out in decreasing order, for big-endianness. */ - for (size_t i = outlen; i > 0; i--) { - out[i - 1] = in & 0xff; - in = in >> 8; - } -} - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_bytes_to_ull( - const unsigned char *in, size_t inlen) { - unsigned long long retval = 0; - - for (size_t i = 0; i < inlen; i++) { - retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i)); - } - return retval; -} - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - unsigned char buffer[2 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N]; - - /* If leaf_idx is odd (last bit = 1), current path element is a right child - and auth_path has to go left. Otherwise it is the other way around. 
*/ - if (leaf_idx & 1) { - memcpy(buffer + PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, leaf, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N); - } else { - memcpy(buffer, leaf, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, auth_path, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N; - - for (i = 0; i < tree_height - 1; i++) { - leaf_idx >>= 1; - idx_offset >>= 1; - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_height(addr, i + 1); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_index( - addr, leaf_idx + idx_offset); - - /* Pick the right or left neighbor, depending on parity of the node. */ - if (leaf_idx & 1) { - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thash_2( - buffer + PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N); - } else { - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thash_2( - buffer, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, auth_path, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N; - } - - /* The last iteration is exceptional; we do not copy an auth_path node. */ - leaf_idx >>= 1; - idx_offset >>= 1; - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_height(addr, tree_height); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_index( - addr, leaf_idx + idx_offset); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thash_2( - root, buffer, pub_seed, addr, hash_state_seeded); -} - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. 
PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -static void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_treehash( - unsigned char *root, unsigned char *auth_path, - unsigned char *stack, unsigned int *heights, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - - unsigned int offset = 0; - uint32_t idx; - uint32_t tree_idx; - - for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) { - /* Add the next leaf node to the stack. */ - gen_leaf(stack + offset * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, - sk_seed, pub_seed, idx + idx_offset, tree_addr, - hash_state_seeded); - offset++; - heights[offset - 1] = 0; - - /* If this is a node we need for the auth path.. */ - if ((leaf_idx ^ 0x1) == idx) { - memcpy(auth_path, stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N); - } - - /* While the top-most nodes are of equal height.. */ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { - /* Compute index of the new node, in the next layer. */ - tree_idx = (idx >> (heights[offset - 1] + 1)); - - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_height( - tree_addr, heights[offset - 1] + 1); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_index( - tree_addr, tree_idx + (idx_offset >> (heights[offset - 1] + 1))); - /* Hash the top-most nodes from the stack together. 
*/ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thash_2( - stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, - pub_seed, tree_addr, hash_state_seeded); - offset--; - /* Note that the top-most node is now one layer higher. */ - heights[offset - 1]++; - - /* If this is a node we need for the auth path.. */ - if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) { - memcpy(auth_path + heights[offset - 1]*PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, - stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N); - } - } - } - memcpy(root, stack, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N); -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* 
leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded) {
-
- unsigned char stack[(PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_TREE_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N];
- unsigned int heights[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_TREE_HEIGHT + 1];
-
- PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_treehash(
- root, auth_path, stack, heights, sk_seed, pub_seed,
- leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_TREE_HEIGHT, gen_leaf, tree_addr, hash_state_seeded);
-}
diff --git a/crypto_sign/sphincs-haraka-128s-robust/aesni/utils.h b/crypto_sign/sphincs-haraka-128s-robust/aesni/utils.h
deleted file mode 100644
index 0a248633..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/aesni/utils.h
+++ /dev/null
@@ -1,64 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_UTILS_H
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_UTILS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-#include
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ull_to_bytes(
- unsigned char *out, size_t outlen, unsigned long long in);
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-unsigned long long PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_bytes_to_ull(
- const unsigned char *in, size_t inlen);
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_compute_root(
- unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_treehash_FORS_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_treehash_TREE_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-robust/aesni/utilsx4.c b/crypto_sign/sphincs-haraka-128s-robust/aesni/utilsx4.c
deleted file mode 100644
index bd94d9c9..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/aesni/utilsx4.c
+++ /dev/null
@@ -1,98 +0,0 @@ -#include "address.h" -#include "params.h" -#include "thashx4.h" -#include "utils.h" -#include "utilsx4.h" - -#include - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -#define treehashx4_variant(name, tree_height) \ - void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_treehashx4_##name( \ - unsigned char *rootx4, unsigned char *auth_pathx4, const unsigned char *sk_seed, \ - const unsigned char *pub_seed, const uint32_t leaf_idx[4], uint32_t idx_offset[4], \ - void (*gen_leafx4)(unsigned char * /* leaf0 */, unsigned char * /* leaf1 */, \ - unsigned char * /* leaf2 */, unsigned char * /* leaf3 */, \ - const unsigned char * /* sk_seed */, \ - const unsigned char * /* pub_seed */, uint32_t /* addr_idx0 */, \ - uint32_t /* addr_idx1 */, uint32_t /* addr_idx2 */, \ - uint32_t /* addr_idx3 */, const uint32_t[8] /* tree_addr */, \ - const hash_state * /* state_seeded */), \ - uint32_t tree_addrx4[4 * 8], const hash_state *state_seeded) { \ - unsigned char stackx4[4 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N]; \ - unsigned int heights[(tree_height) + 1]; \ - unsigned int offset = 0; \ - uint32_t idx; \ - uint32_t tree_idx; \ - unsigned int j; \ - \ - for (idx = 0; idx < (uint32_t)(1 << (tree_height)); idx++) { \ - /* Add the next leaf node to the stack. 
*/ \ - gen_leafx4(stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, sk_seed, \ - pub_seed, idx + idx_offset[0], idx + idx_offset[1], idx + idx_offset[2], \ - idx + idx_offset[3], tree_addrx4, state_seeded); \ - offset++; \ - heights[offset - 1] = 0; \ - \ - /* If this is a node we need for the auth path.. */ \ - for (j = 0; j < 4; j++) { \ - if ((leaf_idx[j] ^ 0x1) == idx) { \ - memcpy(auth_pathx4 + j * (tree_height)*PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, \ - stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N + (offset - 1) * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, \ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N); \ - } \ - } \ - \ - /* While the top-most nodes are of equal height.. */ \ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { \ - /* Compute index of the new node, in the next layer. */ \ - tree_idx = (idx >> (heights[offset - 1] + 1)); \ - \ - /* Set the address of the node we're creating. */ \ - for (j = 0; j < 4; j++) { \ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_height(tree_addrx4 + j * 8, heights[offset - 1] + 1); \ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_tree_index(tree_addrx4 + j * 8, \ - tree_idx + (idx_offset[j] >> (heights[offset - 1] + 1))); \ - } \ - /* Hash the top-most nodes from the stack together. 
*/ \ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thashx4_2(stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, \ - stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, \ - pub_seed, tree_addrx4, state_seeded); \ - offset--; \ - /* Note that the top-most node is now one layer higher. */ \ - heights[offset - 1]++; \ - \ - /* If this is a node we need for the auth path.. 
*/ \ - for (j = 0; j < 4; j++) { \ - if (((leaf_idx[j] >> heights[offset - 1]) ^ 0x1) == tree_idx) { \ - memcpy(auth_pathx4 + j * (tree_height)*PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N + \ - heights[offset - 1] * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, \ - stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N + (offset - 1) * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, \ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N); \ - } \ - } \ - } \ - } \ - \ - for (j = 0; j < 4; j++) { \ - memcpy(rootx4 + j * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N); \ - } \ - } - -treehashx4_variant(FORS_HEIGHT, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_FORS_HEIGHT) diff --git a/crypto_sign/sphincs-haraka-128s-robust/aesni/utilsx4.h b/crypto_sign/sphincs-haraka-128s-robust/aesni/utilsx4.h deleted file mode 100644 index 158ef5ed..00000000 --- a/crypto_sign/sphincs-haraka-128s-robust/aesni/utilsx4.h +++ /dev/null 
@@ -1,38 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_UTILSX4_H
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_UTILSX4_H
-
-#include "hash_state.h"
-#include "params.h"
-
-#include
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_treehashx4_FORS_HEIGHT(unsigned char *rootx4,
- unsigned char *auth_pathx4,
- const unsigned char *sk_seed,
- const unsigned char *pub_seed,
- const uint32_t leaf_idx[4],
- uint32_t idx_offset[4],
- void (*gen_leafx4)(unsigned char * /* leaf0 */,
- unsigned char * /* leaf1 */,
- unsigned char * /* leaf2 */,
- unsigned char * /* leaf3 */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx0 */,
- uint32_t /* addr_idx1 */,
- uint32_t /* addr_idx2 */,
- uint32_t /* addr_idx3 */,
- const uint32_t[8] /* tree_addr */,
- const hash_state * /* state_seeded */),
- uint32_t tree_addrx4[4 * 8],
- const hash_state *state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-robust/aesni/wots.c b/crypto_sign/sphincs-haraka-128s-robust/aesni/wots.c
deleted file mode 100644
index 674c4d2b..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/aesni/wots.c
+++ /dev/null
@@ -1,240 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "hashx4.h" -#include "params.h" -#include "thash.h" -#include "thashx4.h" -#include "utils.h" -#include "wots.h" - -// TODO clarify address expectations, and make them more uniform. -// TODO i.e. do we expect types to be set already? -// TODO and do we expect modifications or copies? - -/** - * Computes the starting value for a chain, i.e. the secret key. - * Expects the address to be complete up to the chain address. - */ -static void wots_gen_sk(unsigned char *sk, const unsigned char *sk_seed, - uint32_t wots_addr[8], const hash_state *state_seeded) { - /* Make sure that the hash address is actually zeroed. */ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_hash_addr(wots_addr, 0); - - /* Generate sk element. */ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_prf_addr(sk, sk_seed, wots_addr, state_seeded); -} - -/** - * 4-way parallel version of wots_gen_sk; expects 4x as much space in sk - */ -static void wots_gen_skx4(unsigned char *skx4, const unsigned char *sk_seed, - uint32_t wots_addrx4[4 * 8], const hash_state *state_seeded) { - unsigned int j; - - /* Make sure that the hash address is actually zeroed. */ - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_hash_addr(wots_addrx4 + j * 8, 0); - } - - /* Generate sk element. */ - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_prf_addrx4(skx4 + 0 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, - skx4 + 1 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, - skx4 + 2 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, - skx4 + 3 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, - sk_seed, wots_addrx4, - state_seeded); -} - -/** - * Computes the chaining function. - * out and in have to be n-byte arrays. - * - * Interprets in as start-th value of the chain. - * addr has to contain the address of the chain. 
- */ -static void gen_chain(unsigned char *out, const unsigned char *in, - unsigned int start, unsigned int steps, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - uint32_t i; - - /* Initialize out with the value at position 'start'. */ - memcpy(out, in, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N); - - /* Iterate 'steps' calls to the hash function. */ - for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_W; i++) { - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_hash_addr(addr, i); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thash_1(out, out, pub_seed, addr, state_seeded); - } -} - -/** - * 4-way parallel version of gen_chain; expects 4x as much space in out, and - * 4x as much space in inx4. Assumes start and step identical across chains. - */ -static void gen_chainx4(unsigned char *outx4, const unsigned char *inx4, - unsigned int start, unsigned int steps, - const unsigned char *pub_seed, uint32_t addrx4[4 * 8], - const hash_state *state_seeded) { - uint32_t i; - unsigned int j; - - /* Initialize outx4 with the value at position 'start'. */ - memcpy(outx4, inx4, 4 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N); - - /* Iterate 'steps' calls to the hash function. 
*/ - for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_W; i++) { - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_hash_addr(addrx4 + j * 8, i); - } - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_thashx4_1(outx4 + 0 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, - outx4 + 1 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, - outx4 + 2 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, - outx4 + 3 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, - outx4 + 0 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, - outx4 + 1 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, - outx4 + 2 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, - outx4 + 3 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, - pub_seed, addrx4, - state_seeded); - } -} - -/** - * base_w algorithm as described in draft. - * Interprets an array of bytes as integers in base w. - * This only works when log_w is a divisor of 8. - */ -static void base_w(unsigned int *output, const int out_len, const unsigned char *input) { - int in = 0; - int out = 0; - unsigned char total = 0; - int bits = 0; - int consumed; - - for (consumed = 0; consumed < out_len; consumed++) { - if (bits == 0) { - total = input[in]; - in++; - bits += 8; - } - bits -= PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_LOGW; - output[out] = (unsigned int)(total >> bits) & (PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_W - 1); - out++; - } -} - -/* Computes the WOTS+ checksum over a message (in base_w). */ -static void wots_checksum(unsigned int *csum_base_w, const unsigned int *msg_base_w) { - unsigned int csum = 0; - unsigned char csum_bytes[(PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_LOGW + 7) / 8]; - unsigned int i; - - /* Compute checksum. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_LEN1; i++) { - csum += PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_W - 1 - msg_base_w[i]; - } - - /* Convert checksum to base_w. 
*/ - /* Make sure expected empty zero bits are the least significant bits. */ - csum = csum << (8 - ((PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_LOGW) % 8)); - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_ull_to_bytes(csum_bytes, sizeof(csum_bytes), csum); - base_w(csum_base_w, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_LEN2, csum_bytes); -} - -/* Takes a message and derives the matching chain lengths. */ -static void chain_lengths(unsigned int *lengths, const unsigned char *msg) { - base_w(lengths, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_LEN1, msg); - wots_checksum(lengths + PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_LEN1, lengths); -} - -/** - * WOTS key generation. Takes a 32 byte sk_seed, expands it to WOTS private key - * elements and computes the corresponding public key. - * It requires the seed pub_seed (used to generate bitmasks and hash keys) - * and the address of this WOTS key pair. - * - * Writes the computed public key to 'pk'. - */ -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_wots_gen_pk(unsigned char *pk, const unsigned char *sk_seed, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - uint32_t i; - unsigned int j; - - uint32_t addrx4[4 * 8]; - unsigned char pkbuf[4 * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N]; - - for (j = 0; j < 4; j++) { - memcpy(addrx4 + j * 8, addr, sizeof(uint32_t) * 8); - } - - /* The last iteration typically does not have complete set of 4 chains, - but because we use pkbuf, this is not an issue -- we still do as many - in parallel as possible. 
*/ - for (i = 0; i < ((PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_LEN + 3) & ~0x3); i += 4) { - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_chain_addr(addrx4 + j * 8, i + j); - } - wots_gen_skx4(pkbuf, sk_seed, addrx4, state_seeded); - gen_chainx4(pkbuf, pkbuf, 0, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_W - 1, pub_seed, addrx4, state_seeded); - for (j = 0; j < 4; j++) { - if (i + j < PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_LEN) { - memcpy(pk + (i + j)*PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, pkbuf + j * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N); - } - } - } - - // Get rid of unused argument variable. - (void)state_seeded; -} - -/** - * Takes a n-byte message and the 32-byte sk_see to compute a signature 'sig'. - */ -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_wots_sign(unsigned char *sig, const unsigned char *msg, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t addr[8], const hash_state *state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_chain_addr(addr, i); - wots_gen_sk(sig + i * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, sk_seed, addr, state_seeded); - gen_chain(sig + i * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, sig + i * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, 0, lengths[i], pub_seed, addr, state_seeded); - } - - // avoid unused argument - (void)state_seeded; -} - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. 
- */ -void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_wots_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_set_chain_addr(addr, i); - gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, sig + i * PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_N, - lengths[i], PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_W - 1 - lengths[i], pub_seed, addr, - state_seeded); - } - - // avoid unused argument - (void)state_seeded; -} diff --git a/crypto_sign/sphincs-haraka-128s-robust/aesni/wots.h b/crypto_sign/sphincs-haraka-128s-robust/aesni/wots.h deleted file mode 100644 index 168bf076..00000000 --- a/crypto_sign/sphincs-haraka-128s-robust/aesni/wots.h +++ /dev/null 
@@ -1,41 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_H
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_WOTS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-
-/**
- * WOTS key generation. Takes a 32 byte seed for the private key, expands it to
- * a full WOTS private key and computes the corresponding public key.
- * It requires the seed pub_seed (used to generate bitmasks and hash keys)
- * and the address of this WOTS key pair.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_wots_gen_pk(
- unsigned char *pk, const unsigned char *sk_seed,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * Takes a n-byte message and the 32-byte seed for the private key to compute a
- * signature that is placed at 'sig'.
- */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_wots_sign(
- unsigned char *sig, const unsigned char *msg,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_AESNI_wots_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-robust/clean/LICENSE b/crypto_sign/sphincs-haraka-128s-robust/clean/LICENSE
deleted file mode 100644
index 670154e3..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/clean/LICENSE
+++ /dev/null
@@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. 
publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. 
Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. 
Affirmer offers the Work as-is and makes no representations or warranties - of any kind concerning the Work, express, implied, statutory or otherwise, - including without limitation warranties of title, merchantability, fitness - for a particular purpose, non infringement, or the absence of latent or - other defects, accuracy, or the present or absence of errors, whether or not - discoverable, all to the greatest extent permissible under applicable law. - - c. Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without limitation - any person's Copyright and Related Rights in the Work. Further, Affirmer - disclaims responsibility for obtaining any necessary consents, permissions - or other rights required for any use of the Work. - - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to this - CC0 or use of the Work. - -For more information, please see - diff --git a/crypto_sign/sphincs-haraka-128s-robust/clean/Makefile.Microsoft_nmake b/crypto_sign/sphincs-haraka-128s-robust/clean/Makefile.Microsoft_nmake deleted file mode 100644 index 3529b28e..00000000 --- a/crypto_sign/sphincs-haraka-128s-robust/clean/Makefile.Microsoft_nmake +++ /dev/null @@ -1,19 +0,0 @@ -# This Makefile can be used with Microsoft Visual Studio's nmake using the command: -# nmake /f Makefile.Microsoft_nmake - -LIBRARY=libsphincs-haraka-128s-robust_clean.lib -OBJECTS=address.obj wots.obj utils.obj fors.obj sign.obj hash_haraka.obj thash_haraka_robust.obj haraka.obj - -CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX - -all: $(LIBRARY) - -# Make sure objects are recompiled if headers change. -$(OBJECTS): *.h - -$(LIBRARY): $(OBJECTS) - LIB.EXE /NOLOGO /WX /OUT:$@ $** - -clean: - -DEL $(OBJECTS) - -DEL $(LIBRARY) 
diff --git a/crypto_sign/sphincs-haraka-128s-robust/clean/address.c b/crypto_sign/sphincs-haraka-128s-robust/clean/address.c
deleted file mode 100644
index 495d9451..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/clean/address.c
+++ /dev/null
@@ -1,78 +0,0 @@ -#include - -#include "address.h" -#include "params.h" -#include "utils.h" - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_addr_to_bytes( - unsigned char *bytes, const uint32_t addr[8]) { - int i; - - for (i = 0; i < 8; i++) { - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ull_to_bytes( - bytes + i * 4, 4, addr[i]); - } -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_layer_addr( - uint32_t addr[8], uint32_t layer) { - addr[0] = layer; -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_tree_addr( - uint32_t addr[8], uint64_t tree) { - addr[1] = 0; - addr[2] = (uint32_t) (tree >> 32); - addr[3] = (uint32_t) tree; -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_type( - uint32_t addr[8], uint32_t type) { - addr[4] = type; -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_copy_subtree_addr( - uint32_t out[8], const uint32_t in[8]) { - out[0] = in[0]; - out[1] = in[1]; - out[2] = in[2]; - out[3] = in[3]; -} - -/* These functions are used for OTS addresses. */ - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_keypair_addr( - uint32_t addr[8], uint32_t keypair) { - addr[5] = keypair; -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_copy_keypair_addr( - uint32_t out[8], const uint32_t in[8]) { - out[0] = in[0]; - out[1] = in[1]; - out[2] = in[2]; - out[3] = in[3]; - out[5] = in[5]; -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_chain_addr( - uint32_t addr[8], uint32_t chain) { - addr[6] = chain; -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_hash_addr( - uint32_t addr[8], uint32_t hash) { - addr[7] = hash; -} - -/* These functions are used for all hash tree addresses (including FORS). */ - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_tree_height( - uint32_t addr[8], uint32_t tree_height) { - addr[6] = tree_height; -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_tree_index( - uint32_t addr[8], uint32_t tree_index) { - addr[7] = tree_index; -} 
diff --git a/crypto_sign/sphincs-haraka-128s-robust/clean/address.h b/crypto_sign/sphincs-haraka-128s-robust/clean/address.h
deleted file mode 100644
index b58addbb..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/clean/address.h
+++ /dev/null
@@ -1,50 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDRESS_H -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDRESS_H - -#include - -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_TYPE_WOTS 0 -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_TYPE_WOTSPK 1 -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_TYPE_HASHTREE 2 -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_TYPE_FORSTREE 3 -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_TYPE_FORSPK 4 - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_addr_to_bytes( - unsigned char *bytes, const uint32_t addr[8]); - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_layer_addr( - uint32_t addr[8], uint32_t layer); - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_tree_addr( - uint32_t addr[8], uint64_t tree); - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_type( - uint32_t addr[8], uint32_t type); - -/* Copies the layer and tree part of one address into the other */ -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_copy_subtree_addr( - uint32_t out[8], const uint32_t in[8]); - -/* These functions are used for WOTS and FORS addresses. */ - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_keypair_addr( - uint32_t addr[8], uint32_t keypair); - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_chain_addr( - uint32_t addr[8], uint32_t chain); - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_hash_addr( - uint32_t addr[8], uint32_t hash); - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_copy_keypair_addr( - uint32_t out[8], const uint32_t in[8]); - -/* These functions are used for all hash tree addresses (including FORS). */ - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_tree_height( - uint32_t addr[8], uint32_t tree_height); - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_tree_index( - uint32_t addr[8], uint32_t tree_index); - -#endif diff --git a/crypto_sign/sphincs-haraka-128s-robust/clean/api.h b/crypto_sign/sphincs-haraka-128s-robust/clean/api.h deleted file mode 100644 index c7e26331..00000000 
--- a/crypto_sign/sphincs-haraka-128s-robust/clean/api.h
+++ /dev/null
@@ -1,81 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_API_H -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_API_H - -#include -#include - - - -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_CRYPTO_ALGNAME "SPHINCS+" - -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_CRYPTO_SECRETKEYBYTES 64 -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_CRYPTO_PUBLICKEYBYTES 32 -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_CRYPTO_BYTES 8080 -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_CRYPTO_SEEDBYTES 48 - - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_crypto_sign_secretkeybytes(void); - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_crypto_sign_publickeybytes(void); - -/* - * Returns the length of a signature, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_crypto_sign_bytes(void); - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_crypto_sign_seedbytes(void); - -/* - * Generates a SPHINCS+ key pair given a seed. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -int PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_crypto_sign_seed_keypair( - uint8_t *pk, uint8_t *sk, const uint8_t *seed); - -/* - * Generates a SPHINCS+ key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -int PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk); - -/** - * Returns an array containing a detached signature. - */ -int PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -/** - * Verifies a detached signature and message under a given public key. 
- */ -int PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk); - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -/** - * Verifies a given signature-message pair under a given public key. - */ -int PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk); - -#endif diff --git a/crypto_sign/sphincs-haraka-128s-robust/clean/fors.c b/crypto_sign/sphincs-haraka-128s-robust/clean/fors.c deleted file mode 100644 index 8f2bd150..00000000 --- a/crypto_sign/sphincs-haraka-128s-robust/clean/fors.c +++ /dev/null 
@@ -1,161 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "fors.h" -#include "hash.h" -#include "hash_state.h" -#include "thash.h" -#include "utils.h" - -static void fors_gen_sk(unsigned char *sk, const unsigned char *sk_seed, - uint32_t fors_leaf_addr[8], const hash_state *hash_state_seeded) { - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_prf_addr( - sk, sk_seed, fors_leaf_addr, hash_state_seeded); -} - -static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk, - const unsigned char *pub_seed, - uint32_t fors_leaf_addr[8], - const hash_state *hash_state_seeded) { - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_thash_1( - leaf, sk, pub_seed, fors_leaf_addr, hash_state_seeded); -} - -static void fors_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx, const uint32_t fors_tree_addr[8], - const hash_state *hash_state_seeded) { - uint32_t fors_leaf_addr[8] = {0}; - - /* Only copy the parts that must be kept in fors_leaf_addr. */ - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_copy_keypair_addr( - fors_leaf_addr, fors_tree_addr); - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_type( - fors_leaf_addr, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_TYPE_FORSTREE); - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_tree_index( - fors_leaf_addr, addr_idx); - - fors_gen_sk(leaf, sk_seed, fors_leaf_addr, hash_state_seeded); - fors_sk_to_leaf(leaf, leaf, pub_seed, fors_leaf_addr, hash_state_seeded); -} - -/** - * Interprets m as PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_HEIGHT-bit unsigned integers. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_TREES bits. - * Assumes indices has space for PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_TREES integers. 
- */ -static void message_to_indices(uint32_t *indices, const unsigned char *m) { - unsigned int i, j; - unsigned int offset = 0; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_TREES; i++) { - indices[i] = 0; - for (j = 0; j < PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_HEIGHT; j++) { - indices[i] ^= (((uint32_t)m[offset >> 3] >> (offset & 0x7)) & 0x1) << j; - offset++; - } - } -} - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_TREES bits. - */ -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_fors_sign( - unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const unsigned char *sk_seed, const unsigned char *pub_seed, - const uint32_t fors_addr[8], const hash_state *hash_state_seeded) { - uint32_t indices[PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_TREES]; - unsigned char roots[PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N]; - uint32_t fors_tree_addr[8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_copy_keypair_addr( - fors_tree_addr, fors_addr); - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_copy_keypair_addr( - fors_pk_addr, fors_addr); - - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_type( - fors_tree_addr, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_TYPE_FORSTREE); - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_type( - fors_pk_addr, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_TREES; i++) { - idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_HEIGHT); - - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_tree_height( - fors_tree_addr, 0); - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_tree_index( - fors_tree_addr, indices[i] + idx_offset); - - /* Include 
the secret key part that produces the selected leaf node. */ - fors_gen_sk(sig, sk_seed, fors_tree_addr, hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N; - - /* Compute the authentication path for this leaf node. */ - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_treehash_FORS_HEIGHT( - roots + i * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N, sig, sk_seed, pub_seed, - indices[i], idx_offset, fors_gen_leaf, fors_tree_addr, - hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_thash_FORS_TREES( - pk, roots, pub_seed, fors_pk_addr, hash_state_seeded); -} - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_TREES bits. 
- */ -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_fors_pk_from_sig( - unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const unsigned char *pub_seed, const uint32_t fors_addr[8], - const hash_state *hash_state_seeded) { - uint32_t indices[PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_TREES]; - unsigned char roots[PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N]; - uint32_t fors_tree_addr[8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_copy_keypair_addr(fors_tree_addr, fors_addr); - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_copy_keypair_addr(fors_pk_addr, fors_addr); - - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_type(fors_tree_addr, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_TYPE_FORSTREE); - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_TREES; i++) { - idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_HEIGHT); - - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_tree_height(fors_tree_addr, 0); - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_tree_index(fors_tree_addr, indices[i] + idx_offset); - - /* Derive the leaf from the included secret key part. */ - fors_sk_to_leaf(leaf, sig, pub_seed, fors_tree_addr, hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N; - - /* Derive the corresponding root node of this tree. 
*/ - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_compute_root(roots + i * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N, leaf, indices[i], idx_offset, sig, - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_HEIGHT, pub_seed, fors_tree_addr, hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-128s-robust/clean/fors.h b/crypto_sign/sphincs-haraka-128s-robust/clean/fors.h deleted file mode 100644 index 58c25b13..00000000 --- a/crypto_sign/sphincs-haraka-128s-robust/clean/fors.h +++ /dev/null 
@@ -1,32 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_H -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_H - -#include - -#include "hash_state.h" -#include "params.h" - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_TREES bits. - */ -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_fors_sign( - unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const unsigned char *sk_seed, const unsigned char *pub_seed, - const uint32_t fors_addr[8], const hash_state *hash_state_seeded); - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_TREES bits. - */ -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_fors_pk_from_sig( - unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const unsigned char *pub_seed, const uint32_t fors_addr[8], - const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-128s-robust/clean/haraka.c b/crypto_sign/sphincs-haraka-128s-robust/clean/haraka.c deleted file mode 100644 index 26a27946..00000000 --- a/crypto_sign/sphincs-haraka-128s-robust/clean/haraka.c +++ /dev/null 
@@ -1,963 +0,0 @@ -/* - * Constant time implementation of the Haraka hash function. - * - * The bit-sliced implementation of the AES round functions are - * based on the AES implementation in BearSSL written - * by Thomas Pornin - */ - -#include -#include -#include -#include - -#include "haraka.h" - -#define HARAKAS_RATE 32 - -static const uint64_t haraka512_rc64[10][8] = { - {0x24cf0ab9086f628b, 0xbdd6eeecc83b8382, 0xd96fb0306cdad0a7, 0xaace082ac8f95f89, 0x449d8e8870d7041f, 0x49bb2f80b2b3e2f8, 0x0569ae98d93bb258, 0x23dc9691e7d6a4b1}, - {0xd8ba10ede0fe5b6e, 0x7ecf7dbe424c7b8e, 0x6ea9949c6df62a31, 0xbf3f3c97ec9c313e, 0x241d03a196a1861e, 0xead3a51116e5a2ea, 0x77d479fcad9574e3, 0x18657a1af894b7a0}, - {0x10671e1a7f595522, 0xd9a00ff675d28c7b, 0x2f1edf0d2b9ba661, 0xb8ff58b8e3de45f9, 0xee29261da9865c02, 0xd1532aa4b50bdf43, 0x8bf858159b231bb1, 0xdf17439d22d4f599}, - {0xdd4b2f0870b918c0, 0x757a81f3b39b1bb6, 0x7a5c556898952e3f, 0x7dd70a16d915d87a, 0x3ae61971982b8301, 0xc3ab319e030412be, 0x17c0033ac094a8cb, 0x5a0630fc1a8dc4ef}, - {0x17708988c1632f73, 0xf92ddae090b44f4f, 0x11ac0285c43aa314, 0x509059941936b8ba, 0xd03e152fa2ce9b69, 0x3fbcbcb63a32998b, 0x6204696d692254f7, 0x915542ed93ec59b4}, - {0xf4ed94aa8879236e, 0xff6cb41cd38e03c0, 0x069b38602368aeab, 0x669495b820f0ddba, 0xf42013b1b8bf9e3d, 0xcf935efe6439734d, 0xbc1dcf42ca29e3f8, 0x7e6d3ed29f78ad67}, - {0xf3b0f6837ffcddaa, 0x3a76faef934ddf41, 0xcec7ae583a9c8e35, 0xe4dd18c68f0260af, 0x2c0e5df1ad398eaa, 0x478df5236ae22e8c, 0xfb944c46fe865f39, 0xaa48f82f028132ba}, - {0x231b9ae2b76aca77, 0x292a76a712db0b40, 0x5850625dc8134491, 0x73137dd469810fb5, 0x8a12a6a202a474fd, 0xd36fd9daa78bdb80, 0xb34c5e733505706f, 0xbaf1cdca818d9d96}, - {0x2e99781335e8c641, 0xbddfe5cce47d560e, 0xf74e9bf32e5e040c, 0x1d7a709d65996be9, 0x670df36a9cf66cdd, 0xd05ef84a176a2875, 0x0f888e828cb1c44e, 0x1a79e9c9727b052c}, - {0x83497348628d84de, 0x2e9387d51f22a754, 0xb000068da2f852d6, 0x378c9e1190fd6fe5, 0x870027c316de7293, 0xe51a9d4462e047bb, 0x90ecf7f8c6251195, 
0x655953bfbed90a9c}, -}; - -static inline uint32_t br_dec32le(const unsigned char *src) { - return (uint32_t)src[0] - | ((uint32_t)src[1] << 8) - | ((uint32_t)src[2] << 16) - | ((uint32_t)src[3] << 24); -} - -static void br_range_dec32le(uint32_t *v, size_t num, const unsigned char *src) { - while (num-- > 0) { - *v ++ = br_dec32le(src); - src += 4; - } -} - -static inline void br_enc32le(unsigned char *dst, uint32_t x) { - dst[0] = (unsigned char)x; - dst[1] = (unsigned char)(x >> 8); - dst[2] = (unsigned char)(x >> 16); - dst[3] = (unsigned char)(x >> 24); -} - - -static void br_range_enc32le(unsigned char *dst, const uint32_t *v, size_t num) { - while (num-- > 0) { - br_enc32le(dst, *v ++); - dst += 4; - } -} - -static void br_aes_ct64_bitslice_Sbox(uint64_t *q) { - /* - * This S-box implementation is a straightforward translation of - * the circuit described by Boyar and Peralta in "A new - * combinational logic minimization technique with applications - * to cryptology" (https://eprint.iacr.org/2009/191.pdf). - * - * Note that variables x* (input) and s* (output) are numbered - * in "reverse" order (x0 is the high bit, x7 is the low bit). 
- */ - - uint64_t x0, x1, x2, x3, x4, x5, x6, x7; - uint64_t y1, y2, y3, y4, y5, y6, y7, y8, y9; - uint64_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19; - uint64_t y20, y21; - uint64_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9; - uint64_t z10, z11, z12, z13, z14, z15, z16, z17; - uint64_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9; - uint64_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19; - uint64_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29; - uint64_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39; - uint64_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49; - uint64_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59; - uint64_t t60, t61, t62, t63, t64, t65, t66, t67; - uint64_t s0, s1, s2, s3, s4, s5, s6, s7; - - x0 = q[7]; - x1 = q[6]; - x2 = q[5]; - x3 = q[4]; - x4 = q[3]; - x5 = q[2]; - x6 = q[1]; - x7 = q[0]; - - /* - * Top linear transformation. - */ - y14 = x3 ^ x5; - y13 = x0 ^ x6; - y9 = x0 ^ x3; - y8 = x0 ^ x5; - t0 = x1 ^ x2; - y1 = t0 ^ x7; - y4 = y1 ^ x3; - y12 = y13 ^ y14; - y2 = y1 ^ x0; - y5 = y1 ^ x6; - y3 = y5 ^ y8; - t1 = x4 ^ y12; - y15 = t1 ^ x5; - y20 = t1 ^ x1; - y6 = y15 ^ x7; - y10 = y15 ^ t0; - y11 = y20 ^ y9; - y7 = x7 ^ y11; - y17 = y10 ^ y11; - y19 = y10 ^ y8; - y16 = t0 ^ y11; - y21 = y13 ^ y16; - y18 = x0 ^ y16; - - /* - * Non-linear section. 
- */ - t2 = y12 & y15; - t3 = y3 & y6; - t4 = t3 ^ t2; - t5 = y4 & x7; - t6 = t5 ^ t2; - t7 = y13 & y16; - t8 = y5 & y1; - t9 = t8 ^ t7; - t10 = y2 & y7; - t11 = t10 ^ t7; - t12 = y9 & y11; - t13 = y14 & y17; - t14 = t13 ^ t12; - t15 = y8 & y10; - t16 = t15 ^ t12; - t17 = t4 ^ t14; - t18 = t6 ^ t16; - t19 = t9 ^ t14; - t20 = t11 ^ t16; - t21 = t17 ^ y20; - t22 = t18 ^ y19; - t23 = t19 ^ y21; - t24 = t20 ^ y18; - - t25 = t21 ^ t22; - t26 = t21 & t23; - t27 = t24 ^ t26; - t28 = t25 & t27; - t29 = t28 ^ t22; - t30 = t23 ^ t24; - t31 = t22 ^ t26; - t32 = t31 & t30; - t33 = t32 ^ t24; - t34 = t23 ^ t33; - t35 = t27 ^ t33; - t36 = t24 & t35; - t37 = t36 ^ t34; - t38 = t27 ^ t36; - t39 = t29 & t38; - t40 = t25 ^ t39; - - t41 = t40 ^ t37; - t42 = t29 ^ t33; - t43 = t29 ^ t40; - t44 = t33 ^ t37; - t45 = t42 ^ t41; - z0 = t44 & y15; - z1 = t37 & y6; - z2 = t33 & x7; - z3 = t43 & y16; - z4 = t40 & y1; - z5 = t29 & y7; - z6 = t42 & y11; - z7 = t45 & y17; - z8 = t41 & y10; - z9 = t44 & y12; - z10 = t37 & y3; - z11 = t33 & y4; - z12 = t43 & y13; - z13 = t40 & y5; - z14 = t29 & y2; - z15 = t42 & y9; - z16 = t45 & y14; - z17 = t41 & y8; - - /* - * Bottom linear transformation. 
- */ - t46 = z15 ^ z16; - t47 = z10 ^ z11; - t48 = z5 ^ z13; - t49 = z9 ^ z10; - t50 = z2 ^ z12; - t51 = z2 ^ z5; - t52 = z7 ^ z8; - t53 = z0 ^ z3; - t54 = z6 ^ z7; - t55 = z16 ^ z17; - t56 = z12 ^ t48; - t57 = t50 ^ t53; - t58 = z4 ^ t46; - t59 = z3 ^ t54; - t60 = t46 ^ t57; - t61 = z14 ^ t57; - t62 = t52 ^ t58; - t63 = t49 ^ t58; - t64 = z4 ^ t59; - t65 = t61 ^ t62; - t66 = z1 ^ t63; - s0 = t59 ^ t63; - s6 = t56 ^ ~t62; - s7 = t48 ^ ~t60; - t67 = t64 ^ t65; - s3 = t53 ^ t66; - s4 = t51 ^ t66; - s5 = t47 ^ t65; - s1 = t64 ^ ~s3; - s2 = t55 ^ ~t67; - - q[7] = s0; - q[6] = s1; - q[5] = s2; - q[4] = s3; - q[3] = s4; - q[2] = s5; - q[1] = s6; - q[0] = s7; -} - -static void br_aes_ct_bitslice_Sbox(uint32_t *q) { - /* - * This S-box implementation is a straightforward translation of - * the circuit described by Boyar and Peralta in "A new - * combinational logic minimization technique with applications - * to cryptology" (https://eprint.iacr.org/2009/191.pdf). - * - * Note that variables x* (input) and s* (output) are numbered - * in "reverse" order (x0 is the high bit, x7 is the low bit). - */ - - uint32_t x0, x1, x2, x3, x4, x5, x6, x7; - uint32_t y1, y2, y3, y4, y5, y6, y7, y8, y9; - uint32_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19; - uint32_t y20, y21; - uint32_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9; - uint32_t z10, z11, z12, z13, z14, z15, z16, z17; - uint32_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9; - uint32_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19; - uint32_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29; - uint32_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39; - uint32_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49; - uint32_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59; - uint32_t t60, t61, t62, t63, t64, t65, t66, t67; - uint32_t s0, s1, s2, s3, s4, s5, s6, s7; - - x0 = q[7]; - x1 = q[6]; - x2 = q[5]; - x3 = q[4]; - x4 = q[3]; - x5 = q[2]; - x6 = q[1]; - x7 = q[0]; - - /* - * Top linear transformation. 
- */ - y14 = x3 ^ x5; - y13 = x0 ^ x6; - y9 = x0 ^ x3; - y8 = x0 ^ x5; - t0 = x1 ^ x2; - y1 = t0 ^ x7; - y4 = y1 ^ x3; - y12 = y13 ^ y14; - y2 = y1 ^ x0; - y5 = y1 ^ x6; - y3 = y5 ^ y8; - t1 = x4 ^ y12; - y15 = t1 ^ x5; - y20 = t1 ^ x1; - y6 = y15 ^ x7; - y10 = y15 ^ t0; - y11 = y20 ^ y9; - y7 = x7 ^ y11; - y17 = y10 ^ y11; - y19 = y10 ^ y8; - y16 = t0 ^ y11; - y21 = y13 ^ y16; - y18 = x0 ^ y16; - - /* - * Non-linear section. - */ - t2 = y12 & y15; - t3 = y3 & y6; - t4 = t3 ^ t2; - t5 = y4 & x7; - t6 = t5 ^ t2; - t7 = y13 & y16; - t8 = y5 & y1; - t9 = t8 ^ t7; - t10 = y2 & y7; - t11 = t10 ^ t7; - t12 = y9 & y11; - t13 = y14 & y17; - t14 = t13 ^ t12; - t15 = y8 & y10; - t16 = t15 ^ t12; - t17 = t4 ^ t14; - t18 = t6 ^ t16; - t19 = t9 ^ t14; - t20 = t11 ^ t16; - t21 = t17 ^ y20; - t22 = t18 ^ y19; - t23 = t19 ^ y21; - t24 = t20 ^ y18; - - t25 = t21 ^ t22; - t26 = t21 & t23; - t27 = t24 ^ t26; - t28 = t25 & t27; - t29 = t28 ^ t22; - t30 = t23 ^ t24; - t31 = t22 ^ t26; - t32 = t31 & t30; - t33 = t32 ^ t24; - t34 = t23 ^ t33; - t35 = t27 ^ t33; - t36 = t24 & t35; - t37 = t36 ^ t34; - t38 = t27 ^ t36; - t39 = t29 & t38; - t40 = t25 ^ t39; - - t41 = t40 ^ t37; - t42 = t29 ^ t33; - t43 = t29 ^ t40; - t44 = t33 ^ t37; - t45 = t42 ^ t41; - z0 = t44 & y15; - z1 = t37 & y6; - z2 = t33 & x7; - z3 = t43 & y16; - z4 = t40 & y1; - z5 = t29 & y7; - z6 = t42 & y11; - z7 = t45 & y17; - z8 = t41 & y10; - z9 = t44 & y12; - z10 = t37 & y3; - z11 = t33 & y4; - z12 = t43 & y13; - z13 = t40 & y5; - z14 = t29 & y2; - z15 = t42 & y9; - z16 = t45 & y14; - z17 = t41 & y8; - - /* - * Bottom linear transformation. 
- */ - t46 = z15 ^ z16; - t47 = z10 ^ z11; - t48 = z5 ^ z13; - t49 = z9 ^ z10; - t50 = z2 ^ z12; - t51 = z2 ^ z5; - t52 = z7 ^ z8; - t53 = z0 ^ z3; - t54 = z6 ^ z7; - t55 = z16 ^ z17; - t56 = z12 ^ t48; - t57 = t50 ^ t53; - t58 = z4 ^ t46; - t59 = z3 ^ t54; - t60 = t46 ^ t57; - t61 = z14 ^ t57; - t62 = t52 ^ t58; - t63 = t49 ^ t58; - t64 = z4 ^ t59; - t65 = t61 ^ t62; - t66 = z1 ^ t63; - s0 = t59 ^ t63; - s6 = t56 ^ ~t62; - s7 = t48 ^ ~t60; - t67 = t64 ^ t65; - s3 = t53 ^ t66; - s4 = t51 ^ t66; - s5 = t47 ^ t65; - s1 = t64 ^ ~s3; - s2 = t55 ^ ~t67; - - q[7] = s0; - q[6] = s1; - q[5] = s2; - q[4] = s3; - q[3] = s4; - q[2] = s5; - q[1] = s6; - q[0] = s7; -} - -static void br_aes_ct_ortho(uint32_t *q) { -#define SWAPN_32(cl, ch, s, x, y) do { \ - uint32_t a, b; \ - a = (x); \ - b = (y); \ - (x) = (a & (uint32_t)(cl)) | ((b & (uint32_t)(cl)) << (s)); \ - (y) = ((a & (uint32_t)(ch)) >> (s)) | (b & (uint32_t)(ch)); \ - } while (0) - -#define SWAP2_32(x, y) SWAPN_32(0x55555555, 0xAAAAAAAA, 1, x, y) -#define SWAP4_32(x, y) SWAPN_32(0x33333333, 0xCCCCCCCC, 2, x, y) -#define SWAP8_32(x, y) SWAPN_32(0x0F0F0F0F, 0xF0F0F0F0, 4, x, y) - - SWAP2_32(q[0], q[1]); - SWAP2_32(q[2], q[3]); - SWAP2_32(q[4], q[5]); - SWAP2_32(q[6], q[7]); - - SWAP4_32(q[0], q[2]); - SWAP4_32(q[1], q[3]); - SWAP4_32(q[4], q[6]); - SWAP4_32(q[5], q[7]); - - SWAP8_32(q[0], q[4]); - SWAP8_32(q[1], q[5]); - SWAP8_32(q[2], q[6]); - SWAP8_32(q[3], q[7]); -} - -static inline void add_round_key32(uint32_t *q, const uint32_t *sk) { - q[0] ^= sk[0]; - q[1] ^= sk[1]; - q[2] ^= sk[2]; - q[3] ^= sk[3]; - q[4] ^= sk[4]; - q[5] ^= sk[5]; - q[6] ^= sk[6]; - q[7] ^= sk[7]; -} - -static inline void shift_rows32(uint32_t *q) { - int i; - - for (i = 0; i < 8; i++) { - uint32_t x; - - x = q[i]; - q[i] = (x & 0x000000FF) - | ((x & 0x0000FC00) >> 2) | ((x & 0x00000300) << 6) - | ((x & 0x00F00000) >> 4) | ((x & 0x000F0000) << 4) - | ((x & 0xC0000000) >> 6) | ((x & 0x3F000000) << 2); - } -} - -static inline uint32_t 
rotr16(uint32_t x) { - return (x << 16) | (x >> 16); -} - -static inline void mix_columns32(uint32_t *q) { - uint32_t q0, q1, q2, q3, q4, q5, q6, q7; - uint32_t r0, r1, r2, r3, r4, r5, r6, r7; - - q0 = q[0]; - q1 = q[1]; - q2 = q[2]; - q3 = q[3]; - q4 = q[4]; - q5 = q[5]; - q6 = q[6]; - q7 = q[7]; - r0 = (q0 >> 8) | (q0 << 24); - r1 = (q1 >> 8) | (q1 << 24); - r2 = (q2 >> 8) | (q2 << 24); - r3 = (q3 >> 8) | (q3 << 24); - r4 = (q4 >> 8) | (q4 << 24); - r5 = (q5 >> 8) | (q5 << 24); - r6 = (q6 >> 8) | (q6 << 24); - r7 = (q7 >> 8) | (q7 << 24); - - q[0] = q7 ^ r7 ^ r0 ^ rotr16(q0 ^ r0); - q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr16(q1 ^ r1); - q[2] = q1 ^ r1 ^ r2 ^ rotr16(q2 ^ r2); - q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr16(q3 ^ r3); - q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr16(q4 ^ r4); - q[5] = q4 ^ r4 ^ r5 ^ rotr16(q5 ^ r5); - q[6] = q5 ^ r5 ^ r6 ^ rotr16(q6 ^ r6); - q[7] = q6 ^ r6 ^ r7 ^ rotr16(q7 ^ r7); -} - -static void br_aes_ct64_ortho(uint64_t *q) { -#define SWAPN(cl, ch, s, x, y) do { \ - uint64_t a, b; \ - a = (x); \ - b = (y); \ - (x) = (a & (uint64_t)(cl)) | ((b & (uint64_t)(cl)) << (s)); \ - (y) = ((a & (uint64_t)(ch)) >> (s)) | (b & (uint64_t)(ch)); \ - } while (0) - -#define SWAP2(x, y) SWAPN(0x5555555555555555, 0xAAAAAAAAAAAAAAAA, 1, x, y) -#define SWAP4(x, y) SWAPN(0x3333333333333333, 0xCCCCCCCCCCCCCCCC, 2, x, y) -#define SWAP8(x, y) SWAPN(0x0F0F0F0F0F0F0F0F, 0xF0F0F0F0F0F0F0F0, 4, x, y) - - SWAP2(q[0], q[1]); - SWAP2(q[2], q[3]); - SWAP2(q[4], q[5]); - SWAP2(q[6], q[7]); - - SWAP4(q[0], q[2]); - SWAP4(q[1], q[3]); - SWAP4(q[4], q[6]); - SWAP4(q[5], q[7]); - - SWAP8(q[0], q[4]); - SWAP8(q[1], q[5]); - SWAP8(q[2], q[6]); - SWAP8(q[3], q[7]); -} - - -static void br_aes_ct64_interleave_in(uint64_t *q0, uint64_t *q1, const uint32_t *w) { - uint64_t x0, x1, x2, x3; - - x0 = w[0]; - x1 = w[1]; - x2 = w[2]; - x3 = w[3]; - x0 |= (x0 << 16); - x1 |= (x1 << 16); - x2 |= (x2 << 16); - x3 |= (x3 << 16); - x0 &= (uint64_t)0x0000FFFF0000FFFF; - x1 &= 
(uint64_t)0x0000FFFF0000FFFF; - x2 &= (uint64_t)0x0000FFFF0000FFFF; - x3 &= (uint64_t)0x0000FFFF0000FFFF; - x0 |= (x0 << 8); - x1 |= (x1 << 8); - x2 |= (x2 << 8); - x3 |= (x3 << 8); - x0 &= (uint64_t)0x00FF00FF00FF00FF; - x1 &= (uint64_t)0x00FF00FF00FF00FF; - x2 &= (uint64_t)0x00FF00FF00FF00FF; - x3 &= (uint64_t)0x00FF00FF00FF00FF; - *q0 = x0 | (x2 << 8); - *q1 = x1 | (x3 << 8); -} - - -static void br_aes_ct64_interleave_out(uint32_t *w, uint64_t q0, uint64_t q1) { - uint64_t x0, x1, x2, x3; - - x0 = q0 & (uint64_t)0x00FF00FF00FF00FF; - x1 = q1 & (uint64_t)0x00FF00FF00FF00FF; - x2 = (q0 >> 8) & (uint64_t)0x00FF00FF00FF00FF; - x3 = (q1 >> 8) & (uint64_t)0x00FF00FF00FF00FF; - x0 |= (x0 >> 8); - x1 |= (x1 >> 8); - x2 |= (x2 >> 8); - x3 |= (x3 >> 8); - x0 &= (uint64_t)0x0000FFFF0000FFFF; - x1 &= (uint64_t)0x0000FFFF0000FFFF; - x2 &= (uint64_t)0x0000FFFF0000FFFF; - x3 &= (uint64_t)0x0000FFFF0000FFFF; - w[0] = (uint32_t)x0 | (uint32_t)(x0 >> 16); - w[1] = (uint32_t)x1 | (uint32_t)(x1 >> 16); - w[2] = (uint32_t)x2 | (uint32_t)(x2 >> 16); - w[3] = (uint32_t)x3 | (uint32_t)(x3 >> 16); -} - -static inline void add_round_key(uint64_t *q, const uint64_t *sk) { - q[0] ^= sk[0]; - q[1] ^= sk[1]; - q[2] ^= sk[2]; - q[3] ^= sk[3]; - q[4] ^= sk[4]; - q[5] ^= sk[5]; - q[6] ^= sk[6]; - q[7] ^= sk[7]; -} - -static inline void shift_rows(uint64_t *q) { - int i; - - for (i = 0; i < 8; i++) { - uint64_t x; - - x = q[i]; - q[i] = (x & (uint64_t)0x000000000000FFFF) - | ((x & (uint64_t)0x00000000FFF00000) >> 4) - | ((x & (uint64_t)0x00000000000F0000) << 12) - | ((x & (uint64_t)0x0000FF0000000000) >> 8) - | ((x & (uint64_t)0x000000FF00000000) << 8) - | ((x & (uint64_t)0xF000000000000000) >> 12) - | ((x & (uint64_t)0x0FFF000000000000) << 4); - } -} - -static inline uint64_t rotr32(uint64_t x) { - return (x << 32) | (x >> 32); -} - -static inline void mix_columns(uint64_t *q) { - uint64_t q0, q1, q2, q3, q4, q5, q6, q7; - uint64_t r0, r1, r2, r3, r4, r5, r6, r7; - - q0 = q[0]; - q1 = q[1]; - 
q2 = q[2]; - q3 = q[3]; - q4 = q[4]; - q5 = q[5]; - q6 = q[6]; - q7 = q[7]; - r0 = (q0 >> 16) | (q0 << 48); - r1 = (q1 >> 16) | (q1 << 48); - r2 = (q2 >> 16) | (q2 << 48); - r3 = (q3 >> 16) | (q3 << 48); - r4 = (q4 >> 16) | (q4 << 48); - r5 = (q5 >> 16) | (q5 << 48); - r6 = (q6 >> 16) | (q6 << 48); - r7 = (q7 >> 16) | (q7 << 48); - - q[0] = q7 ^ r7 ^ r0 ^ rotr32(q0 ^ r0); - q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr32(q1 ^ r1); - q[2] = q1 ^ r1 ^ r2 ^ rotr32(q2 ^ r2); - q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr32(q3 ^ r3); - q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr32(q4 ^ r4); - q[5] = q4 ^ r4 ^ r5 ^ rotr32(q5 ^ r5); - q[6] = q5 ^ r5 ^ r6 ^ rotr32(q6 ^ r6); - q[7] = q6 ^ r6 ^ r7 ^ rotr32(q7 ^ r7); -} - -static void interleave_constant(uint64_t *out, const unsigned char *in) { - uint32_t tmp_32_constant[16]; - int i; - - br_range_dec32le(tmp_32_constant, 16, in); - for (i = 0; i < 4; i++) { - br_aes_ct64_interleave_in(&out[i], &out[i + 4], tmp_32_constant + (i << 2)); - } - br_aes_ct64_ortho(out); -} - -static void interleave_constant32(uint32_t *out, const unsigned char *in) { - int i; - for (i = 0; i < 4; i++) { - out[2 * i] = br_dec32le(in + 4 * i); - out[2 * i + 1] = br_dec32le(in + 4 * i + 16); - } - br_aes_ct_ortho(out); -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_tweak_constants( - harakactx *state, - const unsigned char *pk_seed, const unsigned char *sk_seed, - unsigned long long seed_length) { - unsigned char buf[40 * 16]; - int i; - - /* Use the standard constants to generate tweaked ones. 
*/ - memcpy((uint8_t *)state->tweaked512_rc64, (uint8_t *)haraka512_rc64, 40 * 16); - - /* Constants for sk.seed */ - if (sk_seed != NULL) { - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S( - buf, 40 * 16, sk_seed, seed_length, state); - - /* Interleave constants */ - for (i = 0; i < 10; i++) { - interleave_constant32(state->tweaked256_rc32_sseed[i], buf + 32 * i); - } - } - - /* Constants for pk.seed */ - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S( - buf, 40 * 16, pk_seed, seed_length, state); - for (i = 0; i < 10; i++) { - interleave_constant32(state->tweaked256_rc32[i], buf + 32 * i); - interleave_constant(state->tweaked512_rc64[i], buf + 64 * i); - } -} - -static void haraka_S_absorb(unsigned char *s, - const unsigned char *m, unsigned long long mlen, - unsigned char p, const harakactx *state) { - unsigned long long i; - unsigned char t[HARAKAS_RATE]; - - while (mlen >= HARAKAS_RATE) { - /* XOR block to state */ - for (i = 0; i < HARAKAS_RATE; ++i) { - s[i] ^= m[i]; - } - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka512_perm(s, s, state); - mlen -= HARAKAS_RATE; - m += HARAKAS_RATE; - } - - for (i = 0; i < HARAKAS_RATE; ++i) { - t[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t[i] = m[i]; - } - t[i] = p; - t[HARAKAS_RATE - 1] |= 128; - for (i = 0; i < HARAKAS_RATE; ++i) { - s[i] ^= t[i]; - } -} - -static void haraka_S_squeezeblocks(unsigned char *h, unsigned long long nblocks, - unsigned char *s, const harakactx *state) { - while (nblocks > 0) { - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka512_perm(s, s, state); - memcpy(h, s, HARAKAS_RATE); - h += HARAKAS_RATE; - nblocks--; - } -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S_inc_init(uint8_t *s_inc) { - size_t i; - - for (i = 0; i < 64; i++) { - s_inc[i] = 0; - } - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state) { - size_t i; - - /* Recall that s_inc[64] is the non-absorbed bytes xored into 
the state */ - while (mlen + s_inc[64] >= HARAKAS_RATE) { - for (i = 0; i < (size_t)(HARAKAS_RATE - s_inc[64]); i++) { - /* Take the i'th byte from message - xor with the s_inc[64] + i'th byte of the state */ - s_inc[s_inc[64] + i] ^= m[i]; - } - mlen -= (size_t)(HARAKAS_RATE - s_inc[64]); - m += HARAKAS_RATE - s_inc[64]; - s_inc[64] = 0; - - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka512_perm(s_inc, s_inc, state); - } - - for (i = 0; i < mlen; i++) { - s_inc[s_inc[64] + i] ^= m[i]; - } - s_inc[64] = (uint8_t)(mlen + s_inc[64]); -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S_inc_finalize(uint8_t *s_inc) { - /* After haraka_S_inc_absorb, we are guaranteed that s_inc[64] < HARAKAS_RATE, - so we can always use one more byte for p in the current state. */ - s_inc[s_inc[64]] ^= 0x1F; - s_inc[HARAKAS_RATE - 1] ^= 128; - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state) { - uint8_t i; - - /* First consume any bytes we still have sitting around */ - for (i = 0; i < outlen && i < s_inc[64]; i++) { - /* There are s_inc[64] bytes left, so r - s_inc[64] is the first - available byte. We consume from there, i.e., up to r. 
*/ - out[i] = s_inc[(HARAKAS_RATE - s_inc[64] + i)]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(s_inc[64] - i); - - /* Then squeeze the remaining necessary blocks */ - while (outlen > 0) { - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka512_perm(s_inc, s_inc, state); - - for (i = 0; i < outlen && i < HARAKAS_RATE; i++) { - out[i] = s_inc[i]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(HARAKAS_RATE - i); - } -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S(unsigned char *out, unsigned long long outlen, const unsigned char *in, unsigned long long inlen, const harakactx *state) { - unsigned long long i; - unsigned char s[64]; - unsigned char d[32]; - - for (i = 0; i < 64; i++) { - s[i] = 0; - } - haraka_S_absorb(s, in, inlen, 0x1F, state); - - haraka_S_squeezeblocks(out, outlen / 32, s, state); - out += (outlen / 32) * 32; - - if (outlen % 32) { - haraka_S_squeezeblocks(d, 1, s, state); - for (i = 0; i < outlen % 32; i++) { - out[i] = d[i]; - } - } -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state) { - uint32_t w[16]; - uint64_t q[8], tmp_q; - unsigned int i, j; - - br_range_dec32le(w, 16, in); - for (i = 0; i < 4; i++) { - br_aes_ct64_interleave_in(&q[i], &q[i + 4], w + (i << 2)); - } - br_aes_ct64_ortho(q); - - /* AES rounds */ - for (i = 0; i < 5; i++) { - for (j = 0; j < 2; j++) { - br_aes_ct64_bitslice_Sbox(q); - shift_rows(q); - mix_columns(q); - add_round_key(q, state->tweaked512_rc64[2 * i + j]); - } - /* Mix states */ - for (j = 0; j < 8; j++) { - tmp_q = q[j]; - q[j] = (tmp_q & 0x0001000100010001) << 5 | - (tmp_q & 0x0002000200020002) << 12 | - (tmp_q & 0x0004000400040004) >> 1 | - (tmp_q & 0x0008000800080008) << 6 | - (tmp_q & 0x0020002000200020) << 9 | - (tmp_q & 0x0040004000400040) >> 4 | - (tmp_q & 0x0080008000800080) << 3 | - (tmp_q & 0x2100210021002100) >> 5 | - (tmp_q & 0x0210021002100210) << 2 | - (tmp_q & 0x0800080008000800) << 4 | - 
(tmp_q & 0x1000100010001000) >> 12 | - (tmp_q & 0x4000400040004000) >> 10 | - (tmp_q & 0x8400840084008400) >> 3; - } - } - - br_aes_ct64_ortho(q); - for (i = 0; i < 4; i ++) { - br_aes_ct64_interleave_out(w + (i << 2), q[i], q[i + 4]); - } - br_range_enc32le(out, w, 16); -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state) { - int i; - - unsigned char buf[64]; - - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka512_perm(buf, in, state); - /* Feed-forward */ - for (i = 0; i < 64; i++) { - buf[i] = buf[i] ^ in[i]; - } - - /* Truncated */ - memcpy(out, buf + 8, 8); - memcpy(out + 8, buf + 24, 8); - memcpy(out + 16, buf + 32, 8); - memcpy(out + 24, buf + 48, 8); -} - - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state) { - uint32_t q[8], tmp_q; - int i, j; - - for (i = 0; i < 4; i++) { - q[2 * i] = br_dec32le(in + 4 * i); - q[2 * i + 1] = br_dec32le(in + 4 * i + 16); - } - br_aes_ct_ortho(q); - - /* AES rounds */ - for (i = 0; i < 5; i++) { - for (j = 0; j < 2; j++) { - br_aes_ct_bitslice_Sbox(q); - shift_rows32(q); - mix_columns32(q); - add_round_key32(q, state->tweaked256_rc32[2 * i + j]); - } - - /* Mix states */ - for (j = 0; j < 8; j++) { - tmp_q = q[j]; - q[j] = (tmp_q & 0x81818181) | - (tmp_q & 0x02020202) << 1 | - (tmp_q & 0x04040404) << 2 | - (tmp_q & 0x08080808) << 3 | - (tmp_q & 0x10101010) >> 3 | - (tmp_q & 0x20202020) >> 2 | - (tmp_q & 0x40404040) >> 1; - } - } - - br_aes_ct_ortho(q); - for (i = 0; i < 4; i++) { - br_enc32le(out + 4 * i, q[2 * i]); - br_enc32le(out + 4 * i + 16, q[2 * i + 1]); - } - - for (i = 0; i < 32; i++) { - out[i] ^= in[i]; - } -} - -void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state) { - uint32_t q[8], tmp_q; - int i, j; - - for (i = 0; i < 4; i++) { - q[2 * i] = br_dec32le(in + 4 * i); - q[2 * i + 1] = br_dec32le(in + 4 
* i + 16); - } - br_aes_ct_ortho(q); - - /* AES rounds */ - for (i = 0; i < 5; i++) { - for (j = 0; j < 2; j++) { - br_aes_ct_bitslice_Sbox(q); - shift_rows32(q); - mix_columns32(q); - add_round_key32(q, state->tweaked256_rc32_sseed[2 * i + j]); - } - - /* Mix states */ - for (j = 0; j < 8; j++) { - tmp_q = q[j]; - q[j] = (tmp_q & 0x81818181) | - (tmp_q & 0x02020202) << 1 | - (tmp_q & 0x04040404) << 2 | - (tmp_q & 0x08080808) << 3 | - (tmp_q & 0x10101010) >> 3 | - (tmp_q & 0x20202020) >> 2 | - (tmp_q & 0x40404040) >> 1; - } - } - - br_aes_ct_ortho(q); - for (i = 0; i < 4; i++) { - br_enc32le(out + 4 * i, q[2 * i]); - br_enc32le(out + 4 * i + 16, q[2 * i + 1]); - } - - for (i = 0; i < 32; i++) { - out[i] ^= in[i]; - } -} diff --git a/crypto_sign/sphincs-haraka-128s-robust/clean/haraka.h b/crypto_sign/sphincs-haraka-128s-robust/clean/haraka.h deleted file mode 100644 index 0c9b45ea..00000000 --- a/crypto_sign/sphincs-haraka-128s-robust/clean/haraka.h +++ /dev/null 
@@ -1,40 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_HARAKA_H
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_HARAKA_H
-
-#include
-#include
-
-typedef struct {
- uint64_t tweaked512_rc64[10][8];
- uint32_t tweaked256_rc32[10][8];
- uint32_t tweaked256_rc32_sseed[10][8];
-} harakactx;
-
-/* Tweak constants with seed */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length);
-
-/* Haraka Sponge */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S_inc_init(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S_inc_finalize(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S(
- unsigned char *out, unsigned long long outlen,
- const unsigned char *in, unsigned long long inlen, const harakactx *state);
-
-/* Applies the 512-bit Haraka permutation to in. */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-512 */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 using sk.seed constants */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-robust/clean/hash.h b/crypto_sign/sphincs-haraka-128s-robust/clean/hash.h
deleted file mode 100644
index c7d076f9..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/clean/hash.h
+++ /dev/null
@@ -1,31 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_HASH_H
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_HASH_H
-
-#include "hash_state.h"
-
-#include
-#include
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed);
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_destroy_hash_function(hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-robust/clean/hash_haraka.c b/crypto_sign/sphincs-haraka-128s-robust/clean/hash_haraka.c
deleted file mode 100644
index b3c7ba56..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/clean/hash_haraka.c
+++ /dev/null
@@ -1,96 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "haraka.h"
-#include "hash.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed) {
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_tweak_constants(hash_state_seeded, pub_seed, sk_seed, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N);
-}
-
-/* The haraka implementation is stack based and won't be replaced in PQClean/OQS,
- so we don't need to do anything */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_destroy_hash_function(
- hash_state *hash_state_seeded) { // NOLINT(readability-non-const-parameter)
- (void)hash_state_seeded;
-}
-
-/*
- * Computes PRF(key, addr), given a secret key of PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N bytes and an address
- */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- unsigned char buf[PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_BYTES];
- /* Since PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N may be smaller than 32, we need a temporary buffer. */
- unsigned char outbuf[32];
-
- (void)key; /* Suppress an 'unused parameter' warning. */
-
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_addr_to_bytes(buf, addr);
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka256_sk(outbuf, buf, hash_state_seeded);
- memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N);
-}
-
-/**
- * Computes the message-dependent randomness R, using a secret seed and an
- * optional randomization value as well as the message.
- */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded) {
- uint8_t s_inc[65];
-
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S_inc_init(s_inc);
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, sk_prf, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, optrand, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S_inc_finalize(s_inc);
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S_inc_squeeze(R, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N, s_inc, hash_state_seeded);
-}
-
-/**
- * Computes the message hash using R, the public key, and the message.
- * Outputs the message digest and the index of the leaf. The index is split in
- * the tree index and the leaf index, for convenient copying to an address.
- */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded) {
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_TREE_BITS (PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_TREE_HEIGHT * (PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_D - 1))
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_TREE_BYTES ((PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_TREE_BITS + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_LEAF_BITS PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_TREE_HEIGHT
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_LEAF_BYTES ((PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_LEAF_BITS + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_DGST_BYTES (PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_MSG_BYTES + PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_TREE_BYTES + PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_LEAF_BYTES)
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_DGST_BYTES];
- unsigned char *bufp = buf;
- uint8_t s_inc[65];
-
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S_inc_init(s_inc);
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, R, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, pk + PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S_inc_finalize(s_inc);
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S_inc_squeeze(buf, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_DGST_BYTES, s_inc, hash_state_seeded);
-
- memcpy(digest, bufp, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_MSG_BYTES);
- bufp += PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_MSG_BYTES;
-
- *tree = PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_bytes_to_ull(bufp, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_TREE_BYTES);
- *tree &= (~(uint64_t)0) >> (64 - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_TREE_BITS);
- bufp += PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_TREE_BYTES;
-
- *leaf_idx = (uint32_t)PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_bytes_to_ull(
- bufp, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_LEAF_BYTES);
- *leaf_idx &= (~(uint32_t)0) >> (32 - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_LEAF_BITS);
-}
diff --git a/crypto_sign/sphincs-haraka-128s-robust/clean/hash_state.h b/crypto_sign/sphincs-haraka-128s-robust/clean/hash_state.h
deleted file mode 100644
index 5adb1d9a..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/clean/hash_state.h
+++ /dev/null
@@ -1,26 +0,0 @@
-#ifndef SPX_HASH_STATE_H
-#define SPX_HASH_STATE_H
-
-/**
- * Defines the type of the hash function state.
- *
- * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
- *
- * From Section 7.2.2 from the SPHINCS+ round-2 specification:
- *
- * Each of the instances of the tweakable hash function take PK.seed as its
- * first input, which is constant for a given key pair – and, thus, across
- * a single signature. This leads to a lot of redundant computation. To remedy
- * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
- * Because of the Merkle-Damgård construction that underlies SHA-256, this
- * allows for reuse of the intermediate SHA-256 state after the initial call to
- * the compression function which improves performance.
- *
- * We pass this hash state around in functions, because otherwise we need to
- * have a global variable.
- */
-
-#include "haraka.h"
-#define hash_state harakactx
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-robust/clean/params.h b/crypto_sign/sphincs-haraka-128s-robust/clean/params.h
deleted file mode 100644
index bef5e86c..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/clean/params.h
+++ /dev/null
@@ -1,53 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_PARAMS_H -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_PARAMS_H - -/* Hash output length in bytes. */ -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N 16 -/* Height of the hypertree. */ -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FULL_HEIGHT 64 -/* Number of subtree layer. */ -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_D 8 -/* FORS tree dimensions. */ -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_HEIGHT 15 -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_TREES 10 -/* Winternitz parameter, */ -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_W 16 - -/* The hash function is defined by linking a different hash.c file, as opposed - to setting a #define constant. */ - -/* For clarity */ -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_BYTES 32 - -/* WOTS parameters. */ -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_LOGW 4 - -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_LEN1 (8 * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N / PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_LOGW) - -/* PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */ -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_LEN2 3 - -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_LEN (PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_LEN1 + PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_LEN2) -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_BYTES (PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_LEN * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N) -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_PK_BYTES PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_BYTES - -/* Subtree size. */ -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_TREE_HEIGHT (PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FULL_HEIGHT / PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_D) - -/* FORS parameters. 
*/ -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_MSG_BYTES ((PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_TREES + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_BYTES ((PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_HEIGHT + 1) * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N) -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_PK_BYTES PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N - -/* Resulting SPX sizes. */ -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_BYTES (PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N + PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_BYTES + PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_D * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_BYTES +\ - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FULL_HEIGHT * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N) -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_PK_BYTES (2 * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N) -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_SK_BYTES (2 * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N + PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_PK_BYTES) - -/* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. */ -#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_OPTRAND_BYTES 32 - -#endif diff --git a/crypto_sign/sphincs-haraka-128s-robust/clean/sign.c b/crypto_sign/sphincs-haraka-128s-robust/clean/sign.c deleted file mode 100644 index 1db675a2..00000000 --- a/crypto_sign/sphincs-haraka-128s-robust/clean/sign.c +++ /dev/null 
@@ -1,356 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "api.h" -#include "fors.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "randombytes.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - -/** - * Computes the leaf at a given address. First generates the WOTS key pair, - * then computes leaf by hashing horizontally. - */ -static void wots_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx, const uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - unsigned char pk[PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_BYTES]; - uint32_t wots_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_TYPE_WOTSPK); - - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_keypair_addr( - wots_addr, addr_idx); - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_wots_gen_pk( - pk, sk_seed, pub_seed, wots_addr, hash_state_seeded); - - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_copy_keypair_addr( - wots_pk_addr, wots_addr); - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_thash_WOTS_LEN( - leaf, pk, pub_seed, wots_pk_addr, hash_state_seeded); -} - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_crypto_sign_secretkeybytes(void) { - return PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_CRYPTO_SECRETKEYBYTES; -} - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_crypto_sign_publickeybytes(void) { - return PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_CRYPTO_PUBLICKEYBYTES; -} - -/* - * Returns the length of a signature, in bytes - */ -size_t 
PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_crypto_sign_bytes(void) { - return PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_CRYPTO_BYTES; -} - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_crypto_sign_seedbytes(void) { - return PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_CRYPTO_SEEDBYTES; -} - -/* - * Generates an SPX key pair given a seed of length - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_crypto_sign_seed_keypair( - uint8_t *pk, uint8_t *sk, const uint8_t *seed) { - /* We do not need the auth path in key generation, but it simplifies the - code to have just one treehash routine that computes both root and path - in one function. */ - unsigned char auth_path[PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N]; - uint32_t top_tree_addr[8] = {0}; - hash_state hash_state_seeded; - - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_layer_addr( - top_tree_addr, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_D - 1); - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_type( - top_tree_addr, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_TYPE_HASHTREE); - - /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */ - memcpy(sk, seed, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_CRYPTO_SEEDBYTES); - - memcpy(pk, sk + 2 * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_initialize_hash_function(&hash_state_seeded, pk, sk); - - /* Compute root node of the top-most subtree. 
*/ - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_treehash_TREE_HEIGHT( - sk + 3 * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N, auth_path, sk, sk + 2 * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N, 0, 0, - wots_gen_leaf, top_tree_addr, &hash_state_seeded); - - memcpy(pk + PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N, sk + 3 * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N); - - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_destroy_hash_function(&hash_state_seeded); - return 0; -} - -/* - * Generates an SPX key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk) { - unsigned char seed[PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_CRYPTO_SEEDBYTES]; - randombytes(seed, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_CRYPTO_SEEDBYTES); - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_crypto_sign_seed_keypair( - pk, sk, seed); - - return 0; -} - -/** - * Returns an array containing a detached signature. - */ -int PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - const unsigned char *sk_seed = sk; - const unsigned char *sk_prf = sk + PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N; - const unsigned char *pk = sk + 2 * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N; - const unsigned char *pub_seed = pk; - - unsigned char optrand[PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N]; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_MSG_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N]; - uint32_t i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - - hash_state hash_state_seeded; - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_initialize_hash_function( - &hash_state_seeded, - pub_seed, sk_seed); - - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_TYPE_HASHTREE); - - /* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. */ - randombytes(optrand, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N); - /* Compute the digest randomization value. */ - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_gen_message_random( - sig, sk_prf, optrand, m, mlen, &hash_state_seeded); - - /* Derive the message digest and leaf index from R, PK and M. */ - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N; - - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - /* Sign the message hash using FORS. */ - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_fors_sign( - sig, root, mhash, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_BYTES; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_D; i++) { - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - /* Compute a WOTS signature. 
*/
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_wots_sign(
- sig, root, sk_seed, pub_seed, wots_addr, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_BYTES;
-
- /* Compute the authentication path for the used WOTS leaf. */
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_treehash_TREE_HEIGHT(
- root, sig, sk_seed, pub_seed, idx_leaf, 0,
- wots_gen_leaf, tree_addr, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N;
-
- /* Update the indices for the next layer. */
- idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_TREE_HEIGHT) - 1));
- tree = tree >> PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_TREE_HEIGHT;
- }
-
- *siglen = PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_BYTES;
-
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_destroy_hash_function(&hash_state_seeded);
- return 0;
-}
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk) {
- const unsigned char *pub_seed = pk;
- const unsigned char *pub_root = pk + PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N;
- unsigned char mhash[PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_MSG_BYTES];
- unsigned char wots_pk[PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_BYTES];
- unsigned char root[PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N];
- unsigned char leaf[PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N];
- unsigned int i;
- uint64_t tree;
- uint32_t idx_leaf;
- uint32_t wots_addr[8] = {0};
- uint32_t tree_addr[8] = {0};
- uint32_t wots_pk_addr[8] = {0};
-
- hash_state hash_state_seeded;
-
- if (siglen != PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_BYTES) {
- return -1;
- }
-
- /* This hook allows the hash function instantiation to do whatever
- preparation or computation it needs, based on the public seed. */
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_initialize_hash_function(
- &hash_state_seeded,
- pub_seed, NULL);
-
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_type(
- wots_addr, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_TYPE_WOTS);
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_type(
- tree_addr, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_TYPE_HASHTREE);
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_type(
- wots_pk_addr, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_TYPE_WOTSPK);
-
- /* Derive the message digest and leaf index from R || PK || M. */
- /* The additional PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N is a result of the hash domain separator. */
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_hash_message(
- mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N;
-
- /* Layer correctly defaults to 0, so no need to set_layer_addr */
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_tree_addr(wots_addr, tree);
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_keypair_addr(
- wots_addr, idx_leaf);
-
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_fors_pk_from_sig(
- root, sig, mhash, pub_seed, wots_addr, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_BYTES;
-
- /* For each subtree.. */
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_D; i++) {
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_layer_addr(tree_addr, i);
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_tree_addr(tree_addr, tree);
-
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_copy_subtree_addr(
- wots_addr, tree_addr);
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_keypair_addr(
- wots_addr, idx_leaf);
-
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_copy_keypair_addr(
- wots_pk_addr, wots_addr);
-
- /* The WOTS public key is only correct if the signature was correct. */
- /* Initially, root is the FORS pk, but on subsequent iterations it is
- the root of the subtree below the currently processed subtree. */
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_wots_pk_from_sig(
- wots_pk, sig, root, pub_seed, wots_addr, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_BYTES;
-
- /* Compute the leaf node using the WOTS public key. */
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_thash_WOTS_LEN(
- leaf, wots_pk, pub_seed, wots_pk_addr, &hash_state_seeded);
-
- /* Compute the root node of this subtree. */
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_compute_root(
- root, leaf, idx_leaf, 0, sig, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_TREE_HEIGHT,
- pub_seed, tree_addr, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N;
-
- /* Update the indices for the next layer. */
- idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_TREE_HEIGHT) - 1));
- tree = tree >> PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_TREE_HEIGHT;
- }
-
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_destroy_hash_function(&hash_state_seeded);
- /* Check if the root node equals the root node in the public key. */
- if (memcmp(root, pub_root, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N) != 0) {
- return -1;
- }
-
- return 0;
-}
-
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen, const uint8_t *sk) {
- size_t siglen;
-
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_crypto_sign_signature(
- sm, &siglen, m, mlen, sk);
-
- memmove(sm + PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_BYTES, m, mlen);
- *smlen = siglen + mlen;
-
- return 0;
-}
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen, const uint8_t *pk) {
- /* The API caller does not necessarily know what size a signature should be
- but SPHINCS+ signatures are always exactly PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_BYTES. */
- if (smlen < PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_BYTES) {
- memset(m, 0, smlen);
- *mlen = 0;
- return -1;
- }
-
- *mlen = smlen - PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_BYTES;
-
- if (PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_crypto_sign_verify(
- sm, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_BYTES, sm + PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_BYTES, *mlen, pk)) {
- memset(m, 0, smlen);
- *mlen = 0;
- return -1;
- }
-
- /* If verification was successful, move the message to the right place. */
- memmove(m, sm + PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_BYTES, *mlen);
-
- return 0;
-}
diff --git a/crypto_sign/sphincs-haraka-128s-robust/clean/thash.h b/crypto_sign/sphincs-haraka-128s-robust/clean/thash.h
deleted file mode 100644
index c5a7eb20..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/clean/thash.h
+++ /dev/null
@@ -1,28 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_THASH_H
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_THASH_H
-
-#include "hash_state.h"
-
-#include
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_thash_1(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_thash_2(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_thash_WOTS_LEN(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_thash_FORS_TREES(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-robust/clean/thash_haraka_robust.c b/crypto_sign/sphincs-haraka-128s-robust/clean/thash_haraka_robust.c
deleted file mode 100644
index f54180a9..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/clean/thash_haraka_robust.c
+++ /dev/null
@@ -1,94 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "hash_state.h"
-#include "params.h"
-#include "thash.h"
-
-#include "haraka.h"
-
-/**
- * Takes an array of inblocks concatenated arrays of PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N bytes.
- */
-static void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_thash(
- unsigned char *out, unsigned char *buf,
- const unsigned char *in, unsigned int inblocks,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned char *bitmask = buf + PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_BYTES;
- unsigned char outbuf[32];
- unsigned char buf_tmp[64];
- unsigned int i;
-
- (void)pub_seed; /* Suppress an 'unused parameter' warning. */
-
- if (inblocks == 1) {
- /* F function */
- /* Since PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N may be smaller than 32, we need a temporary buffer. */
- memset(buf_tmp, 0, 64);
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_addr_to_bytes(buf_tmp, addr);
-
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka256(outbuf, buf_tmp, hash_state_seeded);
- for (i = 0; i < inblocks * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N; i++) {
- buf_tmp[PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_BYTES + i] = in[i] ^ outbuf[i];
- }
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka512(outbuf, buf_tmp, hash_state_seeded);
- memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N);
- } else {
- /* All other tweakable hashes*/
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_addr_to_bytes(buf, addr);
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S(
- bitmask, inblocks * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N, buf, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_BYTES, hash_state_seeded);
-
- for (i = 0; i < inblocks * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N; i++) {
- buf[PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_BYTES + i] = in[i] ^ bitmask[i];
- }
-
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_haraka_S(
- out, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N, buf, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_BYTES + inblocks * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N, hash_state_seeded);
- }
-}
-
-/* The wrappers below ensure that we use fixed-size buffers on the stack */
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_thash_1(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_BYTES + 1 * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N];
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_thash(
- out, buf, in, 1, pub_seed, addr, hash_state_seeded);
-}
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_thash_2(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_BYTES + 2 * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N];
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_thash(
- out, buf, in, 2, pub_seed, addr, hash_state_seeded);
-}
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_thash_WOTS_LEN(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_LEN * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N];
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_thash(
- out, buf, in, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_LEN, pub_seed, addr, hash_state_seeded);
-}
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_thash_FORS_TREES(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N];
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_thash(
- out, buf, in, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_TREES, pub_seed, addr, hash_state_seeded);
-}
diff --git a/crypto_sign/sphincs-haraka-128s-robust/clean/utils.c b/crypto_sign/sphincs-haraka-128s-robust/clean/utils.c
deleted file mode 100644
index 888ea83f..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/clean/utils.c
+++ /dev/null
@@ -1,199 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "hash.h"
-#include "hash_state.h"
-#include "params.h"
-#include "thash.h"
-#include "utils.h"
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ull_to_bytes(
- unsigned char *out, size_t outlen, unsigned long long in) {
-
- /* Iterate over out in decreasing order, for big-endianness. */
- for (size_t i = outlen; i > 0; i--) {
- out[i - 1] = in & 0xff;
- in = in >> 8;
- }
-}
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-unsigned long long PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_bytes_to_ull(
- const unsigned char *in, size_t inlen) {
- unsigned long long retval = 0;
-
- for (size_t i = 0; i < inlen; i++) {
- retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i));
- }
- return retval;
-}
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_compute_root(
- unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- uint32_t i;
- unsigned char buffer[2 * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N];
-
- /* If leaf_idx is odd (last bit = 1), current path element is a right child
- and auth_path has to go left. Otherwise it is the other way around. */
- if (leaf_idx & 1) {
- memcpy(buffer + PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N, leaf, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N);
- memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N);
- } else {
- memcpy(buffer, leaf, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N);
- memcpy(buffer + PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N, auth_path, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N);
- }
- auth_path += PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N;
-
- for (i = 0; i < tree_height - 1; i++) {
- leaf_idx >>= 1;
- idx_offset >>= 1;
- /* Set the address of the node we're creating. */
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_tree_height(addr, i + 1);
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_tree_index(
- addr, leaf_idx + idx_offset);
-
- /* Pick the right or left neighbor, depending on parity of the node. */
- if (leaf_idx & 1) {
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_thash_2(
- buffer + PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N, buffer, pub_seed, addr, hash_state_seeded);
- memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N);
- } else {
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_thash_2(
- buffer, buffer, pub_seed, addr, hash_state_seeded);
- memcpy(buffer + PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N, auth_path, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N);
- }
- auth_path += PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N;
- }
-
- /* The last iteration is exceptional; we do not copy an auth_path node. */
- leaf_idx >>= 1;
- idx_offset >>= 1;
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_tree_height(addr, tree_height);
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_tree_index(
- addr, leaf_idx + idx_offset);
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_thash_2(
- root, buffer, pub_seed, addr, hash_state_seeded);
-}
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-static void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_treehash(
- unsigned char *root, unsigned char *auth_path,
- unsigned char *stack, unsigned int *heights,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned int offset = 0;
- uint32_t idx;
- uint32_t tree_idx;
-
- for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) {
- /* Add the next leaf node to the stack. */
- gen_leaf(stack + offset * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N,
- sk_seed, pub_seed, idx + idx_offset, tree_addr,
- hash_state_seeded);
- offset++;
- heights[offset - 1] = 0;
-
- /* If this is a node we need for the auth path.. */
- if ((leaf_idx ^ 0x1) == idx) {
- memcpy(auth_path, stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N);
- }
-
- /* While the top-most nodes are of equal height.. */
- while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) {
- /* Compute index of the new node, in the next layer. */
- tree_idx = (idx >> (heights[offset - 1] + 1));
-
- /* Set the address of the node we're creating. */
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_tree_height(
- tree_addr, heights[offset - 1] + 1);
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_tree_index(
- tree_addr, tree_idx + (idx_offset >> (heights[offset - 1] + 1)));
- /* Hash the top-most nodes from the stack together. */
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_thash_2(
- stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N, stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N,
- pub_seed, tree_addr, hash_state_seeded);
- offset--;
- /* Note that the top-most node is now one layer higher. */
- heights[offset - 1]++;
-
- /* If this is a node we need for the auth path.. */
- if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) {
- memcpy(auth_path + heights[offset - 1]*PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N,
- stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N);
- }
- }
- }
- memcpy(root, stack, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N);
-}
-
-/* The wrappers below ensure that we use fixed-size buffers on the stack */
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_treehash_FORS_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded) {
-
- unsigned char stack[(PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N];
- unsigned int heights[PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_HEIGHT + 1];
-
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_treehash(
- root, auth_path, stack, heights, sk_seed, pub_seed,
- leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_FORS_HEIGHT, gen_leaf, tree_addr, hash_state_seeded);
-}
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_treehash_TREE_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded) {
-
- unsigned char stack[(PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_TREE_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N];
- unsigned int heights[PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_TREE_HEIGHT + 1];
-
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_treehash(
- root, auth_path, stack, heights, sk_seed, pub_seed,
- leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_TREE_HEIGHT, gen_leaf, tree_addr, hash_state_seeded);
-}
diff --git a/crypto_sign/sphincs-haraka-128s-robust/clean/utils.h b/crypto_sign/sphincs-haraka-128s-robust/clean/utils.h
deleted file mode 100644
index e85ca458..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/clean/utils.h
+++ /dev/null
@@ -1,64 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_UTILS_H
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_UTILS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-#include
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ull_to_bytes(
- unsigned char *out, size_t outlen, unsigned long long in);
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-unsigned long long PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_bytes_to_ull(
- const unsigned char *in, size_t inlen);
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_compute_root(
- unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_treehash_FORS_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_treehash_TREE_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-robust/clean/wots.c b/crypto_sign/sphincs-haraka-128s-robust/clean/wots.c
deleted file mode 100644
index de43b7f3..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/clean/wots.c
+++ /dev/null
@@ -1,167 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "hash.h"
-#include "hash_state.h"
-#include "params.h"
-#include "thash.h"
-#include "utils.h"
-#include "wots.h"
-
-// TODO clarify address expectations, and make them more uniform.
-// TODO i.e. do we expect types to be set already?
-// TODO and do we expect modifications or copies?
-
-/**
- * Computes the starting value for a chain, i.e. the secret key.
- * Expects the address to be complete up to the chain address.
- */
-static void wots_gen_sk(unsigned char *sk, const unsigned char *sk_seed,
- uint32_t wots_addr[8],
- const hash_state *hash_state_seeded) {
- /* Make sure that the hash address is actually zeroed. */
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_hash_addr(wots_addr, 0);
-
- /* Generate sk element. */
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_prf_addr(sk, sk_seed, wots_addr, hash_state_seeded);
-}
-
-/**
- * Computes the chaining function.
- * out and in have to be n-byte arrays.
- *
- * Interprets in as start-th value of the chain.
- * addr has to contain the address of the chain.
- */
-static void gen_chain(unsigned char *out, const unsigned char *in,
- unsigned int start, unsigned int steps,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- uint32_t i;
-
- /* Initialize out with the value at position 'start'. */
- memcpy(out, in, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N);
-
- /* Iterate 'steps' calls to the hash function. */
- for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_W; i++) {
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_hash_addr(addr, i);
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_thash_1(
- out, out, pub_seed, addr, hash_state_seeded);
- }
-}
-
-/**
- * base_w algorithm as described in draft.
- * Interprets an array of bytes as integers in base w.
- * This only works when log_w is a divisor of 8.
- */
-static void base_w(unsigned int *output, const size_t out_len,
- const unsigned char *input) {
- size_t in = 0;
- size_t out = 0;
- unsigned char total = 0;
- unsigned int bits = 0;
- size_t consumed;
-
- for (consumed = 0; consumed < out_len; consumed++) {
- if (bits == 0) {
- total = input[in];
- in++;
- bits += 8;
- }
- bits -= PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_LOGW;
- output[out] = (unsigned int)((total >> bits) & (PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_W - 1));
- out++;
- }
-}
-
-/* Computes the WOTS+ checksum over a message (in base_w). */
-static void wots_checksum(unsigned int *csum_base_w,
- const unsigned int *msg_base_w) {
- unsigned int csum = 0;
- unsigned char csum_bytes[(PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_LOGW + 7) / 8];
- unsigned int i;
-
- /* Compute checksum. */
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_LEN1; i++) {
- csum += PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_W - 1 - msg_base_w[i];
- }
-
- /* Convert checksum to base_w. */
- /* Make sure expected empty zero bits are the least significant bits. */
- csum = csum << (8 - ((PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_LOGW) % 8));
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_ull_to_bytes(
- csum_bytes, sizeof(csum_bytes), csum);
- base_w(csum_base_w, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_LEN2, csum_bytes);
-}
-
-/* Takes a message and derives the matching chain lengths. */
-static void chain_lengths(unsigned int *lengths, const unsigned char *msg) {
- base_w(lengths, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_LEN1, msg);
- wots_checksum(lengths + PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_LEN1, lengths);
-}
-
-/**
- * WOTS key generation. Takes a 32 byte sk_seed, expands it to WOTS private key
- * elements and computes the corresponding public key.
- * It requires the seed pub_seed (used to generate bitmasks and hash keys)
- * and the address of this WOTS key pair.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_wots_gen_pk(
- unsigned char *pk, const unsigned char *sk_seed,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- uint32_t i;
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_LEN; i++) {
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_chain_addr(addr, i);
- wots_gen_sk(pk + i * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N, sk_seed, addr, hash_state_seeded);
- gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N, pk + i * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N,
- 0, PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_W - 1, pub_seed, addr, hash_state_seeded);
- }
-}
-
-/**
- * Takes a n-byte message and the 32-byte sk_see to compute a signature 'sig'.
- */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_wots_sign(
- unsigned char *sig, const unsigned char *msg,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t addr[8], const hash_state *hash_state_seeded) {
- unsigned int lengths[PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_LEN];
- uint32_t i;
-
- chain_lengths(lengths, msg);
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_LEN; i++) {
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_chain_addr(addr, i);
- wots_gen_sk(sig + i * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N, sk_seed, addr, hash_state_seeded);
- gen_chain(sig + i * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N, sig + i * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N, 0, lengths[i], pub_seed, addr, hash_state_seeded);
- }
-}
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_wots_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- unsigned int lengths[PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_LEN];
- uint32_t i;
-
- chain_lengths(lengths, msg);
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_LEN; i++) {
- PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_set_chain_addr(addr, i);
- gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N, sig + i * PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_N,
- lengths[i], PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_W - 1 - lengths[i], pub_seed, addr,
- hash_state_seeded);
- }
-}
diff --git a/crypto_sign/sphincs-haraka-128s-robust/clean/wots.h b/crypto_sign/sphincs-haraka-128s-robust/clean/wots.h
deleted file mode 100644
index b98dd23a..00000000
--- a/crypto_sign/sphincs-haraka-128s-robust/clean/wots.h
+++ /dev/null
@@ -1,41 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_H
-#define PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_WOTS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-
-/**
- * WOTS key generation. Takes a 32 byte seed for the private key, expands it to
- * a full WOTS private key and computes the corresponding public key.
- * It requires the seed pub_seed (used to generate bitmasks and hash keys)
- * and the address of this WOTS key pair.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_wots_gen_pk(
- unsigned char *pk, const unsigned char *sk_seed,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * Takes a n-byte message and the 32-byte seed for the private key to compute a
- * signature that is placed at 'sig'.
- */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_wots_sign(
- unsigned char *sig, const unsigned char *msg,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA128SROBUST_CLEAN_wots_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-simple/META.yml b/crypto_sign/sphincs-haraka-128s-simple/META.yml
deleted file mode 100644
index 3940379b..00000000
--- a/crypto_sign/sphincs-haraka-128s-simple/META.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-name: SPHINCS+
-type: signature
-claimed-nist-level: 1
-length-public-key: 32
-length-secret-key: 64
-length-signature: 8080
-testvectors-sha256: 526b848d03142746354042329e174aedda2acd70269a57017e37edd5b1b8976a
-nistkat-sha256: a83a6512c773b1f305f07a383ececf607ecfbd0e5ad49b4ab444faed019f66c8
-principal-submitters:
- - Andreas Hülsing
-auxiliary-submitters:
- - Jean-Philippe Aumasson
- - Daniel J. Bernstein,
- - Christoph Dobraunig
- - Maria Eichlseder
- - Scott Fluhrer
- - Stefan-Lukas Gazdag
- - Panos Kampanakis
- - Stefan Kölbl
- - Tanja Lange
- - Martin M. Lauridsen
- - Florian Mendel
- - Ruben Niederhagen
- - Christian Rechberger
- - Joost Rijneveld
- - Peter Schwabe
-implementations:
- - name: clean
- version: https://github.com/sphincs/sphincsplus/commit/77755c94d0bc744478044d6efbb888dc13156441
- - name: aesni
- version: https://github.com/sphincs/sphincsplus/commit/77755c94d0bc744478044d6efbb888dc13156441
- supported_platforms:
- - architecture: x86_64
- required_flags:
- - aes
diff --git a/crypto_sign/sphincs-haraka-128s-simple/aesni/LICENSE b/crypto_sign/sphincs-haraka-128s-simple/aesni/LICENSE
deleted file mode 100644
index 670154e3..00000000
--- a/crypto_sign/sphincs-haraka-128s-simple/aesni/LICENSE
+++ /dev/null
@@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. 
publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. 
Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. 
Affirmer offers the Work as-is and makes no representations or warranties - of any kind concerning the Work, express, implied, statutory or otherwise, - including without limitation warranties of title, merchantability, fitness - for a particular purpose, non infringement, or the absence of latent or - other defects, accuracy, or the present or absence of errors, whether or not - discoverable, all to the greatest extent permissible under applicable law. - - c. Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without limitation - any person's Copyright and Related Rights in the Work. Further, Affirmer - disclaims responsibility for obtaining any necessary consents, permissions - or other rights required for any use of the Work. - - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to this - CC0 or use of the Work. - -For more information, please see - diff --git a/crypto_sign/sphincs-haraka-128s-simple/aesni/Makefile.Microsoft_nmake b/crypto_sign/sphincs-haraka-128s-simple/aesni/Makefile.Microsoft_nmake deleted file mode 100644 index 30c34481..00000000 --- a/crypto_sign/sphincs-haraka-128s-simple/aesni/Makefile.Microsoft_nmake +++ /dev/null 
@@ -1,23 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libsphincs-haraka-128s-simple_aesni.lib
-OBJECTS=address.obj wots.obj utils.obj utilsx4.obj fors.obj sign.obj hash_haraka.obj thash_haraka_simple.obj hash_harakax4.obj thash_haraka_simplex4.obj haraka.obj
-
-# We ignore warning C4127: in thash_haraka_*x4.c we use a conditional
-# that when the macro is generated for inblocks = 1 results in a case
-# with `if (1 == 1)`. The compiler should just optimise this away, but
-# on MSVC we get a compiler complaint.
-CFLAGS=/nologo /arch:AVX /O2 /I ..\..\..\common /W4 /WX /wd4127
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_sign/sphincs-haraka-128s-simple/aesni/address.c b/crypto_sign/sphincs-haraka-128s-simple/aesni/address.c
deleted file mode 100644
index b32f3593..00000000
--- a/crypto_sign/sphincs-haraka-128s-simple/aesni/address.c
+++ /dev/null
@@ -1,78 +0,0 @@
-#include
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]) {
- int i;
-
- for (i = 0; i < 8; i++) {
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ull_to_bytes(
- bytes + i * 4, 4, addr[i]);
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_layer_addr(
- uint32_t addr[8], uint32_t layer) {
- addr[0] = layer;
-}
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_tree_addr(
- uint32_t addr[8], uint64_t tree) {
- addr[1] = 0;
- addr[2] = (uint32_t) (tree >> 32);
- addr[3] = (uint32_t) tree;
-}
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_type(
- uint32_t addr[8], uint32_t type) {
- addr[4] = type;
-}
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
-}
-
-/* These functions are used for OTS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair) {
- addr[5] = keypair;
-}
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
- out[5] = in[5];
-}
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_chain_addr(
- uint32_t addr[8], uint32_t chain) {
- addr[6] = chain;
-}
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_hash_addr(
- uint32_t addr[8], uint32_t hash) {
- addr[7] = hash;
-}
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_tree_height(
- uint32_t addr[8], uint32_t tree_height) {
- addr[6] = tree_height;
-}
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_tree_index(
- uint32_t addr[8], uint32_t tree_index) {
- addr[7] = tree_index;
-}
diff --git a/crypto_sign/sphincs-haraka-128s-simple/aesni/address.h b/crypto_sign/sphincs-haraka-128s-simple/aesni/address.h
deleted file mode 100644
index 306112a3..00000000
--- a/crypto_sign/sphincs-haraka-128s-simple/aesni/address.h
+++ /dev/null
@@ -1,50 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDRESS_H
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDRESS_H
-
-#include
-
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_TYPE_WOTS 0
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_TYPE_WOTSPK 1
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_TYPE_HASHTREE 2
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_TYPE_FORSTREE 3
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_TYPE_FORSPK 4
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]);
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_layer_addr(
- uint32_t addr[8], uint32_t layer);
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_tree_addr(
- uint32_t addr[8], uint64_t tree);
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_type(
- uint32_t addr[8], uint32_t type);
-
-/* Copies the layer and tree part of one address into the other */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for WOTS and FORS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair);
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_chain_addr(
- uint32_t addr[8], uint32_t chain);
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_hash_addr(
- uint32_t addr[8], uint32_t hash);
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_tree_height(
- uint32_t addr[8], uint32_t tree_height);
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_tree_index(
- uint32_t addr[8], uint32_t tree_index);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-simple/aesni/api.h b/crypto_sign/sphincs-haraka-128s-simple/aesni/api.h
deleted file mode 100644
index e9f786a7..00000000
--- a/crypto_sign/sphincs-haraka-128s-simple/aesni/api.h
+++ /dev/null
@@ -1,81 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_API_H
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_API_H
-
-#include
-#include
-
-
-
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_CRYPTO_ALGNAME "SPHINCS+"
-
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES 64
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES 32
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_CRYPTO_BYTES 8080
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_CRYPTO_SEEDBYTES 48
-
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_crypto_sign_seed_keypair(
- uint8_t *pk, uint8_t *sk, const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_crypto_sign_keypair(
- uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-int PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen, const uint8_t *pk);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-simple/aesni/fors.c b/crypto_sign/sphincs-haraka-128s-simple/aesni/fors.c
deleted file mode 100644
index 5d97baf2..00000000
--- a/crypto_sign/sphincs-haraka-128s-simple/aesni/fors.c
+++ /dev/null
@@ -1,206 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "fors.h" -#include "hash.h" -#include "hashx4.h" -#include "thash.h" -#include "thashx4.h" -#include "utils.h" -#include "utilsx4.h" - -static void fors_gen_skx4(unsigned char *sk0, - unsigned char *sk1, - unsigned char *sk2, - unsigned char *sk3, const unsigned char *sk_seed, - uint32_t fors_leaf_addrx4[4 * 8], - const hash_state *state_seeded) { - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_prf_addrx4(sk0, sk1, sk2, sk3, sk_seed, fors_leaf_addrx4, state_seeded); -} - -static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk, - const unsigned char *pub_seed, - uint32_t fors_leaf_addr[8], const hash_state *state_seeded) { - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_thash_1(leaf, sk, pub_seed, fors_leaf_addr, state_seeded); -} - -static void fors_sk_to_leafx4(unsigned char *leaf0, - unsigned char *leaf1, - unsigned char *leaf2, - unsigned char *leaf3, - const unsigned char *sk0, - const unsigned char *sk1, - const unsigned char *sk2, - const unsigned char *sk3, - const unsigned char *pub_seed, - uint32_t fors_leaf_addrx4[4 * 8], - const hash_state *state_seeded) { - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_thashx4_1(leaf0, leaf1, leaf2, leaf3, - sk0, sk1, sk2, sk3, pub_seed, fors_leaf_addrx4, state_seeded); -} - -static void fors_gen_leafx4(unsigned char *leaf0, - unsigned char *leaf1, - unsigned char *leaf2, - unsigned char *leaf3, - const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx0, - uint32_t addr_idx1, - uint32_t addr_idx2, - uint32_t addr_idx3, - const uint32_t fors_tree_addr[8], - const hash_state *state_seeded) { - uint32_t fors_leaf_addrx4[4 * 8] = {0}; - unsigned int j; - - /* Only copy the parts that must be kept in fors_leaf_addrx4. 
*/ - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_copy_keypair_addr(fors_leaf_addrx4 + j * 8, fors_tree_addr); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_type(fors_leaf_addrx4 + j * 8, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_TYPE_FORSTREE); - } - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_tree_index(fors_leaf_addrx4 + 0 * 8, addr_idx0); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_tree_index(fors_leaf_addrx4 + 1 * 8, addr_idx1); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_tree_index(fors_leaf_addrx4 + 2 * 8, addr_idx2); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_tree_index(fors_leaf_addrx4 + 3 * 8, addr_idx3); - - fors_gen_skx4(leaf0, leaf1, leaf2, leaf3, sk_seed, fors_leaf_addrx4, state_seeded); - fors_sk_to_leafx4(leaf0, leaf1, leaf2, leaf3, - leaf0, leaf1, leaf2, leaf3, pub_seed, fors_leaf_addrx4, state_seeded); -} - -/** - * Interprets m as PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_HEIGHT-bit unsigned integers. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_TREES bits. - * Assumes indices has space for PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_TREES integers. - */ -static void message_to_indices(uint32_t *indices, const unsigned char *m) { - unsigned int i, j; - unsigned int offset = 0; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_TREES; i++) { - indices[i] = 0; - for (j = 0; j < PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_HEIGHT; j++) { - indices[i] ^= (((uint32_t)m[offset >> 3] >> (offset & 0x7)) & 0x1) << j; - offset++; - } - } -} - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_TREES bits. 
- */ -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_fors_sign(unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const unsigned char *sk_seed, const unsigned char *pub_seed, - const uint32_t fors_addr[8], const hash_state *state_seeded) { - /* Round up to multiple of 4 to prevent out-of-bounds for x4 parallelism */ - uint32_t indices[(PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_TREES + 3) & ~3] = {0}; - unsigned char roots[((PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_TREES + 3) & ~3) * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N]; - /* Sign to a buffer, since we may not have a nice multiple of 4 and would - otherwise overrun the signature. */ - unsigned char sigbufx4[4 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N * (1 + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_HEIGHT)]; - uint32_t fors_tree_addrx4[4 * 8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset[4] = {0}; - unsigned int i, j; - - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_copy_keypair_addr(fors_tree_addrx4 + j * 8, fors_addr); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_type(fors_tree_addrx4 + j * 8, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_TYPE_FORSTREE); - } - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_copy_keypair_addr(fors_pk_addr, fors_addr); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < ((PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_TREES + 3) & ~0x3); i += 4) { - for (j = 0; j < 4; j++) { - if (i + j < PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_TREES) { - idx_offset[j] = (i + j) * (1 << PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_HEIGHT); - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_tree_height(fors_tree_addrx4 + j * 8, 0); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_tree_index(fors_tree_addrx4 + j * 8, - indices[i + j] + idx_offset[j]); - } - } - - /* Include the secret key part that produces the selected leaf nodes. 
*/ - fors_gen_skx4(sigbufx4 + 0 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, - sigbufx4 + 1 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, - sigbufx4 + 2 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, - sigbufx4 + 3 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, - sk_seed, fors_tree_addrx4, state_seeded); - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_treehashx4_FORS_HEIGHT(roots + i * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, sigbufx4 + 4 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, sk_seed, pub_seed, - &indices[i], idx_offset, fors_gen_leafx4, fors_tree_addrx4, - state_seeded); - - for (j = 0; j < 4; j++) { - if (i + j < PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_TREES) { - memcpy(sig, sigbufx4 + j * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); - memcpy(sig + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, - sigbufx4 + 4 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N + j * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_HEIGHT, - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_HEIGHT); - sig += PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N * (1 + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_HEIGHT); - } - } - } - - /* Hash horizontally across all tree roots to derive the public key. */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, state_seeded); -} - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_TREES bits. 
- */ -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_fors_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const unsigned char *pub_seed, - const uint32_t fors_addr[8], - const hash_state *state_seeded) { - uint32_t indices[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_TREES]; - unsigned char roots[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N]; - uint32_t fors_tree_addr[8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_copy_keypair_addr(fors_tree_addr, fors_addr); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_copy_keypair_addr(fors_pk_addr, fors_addr); - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_type(fors_tree_addr, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_TYPE_FORSTREE); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_TREES; i++) { - idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_HEIGHT); - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_tree_height(fors_tree_addr, 0); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_tree_index(fors_tree_addr, indices[i] + idx_offset); - - /* Derive the leaf from the included secret key part. */ - fors_sk_to_leaf(leaf, sig, pub_seed, fors_tree_addr, state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N; - - /* Derive the corresponding root node of this tree. 
*/ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_compute_root(roots + i * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, leaf, indices[i], idx_offset, - sig, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_HEIGHT, pub_seed, fors_tree_addr, - state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-128s-simple/aesni/fors.h b/crypto_sign/sphincs-haraka-128s-simple/aesni/fors.h deleted file mode 100644 index 79ff829d..00000000 --- a/crypto_sign/sphincs-haraka-128s-simple/aesni/fors.h +++ /dev/null 
@@ -1,32 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_H
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_H
-
-#include
-
-#include "hash_state.h"
-#include "params.h"
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_fors_sign(
- unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- const uint32_t fors_addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_fors_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const unsigned char *pub_seed, const uint32_t fors_addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-simple/aesni/haraka.c b/crypto_sign/sphincs-haraka-128s-simple/aesni/haraka.c
deleted file mode 100644
index 1cd9801e..00000000
--- a/crypto_sign/sphincs-haraka-128s-simple/aesni/haraka.c
+++ /dev/null
@@ -1,801 +0,0 @@
-/*
-Plain C implementation of the Haraka256 and Haraka512 permutations.
-*/
-#include
-#include
-#include
-#include
-#include
-
-#include "haraka.h"
-
-#define HARAKAS_RATE 32
-
-#define u64 uint64_t
-#define u128 __m128i
-
-#define LOAD(src) _mm_loadu_si128((u128 *)(src))
-#define STORE(dest,src) _mm_storeu_si128((u128 *)(dest),src)
-
-#define XOR128(a, b) _mm_xor_si128(a, b)
-
-#define AES2(s0, s1, rci) \
- (s0) = _mm_aesenc_si128(s0, *(rci)); \
- (s1) = _mm_aesenc_si128(s1, *((rci) + 1)); \
- (s0) = _mm_aesenc_si128(s0, *((rci) + 2)); \
- (s1) = _mm_aesenc_si128(s1, *((rci) + 3));
-
-#define AES2_4x(s0, s1, s2, s3, rci) \
- AES2((s0)[0], (s0)[1], rci); \
- AES2((s1)[0], (s1)[1], rci); \
- AES2((s2)[0], (s2)[1], rci); \
- AES2((s3)[0], (s3)[1], rci);
-
-#define AES4(s0, s1, s2, s3, rci) \
- (s0) = _mm_aesenc_si128(s0, *(rci)); \
- (s1) = _mm_aesenc_si128(s1, *((rci) + 1)); \
- (s2) = _mm_aesenc_si128(s2, *((rci) + 2)); \
- (s3) = _mm_aesenc_si128(s3, *((rci) + 3)); \
- (s0) = _mm_aesenc_si128(s0, *((rci) + 4)); \
- (s1) = _mm_aesenc_si128(s1, *((rci) + 5)); \
- (s2) = _mm_aesenc_si128(s2, *((rci) + 6)); \
- (s3) = _mm_aesenc_si128(s3, *((rci) + 7));
-
-#define AES4_4x(s0, s1, s2, s3, rci) \
- AES4((s0)[0], (s0)[1], (s0)[2], (s0)[3], rci); \
- AES4((s1)[0], (s1)[1], (s1)[2], (s1)[3], rci); \
- AES4((s2)[0], (s2)[1], (s2)[2], (s2)[3], rci); \
- AES4((s3)[0], (s3)[1], (s3)[2], (s3)[3], rci);
-
-#define MIX2(s0, s1) \
- tmp = _mm_unpacklo_epi32(s0, s1); \
- (s1) = _mm_unpackhi_epi32(s0, s1); \
- (s0) = tmp;
-
-#define MIX4(s0, s1, s2, s3) \
- tmp = _mm_unpacklo_epi32(s0, s1); \
- (s0) = _mm_unpackhi_epi32(s0, s1); \
- (s1) = _mm_unpacklo_epi32(s2, s3); \
- (s2) = _mm_unpackhi_epi32(s2, s3); \
- (s3) = _mm_unpacklo_epi32(s0, s2); \
- (s0) = _mm_unpackhi_epi32(s0, s2); \
- (s2) = _mm_unpackhi_epi32(s1, tmp); \
- (s1) = _mm_unpacklo_epi32(s1, tmp);
-
-#define TRUNCSTORE(out, s0, s1, s2, s3) \
- _mm_storeu_si128((u128 *)(out), \
- _mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(s0), _mm_castsi128_pd(s1), 3))); \
- _mm_storeu_si128((u128 *)((out) + 16), \
- _mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(s2), _mm_castsi128_pd(s3), 0)));
-
-static void load_haraka_constants(u128 rc[40]) {
- rc[ 0] = _mm_set_epi32((int)0x0684704c, (int)0xe620c00a, (int)0xb2c5fef0, (int)0x75817b9d);
- rc[ 1] = _mm_set_epi32((int)0x8b66b4e1, (int)0x88f3a06b, (int)0x640f6ba4, (int)0x2f08f717);
- rc[ 2] = _mm_set_epi32((int)0x3402de2d, (int)0x53f28498, (int)0xcf029d60, (int)0x9f029114);
- rc[ 3] = _mm_set_epi32((int)0x0ed6eae6, (int)0x2e7b4f08, (int)0xbbf3bcaf, (int)0xfd5b4f79);
- rc[ 4] = _mm_set_epi32((int)0xcbcfb0cb, (int)0x4872448b, (int)0x79eecd1c, (int)0xbe397044);
- rc[ 5] = _mm_set_epi32((int)0x7eeacdee, (int)0x6e9032b7, (int)0x8d5335ed, (int)0x2b8a057b);
- rc[ 6] = _mm_set_epi32((int)0x67c28f43, (int)0x5e2e7cd0, (int)0xe2412761, (int)0xda4fef1b);
- rc[ 7] = _mm_set_epi32((int)0x2924d9b0, (int)0xafcacc07, (int)0x675ffde2, (int)0x1fc70b3b);
- rc[ 8] = _mm_set_epi32((int)0xab4d63f1, (int)0xe6867fe9, (int)0xecdb8fca, (int)0xb9d465ee);
- rc[ 9] = _mm_set_epi32((int)0x1c30bf84, (int)0xd4b7cd64, (int)0x5b2a404f, (int)0xad037e33);
- rc[10] = _mm_set_epi32((int)0xb2cc0bb9, (int)0x941723bf, (int)0x69028b2e, (int)0x8df69800);
- rc[11] = _mm_set_epi32((int)0xfa0478a6, (int)0xde6f5572, (int)0x4aaa9ec8, (int)0x5c9d2d8a);
- rc[12] = _mm_set_epi32((int)0xdfb49f2b, (int)0x6b772a12, (int)0x0efa4f2e, (int)0x29129fd4);
- rc[13] = _mm_set_epi32((int)0x1ea10344, (int)0xf449a236, (int)0x32d611ae, (int)0xbb6a12ee);
- rc[14] = _mm_set_epi32((int)0xaf044988, (int)0x4b050084, (int)0x5f9600c9, (int)0x9ca8eca6);
- rc[15] = _mm_set_epi32((int)0x21025ed8, (int)0x9d199c4f, (int)0x78a2c7e3, (int)0x27e593ec);
- rc[16] = _mm_set_epi32((int)0xbf3aaaf8, (int)0xa759c9b7, (int)0xb9282ecd, (int)0x82d40173);
- rc[17] = _mm_set_epi32((int)0x6260700d, (int)0x6186b017, (int)0x37f2efd9, (int)0x10307d6b);
- rc[18] = _mm_set_epi32((int)0x5aca45c2, (int)0x21300443, (int)0x81c29153, (int)0xf6fc9ac6);
- rc[19] = _mm_set_epi32((int)0x9223973c, (int)0x226b68bb, (int)0x2caf92e8, (int)0x36d1943a);
- rc[20] = _mm_set_epi32((int)0xd3bf9238, (int)0x225886eb, (int)0x6cbab958, (int)0xe51071b4);
- rc[21] = _mm_set_epi32((int)0xdb863ce5, (int)0xaef0c677, (int)0x933dfddd, (int)0x24e1128d);
- rc[22] = _mm_set_epi32((int)0xbb606268, (int)0xffeba09c, (int)0x83e48de3, (int)0xcb2212b1);
- rc[23] = _mm_set_epi32((int)0x734bd3dc, (int)0xe2e4d19c, (int)0x2db91a4e, (int)0xc72bf77d);
- rc[24] = _mm_set_epi32((int)0x43bb47c3, (int)0x61301b43, (int)0x4b1415c4, (int)0x2cb3924e);
- rc[25] = _mm_set_epi32((int)0xdba775a8, (int)0xe707eff6, (int)0x03b231dd, (int)0x16eb6899);
- rc[26] = _mm_set_epi32((int)0x6df3614b, (int)0x3c755977, (int)0x8e5e2302, (int)0x7eca472c);
- rc[27] = _mm_set_epi32((int)0xcda75a17, (int)0xd6de7d77, (int)0x6d1be5b9, (int)0xb88617f9);
- rc[28] = _mm_set_epi32((int)0xec6b43f0, (int)0x6ba8e9aa, (int)0x9d6c069d, (int)0xa946ee5d);
- rc[29] = _mm_set_epi32((int)0xcb1e6950, (int)0xf957332b, (int)0xa2531159, (int)0x3bf327c1);
- rc[30] = _mm_set_epi32((int)0x2cee0c75, (int)0x00da619c, (int)0xe4ed0353, (int)0x600ed0d9);
- rc[31] = _mm_set_epi32((int)0xf0b1a5a1, (int)0x96e90cab, (int)0x80bbbabc, (int)0x63a4a350);
- rc[32] = _mm_set_epi32((int)0xae3db102, (int)0x5e962988, (int)0xab0dde30, (int)0x938dca39);
- rc[33] = _mm_set_epi32((int)0x17bb8f38, (int)0xd554a40b, (int)0x8814f3a8, (int)0x2e75b442);
- rc[34] = _mm_set_epi32((int)0x34bb8a5b, (int)0x5f427fd7, (int)0xaeb6b779, (int)0x360a16f6);
- rc[35] = _mm_set_epi32((int)0x26f65241, (int)0xcbe55438, (int)0x43ce5918, (int)0xffbaafde);
- rc[36] = _mm_set_epi32((int)0x4ce99a54, (int)0xb9f3026a, (int)0xa2ca9cf7, (int)0x839ec978);
- rc[37] = _mm_set_epi32((int)0xae51a51a, (int)0x1bdff7be, (int)0x40c06e28, (int)0x22901235);
- rc[38] = _mm_set_epi32((int)0xa0c1613c, (int)0xba7ed22b, (int)0xc173bc0f, (int)0x48a659cf);
- rc[39] = _mm_set_epi32((int)0x756acc03, (int)0x02288288, (int)0x4ad6bdfd, (int)0xe9c59da1);
-}
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length) {
- int i;
- unsigned char buf[40 * 16];
-
- /* Use the standard constants to generate tweaked ones. */
- load_haraka_constants(state->rc);
-
- /* Constants for sk.seed */
- if (sk_seed != NULL) {
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka_S(buf, 40 * 16, sk_seed, seed_length, state);
- /* Tweak constants with the pub_seed */
- for (i = 0; i < 40; i++) {
- state->rc_sseed[i] = LOAD(buf + i * 16);
- }
- }
-
- /* Constants for pk.seed */
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka_S(buf, 40 * 16, pk_seed, seed_length, state);
-
- /* Tweak constants with the pub_seed */
- for (i = 0; i < 40; i++) {
- state->rc[i] = LOAD(buf + i * 16);
- }
-}
-
-static void haraka_S_absorb(unsigned char *s,
- const unsigned char *m, unsigned long long mlen,
- unsigned char p,
- const harakactx *state) {
- unsigned long long i;
- unsigned char t[HARAKAS_RATE];
-
- while (mlen >= HARAKAS_RATE) {
- // XOR block to state
- STORE(s, XOR128(LOAD(s), LOAD(m)));
- STORE(s + 16, XOR128(LOAD(s + 16), LOAD(m + 16)));
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka512_perm(s, s, state);
- mlen -= HARAKAS_RATE;
- m += HARAKAS_RATE;
- }
-
- for (i = 0; i < HARAKAS_RATE; ++i) {
- t[i] = 0;
- }
- for (i = 0; i < mlen; ++i) {
- t[i] = m[i];
- }
- t[i] = p;
- t[HARAKAS_RATE - 1] |= 128;
- STORE(s, XOR128(LOAD(s), LOAD(t)));
- STORE(s + 16, XOR128(LOAD(s + 16), LOAD(t + 16)));
-}
-
-static void haraka_S_absorb4x(unsigned char *s,
- const unsigned char *m0,
- const unsigned char *m1,
- const unsigned char *m2,
- const unsigned char *m3,
- unsigned long long int mlen,
- unsigned char p,
- const harakactx *state) {
- unsigned long long i;
- unsigned char t0[HARAKAS_RATE];
- unsigned char t1[HARAKAS_RATE];
- unsigned char t2[HARAKAS_RATE];
- unsigned char t3[HARAKAS_RATE];
-
- while (mlen >= HARAKAS_RATE) {
- // XOR block to state
- STORE(s, XOR128(LOAD(s), LOAD(m0)));
- STORE(s + 16, XOR128(LOAD(s + 16), LOAD(m0 + 16)));
- STORE(s + 64, XOR128(LOAD(s + 64), LOAD(m1)));
- STORE(s + 80, XOR128(LOAD(s + 80), LOAD(m1 + 16)));
- STORE(s + 128, XOR128(LOAD(s + 128), LOAD(m2)));
- STORE(s + 144, XOR128(LOAD(s + 144), LOAD(m2 + 16)));
- STORE(s + 192, XOR128(LOAD(s + 192), LOAD(m3)));
- STORE(s + 208, XOR128(LOAD(s + 208), LOAD(m3 + 16)));
-
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka512_perm_x4(s, s, state);
- mlen -= HARAKAS_RATE;
- m0 += HARAKAS_RATE;
- m1 += HARAKAS_RATE;
- m2 += HARAKAS_RATE;
- m3 += HARAKAS_RATE;
- }
-
- for (i = 0; i < HARAKAS_RATE; ++i) {
- t0[i] = 0;
- t1[i] = 0;
- t2[i] = 0;
- t3[i] = 0;
- }
- for (i = 0; i < mlen; ++i) {
- t0[i] = m0[i];
- t1[i] = m1[i];
- t2[i] = m2[i];
- t3[i] = m3[i];
- }
-
- t0[i] = p;
- t1[i] = p;
- t2[i] = p;
- t3[i] = p;
-
- t0[HARAKAS_RATE - 1] |= 128;
- t1[HARAKAS_RATE - 1] |= 128;
- t2[HARAKAS_RATE - 1] |= 128;
- t3[HARAKAS_RATE - 1] |= 128;
-
- STORE(s, XOR128(LOAD(s), LOAD(t0)));
- STORE(s + 16, XOR128(LOAD(s + 16), LOAD(t0 + 16)));
- STORE(s + 64, XOR128(LOAD(s + 64), LOAD(t1)));
- STORE(s + 80, XOR128(LOAD(s + 80), LOAD(t1 + 16)));
- STORE(s + 128, XOR128(LOAD(s + 128), LOAD(t2)));
- STORE(s + 144, XOR128(LOAD(s + 144), LOAD(t2 + 16)));
- STORE(s + 192, XOR128(LOAD(s + 192), LOAD(t3)));
- STORE(s + 208, XOR128(LOAD(s + 208), LOAD(t3 + 16)));
-}
-
-static void haraka_S_squeezeblocks(unsigned char *h, unsigned long long nblocks,
- unsigned char *s, unsigned int r, const harakactx *state) {
- while (nblocks > 0) {
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka512_perm(s, s, state);
- STORE(h, LOAD(s));
- STORE(h + 16, LOAD(s + 16));
- h += r;
- nblocks--;
- }
-}
-
-static void haraka_S_squeezeblocks4x(unsigned char *h0,
- unsigned char *h1,
- unsigned char *h2,
- unsigned char *h3,
- unsigned long long nblocks,
- unsigned char *s,
- unsigned int r,
- const harakactx *state) {
- while (nblocks > 0)
{ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka512_perm_x4(s, s, state); - STORE(h0, LOAD(s)); - STORE(h0 + 16, LOAD(s + 16)); - STORE(h1, LOAD(s + 64)); - STORE(h1 + 16, LOAD(s + 80)); - STORE(h2, LOAD(s + 128)); - STORE(h2 + 16, LOAD(s + 144)); - STORE(h3, LOAD(s + 192)); - STORE(h3 + 16, LOAD(s + 208)); - h0 += r; - h1 += r; - h2 += r; - h3 += r; - nblocks--; - } -} - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka_S_inc_init(uint8_t *s_inc) { - size_t i; - - for (i = 0; i < 64; i++) { - s_inc[i] = 0; - } - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state) { - size_t i; - - /* Recall that s_inc[64] is the non-absorbed bytes xored into the state */ - while (mlen + s_inc[64] >= HARAKAS_RATE) { - for (i = 0; i < (size_t)(HARAKAS_RATE - s_inc[64]); i++) { - /* Take the i'th byte from message - xor with the s_inc[64] + i'th byte of the state */ - s_inc[s_inc[64] + i] ^= m[i]; - } - mlen -= (size_t)(HARAKAS_RATE - s_inc[64]); - m += HARAKAS_RATE - s_inc[64]; - s_inc[64] = 0; - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka512_perm(s_inc, s_inc, state); - } - - for (i = 0; i < mlen; i++) { - s_inc[s_inc[64] + i] ^= m[i]; - } - s_inc[64] = (uint8_t)(s_inc[64] + mlen); -} - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka_S_inc_finalize(uint8_t *s_inc) { - /* After haraka_S_inc_absorb, we are guaranteed that s_inc[64] < HARAKAS_RATE, - so we can always use one more byte for p in the current state. */ - s_inc[s_inc[64]] ^= 0x1F; - s_inc[HARAKAS_RATE - 1] ^= 128; - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state) { - size_t i; - - /* First consume any bytes we still have sitting around */ - for (i = 0; i < outlen && i < s_inc[64]; i++) { - /* There are s_inc[64] bytes left, so r - s_inc[64] is the first - available byte. We consume from there, i.e., up to r. 
*/ - out[i] = (uint8_t)s_inc[(HARAKAS_RATE - s_inc[64] + (uint8_t)i)]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(s_inc[64] - i); - - /* Then squeeze the remaining necessary blocks */ - while (outlen > 0) { - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka512_perm(s_inc, s_inc, state); - - for (i = 0; i < outlen && i < HARAKAS_RATE; i++) { - out[i] = s_inc[i]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(HARAKAS_RATE - i); - } -} - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka_S(unsigned char *out, unsigned long long outlen, - const unsigned char *in, unsigned long long inlen, const harakactx *state) { - unsigned long long i; - unsigned char s[64]; - unsigned char d[32]; - - for (i = 0; i < 64; i++) { - s[i] = 0; - } - haraka_S_absorb(s, in, inlen, 0x1F, state); - - haraka_S_squeezeblocks(out, outlen / HARAKAS_RATE, s, HARAKAS_RATE, state); - out += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - - if (outlen % HARAKAS_RATE) { - haraka_S_squeezeblocks(d, 1, s, HARAKAS_RATE, state); - for (i = 0; i < outlen % HARAKAS_RATE; i++) { - out[i] = d[i]; - } - } -} - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka_Sx4(unsigned char *out0, - unsigned char *out1, - unsigned char *out2, - unsigned char *out3, - unsigned long long outlen, - const unsigned char *in0, - const unsigned char *in1, - const unsigned char *in2, - const unsigned char *in3, - unsigned long long inlen, - const harakactx *state) { - unsigned long long i; - unsigned char s[64 * 4]; - unsigned char d0[32]; - unsigned char d1[32]; - unsigned char d2[32]; - unsigned char d3[32]; - - for (i = 0; i < 64 * 4; i++) { - s[i] = 0; - } - haraka_S_absorb4x(s, in0, in1, in2, in3, inlen, 0x1F, state); - - haraka_S_squeezeblocks4x(out0, out1, out2, out3, outlen / HARAKAS_RATE, s, HARAKAS_RATE, state); - out0 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out1 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out2 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out3 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - 
- if (outlen % HARAKAS_RATE) { - haraka_S_squeezeblocks4x(d0, d1, d2, d3, 1, s, HARAKAS_RATE, state); - for (i = 0; i < outlen % HARAKAS_RATE; i++) { - out0[i] = d0[i]; - out1[i] = d1[i]; - out2[i] = d2[i]; - out3[i] = d3[i]; - } - } -} - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - s[2] = LOAD(in + 32); - s[3] = LOAD(in + 48); - - AES4(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0], s[1], s[2], s[3]); - - STORE(out, s[0]); - STORE(out + 16, s[1]); - STORE(out + 32, s[2]); - STORE(out + 48, s[3]); -} - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka512_perm_x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][4], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[0][2] = LOAD(in + 32); - s[0][3] = LOAD(in + 48); - s[1][0] = LOAD(in + 64); - s[1][1] = LOAD(in + 80); - s[1][2] = LOAD(in + 96); - s[1][3] = LOAD(in + 112); - s[2][0] = LOAD(in + 128); - s[2][1] = LOAD(in + 144); - s[2][2] = LOAD(in + 160); - s[2][3] = LOAD(in + 176); - s[3][0] = LOAD(in + 192); - s[3][1] = LOAD(in + 208); - s[3][2] = LOAD(in + 224); - s[3][3] = LOAD(in + 240); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - 
MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[0][2]); - STORE(out + 48, s[0][3]); - STORE(out + 64, s[1][0]); - STORE(out + 80, s[1][1]); - STORE(out + 96, s[1][2]); - STORE(out + 112, s[1][3]); - STORE(out + 128, s[2][0]); - STORE(out + 144, s[2][1]); - STORE(out + 160, s[2][2]); - STORE(out + 176, s[2][3]); - STORE(out + 192, s[3][0]); - STORE(out + 208, s[3][1]); - STORE(out + 224, s[3][2]); - STORE(out + 240, s[3][3]); -} - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - s[2] = LOAD(in + 32); - s[3] = LOAD(in + 48); - - AES4(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0], s[1], s[2], s[3]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - s[2] = XOR128(s[2], LOAD(in + 32)); - s[3] = XOR128(s[3], LOAD(in + 48)); - - // truncate and 
store result - TRUNCSTORE(out, s[0], s[1], s[2], s[3]); -} - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka512x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][4], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[0][2] = LOAD(in + 32); - s[0][3] = LOAD(in + 48); - s[1][0] = LOAD(in + 64); - s[1][1] = LOAD(in + 80); - s[1][2] = LOAD(in + 96); - s[1][3] = LOAD(in + 112); - s[2][0] = LOAD(in + 128); - s[2][1] = LOAD(in + 144); - s[2][2] = LOAD(in + 160); - s[2][3] = LOAD(in + 176); - s[3][0] = LOAD(in + 192); - s[3][1] = LOAD(in + 208); - s[3][2] = LOAD(in + 224); - s[3][3] = LOAD(in + 240); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - s[0][0] = XOR128(s[0][0], LOAD(in)); - s[0][1] = XOR128(s[0][1], LOAD(in + 16)); - s[0][2] = XOR128(s[0][2], LOAD(in + 32)); - s[0][3] = XOR128(s[0][3], LOAD(in + 48)); - s[1][0] = XOR128(s[1][0], LOAD(in + 
64)); - s[1][1] = XOR128(s[1][1], LOAD(in + 80)); - s[1][2] = XOR128(s[1][2], LOAD(in + 96)); - s[1][3] = XOR128(s[1][3], LOAD(in + 112)); - s[2][0] = XOR128(s[2][0], LOAD(in + 128)); - s[2][1] = XOR128(s[2][1], LOAD(in + 144)); - s[2][2] = XOR128(s[2][2], LOAD(in + 160)); - s[2][3] = XOR128(s[2][3], LOAD(in + 176)); - s[3][0] = XOR128(s[3][0], LOAD(in + 192)); - s[3][1] = XOR128(s[3][1], LOAD(in + 208)); - s[3][2] = XOR128(s[3][2], LOAD(in + 224)); - s[3][3] = XOR128(s[3][3], LOAD(in + 240)); - - TRUNCSTORE(out, s[0][0], s[0][1], s[0][2], s[0][3]); - TRUNCSTORE((out + 32), s[1][0], s[1][1], s[1][2], s[1][3]); - TRUNCSTORE((out + 64), s[2][0], s[2][1], s[2][2], s[2][3]); - TRUNCSTORE((out + 96), s[3][0], s[3][1], s[3][2], s[3][3]); -} - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[2], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - - AES2(s[0], s[1], state->rc); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 4); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 8); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 12); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 16); - MIX2(s[0], s[1]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - - STORE(out, s[0]); - STORE(out + 16, s[1]); -} - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka256x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][2], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[1][0] = LOAD(in + 32); - s[1][1] = LOAD(in + 48); - s[2][0] = LOAD(in + 64); - s[2][1] = LOAD(in + 80); - s[3][0] = LOAD(in + 96); - s[3][1] = LOAD(in + 112); - - // Round 1 - AES2_4x(s[0], s[1], s[2], s[3], state->rc); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 2 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 4); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - 
MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 3 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 8); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 4 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 12); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 5 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 16); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Feed Forward - s[0][0] = _mm_xor_si128(s[0][0], LOAD(in)); - s[0][1] = _mm_xor_si128(s[0][1], LOAD(in + 16)); - s[1][0] = _mm_xor_si128(s[1][0], LOAD(in + 32)); - s[1][1] = _mm_xor_si128(s[1][1], LOAD(in + 48)); - s[2][0] = _mm_xor_si128(s[2][0], LOAD(in + 64)); - s[2][1] = _mm_xor_si128(s[2][1], LOAD(in + 80)); - s[3][0] = _mm_xor_si128(s[3][0], LOAD(in + 96)); - s[3][1] = _mm_xor_si128(s[3][1], LOAD(in + 112)); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[1][0]); - STORE(out + 48, s[1][1]); - STORE(out + 64, s[2][0]); - STORE(out + 80, s[2][1]); - STORE(out + 96, s[3][0]); - STORE(out + 112, s[3][1]); -} - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[2], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - - AES2(s[0], s[1], state->rc_sseed); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 4); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 8); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 12); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 16); - MIX2(s[0], s[1]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - - STORE(out, s[0]); - STORE(out + 16, s[1]); -} - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka256_skx4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][2], tmp; - - 
s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[1][0] = LOAD(in + 32); - s[1][1] = LOAD(in + 48); - s[2][0] = LOAD(in + 64); - s[2][1] = LOAD(in + 80); - s[3][0] = LOAD(in + 96); - s[3][1] = LOAD(in + 112); - - // Round 1 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 2 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 4); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 3 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 8); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 4 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 12); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 5 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 16); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Feed Forward - s[0][0] = XOR128(s[0][0], LOAD(in)); - s[0][1] = XOR128(s[0][1], LOAD(in + 16)); - s[1][0] = XOR128(s[1][0], LOAD(in + 32)); - s[1][1] = XOR128(s[1][1], LOAD(in + 48)); - s[2][0] = XOR128(s[2][0], LOAD(in + 64)); - s[2][1] = XOR128(s[2][1], LOAD(in + 80)); - s[3][0] = XOR128(s[3][0], LOAD(in + 96)); - s[3][1] = XOR128(s[3][1], LOAD(in + 112)); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[1][0]); - STORE(out + 48, s[1][1]); - STORE(out + 64, s[2][0]); - STORE(out + 80, s[2][1]); - STORE(out + 96, s[3][0]); - STORE(out + 112, s[3][1]); -} diff --git a/crypto_sign/sphincs-haraka-128s-simple/aesni/haraka.h b/crypto_sign/sphincs-haraka-128s-simple/aesni/haraka.h deleted file mode 100644 index 5d991745..00000000 --- a/crypto_sign/sphincs-haraka-128s-simple/aesni/haraka.h +++ /dev/null 
@@ -1,57 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_HARAKA_H
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_HARAKA_H
-
-#include
-#include
-#include
-
-typedef struct {
- __m128i rc[40];
- __m128i rc_sseed[40];
-} harakactx;
-
-/* Tweak constants with seed */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length);
-
-/* Haraka Sponge */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka_S_inc_init(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka_S_inc_finalize(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka_S(
- unsigned char *out, unsigned long long outlen,
- const unsigned char *in, unsigned long long inlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka_Sx4(
- unsigned char *out0,
- unsigned char *out1,
- unsigned char *out2,
- unsigned char *out3,
- unsigned long long outlen,
- const unsigned char *in0,
- const unsigned char *in1,
- const unsigned char *in2,
- const unsigned char *in3,
- unsigned long long inlen,
- const harakactx *state);
-
-
-/* Applies the 512-bit Haraka permutation to in. */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka512_perm_x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-512 */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka512x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka256x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 using sk.seed constants */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka256_skx4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-simple/aesni/hash.h b/crypto_sign/sphincs-haraka-128s-simple/aesni/hash.h
deleted file mode 100644
index 45aaca68..00000000
--- a/crypto_sign/sphincs-haraka-128s-simple/aesni/hash.h
+++ /dev/null
@@ -1,31 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_HASH_H
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_HASH_H
-
-#include "hash_state.h"
-
-#include
-#include
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed);
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_destroy_hash_function(hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-simple/aesni/hash_haraka.c b/crypto_sign/sphincs-haraka-128s-simple/aesni/hash_haraka.c
deleted file mode 100644
index ffc4f956..00000000
--- a/crypto_sign/sphincs-haraka-128s-simple/aesni/hash_haraka.c
+++ /dev/null
@@ -1,96 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "hash.h" -#include "params.h" -#include "utils.h" - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_initialize_hash_function( - hash_state *hash_state_seeded, - const unsigned char *pub_seed, const unsigned char *sk_seed) { - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_tweak_constants(hash_state_seeded, pub_seed, sk_seed, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); -} - -/* The haraka implementation is stack based and won't be replaced in PQClean/OQS, - so we don't need to do anything */ -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_destroy_hash_function( - hash_state *hash_state_seeded) { // NOLINT(readability-non-const-parameter) - (void)hash_state_seeded; -} - -/* - * Computes PRF(key, addr), given a secret key of PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N bytes and an address - */ -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_prf_addr( - unsigned char *out, const unsigned char *key, const uint32_t addr[8], - const hash_state *hash_state_seeded) { - unsigned char buf[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_BYTES]; - /* Since PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N may be smaller than 32, we need a temporary buffer. */ - unsigned char outbuf[32]; - - (void)key; /* Suppress an 'unused parameter' warning. */ - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_addr_to_bytes(buf, addr); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka256_sk(outbuf, buf, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); -} - -/** - * Computes the message-dependent randomness R, using a secret seed and an - * optional randomization value as well as the message. 
- */ -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_gen_message_random( - unsigned char *R, - const unsigned char *sk_prf, const unsigned char *optrand, - const unsigned char *m, size_t mlen, - const hash_state *hash_state_seeded) { - uint8_t s_inc[65]; - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka_S_inc_init(s_inc); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, sk_prf, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, optrand, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka_S_inc_finalize(s_inc); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka_S_inc_squeeze(R, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, s_inc, hash_state_seeded); -} - -/** - * Computes the message hash using R, the public key, and the message. - * Outputs the message digest and the index of the leaf. The index is split in - * the tree index and the leaf index, for convenient copying to an address. 
- */ -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_hash_message( - unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx, - const unsigned char *R, const unsigned char *pk, - const unsigned char *m, size_t mlen, - const hash_state *hash_state_seeded) { -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_TREE_BITS (PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_TREE_HEIGHT * (PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_D - 1)) -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_TREE_BYTES ((PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_TREE_BITS + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_LEAF_BITS PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_TREE_HEIGHT -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_LEAF_BYTES ((PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_LEAF_BITS + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_DGST_BYTES (PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_MSG_BYTES + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_TREE_BYTES + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_LEAF_BYTES) - - unsigned char buf[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_DGST_BYTES]; - unsigned char *bufp = buf; - uint8_t s_inc[65]; - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka_S_inc_init(s_inc); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, R, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, pk + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka_S_inc_finalize(s_inc); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka_S_inc_squeeze(buf, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_DGST_BYTES, s_inc, hash_state_seeded); - - memcpy(digest, bufp, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_MSG_BYTES); - bufp += PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_MSG_BYTES; - - *tree = PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_bytes_to_ull(bufp, 
PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_TREE_BYTES); - *tree &= (~(uint64_t)0) >> (64 - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_TREE_BITS); - bufp += PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_TREE_BYTES; - - *leaf_idx = (uint32_t)PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_bytes_to_ull( - bufp, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_LEAF_BYTES); - *leaf_idx &= (~(uint32_t)0) >> (32 - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_LEAF_BITS); -} diff --git a/crypto_sign/sphincs-haraka-128s-simple/aesni/hash_harakax4.c b/crypto_sign/sphincs-haraka-128s-simple/aesni/hash_harakax4.c deleted file mode 100644 index 764de98c..00000000 --- a/crypto_sign/sphincs-haraka-128s-simple/aesni/hash_harakax4.c +++ /dev/null @@ -1,37 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "hash_state.h" -#include "hashx4.h" -#include "params.h" - -/* - * 4-way parallel version of prf_addr; takes 4x as much input and output - */ -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_prf_addrx4(unsigned char *out0, - unsigned char *out1, - unsigned char *out2, - unsigned char *out3, - const unsigned char *key, - const uint32_t addrx4[4 * 8], - const hash_state *state_seeded) { - unsigned char bufx4[4 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_BYTES]; - /* Since PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N may be smaller than 32, we need a temporary buffer. */ - unsigned char outbuf[4 * 32]; - unsigned int i; - - (void)key; /* Suppress an 'unused parameter' warning. */ - - for (i = 0; i < 4; i++) { - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_addr_to_bytes(bufx4 + i * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_BYTES, addrx4 + i * 8); - } - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka256_skx4(outbuf, bufx4, state_seeded); - - memcpy(out0, outbuf, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); - memcpy(out1, outbuf + 32, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); - memcpy(out2, outbuf + 64, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); - memcpy(out3, outbuf + 96, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); -} 
diff --git a/crypto_sign/sphincs-haraka-128s-simple/aesni/hash_state.h b/crypto_sign/sphincs-haraka-128s-simple/aesni/hash_state.h deleted file mode 100644 index 9a55b78c..00000000 --- a/crypto_sign/sphincs-haraka-128s-simple/aesni/hash_state.h +++ /dev/null @@ -1,26 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_HASH_STATE_H -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_HASH_STATE_H - -/** - * Defines the type of the hash function state. - * - * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! - * - * From Section 7.2.2 from the SPHINCS+ round-2 specification: - * - * Each of the instances of the tweakable hash function take PK.seed as its - * first input, which is constant for a given key pair – and, thus, across - * a single signature. This leads to a lot of redundant computation. To remedy - * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. - * Because of the Merkle-Damgård construction that underlies SHA-256, this - * allows for reuse of the intermediate SHA-256 state after the initial call to - * the compression function which improves performance. - * - * We pass this hash state around in functions, because otherwise we need to - * have a global variable. - */ - -#include "haraka.h" -#define hash_state harakactx - -#endif diff --git a/crypto_sign/sphincs-haraka-128s-simple/aesni/hashx4.h b/crypto_sign/sphincs-haraka-128s-simple/aesni/hashx4.h deleted file mode 100644 index 83700800..00000000 --- a/crypto_sign/sphincs-haraka-128s-simple/aesni/hashx4.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_HASHX4_H -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_HASHX4_H - -#include - -#include "hash_state.h" - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_prf_addrx4(unsigned char *out0, - unsigned char *out1, - unsigned char *out2, - unsigned char *out3, - const unsigned char *key, - const uint32_t addrx4[4 * 8], - const hash_state *state_seeded); - -#endif 
diff --git a/crypto_sign/sphincs-haraka-128s-simple/aesni/params.h b/crypto_sign/sphincs-haraka-128s-simple/aesni/params.h deleted file mode 100644 index 71f82315..00000000 --- a/crypto_sign/sphincs-haraka-128s-simple/aesni/params.h +++ /dev/null 
@@ -1,53 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_PARAMS_H -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_PARAMS_H - -/* Hash output length in bytes. */ -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N 16 -/* Height of the hypertree. */ -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FULL_HEIGHT 64 -/* Number of subtree layer. */ -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_D 8 -/* FORS tree dimensions. */ -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_HEIGHT 15 -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_TREES 10 -/* Winternitz parameter, */ -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_W 16 - -/* The hash function is defined by linking a different hash.c file, as opposed - to setting a #define constant. */ - -/* For clarity */ -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_BYTES 32 - -/* WOTS parameters. */ -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_LOGW 4 - -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_LEN1 (8 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N / PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_LOGW) - -/* PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */ -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_LEN2 3 - -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_LEN (PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_LEN1 + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_LEN2) -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_BYTES (PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_LEN * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N) -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_PK_BYTES PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_BYTES - -/* Subtree size. */ -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_TREE_HEIGHT (PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FULL_HEIGHT / PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_D) - -/* FORS parameters. 
*/ -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_MSG_BYTES ((PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_TREES + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_BYTES ((PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_HEIGHT + 1) * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N) -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_PK_BYTES PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N - -/* Resulting SPX sizes. */ -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_BYTES (PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_BYTES + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_D * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_BYTES +\ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FULL_HEIGHT * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N) -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_PK_BYTES (2 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N) -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_SK_BYTES (2 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_PK_BYTES) - -/* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. */ -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_OPTRAND_BYTES 32 - -#endif diff --git a/crypto_sign/sphincs-haraka-128s-simple/aesni/sign.c b/crypto_sign/sphincs-haraka-128s-simple/aesni/sign.c deleted file mode 100644 index ff294b24..00000000 --- a/crypto_sign/sphincs-haraka-128s-simple/aesni/sign.c +++ /dev/null 
@@ -1,409 +0,0 @@ -#include -#include -#include -#include - -#include "address.h" -#include "api.h" -#include "fors.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "randombytes.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - - -/** - * Computes the leaf at a given address. First generates the WOTS key pair, - * then computes leaf by hashing horizontally. - */ -static void wots_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx, const uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - unsigned char pk[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_BYTES]; - uint32_t wots_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_TYPE_WOTSPK); - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_keypair_addr( - wots_addr, addr_idx); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_wots_gen_pk( - pk, sk_seed, pub_seed, wots_addr, hash_state_seeded); - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_copy_keypair_addr( - wots_pk_addr, wots_addr); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_thash_WOTS_LEN( - leaf, pk, pub_seed, wots_pk_addr, hash_state_seeded); -} - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_crypto_sign_secretkeybytes(void) { - return PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES; -} - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_crypto_sign_publickeybytes(void) { - return PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES; -} - -/* - * Returns the length of a signature, in bytes - */ -size_t 
PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_crypto_sign_bytes(void) { - return PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_CRYPTO_BYTES; -} - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_crypto_sign_seedbytes(void) { - return PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_CRYPTO_SEEDBYTES; -} - -/* - * Generates an SPX key pair given a seed of length - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_crypto_sign_seed_keypair( - uint8_t *pk, uint8_t *sk, const uint8_t *seed) { - /* We do not need the auth path in key generation, but it simplifies the - code to have just one treehash routine that computes both root and path - in one function. */ - unsigned char auth_path[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N]; - uint32_t top_tree_addr[8] = {0}; - hash_state hash_state_seeded; - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_layer_addr( - top_tree_addr, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_D - 1); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_type( - top_tree_addr, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_TYPE_HASHTREE); - - /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */ - memcpy(sk, seed, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_CRYPTO_SEEDBYTES); - - memcpy(pk, sk + 2 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_initialize_hash_function(&hash_state_seeded, pk, sk); - - /* Compute root node of the top-most subtree. 
*/ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_treehash_TREE_HEIGHT( - sk + 3 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, auth_path, sk, sk + 2 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, 0, 0, - wots_gen_leaf, top_tree_addr, &hash_state_seeded); - - memcpy(pk + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, sk + 3 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); - - return 0; -} - -/* - * Generates an SPX key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk) { - - // guarantee alignment of pk - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES / 16]; - uint8_t pk[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - - // guarantee alignment of sk - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES / 16]; - uint8_t sk[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES]; - } aligned_sk; - - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_CRYPTO_SEEDBYTES / 16]; - uint8_t seed[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_CRYPTO_SEEDBYTES]; - } aligned_seed; - randombytes(aligned_seed.seed, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_CRYPTO_SEEDBYTES); - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_crypto_sign_seed_keypair( - aligned_pk.pk, aligned_sk.sk, aligned_seed.seed); - memcpy(pk, aligned_pk.pk, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES); - memcpy(sk, aligned_sk.sk, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES); - - return 0; -} - -/** - * Returns an array containing a detached signature. 
- */ -int PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - // guarantee alignment of sk - union { - __m128 *_x; - uint8_t sk[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES]; - } aligned_sk; - memcpy(aligned_sk.sk, sk, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES); - sk = aligned_sk.sk; - - // guarantee alignment of sig - union { - __m128 *_x; - uint8_t sig[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_BYTES]; - } aligned_sig; - uint8_t *orig_sig = sig; - sig = (uint8_t *)aligned_sig.sig; - - const unsigned char *sk_seed = sk; - const unsigned char *sk_prf = sk + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N; - const unsigned char *pk = sk + 2 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N; - const unsigned char *pub_seed = pk; - - unsigned char optrand[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N]; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_MSG_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N]; - uint32_t i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - - hash_state hash_state_seeded; - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_initialize_hash_function( - &hash_state_seeded, - pub_seed, sk_seed); - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_TYPE_HASHTREE); - - /* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. 
*/ - randombytes(optrand, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); - /* Compute the digest randomization value. */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_gen_message_random( - sig, sk_prf, optrand, m, mlen, &hash_state_seeded); - - /* Derive the message digest and leaf index from R, PK and M. */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N; - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - /* Sign the message hash using FORS. */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_fors_sign( - sig, root, mhash, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_BYTES; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_D; i++) { - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - /* Compute a WOTS signature. */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_wots_sign( - sig, root, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_BYTES; - - /* Compute the authentication path for the used WOTS leaf. */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_treehash_TREE_HEIGHT( - root, sig, sk_seed, pub_seed, idx_leaf, 0, - wots_gen_leaf, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N; - - /* Update the indices for the next layer. 
*/ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_TREE_HEIGHT; - } - - memcpy(orig_sig, aligned_sig.sig, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_BYTES); - *siglen = PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_BYTES; - - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - // guarantee alignment of pk - union { - __m128 *_x; - uint8_t pk[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - memcpy(aligned_pk.pk, pk, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES); - pk = aligned_pk.pk; - - const unsigned char *pub_seed = pk; - const unsigned char *pub_root = pk + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_MSG_BYTES]; - unsigned char wots_pk[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N]; - unsigned int i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - hash_state hash_state_seeded; - - if (siglen != PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_BYTES) { - return -1; - } - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_initialize_hash_function( - &hash_state_seeded, - pub_seed, NULL); - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_TYPE_HASHTREE); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_TYPE_WOTSPK); - - /* Derive the message digest and leaf index from R || PK || M. */ - /* The additional PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N is a result of the hash domain separator. */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N; - - /* Layer correctly defaults to 0, so no need to set_layer_addr */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_fors_pk_from_sig( - root, sig, mhash, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_BYTES; - - /* For each subtree.. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_D; i++) { - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_copy_keypair_addr( - wots_pk_addr, wots_addr); - - /* The WOTS public key is only correct if the signature was correct. */ - /* Initially, root is the FORS pk, but on subsequent iterations it is - the root of the subtree below the currently processed subtree. 
*/ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_wots_pk_from_sig( - wots_pk, sig, root, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_BYTES; - - /* Compute the leaf node using the WOTS public key. */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_thash_WOTS_LEN( - leaf, wots_pk, pub_seed, wots_pk_addr, &hash_state_seeded); - - /* Compute the root node of this subtree. */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_compute_root( - root, leaf, idx_leaf, 0, sig, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_TREE_HEIGHT, - pub_seed, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_TREE_HEIGHT; - } - - /* Check if the root node equals the root node in the public key. */ - if (memcmp(root, pub_root, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N) != 0) { - return -1; - } - - return 0; -} - - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - size_t siglen; - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_crypto_sign_signature( - sm, &siglen, m, mlen, sk); - - memmove(sm + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_BYTES, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. 
- */ -int PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk) { - - // guarantee alignment of pk - union { - __m128 *_x; - uint8_t pk[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - memcpy(aligned_pk.pk, pk, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES); - pk = aligned_pk.pk; - - - /* The API caller does not necessarily know what size a signature should be - but SPHINCS+ signatures are always exactly PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_BYTES. */ - if (smlen < PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_BYTES) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_BYTES; - - if (PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_crypto_sign_verify( - sm, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_BYTES, sm + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_BYTES, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_BYTES, *mlen); - - return 0; -} diff --git a/crypto_sign/sphincs-haraka-128s-simple/aesni/thash.h b/crypto_sign/sphincs-haraka-128s-simple/aesni/thash.h deleted file mode 100644 index 25ace053..00000000 --- a/crypto_sign/sphincs-haraka-128s-simple/aesni/thash.h +++ /dev/null 
@@ -1,28 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_THASH_H -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_THASH_H - -#include "hash_state.h" - -#include - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-128s-simple/aesni/thash_haraka_simple.c b/crypto_sign/sphincs-haraka-128s-simple/aesni/thash_haraka_simple.c deleted file mode 100644 index d59464a7..00000000 --- a/crypto_sign/sphincs-haraka-128s-simple/aesni/thash_haraka_simple.c +++ /dev/null 
@@ -1,83 +0,0 @@ -#include -#include - -#include "address.h" -#include "params.h" -#include "thash.h" - -#include "haraka.h" - -/** - * Takes an array of inblocks concatenated arrays of PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N bytes. - */ -static void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_thash( - unsigned char *out, unsigned char *buf, - const unsigned char *in, unsigned int inblocks, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char outbuf[32]; - unsigned char buf_tmp[64]; - - (void)pub_seed; /* Suppress an 'unused parameter' warning. */ - - if (inblocks == 1) { - /* F function */ - /* Since PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N may be smaller than 32, we need a temporary buffer. */ - memset(buf_tmp, 0, 64); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_addr_to_bytes(buf_tmp, addr); - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_BYTES, in, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka512(outbuf, buf_tmp, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); - } else { - /* All other tweakable hashes*/ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_addr_to_bytes(buf, addr); - memcpy(buf + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka_S( - out, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, buf, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_BYTES + inblocks * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, hash_state_seeded); - } -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_BYTES + 1 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N]; - 
PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_thash( - out, buf, in, 1, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_BYTES + 2 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N]; - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_thash( - out, buf, in, 2, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_LEN * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N]; - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_thash( - out, buf, in, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_LEN, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N]; - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_thash( - out, buf, in, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_TREES, pub_seed, addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-128s-simple/aesni/thash_haraka_simplex4.c b/crypto_sign/sphincs-haraka-128s-simple/aesni/thash_haraka_simplex4.c deleted file mode 100644 index ab46d997..00000000 --- a/crypto_sign/sphincs-haraka-128s-simple/aesni/thash_haraka_simplex4.c +++ /dev/null 
@@ -1,66 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "params.h" -#include "thashx4.h" - -/** - * 4-way parallel version of thash; takes 4x as much input and output - */ -#define thashx4_variant(name, inblocks) \ - void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_thashx4_##name(unsigned char *out0, unsigned char *out1, unsigned char *out2, \ - unsigned char *out3, const unsigned char *in0, \ - const unsigned char *in1, const unsigned char *in2, \ - const unsigned char *in3, const unsigned char *pub_seed, \ - uint32_t addrx4[4 * 8], const harakactx *state) { \ - unsigned char buf0[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N]; \ - unsigned char buf1[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N]; \ - unsigned char buf2[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N]; \ - unsigned char buf3[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N]; \ - unsigned char outbuf[32 * 4]; \ - unsigned char buf_tmp[64 * 4]; \ - \ - (void)pub_seed; /* Suppress an 'unused parameter' warning. 
*/ \ - \ - if ((inblocks) == 1) { \ - memset(buf_tmp, 0, 64 * 4); \ - \ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_addr_to_bytes(buf_tmp, addrx4 + 0 * 8); \ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_addr_to_bytes(buf_tmp + 64, addrx4 + 1 * 8); \ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_addr_to_bytes(buf_tmp + 128, addrx4 + 2 * 8); \ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_addr_to_bytes(buf_tmp + 192, addrx4 + 3 * 8); \ - \ - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_BYTES, in0, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); \ - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_BYTES + 64, in1, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); \ - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_BYTES + 128, in2, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); \ - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_BYTES + 192, in3, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); \ - \ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka512x4(outbuf, buf_tmp, state); \ - \ - memcpy(out0, outbuf, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); \ - memcpy(out1, outbuf + 32, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); \ - memcpy(out2, outbuf + 64, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); \ - memcpy(out3, outbuf + 96, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); \ - } else { \ - /* All other tweakable hashes*/ \ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_addr_to_bytes(buf0, addrx4 + 0 * 8); \ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_addr_to_bytes(buf1, addrx4 + 1 * 8); \ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_addr_to_bytes(buf2, addrx4 + 2 * 8); \ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_addr_to_bytes(buf3, addrx4 + 3 * 8); \ - \ - memcpy(buf0 + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_BYTES, in0, (inblocks)*PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); \ - memcpy(buf1 + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_BYTES, in1, (inblocks)*PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); \ - memcpy(buf2 + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_BYTES, in2, 
(inblocks)*PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); \ - memcpy(buf3 + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_BYTES, in3, (inblocks)*PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); \ - \ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_haraka_Sx4(out0, out1, out2, out3, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, buf0, buf1, buf2, buf3, \ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, state); \ - } \ - } - -thashx4_variant(1, 1) -thashx4_variant(2, 2) -thashx4_variant(WOTS_LEN, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_LEN) -thashx4_variant(FORS_TREES, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_TREES) diff --git a/crypto_sign/sphincs-haraka-128s-simple/aesni/thashx4.h b/crypto_sign/sphincs-haraka-128s-simple/aesni/thashx4.h deleted file mode 100644 index cda376e7..00000000 --- a/crypto_sign/sphincs-haraka-128s-simple/aesni/thashx4.h +++ /dev/null @@ -1,25 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_THASHX4_H -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_THASHX4_H - -#include - -#include "hash_state.h" - -#define thashx4_header(inblocks) \ - void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_thashx4_##inblocks(unsigned char *out0, \ - unsigned char *out1, \ - unsigned char *out2, \ - unsigned char *out3, \ - const unsigned char *in0, \ - const unsigned char *in1, \ - const unsigned char *in2, \ - const unsigned char *in3, \ - const unsigned char *pub_seed, uint32_t addrx4[4*8], \ - const hash_state *state_seeded) - -thashx4_header(1); -thashx4_header(2); -thashx4_header(WOTS_LEN); -thashx4_header(FORS_TREES); - -#endif diff --git a/crypto_sign/sphincs-haraka-128s-simple/aesni/utils.c b/crypto_sign/sphincs-haraka-128s-simple/aesni/utils.c deleted file mode 100644 index 18fdf707..00000000 --- a/crypto_sign/sphincs-haraka-128s-simple/aesni/utils.c +++ /dev/null 
@@ -1,199 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" -#include "utils.h" - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in) { - - /* Iterate over out in decreasing order, for big-endianness. */ - for (size_t i = outlen; i > 0; i--) { - out[i - 1] = in & 0xff; - in = in >> 8; - } -} - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_bytes_to_ull( - const unsigned char *in, size_t inlen) { - unsigned long long retval = 0; - - for (size_t i = 0; i < inlen; i++) { - retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i)); - } - return retval; -} - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - unsigned char buffer[2 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N]; - - /* If leaf_idx is odd (last bit = 1), current path element is a right child - and auth_path has to go left. Otherwise it is the other way around. 
*/ - if (leaf_idx & 1) { - memcpy(buffer + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, leaf, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); - } else { - memcpy(buffer, leaf, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, auth_path, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N; - - for (i = 0; i < tree_height - 1; i++) { - leaf_idx >>= 1; - idx_offset >>= 1; - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_tree_height(addr, i + 1); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_tree_index( - addr, leaf_idx + idx_offset); - - /* Pick the right or left neighbor, depending on parity of the node. */ - if (leaf_idx & 1) { - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_thash_2( - buffer + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); - } else { - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_thash_2( - buffer, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, auth_path, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N; - } - - /* The last iteration is exceptional; we do not copy an auth_path node. */ - leaf_idx >>= 1; - idx_offset >>= 1; - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_tree_height(addr, tree_height); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_tree_index( - addr, leaf_idx + idx_offset); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_thash_2( - root, buffer, pub_seed, addr, hash_state_seeded); -} - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. 
PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -static void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_treehash( - unsigned char *root, unsigned char *auth_path, - unsigned char *stack, unsigned int *heights, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - - unsigned int offset = 0; - uint32_t idx; - uint32_t tree_idx; - - for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) { - /* Add the next leaf node to the stack. */ - gen_leaf(stack + offset * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, - sk_seed, pub_seed, idx + idx_offset, tree_addr, - hash_state_seeded); - offset++; - heights[offset - 1] = 0; - - /* If this is a node we need for the auth path.. */ - if ((leaf_idx ^ 0x1) == idx) { - memcpy(auth_path, stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); - } - - /* While the top-most nodes are of equal height.. */ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { - /* Compute index of the new node, in the next layer. */ - tree_idx = (idx >> (heights[offset - 1] + 1)); - - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_tree_height( - tree_addr, heights[offset - 1] + 1); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_tree_index( - tree_addr, tree_idx + (idx_offset >> (heights[offset - 1] + 1))); - /* Hash the top-most nodes from the stack together. 
*/ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_thash_2( - stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, - pub_seed, tree_addr, hash_state_seeded); - offset--; - /* Note that the top-most node is now one layer higher. */ - heights[offset - 1]++; - - /* If this is a node we need for the auth path.. */ - if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) { - memcpy(auth_path + heights[offset - 1]*PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, - stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); - } - } - } - memcpy(root, stack, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* 
leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_TREE_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_TREE_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_TREE_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-128s-simple/aesni/utils.h b/crypto_sign/sphincs-haraka-128s-simple/aesni/utils.h deleted file mode 100644 index b9d80c71..00000000 --- a/crypto_sign/sphincs-haraka-128s-simple/aesni/utils.h +++ /dev/null 
@@ -1,64 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_UTILS_H -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_UTILS_H - -#include "hash_state.h" -#include "params.h" -#include -#include - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in); - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_bytes_to_ull( - const unsigned char *in, size_t inlen); - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. 
- */ -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-128s-simple/aesni/utilsx4.c b/crypto_sign/sphincs-haraka-128s-simple/aesni/utilsx4.c deleted file mode 100644 index c0bae15c..00000000 --- a/crypto_sign/sphincs-haraka-128s-simple/aesni/utilsx4.c +++ /dev/null 
@@ -1,98 +0,0 @@ -#include "address.h" -#include "params.h" -#include "thashx4.h" -#include "utils.h" -#include "utilsx4.h" - -#include - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -#define treehashx4_variant(name, tree_height) \ - void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_treehashx4_##name( \ - unsigned char *rootx4, unsigned char *auth_pathx4, const unsigned char *sk_seed, \ - const unsigned char *pub_seed, const uint32_t leaf_idx[4], uint32_t idx_offset[4], \ - void (*gen_leafx4)(unsigned char * /* leaf0 */, unsigned char * /* leaf1 */, \ - unsigned char * /* leaf2 */, unsigned char * /* leaf3 */, \ - const unsigned char * /* sk_seed */, \ - const unsigned char * /* pub_seed */, uint32_t /* addr_idx0 */, \ - uint32_t /* addr_idx1 */, uint32_t /* addr_idx2 */, \ - uint32_t /* addr_idx3 */, const uint32_t[8] /* tree_addr */, \ - const hash_state * /* state_seeded */), \ - uint32_t tree_addrx4[4 * 8], const hash_state *state_seeded) { \ - unsigned char stackx4[4 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N]; \ - unsigned int heights[(tree_height) + 1]; \ - unsigned int offset = 0; \ - uint32_t idx; \ - uint32_t tree_idx; \ - unsigned int j; \ - \ - for (idx = 0; idx < (uint32_t)(1 << (tree_height)); idx++) { \ - /* Add the next leaf node to the stack. 
*/ \ - gen_leafx4(stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, sk_seed, \ - pub_seed, idx + idx_offset[0], idx + idx_offset[1], idx + idx_offset[2], \ - idx + idx_offset[3], tree_addrx4, state_seeded); \ - offset++; \ - heights[offset - 1] = 0; \ - \ - /* If this is a node we need for the auth path.. */ \ - for (j = 0; j < 4; j++) { \ - if ((leaf_idx[j] ^ 0x1) == idx) { \ - memcpy(auth_pathx4 + j * (tree_height)*PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, \ - stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N + (offset - 1) * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, \ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); \ - } \ - } \ - \ - /* While the top-most nodes are of equal height.. */ \ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { \ - /* Compute index of the new node, in the next layer. */ \ - tree_idx = (idx >> (heights[offset - 1] + 1)); \ - \ - /* Set the address of the node we're creating. */ \ - for (j = 0; j < 4; j++) { \ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_tree_height(tree_addrx4 + j * 8, heights[offset - 1] + 1); \ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_tree_index(tree_addrx4 + j * 8, \ - tree_idx + (idx_offset[j] >> (heights[offset - 1] + 1))); \ - } \ - /* Hash the top-most nodes from the stack together. 
*/ \ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_thashx4_2(stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, \ - stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, \ - pub_seed, tree_addrx4, state_seeded); \ - offset--; \ - /* Note that the top-most node is now one layer higher. */ \ - heights[offset - 1]++; \ - \ - /* If this is a node we need for the auth path.. 
*/ \ - for (j = 0; j < 4; j++) { \ - if (((leaf_idx[j] >> heights[offset - 1]) ^ 0x1) == tree_idx) { \ - memcpy(auth_pathx4 + j * (tree_height)*PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N + \ - heights[offset - 1] * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, \ - stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N + (offset - 1) * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, \ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); \ - } \ - } \ - } \ - } \ - \ - for (j = 0; j < 4; j++) { \ - memcpy(rootx4 + j * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); \ - } \ - } - -treehashx4_variant(FORS_HEIGHT, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_FORS_HEIGHT) diff --git a/crypto_sign/sphincs-haraka-128s-simple/aesni/utilsx4.h b/crypto_sign/sphincs-haraka-128s-simple/aesni/utilsx4.h deleted file mode 100644 index 009906c4..00000000 --- a/crypto_sign/sphincs-haraka-128s-simple/aesni/utilsx4.h +++ /dev/null 
@@ -1,38 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_UTILSX4_H -#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_UTILSX4_H - -#include "hash_state.h" -#include "params.h" - -#include - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_treehashx4_FORS_HEIGHT(unsigned char *rootx4, - unsigned char *auth_pathx4, - const unsigned char *sk_seed, - const unsigned char *pub_seed, - const uint32_t leaf_idx[4], - uint32_t idx_offset[4], - void (*gen_leafx4)(unsigned char * /* leaf0 */, - unsigned char * /* leaf1 */, - unsigned char * /* leaf2 */, - unsigned char * /* leaf3 */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx0 */, - uint32_t /* addr_idx1 */, - uint32_t /* addr_idx2 */, - uint32_t /* addr_idx3 */, - const uint32_t[8] /* tree_addr */, - const hash_state * /* state_seeded */), - uint32_t tree_addrx4[4 * 8], - const hash_state *state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-128s-simple/aesni/wots.c b/crypto_sign/sphincs-haraka-128s-simple/aesni/wots.c deleted file mode 100644 index 5be2d22d..00000000 --- a/crypto_sign/sphincs-haraka-128s-simple/aesni/wots.c +++ /dev/null 
@@ -1,240 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "hashx4.h" -#include "params.h" -#include "thash.h" -#include "thashx4.h" -#include "utils.h" -#include "wots.h" - -// TODO clarify address expectations, and make them more uniform. -// TODO i.e. do we expect types to be set already? -// TODO and do we expect modifications or copies? - -/** - * Computes the starting value for a chain, i.e. the secret key. - * Expects the address to be complete up to the chain address. - */ -static void wots_gen_sk(unsigned char *sk, const unsigned char *sk_seed, - uint32_t wots_addr[8], const hash_state *state_seeded) { - /* Make sure that the hash address is actually zeroed. */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_hash_addr(wots_addr, 0); - - /* Generate sk element. */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_prf_addr(sk, sk_seed, wots_addr, state_seeded); -} - -/** - * 4-way parallel version of wots_gen_sk; expects 4x as much space in sk - */ -static void wots_gen_skx4(unsigned char *skx4, const unsigned char *sk_seed, - uint32_t wots_addrx4[4 * 8], const hash_state *state_seeded) { - unsigned int j; - - /* Make sure that the hash address is actually zeroed. */ - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_hash_addr(wots_addrx4 + j * 8, 0); - } - - /* Generate sk element. */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_prf_addrx4(skx4 + 0 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, - skx4 + 1 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, - skx4 + 2 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, - skx4 + 3 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, - sk_seed, wots_addrx4, - state_seeded); -} - -/** - * Computes the chaining function. - * out and in have to be n-byte arrays. - * - * Interprets in as start-th value of the chain. - * addr has to contain the address of the chain. 
- */ -static void gen_chain(unsigned char *out, const unsigned char *in, - unsigned int start, unsigned int steps, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - uint32_t i; - - /* Initialize out with the value at position 'start'. */ - memcpy(out, in, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); - - /* Iterate 'steps' calls to the hash function. */ - for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_W; i++) { - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_hash_addr(addr, i); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_thash_1(out, out, pub_seed, addr, state_seeded); - } -} - -/** - * 4-way parallel version of gen_chain; expects 4x as much space in out, and - * 4x as much space in inx4. Assumes start and step identical across chains. - */ -static void gen_chainx4(unsigned char *outx4, const unsigned char *inx4, - unsigned int start, unsigned int steps, - const unsigned char *pub_seed, uint32_t addrx4[4 * 8], - const hash_state *state_seeded) { - uint32_t i; - unsigned int j; - - /* Initialize outx4 with the value at position 'start'. */ - memcpy(outx4, inx4, 4 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); - - /* Iterate 'steps' calls to the hash function. 
*/ - for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_W; i++) { - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_hash_addr(addrx4 + j * 8, i); - } - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_thashx4_1(outx4 + 0 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, - outx4 + 1 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, - outx4 + 2 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, - outx4 + 3 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, - outx4 + 0 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, - outx4 + 1 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, - outx4 + 2 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, - outx4 + 3 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, - pub_seed, addrx4, - state_seeded); - } -} - -/** - * base_w algorithm as described in draft. - * Interprets an array of bytes as integers in base w. - * This only works when log_w is a divisor of 8. - */ -static void base_w(unsigned int *output, const int out_len, const unsigned char *input) { - int in = 0; - int out = 0; - unsigned char total = 0; - int bits = 0; - int consumed; - - for (consumed = 0; consumed < out_len; consumed++) { - if (bits == 0) { - total = input[in]; - in++; - bits += 8; - } - bits -= PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_LOGW; - output[out] = (unsigned int)(total >> bits) & (PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_W - 1); - out++; - } -} - -/* Computes the WOTS+ checksum over a message (in base_w). */ -static void wots_checksum(unsigned int *csum_base_w, const unsigned int *msg_base_w) { - unsigned int csum = 0; - unsigned char csum_bytes[(PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_LOGW + 7) / 8]; - unsigned int i; - - /* Compute checksum. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_LEN1; i++) { - csum += PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_W - 1 - msg_base_w[i]; - } - - /* Convert checksum to base_w. 
*/ - /* Make sure expected empty zero bits are the least significant bits. */ - csum = csum << (8 - ((PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_LOGW) % 8)); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_ull_to_bytes(csum_bytes, sizeof(csum_bytes), csum); - base_w(csum_base_w, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_LEN2, csum_bytes); -} - -/* Takes a message and derives the matching chain lengths. */ -static void chain_lengths(unsigned int *lengths, const unsigned char *msg) { - base_w(lengths, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_LEN1, msg); - wots_checksum(lengths + PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_LEN1, lengths); -} - -/** - * WOTS key generation. Takes a 32 byte sk_seed, expands it to WOTS private key - * elements and computes the corresponding public key. - * It requires the seed pub_seed (used to generate bitmasks and hash keys) - * and the address of this WOTS key pair. - * - * Writes the computed public key to 'pk'. - */ -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_wots_gen_pk(unsigned char *pk, const unsigned char *sk_seed, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - uint32_t i; - unsigned int j; - - uint32_t addrx4[4 * 8]; - unsigned char pkbuf[4 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N]; - - for (j = 0; j < 4; j++) { - memcpy(addrx4 + j * 8, addr, sizeof(uint32_t) * 8); - } - - /* The last iteration typically does not have complete set of 4 chains, - but because we use pkbuf, this is not an issue -- we still do as many - in parallel as possible. 
*/ - for (i = 0; i < ((PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_LEN + 3) & ~0x3); i += 4) { - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_chain_addr(addrx4 + j * 8, i + j); - } - wots_gen_skx4(pkbuf, sk_seed, addrx4, state_seeded); - gen_chainx4(pkbuf, pkbuf, 0, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_W - 1, pub_seed, addrx4, state_seeded); - for (j = 0; j < 4; j++) { - if (i + j < PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_LEN) { - memcpy(pk + (i + j)*PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, pkbuf + j * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N); - } - } - } - - // Get rid of unused argument variable. - (void)state_seeded; -} - -/** - * Takes a n-byte message and the 32-byte sk_see to compute a signature 'sig'. - */ -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_wots_sign(unsigned char *sig, const unsigned char *msg, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t addr[8], const hash_state *state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_chain_addr(addr, i); - wots_gen_sk(sig + i * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, sk_seed, addr, state_seeded); - gen_chain(sig + i * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, sig + i * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, 0, lengths[i], pub_seed, addr, state_seeded); - } - - // avoid unused argument - (void)state_seeded; -} - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. 
- */ -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_wots_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_set_chain_addr(addr, i); - gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, sig + i * PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_N, - lengths[i], PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_W - 1 - lengths[i], pub_seed, addr, - state_seeded); - } - - // avoid unused argument - (void)state_seeded; -} diff --git a/crypto_sign/sphincs-haraka-128s-simple/aesni/wots.h b/crypto_sign/sphincs-haraka-128s-simple/aesni/wots.h deleted file mode 100644 index a94cadb6..00000000 --- a/crypto_sign/sphincs-haraka-128s-simple/aesni/wots.h +++ /dev/null 
@@ -1,41 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_H
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_WOTS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-
-/**
- * WOTS key generation. Takes a 32 byte seed for the private key, expands it to
- * a full WOTS private key and computes the corresponding public key.
- * It requires the seed pub_seed (used to generate bitmasks and hash keys)
- * and the address of this WOTS key pair.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_wots_gen_pk(
- unsigned char *pk, const unsigned char *sk_seed,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * Takes a n-byte message and the 32-byte seed for the private key to compute a
- * signature that is placed at 'sig'.
- */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_wots_sign(
- unsigned char *sig, const unsigned char *msg,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_AESNI_wots_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-simple/clean/LICENSE b/crypto_sign/sphincs-haraka-128s-simple/clean/LICENSE
deleted file mode 100644
index 670154e3..00000000
--- a/crypto_sign/sphincs-haraka-128s-simple/clean/LICENSE
+++ /dev/null
@@ -1,116 +0,0 @@
-CC0 1.0 Universal
-
-Statement of Purpose
-
-The laws of most jurisdictions throughout the world automatically confer
-exclusive Copyright and Related Rights (defined below) upon the creator and
-subsequent owner(s) (each and all, an "owner") of an original work of
-authorship and/or a database (each, a "Work").
-
-Certain owners wish to permanently relinquish those rights to a Work for the
-purpose of contributing to a commons of creative, cultural and scientific
-works ("Commons") that the public can reliably and without fear of later
-claims of infringement build upon, modify, incorporate in other works, reuse
-and redistribute as freely as possible in any form whatsoever and for any
-purposes, including without limitation commercial purposes. These owners may
-contribute to the Commons to promote the ideal of a free culture and the
-further production of creative, cultural and scientific works, or to gain
-reputation or greater distribution for their Work in part through the use and
-efforts of others.
-
-For these and/or other purposes and motivations, and without any expectation
-of additional consideration or compensation, the person associating CC0 with a
-Work (the "Affirmer"), to the extent that he or she is an owner of Copyright
-and Related Rights in the Work, voluntarily elects to apply CC0 to the Work
-and publicly distribute the Work under its terms, with knowledge of his or her
-Copyright and Related Rights in the Work and the meaning and intended legal
-effect of CC0 on those rights.
-
-1. Copyright and Related Rights. A Work made available under CC0 may be
-protected by copyright and related or neighboring rights ("Copyright and
-Related Rights"). Copyright and Related Rights include, but are not limited
-to, the following:
-
- i. the right to reproduce, adapt, distribute, perform, display, communicate,
- and translate a Work;
-
- ii. moral rights retained by the original author(s) and/or performer(s);
-
- iii.
publicity and privacy rights pertaining to a person's image or likeness
- depicted in a Work;
-
- iv. rights protecting against unfair competition in regards to a Work,
- subject to the limitations in paragraph 4(a), below;
-
- v. rights protecting the extraction, dissemination, use and reuse of data in
- a Work;
-
- vi. database rights (such as those arising under Directive 96/9/EC of the
- European Parliament and of the Council of 11 March 1996 on the legal
- protection of databases, and under any national implementation thereof,
- including any amended or successor version of such directive); and
-
- vii. other similar, equivalent or corresponding rights throughout the world
- based on applicable law or treaty, and any national implementations thereof.
-
-2. Waiver. To the greatest extent permitted by, but not in contravention of,
-applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and
-unconditionally waives, abandons, and surrenders all of Affirmer's Copyright
-and Related Rights and associated claims and causes of action, whether now
-known or unknown (including existing as well as future claims and causes of
-action), in the Work (i) in all territories worldwide, (ii) for the maximum
-duration provided by applicable law or treaty (including future time
-extensions), (iii) in any current or future medium and for any number of
-copies, and (iv) for any purpose whatsoever, including without limitation
-commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes
-the Waiver for the benefit of each member of the public at large and to the
-detriment of Affirmer's heirs and successors, fully intending that such Waiver
-shall not be subject to revocation, rescission, cancellation, termination, or
-any other legal or equitable action to disrupt the quiet enjoyment of the Work
-by the public as contemplated by Affirmer's express Statement of Purpose.
-
-3. Public License Fallback.
Should any part of the Waiver for any reason be
-judged legally invalid or ineffective under applicable law, then the Waiver
-shall be preserved to the maximum extent permitted taking into account
-Affirmer's express Statement of Purpose. In addition, to the extent the Waiver
-is so judged Affirmer hereby grants to each affected person a royalty-free,
-non transferable, non sublicensable, non exclusive, irrevocable and
-unconditional license to exercise Affirmer's Copyright and Related Rights in
-the Work (i) in all territories worldwide, (ii) for the maximum duration
-provided by applicable law or treaty (including future time extensions), (iii)
-in any current or future medium and for any number of copies, and (iv) for any
-purpose whatsoever, including without limitation commercial, advertising or
-promotional purposes (the "License"). The License shall be deemed effective as
-of the date CC0 was applied by Affirmer to the Work. Should any part of the
-License for any reason be judged legally invalid or ineffective under
-applicable law, such partial invalidity or ineffectiveness shall not
-invalidate the remainder of the License, and in such case Affirmer hereby
-affirms that he or she will not (i) exercise any of his or her remaining
-Copyright and Related Rights in the Work or (ii) assert any associated claims
-and causes of action with respect to the Work, in either case contrary to
-Affirmer's express Statement of Purpose.
-
-4. Limitations and Disclaimers.
-
- a. No trademark or patent rights held by Affirmer are waived, abandoned,
- surrendered, licensed or otherwise affected by this document.
-
- b.
Affirmer offers the Work as-is and makes no representations or warranties
- of any kind concerning the Work, express, implied, statutory or otherwise,
- including without limitation warranties of title, merchantability, fitness
- for a particular purpose, non infringement, or the absence of latent or
- other defects, accuracy, or the present or absence of errors, whether or not
- discoverable, all to the greatest extent permissible under applicable law.
-
- c. Affirmer disclaims responsibility for clearing rights of other persons
- that may apply to the Work or any use thereof, including without limitation
- any person's Copyright and Related Rights in the Work. Further, Affirmer
- disclaims responsibility for obtaining any necessary consents, permissions
- or other rights required for any use of the Work.
-
- d. Affirmer understands and acknowledges that Creative Commons is not a
- party to this document and has no duty or obligation with respect to this
- CC0 or use of the Work.
-
-For more information, please see
-
diff --git a/crypto_sign/sphincs-haraka-128s-simple/clean/Makefile.Microsoft_nmake b/crypto_sign/sphincs-haraka-128s-simple/clean/Makefile.Microsoft_nmake
deleted file mode 100644
index f3bec8a5..00000000
--- a/crypto_sign/sphincs-haraka-128s-simple/clean/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,19 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libsphincs-haraka-128s-simple_clean.lib
-OBJECTS=address.obj wots.obj utils.obj fors.obj sign.obj hash_haraka.obj thash_haraka_simple.obj haraka.obj
-
-CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_sign/sphincs-haraka-128s-simple/clean/address.c b/crypto_sign/sphincs-haraka-128s-simple/clean/address.c
deleted file mode 100644
index 7c4de6f4..00000000
--- a/crypto_sign/sphincs-haraka-128s-simple/clean/address.c
+++ /dev/null
@@ -1,78 +0,0 @@
-#include
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]) {
- int i;
-
- for (i = 0; i < 8; i++) {
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ull_to_bytes(
- bytes + i * 4, 4, addr[i]);
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_layer_addr(
- uint32_t addr[8], uint32_t layer) {
- addr[0] = layer;
-}
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_tree_addr(
- uint32_t addr[8], uint64_t tree) {
- addr[1] = 0;
- addr[2] = (uint32_t) (tree >> 32);
- addr[3] = (uint32_t) tree;
-}
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_type(
- uint32_t addr[8], uint32_t type) {
- addr[4] = type;
-}
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
-}
-
-/* These functions are used for OTS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair) {
- addr[5] = keypair;
-}
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
- out[5] = in[5];
-}
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_chain_addr(
- uint32_t addr[8], uint32_t chain) {
- addr[6] = chain;
-}
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_hash_addr(
- uint32_t addr[8], uint32_t hash) {
- addr[7] = hash;
-}
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_tree_height(
- uint32_t addr[8], uint32_t tree_height) {
- addr[6] = tree_height;
-}
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_tree_index(
- uint32_t addr[8], uint32_t tree_index) {
- addr[7] = tree_index;
-}
diff --git a/crypto_sign/sphincs-haraka-128s-simple/clean/address.h b/crypto_sign/sphincs-haraka-128s-simple/clean/address.h
deleted file mode 100644
index 28a13555..00000000
--- a/crypto_sign/sphincs-haraka-128s-simple/clean/address.h
+++ /dev/null
@@ -1,50 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDRESS_H
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDRESS_H
-
-#include
-
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_TYPE_WOTS 0
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_TYPE_WOTSPK 1
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_TYPE_HASHTREE 2
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_TYPE_FORSTREE 3
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_TYPE_FORSPK 4
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]);
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_layer_addr(
- uint32_t addr[8], uint32_t layer);
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_tree_addr(
- uint32_t addr[8], uint64_t tree);
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_type(
- uint32_t addr[8], uint32_t type);
-
-/* Copies the layer and tree part of one address into the other */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for WOTS and FORS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair);
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_chain_addr(
- uint32_t addr[8], uint32_t chain);
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_hash_addr(
- uint32_t addr[8], uint32_t hash);
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_tree_height(
- uint32_t addr[8], uint32_t tree_height);
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_tree_index(
- uint32_t addr[8], uint32_t tree_index);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-simple/clean/api.h b/crypto_sign/sphincs-haraka-128s-simple/clean/api.h
deleted file mode 100644
index 4d3a7ece..00000000
--- a/crypto_sign/sphincs-haraka-128s-simple/clean/api.h
+++ /dev/null
@@ -1,81 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_API_H
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_API_H
-
-#include
-#include
-
-
-
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_CRYPTO_ALGNAME "SPHINCS+"
-
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_CRYPTO_SECRETKEYBYTES 64
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_CRYPTO_PUBLICKEYBYTES 32
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_CRYPTO_BYTES 8080
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_CRYPTO_SEEDBYTES 48
-
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_crypto_sign_seed_keypair(
- uint8_t *pk, uint8_t *sk, const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_crypto_sign_keypair(
- uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-int PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen, const uint8_t *pk);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-simple/clean/fors.c b/crypto_sign/sphincs-haraka-128s-simple/clean/fors.c
deleted file mode 100644
index 5f61d478..00000000
--- a/crypto_sign/sphincs-haraka-128s-simple/clean/fors.c
+++ /dev/null
@@ -1,161 +0,0 @@
-#include
-#include
-#include
-
-#include "address.h"
-#include "fors.h"
-#include "hash.h"
-#include "hash_state.h"
-#include "thash.h"
-#include "utils.h"
-
-static void fors_gen_sk(unsigned char *sk, const unsigned char *sk_seed,
- uint32_t fors_leaf_addr[8], const hash_state *hash_state_seeded) {
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_prf_addr(
- sk, sk_seed, fors_leaf_addr, hash_state_seeded);
-}
-
-static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk,
- const unsigned char *pub_seed,
- uint32_t fors_leaf_addr[8],
- const hash_state *hash_state_seeded) {
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_thash_1(
- leaf, sk, pub_seed, fors_leaf_addr, hash_state_seeded);
-}
-
-static void fors_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed,
- const unsigned char *pub_seed,
- uint32_t addr_idx, const uint32_t fors_tree_addr[8],
- const hash_state *hash_state_seeded) {
- uint32_t fors_leaf_addr[8] = {0};
-
- /* Only copy the parts that must be kept in fors_leaf_addr. */
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_copy_keypair_addr(
- fors_leaf_addr, fors_tree_addr);
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_type(
- fors_leaf_addr, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_TYPE_FORSTREE);
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_tree_index(
- fors_leaf_addr, addr_idx);
-
- fors_gen_sk(leaf, sk_seed, fors_leaf_addr, hash_state_seeded);
- fors_sk_to_leaf(leaf, leaf, pub_seed, fors_leaf_addr, hash_state_seeded);
-}
-
-/**
- * Interprets m as PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_HEIGHT-bit unsigned integers.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_TREES bits.
- * Assumes indices has space for PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_TREES integers.
- */
-static void message_to_indices(uint32_t *indices, const unsigned char *m) {
- unsigned int i, j;
- unsigned int offset = 0;
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_TREES; i++) {
- indices[i] = 0;
- for (j = 0; j < PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_HEIGHT; j++) {
- indices[i] ^= (((uint32_t)m[offset >> 3] >> (offset & 0x7)) & 0x1) << j;
- offset++;
- }
- }
-}
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_fors_sign(
- unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- const uint32_t fors_addr[8], const hash_state *hash_state_seeded) {
- uint32_t indices[PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_TREES];
- unsigned char roots[PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N];
- uint32_t fors_tree_addr[8] = {0};
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset;
- unsigned int i;
-
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_copy_keypair_addr(
- fors_tree_addr, fors_addr);
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_copy_keypair_addr(
- fors_pk_addr, fors_addr);
-
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_type(
- fors_tree_addr, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_TYPE_FORSTREE);
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_type(
- fors_pk_addr, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_TREES; i++) {
- idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_HEIGHT);
-
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_tree_height(
- fors_tree_addr, 0);
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_tree_index(
- fors_tree_addr, indices[i] + idx_offset);
-
- /* Include
the secret key part that produces the selected leaf node. */
- fors_gen_sk(sig, sk_seed, fors_tree_addr, hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N;
-
- /* Compute the authentication path for this leaf node. */
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_treehash_FORS_HEIGHT(
- roots + i * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, sig, sk_seed, pub_seed,
- indices[i], idx_offset, fors_gen_leaf, fors_tree_addr,
- hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_thash_FORS_TREES(
- pk, roots, pub_seed, fors_pk_addr, hash_state_seeded);
-}
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_fors_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const unsigned char *pub_seed, const uint32_t fors_addr[8],
- const hash_state *hash_state_seeded) {
- uint32_t indices[PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_TREES];
- unsigned char roots[PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N];
- unsigned char leaf[PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N];
- uint32_t fors_tree_addr[8] = {0};
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset;
- unsigned int i;
-
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_copy_keypair_addr(fors_tree_addr, fors_addr);
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_copy_keypair_addr(fors_pk_addr, fors_addr);
-
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_type(fors_tree_addr, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_TYPE_FORSTREE);
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_TREES; i++) {
- idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_HEIGHT);
-
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_tree_height(fors_tree_addr, 0);
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_tree_index(fors_tree_addr, indices[i] + idx_offset);
-
- /* Derive the leaf from the included secret key part. */
- fors_sk_to_leaf(leaf, sig, pub_seed, fors_tree_addr, hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N;
-
- /* Derive the corresponding root node of this tree.
*/
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_compute_root(roots + i * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, leaf, indices[i], idx_offset, sig,
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_HEIGHT, pub_seed, fors_tree_addr, hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, hash_state_seeded);
-}
diff --git a/crypto_sign/sphincs-haraka-128s-simple/clean/fors.h b/crypto_sign/sphincs-haraka-128s-simple/clean/fors.h
deleted file mode 100644
index 8d988d4a..00000000
--- a/crypto_sign/sphincs-haraka-128s-simple/clean/fors.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_H
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_H
-
-#include
-
-#include "hash_state.h"
-#include "params.h"
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_fors_sign(
- unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- const uint32_t fors_addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_fors_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const unsigned char *pub_seed, const uint32_t fors_addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-simple/clean/haraka.c b/crypto_sign/sphincs-haraka-128s-simple/clean/haraka.c
deleted file mode 100644
index f1531dd6..00000000
--- a/crypto_sign/sphincs-haraka-128s-simple/clean/haraka.c
+++ /dev/null
@@ -1,963 +0,0 @@
-/*
- * Constant time implementation of the Haraka hash function.
- *
- * The bit-sliced implementation of the AES round functions are
- * based on the AES implementation in BearSSL written
- * by Thomas Pornin
- */
-
-#include
-#include
-#include
-#include
-
-#include "haraka.h"
-
-#define HARAKAS_RATE 32
-
-static const uint64_t haraka512_rc64[10][8] = {
- {0x24cf0ab9086f628b, 0xbdd6eeecc83b8382, 0xd96fb0306cdad0a7, 0xaace082ac8f95f89, 0x449d8e8870d7041f, 0x49bb2f80b2b3e2f8, 0x0569ae98d93bb258, 0x23dc9691e7d6a4b1},
- {0xd8ba10ede0fe5b6e, 0x7ecf7dbe424c7b8e, 0x6ea9949c6df62a31, 0xbf3f3c97ec9c313e, 0x241d03a196a1861e, 0xead3a51116e5a2ea, 0x77d479fcad9574e3, 0x18657a1af894b7a0},
- {0x10671e1a7f595522, 0xd9a00ff675d28c7b, 0x2f1edf0d2b9ba661, 0xb8ff58b8e3de45f9, 0xee29261da9865c02, 0xd1532aa4b50bdf43, 0x8bf858159b231bb1, 0xdf17439d22d4f599},
- {0xdd4b2f0870b918c0, 0x757a81f3b39b1bb6, 0x7a5c556898952e3f, 0x7dd70a16d915d87a, 0x3ae61971982b8301, 0xc3ab319e030412be, 0x17c0033ac094a8cb, 0x5a0630fc1a8dc4ef},
- {0x17708988c1632f73, 0xf92ddae090b44f4f, 0x11ac0285c43aa314, 0x509059941936b8ba, 0xd03e152fa2ce9b69, 0x3fbcbcb63a32998b, 0x6204696d692254f7, 0x915542ed93ec59b4},
- {0xf4ed94aa8879236e, 0xff6cb41cd38e03c0, 0x069b38602368aeab, 0x669495b820f0ddba, 0xf42013b1b8bf9e3d, 0xcf935efe6439734d, 0xbc1dcf42ca29e3f8, 0x7e6d3ed29f78ad67},
- {0xf3b0f6837ffcddaa, 0x3a76faef934ddf41, 0xcec7ae583a9c8e35, 0xe4dd18c68f0260af, 0x2c0e5df1ad398eaa, 0x478df5236ae22e8c, 0xfb944c46fe865f39, 0xaa48f82f028132ba},
- {0x231b9ae2b76aca77, 0x292a76a712db0b40, 0x5850625dc8134491, 0x73137dd469810fb5, 0x8a12a6a202a474fd, 0xd36fd9daa78bdb80, 0xb34c5e733505706f, 0xbaf1cdca818d9d96},
- {0x2e99781335e8c641, 0xbddfe5cce47d560e, 0xf74e9bf32e5e040c, 0x1d7a709d65996be9, 0x670df36a9cf66cdd, 0xd05ef84a176a2875, 0x0f888e828cb1c44e, 0x1a79e9c9727b052c},
- {0x83497348628d84de, 0x2e9387d51f22a754, 0xb000068da2f852d6, 0x378c9e1190fd6fe5, 0x870027c316de7293, 0xe51a9d4462e047bb, 0x90ecf7f8c6251195,
0x655953bfbed90a9c},
-};
-
-static inline uint32_t br_dec32le(const unsigned char *src) {
- return (uint32_t)src[0]
- | ((uint32_t)src[1] << 8)
- | ((uint32_t)src[2] << 16)
- | ((uint32_t)src[3] << 24);
-}
-
-static void br_range_dec32le(uint32_t *v, size_t num, const unsigned char *src) {
- while (num-- > 0) {
- *v ++ = br_dec32le(src);
- src += 4;
- }
-}
-
-static inline void br_enc32le(unsigned char *dst, uint32_t x) {
- dst[0] = (unsigned char)x;
- dst[1] = (unsigned char)(x >> 8);
- dst[2] = (unsigned char)(x >> 16);
- dst[3] = (unsigned char)(x >> 24);
-}
-
-
-static void br_range_enc32le(unsigned char *dst, const uint32_t *v, size_t num) {
- while (num-- > 0) {
- br_enc32le(dst, *v ++);
- dst += 4;
- }
-}
-
-static void br_aes_ct64_bitslice_Sbox(uint64_t *q) {
- /*
- * This S-box implementation is a straightforward translation of
- * the circuit described by Boyar and Peralta in "A new
- * combinational logic minimization technique with applications
- * to cryptology" (https://eprint.iacr.org/2009/191.pdf).
- *
- * Note that variables x* (input) and s* (output) are numbered
- * in "reverse" order (x0 is the high bit, x7 is the low bit).
- */
-
- uint64_t x0, x1, x2, x3, x4, x5, x6, x7;
- uint64_t y1, y2, y3, y4, y5, y6, y7, y8, y9;
- uint64_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19;
- uint64_t y20, y21;
- uint64_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9;
- uint64_t z10, z11, z12, z13, z14, z15, z16, z17;
- uint64_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9;
- uint64_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19;
- uint64_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29;
- uint64_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39;
- uint64_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49;
- uint64_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59;
- uint64_t t60, t61, t62, t63, t64, t65, t66, t67;
- uint64_t s0, s1, s2, s3, s4, s5, s6, s7;
-
- x0 = q[7];
- x1 = q[6];
- x2 = q[5];
- x3 = q[4];
- x4 = q[3];
- x5 = q[2];
- x6 = q[1];
- x7 = q[0];
-
- /*
- * Top linear transformation.
- */
- y14 = x3 ^ x5;
- y13 = x0 ^ x6;
- y9 = x0 ^ x3;
- y8 = x0 ^ x5;
- t0 = x1 ^ x2;
- y1 = t0 ^ x7;
- y4 = y1 ^ x3;
- y12 = y13 ^ y14;
- y2 = y1 ^ x0;
- y5 = y1 ^ x6;
- y3 = y5 ^ y8;
- t1 = x4 ^ y12;
- y15 = t1 ^ x5;
- y20 = t1 ^ x1;
- y6 = y15 ^ x7;
- y10 = y15 ^ t0;
- y11 = y20 ^ y9;
- y7 = x7 ^ y11;
- y17 = y10 ^ y11;
- y19 = y10 ^ y8;
- y16 = t0 ^ y11;
- y21 = y13 ^ y16;
- y18 = x0 ^ y16;
-
- /*
- * Non-linear section.
- */
- t2 = y12 & y15;
- t3 = y3 & y6;
- t4 = t3 ^ t2;
- t5 = y4 & x7;
- t6 = t5 ^ t2;
- t7 = y13 & y16;
- t8 = y5 & y1;
- t9 = t8 ^ t7;
- t10 = y2 & y7;
- t11 = t10 ^ t7;
- t12 = y9 & y11;
- t13 = y14 & y17;
- t14 = t13 ^ t12;
- t15 = y8 & y10;
- t16 = t15 ^ t12;
- t17 = t4 ^ t14;
- t18 = t6 ^ t16;
- t19 = t9 ^ t14;
- t20 = t11 ^ t16;
- t21 = t17 ^ y20;
- t22 = t18 ^ y19;
- t23 = t19 ^ y21;
- t24 = t20 ^ y18;
-
- t25 = t21 ^ t22;
- t26 = t21 & t23;
- t27 = t24 ^ t26;
- t28 = t25 & t27;
- t29 = t28 ^ t22;
- t30 = t23 ^ t24;
- t31 = t22 ^ t26;
- t32 = t31 & t30;
- t33 = t32 ^ t24;
- t34 = t23 ^ t33;
- t35 = t27 ^ t33;
- t36 = t24 & t35;
- t37 = t36 ^ t34;
- t38 = t27 ^ t36;
- t39 = t29 & t38;
- t40 = t25 ^ t39;
-
- t41 = t40 ^ t37;
- t42 = t29 ^ t33;
- t43 = t29 ^ t40;
- t44 = t33 ^ t37;
- t45 = t42 ^ t41;
- z0 = t44 & y15;
- z1 = t37 & y6;
- z2 = t33 & x7;
- z3 = t43 & y16;
- z4 = t40 & y1;
- z5 = t29 & y7;
- z6 = t42 & y11;
- z7 = t45 & y17;
- z8 = t41 & y10;
- z9 = t44 & y12;
- z10 = t37 & y3;
- z11 = t33 & y4;
- z12 = t43 & y13;
- z13 = t40 & y5;
- z14 = t29 & y2;
- z15 = t42 & y9;
- z16 = t45 & y14;
- z17 = t41 & y8;
-
- /*
- * Bottom linear transformation.
- */
- t46 = z15 ^ z16;
- t47 = z10 ^ z11;
- t48 = z5 ^ z13;
- t49 = z9 ^ z10;
- t50 = z2 ^ z12;
- t51 = z2 ^ z5;
- t52 = z7 ^ z8;
- t53 = z0 ^ z3;
- t54 = z6 ^ z7;
- t55 = z16 ^ z17;
- t56 = z12 ^ t48;
- t57 = t50 ^ t53;
- t58 = z4 ^ t46;
- t59 = z3 ^ t54;
- t60 = t46 ^ t57;
- t61 = z14 ^ t57;
- t62 = t52 ^ t58;
- t63 = t49 ^ t58;
- t64 = z4 ^ t59;
- t65 = t61 ^ t62;
- t66 = z1 ^ t63;
- s0 = t59 ^ t63;
- s6 = t56 ^ ~t62;
- s7 = t48 ^ ~t60;
- t67 = t64 ^ t65;
- s3 = t53 ^ t66;
- s4 = t51 ^ t66;
- s5 = t47 ^ t65;
- s1 = t64 ^ ~s3;
- s2 = t55 ^ ~t67;
-
- q[7] = s0;
- q[6] = s1;
- q[5] = s2;
- q[4] = s3;
- q[3] = s4;
- q[2] = s5;
- q[1] = s6;
- q[0] = s7;
-}
-
-static void br_aes_ct_bitslice_Sbox(uint32_t *q) {
- /*
- * This S-box implementation is a straightforward translation of
- * the circuit described by Boyar and Peralta in "A new
- * combinational logic minimization technique with applications
- * to cryptology" (https://eprint.iacr.org/2009/191.pdf).
- *
- * Note that variables x* (input) and s* (output) are numbered
- * in "reverse" order (x0 is the high bit, x7 is the low bit).
- */
-
- uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
- uint32_t y1, y2, y3, y4, y5, y6, y7, y8, y9;
- uint32_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19;
- uint32_t y20, y21;
- uint32_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9;
- uint32_t z10, z11, z12, z13, z14, z15, z16, z17;
- uint32_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9;
- uint32_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19;
- uint32_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29;
- uint32_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39;
- uint32_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49;
- uint32_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59;
- uint32_t t60, t61, t62, t63, t64, t65, t66, t67;
- uint32_t s0, s1, s2, s3, s4, s5, s6, s7;
-
- x0 = q[7];
- x1 = q[6];
- x2 = q[5];
- x3 = q[4];
- x4 = q[3];
- x5 = q[2];
- x6 = q[1];
- x7 = q[0];
-
- /*
- * Top linear transformation.
- */ - y14 = x3 ^ x5; - y13 = x0 ^ x6; - y9 = x0 ^ x3; - y8 = x0 ^ x5; - t0 = x1 ^ x2; - y1 = t0 ^ x7; - y4 = y1 ^ x3; - y12 = y13 ^ y14; - y2 = y1 ^ x0; - y5 = y1 ^ x6; - y3 = y5 ^ y8; - t1 = x4 ^ y12; - y15 = t1 ^ x5; - y20 = t1 ^ x1; - y6 = y15 ^ x7; - y10 = y15 ^ t0; - y11 = y20 ^ y9; - y7 = x7 ^ y11; - y17 = y10 ^ y11; - y19 = y10 ^ y8; - y16 = t0 ^ y11; - y21 = y13 ^ y16; - y18 = x0 ^ y16; - - /* - * Non-linear section. - */ - t2 = y12 & y15; - t3 = y3 & y6; - t4 = t3 ^ t2; - t5 = y4 & x7; - t6 = t5 ^ t2; - t7 = y13 & y16; - t8 = y5 & y1; - t9 = t8 ^ t7; - t10 = y2 & y7; - t11 = t10 ^ t7; - t12 = y9 & y11; - t13 = y14 & y17; - t14 = t13 ^ t12; - t15 = y8 & y10; - t16 = t15 ^ t12; - t17 = t4 ^ t14; - t18 = t6 ^ t16; - t19 = t9 ^ t14; - t20 = t11 ^ t16; - t21 = t17 ^ y20; - t22 = t18 ^ y19; - t23 = t19 ^ y21; - t24 = t20 ^ y18; - - t25 = t21 ^ t22; - t26 = t21 & t23; - t27 = t24 ^ t26; - t28 = t25 & t27; - t29 = t28 ^ t22; - t30 = t23 ^ t24; - t31 = t22 ^ t26; - t32 = t31 & t30; - t33 = t32 ^ t24; - t34 = t23 ^ t33; - t35 = t27 ^ t33; - t36 = t24 & t35; - t37 = t36 ^ t34; - t38 = t27 ^ t36; - t39 = t29 & t38; - t40 = t25 ^ t39; - - t41 = t40 ^ t37; - t42 = t29 ^ t33; - t43 = t29 ^ t40; - t44 = t33 ^ t37; - t45 = t42 ^ t41; - z0 = t44 & y15; - z1 = t37 & y6; - z2 = t33 & x7; - z3 = t43 & y16; - z4 = t40 & y1; - z5 = t29 & y7; - z6 = t42 & y11; - z7 = t45 & y17; - z8 = t41 & y10; - z9 = t44 & y12; - z10 = t37 & y3; - z11 = t33 & y4; - z12 = t43 & y13; - z13 = t40 & y5; - z14 = t29 & y2; - z15 = t42 & y9; - z16 = t45 & y14; - z17 = t41 & y8; - - /* - * Bottom linear transformation. 
- */ - t46 = z15 ^ z16; - t47 = z10 ^ z11; - t48 = z5 ^ z13; - t49 = z9 ^ z10; - t50 = z2 ^ z12; - t51 = z2 ^ z5; - t52 = z7 ^ z8; - t53 = z0 ^ z3; - t54 = z6 ^ z7; - t55 = z16 ^ z17; - t56 = z12 ^ t48; - t57 = t50 ^ t53; - t58 = z4 ^ t46; - t59 = z3 ^ t54; - t60 = t46 ^ t57; - t61 = z14 ^ t57; - t62 = t52 ^ t58; - t63 = t49 ^ t58; - t64 = z4 ^ t59; - t65 = t61 ^ t62; - t66 = z1 ^ t63; - s0 = t59 ^ t63; - s6 = t56 ^ ~t62; - s7 = t48 ^ ~t60; - t67 = t64 ^ t65; - s3 = t53 ^ t66; - s4 = t51 ^ t66; - s5 = t47 ^ t65; - s1 = t64 ^ ~s3; - s2 = t55 ^ ~t67; - - q[7] = s0; - q[6] = s1; - q[5] = s2; - q[4] = s3; - q[3] = s4; - q[2] = s5; - q[1] = s6; - q[0] = s7; -} - -static void br_aes_ct_ortho(uint32_t *q) { -#define SWAPN_32(cl, ch, s, x, y) do { \ - uint32_t a, b; \ - a = (x); \ - b = (y); \ - (x) = (a & (uint32_t)(cl)) | ((b & (uint32_t)(cl)) << (s)); \ - (y) = ((a & (uint32_t)(ch)) >> (s)) | (b & (uint32_t)(ch)); \ - } while (0) - -#define SWAP2_32(x, y) SWAPN_32(0x55555555, 0xAAAAAAAA, 1, x, y) -#define SWAP4_32(x, y) SWAPN_32(0x33333333, 0xCCCCCCCC, 2, x, y) -#define SWAP8_32(x, y) SWAPN_32(0x0F0F0F0F, 0xF0F0F0F0, 4, x, y) - - SWAP2_32(q[0], q[1]); - SWAP2_32(q[2], q[3]); - SWAP2_32(q[4], q[5]); - SWAP2_32(q[6], q[7]); - - SWAP4_32(q[0], q[2]); - SWAP4_32(q[1], q[3]); - SWAP4_32(q[4], q[6]); - SWAP4_32(q[5], q[7]); - - SWAP8_32(q[0], q[4]); - SWAP8_32(q[1], q[5]); - SWAP8_32(q[2], q[6]); - SWAP8_32(q[3], q[7]); -} - -static inline void add_round_key32(uint32_t *q, const uint32_t *sk) { - q[0] ^= sk[0]; - q[1] ^= sk[1]; - q[2] ^= sk[2]; - q[3] ^= sk[3]; - q[4] ^= sk[4]; - q[5] ^= sk[5]; - q[6] ^= sk[6]; - q[7] ^= sk[7]; -} - -static inline void shift_rows32(uint32_t *q) { - int i; - - for (i = 0; i < 8; i++) { - uint32_t x; - - x = q[i]; - q[i] = (x & 0x000000FF) - | ((x & 0x0000FC00) >> 2) | ((x & 0x00000300) << 6) - | ((x & 0x00F00000) >> 4) | ((x & 0x000F0000) << 4) - | ((x & 0xC0000000) >> 6) | ((x & 0x3F000000) << 2); - } -} - -static inline uint32_t 
rotr16(uint32_t x) { - return (x << 16) | (x >> 16); -} - -static inline void mix_columns32(uint32_t *q) { - uint32_t q0, q1, q2, q3, q4, q5, q6, q7; - uint32_t r0, r1, r2, r3, r4, r5, r6, r7; - - q0 = q[0]; - q1 = q[1]; - q2 = q[2]; - q3 = q[3]; - q4 = q[4]; - q5 = q[5]; - q6 = q[6]; - q7 = q[7]; - r0 = (q0 >> 8) | (q0 << 24); - r1 = (q1 >> 8) | (q1 << 24); - r2 = (q2 >> 8) | (q2 << 24); - r3 = (q3 >> 8) | (q3 << 24); - r4 = (q4 >> 8) | (q4 << 24); - r5 = (q5 >> 8) | (q5 << 24); - r6 = (q6 >> 8) | (q6 << 24); - r7 = (q7 >> 8) | (q7 << 24); - - q[0] = q7 ^ r7 ^ r0 ^ rotr16(q0 ^ r0); - q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr16(q1 ^ r1); - q[2] = q1 ^ r1 ^ r2 ^ rotr16(q2 ^ r2); - q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr16(q3 ^ r3); - q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr16(q4 ^ r4); - q[5] = q4 ^ r4 ^ r5 ^ rotr16(q5 ^ r5); - q[6] = q5 ^ r5 ^ r6 ^ rotr16(q6 ^ r6); - q[7] = q6 ^ r6 ^ r7 ^ rotr16(q7 ^ r7); -} - -static void br_aes_ct64_ortho(uint64_t *q) { -#define SWAPN(cl, ch, s, x, y) do { \ - uint64_t a, b; \ - a = (x); \ - b = (y); \ - (x) = (a & (uint64_t)(cl)) | ((b & (uint64_t)(cl)) << (s)); \ - (y) = ((a & (uint64_t)(ch)) >> (s)) | (b & (uint64_t)(ch)); \ - } while (0) - -#define SWAP2(x, y) SWAPN(0x5555555555555555, 0xAAAAAAAAAAAAAAAA, 1, x, y) -#define SWAP4(x, y) SWAPN(0x3333333333333333, 0xCCCCCCCCCCCCCCCC, 2, x, y) -#define SWAP8(x, y) SWAPN(0x0F0F0F0F0F0F0F0F, 0xF0F0F0F0F0F0F0F0, 4, x, y) - - SWAP2(q[0], q[1]); - SWAP2(q[2], q[3]); - SWAP2(q[4], q[5]); - SWAP2(q[6], q[7]); - - SWAP4(q[0], q[2]); - SWAP4(q[1], q[3]); - SWAP4(q[4], q[6]); - SWAP4(q[5], q[7]); - - SWAP8(q[0], q[4]); - SWAP8(q[1], q[5]); - SWAP8(q[2], q[6]); - SWAP8(q[3], q[7]); -} - - -static void br_aes_ct64_interleave_in(uint64_t *q0, uint64_t *q1, const uint32_t *w) { - uint64_t x0, x1, x2, x3; - - x0 = w[0]; - x1 = w[1]; - x2 = w[2]; - x3 = w[3]; - x0 |= (x0 << 16); - x1 |= (x1 << 16); - x2 |= (x2 << 16); - x3 |= (x3 << 16); - x0 &= (uint64_t)0x0000FFFF0000FFFF; - x1 &= 
(uint64_t)0x0000FFFF0000FFFF; - x2 &= (uint64_t)0x0000FFFF0000FFFF; - x3 &= (uint64_t)0x0000FFFF0000FFFF; - x0 |= (x0 << 8); - x1 |= (x1 << 8); - x2 |= (x2 << 8); - x3 |= (x3 << 8); - x0 &= (uint64_t)0x00FF00FF00FF00FF; - x1 &= (uint64_t)0x00FF00FF00FF00FF; - x2 &= (uint64_t)0x00FF00FF00FF00FF; - x3 &= (uint64_t)0x00FF00FF00FF00FF; - *q0 = x0 | (x2 << 8); - *q1 = x1 | (x3 << 8); -} - - -static void br_aes_ct64_interleave_out(uint32_t *w, uint64_t q0, uint64_t q1) { - uint64_t x0, x1, x2, x3; - - x0 = q0 & (uint64_t)0x00FF00FF00FF00FF; - x1 = q1 & (uint64_t)0x00FF00FF00FF00FF; - x2 = (q0 >> 8) & (uint64_t)0x00FF00FF00FF00FF; - x3 = (q1 >> 8) & (uint64_t)0x00FF00FF00FF00FF; - x0 |= (x0 >> 8); - x1 |= (x1 >> 8); - x2 |= (x2 >> 8); - x3 |= (x3 >> 8); - x0 &= (uint64_t)0x0000FFFF0000FFFF; - x1 &= (uint64_t)0x0000FFFF0000FFFF; - x2 &= (uint64_t)0x0000FFFF0000FFFF; - x3 &= (uint64_t)0x0000FFFF0000FFFF; - w[0] = (uint32_t)x0 | (uint32_t)(x0 >> 16); - w[1] = (uint32_t)x1 | (uint32_t)(x1 >> 16); - w[2] = (uint32_t)x2 | (uint32_t)(x2 >> 16); - w[3] = (uint32_t)x3 | (uint32_t)(x3 >> 16); -} - -static inline void add_round_key(uint64_t *q, const uint64_t *sk) { - q[0] ^= sk[0]; - q[1] ^= sk[1]; - q[2] ^= sk[2]; - q[3] ^= sk[3]; - q[4] ^= sk[4]; - q[5] ^= sk[5]; - q[6] ^= sk[6]; - q[7] ^= sk[7]; -} - -static inline void shift_rows(uint64_t *q) { - int i; - - for (i = 0; i < 8; i++) { - uint64_t x; - - x = q[i]; - q[i] = (x & (uint64_t)0x000000000000FFFF) - | ((x & (uint64_t)0x00000000FFF00000) >> 4) - | ((x & (uint64_t)0x00000000000F0000) << 12) - | ((x & (uint64_t)0x0000FF0000000000) >> 8) - | ((x & (uint64_t)0x000000FF00000000) << 8) - | ((x & (uint64_t)0xF000000000000000) >> 12) - | ((x & (uint64_t)0x0FFF000000000000) << 4); - } -} - -static inline uint64_t rotr32(uint64_t x) { - return (x << 32) | (x >> 32); -} - -static inline void mix_columns(uint64_t *q) { - uint64_t q0, q1, q2, q3, q4, q5, q6, q7; - uint64_t r0, r1, r2, r3, r4, r5, r6, r7; - - q0 = q[0]; - q1 = q[1]; - 
q2 = q[2]; - q3 = q[3]; - q4 = q[4]; - q5 = q[5]; - q6 = q[6]; - q7 = q[7]; - r0 = (q0 >> 16) | (q0 << 48); - r1 = (q1 >> 16) | (q1 << 48); - r2 = (q2 >> 16) | (q2 << 48); - r3 = (q3 >> 16) | (q3 << 48); - r4 = (q4 >> 16) | (q4 << 48); - r5 = (q5 >> 16) | (q5 << 48); - r6 = (q6 >> 16) | (q6 << 48); - r7 = (q7 >> 16) | (q7 << 48); - - q[0] = q7 ^ r7 ^ r0 ^ rotr32(q0 ^ r0); - q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr32(q1 ^ r1); - q[2] = q1 ^ r1 ^ r2 ^ rotr32(q2 ^ r2); - q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr32(q3 ^ r3); - q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr32(q4 ^ r4); - q[5] = q4 ^ r4 ^ r5 ^ rotr32(q5 ^ r5); - q[6] = q5 ^ r5 ^ r6 ^ rotr32(q6 ^ r6); - q[7] = q6 ^ r6 ^ r7 ^ rotr32(q7 ^ r7); -} - -static void interleave_constant(uint64_t *out, const unsigned char *in) { - uint32_t tmp_32_constant[16]; - int i; - - br_range_dec32le(tmp_32_constant, 16, in); - for (i = 0; i < 4; i++) { - br_aes_ct64_interleave_in(&out[i], &out[i + 4], tmp_32_constant + (i << 2)); - } - br_aes_ct64_ortho(out); -} - -static void interleave_constant32(uint32_t *out, const unsigned char *in) { - int i; - for (i = 0; i < 4; i++) { - out[2 * i] = br_dec32le(in + 4 * i); - out[2 * i + 1] = br_dec32le(in + 4 * i + 16); - } - br_aes_ct_ortho(out); -} - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_tweak_constants( - harakactx *state, - const unsigned char *pk_seed, const unsigned char *sk_seed, - unsigned long long seed_length) { - unsigned char buf[40 * 16]; - int i; - - /* Use the standard constants to generate tweaked ones. 
*/ - memcpy((uint8_t *)state->tweaked512_rc64, (uint8_t *)haraka512_rc64, 40 * 16); - - /* Constants for sk.seed */ - if (sk_seed != NULL) { - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S( - buf, 40 * 16, sk_seed, seed_length, state); - - /* Interleave constants */ - for (i = 0; i < 10; i++) { - interleave_constant32(state->tweaked256_rc32_sseed[i], buf + 32 * i); - } - } - - /* Constants for pk.seed */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S( - buf, 40 * 16, pk_seed, seed_length, state); - for (i = 0; i < 10; i++) { - interleave_constant32(state->tweaked256_rc32[i], buf + 32 * i); - interleave_constant(state->tweaked512_rc64[i], buf + 64 * i); - } -} - -static void haraka_S_absorb(unsigned char *s, - const unsigned char *m, unsigned long long mlen, - unsigned char p, const harakactx *state) { - unsigned long long i; - unsigned char t[HARAKAS_RATE]; - - while (mlen >= HARAKAS_RATE) { - /* XOR block to state */ - for (i = 0; i < HARAKAS_RATE; ++i) { - s[i] ^= m[i]; - } - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka512_perm(s, s, state); - mlen -= HARAKAS_RATE; - m += HARAKAS_RATE; - } - - for (i = 0; i < HARAKAS_RATE; ++i) { - t[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t[i] = m[i]; - } - t[i] = p; - t[HARAKAS_RATE - 1] |= 128; - for (i = 0; i < HARAKAS_RATE; ++i) { - s[i] ^= t[i]; - } -} - -static void haraka_S_squeezeblocks(unsigned char *h, unsigned long long nblocks, - unsigned char *s, const harakactx *state) { - while (nblocks > 0) { - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka512_perm(s, s, state); - memcpy(h, s, HARAKAS_RATE); - h += HARAKAS_RATE; - nblocks--; - } -} - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S_inc_init(uint8_t *s_inc) { - size_t i; - - for (i = 0; i < 64; i++) { - s_inc[i] = 0; - } - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state) { - size_t i; - - /* Recall that s_inc[64] is the non-absorbed bytes xored into 
the state */ - while (mlen + s_inc[64] >= HARAKAS_RATE) { - for (i = 0; i < (size_t)(HARAKAS_RATE - s_inc[64]); i++) { - /* Take the i'th byte from message - xor with the s_inc[64] + i'th byte of the state */ - s_inc[s_inc[64] + i] ^= m[i]; - } - mlen -= (size_t)(HARAKAS_RATE - s_inc[64]); - m += HARAKAS_RATE - s_inc[64]; - s_inc[64] = 0; - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka512_perm(s_inc, s_inc, state); - } - - for (i = 0; i < mlen; i++) { - s_inc[s_inc[64] + i] ^= m[i]; - } - s_inc[64] = (uint8_t)(mlen + s_inc[64]); -} - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S_inc_finalize(uint8_t *s_inc) { - /* After haraka_S_inc_absorb, we are guaranteed that s_inc[64] < HARAKAS_RATE, - so we can always use one more byte for p in the current state. */ - s_inc[s_inc[64]] ^= 0x1F; - s_inc[HARAKAS_RATE - 1] ^= 128; - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state) { - uint8_t i; - - /* First consume any bytes we still have sitting around */ - for (i = 0; i < outlen && i < s_inc[64]; i++) { - /* There are s_inc[64] bytes left, so r - s_inc[64] is the first - available byte. We consume from there, i.e., up to r. 
*/ - out[i] = s_inc[(HARAKAS_RATE - s_inc[64] + i)]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(s_inc[64] - i); - - /* Then squeeze the remaining necessary blocks */ - while (outlen > 0) { - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka512_perm(s_inc, s_inc, state); - - for (i = 0; i < outlen && i < HARAKAS_RATE; i++) { - out[i] = s_inc[i]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(HARAKAS_RATE - i); - } -} - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S(unsigned char *out, unsigned long long outlen, const unsigned char *in, unsigned long long inlen, const harakactx *state) { - unsigned long long i; - unsigned char s[64]; - unsigned char d[32]; - - for (i = 0; i < 64; i++) { - s[i] = 0; - } - haraka_S_absorb(s, in, inlen, 0x1F, state); - - haraka_S_squeezeblocks(out, outlen / 32, s, state); - out += (outlen / 32) * 32; - - if (outlen % 32) { - haraka_S_squeezeblocks(d, 1, s, state); - for (i = 0; i < outlen % 32; i++) { - out[i] = d[i]; - } - } -} - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state) { - uint32_t w[16]; - uint64_t q[8], tmp_q; - unsigned int i, j; - - br_range_dec32le(w, 16, in); - for (i = 0; i < 4; i++) { - br_aes_ct64_interleave_in(&q[i], &q[i + 4], w + (i << 2)); - } - br_aes_ct64_ortho(q); - - /* AES rounds */ - for (i = 0; i < 5; i++) { - for (j = 0; j < 2; j++) { - br_aes_ct64_bitslice_Sbox(q); - shift_rows(q); - mix_columns(q); - add_round_key(q, state->tweaked512_rc64[2 * i + j]); - } - /* Mix states */ - for (j = 0; j < 8; j++) { - tmp_q = q[j]; - q[j] = (tmp_q & 0x0001000100010001) << 5 | - (tmp_q & 0x0002000200020002) << 12 | - (tmp_q & 0x0004000400040004) >> 1 | - (tmp_q & 0x0008000800080008) << 6 | - (tmp_q & 0x0020002000200020) << 9 | - (tmp_q & 0x0040004000400040) >> 4 | - (tmp_q & 0x0080008000800080) << 3 | - (tmp_q & 0x2100210021002100) >> 5 | - (tmp_q & 0x0210021002100210) << 2 | - (tmp_q & 0x0800080008000800) << 4 | - 
(tmp_q & 0x1000100010001000) >> 12 | - (tmp_q & 0x4000400040004000) >> 10 | - (tmp_q & 0x8400840084008400) >> 3; - } - } - - br_aes_ct64_ortho(q); - for (i = 0; i < 4; i ++) { - br_aes_ct64_interleave_out(w + (i << 2), q[i], q[i + 4]); - } - br_range_enc32le(out, w, 16); -} - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state) { - int i; - - unsigned char buf[64]; - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka512_perm(buf, in, state); - /* Feed-forward */ - for (i = 0; i < 64; i++) { - buf[i] = buf[i] ^ in[i]; - } - - /* Truncated */ - memcpy(out, buf + 8, 8); - memcpy(out + 8, buf + 24, 8); - memcpy(out + 16, buf + 32, 8); - memcpy(out + 24, buf + 48, 8); -} - - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state) { - uint32_t q[8], tmp_q; - int i, j; - - for (i = 0; i < 4; i++) { - q[2 * i] = br_dec32le(in + 4 * i); - q[2 * i + 1] = br_dec32le(in + 4 * i + 16); - } - br_aes_ct_ortho(q); - - /* AES rounds */ - for (i = 0; i < 5; i++) { - for (j = 0; j < 2; j++) { - br_aes_ct_bitslice_Sbox(q); - shift_rows32(q); - mix_columns32(q); - add_round_key32(q, state->tweaked256_rc32[2 * i + j]); - } - - /* Mix states */ - for (j = 0; j < 8; j++) { - tmp_q = q[j]; - q[j] = (tmp_q & 0x81818181) | - (tmp_q & 0x02020202) << 1 | - (tmp_q & 0x04040404) << 2 | - (tmp_q & 0x08080808) << 3 | - (tmp_q & 0x10101010) >> 3 | - (tmp_q & 0x20202020) >> 2 | - (tmp_q & 0x40404040) >> 1; - } - } - - br_aes_ct_ortho(q); - for (i = 0; i < 4; i++) { - br_enc32le(out + 4 * i, q[2 * i]); - br_enc32le(out + 4 * i + 16, q[2 * i + 1]); - } - - for (i = 0; i < 32; i++) { - out[i] ^= in[i]; - } -} - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state) { - uint32_t q[8], tmp_q; - int i, j; - - for (i = 0; i < 4; i++) { - q[2 * i] = br_dec32le(in + 4 * i); - q[2 * i + 1] = br_dec32le(in + 4 
* i + 16); - } - br_aes_ct_ortho(q); - - /* AES rounds */ - for (i = 0; i < 5; i++) { - for (j = 0; j < 2; j++) { - br_aes_ct_bitslice_Sbox(q); - shift_rows32(q); - mix_columns32(q); - add_round_key32(q, state->tweaked256_rc32_sseed[2 * i + j]); - } - - /* Mix states */ - for (j = 0; j < 8; j++) { - tmp_q = q[j]; - q[j] = (tmp_q & 0x81818181) | - (tmp_q & 0x02020202) << 1 | - (tmp_q & 0x04040404) << 2 | - (tmp_q & 0x08080808) << 3 | - (tmp_q & 0x10101010) >> 3 | - (tmp_q & 0x20202020) >> 2 | - (tmp_q & 0x40404040) >> 1; - } - } - - br_aes_ct_ortho(q); - for (i = 0; i < 4; i++) { - br_enc32le(out + 4 * i, q[2 * i]); - br_enc32le(out + 4 * i + 16, q[2 * i + 1]); - } - - for (i = 0; i < 32; i++) { - out[i] ^= in[i]; - } -} diff --git a/crypto_sign/sphincs-haraka-128s-simple/clean/haraka.h b/crypto_sign/sphincs-haraka-128s-simple/clean/haraka.h deleted file mode 100644 index a740b009..00000000 --- a/crypto_sign/sphincs-haraka-128s-simple/clean/haraka.h +++ /dev/null 
@@ -1,40 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_HARAKA_H
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_HARAKA_H
-
-#include
-#include
-
-typedef struct {
- uint64_t tweaked512_rc64[10][8];
- uint32_t tweaked256_rc32[10][8];
- uint32_t tweaked256_rc32_sseed[10][8];
-} harakactx;
-
-/* Tweak constants with seed */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length);
-
-/* Haraka Sponge */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S_inc_init(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S_inc_finalize(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S(
- unsigned char *out, unsigned long long outlen,
- const unsigned char *in, unsigned long long inlen, const harakactx *state);
-
-/* Applies the 512-bit Haraka permutation to in. */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-512 */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 using sk.seed constants */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-simple/clean/hash.h b/crypto_sign/sphincs-haraka-128s-simple/clean/hash.h
deleted file mode 100644
index f50e7bf2..00000000
--- a/crypto_sign/sphincs-haraka-128s-simple/clean/hash.h
+++ /dev/null
@@ -1,31 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_HASH_H
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_HASH_H
-
-#include "hash_state.h"
-
-#include
-#include
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed);
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_destroy_hash_function(hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-simple/clean/hash_haraka.c b/crypto_sign/sphincs-haraka-128s-simple/clean/hash_haraka.c
deleted file mode 100644
index 325a72ea..00000000
--- a/crypto_sign/sphincs-haraka-128s-simple/clean/hash_haraka.c
+++ /dev/null
@@ -1,96 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "haraka.h"
-#include "hash.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed) {
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_tweak_constants(hash_state_seeded, pub_seed, sk_seed, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N);
-}
-
-/* The haraka implementation is stack based and won't be replaced in PQClean/OQS,
- so we don't need to do anything */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_destroy_hash_function(
- hash_state *hash_state_seeded) { // NOLINT(readability-non-const-parameter)
- (void)hash_state_seeded;
-}
-
-/*
- * Computes PRF(key, addr), given a secret key of PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N bytes and an address
- */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- unsigned char buf[PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_BYTES];
- /* Since PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N may be smaller than 32, we need a temporary buffer. */
- unsigned char outbuf[32];
-
- (void)key; /* Suppress an 'unused parameter' warning. */
-
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_addr_to_bytes(buf, addr);
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka256_sk(outbuf, buf, hash_state_seeded);
- memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N);
-}
-
-/**
- * Computes the message-dependent randomness R, using a secret seed and an
- * optional randomization value as well as the message.
- */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded) {
- uint8_t s_inc[65];
-
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S_inc_init(s_inc);
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, sk_prf, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, optrand, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S_inc_finalize(s_inc);
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S_inc_squeeze(R, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, s_inc, hash_state_seeded);
-}
-
-/**
- * Computes the message hash using R, the public key, and the message.
- * Outputs the message digest and the index of the leaf. The index is split in
- * the tree index and the leaf index, for convenient copying to an address.
- */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded) {
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_TREE_BITS (PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_TREE_HEIGHT * (PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_D - 1))
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_TREE_BYTES ((PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_TREE_BITS + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_LEAF_BITS PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_TREE_HEIGHT
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_LEAF_BYTES ((PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_LEAF_BITS + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_DGST_BYTES (PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_MSG_BYTES + PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_TREE_BYTES + PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_LEAF_BYTES)
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_DGST_BYTES];
- unsigned char *bufp = buf;
- uint8_t s_inc[65];
-
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S_inc_init(s_inc);
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, R, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, pk + PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S_inc_finalize(s_inc);
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S_inc_squeeze(buf, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_DGST_BYTES, s_inc, hash_state_seeded);
-
- memcpy(digest, bufp, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_MSG_BYTES);
- bufp += PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_MSG_BYTES;
-
- *tree = PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_bytes_to_ull(bufp,
 PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_TREE_BYTES);
- *tree &= (~(uint64_t)0) >> (64 - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_TREE_BITS);
- bufp += PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_TREE_BYTES;
-
- *leaf_idx = (uint32_t)PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_bytes_to_ull(
- bufp, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_LEAF_BYTES);
- *leaf_idx &= (~(uint32_t)0) >> (32 - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_LEAF_BITS);
-}
diff --git a/crypto_sign/sphincs-haraka-128s-simple/clean/hash_state.h b/crypto_sign/sphincs-haraka-128s-simple/clean/hash_state.h
deleted file mode 100644
index 5adb1d9a..00000000
--- a/crypto_sign/sphincs-haraka-128s-simple/clean/hash_state.h
+++ /dev/null
@@ -1,26 +0,0 @@
-#ifndef SPX_HASH_STATE_H
-#define SPX_HASH_STATE_H
-
-/**
- * Defines the type of the hash function state.
- *
- * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
- *
- * From Section 7.2.2 from the SPHINCS+ round-2 specification:
- *
- * Each of the instances of the tweakable hash function take PK.seed as its
- * first input, which is constant for a given key pair – and, thus, across
- * a single signature. This leads to a lot of redundant computation. To remedy
- * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
- * Because of the Merkle-Damgård construction that underlies SHA-256, this
- * allows for reuse of the intermediate SHA-256 state after the initial call to
- * the compression function which improves performance.
- *
- * We pass this hash state around in functions, because otherwise we need to
- * have a global variable.
- */
-
-#include "haraka.h"
-#define hash_state harakactx
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-simple/clean/params.h b/crypto_sign/sphincs-haraka-128s-simple/clean/params.h
deleted file mode 100644
index eb2f5c3e..00000000
--- a/crypto_sign/sphincs-haraka-128s-simple/clean/params.h
+++ /dev/null
@@ -1,53 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_PARAMS_H
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_PARAMS_H
-
-/* Hash output length in bytes. */
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N 16
-/* Height of the hypertree. */
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FULL_HEIGHT 64
-/* Number of subtree layer. */
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_D 8
-/* FORS tree dimensions. */
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_HEIGHT 15
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_TREES 10
-/* Winternitz parameter, */
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_W 16
-
-/* The hash function is defined by linking a different hash.c file, as opposed
- to setting a #define constant. */
-
-/* For clarity */
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_BYTES 32
-
-/* WOTS parameters. */
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_LOGW 4
-
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_LEN1 (8 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N / PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_LOGW)
-
-/* PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_LEN2 3
-
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_LEN (PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_LEN1 + PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_LEN2)
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_BYTES (PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_LEN * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_PK_BYTES PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_BYTES
-
-/* Subtree size. */
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_TREE_HEIGHT (PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FULL_HEIGHT / PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_D)
-
-/* FORS parameters.
*/
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_MSG_BYTES ((PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_TREES + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_BYTES ((PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_HEIGHT + 1) * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_PK_BYTES PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N
-
-/* Resulting SPX sizes. */
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_BYTES (PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N + PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_BYTES + PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_D * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_BYTES +\
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FULL_HEIGHT * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_PK_BYTES (2 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_SK_BYTES (2 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N + PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_PK_BYTES)
-
-/* Optionally, signing can be made non-deterministic using optrand.
- This can help counter side-channel attacks that would benefit from
- getting a large number of traces when the signer uses the same nodes. */
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_OPTRAND_BYTES 32
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-simple/clean/sign.c b/crypto_sign/sphincs-haraka-128s-simple/clean/sign.c
deleted file mode 100644
index 89225a1d..00000000
--- a/crypto_sign/sphincs-haraka-128s-simple/clean/sign.c
+++ /dev/null
@@ -1,356 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "api.h" -#include "fors.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "randombytes.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - -/** - * Computes the leaf at a given address. First generates the WOTS key pair, - * then computes leaf by hashing horizontally. - */ -static void wots_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx, const uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - unsigned char pk[PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_BYTES]; - uint32_t wots_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_TYPE_WOTSPK); - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_keypair_addr( - wots_addr, addr_idx); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_wots_gen_pk( - pk, sk_seed, pub_seed, wots_addr, hash_state_seeded); - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_copy_keypair_addr( - wots_pk_addr, wots_addr); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_thash_WOTS_LEN( - leaf, pk, pub_seed, wots_pk_addr, hash_state_seeded); -} - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_crypto_sign_secretkeybytes(void) { - return PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_CRYPTO_SECRETKEYBYTES; -} - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_crypto_sign_publickeybytes(void) { - return PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_CRYPTO_PUBLICKEYBYTES; -} - -/* - * Returns the length of a signature, in bytes - */ -size_t 
PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_crypto_sign_bytes(void) { - return PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_CRYPTO_BYTES; -} - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_crypto_sign_seedbytes(void) { - return PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_CRYPTO_SEEDBYTES; -} - -/* - * Generates an SPX key pair given a seed of length - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_crypto_sign_seed_keypair( - uint8_t *pk, uint8_t *sk, const uint8_t *seed) { - /* We do not need the auth path in key generation, but it simplifies the - code to have just one treehash routine that computes both root and path - in one function. */ - unsigned char auth_path[PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N]; - uint32_t top_tree_addr[8] = {0}; - hash_state hash_state_seeded; - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_layer_addr( - top_tree_addr, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_D - 1); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_type( - top_tree_addr, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_TYPE_HASHTREE); - - /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */ - memcpy(sk, seed, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_CRYPTO_SEEDBYTES); - - memcpy(pk, sk + 2 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_initialize_hash_function(&hash_state_seeded, pk, sk); - - /* Compute root node of the top-most subtree. 
*/ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_treehash_TREE_HEIGHT( - sk + 3 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, auth_path, sk, sk + 2 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, 0, 0, - wots_gen_leaf, top_tree_addr, &hash_state_seeded); - - memcpy(pk + PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, sk + 3 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N); - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_destroy_hash_function(&hash_state_seeded); - return 0; -} - -/* - * Generates an SPX key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk) { - unsigned char seed[PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_CRYPTO_SEEDBYTES]; - randombytes(seed, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_CRYPTO_SEEDBYTES); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_crypto_sign_seed_keypair( - pk, sk, seed); - - return 0; -} - -/** - * Returns an array containing a detached signature. - */ -int PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - const unsigned char *sk_seed = sk; - const unsigned char *sk_prf = sk + PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N; - const unsigned char *pk = sk + 2 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N; - const unsigned char *pub_seed = pk; - - unsigned char optrand[PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N]; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_MSG_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N]; - uint32_t i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - - hash_state hash_state_seeded; - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_initialize_hash_function( - &hash_state_seeded, - pub_seed, sk_seed); - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_TYPE_HASHTREE); - - /* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. */ - randombytes(optrand, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N); - /* Compute the digest randomization value. */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_gen_message_random( - sig, sk_prf, optrand, m, mlen, &hash_state_seeded); - - /* Derive the message digest and leaf index from R, PK and M. */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N; - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - /* Sign the message hash using FORS. */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_fors_sign( - sig, root, mhash, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_BYTES; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_D; i++) { - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - /* Compute a WOTS signature. 
*/ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_wots_sign( - sig, root, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_BYTES; - - /* Compute the authentication path for the used WOTS leaf. */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_treehash_TREE_HEIGHT( - root, sig, sk_seed, pub_seed, idx_leaf, 0, - wots_gen_leaf, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_TREE_HEIGHT; - } - - *siglen = PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_BYTES; - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_destroy_hash_function(&hash_state_seeded); - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - const unsigned char *pub_seed = pk; - const unsigned char *pub_root = pk + PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_MSG_BYTES]; - unsigned char wots_pk[PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N]; - unsigned int i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - hash_state hash_state_seeded; - - if (siglen != PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_BYTES) { - return -1; - } - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_initialize_hash_function( - &hash_state_seeded, - pub_seed, NULL); - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_TYPE_HASHTREE); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_TYPE_WOTSPK); - - /* Derive the message digest and leaf index from R || PK || M. */ - /* The additional PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N is a result of the hash domain separator. */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N; - - /* Layer correctly defaults to 0, so no need to set_layer_addr */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_fors_pk_from_sig( - root, sig, mhash, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_BYTES; - - /* For each subtree.. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_D; i++) { - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_copy_keypair_addr( - wots_pk_addr, wots_addr); - - /* The WOTS public key is only correct if the signature was correct. */ - /* Initially, root is the FORS pk, but on subsequent iterations it is - the root of the subtree below the currently processed subtree. 
*/ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_wots_pk_from_sig( - wots_pk, sig, root, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_BYTES; - - /* Compute the leaf node using the WOTS public key. */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_thash_WOTS_LEN( - leaf, wots_pk, pub_seed, wots_pk_addr, &hash_state_seeded); - - /* Compute the root node of this subtree. */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_compute_root( - root, leaf, idx_leaf, 0, sig, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_TREE_HEIGHT, - pub_seed, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_TREE_HEIGHT; - } - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_destroy_hash_function(&hash_state_seeded); - /* Check if the root node equals the root node in the public key. */ - if (memcmp(root, pub_root, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N) != 0) { - return -1; - } - - return 0; -} - - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - size_t siglen; - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_crypto_sign_signature( - sm, &siglen, m, mlen, sk); - - memmove(sm + PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_BYTES, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. 
- */ -int PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk) { - /* The API caller does not necessarily know what size a signature should be - but SPHINCS+ signatures are always exactly PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_BYTES. */ - if (smlen < PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_BYTES) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_BYTES; - - if (PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_crypto_sign_verify( - sm, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_BYTES, sm + PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_BYTES, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_BYTES, *mlen); - - return 0; -} diff --git a/crypto_sign/sphincs-haraka-128s-simple/clean/thash.h b/crypto_sign/sphincs-haraka-128s-simple/clean/thash.h deleted file mode 100644 index bc97601a..00000000 --- a/crypto_sign/sphincs-haraka-128s-simple/clean/thash.h +++ /dev/null 
@@ -1,28 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_THASH_H
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_THASH_H
-
-#include "hash_state.h"
-
-#include
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_thash_1(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_thash_2(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_thash_WOTS_LEN(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_thash_FORS_TREES(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-simple/clean/thash_haraka_simple.c b/crypto_sign/sphincs-haraka-128s-simple/clean/thash_haraka_simple.c
deleted file mode 100644
index 295fceb5..00000000
--- a/crypto_sign/sphincs-haraka-128s-simple/clean/thash_haraka_simple.c
+++ /dev/null
@@ -1,83 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "params.h"
-#include "thash.h"
-
-#include "haraka.h"
-
-/**
- * Takes an array of inblocks concatenated arrays of PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N bytes.
- */
-static void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_thash(
- unsigned char *out, unsigned char *buf,
- const unsigned char *in, unsigned int inblocks,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned char outbuf[32];
- unsigned char buf_tmp[64];
-
- (void)pub_seed; /* Suppress an 'unused parameter' warning. */
-
- if (inblocks == 1) {
- /* F function */
- /* Since PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N may be smaller than 32, we need a temporary buffer. */
- memset(buf_tmp, 0, 64);
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_addr_to_bytes(buf_tmp, addr);
- memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_BYTES, in, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N);
-
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka512(outbuf, buf_tmp, hash_state_seeded);
- memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N);
- } else {
- /* All other tweakable hashes*/
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_addr_to_bytes(buf, addr);
- memcpy(buf + PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N);
-
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_haraka_S(
- out, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, buf, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_BYTES + inblocks * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, hash_state_seeded);
- }
-}
-
-/* The wrappers below ensure that we use fixed-size buffers on the stack */
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_thash_1(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_BYTES + 1 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N];
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_thash(
- out, buf, in, 1, pub_seed, addr, hash_state_seeded);
-}
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_thash_2(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_BYTES + 2 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N];
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_thash(
- out, buf, in, 2, pub_seed, addr, hash_state_seeded);
-}
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_thash_WOTS_LEN(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_LEN * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N];
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_thash(
- out, buf, in, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_LEN, pub_seed, addr, hash_state_seeded);
-}
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_thash_FORS_TREES(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N];
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_thash(
- out, buf, in, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_TREES, pub_seed, addr, hash_state_seeded);
-}
diff --git a/crypto_sign/sphincs-haraka-128s-simple/clean/utils.c b/crypto_sign/sphincs-haraka-128s-simple/clean/utils.c
deleted file mode 100644
index f53ba464..00000000
--- a/crypto_sign/sphincs-haraka-128s-simple/clean/utils.c
+++ /dev/null
@@ -1,199 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" -#include "utils.h" - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in) { - - /* Iterate over out in decreasing order, for big-endianness. */ - for (size_t i = outlen; i > 0; i--) { - out[i - 1] = in & 0xff; - in = in >> 8; - } -} - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_bytes_to_ull( - const unsigned char *in, size_t inlen) { - unsigned long long retval = 0; - - for (size_t i = 0; i < inlen; i++) { - retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i)); - } - return retval; -} - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - unsigned char buffer[2 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N]; - - /* If leaf_idx is odd (last bit = 1), current path element is a right child - and auth_path has to go left. Otherwise it is the other way around. 
*/ - if (leaf_idx & 1) { - memcpy(buffer + PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, leaf, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N); - } else { - memcpy(buffer, leaf, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, auth_path, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N; - - for (i = 0; i < tree_height - 1; i++) { - leaf_idx >>= 1; - idx_offset >>= 1; - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_tree_height(addr, i + 1); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_tree_index( - addr, leaf_idx + idx_offset); - - /* Pick the right or left neighbor, depending on parity of the node. */ - if (leaf_idx & 1) { - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_thash_2( - buffer + PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N); - } else { - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_thash_2( - buffer, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, auth_path, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N; - } - - /* The last iteration is exceptional; we do not copy an auth_path node. */ - leaf_idx >>= 1; - idx_offset >>= 1; - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_tree_height(addr, tree_height); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_tree_index( - addr, leaf_idx + idx_offset); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_thash_2( - root, buffer, pub_seed, addr, hash_state_seeded); -} - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. 
PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -static void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_treehash( - unsigned char *root, unsigned char *auth_path, - unsigned char *stack, unsigned int *heights, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - - unsigned int offset = 0; - uint32_t idx; - uint32_t tree_idx; - - for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) { - /* Add the next leaf node to the stack. */ - gen_leaf(stack + offset * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, - sk_seed, pub_seed, idx + idx_offset, tree_addr, - hash_state_seeded); - offset++; - heights[offset - 1] = 0; - - /* If this is a node we need for the auth path.. */ - if ((leaf_idx ^ 0x1) == idx) { - memcpy(auth_path, stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N); - } - - /* While the top-most nodes are of equal height.. */ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { - /* Compute index of the new node, in the next layer. */ - tree_idx = (idx >> (heights[offset - 1] + 1)); - - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_tree_height( - tree_addr, heights[offset - 1] + 1); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_tree_index( - tree_addr, tree_idx + (idx_offset >> (heights[offset - 1] + 1))); - /* Hash the top-most nodes from the stack together. 
*/ - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_thash_2( - stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, - pub_seed, tree_addr, hash_state_seeded); - offset--; - /* Note that the top-most node is now one layer higher. */ - heights[offset - 1]++; - - /* If this is a node we need for the auth path.. */ - if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) { - memcpy(auth_path + heights[offset - 1]*PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, - stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N); - } - } - } - memcpy(root, stack, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N); -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_FORS_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* 
leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_TREE_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_TREE_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_TREE_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-128s-simple/clean/utils.h b/crypto_sign/sphincs-haraka-128s-simple/clean/utils.h deleted file mode 100644 index 7d6ba13d..00000000 --- a/crypto_sign/sphincs-haraka-128s-simple/clean/utils.h +++ /dev/null 
@@ -1,64 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_UTILS_H
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_UTILS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-#include
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ull_to_bytes(
- unsigned char *out, size_t outlen, unsigned long long in);
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-unsigned long long PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_bytes_to_ull(
- const unsigned char *in, size_t inlen);
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_compute_root(
- unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_treehash_FORS_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_treehash_TREE_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-128s-simple/clean/wots.c b/crypto_sign/sphincs-haraka-128s-simple/clean/wots.c
deleted file mode 100644
index 9ec8b0b6..00000000
--- a/crypto_sign/sphincs-haraka-128s-simple/clean/wots.c
+++ /dev/null
@@ -1,167 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "hash.h"
-#include "hash_state.h"
-#include "params.h"
-#include "thash.h"
-#include "utils.h"
-#include "wots.h"
-
-// TODO clarify address expectations, and make them more uniform.
-// TODO i.e. do we expect types to be set already?
-// TODO and do we expect modifications or copies?
-
-/**
- * Computes the starting value for a chain, i.e. the secret key.
- * Expects the address to be complete up to the chain address.
- */
-static void wots_gen_sk(unsigned char *sk, const unsigned char *sk_seed,
- uint32_t wots_addr[8],
- const hash_state *hash_state_seeded) {
- /* Make sure that the hash address is actually zeroed. */
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_hash_addr(wots_addr, 0);
-
- /* Generate sk element. */
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_prf_addr(sk, sk_seed, wots_addr, hash_state_seeded);
-}
-
-/**
- * Computes the chaining function.
- * out and in have to be n-byte arrays.
- *
- * Interprets in as start-th value of the chain.
- * addr has to contain the address of the chain.
- */
-static void gen_chain(unsigned char *out, const unsigned char *in,
- unsigned int start, unsigned int steps,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- uint32_t i;
-
- /* Initialize out with the value at position 'start'. */
- memcpy(out, in, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N);
-
- /* Iterate 'steps' calls to the hash function. */
- for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_W; i++) {
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_hash_addr(addr, i);
- PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_thash_1(
- out, out, pub_seed, addr, hash_state_seeded);
- }
-}
-
-/**
- * base_w algorithm as described in draft.
- * Interprets an array of bytes as integers in base w.
- * This only works when log_w is a divisor of 8.
- */ -static void base_w(unsigned int *output, const size_t out_len, - const unsigned char *input) { - size_t in = 0; - size_t out = 0; - unsigned char total = 0; - unsigned int bits = 0; - size_t consumed; - - for (consumed = 0; consumed < out_len; consumed++) { - if (bits == 0) { - total = input[in]; - in++; - bits += 8; - } - bits -= PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_LOGW; - output[out] = (unsigned int)((total >> bits) & (PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_W - 1)); - out++; - } -} - -/* Computes the WOTS+ checksum over a message (in base_w). */ -static void wots_checksum(unsigned int *csum_base_w, - const unsigned int *msg_base_w) { - unsigned int csum = 0; - unsigned char csum_bytes[(PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_LOGW + 7) / 8]; - unsigned int i; - - /* Compute checksum. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_LEN1; i++) { - csum += PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_W - 1 - msg_base_w[i]; - } - - /* Convert checksum to base_w. */ - /* Make sure expected empty zero bits are the least significant bits. */ - csum = csum << (8 - ((PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_LOGW) % 8)); - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_ull_to_bytes( - csum_bytes, sizeof(csum_bytes), csum); - base_w(csum_base_w, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_LEN2, csum_bytes); -} - -/* Takes a message and derives the matching chain lengths. */ -static void chain_lengths(unsigned int *lengths, const unsigned char *msg) { - base_w(lengths, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_LEN1, msg); - wots_checksum(lengths + PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_LEN1, lengths); -} - -/** - * WOTS key generation. Takes a 32 byte sk_seed, expands it to WOTS private key - * elements and computes the corresponding public key. 
- * It requires the seed pub_seed (used to generate bitmasks and hash keys) - * and the address of this WOTS key pair. - * - * Writes the computed public key to 'pk'. - */ -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_wots_gen_pk( - unsigned char *pk, const unsigned char *sk_seed, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_chain_addr(addr, i); - wots_gen_sk(pk + i * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, sk_seed, addr, hash_state_seeded); - gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, pk + i * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, - 0, PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_W - 1, pub_seed, addr, hash_state_seeded); - } -} - -/** - * Takes a n-byte message and the 32-byte sk_see to compute a signature 'sig'. - */ -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_wots_sign( - unsigned char *sig, const unsigned char *msg, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t addr[8], const hash_state *hash_state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_chain_addr(addr, i); - wots_gen_sk(sig + i * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, sk_seed, addr, hash_state_seeded); - gen_chain(sig + i * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, sig + i * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, 0, lengths[i], pub_seed, addr, hash_state_seeded); - } -} - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. 
- */ -void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_wots_pk_from_sig( - unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_set_chain_addr(addr, i); - gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, sig + i * PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_N, - lengths[i], PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_W - 1 - lengths[i], pub_seed, addr, - hash_state_seeded); - } -} diff --git a/crypto_sign/sphincs-haraka-128s-simple/clean/wots.h b/crypto_sign/sphincs-haraka-128s-simple/clean/wots.h deleted file mode 100644 index 6455e15c..00000000 --- a/crypto_sign/sphincs-haraka-128s-simple/clean/wots.h +++ /dev/null 
@@ -1,41 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_H
-#define PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_WOTS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-
-/**
- * WOTS key generation. Takes a 32 byte seed for the private key, expands it to
- * a full WOTS private key and computes the corresponding public key.
- * It requires the seed pub_seed (used to generate bitmasks and hash keys)
- * and the address of this WOTS key pair.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_wots_gen_pk(
- unsigned char *pk, const unsigned char *sk_seed,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * Takes a n-byte message and the 32-byte seed for the private key to compute a
- * signature that is placed at 'sig'.
- */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_wots_sign(
- unsigned char *sig, const unsigned char *msg,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA128SSIMPLE_CLEAN_wots_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-robust/META.yml b/crypto_sign/sphincs-haraka-192f-robust/META.yml
deleted file mode 100644
index e5a224bb..00000000
--- a/crypto_sign/sphincs-haraka-192f-robust/META.yml
+++ /dev/null
@@ -1,35 +0,0 @@ -name: SPHINCS+ -type: signature -claimed-nist-level: 3 -length-public-key: 48 -length-secret-key: 96 -length-signature: 35664 -testvectors-sha256: 28a3b10cfcd0bd8b2b9789f7ceb86f764b3be5f22aacad9d66b51d76077d8bc0 -nistkat-sha256: 1d32cab46df0d4e6678a06a9eae7b187c80eaedf56b1e7d221035d7c6f08ef06 -principal-submitters: - - Andreas Hülsing -auxiliary-submitters: - - Jean-Philippe Aumasson - - Daniel J. Bernstein, - - Christoph Dobraunig - - Maria Eichlseder - - Scott Fluhrer - - Stefan-Lukas Gazdag - - Panos Kampanakis - - Stefan Kölbl - - Tanja Lange - - Martin M. Lauridsen - - Florian Mendel - - Ruben Niederhagen - - Christian Rechberger - - Joost Rijneveld - - Peter Schwabe -implementations: - - name: clean - version: https://github.com/sphincs/sphincsplus/commit/77755c94d0bc744478044d6efbb888dc13156441 - - name: aesni - version: https://github.com/sphincs/sphincsplus/commit/77755c94d0bc744478044d6efbb888dc13156441 - supported_platforms: - - architecture: x86_64 - required_flags: - - aes diff --git a/crypto_sign/sphincs-haraka-192f-robust/aesni/LICENSE b/crypto_sign/sphincs-haraka-192f-robust/aesni/LICENSE deleted file mode 100644 index 670154e3..00000000 --- a/crypto_sign/sphincs-haraka-192f-robust/aesni/LICENSE +++ /dev/null 
@@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. 
publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. 
Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. 
Affirmer offers the Work as-is and makes no representations or warranties - of any kind concerning the Work, express, implied, statutory or otherwise, - including without limitation warranties of title, merchantability, fitness - for a particular purpose, non infringement, or the absence of latent or - other defects, accuracy, or the present or absence of errors, whether or not - discoverable, all to the greatest extent permissible under applicable law. - - c. Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without limitation - any person's Copyright and Related Rights in the Work. Further, Affirmer - disclaims responsibility for obtaining any necessary consents, permissions - or other rights required for any use of the Work. - - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to this - CC0 or use of the Work. - -For more information, please see - diff --git a/crypto_sign/sphincs-haraka-192f-robust/aesni/Makefile.Microsoft_nmake b/crypto_sign/sphincs-haraka-192f-robust/aesni/Makefile.Microsoft_nmake deleted file mode 100644 index a346af35..00000000 --- a/crypto_sign/sphincs-haraka-192f-robust/aesni/Makefile.Microsoft_nmake +++ /dev/null 
@@ -1,23 +0,0 @@ -# This Makefile can be used with Microsoft Visual Studio's nmake using the command: -# nmake /f Makefile.Microsoft_nmake - -LIBRARY=libsphincs-haraka-192f-robust_aesni.lib -OBJECTS=address.obj wots.obj utils.obj utilsx4.obj fors.obj sign.obj hash_haraka.obj thash_haraka_robust.obj hash_harakax4.obj thash_haraka_robustx4.obj haraka.obj - -# We ignore warning C4127: in thash_haraka_*x4.c we use a conditional -# that when the macro is generated for inblocks = 1 results in a case -# with `if (1 == 1)`. The compiler should just optimise this away, but -# on MSVC we get a compiler complaint. -CFLAGS=/nologo /arch:AVX /O2 /I ..\..\..\common /W4 /WX /wd4127 - -all: $(LIBRARY) - -# Make sure objects are recompiled if headers change. -$(OBJECTS): *.h - -$(LIBRARY): $(OBJECTS) - LIB.EXE /NOLOGO /WX /OUT:$@ $** - -clean: - -DEL $(OBJECTS) - -DEL $(LIBRARY) diff --git a/crypto_sign/sphincs-haraka-192f-robust/aesni/address.c b/crypto_sign/sphincs-haraka-192f-robust/aesni/address.c deleted file mode 100644 index e40ab3e1..00000000 --- a/crypto_sign/sphincs-haraka-192f-robust/aesni/address.c +++ /dev/null 
@@ -1,78 +0,0 @@
-#include
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]) {
- int i;
-
- for (i = 0; i < 8; i++) {
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ull_to_bytes(
- bytes + i * 4, 4, addr[i]);
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_layer_addr(
- uint32_t addr[8], uint32_t layer) {
- addr[0] = layer;
-}
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_tree_addr(
- uint32_t addr[8], uint64_t tree) {
- addr[1] = 0;
- addr[2] = (uint32_t) (tree >> 32);
- addr[3] = (uint32_t) tree;
-}
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_type(
- uint32_t addr[8], uint32_t type) {
- addr[4] = type;
-}
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
-}
-
-/* These functions are used for OTS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair) {
- addr[5] = keypair;
-}
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
- out[5] = in[5];
-}
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_chain_addr(
- uint32_t addr[8], uint32_t chain) {
- addr[6] = chain;
-}
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_hash_addr(
- uint32_t addr[8], uint32_t hash) {
- addr[7] = hash;
-}
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_tree_height(
- uint32_t addr[8], uint32_t tree_height) {
- addr[6] = tree_height;
-}
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_tree_index(
- uint32_t addr[8], uint32_t tree_index) {
- addr[7] = tree_index;
-}
diff --git a/crypto_sign/sphincs-haraka-192f-robust/aesni/address.h b/crypto_sign/sphincs-haraka-192f-robust/aesni/address.h
deleted file mode 100644
index bf73cc57..00000000
--- a/crypto_sign/sphincs-haraka-192f-robust/aesni/address.h
+++ /dev/null
@@ -1,50 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDRESS_H
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDRESS_H
-
-#include
-
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_TYPE_WOTS 0
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_TYPE_WOTSPK 1
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_TYPE_HASHTREE 2
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_TYPE_FORSTREE 3
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_TYPE_FORSPK 4
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]);
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_layer_addr(
- uint32_t addr[8], uint32_t layer);
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_tree_addr(
- uint32_t addr[8], uint64_t tree);
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_type(
- uint32_t addr[8], uint32_t type);
-
-/* Copies the layer and tree part of one address into the other */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for WOTS and FORS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair);
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_chain_addr(
- uint32_t addr[8], uint32_t chain);
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_hash_addr(
- uint32_t addr[8], uint32_t hash);
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_tree_height(
- uint32_t addr[8], uint32_t tree_height);
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_tree_index(
- uint32_t addr[8], uint32_t tree_index);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-robust/aesni/api.h b/crypto_sign/sphincs-haraka-192f-robust/aesni/api.h
deleted file mode 100644
index da73bc17..00000000
--- a/crypto_sign/sphincs-haraka-192f-robust/aesni/api.h
+++ /dev/null
@@ -1,81 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_API_H
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_API_H
-
-#include
-#include
-
-
-
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_CRYPTO_ALGNAME "SPHINCS+"
-
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_CRYPTO_SECRETKEYBYTES 96
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_CRYPTO_PUBLICKEYBYTES 48
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_CRYPTO_BYTES 35664
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_CRYPTO_SEEDBYTES 72
-
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_crypto_sign_seed_keypair(
- uint8_t *pk, uint8_t *sk, const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_crypto_sign_keypair(
- uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-int PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen, const uint8_t *pk);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-robust/aesni/fors.c b/crypto_sign/sphincs-haraka-192f-robust/aesni/fors.c
deleted file mode 100644
index 4ac8d3f6..00000000
--- a/crypto_sign/sphincs-haraka-192f-robust/aesni/fors.c
+++ /dev/null
@@ -1,206 +0,0 @@
-#include
-#include
-#include
-
-#include "address.h"
-#include "fors.h"
-#include "hash.h"
-#include "hashx4.h"
-#include "thash.h"
-#include "thashx4.h"
-#include "utils.h"
-#include "utilsx4.h"
-
-static void fors_gen_skx4(unsigned char *sk0,
- unsigned char *sk1,
- unsigned char *sk2,
- unsigned char *sk3, const unsigned char *sk_seed,
- uint32_t fors_leaf_addrx4[4 * 8],
- const hash_state *state_seeded) {
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_prf_addrx4(sk0, sk1, sk2, sk3, sk_seed, fors_leaf_addrx4, state_seeded);
-}
-
-static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk,
- const unsigned char *pub_seed,
- uint32_t fors_leaf_addr[8], const hash_state *state_seeded) {
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_thash_1(leaf, sk, pub_seed, fors_leaf_addr, state_seeded);
-}
-
-static void fors_sk_to_leafx4(unsigned char *leaf0,
- unsigned char *leaf1,
- unsigned char *leaf2,
- unsigned char *leaf3,
- const unsigned char *sk0,
- const unsigned char *sk1,
- const unsigned char *sk2,
- const unsigned char *sk3,
- const unsigned char *pub_seed,
- uint32_t fors_leaf_addrx4[4 * 8],
- const hash_state *state_seeded) {
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_thashx4_1(leaf0, leaf1, leaf2, leaf3,
- sk0, sk1, sk2, sk3, pub_seed, fors_leaf_addrx4, state_seeded);
-}
-
-static void fors_gen_leafx4(unsigned char *leaf0,
- unsigned char *leaf1,
- unsigned char *leaf2,
- unsigned char *leaf3,
- const unsigned char *sk_seed,
- const unsigned char *pub_seed,
- uint32_t addr_idx0,
- uint32_t addr_idx1,
- uint32_t addr_idx2,
- uint32_t addr_idx3,
- const uint32_t fors_tree_addr[8],
- const hash_state *state_seeded) {
- uint32_t fors_leaf_addrx4[4 * 8] = {0};
- unsigned int j;
-
- /* Only copy the parts that must be kept in fors_leaf_addrx4.
*/
- for (j = 0; j < 4; j++) {
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_copy_keypair_addr(fors_leaf_addrx4 + j * 8, fors_tree_addr);
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_type(fors_leaf_addrx4 + j * 8, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_TYPE_FORSTREE);
- }
-
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_tree_index(fors_leaf_addrx4 + 0 * 8, addr_idx0);
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_tree_index(fors_leaf_addrx4 + 1 * 8, addr_idx1);
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_tree_index(fors_leaf_addrx4 + 2 * 8, addr_idx2);
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_tree_index(fors_leaf_addrx4 + 3 * 8, addr_idx3);
-
- fors_gen_skx4(leaf0, leaf1, leaf2, leaf3, sk_seed, fors_leaf_addrx4, state_seeded);
- fors_sk_to_leafx4(leaf0, leaf1, leaf2, leaf3,
- leaf0, leaf1, leaf2, leaf3, pub_seed, fors_leaf_addrx4, state_seeded);
-}
-
-/**
- * Interprets m as PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_HEIGHT-bit unsigned integers.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_TREES bits.
- * Assumes indices has space for PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_TREES integers.
- */
-static void message_to_indices(uint32_t *indices, const unsigned char *m) {
- unsigned int i, j;
- unsigned int offset = 0;
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_TREES; i++) {
- indices[i] = 0;
- for (j = 0; j < PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_HEIGHT; j++) {
- indices[i] ^= (((uint32_t)m[offset >> 3] >> (offset & 0x7)) & 0x1) << j;
- offset++;
- }
- }
-}
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_fors_sign(unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- const uint32_t fors_addr[8], const hash_state *state_seeded) {
- /* Round up to multiple of 4 to prevent out-of-bounds for x4 parallelism */
- uint32_t indices[(PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_TREES + 3) & ~3] = {0};
- unsigned char roots[((PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_TREES + 3) & ~3) * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N];
- /* Sign to a buffer, since we may not have a nice multiple of 4 and would
- otherwise overrun the signature. */
- unsigned char sigbufx4[4 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N * (1 + PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_HEIGHT)];
- uint32_t fors_tree_addrx4[4 * 8] = {0};
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset[4] = {0};
- unsigned int i, j;
-
- for (j = 0; j < 4; j++) {
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_copy_keypair_addr(fors_tree_addrx4 + j * 8, fors_addr);
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_type(fors_tree_addrx4 + j * 8, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_TYPE_FORSTREE);
- }
-
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_copy_keypair_addr(fors_pk_addr, fors_addr);
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < ((PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_TREES + 3) & ~0x3); i += 4) {
- for (j = 0; j < 4; j++) {
- if (i + j < PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_TREES) {
- idx_offset[j] = (i + j) * (1 << PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_HEIGHT);
-
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_tree_height(fors_tree_addrx4 + j * 8, 0);
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_tree_index(fors_tree_addrx4 + j * 8,
- indices[i + j] + idx_offset[j]);
- }
- }
-
- /* Include the secret key part that produces the selected leaf nodes.
*/
- fors_gen_skx4(sigbufx4 + 0 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N,
- sigbufx4 + 1 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N,
- sigbufx4 + 2 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N,
- sigbufx4 + 3 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N,
- sk_seed, fors_tree_addrx4, state_seeded);
-
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_treehashx4_FORS_HEIGHT(roots + i * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, sigbufx4 + 4 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, sk_seed, pub_seed,
- &indices[i], idx_offset, fors_gen_leafx4, fors_tree_addrx4,
- state_seeded);
-
- for (j = 0; j < 4; j++) {
- if (i + j < PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_TREES) {
- memcpy(sig, sigbufx4 + j * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N);
- memcpy(sig + PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N,
- sigbufx4 + 4 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N + j * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_HEIGHT,
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_HEIGHT);
- sig += PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N * (1 + PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_HEIGHT);
- }
- }
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, state_seeded);
-}
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_fors_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const unsigned char *pub_seed,
- const uint32_t fors_addr[8],
- const hash_state *state_seeded) {
- uint32_t indices[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_TREES];
- unsigned char roots[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N];
- unsigned char leaf[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N];
- uint32_t fors_tree_addr[8] = {0};
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset;
- unsigned int i;
-
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_copy_keypair_addr(fors_tree_addr, fors_addr);
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_copy_keypair_addr(fors_pk_addr, fors_addr);
-
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_type(fors_tree_addr, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_TYPE_FORSTREE);
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_TREES; i++) {
- idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_HEIGHT);
-
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_tree_height(fors_tree_addr, 0);
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_tree_index(fors_tree_addr, indices[i] + idx_offset);
-
- /* Derive the leaf from the included secret key part. */
- fors_sk_to_leaf(leaf, sig, pub_seed, fors_tree_addr, state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N;
-
- /* Derive the corresponding root node of this tree.
*/
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_compute_root(roots + i * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, leaf, indices[i], idx_offset,
- sig, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_HEIGHT, pub_seed, fors_tree_addr,
- state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, state_seeded);
-}
diff --git a/crypto_sign/sphincs-haraka-192f-robust/aesni/fors.h b/crypto_sign/sphincs-haraka-192f-robust/aesni/fors.h
deleted file mode 100644
index 52a51e09..00000000
--- a/crypto_sign/sphincs-haraka-192f-robust/aesni/fors.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_H
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_H
-
-#include
-
-#include "hash_state.h"
-#include "params.h"
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_fors_sign(
- unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- const uint32_t fors_addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_fors_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const unsigned char *pub_seed, const uint32_t fors_addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-robust/aesni/haraka.c b/crypto_sign/sphincs-haraka-192f-robust/aesni/haraka.c
deleted file mode 100644
index 2489d3e8..00000000
--- a/crypto_sign/sphincs-haraka-192f-robust/aesni/haraka.c
+++ /dev/null
@@ -1,801 +0,0 @@ -/* -Plain C implementation of the Haraka256 and Haraka512 permutations. -*/ -#include -#include -#include -#include -#include - -#include "haraka.h" - -#define HARAKAS_RATE 32 - -#define u64 uint64_t -#define u128 __m128i - -#define LOAD(src) _mm_loadu_si128((u128 *)(src)) -#define STORE(dest,src) _mm_storeu_si128((u128 *)(dest),src) - -#define XOR128(a, b) _mm_xor_si128(a, b) - -#define AES2(s0, s1, rci) \ - (s0) = _mm_aesenc_si128(s0, *(rci)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 1)); \ - (s0) = _mm_aesenc_si128(s0, *((rci) + 2)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 3)); - -#define AES2_4x(s0, s1, s2, s3, rci) \ - AES2((s0)[0], (s0)[1], rci); \ - AES2((s1)[0], (s1)[1], rci); \ - AES2((s2)[0], (s2)[1], rci); \ - AES2((s3)[0], (s3)[1], rci); - -#define AES4(s0, s1, s2, s3, rci) \ - (s0) = _mm_aesenc_si128(s0, *(rci)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 1)); \ - (s2) = _mm_aesenc_si128(s2, *((rci) + 2)); \ - (s3) = _mm_aesenc_si128(s3, *((rci) + 3)); \ - (s0) = _mm_aesenc_si128(s0, *((rci) + 4)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 5)); \ - (s2) = _mm_aesenc_si128(s2, *((rci) + 6)); \ - (s3) = _mm_aesenc_si128(s3, *((rci) + 7)); - -#define AES4_4x(s0, s1, s2, s3, rci) \ - AES4((s0)[0], (s0)[1], (s0)[2], (s0)[3], rci); \ - AES4((s1)[0], (s1)[1], (s1)[2], (s1)[3], rci); \ - AES4((s2)[0], (s2)[1], (s2)[2], (s2)[3], rci); \ - AES4((s3)[0], (s3)[1], (s3)[2], (s3)[3], rci); - -#define MIX2(s0, s1) \ - tmp = _mm_unpacklo_epi32(s0, s1); \ - (s1) = _mm_unpackhi_epi32(s0, s1); \ - (s0) = tmp; - -#define MIX4(s0, s1, s2, s3) \ - tmp = _mm_unpacklo_epi32(s0, s1); \ - (s0) = _mm_unpackhi_epi32(s0, s1); \ - (s1) = _mm_unpacklo_epi32(s2, s3); \ - (s2) = _mm_unpackhi_epi32(s2, s3); \ - (s3) = _mm_unpacklo_epi32(s0, s2); \ - (s0) = _mm_unpackhi_epi32(s0, s2); \ - (s2) = _mm_unpackhi_epi32(s1, tmp); \ - (s1) = _mm_unpacklo_epi32(s1, tmp); - -#define TRUNCSTORE(out, s0, s1, s2, s3) \ - _mm_storeu_si128((u128 *)(out), \ - 
_mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(s0), _mm_castsi128_pd(s1), 3))); \ - _mm_storeu_si128((u128 *)((out) + 16), \ - _mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(s2), _mm_castsi128_pd(s3), 0))); - -static void load_haraka_constants(u128 rc[40]) { - rc[ 0] = _mm_set_epi32((int)0x0684704c, (int)0xe620c00a, (int)0xb2c5fef0, (int)0x75817b9d); - rc[ 1] = _mm_set_epi32((int)0x8b66b4e1, (int)0x88f3a06b, (int)0x640f6ba4, (int)0x2f08f717); - rc[ 2] = _mm_set_epi32((int)0x3402de2d, (int)0x53f28498, (int)0xcf029d60, (int)0x9f029114); - rc[ 3] = _mm_set_epi32((int)0x0ed6eae6, (int)0x2e7b4f08, (int)0xbbf3bcaf, (int)0xfd5b4f79); - rc[ 4] = _mm_set_epi32((int)0xcbcfb0cb, (int)0x4872448b, (int)0x79eecd1c, (int)0xbe397044); - rc[ 5] = _mm_set_epi32((int)0x7eeacdee, (int)0x6e9032b7, (int)0x8d5335ed, (int)0x2b8a057b); - rc[ 6] = _mm_set_epi32((int)0x67c28f43, (int)0x5e2e7cd0, (int)0xe2412761, (int)0xda4fef1b); - rc[ 7] = _mm_set_epi32((int)0x2924d9b0, (int)0xafcacc07, (int)0x675ffde2, (int)0x1fc70b3b); - rc[ 8] = _mm_set_epi32((int)0xab4d63f1, (int)0xe6867fe9, (int)0xecdb8fca, (int)0xb9d465ee); - rc[ 9] = _mm_set_epi32((int)0x1c30bf84, (int)0xd4b7cd64, (int)0x5b2a404f, (int)0xad037e33); - rc[10] = _mm_set_epi32((int)0xb2cc0bb9, (int)0x941723bf, (int)0x69028b2e, (int)0x8df69800); - rc[11] = _mm_set_epi32((int)0xfa0478a6, (int)0xde6f5572, (int)0x4aaa9ec8, (int)0x5c9d2d8a); - rc[12] = _mm_set_epi32((int)0xdfb49f2b, (int)0x6b772a12, (int)0x0efa4f2e, (int)0x29129fd4); - rc[13] = _mm_set_epi32((int)0x1ea10344, (int)0xf449a236, (int)0x32d611ae, (int)0xbb6a12ee); - rc[14] = _mm_set_epi32((int)0xaf044988, (int)0x4b050084, (int)0x5f9600c9, (int)0x9ca8eca6); - rc[15] = _mm_set_epi32((int)0x21025ed8, (int)0x9d199c4f, (int)0x78a2c7e3, (int)0x27e593ec); - rc[16] = _mm_set_epi32((int)0xbf3aaaf8, (int)0xa759c9b7, (int)0xb9282ecd, (int)0x82d40173); - rc[17] = _mm_set_epi32((int)0x6260700d, (int)0x6186b017, (int)0x37f2efd9, (int)0x10307d6b); - rc[18] = _mm_set_epi32((int)0x5aca45c2, 
(int)0x21300443, (int)0x81c29153, (int)0xf6fc9ac6); - rc[19] = _mm_set_epi32((int)0x9223973c, (int)0x226b68bb, (int)0x2caf92e8, (int)0x36d1943a); - rc[20] = _mm_set_epi32((int)0xd3bf9238, (int)0x225886eb, (int)0x6cbab958, (int)0xe51071b4); - rc[21] = _mm_set_epi32((int)0xdb863ce5, (int)0xaef0c677, (int)0x933dfddd, (int)0x24e1128d); - rc[22] = _mm_set_epi32((int)0xbb606268, (int)0xffeba09c, (int)0x83e48de3, (int)0xcb2212b1); - rc[23] = _mm_set_epi32((int)0x734bd3dc, (int)0xe2e4d19c, (int)0x2db91a4e, (int)0xc72bf77d); - rc[24] = _mm_set_epi32((int)0x43bb47c3, (int)0x61301b43, (int)0x4b1415c4, (int)0x2cb3924e); - rc[25] = _mm_set_epi32((int)0xdba775a8, (int)0xe707eff6, (int)0x03b231dd, (int)0x16eb6899); - rc[26] = _mm_set_epi32((int)0x6df3614b, (int)0x3c755977, (int)0x8e5e2302, (int)0x7eca472c); - rc[27] = _mm_set_epi32((int)0xcda75a17, (int)0xd6de7d77, (int)0x6d1be5b9, (int)0xb88617f9); - rc[28] = _mm_set_epi32((int)0xec6b43f0, (int)0x6ba8e9aa, (int)0x9d6c069d, (int)0xa946ee5d); - rc[29] = _mm_set_epi32((int)0xcb1e6950, (int)0xf957332b, (int)0xa2531159, (int)0x3bf327c1); - rc[30] = _mm_set_epi32((int)0x2cee0c75, (int)0x00da619c, (int)0xe4ed0353, (int)0x600ed0d9); - rc[31] = _mm_set_epi32((int)0xf0b1a5a1, (int)0x96e90cab, (int)0x80bbbabc, (int)0x63a4a350); - rc[32] = _mm_set_epi32((int)0xae3db102, (int)0x5e962988, (int)0xab0dde30, (int)0x938dca39); - rc[33] = _mm_set_epi32((int)0x17bb8f38, (int)0xd554a40b, (int)0x8814f3a8, (int)0x2e75b442); - rc[34] = _mm_set_epi32((int)0x34bb8a5b, (int)0x5f427fd7, (int)0xaeb6b779, (int)0x360a16f6); - rc[35] = _mm_set_epi32((int)0x26f65241, (int)0xcbe55438, (int)0x43ce5918, (int)0xffbaafde); - rc[36] = _mm_set_epi32((int)0x4ce99a54, (int)0xb9f3026a, (int)0xa2ca9cf7, (int)0x839ec978); - rc[37] = _mm_set_epi32((int)0xae51a51a, (int)0x1bdff7be, (int)0x40c06e28, (int)0x22901235); - rc[38] = _mm_set_epi32((int)0xa0c1613c, (int)0xba7ed22b, (int)0xc173bc0f, (int)0x48a659cf); - rc[39] = _mm_set_epi32((int)0x756acc03, (int)0x02288288, 
(int)0x4ad6bdfd, (int)0xe9c59da1); -} - -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_tweak_constants( - harakactx *state, - const unsigned char *pk_seed, const unsigned char *sk_seed, - unsigned long long seed_length) { - int i; - unsigned char buf[40 * 16]; - - /* Use the standard constants to generate tweaked ones. */ - load_haraka_constants(state->rc); - - /* Constants for sk.seed */ - if (sk_seed != NULL) { - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_S(buf, 40 * 16, sk_seed, seed_length, state); - /* Tweak constants with the pub_seed */ - for (i = 0; i < 40; i++) { - state->rc_sseed[i] = LOAD(buf + i * 16); - } - } - - /* Constants for pk.seed */ - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_S(buf, 40 * 16, pk_seed, seed_length, state); - - /* Tweak constants with the pub_seed */ - for (i = 0; i < 40; i++) { - state->rc[i] = LOAD(buf + i * 16); - } -} - -static void haraka_S_absorb(unsigned char *s, - const unsigned char *m, unsigned long long mlen, - unsigned char p, - const harakactx *state) { - unsigned long long i; - unsigned char t[HARAKAS_RATE]; - - while (mlen >= HARAKAS_RATE) { - // XOR block to state - STORE(s, XOR128(LOAD(s), LOAD(m))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(m + 16))); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka512_perm(s, s, state); - mlen -= HARAKAS_RATE; - m += HARAKAS_RATE; - } - - for (i = 0; i < HARAKAS_RATE; ++i) { - t[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t[i] = m[i]; - } - t[i] = p; - t[HARAKAS_RATE - 1] |= 128; - STORE(s, XOR128(LOAD(s), LOAD(t))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(t + 16))); -} - -static void haraka_S_absorb4x(unsigned char *s, - const unsigned char *m0, - const unsigned char *m1, - const unsigned char *m2, - const unsigned char *m3, - unsigned long long int mlen, - unsigned char p, - const harakactx *state) { - unsigned long long i; - unsigned char t0[HARAKAS_RATE]; - unsigned char t1[HARAKAS_RATE]; - unsigned char t2[HARAKAS_RATE]; - unsigned char t3[HARAKAS_RATE]; - - while (mlen 
>= HARAKAS_RATE) { - // XOR block to state - STORE(s, XOR128(LOAD(s), LOAD(m0))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(m0 + 16))); - STORE(s + 64, XOR128(LOAD(s + 64), LOAD(m1))); - STORE(s + 80, XOR128(LOAD(s + 80), LOAD(m1 + 16))); - STORE(s + 128, XOR128(LOAD(s + 128), LOAD(m2))); - STORE(s + 144, XOR128(LOAD(s + 144), LOAD(m2 + 16))); - STORE(s + 192, XOR128(LOAD(s + 192), LOAD(m3))); - STORE(s + 208, XOR128(LOAD(s + 208), LOAD(m3 + 16))); - - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka512_perm_x4(s, s, state); - mlen -= HARAKAS_RATE; - m0 += HARAKAS_RATE; - m1 += HARAKAS_RATE; - m2 += HARAKAS_RATE; - m3 += HARAKAS_RATE; - } - - for (i = 0; i < HARAKAS_RATE; ++i) { - t0[i] = 0; - t1[i] = 0; - t2[i] = 0; - t3[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t0[i] = m0[i]; - t1[i] = m1[i]; - t2[i] = m2[i]; - t3[i] = m3[i]; - } - - t0[i] = p; - t1[i] = p; - t2[i] = p; - t3[i] = p; - - t0[HARAKAS_RATE - 1] |= 128; - t1[HARAKAS_RATE - 1] |= 128; - t2[HARAKAS_RATE - 1] |= 128; - t3[HARAKAS_RATE - 1] |= 128; - - STORE(s, XOR128(LOAD(s), LOAD(t0))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(t0 + 16))); - STORE(s + 64, XOR128(LOAD(s + 64), LOAD(t1))); - STORE(s + 80, XOR128(LOAD(s + 80), LOAD(t1 + 16))); - STORE(s + 128, XOR128(LOAD(s + 128), LOAD(t2))); - STORE(s + 144, XOR128(LOAD(s + 144), LOAD(t2 + 16))); - STORE(s + 192, XOR128(LOAD(s + 192), LOAD(t3))); - STORE(s + 208, XOR128(LOAD(s + 208), LOAD(t3 + 16))); -} - -static void haraka_S_squeezeblocks(unsigned char *h, unsigned long long nblocks, - unsigned char *s, unsigned int r, const harakactx *state) { - while (nblocks > 0) { - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka512_perm(s, s, state); - STORE(h, LOAD(s)); - STORE(h + 16, LOAD(s + 16)); - h += r; - nblocks--; - } -} - -static void haraka_S_squeezeblocks4x(unsigned char *h0, - unsigned char *h1, - unsigned char *h2, - unsigned char *h3, - unsigned long long nblocks, - unsigned char *s, - unsigned int r, - const harakactx *state) { - while (nblocks > 0) 
{ - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka512_perm_x4(s, s, state); - STORE(h0, LOAD(s)); - STORE(h0 + 16, LOAD(s + 16)); - STORE(h1, LOAD(s + 64)); - STORE(h1 + 16, LOAD(s + 80)); - STORE(h2, LOAD(s + 128)); - STORE(h2 + 16, LOAD(s + 144)); - STORE(h3, LOAD(s + 192)); - STORE(h3 + 16, LOAD(s + 208)); - h0 += r; - h1 += r; - h2 += r; - h3 += r; - nblocks--; - } -} - -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_S_inc_init(uint8_t *s_inc) { - size_t i; - - for (i = 0; i < 64; i++) { - s_inc[i] = 0; - } - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state) { - size_t i; - - /* Recall that s_inc[64] is the non-absorbed bytes xored into the state */ - while (mlen + s_inc[64] >= HARAKAS_RATE) { - for (i = 0; i < (size_t)(HARAKAS_RATE - s_inc[64]); i++) { - /* Take the i'th byte from message - xor with the s_inc[64] + i'th byte of the state */ - s_inc[s_inc[64] + i] ^= m[i]; - } - mlen -= (size_t)(HARAKAS_RATE - s_inc[64]); - m += HARAKAS_RATE - s_inc[64]; - s_inc[64] = 0; - - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka512_perm(s_inc, s_inc, state); - } - - for (i = 0; i < mlen; i++) { - s_inc[s_inc[64] + i] ^= m[i]; - } - s_inc[64] = (uint8_t)(s_inc[64] + mlen); -} - -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_S_inc_finalize(uint8_t *s_inc) { - /* After haraka_S_inc_absorb, we are guaranteed that s_inc[64] < HARAKAS_RATE, - so we can always use one more byte for p in the current state. */ - s_inc[s_inc[64]] ^= 0x1F; - s_inc[HARAKAS_RATE - 1] ^= 128; - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state) { - size_t i; - - /* First consume any bytes we still have sitting around */ - for (i = 0; i < outlen && i < s_inc[64]; i++) { - /* There are s_inc[64] bytes left, so r - s_inc[64] is the first - available byte. We consume from there, i.e., up to r. 
*/ - out[i] = (uint8_t)s_inc[(HARAKAS_RATE - s_inc[64] + (uint8_t)i)]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(s_inc[64] - i); - - /* Then squeeze the remaining necessary blocks */ - while (outlen > 0) { - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka512_perm(s_inc, s_inc, state); - - for (i = 0; i < outlen && i < HARAKAS_RATE; i++) { - out[i] = s_inc[i]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(HARAKAS_RATE - i); - } -} - -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_S(unsigned char *out, unsigned long long outlen, - const unsigned char *in, unsigned long long inlen, const harakactx *state) { - unsigned long long i; - unsigned char s[64]; - unsigned char d[32]; - - for (i = 0; i < 64; i++) { - s[i] = 0; - } - haraka_S_absorb(s, in, inlen, 0x1F, state); - - haraka_S_squeezeblocks(out, outlen / HARAKAS_RATE, s, HARAKAS_RATE, state); - out += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - - if (outlen % HARAKAS_RATE) { - haraka_S_squeezeblocks(d, 1, s, HARAKAS_RATE, state); - for (i = 0; i < outlen % HARAKAS_RATE; i++) { - out[i] = d[i]; - } - } -} - -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_Sx4(unsigned char *out0, - unsigned char *out1, - unsigned char *out2, - unsigned char *out3, - unsigned long long outlen, - const unsigned char *in0, - const unsigned char *in1, - const unsigned char *in2, - const unsigned char *in3, - unsigned long long inlen, - const harakactx *state) { - unsigned long long i; - unsigned char s[64 * 4]; - unsigned char d0[32]; - unsigned char d1[32]; - unsigned char d2[32]; - unsigned char d3[32]; - - for (i = 0; i < 64 * 4; i++) { - s[i] = 0; - } - haraka_S_absorb4x(s, in0, in1, in2, in3, inlen, 0x1F, state); - - haraka_S_squeezeblocks4x(out0, out1, out2, out3, outlen / HARAKAS_RATE, s, HARAKAS_RATE, state); - out0 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out1 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out2 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out3 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - 
- if (outlen % HARAKAS_RATE) { - haraka_S_squeezeblocks4x(d0, d1, d2, d3, 1, s, HARAKAS_RATE, state); - for (i = 0; i < outlen % HARAKAS_RATE; i++) { - out0[i] = d0[i]; - out1[i] = d1[i]; - out2[i] = d2[i]; - out3[i] = d3[i]; - } - } -} - -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - s[2] = LOAD(in + 32); - s[3] = LOAD(in + 48); - - AES4(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0], s[1], s[2], s[3]); - - STORE(out, s[0]); - STORE(out + 16, s[1]); - STORE(out + 32, s[2]); - STORE(out + 48, s[3]); -} - -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka512_perm_x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][4], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[0][2] = LOAD(in + 32); - s[0][3] = LOAD(in + 48); - s[1][0] = LOAD(in + 64); - s[1][1] = LOAD(in + 80); - s[1][2] = LOAD(in + 96); - s[1][3] = LOAD(in + 112); - s[2][0] = LOAD(in + 128); - s[2][1] = LOAD(in + 144); - s[2][2] = LOAD(in + 160); - s[2][3] = LOAD(in + 176); - s[3][0] = LOAD(in + 192); - s[3][1] = LOAD(in + 208); - s[3][2] = LOAD(in + 224); - s[3][3] = LOAD(in + 240); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - 
MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[0][2]); - STORE(out + 48, s[0][3]); - STORE(out + 64, s[1][0]); - STORE(out + 80, s[1][1]); - STORE(out + 96, s[1][2]); - STORE(out + 112, s[1][3]); - STORE(out + 128, s[2][0]); - STORE(out + 144, s[2][1]); - STORE(out + 160, s[2][2]); - STORE(out + 176, s[2][3]); - STORE(out + 192, s[3][0]); - STORE(out + 208, s[3][1]); - STORE(out + 224, s[3][2]); - STORE(out + 240, s[3][3]); -} - -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - s[2] = LOAD(in + 32); - s[3] = LOAD(in + 48); - - AES4(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0], s[1], s[2], s[3]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - s[2] = XOR128(s[2], LOAD(in + 32)); - s[3] = XOR128(s[3], LOAD(in + 48)); - - // truncate and 
store result - TRUNCSTORE(out, s[0], s[1], s[2], s[3]); -} - -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka512x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][4], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[0][2] = LOAD(in + 32); - s[0][3] = LOAD(in + 48); - s[1][0] = LOAD(in + 64); - s[1][1] = LOAD(in + 80); - s[1][2] = LOAD(in + 96); - s[1][3] = LOAD(in + 112); - s[2][0] = LOAD(in + 128); - s[2][1] = LOAD(in + 144); - s[2][2] = LOAD(in + 160); - s[2][3] = LOAD(in + 176); - s[3][0] = LOAD(in + 192); - s[3][1] = LOAD(in + 208); - s[3][2] = LOAD(in + 224); - s[3][3] = LOAD(in + 240); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - s[0][0] = XOR128(s[0][0], LOAD(in)); - s[0][1] = XOR128(s[0][1], LOAD(in + 16)); - s[0][2] = XOR128(s[0][2], LOAD(in + 32)); - s[0][3] = XOR128(s[0][3], LOAD(in + 48)); - s[1][0] = XOR128(s[1][0], LOAD(in + 
64)); - s[1][1] = XOR128(s[1][1], LOAD(in + 80)); - s[1][2] = XOR128(s[1][2], LOAD(in + 96)); - s[1][3] = XOR128(s[1][3], LOAD(in + 112)); - s[2][0] = XOR128(s[2][0], LOAD(in + 128)); - s[2][1] = XOR128(s[2][1], LOAD(in + 144)); - s[2][2] = XOR128(s[2][2], LOAD(in + 160)); - s[2][3] = XOR128(s[2][3], LOAD(in + 176)); - s[3][0] = XOR128(s[3][0], LOAD(in + 192)); - s[3][1] = XOR128(s[3][1], LOAD(in + 208)); - s[3][2] = XOR128(s[3][2], LOAD(in + 224)); - s[3][3] = XOR128(s[3][3], LOAD(in + 240)); - - TRUNCSTORE(out, s[0][0], s[0][1], s[0][2], s[0][3]); - TRUNCSTORE((out + 32), s[1][0], s[1][1], s[1][2], s[1][3]); - TRUNCSTORE((out + 64), s[2][0], s[2][1], s[2][2], s[2][3]); - TRUNCSTORE((out + 96), s[3][0], s[3][1], s[3][2], s[3][3]); -} - -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[2], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - - AES2(s[0], s[1], state->rc); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 4); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 8); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 12); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 16); - MIX2(s[0], s[1]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - - STORE(out, s[0]); - STORE(out + 16, s[1]); -} - -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka256x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][2], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[1][0] = LOAD(in + 32); - s[1][1] = LOAD(in + 48); - s[2][0] = LOAD(in + 64); - s[2][1] = LOAD(in + 80); - s[3][0] = LOAD(in + 96); - s[3][1] = LOAD(in + 112); - - // Round 1 - AES2_4x(s[0], s[1], s[2], s[3], state->rc); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 2 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 4); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - 
MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 3 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 8); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 4 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 12); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 5 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 16); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Feed Forward - s[0][0] = _mm_xor_si128(s[0][0], LOAD(in)); - s[0][1] = _mm_xor_si128(s[0][1], LOAD(in + 16)); - s[1][0] = _mm_xor_si128(s[1][0], LOAD(in + 32)); - s[1][1] = _mm_xor_si128(s[1][1], LOAD(in + 48)); - s[2][0] = _mm_xor_si128(s[2][0], LOAD(in + 64)); - s[2][1] = _mm_xor_si128(s[2][1], LOAD(in + 80)); - s[3][0] = _mm_xor_si128(s[3][0], LOAD(in + 96)); - s[3][1] = _mm_xor_si128(s[3][1], LOAD(in + 112)); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[1][0]); - STORE(out + 48, s[1][1]); - STORE(out + 64, s[2][0]); - STORE(out + 80, s[2][1]); - STORE(out + 96, s[3][0]); - STORE(out + 112, s[3][1]); -} - -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[2], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - - AES2(s[0], s[1], state->rc_sseed); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 4); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 8); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 12); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 16); - MIX2(s[0], s[1]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - - STORE(out, s[0]); - STORE(out + 16, s[1]); -} - -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka256_skx4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][2], tmp; - - 
s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[1][0] = LOAD(in + 32); - s[1][1] = LOAD(in + 48); - s[2][0] = LOAD(in + 64); - s[2][1] = LOAD(in + 80); - s[3][0] = LOAD(in + 96); - s[3][1] = LOAD(in + 112); - - // Round 1 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 2 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 4); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 3 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 8); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 4 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 12); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 5 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 16); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Feed Forward - s[0][0] = XOR128(s[0][0], LOAD(in)); - s[0][1] = XOR128(s[0][1], LOAD(in + 16)); - s[1][0] = XOR128(s[1][0], LOAD(in + 32)); - s[1][1] = XOR128(s[1][1], LOAD(in + 48)); - s[2][0] = XOR128(s[2][0], LOAD(in + 64)); - s[2][1] = XOR128(s[2][1], LOAD(in + 80)); - s[3][0] = XOR128(s[3][0], LOAD(in + 96)); - s[3][1] = XOR128(s[3][1], LOAD(in + 112)); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[1][0]); - STORE(out + 48, s[1][1]); - STORE(out + 64, s[2][0]); - STORE(out + 80, s[2][1]); - STORE(out + 96, s[3][0]); - STORE(out + 112, s[3][1]); -} diff --git a/crypto_sign/sphincs-haraka-192f-robust/aesni/haraka.h b/crypto_sign/sphincs-haraka-192f-robust/aesni/haraka.h deleted file mode 100644 index 9c2a8ded..00000000 --- a/crypto_sign/sphincs-haraka-192f-robust/aesni/haraka.h +++ /dev/null 
@@ -1,57 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_HARAKA_H
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_HARAKA_H
-
-#include
-#include
-#include
-
-typedef struct {
- __m128i rc[40];
- __m128i rc_sseed[40];
-} harakactx;
-
-/* Tweak constants with seed */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length);
-
-/* Haraka Sponge */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_S_inc_init(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_S_inc_finalize(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_S(
- unsigned char *out, unsigned long long outlen,
- const unsigned char *in, unsigned long long inlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_Sx4(
- unsigned char *out0,
- unsigned char *out1,
- unsigned char *out2,
- unsigned char *out3,
- unsigned long long outlen,
- const unsigned char *in0,
- const unsigned char *in1,
- const unsigned char *in2,
- const unsigned char *in3,
- unsigned long long inlen,
- const harakactx *state);
-
-
-/* Applies the 512-bit Haraka permutation to in. */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka512_perm_x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-512 */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka512x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka256x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 using sk.seed constants */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka256_skx4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-robust/aesni/hash.h b/crypto_sign/sphincs-haraka-192f-robust/aesni/hash.h
deleted file mode 100644
index d788d481..00000000
--- a/crypto_sign/sphincs-haraka-192f-robust/aesni/hash.h
+++ /dev/null
@@ -1,31 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_HASH_H
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_HASH_H
-
-#include "hash_state.h"
-
-#include
-#include
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed);
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_destroy_hash_function(hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-robust/aesni/hash_haraka.c b/crypto_sign/sphincs-haraka-192f-robust/aesni/hash_haraka.c
deleted file mode 100644
index cb88f1f4..00000000
--- a/crypto_sign/sphincs-haraka-192f-robust/aesni/hash_haraka.c
+++ /dev/null
@@ -1,96 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "hash.h" -#include "params.h" -#include "utils.h" - -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_initialize_hash_function( - hash_state *hash_state_seeded, - const unsigned char *pub_seed, const unsigned char *sk_seed) { - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_tweak_constants(hash_state_seeded, pub_seed, sk_seed, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N); -} - -/* The haraka implementation is stack based and won't be replaced in PQClean/OQS, - so we don't need to do anything */ -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_destroy_hash_function( - hash_state *hash_state_seeded) { // NOLINT(readability-non-const-parameter) - (void)hash_state_seeded; -} - -/* - * Computes PRF(key, addr), given a secret key of PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N bytes and an address - */ -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_prf_addr( - unsigned char *out, const unsigned char *key, const uint32_t addr[8], - const hash_state *hash_state_seeded) { - unsigned char buf[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES]; - /* Since PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N may be smaller than 32, we need a temporary buffer. */ - unsigned char outbuf[32]; - - (void)key; /* Suppress an 'unused parameter' warning. */ - - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_addr_to_bytes(buf, addr); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka256_sk(outbuf, buf, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N); -} - -/** - * Computes the message-dependent randomness R, using a secret seed and an - * optional randomization value as well as the message. 
- */ -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_gen_message_random( - unsigned char *R, - const unsigned char *sk_prf, const unsigned char *optrand, - const unsigned char *m, size_t mlen, - const hash_state *hash_state_seeded) { - uint8_t s_inc[65]; - - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_S_inc_init(s_inc); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_S_inc_absorb(s_inc, sk_prf, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_S_inc_absorb(s_inc, optrand, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_S_inc_finalize(s_inc); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_S_inc_squeeze(R, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, s_inc, hash_state_seeded); -} - -/** - * Computes the message hash using R, the public key, and the message. - * Outputs the message digest and the index of the leaf. The index is split in - * the tree index and the leaf index, for convenient copying to an address. 
- */ -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_hash_message( - unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx, - const unsigned char *R, const unsigned char *pk, - const unsigned char *m, size_t mlen, - const hash_state *hash_state_seeded) { -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_TREE_BITS (PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_TREE_HEIGHT * (PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_D - 1)) -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_TREE_BYTES ((PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_TREE_BITS + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_LEAF_BITS PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_TREE_HEIGHT -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_LEAF_BYTES ((PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_LEAF_BITS + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_DGST_BYTES (PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_MSG_BYTES + PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_TREE_BYTES + PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_LEAF_BYTES) - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_DGST_BYTES]; - unsigned char *bufp = buf; - uint8_t s_inc[65]; - - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_S_inc_init(s_inc); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_S_inc_absorb(s_inc, R, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_S_inc_absorb(s_inc, pk + PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_S_inc_finalize(s_inc); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_S_inc_squeeze(buf, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_DGST_BYTES, s_inc, hash_state_seeded); - - memcpy(digest, bufp, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_MSG_BYTES); - bufp += PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_MSG_BYTES; - - *tree = PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_bytes_to_ull(bufp, 
PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_TREE_BYTES); - *tree &= (~(uint64_t)0) >> (64 - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_TREE_BITS); - bufp += PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_TREE_BYTES; - - *leaf_idx = (uint32_t)PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_bytes_to_ull( - bufp, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_LEAF_BYTES); - *leaf_idx &= (~(uint32_t)0) >> (32 - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_LEAF_BITS); -} diff --git a/crypto_sign/sphincs-haraka-192f-robust/aesni/hash_harakax4.c b/crypto_sign/sphincs-haraka-192f-robust/aesni/hash_harakax4.c deleted file mode 100644 index 77b4eb1e..00000000 --- a/crypto_sign/sphincs-haraka-192f-robust/aesni/hash_harakax4.c +++ /dev/null @@ -1,37 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "hash_state.h" -#include "hashx4.h" -#include "params.h" - -/* - * 4-way parallel version of prf_addr; takes 4x as much input and output - */ -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_prf_addrx4(unsigned char *out0, - unsigned char *out1, - unsigned char *out2, - unsigned char *out3, - const unsigned char *key, - const uint32_t addrx4[4 * 8], - const hash_state *state_seeded) { - unsigned char bufx4[4 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES]; - /* Since PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N may be smaller than 32, we need a temporary buffer. */ - unsigned char outbuf[4 * 32]; - unsigned int i; - - (void)key; /* Suppress an 'unused parameter' warning. */ - - for (i = 0; i < 4; i++) { - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_addr_to_bytes(bufx4 + i * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES, addrx4 + i * 8); - } - - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka256_skx4(outbuf, bufx4, state_seeded); - - memcpy(out0, outbuf, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N); - memcpy(out1, outbuf + 32, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N); - memcpy(out2, outbuf + 64, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N); - memcpy(out3, outbuf + 96, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N); -} 
diff --git a/crypto_sign/sphincs-haraka-192f-robust/aesni/hash_state.h b/crypto_sign/sphincs-haraka-192f-robust/aesni/hash_state.h deleted file mode 100644 index 81ba3aea..00000000 --- a/crypto_sign/sphincs-haraka-192f-robust/aesni/hash_state.h +++ /dev/null @@ -1,26 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_HASH_STATE_H -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_HASH_STATE_H - -/** - * Defines the type of the hash function state. - * - * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! - * - * From Section 7.2.2 from the SPHINCS+ round-2 specification: - * - * Each of the instances of the tweakable hash function take PK.seed as its - * first input, which is constant for a given key pair – and, thus, across - * a single signature. This leads to a lot of redundant computation. To remedy - * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. - * Because of the Merkle-Damgård construction that underlies SHA-256, this - * allows for reuse of the intermediate SHA-256 state after the initial call to - * the compression function which improves performance. - * - * We pass this hash state around in functions, because otherwise we need to - * have a global variable. - */ - -#include "haraka.h" -#define hash_state harakactx - -#endif diff --git a/crypto_sign/sphincs-haraka-192f-robust/aesni/hashx4.h b/crypto_sign/sphincs-haraka-192f-robust/aesni/hashx4.h deleted file mode 100644 index a4c75c39..00000000 --- a/crypto_sign/sphincs-haraka-192f-robust/aesni/hashx4.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_HASHX4_H -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_HASHX4_H - -#include - -#include "hash_state.h" - -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_prf_addrx4(unsigned char *out0, - unsigned char *out1, - unsigned char *out2, - unsigned char *out3, - const unsigned char *key, - const uint32_t addrx4[4 * 8], - const hash_state *state_seeded); - -#endif 
diff --git a/crypto_sign/sphincs-haraka-192f-robust/aesni/params.h b/crypto_sign/sphincs-haraka-192f-robust/aesni/params.h deleted file mode 100644 index 1fb3fc9f..00000000 --- a/crypto_sign/sphincs-haraka-192f-robust/aesni/params.h +++ /dev/null 
@@ -1,53 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_PARAMS_H -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_PARAMS_H - -/* Hash output length in bytes. */ -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N 24 -/* Height of the hypertree. */ -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FULL_HEIGHT 66 -/* Number of subtree layer. */ -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_D 22 -/* FORS tree dimensions. */ -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_HEIGHT 8 -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_TREES 33 -/* Winternitz parameter, */ -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_W 16 - -/* The hash function is defined by linking a different hash.c file, as opposed - to setting a #define constant. */ - -/* For clarity */ -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES 32 - -/* WOTS parameters. */ -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_LOGW 4 - -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_LEN1 (8 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N / PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_LOGW) - -/* PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */ -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_LEN2 3 - -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_LEN (PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_LEN1 + PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_LEN2) -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_BYTES (PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_LEN * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N) -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_PK_BYTES PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_BYTES - -/* Subtree size. */ -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_TREE_HEIGHT (PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FULL_HEIGHT / PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_D) - -/* FORS parameters. 
*/ -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_MSG_BYTES ((PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_TREES + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_BYTES ((PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_HEIGHT + 1) * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N) -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_PK_BYTES PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N - -/* Resulting SPX sizes. */ -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_BYTES (PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N + PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_BYTES + PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_D * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_BYTES +\ - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FULL_HEIGHT * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N) -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_PK_BYTES (2 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N) -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_SK_BYTES (2 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N + PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_PK_BYTES) - -/* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. */ -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_OPTRAND_BYTES 32 - -#endif diff --git a/crypto_sign/sphincs-haraka-192f-robust/aesni/sign.c b/crypto_sign/sphincs-haraka-192f-robust/aesni/sign.c deleted file mode 100644 index 5b5c4956..00000000 --- a/crypto_sign/sphincs-haraka-192f-robust/aesni/sign.c +++ /dev/null 
@@ -1,409 +0,0 @@ -#include -#include -#include -#include - -#include "address.h" -#include "api.h" -#include "fors.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "randombytes.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - - -/** - * Computes the leaf at a given address. First generates the WOTS key pair, - * then computes leaf by hashing horizontally. - */ -static void wots_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx, const uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - unsigned char pk[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_BYTES]; - uint32_t wots_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_TYPE_WOTSPK); - - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_keypair_addr( - wots_addr, addr_idx); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_wots_gen_pk( - pk, sk_seed, pub_seed, wots_addr, hash_state_seeded); - - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_copy_keypair_addr( - wots_pk_addr, wots_addr); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_thash_WOTS_LEN( - leaf, pk, pub_seed, wots_pk_addr, hash_state_seeded); -} - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_crypto_sign_secretkeybytes(void) { - return PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_CRYPTO_SECRETKEYBYTES; -} - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_crypto_sign_publickeybytes(void) { - return PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_CRYPTO_PUBLICKEYBYTES; -} - -/* - * Returns the length of a signature, in bytes - */ -size_t 
PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_crypto_sign_bytes(void) { - return PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_CRYPTO_BYTES; -} - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_crypto_sign_seedbytes(void) { - return PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_CRYPTO_SEEDBYTES; -} - -/* - * Generates an SPX key pair given a seed of length - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_crypto_sign_seed_keypair( - uint8_t *pk, uint8_t *sk, const uint8_t *seed) { - /* We do not need the auth path in key generation, but it simplifies the - code to have just one treehash routine that computes both root and path - in one function. */ - unsigned char auth_path[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N]; - uint32_t top_tree_addr[8] = {0}; - hash_state hash_state_seeded; - - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_layer_addr( - top_tree_addr, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_D - 1); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_type( - top_tree_addr, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_TYPE_HASHTREE); - - /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */ - memcpy(sk, seed, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_CRYPTO_SEEDBYTES); - - memcpy(pk, sk + 2 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_initialize_hash_function(&hash_state_seeded, pk, sk); - - /* Compute root node of the top-most subtree. 
*/ - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_treehash_TREE_HEIGHT( - sk + 3 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, auth_path, sk, sk + 2 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, 0, 0, - wots_gen_leaf, top_tree_addr, &hash_state_seeded); - - memcpy(pk + PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, sk + 3 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N); - - return 0; -} - -/* - * Generates an SPX key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk) { - - // guarantee alignment of pk - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_CRYPTO_PUBLICKEYBYTES / 16]; - uint8_t pk[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - - // guarantee alignment of sk - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_CRYPTO_SECRETKEYBYTES / 16]; - uint8_t sk[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_CRYPTO_SECRETKEYBYTES]; - } aligned_sk; - - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_CRYPTO_SEEDBYTES / 16]; - uint8_t seed[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_CRYPTO_SEEDBYTES]; - } aligned_seed; - randombytes(aligned_seed.seed, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_CRYPTO_SEEDBYTES); - - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_crypto_sign_seed_keypair( - aligned_pk.pk, aligned_sk.sk, aligned_seed.seed); - memcpy(pk, aligned_pk.pk, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_CRYPTO_PUBLICKEYBYTES); - memcpy(sk, aligned_sk.sk, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_CRYPTO_SECRETKEYBYTES); - - return 0; -} - -/** - * Returns an array containing a detached signature. 
- */ -int PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - // guarantee alignment of sk - union { - __m128 *_x; - uint8_t sk[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_CRYPTO_SECRETKEYBYTES]; - } aligned_sk; - memcpy(aligned_sk.sk, sk, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_CRYPTO_SECRETKEYBYTES); - sk = aligned_sk.sk; - - // guarantee alignment of sig - union { - __m128 *_x; - uint8_t sig[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_BYTES]; - } aligned_sig; - uint8_t *orig_sig = sig; - sig = (uint8_t *)aligned_sig.sig; - - const unsigned char *sk_seed = sk; - const unsigned char *sk_prf = sk + PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N; - const unsigned char *pk = sk + 2 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N; - const unsigned char *pub_seed = pk; - - unsigned char optrand[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N]; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_MSG_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N]; - uint32_t i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - - hash_state hash_state_seeded; - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_initialize_hash_function( - &hash_state_seeded, - pub_seed, sk_seed); - - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_TYPE_HASHTREE); - - /* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. 
*/ - randombytes(optrand, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N); - /* Compute the digest randomization value. */ - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_gen_message_random( - sig, sk_prf, optrand, m, mlen, &hash_state_seeded); - - /* Derive the message digest and leaf index from R, PK and M. */ - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N; - - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - /* Sign the message hash using FORS. */ - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_fors_sign( - sig, root, mhash, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_BYTES; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_D; i++) { - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - /* Compute a WOTS signature. */ - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_wots_sign( - sig, root, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_BYTES; - - /* Compute the authentication path for the used WOTS leaf. */ - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_treehash_TREE_HEIGHT( - root, sig, sk_seed, pub_seed, idx_leaf, 0, - wots_gen_leaf, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N; - - /* Update the indices for the next layer. 
*/ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_TREE_HEIGHT; - } - - memcpy(orig_sig, aligned_sig.sig, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_BYTES); - *siglen = PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_BYTES; - - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - // guarantee alignment of pk - union { - __m128 *_x; - uint8_t pk[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - memcpy(aligned_pk.pk, pk, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_CRYPTO_PUBLICKEYBYTES); - pk = aligned_pk.pk; - - const unsigned char *pub_seed = pk; - const unsigned char *pub_root = pk + PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_MSG_BYTES]; - unsigned char wots_pk[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N]; - unsigned int i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - hash_state hash_state_seeded; - - if (siglen != PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_BYTES) { - return -1; - } - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_initialize_hash_function( - &hash_state_seeded, - pub_seed, NULL); - - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_TYPE_HASHTREE); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_TYPE_WOTSPK); - - /* Derive the message digest and leaf index from R || PK || M. */ - /* The additional PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N is a result of the hash domain separator. */ - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N; - - /* Layer correctly defaults to 0, so no need to set_layer_addr */ - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_fors_pk_from_sig( - root, sig, mhash, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_BYTES; - - /* For each subtree.. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_D; i++) { - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_copy_keypair_addr( - wots_pk_addr, wots_addr); - - /* The WOTS public key is only correct if the signature was correct. */ - /* Initially, root is the FORS pk, but on subsequent iterations it is - the root of the subtree below the currently processed subtree. 
*/ - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_wots_pk_from_sig( - wots_pk, sig, root, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_BYTES; - - /* Compute the leaf node using the WOTS public key. */ - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_thash_WOTS_LEN( - leaf, wots_pk, pub_seed, wots_pk_addr, &hash_state_seeded); - - /* Compute the root node of this subtree. */ - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_compute_root( - root, leaf, idx_leaf, 0, sig, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_TREE_HEIGHT, - pub_seed, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_TREE_HEIGHT; - } - - /* Check if the root node equals the root node in the public key. */ - if (memcmp(root, pub_root, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N) != 0) { - return -1; - } - - return 0; -} - - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - size_t siglen; - - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_crypto_sign_signature( - sm, &siglen, m, mlen, sk); - - memmove(sm + PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_BYTES, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. 
- */ -int PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk) { - - // guarantee alignment of pk - union { - __m128 *_x; - uint8_t pk[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - memcpy(aligned_pk.pk, pk, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_CRYPTO_PUBLICKEYBYTES); - pk = aligned_pk.pk; - - - /* The API caller does not necessarily know what size a signature should be - but SPHINCS+ signatures are always exactly PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_BYTES. */ - if (smlen < PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_BYTES) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_BYTES; - - if (PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_crypto_sign_verify( - sm, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_BYTES, sm + PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_BYTES, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_BYTES, *mlen); - - return 0; -} diff --git a/crypto_sign/sphincs-haraka-192f-robust/aesni/thash.h b/crypto_sign/sphincs-haraka-192f-robust/aesni/thash.h deleted file mode 100644 index 018da6fc..00000000 --- a/crypto_sign/sphincs-haraka-192f-robust/aesni/thash.h +++ /dev/null 
@@ -1,28 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_THASH_H -#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_THASH_H - -#include "hash_state.h" - -#include - -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-192f-robust/aesni/thash_haraka_robust.c b/crypto_sign/sphincs-haraka-192f-robust/aesni/thash_haraka_robust.c deleted file mode 100644 index ea24bc37..00000000 --- a/crypto_sign/sphincs-haraka-192f-robust/aesni/thash_haraka_robust.c +++ /dev/null 
@@ -1,94 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" - -#include "haraka.h" - -/** - * Takes an array of inblocks concatenated arrays of PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N bytes. - */ -static void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_thash( - unsigned char *out, unsigned char *buf, - const unsigned char *in, unsigned int inblocks, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char *bitmask = buf + PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES; - unsigned char outbuf[32]; - unsigned char buf_tmp[64]; - unsigned int i; - - (void)pub_seed; /* Suppress an 'unused parameter' warning. */ - - if (inblocks == 1) { - /* F function */ - /* Since PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N may be smaller than 32, we need a temporary buffer. */ - memset(buf_tmp, 0, 64); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_addr_to_bytes(buf_tmp, addr); - - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka256(outbuf, buf_tmp, hash_state_seeded); - for (i = 0; i < inblocks * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N; i++) { - buf_tmp[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES + i] = in[i] ^ outbuf[i]; - } - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka512(outbuf, buf_tmp, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N); - } else { - /* All other tweakable hashes*/ - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_addr_to_bytes(buf, addr); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_S( - bitmask, inblocks * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, buf, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES, hash_state_seeded); - - for (i = 0; i < inblocks * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N; i++) { - buf[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES + i] = in[i] ^ bitmask[i]; - } - - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_S( - out, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, buf, 
PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES + inblocks * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, hash_state_seeded); - } -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES + 1 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N]; - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_thash( - out, buf, in, 1, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES + 2 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N]; - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_thash( - out, buf, in, 2, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_LEN * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N]; - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_thash( - out, buf, in, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_LEN, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N]; - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_thash( - out, buf, in, 
PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_TREES, pub_seed, addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-192f-robust/aesni/thash_haraka_robustx4.c b/crypto_sign/sphincs-haraka-192f-robust/aesni/thash_haraka_robustx4.c deleted file mode 100644 index df971993..00000000 --- a/crypto_sign/sphincs-haraka-192f-robust/aesni/thash_haraka_robustx4.c +++ /dev/null 
@@ -1,92 +0,0 @@
-#include 
-#include 
-
-#include "address.h"
-#include "haraka.h"
-#include "params.h"
-#include "thashx4.h"
-
-/**
- * 4-way parallel version of thash; takes 4x as much input and output
- */
-#define thashx4_variant(name, inblocks) \
- void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_thashx4_##name(unsigned char *out0, unsigned char *out1, unsigned char *out2, \
- unsigned char *out3, const unsigned char *in0, \
- const unsigned char *in1, const unsigned char *in2, \
- const unsigned char *in3, const unsigned char *pub_seed, \
- uint32_t addrx4[4 * 8], const harakactx *state) { \
- unsigned char buf0[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N]; \
- unsigned char buf1[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N]; \
- unsigned char buf2[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N]; \
- unsigned char buf3[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N]; \
- unsigned char bitmask0[(inblocks)*PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N]; \
- unsigned char bitmask1[(inblocks)*PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N]; \
- unsigned char bitmask2[(inblocks)*PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N]; \
- unsigned char bitmask3[(inblocks)*PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N]; \
- unsigned char outbuf[32 * 4]; \
- unsigned char buf_tmp[64 * 4]; \
- unsigned int i; \
- \
- (void)pub_seed; /* Suppress an 'unused parameter' warning.
*/ \
- \
- if ((inblocks) == 1) { \
- memset(buf_tmp, 0, 64 * 4); \
- \
- /* Generate masks first in buffer */ \
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_addr_to_bytes(buf_tmp, addrx4 + 0 * 8); \
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_addr_to_bytes(buf_tmp + 32, addrx4 + 1 * 8); \
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_addr_to_bytes(buf_tmp + 64, addrx4 + 2 * 8); \
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_addr_to_bytes(buf_tmp + 96, addrx4 + 3 * 8); \
- \
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka256x4(outbuf, buf_tmp, state); \
- \
- /* move addresses to make room for inputs; zero old values */ \
- memcpy(buf_tmp + 192, buf_tmp + 96, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES); \
- memcpy(buf_tmp + 128, buf_tmp + 64, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES); \
- memcpy(buf_tmp + 64, buf_tmp + 32, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES); \
- /* skip memcpy(buf_tmp, buf_tmp, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES); already in place */ \
- \
- /* skip memset(buf_tmp, 0, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES); remained untouched */ \
- memset(buf_tmp + 32, 0, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES); \
- /* skip memset(buf_tmp + 64, 0, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES); contains addr1 */ \
- memset(buf_tmp + 96, 0, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES); \
- \
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N; i++) { \
- buf_tmp[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES + i] = in0[i] ^ outbuf[i]; \
- buf_tmp[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES + i + 64] = in1[i] ^ outbuf[i + 32]; \
- buf_tmp[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES + i + 128] = in2[i] ^ outbuf[i + 64]; \
- buf_tmp[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES + i + 192] = in3[i] ^ outbuf[i + 96]; \
- } \
- \
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka512x4(outbuf, buf_tmp, state); \
- \
- memcpy(out0, outbuf, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N); \
- memcpy(out1, outbuf +
32, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N); \
- memcpy(out2, outbuf + 64, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N); \
- memcpy(out3, outbuf + 96, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N); \
- } else { \
- /* All other tweakable hashes*/ \
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_addr_to_bytes(buf0, addrx4 + 0 * 8); \
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_addr_to_bytes(buf1, addrx4 + 1 * 8); \
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_addr_to_bytes(buf2, addrx4 + 2 * 8); \
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_addr_to_bytes(buf3, addrx4 + 3 * 8); \
- \
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_Sx4(bitmask0, bitmask1, bitmask2, bitmask3, (inblocks)*PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, buf0, buf1, \
- buf2, buf3, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES, state); \
- \
- for (i = 0; i < (inblocks)*PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N; i++) { \
- buf0[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES + i] = in0[i] ^ bitmask0[i]; \
- buf1[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES + i] = in1[i] ^ bitmask1[i]; \
- buf2[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES + i] = in2[i] ^ bitmask2[i]; \
- buf3[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES + i] = in3[i] ^ bitmask3[i]; \
- } \
- \
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_haraka_Sx4(out0, out1, out2, out3, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, buf0, buf1, buf2, buf3, \
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, state); \
- } \
- }
-
-thashx4_variant(1, 1)
-thashx4_variant(2, 2)
-thashx4_variant(WOTS_LEN, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_LEN)
-thashx4_variant(FORS_TREES, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_TREES)
diff --git a/crypto_sign/sphincs-haraka-192f-robust/aesni/thashx4.h b/crypto_sign/sphincs-haraka-192f-robust/aesni/thashx4.h
deleted file mode 100644
index bb29a996..00000000
--- a/crypto_sign/sphincs-haraka-192f-robust/aesni/thashx4.h
+++ /dev/null
@@ -1,25 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_THASHX4_H
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_THASHX4_H
-
-#include 
-
-#include "hash_state.h"
-
-#define thashx4_header(inblocks) \
- void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_thashx4_##inblocks(unsigned char *out0, \
- unsigned char *out1, \
- unsigned char *out2, \
- unsigned char *out3, \
- const unsigned char *in0, \
- const unsigned char *in1, \
- const unsigned char *in2, \
- const unsigned char *in3, \
- const unsigned char *pub_seed, uint32_t addrx4[4*8], \
- const hash_state *state_seeded)
-
-thashx4_header(1);
-thashx4_header(2);
-thashx4_header(WOTS_LEN);
-thashx4_header(FORS_TREES);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-robust/aesni/utils.c b/crypto_sign/sphincs-haraka-192f-robust/aesni/utils.c
deleted file mode 100644
index 214f1c95..00000000
--- a/crypto_sign/sphincs-haraka-192f-robust/aesni/utils.c
+++ /dev/null
@@ -1,199 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" -#include "utils.h" - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in) { - - /* Iterate over out in decreasing order, for big-endianness. */ - for (size_t i = outlen; i > 0; i--) { - out[i - 1] = in & 0xff; - in = in >> 8; - } -} - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_bytes_to_ull( - const unsigned char *in, size_t inlen) { - unsigned long long retval = 0; - - for (size_t i = 0; i < inlen; i++) { - retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i)); - } - return retval; -} - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - unsigned char buffer[2 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N]; - - /* If leaf_idx is odd (last bit = 1), current path element is a right child - and auth_path has to go left. Otherwise it is the other way around. 
*/ - if (leaf_idx & 1) { - memcpy(buffer + PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, leaf, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N); - } else { - memcpy(buffer, leaf, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, auth_path, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N; - - for (i = 0; i < tree_height - 1; i++) { - leaf_idx >>= 1; - idx_offset >>= 1; - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_tree_height(addr, i + 1); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_tree_index( - addr, leaf_idx + idx_offset); - - /* Pick the right or left neighbor, depending on parity of the node. */ - if (leaf_idx & 1) { - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_thash_2( - buffer + PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N); - } else { - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_thash_2( - buffer, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, auth_path, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N; - } - - /* The last iteration is exceptional; we do not copy an auth_path node. */ - leaf_idx >>= 1; - idx_offset >>= 1; - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_tree_height(addr, tree_height); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_tree_index( - addr, leaf_idx + idx_offset); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_thash_2( - root, buffer, pub_seed, addr, hash_state_seeded); -} - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. 
PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -static void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_treehash( - unsigned char *root, unsigned char *auth_path, - unsigned char *stack, unsigned int *heights, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - - unsigned int offset = 0; - uint32_t idx; - uint32_t tree_idx; - - for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) { - /* Add the next leaf node to the stack. */ - gen_leaf(stack + offset * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, - sk_seed, pub_seed, idx + idx_offset, tree_addr, - hash_state_seeded); - offset++; - heights[offset - 1] = 0; - - /* If this is a node we need for the auth path.. */ - if ((leaf_idx ^ 0x1) == idx) { - memcpy(auth_path, stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N); - } - - /* While the top-most nodes are of equal height.. */ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { - /* Compute index of the new node, in the next layer. */ - tree_idx = (idx >> (heights[offset - 1] + 1)); - - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_tree_height( - tree_addr, heights[offset - 1] + 1); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_tree_index( - tree_addr, tree_idx + (idx_offset >> (heights[offset - 1] + 1))); - /* Hash the top-most nodes from the stack together. 
*/ - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_thash_2( - stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, - pub_seed, tree_addr, hash_state_seeded); - offset--; - /* Note that the top-most node is now one layer higher. */ - heights[offset - 1]++; - - /* If this is a node we need for the auth path.. */ - if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) { - memcpy(auth_path + heights[offset - 1]*PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, - stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N); - } - } - } - memcpy(root, stack, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N); -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* 
leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_TREE_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_TREE_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_TREE_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-192f-robust/aesni/utils.h b/crypto_sign/sphincs-haraka-192f-robust/aesni/utils.h deleted file mode 100644 index 24d3ee4f..00000000 --- a/crypto_sign/sphincs-haraka-192f-robust/aesni/utils.h +++ /dev/null 
@@ -1,64 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_UTILS_H
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_UTILS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include 
-#include 
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ull_to_bytes(
- unsigned char *out, size_t outlen, unsigned long long in);
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-unsigned long long PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_bytes_to_ull(
- const unsigned char *in, size_t inlen);
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_compute_root(
- unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_treehash_FORS_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_treehash_TREE_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-robust/aesni/utilsx4.c b/crypto_sign/sphincs-haraka-192f-robust/aesni/utilsx4.c
deleted file mode 100644
index b7401add..00000000
--- a/crypto_sign/sphincs-haraka-192f-robust/aesni/utilsx4.c
+++ /dev/null
@@ -1,98 +0,0 @@ -#include "address.h" -#include "params.h" -#include "thashx4.h" -#include "utils.h" -#include "utilsx4.h" - -#include - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -#define treehashx4_variant(name, tree_height) \ - void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_treehashx4_##name( \ - unsigned char *rootx4, unsigned char *auth_pathx4, const unsigned char *sk_seed, \ - const unsigned char *pub_seed, const uint32_t leaf_idx[4], uint32_t idx_offset[4], \ - void (*gen_leafx4)(unsigned char * /* leaf0 */, unsigned char * /* leaf1 */, \ - unsigned char * /* leaf2 */, unsigned char * /* leaf3 */, \ - const unsigned char * /* sk_seed */, \ - const unsigned char * /* pub_seed */, uint32_t /* addr_idx0 */, \ - uint32_t /* addr_idx1 */, uint32_t /* addr_idx2 */, \ - uint32_t /* addr_idx3 */, const uint32_t[8] /* tree_addr */, \ - const hash_state * /* state_seeded */), \ - uint32_t tree_addrx4[4 * 8], const hash_state *state_seeded) { \ - unsigned char stackx4[4 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N]; \ - unsigned int heights[(tree_height) + 1]; \ - unsigned int offset = 0; \ - uint32_t idx; \ - uint32_t tree_idx; \ - unsigned int j; \ - \ - for (idx = 0; idx < (uint32_t)(1 << (tree_height)); idx++) { \ - /* Add the next leaf node to the stack. 
*/ \ - gen_leafx4(stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, sk_seed, \ - pub_seed, idx + idx_offset[0], idx + idx_offset[1], idx + idx_offset[2], \ - idx + idx_offset[3], tree_addrx4, state_seeded); \ - offset++; \ - heights[offset - 1] = 0; \ - \ - /* If this is a node we need for the auth path.. */ \ - for (j = 0; j < 4; j++) { \ - if ((leaf_idx[j] ^ 0x1) == idx) { \ - memcpy(auth_pathx4 + j * (tree_height)*PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, \ - stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N + (offset - 1) * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, \ - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N); \ - } \ - } \ - \ - /* While the top-most nodes are of equal height.. */ \ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { \ - /* Compute index of the new node, in the next layer. */ \ - tree_idx = (idx >> (heights[offset - 1] + 1)); \ - \ - /* Set the address of the node we're creating. */ \ - for (j = 0; j < 4; j++) { \ - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_tree_height(tree_addrx4 + j * 8, heights[offset - 1] + 1); \ - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_tree_index(tree_addrx4 + j * 8, \ - tree_idx + (idx_offset[j] >> (heights[offset - 1] + 1))); \ - } \ - /* Hash the top-most nodes from the stack together. 
*/ \ - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_thashx4_2(stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, \ - stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, \ - pub_seed, tree_addrx4, state_seeded); \ - offset--; \ - /* Note that the top-most node is now one layer higher. */ \ - heights[offset - 1]++; \ - \ - /* If this is a node we need for the auth path.. 
*/ \ - for (j = 0; j < 4; j++) { \ - if (((leaf_idx[j] >> heights[offset - 1]) ^ 0x1) == tree_idx) { \ - memcpy(auth_pathx4 + j * (tree_height)*PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N + \ - heights[offset - 1] * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, \ - stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N + (offset - 1) * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, \ - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N); \ - } \ - } \ - } \ - } \ - \ - for (j = 0; j < 4; j++) { \ - memcpy(rootx4 + j * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N); \ - } \ - } - -treehashx4_variant(FORS_HEIGHT, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_FORS_HEIGHT) diff --git a/crypto_sign/sphincs-haraka-192f-robust/aesni/utilsx4.h b/crypto_sign/sphincs-haraka-192f-robust/aesni/utilsx4.h deleted file mode 100644 index 6d583840..00000000 --- a/crypto_sign/sphincs-haraka-192f-robust/aesni/utilsx4.h +++ /dev/null 
@@ -1,38 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_UTILSX4_H
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_UTILSX4_H
-
-#include "hash_state.h"
-#include "params.h"
-
-#include 
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_treehashx4_FORS_HEIGHT(unsigned char *rootx4,
- unsigned char *auth_pathx4,
- const unsigned char *sk_seed,
- const unsigned char *pub_seed,
- const uint32_t leaf_idx[4],
- uint32_t idx_offset[4],
- void (*gen_leafx4)(unsigned char * /* leaf0 */,
- unsigned char * /* leaf1 */,
- unsigned char * /* leaf2 */,
- unsigned char * /* leaf3 */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx0 */,
- uint32_t /* addr_idx1 */,
- uint32_t /* addr_idx2 */,
- uint32_t /* addr_idx3 */,
- const uint32_t[8] /* tree_addr */,
- const hash_state * /* state_seeded */),
- uint32_t tree_addrx4[4 * 8],
- const hash_state *state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-robust/aesni/wots.c b/crypto_sign/sphincs-haraka-192f-robust/aesni/wots.c
deleted file mode 100644
index be0b6233..00000000
--- a/crypto_sign/sphincs-haraka-192f-robust/aesni/wots.c
+++ /dev/null
@@ -1,240 +0,0 @@
-#include 
-#include 
-
-#include "address.h"
-#include "hash.h"
-#include "hash_state.h"
-#include "hashx4.h"
-#include "params.h"
-#include "thash.h"
-#include "thashx4.h"
-#include "utils.h"
-#include "wots.h"
-
-// TODO clarify address expectations, and make them more uniform.
-// TODO i.e. do we expect types to be set already?
-// TODO and do we expect modifications or copies?
-
-/**
- * Computes the starting value for a chain, i.e. the secret key.
- * Expects the address to be complete up to the chain address.
- */
-static void wots_gen_sk(unsigned char *sk, const unsigned char *sk_seed,
- uint32_t wots_addr[8], const hash_state *state_seeded) {
- /* Make sure that the hash address is actually zeroed. */
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_hash_addr(wots_addr, 0);
-
- /* Generate sk element. */
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_prf_addr(sk, sk_seed, wots_addr, state_seeded);
-}
-
-/**
- * 4-way parallel version of wots_gen_sk; expects 4x as much space in sk
- */
-static void wots_gen_skx4(unsigned char *skx4, const unsigned char *sk_seed,
- uint32_t wots_addrx4[4 * 8], const hash_state *state_seeded) {
- unsigned int j;
-
- /* Make sure that the hash address is actually zeroed. */
- for (j = 0; j < 4; j++) {
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_hash_addr(wots_addrx4 + j * 8, 0);
- }
-
- /* Generate sk element. */
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_prf_addrx4(skx4 + 0 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N,
- skx4 + 1 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N,
- skx4 + 2 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N,
- skx4 + 3 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N,
- sk_seed, wots_addrx4,
- state_seeded);
-}
-
-/**
- * Computes the chaining function.
- * out and in have to be n-byte arrays.
- *
- * Interprets in as start-th value of the chain.
- * addr has to contain the address of the chain.
- */
-static void gen_chain(unsigned char *out, const unsigned char *in,
- unsigned int start, unsigned int steps,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *state_seeded) {
- uint32_t i;
-
- /* Initialize out with the value at position 'start'. */
- memcpy(out, in, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N);
-
- /* Iterate 'steps' calls to the hash function. */
- for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_W; i++) {
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_hash_addr(addr, i);
- PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_thash_1(out, out, pub_seed, addr, state_seeded);
- }
-}
-
-/**
- * 4-way parallel version of gen_chain; expects 4x as much space in out, and
- * 4x as much space in inx4. Assumes start and step identical across chains.
- */
-static void gen_chainx4(unsigned char *outx4, const unsigned char *inx4,
- unsigned int start, unsigned int steps,
- const unsigned char *pub_seed, uint32_t addrx4[4 * 8],
- const hash_state *state_seeded) {
- uint32_t i;
- unsigned int j;
-
- /* Initialize outx4 with the value at position 'start'. */
- memcpy(outx4, inx4, 4 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N);
-
- /* Iterate 'steps' calls to the hash function.
*/ - for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_W; i++) { - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_hash_addr(addrx4 + j * 8, i); - } - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_thashx4_1(outx4 + 0 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, - outx4 + 1 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, - outx4 + 2 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, - outx4 + 3 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, - outx4 + 0 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, - outx4 + 1 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, - outx4 + 2 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, - outx4 + 3 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, - pub_seed, addrx4, - state_seeded); - } -} - -/** - * base_w algorithm as described in draft. - * Interprets an array of bytes as integers in base w. - * This only works when log_w is a divisor of 8. - */ -static void base_w(unsigned int *output, const int out_len, const unsigned char *input) { - int in = 0; - int out = 0; - unsigned char total = 0; - int bits = 0; - int consumed; - - for (consumed = 0; consumed < out_len; consumed++) { - if (bits == 0) { - total = input[in]; - in++; - bits += 8; - } - bits -= PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_LOGW; - output[out] = (unsigned int)(total >> bits) & (PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_W - 1); - out++; - } -} - -/* Computes the WOTS+ checksum over a message (in base_w). */ -static void wots_checksum(unsigned int *csum_base_w, const unsigned int *msg_base_w) { - unsigned int csum = 0; - unsigned char csum_bytes[(PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_LOGW + 7) / 8]; - unsigned int i; - - /* Compute checksum. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_LEN1; i++) { - csum += PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_W - 1 - msg_base_w[i]; - } - - /* Convert checksum to base_w. 
*/ - /* Make sure expected empty zero bits are the least significant bits. */ - csum = csum << (8 - ((PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_LOGW) % 8)); - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_ull_to_bytes(csum_bytes, sizeof(csum_bytes), csum); - base_w(csum_base_w, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_LEN2, csum_bytes); -} - -/* Takes a message and derives the matching chain lengths. */ -static void chain_lengths(unsigned int *lengths, const unsigned char *msg) { - base_w(lengths, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_LEN1, msg); - wots_checksum(lengths + PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_LEN1, lengths); -} - -/** - * WOTS key generation. Takes a 32 byte sk_seed, expands it to WOTS private key - * elements and computes the corresponding public key. - * It requires the seed pub_seed (used to generate bitmasks and hash keys) - * and the address of this WOTS key pair. - * - * Writes the computed public key to 'pk'. - */ -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_wots_gen_pk(unsigned char *pk, const unsigned char *sk_seed, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - uint32_t i; - unsigned int j; - - uint32_t addrx4[4 * 8]; - unsigned char pkbuf[4 * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N]; - - for (j = 0; j < 4; j++) { - memcpy(addrx4 + j * 8, addr, sizeof(uint32_t) * 8); - } - - /* The last iteration typically does not have complete set of 4 chains, - but because we use pkbuf, this is not an issue -- we still do as many - in parallel as possible. 
*/ - for (i = 0; i < ((PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_LEN + 3) & ~0x3); i += 4) { - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_chain_addr(addrx4 + j * 8, i + j); - } - wots_gen_skx4(pkbuf, sk_seed, addrx4, state_seeded); - gen_chainx4(pkbuf, pkbuf, 0, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_W - 1, pub_seed, addrx4, state_seeded); - for (j = 0; j < 4; j++) { - if (i + j < PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_LEN) { - memcpy(pk + (i + j)*PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, pkbuf + j * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N); - } - } - } - - // Get rid of unused argument variable. - (void)state_seeded; -} - -/** - * Takes a n-byte message and the 32-byte sk_see to compute a signature 'sig'. - */ -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_wots_sign(unsigned char *sig, const unsigned char *msg, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t addr[8], const hash_state *state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_chain_addr(addr, i); - wots_gen_sk(sig + i * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, sk_seed, addr, state_seeded); - gen_chain(sig + i * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, sig + i * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, 0, lengths[i], pub_seed, addr, state_seeded); - } - - // avoid unused argument - (void)state_seeded; -} - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. 
- */ -void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_wots_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_set_chain_addr(addr, i); - gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, sig + i * PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_N, - lengths[i], PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_W - 1 - lengths[i], pub_seed, addr, - state_seeded); - } - - // avoid unused argument - (void)state_seeded; -} diff --git a/crypto_sign/sphincs-haraka-192f-robust/aesni/wots.h b/crypto_sign/sphincs-haraka-192f-robust/aesni/wots.h deleted file mode 100644 index 96ac86d3..00000000 --- a/crypto_sign/sphincs-haraka-192f-robust/aesni/wots.h +++ /dev/null 
@@ -1,41 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_H
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_WOTS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-
-/**
- * WOTS key generation. Takes a 32 byte seed for the private key, expands it to
- * a full WOTS private key and computes the corresponding public key.
- * It requires the seed pub_seed (used to generate bitmasks and hash keys)
- * and the address of this WOTS key pair.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_wots_gen_pk(
- unsigned char *pk, const unsigned char *sk_seed,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * Takes a n-byte message and the 32-byte seed for the private key to compute a
- * signature that is placed at 'sig'.
- */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_wots_sign(
- unsigned char *sig, const unsigned char *msg,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_AESNI_wots_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-robust/clean/LICENSE b/crypto_sign/sphincs-haraka-192f-robust/clean/LICENSE
deleted file mode 100644
index 670154e3..00000000
--- a/crypto_sign/sphincs-haraka-192f-robust/clean/LICENSE
+++ /dev/null
@@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. 
publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. 
Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. 
Affirmer offers the Work as-is and makes no representations or warranties - of any kind concerning the Work, express, implied, statutory or otherwise, - including without limitation warranties of title, merchantability, fitness - for a particular purpose, non infringement, or the absence of latent or - other defects, accuracy, or the present or absence of errors, whether or not - discoverable, all to the greatest extent permissible under applicable law. - - c. Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without limitation - any person's Copyright and Related Rights in the Work. Further, Affirmer - disclaims responsibility for obtaining any necessary consents, permissions - or other rights required for any use of the Work. - - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to this - CC0 or use of the Work. - -For more information, please see - diff --git a/crypto_sign/sphincs-haraka-192f-robust/clean/Makefile.Microsoft_nmake b/crypto_sign/sphincs-haraka-192f-robust/clean/Makefile.Microsoft_nmake deleted file mode 100644 index 9990047b..00000000 --- a/crypto_sign/sphincs-haraka-192f-robust/clean/Makefile.Microsoft_nmake +++ /dev/null @@ -1,19 +0,0 @@ -# This Makefile can be used with Microsoft Visual Studio's nmake using the command: -# nmake /f Makefile.Microsoft_nmake - -LIBRARY=libsphincs-haraka-192f-robust_clean.lib -OBJECTS=address.obj wots.obj utils.obj fors.obj sign.obj hash_haraka.obj thash_haraka_robust.obj haraka.obj - -CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX - -all: $(LIBRARY) - -# Make sure objects are recompiled if headers change. -$(OBJECTS): *.h - -$(LIBRARY): $(OBJECTS) - LIB.EXE /NOLOGO /WX /OUT:$@ $** - -clean: - -DEL $(OBJECTS) - -DEL $(LIBRARY) 
diff --git a/crypto_sign/sphincs-haraka-192f-robust/clean/address.c b/crypto_sign/sphincs-haraka-192f-robust/clean/address.c
deleted file mode 100644
index 7bd831e8..00000000
--- a/crypto_sign/sphincs-haraka-192f-robust/clean/address.c
+++ /dev/null
@@ -1,78 +0,0 @@
-#include
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]) {
- int i;
-
- for (i = 0; i < 8; i++) {
- PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ull_to_bytes(
- bytes + i * 4, 4, addr[i]);
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_layer_addr(
- uint32_t addr[8], uint32_t layer) {
- addr[0] = layer;
-}
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_tree_addr(
- uint32_t addr[8], uint64_t tree) {
- addr[1] = 0;
- addr[2] = (uint32_t) (tree >> 32);
- addr[3] = (uint32_t) tree;
-}
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_type(
- uint32_t addr[8], uint32_t type) {
- addr[4] = type;
-}
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
-}
-
-/* These functions are used for OTS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair) {
- addr[5] = keypair;
-}
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
- out[5] = in[5];
-}
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_chain_addr(
- uint32_t addr[8], uint32_t chain) {
- addr[6] = chain;
-}
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_hash_addr(
- uint32_t addr[8], uint32_t hash) {
- addr[7] = hash;
-}
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_tree_height(
- uint32_t addr[8], uint32_t tree_height) {
- addr[6] = tree_height;
-}
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_tree_index(
- uint32_t addr[8], uint32_t tree_index) {
- addr[7] = tree_index;
-}
diff --git a/crypto_sign/sphincs-haraka-192f-robust/clean/address.h b/crypto_sign/sphincs-haraka-192f-robust/clean/address.h
deleted file mode 100644
index 3c816a16..00000000
--- a/crypto_sign/sphincs-haraka-192f-robust/clean/address.h
+++ /dev/null
@@ -1,50 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDRESS_H
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDRESS_H
-
-#include
-
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_TYPE_WOTS 0
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_TYPE_WOTSPK 1
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_TYPE_HASHTREE 2
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_TYPE_FORSTREE 3
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_TYPE_FORSPK 4
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]);
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_layer_addr(
- uint32_t addr[8], uint32_t layer);
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_tree_addr(
- uint32_t addr[8], uint64_t tree);
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_type(
- uint32_t addr[8], uint32_t type);
-
-/* Copies the layer and tree part of one address into the other */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for WOTS and FORS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair);
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_chain_addr(
- uint32_t addr[8], uint32_t chain);
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_hash_addr(
- uint32_t addr[8], uint32_t hash);
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_tree_height(
- uint32_t addr[8], uint32_t tree_height);
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_tree_index(
- uint32_t addr[8], uint32_t tree_index);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-robust/clean/api.h b/crypto_sign/sphincs-haraka-192f-robust/clean/api.h
deleted file mode 100644
index 4f02c373..00000000
--- a/crypto_sign/sphincs-haraka-192f-robust/clean/api.h
+++ /dev/null
@@ -1,81 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_API_H
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_API_H
-
-#include
-#include
-
-
-
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_CRYPTO_ALGNAME "SPHINCS+"
-
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_CRYPTO_SECRETKEYBYTES 96
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_CRYPTO_PUBLICKEYBYTES 48
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_CRYPTO_BYTES 35664
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_CRYPTO_SEEDBYTES 72
-
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_crypto_sign_seed_keypair(
- uint8_t *pk, uint8_t *sk, const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_crypto_sign_keypair(
- uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-int PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen, const uint8_t *pk);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-robust/clean/fors.c b/crypto_sign/sphincs-haraka-192f-robust/clean/fors.c
deleted file mode 100644
index e6c68b76..00000000
--- a/crypto_sign/sphincs-haraka-192f-robust/clean/fors.c
+++ /dev/null
@@ -1,161 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "fors.h" -#include "hash.h" -#include "hash_state.h" -#include "thash.h" -#include "utils.h" - -static void fors_gen_sk(unsigned char *sk, const unsigned char *sk_seed, - uint32_t fors_leaf_addr[8], const hash_state *hash_state_seeded) { - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_prf_addr( - sk, sk_seed, fors_leaf_addr, hash_state_seeded); -} - -static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk, - const unsigned char *pub_seed, - uint32_t fors_leaf_addr[8], - const hash_state *hash_state_seeded) { - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_thash_1( - leaf, sk, pub_seed, fors_leaf_addr, hash_state_seeded); -} - -static void fors_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx, const uint32_t fors_tree_addr[8], - const hash_state *hash_state_seeded) { - uint32_t fors_leaf_addr[8] = {0}; - - /* Only copy the parts that must be kept in fors_leaf_addr. */ - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_copy_keypair_addr( - fors_leaf_addr, fors_tree_addr); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_type( - fors_leaf_addr, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_TYPE_FORSTREE); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_tree_index( - fors_leaf_addr, addr_idx); - - fors_gen_sk(leaf, sk_seed, fors_leaf_addr, hash_state_seeded); - fors_sk_to_leaf(leaf, leaf, pub_seed, fors_leaf_addr, hash_state_seeded); -} - -/** - * Interprets m as PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_HEIGHT-bit unsigned integers. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_TREES bits. - * Assumes indices has space for PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_TREES integers. 
- */ -static void message_to_indices(uint32_t *indices, const unsigned char *m) { - unsigned int i, j; - unsigned int offset = 0; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_TREES; i++) { - indices[i] = 0; - for (j = 0; j < PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_HEIGHT; j++) { - indices[i] ^= (((uint32_t)m[offset >> 3] >> (offset & 0x7)) & 0x1) << j; - offset++; - } - } -} - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_TREES bits. - */ -void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_fors_sign( - unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const unsigned char *sk_seed, const unsigned char *pub_seed, - const uint32_t fors_addr[8], const hash_state *hash_state_seeded) { - uint32_t indices[PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_TREES]; - unsigned char roots[PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N]; - uint32_t fors_tree_addr[8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_copy_keypair_addr( - fors_tree_addr, fors_addr); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_copy_keypair_addr( - fors_pk_addr, fors_addr); - - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_type( - fors_tree_addr, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_TYPE_FORSTREE); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_type( - fors_pk_addr, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_TREES; i++) { - idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_HEIGHT); - - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_tree_height( - fors_tree_addr, 0); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_tree_index( - fors_tree_addr, indices[i] + idx_offset); - - /* Include 
the secret key part that produces the selected leaf node. */ - fors_gen_sk(sig, sk_seed, fors_tree_addr, hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N; - - /* Compute the authentication path for this leaf node. */ - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_treehash_FORS_HEIGHT( - roots + i * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, sig, sk_seed, pub_seed, - indices[i], idx_offset, fors_gen_leaf, fors_tree_addr, - hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_thash_FORS_TREES( - pk, roots, pub_seed, fors_pk_addr, hash_state_seeded); -} - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_TREES bits. 
- */ -void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_fors_pk_from_sig( - unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const unsigned char *pub_seed, const uint32_t fors_addr[8], - const hash_state *hash_state_seeded) { - uint32_t indices[PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_TREES]; - unsigned char roots[PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N]; - uint32_t fors_tree_addr[8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_copy_keypair_addr(fors_tree_addr, fors_addr); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_copy_keypair_addr(fors_pk_addr, fors_addr); - - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_type(fors_tree_addr, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_TYPE_FORSTREE); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_TREES; i++) { - idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_HEIGHT); - - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_tree_height(fors_tree_addr, 0); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_tree_index(fors_tree_addr, indices[i] + idx_offset); - - /* Derive the leaf from the included secret key part. */ - fors_sk_to_leaf(leaf, sig, pub_seed, fors_tree_addr, hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N; - - /* Derive the corresponding root node of this tree. 
*/ - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_compute_root(roots + i * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, leaf, indices[i], idx_offset, sig, - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_HEIGHT, pub_seed, fors_tree_addr, hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-192f-robust/clean/fors.h b/crypto_sign/sphincs-haraka-192f-robust/clean/fors.h deleted file mode 100644 index ee47e057..00000000 --- a/crypto_sign/sphincs-haraka-192f-robust/clean/fors.h +++ /dev/null 
@@ -1,32 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_H
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_H
-
-#include
-
-#include "hash_state.h"
-#include "params.h"
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_fors_sign(
- unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- const uint32_t fors_addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_fors_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const unsigned char *pub_seed, const uint32_t fors_addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-robust/clean/haraka.c b/crypto_sign/sphincs-haraka-192f-robust/clean/haraka.c
deleted file mode 100644
index ab227774..00000000
--- a/crypto_sign/sphincs-haraka-192f-robust/clean/haraka.c
+++ /dev/null
@@ -1,963 +0,0 @@ -/* - * Constant time implementation of the Haraka hash function. - * - * The bit-sliced implementation of the AES round functions are - * based on the AES implementation in BearSSL written - * by Thomas Pornin - */ - -#include -#include -#include -#include - -#include "haraka.h" - -#define HARAKAS_RATE 32 - -static const uint64_t haraka512_rc64[10][8] = { - {0x24cf0ab9086f628b, 0xbdd6eeecc83b8382, 0xd96fb0306cdad0a7, 0xaace082ac8f95f89, 0x449d8e8870d7041f, 0x49bb2f80b2b3e2f8, 0x0569ae98d93bb258, 0x23dc9691e7d6a4b1}, - {0xd8ba10ede0fe5b6e, 0x7ecf7dbe424c7b8e, 0x6ea9949c6df62a31, 0xbf3f3c97ec9c313e, 0x241d03a196a1861e, 0xead3a51116e5a2ea, 0x77d479fcad9574e3, 0x18657a1af894b7a0}, - {0x10671e1a7f595522, 0xd9a00ff675d28c7b, 0x2f1edf0d2b9ba661, 0xb8ff58b8e3de45f9, 0xee29261da9865c02, 0xd1532aa4b50bdf43, 0x8bf858159b231bb1, 0xdf17439d22d4f599}, - {0xdd4b2f0870b918c0, 0x757a81f3b39b1bb6, 0x7a5c556898952e3f, 0x7dd70a16d915d87a, 0x3ae61971982b8301, 0xc3ab319e030412be, 0x17c0033ac094a8cb, 0x5a0630fc1a8dc4ef}, - {0x17708988c1632f73, 0xf92ddae090b44f4f, 0x11ac0285c43aa314, 0x509059941936b8ba, 0xd03e152fa2ce9b69, 0x3fbcbcb63a32998b, 0x6204696d692254f7, 0x915542ed93ec59b4}, - {0xf4ed94aa8879236e, 0xff6cb41cd38e03c0, 0x069b38602368aeab, 0x669495b820f0ddba, 0xf42013b1b8bf9e3d, 0xcf935efe6439734d, 0xbc1dcf42ca29e3f8, 0x7e6d3ed29f78ad67}, - {0xf3b0f6837ffcddaa, 0x3a76faef934ddf41, 0xcec7ae583a9c8e35, 0xe4dd18c68f0260af, 0x2c0e5df1ad398eaa, 0x478df5236ae22e8c, 0xfb944c46fe865f39, 0xaa48f82f028132ba}, - {0x231b9ae2b76aca77, 0x292a76a712db0b40, 0x5850625dc8134491, 0x73137dd469810fb5, 0x8a12a6a202a474fd, 0xd36fd9daa78bdb80, 0xb34c5e733505706f, 0xbaf1cdca818d9d96}, - {0x2e99781335e8c641, 0xbddfe5cce47d560e, 0xf74e9bf32e5e040c, 0x1d7a709d65996be9, 0x670df36a9cf66cdd, 0xd05ef84a176a2875, 0x0f888e828cb1c44e, 0x1a79e9c9727b052c}, - {0x83497348628d84de, 0x2e9387d51f22a754, 0xb000068da2f852d6, 0x378c9e1190fd6fe5, 0x870027c316de7293, 0xe51a9d4462e047bb, 0x90ecf7f8c6251195, 
0x655953bfbed90a9c}, -}; - -static inline uint32_t br_dec32le(const unsigned char *src) { - return (uint32_t)src[0] - | ((uint32_t)src[1] << 8) - | ((uint32_t)src[2] << 16) - | ((uint32_t)src[3] << 24); -} - -static void br_range_dec32le(uint32_t *v, size_t num, const unsigned char *src) { - while (num-- > 0) { - *v ++ = br_dec32le(src); - src += 4; - } -} - -static inline void br_enc32le(unsigned char *dst, uint32_t x) { - dst[0] = (unsigned char)x; - dst[1] = (unsigned char)(x >> 8); - dst[2] = (unsigned char)(x >> 16); - dst[3] = (unsigned char)(x >> 24); -} - - -static void br_range_enc32le(unsigned char *dst, const uint32_t *v, size_t num) { - while (num-- > 0) { - br_enc32le(dst, *v ++); - dst += 4; - } -} - -static void br_aes_ct64_bitslice_Sbox(uint64_t *q) { - /* - * This S-box implementation is a straightforward translation of - * the circuit described by Boyar and Peralta in "A new - * combinational logic minimization technique with applications - * to cryptology" (https://eprint.iacr.org/2009/191.pdf). - * - * Note that variables x* (input) and s* (output) are numbered - * in "reverse" order (x0 is the high bit, x7 is the low bit). 
- */ - - uint64_t x0, x1, x2, x3, x4, x5, x6, x7; - uint64_t y1, y2, y3, y4, y5, y6, y7, y8, y9; - uint64_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19; - uint64_t y20, y21; - uint64_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9; - uint64_t z10, z11, z12, z13, z14, z15, z16, z17; - uint64_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9; - uint64_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19; - uint64_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29; - uint64_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39; - uint64_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49; - uint64_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59; - uint64_t t60, t61, t62, t63, t64, t65, t66, t67; - uint64_t s0, s1, s2, s3, s4, s5, s6, s7; - - x0 = q[7]; - x1 = q[6]; - x2 = q[5]; - x3 = q[4]; - x4 = q[3]; - x5 = q[2]; - x6 = q[1]; - x7 = q[0]; - - /* - * Top linear transformation. - */ - y14 = x3 ^ x5; - y13 = x0 ^ x6; - y9 = x0 ^ x3; - y8 = x0 ^ x5; - t0 = x1 ^ x2; - y1 = t0 ^ x7; - y4 = y1 ^ x3; - y12 = y13 ^ y14; - y2 = y1 ^ x0; - y5 = y1 ^ x6; - y3 = y5 ^ y8; - t1 = x4 ^ y12; - y15 = t1 ^ x5; - y20 = t1 ^ x1; - y6 = y15 ^ x7; - y10 = y15 ^ t0; - y11 = y20 ^ y9; - y7 = x7 ^ y11; - y17 = y10 ^ y11; - y19 = y10 ^ y8; - y16 = t0 ^ y11; - y21 = y13 ^ y16; - y18 = x0 ^ y16; - - /* - * Non-linear section. 
- */ - t2 = y12 & y15; - t3 = y3 & y6; - t4 = t3 ^ t2; - t5 = y4 & x7; - t6 = t5 ^ t2; - t7 = y13 & y16; - t8 = y5 & y1; - t9 = t8 ^ t7; - t10 = y2 & y7; - t11 = t10 ^ t7; - t12 = y9 & y11; - t13 = y14 & y17; - t14 = t13 ^ t12; - t15 = y8 & y10; - t16 = t15 ^ t12; - t17 = t4 ^ t14; - t18 = t6 ^ t16; - t19 = t9 ^ t14; - t20 = t11 ^ t16; - t21 = t17 ^ y20; - t22 = t18 ^ y19; - t23 = t19 ^ y21; - t24 = t20 ^ y18; - - t25 = t21 ^ t22; - t26 = t21 & t23; - t27 = t24 ^ t26; - t28 = t25 & t27; - t29 = t28 ^ t22; - t30 = t23 ^ t24; - t31 = t22 ^ t26; - t32 = t31 & t30; - t33 = t32 ^ t24; - t34 = t23 ^ t33; - t35 = t27 ^ t33; - t36 = t24 & t35; - t37 = t36 ^ t34; - t38 = t27 ^ t36; - t39 = t29 & t38; - t40 = t25 ^ t39; - - t41 = t40 ^ t37; - t42 = t29 ^ t33; - t43 = t29 ^ t40; - t44 = t33 ^ t37; - t45 = t42 ^ t41; - z0 = t44 & y15; - z1 = t37 & y6; - z2 = t33 & x7; - z3 = t43 & y16; - z4 = t40 & y1; - z5 = t29 & y7; - z6 = t42 & y11; - z7 = t45 & y17; - z8 = t41 & y10; - z9 = t44 & y12; - z10 = t37 & y3; - z11 = t33 & y4; - z12 = t43 & y13; - z13 = t40 & y5; - z14 = t29 & y2; - z15 = t42 & y9; - z16 = t45 & y14; - z17 = t41 & y8; - - /* - * Bottom linear transformation. 
- */ - t46 = z15 ^ z16; - t47 = z10 ^ z11; - t48 = z5 ^ z13; - t49 = z9 ^ z10; - t50 = z2 ^ z12; - t51 = z2 ^ z5; - t52 = z7 ^ z8; - t53 = z0 ^ z3; - t54 = z6 ^ z7; - t55 = z16 ^ z17; - t56 = z12 ^ t48; - t57 = t50 ^ t53; - t58 = z4 ^ t46; - t59 = z3 ^ t54; - t60 = t46 ^ t57; - t61 = z14 ^ t57; - t62 = t52 ^ t58; - t63 = t49 ^ t58; - t64 = z4 ^ t59; - t65 = t61 ^ t62; - t66 = z1 ^ t63; - s0 = t59 ^ t63; - s6 = t56 ^ ~t62; - s7 = t48 ^ ~t60; - t67 = t64 ^ t65; - s3 = t53 ^ t66; - s4 = t51 ^ t66; - s5 = t47 ^ t65; - s1 = t64 ^ ~s3; - s2 = t55 ^ ~t67; - - q[7] = s0; - q[6] = s1; - q[5] = s2; - q[4] = s3; - q[3] = s4; - q[2] = s5; - q[1] = s6; - q[0] = s7; -} - -static void br_aes_ct_bitslice_Sbox(uint32_t *q) { - /* - * This S-box implementation is a straightforward translation of - * the circuit described by Boyar and Peralta in "A new - * combinational logic minimization technique with applications - * to cryptology" (https://eprint.iacr.org/2009/191.pdf). - * - * Note that variables x* (input) and s* (output) are numbered - * in "reverse" order (x0 is the high bit, x7 is the low bit). - */ - - uint32_t x0, x1, x2, x3, x4, x5, x6, x7; - uint32_t y1, y2, y3, y4, y5, y6, y7, y8, y9; - uint32_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19; - uint32_t y20, y21; - uint32_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9; - uint32_t z10, z11, z12, z13, z14, z15, z16, z17; - uint32_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9; - uint32_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19; - uint32_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29; - uint32_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39; - uint32_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49; - uint32_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59; - uint32_t t60, t61, t62, t63, t64, t65, t66, t67; - uint32_t s0, s1, s2, s3, s4, s5, s6, s7; - - x0 = q[7]; - x1 = q[6]; - x2 = q[5]; - x3 = q[4]; - x4 = q[3]; - x5 = q[2]; - x6 = q[1]; - x7 = q[0]; - - /* - * Top linear transformation. 
- */
- y14 = x3 ^ x5;
- y13 = x0 ^ x6;
- y9 = x0 ^ x3;
- y8 = x0 ^ x5;
- t0 = x1 ^ x2;
- y1 = t0 ^ x7;
- y4 = y1 ^ x3;
- y12 = y13 ^ y14;
- y2 = y1 ^ x0;
- y5 = y1 ^ x6;
- y3 = y5 ^ y8;
- t1 = x4 ^ y12;
- y15 = t1 ^ x5;
- y20 = t1 ^ x1;
- y6 = y15 ^ x7;
- y10 = y15 ^ t0;
- y11 = y20 ^ y9;
- y7 = x7 ^ y11;
- y17 = y10 ^ y11;
- y19 = y10 ^ y8;
- y16 = t0 ^ y11;
- y21 = y13 ^ y16;
- y18 = x0 ^ y16;
-
- /*
- * Non-linear section.
- */
- t2 = y12 & y15;
- t3 = y3 & y6;
- t4 = t3 ^ t2;
- t5 = y4 & x7;
- t6 = t5 ^ t2;
- t7 = y13 & y16;
- t8 = y5 & y1;
- t9 = t8 ^ t7;
- t10 = y2 & y7;
- t11 = t10 ^ t7;
- t12 = y9 & y11;
- t13 = y14 & y17;
- t14 = t13 ^ t12;
- t15 = y8 & y10;
- t16 = t15 ^ t12;
- t17 = t4 ^ t14;
- t18 = t6 ^ t16;
- t19 = t9 ^ t14;
- t20 = t11 ^ t16;
- t21 = t17 ^ y20;
- t22 = t18 ^ y19;
- t23 = t19 ^ y21;
- t24 = t20 ^ y18;
-
- t25 = t21 ^ t22;
- t26 = t21 & t23;
- t27 = t24 ^ t26;
- t28 = t25 & t27;
- t29 = t28 ^ t22;
- t30 = t23 ^ t24;
- t31 = t22 ^ t26;
- t32 = t31 & t30;
- t33 = t32 ^ t24;
- t34 = t23 ^ t33;
- t35 = t27 ^ t33;
- t36 = t24 & t35;
- t37 = t36 ^ t34;
- t38 = t27 ^ t36;
- t39 = t29 & t38;
- t40 = t25 ^ t39;
-
- t41 = t40 ^ t37;
- t42 = t29 ^ t33;
- t43 = t29 ^ t40;
- t44 = t33 ^ t37;
- t45 = t42 ^ t41;
- z0 = t44 & y15;
- z1 = t37 & y6;
- z2 = t33 & x7;
- z3 = t43 & y16;
- z4 = t40 & y1;
- z5 = t29 & y7;
- z6 = t42 & y11;
- z7 = t45 & y17;
- z8 = t41 & y10;
- z9 = t44 & y12;
- z10 = t37 & y3;
- z11 = t33 & y4;
- z12 = t43 & y13;
- z13 = t40 & y5;
- z14 = t29 & y2;
- z15 = t42 & y9;
- z16 = t45 & y14;
- z17 = t41 & y8;
-
- /*
- * Bottom linear transformation.
- */
- t46 = z15 ^ z16;
- t47 = z10 ^ z11;
- t48 = z5 ^ z13;
- t49 = z9 ^ z10;
- t50 = z2 ^ z12;
- t51 = z2 ^ z5;
- t52 = z7 ^ z8;
- t53 = z0 ^ z3;
- t54 = z6 ^ z7;
- t55 = z16 ^ z17;
- t56 = z12 ^ t48;
- t57 = t50 ^ t53;
- t58 = z4 ^ t46;
- t59 = z3 ^ t54;
- t60 = t46 ^ t57;
- t61 = z14 ^ t57;
- t62 = t52 ^ t58;
- t63 = t49 ^ t58;
- t64 = z4 ^ t59;
- t65 = t61 ^ t62;
- t66 = z1 ^ t63;
- s0 = t59 ^ t63;
- s6 = t56 ^ ~t62;
- s7 = t48 ^ ~t60;
- t67 = t64 ^ t65;
- s3 = t53 ^ t66;
- s4 = t51 ^ t66;
- s5 = t47 ^ t65;
- s1 = t64 ^ ~s3;
- s2 = t55 ^ ~t67;
-
- q[7] = s0;
- q[6] = s1;
- q[5] = s2;
- q[4] = s3;
- q[3] = s4;
- q[2] = s5;
- q[1] = s6;
- q[0] = s7;
-}
-
-static void br_aes_ct_ortho(uint32_t *q) {
-#define SWAPN_32(cl, ch, s, x, y) do { \
- uint32_t a, b; \
- a = (x); \
- b = (y); \
- (x) = (a & (uint32_t)(cl)) | ((b & (uint32_t)(cl)) << (s)); \
- (y) = ((a & (uint32_t)(ch)) >> (s)) | (b & (uint32_t)(ch)); \
- } while (0)
-
-#define SWAP2_32(x, y) SWAPN_32(0x55555555, 0xAAAAAAAA, 1, x, y)
-#define SWAP4_32(x, y) SWAPN_32(0x33333333, 0xCCCCCCCC, 2, x, y)
-#define SWAP8_32(x, y) SWAPN_32(0x0F0F0F0F, 0xF0F0F0F0, 4, x, y)
-
- SWAP2_32(q[0], q[1]);
- SWAP2_32(q[2], q[3]);
- SWAP2_32(q[4], q[5]);
- SWAP2_32(q[6], q[7]);
-
- SWAP4_32(q[0], q[2]);
- SWAP4_32(q[1], q[3]);
- SWAP4_32(q[4], q[6]);
- SWAP4_32(q[5], q[7]);
-
- SWAP8_32(q[0], q[4]);
- SWAP8_32(q[1], q[5]);
- SWAP8_32(q[2], q[6]);
- SWAP8_32(q[3], q[7]);
-}
-
-static inline void add_round_key32(uint32_t *q, const uint32_t *sk) {
- q[0] ^= sk[0];
- q[1] ^= sk[1];
- q[2] ^= sk[2];
- q[3] ^= sk[3];
- q[4] ^= sk[4];
- q[5] ^= sk[5];
- q[6] ^= sk[6];
- q[7] ^= sk[7];
-}
-
-static inline void shift_rows32(uint32_t *q) {
- int i;
-
- for (i = 0; i < 8; i++) {
- uint32_t x;
-
- x = q[i];
- q[i] = (x & 0x000000FF)
- | ((x & 0x0000FC00) >> 2) | ((x & 0x00000300) << 6)
- | ((x & 0x00F00000) >> 4) | ((x & 0x000F0000) << 4)
- | ((x & 0xC0000000) >> 6) | ((x & 0x3F000000) << 2);
- }
-}
-
-static inline uint32_t rotr16(uint32_t x) {
- return (x << 16) | (x >> 16);
-}
-
-static inline void mix_columns32(uint32_t *q) {
- uint32_t q0, q1, q2, q3, q4, q5, q6, q7;
- uint32_t r0, r1, r2, r3, r4, r5, r6, r7;
-
- q0 = q[0];
- q1 = q[1];
- q2 = q[2];
- q3 = q[3];
- q4 = q[4];
- q5 = q[5];
- q6 = q[6];
- q7 = q[7];
- r0 = (q0 >> 8) | (q0 << 24);
- r1 = (q1 >> 8) | (q1 << 24);
- r2 = (q2 >> 8) | (q2 << 24);
- r3 = (q3 >> 8) | (q3 << 24);
- r4 = (q4 >> 8) | (q4 << 24);
- r5 = (q5 >> 8) | (q5 << 24);
- r6 = (q6 >> 8) | (q6 << 24);
- r7 = (q7 >> 8) | (q7 << 24);
-
- q[0] = q7 ^ r7 ^ r0 ^ rotr16(q0 ^ r0);
- q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr16(q1 ^ r1);
- q[2] = q1 ^ r1 ^ r2 ^ rotr16(q2 ^ r2);
- q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr16(q3 ^ r3);
- q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr16(q4 ^ r4);
- q[5] = q4 ^ r4 ^ r5 ^ rotr16(q5 ^ r5);
- q[6] = q5 ^ r5 ^ r6 ^ rotr16(q6 ^ r6);
- q[7] = q6 ^ r6 ^ r7 ^ rotr16(q7 ^ r7);
-}
-
-static void br_aes_ct64_ortho(uint64_t *q) {
-#define SWAPN(cl, ch, s, x, y) do { \
- uint64_t a, b; \
- a = (x); \
- b = (y); \
- (x) = (a & (uint64_t)(cl)) | ((b & (uint64_t)(cl)) << (s)); \
- (y) = ((a & (uint64_t)(ch)) >> (s)) | (b & (uint64_t)(ch)); \
- } while (0)
-
-#define SWAP2(x, y) SWAPN(0x5555555555555555, 0xAAAAAAAAAAAAAAAA, 1, x, y)
-#define SWAP4(x, y) SWAPN(0x3333333333333333, 0xCCCCCCCCCCCCCCCC, 2, x, y)
-#define SWAP8(x, y) SWAPN(0x0F0F0F0F0F0F0F0F, 0xF0F0F0F0F0F0F0F0, 4, x, y)
-
- SWAP2(q[0], q[1]);
- SWAP2(q[2], q[3]);
- SWAP2(q[4], q[5]);
- SWAP2(q[6], q[7]);
-
- SWAP4(q[0], q[2]);
- SWAP4(q[1], q[3]);
- SWAP4(q[4], q[6]);
- SWAP4(q[5], q[7]);
-
- SWAP8(q[0], q[4]);
- SWAP8(q[1], q[5]);
- SWAP8(q[2], q[6]);
- SWAP8(q[3], q[7]);
-}
-
-
-static void br_aes_ct64_interleave_in(uint64_t *q0, uint64_t *q1, const uint32_t *w) {
- uint64_t x0, x1, x2, x3;
-
- x0 = w[0];
- x1 = w[1];
- x2 = w[2];
- x3 = w[3];
- x0 |= (x0 << 16);
- x1 |= (x1 << 16);
- x2 |= (x2 << 16);
- x3 |= (x3 << 16);
- x0 &= (uint64_t)0x0000FFFF0000FFFF;
- x1 &= (uint64_t)0x0000FFFF0000FFFF;
- x2 &= (uint64_t)0x0000FFFF0000FFFF;
- x3 &= (uint64_t)0x0000FFFF0000FFFF;
- x0 |= (x0 << 8);
- x1 |= (x1 << 8);
- x2 |= (x2 << 8);
- x3 |= (x3 << 8);
- x0 &= (uint64_t)0x00FF00FF00FF00FF;
- x1 &= (uint64_t)0x00FF00FF00FF00FF;
- x2 &= (uint64_t)0x00FF00FF00FF00FF;
- x3 &= (uint64_t)0x00FF00FF00FF00FF;
- *q0 = x0 | (x2 << 8);
- *q1 = x1 | (x3 << 8);
-}
-
-
-static void br_aes_ct64_interleave_out(uint32_t *w, uint64_t q0, uint64_t q1) {
- uint64_t x0, x1, x2, x3;
-
- x0 = q0 & (uint64_t)0x00FF00FF00FF00FF;
- x1 = q1 & (uint64_t)0x00FF00FF00FF00FF;
- x2 = (q0 >> 8) & (uint64_t)0x00FF00FF00FF00FF;
- x3 = (q1 >> 8) & (uint64_t)0x00FF00FF00FF00FF;
- x0 |= (x0 >> 8);
- x1 |= (x1 >> 8);
- x2 |= (x2 >> 8);
- x3 |= (x3 >> 8);
- x0 &= (uint64_t)0x0000FFFF0000FFFF;
- x1 &= (uint64_t)0x0000FFFF0000FFFF;
- x2 &= (uint64_t)0x0000FFFF0000FFFF;
- x3 &= (uint64_t)0x0000FFFF0000FFFF;
- w[0] = (uint32_t)x0 | (uint32_t)(x0 >> 16);
- w[1] = (uint32_t)x1 | (uint32_t)(x1 >> 16);
- w[2] = (uint32_t)x2 | (uint32_t)(x2 >> 16);
- w[3] = (uint32_t)x3 | (uint32_t)(x3 >> 16);
-}
-
-static inline void add_round_key(uint64_t *q, const uint64_t *sk) {
- q[0] ^= sk[0];
- q[1] ^= sk[1];
- q[2] ^= sk[2];
- q[3] ^= sk[3];
- q[4] ^= sk[4];
- q[5] ^= sk[5];
- q[6] ^= sk[6];
- q[7] ^= sk[7];
-}
-
-static inline void shift_rows(uint64_t *q) {
- int i;
-
- for (i = 0; i < 8; i++) {
- uint64_t x;
-
- x = q[i];
- q[i] = (x & (uint64_t)0x000000000000FFFF)
- | ((x & (uint64_t)0x00000000FFF00000) >> 4)
- | ((x & (uint64_t)0x00000000000F0000) << 12)
- | ((x & (uint64_t)0x0000FF0000000000) >> 8)
- | ((x & (uint64_t)0x000000FF00000000) << 8)
- | ((x & (uint64_t)0xF000000000000000) >> 12)
- | ((x & (uint64_t)0x0FFF000000000000) << 4);
- }
-}
-
-static inline uint64_t rotr32(uint64_t x) {
- return (x << 32) | (x >> 32);
-}
-
-static inline void mix_columns(uint64_t *q) {
- uint64_t q0, q1, q2, q3, q4, q5, q6, q7;
- uint64_t r0, r1, r2, r3, r4, r5, r6, r7;
-
- q0 = q[0];
- q1 = q[1];
- q2 = q[2];
- q3 = q[3];
- q4 = q[4];
- q5 = q[5];
- q6 = q[6];
- q7 = q[7];
- r0 = (q0 >> 16) | (q0 << 48);
- r1 = (q1 >> 16) | (q1 << 48);
- r2 = (q2 >> 16) | (q2 << 48);
- r3 = (q3 >> 16) | (q3 << 48);
- r4 = (q4 >> 16) | (q4 << 48);
- r5 = (q5 >> 16) | (q5 << 48);
- r6 = (q6 >> 16) | (q6 << 48);
- r7 = (q7 >> 16) | (q7 << 48);
-
- q[0] = q7 ^ r7 ^ r0 ^ rotr32(q0 ^ r0);
- q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr32(q1 ^ r1);
- q[2] = q1 ^ r1 ^ r2 ^ rotr32(q2 ^ r2);
- q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr32(q3 ^ r3);
- q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr32(q4 ^ r4);
- q[5] = q4 ^ r4 ^ r5 ^ rotr32(q5 ^ r5);
- q[6] = q5 ^ r5 ^ r6 ^ rotr32(q6 ^ r6);
- q[7] = q6 ^ r6 ^ r7 ^ rotr32(q7 ^ r7);
-}
-
-static void interleave_constant(uint64_t *out, const unsigned char *in) {
- uint32_t tmp_32_constant[16];
- int i;
-
- br_range_dec32le(tmp_32_constant, 16, in);
- for (i = 0; i < 4; i++) {
- br_aes_ct64_interleave_in(&out[i], &out[i + 4], tmp_32_constant + (i << 2));
- }
- br_aes_ct64_ortho(out);
-}
-
-static void interleave_constant32(uint32_t *out, const unsigned char *in) {
- int i;
- for (i = 0; i < 4; i++) {
- out[2 * i] = br_dec32le(in + 4 * i);
- out[2 * i + 1] = br_dec32le(in + 4 * i + 16);
- }
- br_aes_ct_ortho(out);
-}
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length) {
- unsigned char buf[40 * 16];
- int i;
-
- /* Use the standard constants to generate tweaked ones. */
- memcpy((uint8_t *)state->tweaked512_rc64, (uint8_t *)haraka512_rc64, 40 * 16);
-
- /* Constants for sk.seed */
- if (sk_seed != NULL) {
- PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S(
- buf, 40 * 16, sk_seed, seed_length, state);
-
- /* Interleave constants */
- for (i = 0; i < 10; i++) {
- interleave_constant32(state->tweaked256_rc32_sseed[i], buf + 32 * i);
- }
- }
-
- /* Constants for pk.seed */
- PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S(
- buf, 40 * 16, pk_seed, seed_length, state);
- for (i = 0; i < 10; i++) {
- interleave_constant32(state->tweaked256_rc32[i], buf + 32 * i);
- interleave_constant(state->tweaked512_rc64[i], buf + 64 * i);
- }
-}
-
-static void haraka_S_absorb(unsigned char *s,
- const unsigned char *m, unsigned long long mlen,
- unsigned char p, const harakactx *state) {
- unsigned long long i;
- unsigned char t[HARAKAS_RATE];
-
- while (mlen >= HARAKAS_RATE) {
- /* XOR block to state */
- for (i = 0; i < HARAKAS_RATE; ++i) {
- s[i] ^= m[i];
- }
- PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka512_perm(s, s, state);
- mlen -= HARAKAS_RATE;
- m += HARAKAS_RATE;
- }
-
- for (i = 0; i < HARAKAS_RATE; ++i) {
- t[i] = 0;
- }
- for (i = 0; i < mlen; ++i) {
- t[i] = m[i];
- }
- t[i] = p;
- t[HARAKAS_RATE - 1] |= 128;
- for (i = 0; i < HARAKAS_RATE; ++i) {
- s[i] ^= t[i];
- }
-}
-
-static void haraka_S_squeezeblocks(unsigned char *h, unsigned long long nblocks,
- unsigned char *s, const harakactx *state) {
- while (nblocks > 0) {
- PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka512_perm(s, s, state);
- memcpy(h, s, HARAKAS_RATE);
- h += HARAKAS_RATE;
- nblocks--;
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S_inc_init(uint8_t *s_inc) {
- size_t i;
-
- for (i = 0; i < 64; i++) {
- s_inc[i] = 0;
- }
- s_inc[64] = 0;
-}
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state) {
- size_t i;
-
- /* Recall that s_inc[64] is the non-absorbed bytes xored into the state */
- while (mlen + s_inc[64] >= HARAKAS_RATE) {
- for (i = 0; i < (size_t)(HARAKAS_RATE - s_inc[64]); i++) {
- /* Take the i'th byte from message
- xor with the s_inc[64] + i'th byte of the state */
- s_inc[s_inc[64] + i] ^= m[i];
- }
- mlen -= (size_t)(HARAKAS_RATE - s_inc[64]);
- m += HARAKAS_RATE - s_inc[64];
- s_inc[64] = 0;
-
- PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka512_perm(s_inc, s_inc, state);
- }
-
- for (i = 0; i < mlen; i++) {
- s_inc[s_inc[64] + i] ^= m[i];
- }
- s_inc[64] = (uint8_t)(mlen + s_inc[64]);
-}
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S_inc_finalize(uint8_t *s_inc) {
- /* After haraka_S_inc_absorb, we are guaranteed that s_inc[64] < HARAKAS_RATE,
- so we can always use one more byte for p in the current state. */
- s_inc[s_inc[64]] ^= 0x1F;
- s_inc[HARAKAS_RATE - 1] ^= 128;
- s_inc[64] = 0;
-}
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state) {
- uint8_t i;
-
- /* First consume any bytes we still have sitting around */
- for (i = 0; i < outlen && i < s_inc[64]; i++) {
- /* There are s_inc[64] bytes left, so r - s_inc[64] is the first
- available byte. We consume from there, i.e., up to r.
- */
- out[i] = s_inc[(HARAKAS_RATE - s_inc[64] + i)];
- }
- out += i;
- outlen -= i;
- s_inc[64] = (uint8_t)(s_inc[64] - i);
-
- /* Then squeeze the remaining necessary blocks */
- while (outlen > 0) {
- PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka512_perm(s_inc, s_inc, state);
-
- for (i = 0; i < outlen && i < HARAKAS_RATE; i++) {
- out[i] = s_inc[i];
- }
- out += i;
- outlen -= i;
- s_inc[64] = (uint8_t)(HARAKAS_RATE - i);
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S(unsigned char *out, unsigned long long outlen, const unsigned char *in, unsigned long long inlen, const harakactx *state) {
- unsigned long long i;
- unsigned char s[64];
- unsigned char d[32];
-
- for (i = 0; i < 64; i++) {
- s[i] = 0;
- }
- haraka_S_absorb(s, in, inlen, 0x1F, state);
-
- haraka_S_squeezeblocks(out, outlen / 32, s, state);
- out += (outlen / 32) * 32;
-
- if (outlen % 32) {
- haraka_S_squeezeblocks(d, 1, s, state);
- for (i = 0; i < outlen % 32; i++) {
- out[i] = d[i];
- }
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state) {
- uint32_t w[16];
- uint64_t q[8], tmp_q;
- unsigned int i, j;
-
- br_range_dec32le(w, 16, in);
- for (i = 0; i < 4; i++) {
- br_aes_ct64_interleave_in(&q[i], &q[i + 4], w + (i << 2));
- }
- br_aes_ct64_ortho(q);
-
- /* AES rounds */
- for (i = 0; i < 5; i++) {
- for (j = 0; j < 2; j++) {
- br_aes_ct64_bitslice_Sbox(q);
- shift_rows(q);
- mix_columns(q);
- add_round_key(q, state->tweaked512_rc64[2 * i + j]);
- }
- /* Mix states */
- for (j = 0; j < 8; j++) {
- tmp_q = q[j];
- q[j] = (tmp_q & 0x0001000100010001) << 5 |
- (tmp_q & 0x0002000200020002) << 12 |
- (tmp_q & 0x0004000400040004) >> 1 |
- (tmp_q & 0x0008000800080008) << 6 |
- (tmp_q & 0x0020002000200020) << 9 |
- (tmp_q & 0x0040004000400040) >> 4 |
- (tmp_q & 0x0080008000800080) << 3 |
- (tmp_q & 0x2100210021002100) >> 5 |
- (tmp_q & 0x0210021002100210) << 2 |
- (tmp_q & 0x0800080008000800) << 4 |
- (tmp_q & 0x1000100010001000) >> 12 |
- (tmp_q & 0x4000400040004000) >> 10 |
- (tmp_q & 0x8400840084008400) >> 3;
- }
- }
-
- br_aes_ct64_ortho(q);
- for (i = 0; i < 4; i ++) {
- br_aes_ct64_interleave_out(w + (i << 2), q[i], q[i + 4]);
- }
- br_range_enc32le(out, w, 16);
-}
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state) {
- int i;
-
- unsigned char buf[64];
-
- PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka512_perm(buf, in, state);
- /* Feed-forward */
- for (i = 0; i < 64; i++) {
- buf[i] = buf[i] ^ in[i];
- }
-
- /* Truncated */
- memcpy(out, buf + 8, 8);
- memcpy(out + 8, buf + 24, 8);
- memcpy(out + 16, buf + 32, 8);
- memcpy(out + 24, buf + 48, 8);
-}
-
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state) {
- uint32_t q[8], tmp_q;
- int i, j;
-
- for (i = 0; i < 4; i++) {
- q[2 * i] = br_dec32le(in + 4 * i);
- q[2 * i + 1] = br_dec32le(in + 4 * i + 16);
- }
- br_aes_ct_ortho(q);
-
- /* AES rounds */
- for (i = 0; i < 5; i++) {
- for (j = 0; j < 2; j++) {
- br_aes_ct_bitslice_Sbox(q);
- shift_rows32(q);
- mix_columns32(q);
- add_round_key32(q, state->tweaked256_rc32[2 * i + j]);
- }
-
- /* Mix states */
- for (j = 0; j < 8; j++) {
- tmp_q = q[j];
- q[j] = (tmp_q & 0x81818181) |
- (tmp_q & 0x02020202) << 1 |
- (tmp_q & 0x04040404) << 2 |
- (tmp_q & 0x08080808) << 3 |
- (tmp_q & 0x10101010) >> 3 |
- (tmp_q & 0x20202020) >> 2 |
- (tmp_q & 0x40404040) >> 1;
- }
- }
-
- br_aes_ct_ortho(q);
- for (i = 0; i < 4; i++) {
- br_enc32le(out + 4 * i, q[2 * i]);
- br_enc32le(out + 4 * i + 16, q[2 * i + 1]);
- }
-
- for (i = 0; i < 32; i++) {
- out[i] ^= in[i];
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state) {
- uint32_t q[8], tmp_q;
- int i, j;
-
- for (i = 0; i < 4; i++) {
- q[2 * i] = br_dec32le(in + 4 * i);
- q[2 * i + 1] = br_dec32le(in + 4 * i + 16);
- }
- br_aes_ct_ortho(q);
-
- /* AES rounds */
- for (i = 0; i < 5; i++) {
- for (j = 0; j < 2; j++) {
- br_aes_ct_bitslice_Sbox(q);
- shift_rows32(q);
- mix_columns32(q);
- add_round_key32(q, state->tweaked256_rc32_sseed[2 * i + j]);
- }
-
- /* Mix states */
- for (j = 0; j < 8; j++) {
- tmp_q = q[j];
- q[j] = (tmp_q & 0x81818181) |
- (tmp_q & 0x02020202) << 1 |
- (tmp_q & 0x04040404) << 2 |
- (tmp_q & 0x08080808) << 3 |
- (tmp_q & 0x10101010) >> 3 |
- (tmp_q & 0x20202020) >> 2 |
- (tmp_q & 0x40404040) >> 1;
- }
- }
-
- br_aes_ct_ortho(q);
- for (i = 0; i < 4; i++) {
- br_enc32le(out + 4 * i, q[2 * i]);
- br_enc32le(out + 4 * i + 16, q[2 * i + 1]);
- }
-
- for (i = 0; i < 32; i++) {
- out[i] ^= in[i];
- }
-}
diff --git a/crypto_sign/sphincs-haraka-192f-robust/clean/haraka.h b/crypto_sign/sphincs-haraka-192f-robust/clean/haraka.h
deleted file mode 100644
index b5b19f50..00000000
--- a/crypto_sign/sphincs-haraka-192f-robust/clean/haraka.h
+++ /dev/null
@@ -1,40 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_HARAKA_H
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_HARAKA_H
-
-#include
-#include
-
-typedef struct {
- uint64_t tweaked512_rc64[10][8];
- uint32_t tweaked256_rc32[10][8];
- uint32_t tweaked256_rc32_sseed[10][8];
-} harakactx;
-
-/* Tweak constants with seed */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length);
-
-/* Haraka Sponge */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S_inc_init(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S_inc_finalize(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S(
- unsigned char *out, unsigned long long outlen,
- const unsigned char *in, unsigned long long inlen, const harakactx *state);
-
-/* Applies the 512-bit Haraka permutation to in. */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-512 */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 using sk.seed constants */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-robust/clean/hash.h b/crypto_sign/sphincs-haraka-192f-robust/clean/hash.h
deleted file mode 100644
index 16e3ecce..00000000
--- a/crypto_sign/sphincs-haraka-192f-robust/clean/hash.h
+++ /dev/null
@@ -1,31 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_HASH_H
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_HASH_H
-
-#include "hash_state.h"
-
-#include
-#include
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed);
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_destroy_hash_function(hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-robust/clean/hash_haraka.c b/crypto_sign/sphincs-haraka-192f-robust/clean/hash_haraka.c
deleted file mode 100644
index 265a7b43..00000000
--- a/crypto_sign/sphincs-haraka-192f-robust/clean/hash_haraka.c
+++ /dev/null
@@ -1,96 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "haraka.h"
-#include "hash.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed) {
- PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_tweak_constants(hash_state_seeded, pub_seed, sk_seed, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N);
-}
-
-/* The haraka implementation is stack based and won't be replaced in PQClean/OQS,
- so we don't need to do anything */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_destroy_hash_function(
- hash_state *hash_state_seeded) { // NOLINT(readability-non-const-parameter)
- (void)hash_state_seeded;
-}
-
-/*
- * Computes PRF(key, addr), given a secret key of PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N bytes and an address
- */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- unsigned char buf[PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_BYTES];
- /* Since PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N may be smaller than 32, we need a temporary buffer. */
- unsigned char outbuf[32];
-
- (void)key; /* Suppress an 'unused parameter' warning. */
-
- PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_addr_to_bytes(buf, addr);
- PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka256_sk(outbuf, buf, hash_state_seeded);
- memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N);
-}
-
-/**
- * Computes the message-dependent randomness R, using a secret seed and an
- * optional randomization value as well as the message.
- */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded) {
- uint8_t s_inc[65];
-
- PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S_inc_init(s_inc);
- PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, sk_prf, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, optrand, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S_inc_finalize(s_inc);
- PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S_inc_squeeze(R, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, s_inc, hash_state_seeded);
-}
-
-/**
- * Computes the message hash using R, the public key, and the message.
- * Outputs the message digest and the index of the leaf. The index is split in
- * the tree index and the leaf index, for convenient copying to an address.
- */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded) {
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_TREE_BITS (PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_TREE_HEIGHT * (PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_D - 1))
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_TREE_BYTES ((PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_TREE_BITS + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_LEAF_BITS PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_TREE_HEIGHT
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_LEAF_BYTES ((PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_LEAF_BITS + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_DGST_BYTES (PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_MSG_BYTES + PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_TREE_BYTES + PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_LEAF_BYTES)
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_DGST_BYTES];
- unsigned char *bufp = buf;
- uint8_t s_inc[65];
-
- PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S_inc_init(s_inc);
- PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, R, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, pk + PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S_inc_finalize(s_inc);
- PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S_inc_squeeze(buf, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_DGST_BYTES, s_inc, hash_state_seeded);
-
- memcpy(digest, bufp, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_MSG_BYTES);
- bufp += PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_MSG_BYTES;
-
- *tree = PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_bytes_to_ull(bufp, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_TREE_BYTES);
- *tree &= (~(uint64_t)0) >> (64 - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_TREE_BITS);
- bufp += PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_TREE_BYTES;
-
- *leaf_idx = (uint32_t)PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_bytes_to_ull(
- bufp, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_LEAF_BYTES);
- *leaf_idx &= (~(uint32_t)0) >> (32 - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_LEAF_BITS);
-}
diff --git a/crypto_sign/sphincs-haraka-192f-robust/clean/hash_state.h b/crypto_sign/sphincs-haraka-192f-robust/clean/hash_state.h
deleted file mode 100644
index 5adb1d9a..00000000
--- a/crypto_sign/sphincs-haraka-192f-robust/clean/hash_state.h
+++ /dev/null
@@ -1,26 +0,0 @@
-#ifndef SPX_HASH_STATE_H
-#define SPX_HASH_STATE_H
-
-/**
- * Defines the type of the hash function state.
- *
- * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
- *
- * From Section 7.2.2 from the SPHINCS+ round-2 specification:
- *
- * Each of the instances of the tweakable hash function take PK.seed as its
- * first input, which is constant for a given key pair – and, thus, across
- * a single signature. This leads to a lot of redundant computation. To remedy
- * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
- * Because of the Merkle-Damgård construction that underlies SHA-256, this
- * allows for reuse of the intermediate SHA-256 state after the initial call to
- * the compression function which improves performance.
- *
- * We pass this hash state around in functions, because otherwise we need to
- * have a global variable.
- */
-
-#include "haraka.h"
-#define hash_state harakactx
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-robust/clean/params.h b/crypto_sign/sphincs-haraka-192f-robust/clean/params.h
deleted file mode 100644
index ec201a1f..00000000
--- a/crypto_sign/sphincs-haraka-192f-robust/clean/params.h
+++ /dev/null
@@ -1,53 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_PARAMS_H
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_PARAMS_H
-
-/* Hash output length in bytes. */
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N 24
-/* Height of the hypertree. */
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FULL_HEIGHT 66
-/* Number of subtree layer. */
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_D 22
-/* FORS tree dimensions. */
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_HEIGHT 8
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_TREES 33
-/* Winternitz parameter,
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_W 16
-
-/* The hash function is defined by linking a different hash.c file, as opposed
- to setting a #define constant. */
-
-/* For clarity */
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_BYTES 32
-
-/* WOTS parameters. */
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_LOGW 4
-
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_LEN1 (8 * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N / PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_LOGW)
-
-/* PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_LEN2 3
-
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_LEN (PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_LEN1 + PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_LEN2)
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_BYTES (PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_LEN * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_PK_BYTES PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_BYTES
-
-/* Subtree size. */
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_TREE_HEIGHT (PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FULL_HEIGHT / PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_D)
-
-/* FORS parameters. */
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_MSG_BYTES ((PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_TREES + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_BYTES ((PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_HEIGHT + 1) * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_PK_BYTES PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N
-
-/* Resulting SPX sizes. */
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_BYTES (PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N + PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_BYTES + PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_D * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_BYTES +\
- PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FULL_HEIGHT * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_PK_BYTES (2 * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_SK_BYTES (2 * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N + PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_PK_BYTES)
-
-/* Optionally, signing can be made non-deterministic using optrand.
- This can help counter side-channel attacks that would benefit from
- getting a large number of traces when the signer uses the same nodes. */
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_OPTRAND_BYTES 32
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-robust/clean/sign.c b/crypto_sign/sphincs-haraka-192f-robust/clean/sign.c
deleted file mode 100644
index 965559a2..00000000
--- a/crypto_sign/sphincs-haraka-192f-robust/clean/sign.c
+++ /dev/null
@@ -1,356 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "api.h" -#include "fors.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "randombytes.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - -/** - * Computes the leaf at a given address. First generates the WOTS key pair, - * then computes leaf by hashing horizontally. - */ -static void wots_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx, const uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - unsigned char pk[PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_BYTES]; - uint32_t wots_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_TYPE_WOTSPK); - - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_keypair_addr( - wots_addr, addr_idx); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_wots_gen_pk( - pk, sk_seed, pub_seed, wots_addr, hash_state_seeded); - - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_copy_keypair_addr( - wots_pk_addr, wots_addr); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_thash_WOTS_LEN( - leaf, pk, pub_seed, wots_pk_addr, hash_state_seeded); -} - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_crypto_sign_secretkeybytes(void) { - return PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_CRYPTO_SECRETKEYBYTES; -} - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_crypto_sign_publickeybytes(void) { - return PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_CRYPTO_PUBLICKEYBYTES; -} - -/* - * Returns the length of a signature, in bytes - */ -size_t 
PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_crypto_sign_bytes(void) { - return PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_CRYPTO_BYTES; -} - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_crypto_sign_seedbytes(void) { - return PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_CRYPTO_SEEDBYTES; -} - -/* - * Generates an SPX key pair given a seed of length - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_crypto_sign_seed_keypair( - uint8_t *pk, uint8_t *sk, const uint8_t *seed) { - /* We do not need the auth path in key generation, but it simplifies the - code to have just one treehash routine that computes both root and path - in one function. */ - unsigned char auth_path[PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N]; - uint32_t top_tree_addr[8] = {0}; - hash_state hash_state_seeded; - - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_layer_addr( - top_tree_addr, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_D - 1); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_type( - top_tree_addr, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_TYPE_HASHTREE); - - /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */ - memcpy(sk, seed, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_CRYPTO_SEEDBYTES); - - memcpy(pk, sk + 2 * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_initialize_hash_function(&hash_state_seeded, pk, sk); - - /* Compute root node of the top-most subtree. 
*/ - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_treehash_TREE_HEIGHT( - sk + 3 * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, auth_path, sk, sk + 2 * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, 0, 0, - wots_gen_leaf, top_tree_addr, &hash_state_seeded); - - memcpy(pk + PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, sk + 3 * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N); - - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_destroy_hash_function(&hash_state_seeded); - return 0; -} - -/* - * Generates an SPX key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk) { - unsigned char seed[PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_CRYPTO_SEEDBYTES]; - randombytes(seed, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_CRYPTO_SEEDBYTES); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_crypto_sign_seed_keypair( - pk, sk, seed); - - return 0; -} - -/** - * Returns an array containing a detached signature. - */ -int PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - const unsigned char *sk_seed = sk; - const unsigned char *sk_prf = sk + PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N; - const unsigned char *pk = sk + 2 * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N; - const unsigned char *pub_seed = pk; - - unsigned char optrand[PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N]; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_MSG_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N]; - uint32_t i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - - hash_state hash_state_seeded; - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_initialize_hash_function( - &hash_state_seeded, - pub_seed, sk_seed); - - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_TYPE_HASHTREE); - - /* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. */ - randombytes(optrand, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N); - /* Compute the digest randomization value. */ - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_gen_message_random( - sig, sk_prf, optrand, m, mlen, &hash_state_seeded); - - /* Derive the message digest and leaf index from R, PK and M. */ - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N; - - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - /* Sign the message hash using FORS. */ - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_fors_sign( - sig, root, mhash, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_BYTES; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_D; i++) { - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - /* Compute a WOTS signature. 
*/ - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_wots_sign( - sig, root, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_BYTES; - - /* Compute the authentication path for the used WOTS leaf. */ - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_treehash_TREE_HEIGHT( - root, sig, sk_seed, pub_seed, idx_leaf, 0, - wots_gen_leaf, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_TREE_HEIGHT; - } - - *siglen = PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_BYTES; - - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_destroy_hash_function(&hash_state_seeded); - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - const unsigned char *pub_seed = pk; - const unsigned char *pub_root = pk + PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_MSG_BYTES]; - unsigned char wots_pk[PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N]; - unsigned int i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - hash_state hash_state_seeded; - - if (siglen != PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_BYTES) { - return -1; - } - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_initialize_hash_function( - &hash_state_seeded, - pub_seed, NULL); - - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_TYPE_HASHTREE); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_TYPE_WOTSPK); - - /* Derive the message digest and leaf index from R || PK || M. */ - /* The additional PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N is a result of the hash domain separator. */ - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N; - - /* Layer correctly defaults to 0, so no need to set_layer_addr */ - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_fors_pk_from_sig( - root, sig, mhash, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_BYTES; - - /* For each subtree.. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_D; i++) { - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_copy_keypair_addr( - wots_pk_addr, wots_addr); - - /* The WOTS public key is only correct if the signature was correct. */ - /* Initially, root is the FORS pk, but on subsequent iterations it is - the root of the subtree below the currently processed subtree. 
*/ - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_wots_pk_from_sig( - wots_pk, sig, root, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_BYTES; - - /* Compute the leaf node using the WOTS public key. */ - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_thash_WOTS_LEN( - leaf, wots_pk, pub_seed, wots_pk_addr, &hash_state_seeded); - - /* Compute the root node of this subtree. */ - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_compute_root( - root, leaf, idx_leaf, 0, sig, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_TREE_HEIGHT, - pub_seed, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_TREE_HEIGHT; - } - - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_destroy_hash_function(&hash_state_seeded); - /* Check if the root node equals the root node in the public key. */ - if (memcmp(root, pub_root, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N) != 0) { - return -1; - } - - return 0; -} - - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - size_t siglen; - - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_crypto_sign_signature( - sm, &siglen, m, mlen, sk); - - memmove(sm + PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_BYTES, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. 
- */ -int PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk) { - /* The API caller does not necessarily know what size a signature should be - but SPHINCS+ signatures are always exactly PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_BYTES. */ - if (smlen < PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_BYTES) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_BYTES; - - if (PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_crypto_sign_verify( - sm, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_BYTES, sm + PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_BYTES, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_BYTES, *mlen); - - return 0; -} diff --git a/crypto_sign/sphincs-haraka-192f-robust/clean/thash.h b/crypto_sign/sphincs-haraka-192f-robust/clean/thash.h deleted file mode 100644 index dc6ac5b2..00000000 --- a/crypto_sign/sphincs-haraka-192f-robust/clean/thash.h +++ /dev/null 
@@ -1,28 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_THASH_H
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_THASH_H
-
-#include "hash_state.h"
-
-#include
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_thash_1(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_thash_2(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_thash_WOTS_LEN(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_thash_FORS_TREES(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-robust/clean/thash_haraka_robust.c b/crypto_sign/sphincs-haraka-192f-robust/clean/thash_haraka_robust.c
deleted file mode 100644
index bebcfc33..00000000
--- a/crypto_sign/sphincs-haraka-192f-robust/clean/thash_haraka_robust.c
+++ /dev/null
@@ -1,94 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" - -#include "haraka.h" - -/** - * Takes an array of inblocks concatenated arrays of PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N bytes. - */ -static void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_thash( - unsigned char *out, unsigned char *buf, - const unsigned char *in, unsigned int inblocks, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char *bitmask = buf + PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_BYTES; - unsigned char outbuf[32]; - unsigned char buf_tmp[64]; - unsigned int i; - - (void)pub_seed; /* Suppress an 'unused parameter' warning. */ - - if (inblocks == 1) { - /* F function */ - /* Since PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N may be smaller than 32, we need a temporary buffer. */ - memset(buf_tmp, 0, 64); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_addr_to_bytes(buf_tmp, addr); - - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka256(outbuf, buf_tmp, hash_state_seeded); - for (i = 0; i < inblocks * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N; i++) { - buf_tmp[PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_BYTES + i] = in[i] ^ outbuf[i]; - } - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka512(outbuf, buf_tmp, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N); - } else { - /* All other tweakable hashes*/ - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_addr_to_bytes(buf, addr); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S( - bitmask, inblocks * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, buf, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_BYTES, hash_state_seeded); - - for (i = 0; i < inblocks * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N; i++) { - buf[PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_BYTES + i] = in[i] ^ bitmask[i]; - } - - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_haraka_S( - out, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, buf, 
PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_BYTES + inblocks * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, hash_state_seeded); - } -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_BYTES + 1 * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_thash( - out, buf, in, 1, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_BYTES + 2 * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_thash( - out, buf, in, 2, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_LEN * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_thash( - out, buf, in, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_LEN, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_thash( - out, buf, in, 
PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_TREES, pub_seed, addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-192f-robust/clean/utils.c b/crypto_sign/sphincs-haraka-192f-robust/clean/utils.c deleted file mode 100644 index 8bf3a679..00000000 --- a/crypto_sign/sphincs-haraka-192f-robust/clean/utils.c +++ /dev/null 
@@ -1,199 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" -#include "utils.h" - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in) { - - /* Iterate over out in decreasing order, for big-endianness. */ - for (size_t i = outlen; i > 0; i--) { - out[i - 1] = in & 0xff; - in = in >> 8; - } -} - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_bytes_to_ull( - const unsigned char *in, size_t inlen) { - unsigned long long retval = 0; - - for (size_t i = 0; i < inlen; i++) { - retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i)); - } - return retval; -} - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - unsigned char buffer[2 * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N]; - - /* If leaf_idx is odd (last bit = 1), current path element is a right child - and auth_path has to go left. Otherwise it is the other way around. 
*/ - if (leaf_idx & 1) { - memcpy(buffer + PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, leaf, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N); - } else { - memcpy(buffer, leaf, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, auth_path, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N; - - for (i = 0; i < tree_height - 1; i++) { - leaf_idx >>= 1; - idx_offset >>= 1; - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_tree_height(addr, i + 1); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_tree_index( - addr, leaf_idx + idx_offset); - - /* Pick the right or left neighbor, depending on parity of the node. */ - if (leaf_idx & 1) { - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_thash_2( - buffer + PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N); - } else { - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_thash_2( - buffer, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, auth_path, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N; - } - - /* The last iteration is exceptional; we do not copy an auth_path node. */ - leaf_idx >>= 1; - idx_offset >>= 1; - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_tree_height(addr, tree_height); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_tree_index( - addr, leaf_idx + idx_offset); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_thash_2( - root, buffer, pub_seed, addr, hash_state_seeded); -} - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. 
PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -static void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_treehash( - unsigned char *root, unsigned char *auth_path, - unsigned char *stack, unsigned int *heights, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - - unsigned int offset = 0; - uint32_t idx; - uint32_t tree_idx; - - for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) { - /* Add the next leaf node to the stack. */ - gen_leaf(stack + offset * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, - sk_seed, pub_seed, idx + idx_offset, tree_addr, - hash_state_seeded); - offset++; - heights[offset - 1] = 0; - - /* If this is a node we need for the auth path.. */ - if ((leaf_idx ^ 0x1) == idx) { - memcpy(auth_path, stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N); - } - - /* While the top-most nodes are of equal height.. */ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { - /* Compute index of the new node, in the next layer. */ - tree_idx = (idx >> (heights[offset - 1] + 1)); - - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_tree_height( - tree_addr, heights[offset - 1] + 1); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_tree_index( - tree_addr, tree_idx + (idx_offset >> (heights[offset - 1] + 1))); - /* Hash the top-most nodes from the stack together. 
*/ - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_thash_2( - stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, - pub_seed, tree_addr, hash_state_seeded); - offset--; - /* Note that the top-most node is now one layer higher. */ - heights[offset - 1]++; - - /* If this is a node we need for the auth path.. */ - if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) { - memcpy(auth_path + heights[offset - 1]*PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, - stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N); - } - } - } - memcpy(root, stack, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N); -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_FORS_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* 
leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_TREE_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_TREE_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_TREE_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-192f-robust/clean/utils.h b/crypto_sign/sphincs-haraka-192f-robust/clean/utils.h deleted file mode 100644 index 3c8bd7e4..00000000 --- a/crypto_sign/sphincs-haraka-192f-robust/clean/utils.h +++ /dev/null 
@@ -1,64 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_UTILS_H
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_UTILS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-#include
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ull_to_bytes(
- unsigned char *out, size_t outlen, unsigned long long in);
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-unsigned long long PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_bytes_to_ull(
- const unsigned char *in, size_t inlen);
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_compute_root(
- unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_treehash_FORS_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_treehash_TREE_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-robust/clean/wots.c b/crypto_sign/sphincs-haraka-192f-robust/clean/wots.c
deleted file mode 100644
index bcbab844..00000000
--- a/crypto_sign/sphincs-haraka-192f-robust/clean/wots.c
+++ /dev/null
@@ -1,167 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - -// TODO clarify address expectations, and make them more uniform. -// TODO i.e. do we expect types to be set already? -// TODO and do we expect modifications or copies? - -/** - * Computes the starting value for a chain, i.e. the secret key. - * Expects the address to be complete up to the chain address. - */ -static void wots_gen_sk(unsigned char *sk, const unsigned char *sk_seed, - uint32_t wots_addr[8], - const hash_state *hash_state_seeded) { - /* Make sure that the hash address is actually zeroed. */ - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_hash_addr(wots_addr, 0); - - /* Generate sk element. */ - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_prf_addr(sk, sk_seed, wots_addr, hash_state_seeded); -} - -/** - * Computes the chaining function. - * out and in have to be n-byte arrays. - * - * Interprets in as start-th value of the chain. - * addr has to contain the address of the chain. - */ -static void gen_chain(unsigned char *out, const unsigned char *in, - unsigned int start, unsigned int steps, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - - /* Initialize out with the value at position 'start'. */ - memcpy(out, in, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N); - - /* Iterate 'steps' calls to the hash function. */ - for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_W; i++) { - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_hash_addr(addr, i); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_thash_1( - out, out, pub_seed, addr, hash_state_seeded); - } -} - -/** - * base_w algorithm as described in draft. - * Interprets an array of bytes as integers in base w. - * This only works when log_w is a divisor of 8. 
- */ -static void base_w(unsigned int *output, const size_t out_len, - const unsigned char *input) { - size_t in = 0; - size_t out = 0; - unsigned char total = 0; - unsigned int bits = 0; - size_t consumed; - - for (consumed = 0; consumed < out_len; consumed++) { - if (bits == 0) { - total = input[in]; - in++; - bits += 8; - } - bits -= PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_LOGW; - output[out] = (unsigned int)((total >> bits) & (PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_W - 1)); - out++; - } -} - -/* Computes the WOTS+ checksum over a message (in base_w). */ -static void wots_checksum(unsigned int *csum_base_w, - const unsigned int *msg_base_w) { - unsigned int csum = 0; - unsigned char csum_bytes[(PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_LOGW + 7) / 8]; - unsigned int i; - - /* Compute checksum. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_LEN1; i++) { - csum += PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_W - 1 - msg_base_w[i]; - } - - /* Convert checksum to base_w. */ - /* Make sure expected empty zero bits are the least significant bits. */ - csum = csum << (8 - ((PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_LOGW) % 8)); - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_ull_to_bytes( - csum_bytes, sizeof(csum_bytes), csum); - base_w(csum_base_w, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_LEN2, csum_bytes); -} - -/* Takes a message and derives the matching chain lengths. */ -static void chain_lengths(unsigned int *lengths, const unsigned char *msg) { - base_w(lengths, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_LEN1, msg); - wots_checksum(lengths + PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_LEN1, lengths); -} - -/** - * WOTS key generation. Takes a 32 byte sk_seed, expands it to WOTS private key - * elements and computes the corresponding public key. 
- * It requires the seed pub_seed (used to generate bitmasks and hash keys) - * and the address of this WOTS key pair. - * - * Writes the computed public key to 'pk'. - */ -void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_wots_gen_pk( - unsigned char *pk, const unsigned char *sk_seed, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_chain_addr(addr, i); - wots_gen_sk(pk + i * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, sk_seed, addr, hash_state_seeded); - gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, pk + i * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, - 0, PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_W - 1, pub_seed, addr, hash_state_seeded); - } -} - -/** - * Takes a n-byte message and the 32-byte sk_see to compute a signature 'sig'. - */ -void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_wots_sign( - unsigned char *sig, const unsigned char *msg, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t addr[8], const hash_state *hash_state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_chain_addr(addr, i); - wots_gen_sk(sig + i * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, sk_seed, addr, hash_state_seeded); - gen_chain(sig + i * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, sig + i * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, 0, lengths[i], pub_seed, addr, hash_state_seeded); - } -} - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. 
- */ -void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_wots_pk_from_sig( - unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_set_chain_addr(addr, i); - gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, sig + i * PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_N, - lengths[i], PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_W - 1 - lengths[i], pub_seed, addr, - hash_state_seeded); - } -} diff --git a/crypto_sign/sphincs-haraka-192f-robust/clean/wots.h b/crypto_sign/sphincs-haraka-192f-robust/clean/wots.h deleted file mode 100644 index cf94e14a..00000000 --- a/crypto_sign/sphincs-haraka-192f-robust/clean/wots.h +++ /dev/null 
@@ -1,41 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_H
-#define PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_WOTS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-
-/**
- * WOTS key generation. Takes a 32 byte seed for the private key, expands it to
- * a full WOTS private key and computes the corresponding public key.
- * It requires the seed pub_seed (used to generate bitmasks and hash keys)
- * and the address of this WOTS key pair.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_wots_gen_pk(
- unsigned char *pk, const unsigned char *sk_seed,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * Takes a n-byte message and the 32-byte seed for the private key to compute a
- * signature that is placed at 'sig'.
- */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_wots_sign(
- unsigned char *sig, const unsigned char *msg,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA192FROBUST_CLEAN_wots_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-simple/META.yml b/crypto_sign/sphincs-haraka-192f-simple/META.yml
deleted file mode 100644
index eed490d4..00000000
--- a/crypto_sign/sphincs-haraka-192f-simple/META.yml
+++ /dev/null
@@ -1,35 +0,0 @@ -name: SPHINCS+ -type: signature -claimed-nist-level: 3 -length-public-key: 48 -length-secret-key: 96 -length-signature: 35664 -testvectors-sha256: 2d630dda998eda5fa634867af350a211276ad37f95506c48fdb06dc96f78d348 -nistkat-sha256: 4888059ed11c192b3a07e227e3befc967819d05f85723a7740bbc31eadc37f37 -principal-submitters: - - Andreas Hülsing -auxiliary-submitters: - - Jean-Philippe Aumasson - - Daniel J. Bernstein, - - Christoph Dobraunig - - Maria Eichlseder - - Scott Fluhrer - - Stefan-Lukas Gazdag - - Panos Kampanakis - - Stefan Kölbl - - Tanja Lange - - Martin M. Lauridsen - - Florian Mendel - - Ruben Niederhagen - - Christian Rechberger - - Joost Rijneveld - - Peter Schwabe -implementations: - - name: clean - version: https://github.com/sphincs/sphincsplus/commit/77755c94d0bc744478044d6efbb888dc13156441 - - name: aesni - version: https://github.com/sphincs/sphincsplus/commit/77755c94d0bc744478044d6efbb888dc13156441 - supported_platforms: - - architecture: x86_64 - required_flags: - - aes diff --git a/crypto_sign/sphincs-haraka-192f-simple/aesni/LICENSE b/crypto_sign/sphincs-haraka-192f-simple/aesni/LICENSE deleted file mode 100644 index 670154e3..00000000 --- a/crypto_sign/sphincs-haraka-192f-simple/aesni/LICENSE +++ /dev/null 
@@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. 
publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. 
Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. 
Affirmer offers the Work as-is and makes no representations or warranties - of any kind concerning the Work, express, implied, statutory or otherwise, - including without limitation warranties of title, merchantability, fitness - for a particular purpose, non infringement, or the absence of latent or - other defects, accuracy, or the present or absence of errors, whether or not - discoverable, all to the greatest extent permissible under applicable law. - - c. Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without limitation - any person's Copyright and Related Rights in the Work. Further, Affirmer - disclaims responsibility for obtaining any necessary consents, permissions - or other rights required for any use of the Work. - - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to this - CC0 or use of the Work. - -For more information, please see - diff --git a/crypto_sign/sphincs-haraka-192f-simple/aesni/Makefile.Microsoft_nmake b/crypto_sign/sphincs-haraka-192f-simple/aesni/Makefile.Microsoft_nmake deleted file mode 100644 index 2b3d1d53..00000000 --- a/crypto_sign/sphincs-haraka-192f-simple/aesni/Makefile.Microsoft_nmake +++ /dev/null 
@@ -1,23 +0,0 @@ -# This Makefile can be used with Microsoft Visual Studio's nmake using the command: -# nmake /f Makefile.Microsoft_nmake - -LIBRARY=libsphincs-haraka-192f-simple_aesni.lib -OBJECTS=address.obj wots.obj utils.obj utilsx4.obj fors.obj sign.obj hash_haraka.obj thash_haraka_simple.obj hash_harakax4.obj thash_haraka_simplex4.obj haraka.obj - -# We ignore warning C4127: in thash_haraka_*x4.c we use a conditional -# that when the macro is generated for inblocks = 1 results in a case -# with `if (1 == 1)`. The compiler should just optimise this away, but -# on MSVC we get a compiler complaint. -CFLAGS=/nologo /arch:AVX /O2 /I ..\..\..\common /W4 /WX /wd4127 - -all: $(LIBRARY) - -# Make sure objects are recompiled if headers change. -$(OBJECTS): *.h - -$(LIBRARY): $(OBJECTS) - LIB.EXE /NOLOGO /WX /OUT:$@ $** - -clean: - -DEL $(OBJECTS) - -DEL $(LIBRARY) diff --git a/crypto_sign/sphincs-haraka-192f-simple/aesni/address.c b/crypto_sign/sphincs-haraka-192f-simple/aesni/address.c deleted file mode 100644 index 3ba23d45..00000000 --- a/crypto_sign/sphincs-haraka-192f-simple/aesni/address.c +++ /dev/null 
@@ -1,78 +0,0 @@
-#include
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]) {
- int i;
-
- for (i = 0; i < 8; i++) {
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ull_to_bytes(
- bytes + i * 4, 4, addr[i]);
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_layer_addr(
- uint32_t addr[8], uint32_t layer) {
- addr[0] = layer;
-}
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_tree_addr(
- uint32_t addr[8], uint64_t tree) {
- addr[1] = 0;
- addr[2] = (uint32_t) (tree >> 32);
- addr[3] = (uint32_t) tree;
-}
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_type(
- uint32_t addr[8], uint32_t type) {
- addr[4] = type;
-}
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
-}
-
-/* These functions are used for OTS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair) {
- addr[5] = keypair;
-}
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
- out[5] = in[5];
-}
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_chain_addr(
- uint32_t addr[8], uint32_t chain) {
- addr[6] = chain;
-}
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_hash_addr(
- uint32_t addr[8], uint32_t hash) {
- addr[7] = hash;
-}
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_tree_height(
- uint32_t addr[8], uint32_t tree_height) {
- addr[6] = tree_height;
-}
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_tree_index(
- uint32_t addr[8], uint32_t tree_index) {
- addr[7] = tree_index;
-}
diff --git a/crypto_sign/sphincs-haraka-192f-simple/aesni/address.h b/crypto_sign/sphincs-haraka-192f-simple/aesni/address.h
deleted file mode 100644
index f5a85216..00000000
--- a/crypto_sign/sphincs-haraka-192f-simple/aesni/address.h
+++ /dev/null
@@ -1,50 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDRESS_H
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDRESS_H
-
-#include
-
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_TYPE_WOTS 0
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_TYPE_WOTSPK 1
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_TYPE_HASHTREE 2
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_TYPE_FORSTREE 3
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_TYPE_FORSPK 4
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]);
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_layer_addr(
- uint32_t addr[8], uint32_t layer);
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_tree_addr(
- uint32_t addr[8], uint64_t tree);
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_type(
- uint32_t addr[8], uint32_t type);
-
-/* Copies the layer and tree part of one address into the other */
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for WOTS and FORS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair);
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_chain_addr(
- uint32_t addr[8], uint32_t chain);
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_hash_addr(
- uint32_t addr[8], uint32_t hash);
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_tree_height(
- uint32_t addr[8], uint32_t tree_height);
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_tree_index(
- uint32_t addr[8], uint32_t tree_index);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-simple/aesni/api.h b/crypto_sign/sphincs-haraka-192f-simple/aesni/api.h
deleted file mode 100644
index 4d882417..00000000
--- a/crypto_sign/sphincs-haraka-192f-simple/aesni/api.h
+++ /dev/null
@@ -1,81 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_API_H
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_API_H
-
-#include
-#include
-
-
-
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_CRYPTO_ALGNAME "SPHINCS+"
-
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES 96
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES 48
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_CRYPTO_BYTES 35664
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_CRYPTO_SEEDBYTES 72
-
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_crypto_sign_seed_keypair(
- uint8_t *pk, uint8_t *sk, const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_crypto_sign_keypair(
- uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-int PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen, const uint8_t *pk);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-simple/aesni/fors.c b/crypto_sign/sphincs-haraka-192f-simple/aesni/fors.c
deleted file mode 100644
index 4da07fc7..00000000
--- a/crypto_sign/sphincs-haraka-192f-simple/aesni/fors.c
+++ /dev/null
@@ -1,206 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "fors.h" -#include "hash.h" -#include "hashx4.h" -#include "thash.h" -#include "thashx4.h" -#include "utils.h" -#include "utilsx4.h" - -static void fors_gen_skx4(unsigned char *sk0, - unsigned char *sk1, - unsigned char *sk2, - unsigned char *sk3, const unsigned char *sk_seed, - uint32_t fors_leaf_addrx4[4 * 8], - const hash_state *state_seeded) { - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_prf_addrx4(sk0, sk1, sk2, sk3, sk_seed, fors_leaf_addrx4, state_seeded); -} - -static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk, - const unsigned char *pub_seed, - uint32_t fors_leaf_addr[8], const hash_state *state_seeded) { - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_thash_1(leaf, sk, pub_seed, fors_leaf_addr, state_seeded); -} - -static void fors_sk_to_leafx4(unsigned char *leaf0, - unsigned char *leaf1, - unsigned char *leaf2, - unsigned char *leaf3, - const unsigned char *sk0, - const unsigned char *sk1, - const unsigned char *sk2, - const unsigned char *sk3, - const unsigned char *pub_seed, - uint32_t fors_leaf_addrx4[4 * 8], - const hash_state *state_seeded) { - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_thashx4_1(leaf0, leaf1, leaf2, leaf3, - sk0, sk1, sk2, sk3, pub_seed, fors_leaf_addrx4, state_seeded); -} - -static void fors_gen_leafx4(unsigned char *leaf0, - unsigned char *leaf1, - unsigned char *leaf2, - unsigned char *leaf3, - const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx0, - uint32_t addr_idx1, - uint32_t addr_idx2, - uint32_t addr_idx3, - const uint32_t fors_tree_addr[8], - const hash_state *state_seeded) { - uint32_t fors_leaf_addrx4[4 * 8] = {0}; - unsigned int j; - - /* Only copy the parts that must be kept in fors_leaf_addrx4. 
*/ - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_copy_keypair_addr(fors_leaf_addrx4 + j * 8, fors_tree_addr); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_type(fors_leaf_addrx4 + j * 8, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_TYPE_FORSTREE); - } - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_tree_index(fors_leaf_addrx4 + 0 * 8, addr_idx0); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_tree_index(fors_leaf_addrx4 + 1 * 8, addr_idx1); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_tree_index(fors_leaf_addrx4 + 2 * 8, addr_idx2); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_tree_index(fors_leaf_addrx4 + 3 * 8, addr_idx3); - - fors_gen_skx4(leaf0, leaf1, leaf2, leaf3, sk_seed, fors_leaf_addrx4, state_seeded); - fors_sk_to_leafx4(leaf0, leaf1, leaf2, leaf3, - leaf0, leaf1, leaf2, leaf3, pub_seed, fors_leaf_addrx4, state_seeded); -} - -/** - * Interprets m as PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_HEIGHT-bit unsigned integers. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_TREES bits. - * Assumes indices has space for PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_TREES integers. - */ -static void message_to_indices(uint32_t *indices, const unsigned char *m) { - unsigned int i, j; - unsigned int offset = 0; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_TREES; i++) { - indices[i] = 0; - for (j = 0; j < PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_HEIGHT; j++) { - indices[i] ^= (((uint32_t)m[offset >> 3] >> (offset & 0x7)) & 0x1) << j; - offset++; - } - } -} - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_TREES bits. 
- */ -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_fors_sign(unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const unsigned char *sk_seed, const unsigned char *pub_seed, - const uint32_t fors_addr[8], const hash_state *state_seeded) { - /* Round up to multiple of 4 to prevent out-of-bounds for x4 parallelism */ - uint32_t indices[(PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_TREES + 3) & ~3] = {0}; - unsigned char roots[((PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_TREES + 3) & ~3) * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N]; - /* Sign to a buffer, since we may not have a nice multiple of 4 and would - otherwise overrun the signature. */ - unsigned char sigbufx4[4 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N * (1 + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_HEIGHT)]; - uint32_t fors_tree_addrx4[4 * 8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset[4] = {0}; - unsigned int i, j; - - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_copy_keypair_addr(fors_tree_addrx4 + j * 8, fors_addr); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_type(fors_tree_addrx4 + j * 8, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_TYPE_FORSTREE); - } - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_copy_keypair_addr(fors_pk_addr, fors_addr); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < ((PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_TREES + 3) & ~0x3); i += 4) { - for (j = 0; j < 4; j++) { - if (i + j < PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_TREES) { - idx_offset[j] = (i + j) * (1 << PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_HEIGHT); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_tree_height(fors_tree_addrx4 + j * 8, 0); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_tree_index(fors_tree_addrx4 + j * 8, - indices[i + j] + idx_offset[j]); - } - } - - /* Include the secret key part that produces the selected leaf nodes. 
*/ - fors_gen_skx4(sigbufx4 + 0 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, - sigbufx4 + 1 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, - sigbufx4 + 2 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, - sigbufx4 + 3 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, - sk_seed, fors_tree_addrx4, state_seeded); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_treehashx4_FORS_HEIGHT(roots + i * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, sigbufx4 + 4 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, sk_seed, pub_seed, - &indices[i], idx_offset, fors_gen_leafx4, fors_tree_addrx4, - state_seeded); - - for (j = 0; j < 4; j++) { - if (i + j < PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_TREES) { - memcpy(sig, sigbufx4 + j * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); - memcpy(sig + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, - sigbufx4 + 4 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N + j * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_HEIGHT, - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_HEIGHT); - sig += PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N * (1 + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_HEIGHT); - } - } - } - - /* Hash horizontally across all tree roots to derive the public key. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, state_seeded); -} - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_TREES bits. 
- */ -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_fors_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const unsigned char *pub_seed, - const uint32_t fors_addr[8], - const hash_state *state_seeded) { - uint32_t indices[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_TREES]; - unsigned char roots[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N]; - uint32_t fors_tree_addr[8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_copy_keypair_addr(fors_tree_addr, fors_addr); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_copy_keypair_addr(fors_pk_addr, fors_addr); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_type(fors_tree_addr, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_TYPE_FORSTREE); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_TREES; i++) { - idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_HEIGHT); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_tree_height(fors_tree_addr, 0); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_tree_index(fors_tree_addr, indices[i] + idx_offset); - - /* Derive the leaf from the included secret key part. */ - fors_sk_to_leaf(leaf, sig, pub_seed, fors_tree_addr, state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N; - - /* Derive the corresponding root node of this tree. 
*/ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_compute_root(roots + i * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, leaf, indices[i], idx_offset, - sig, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_HEIGHT, pub_seed, fors_tree_addr, - state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-192f-simple/aesni/fors.h b/crypto_sign/sphincs-haraka-192f-simple/aesni/fors.h deleted file mode 100644 index d1a29b6e..00000000 --- a/crypto_sign/sphincs-haraka-192f-simple/aesni/fors.h +++ /dev/null 
@@ -1,32 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_H
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_H
-
-#include
-
-#include "hash_state.h"
-#include "params.h"
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_fors_sign(
- unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- const uint32_t fors_addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_fors_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const unsigned char *pub_seed, const uint32_t fors_addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-simple/aesni/haraka.c b/crypto_sign/sphincs-haraka-192f-simple/aesni/haraka.c
deleted file mode 100644
index 68b2ce04..00000000
--- a/crypto_sign/sphincs-haraka-192f-simple/aesni/haraka.c
+++ /dev/null
@@ -1,801 +0,0 @@ -/* -Plain C implementation of the Haraka256 and Haraka512 permutations. -*/ -#include -#include -#include -#include -#include - -#include "haraka.h" - -#define HARAKAS_RATE 32 - -#define u64 uint64_t -#define u128 __m128i - -#define LOAD(src) _mm_loadu_si128((u128 *)(src)) -#define STORE(dest,src) _mm_storeu_si128((u128 *)(dest),src) - -#define XOR128(a, b) _mm_xor_si128(a, b) - -#define AES2(s0, s1, rci) \ - (s0) = _mm_aesenc_si128(s0, *(rci)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 1)); \ - (s0) = _mm_aesenc_si128(s0, *((rci) + 2)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 3)); - -#define AES2_4x(s0, s1, s2, s3, rci) \ - AES2((s0)[0], (s0)[1], rci); \ - AES2((s1)[0], (s1)[1], rci); \ - AES2((s2)[0], (s2)[1], rci); \ - AES2((s3)[0], (s3)[1], rci); - -#define AES4(s0, s1, s2, s3, rci) \ - (s0) = _mm_aesenc_si128(s0, *(rci)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 1)); \ - (s2) = _mm_aesenc_si128(s2, *((rci) + 2)); \ - (s3) = _mm_aesenc_si128(s3, *((rci) + 3)); \ - (s0) = _mm_aesenc_si128(s0, *((rci) + 4)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 5)); \ - (s2) = _mm_aesenc_si128(s2, *((rci) + 6)); \ - (s3) = _mm_aesenc_si128(s3, *((rci) + 7)); - -#define AES4_4x(s0, s1, s2, s3, rci) \ - AES4((s0)[0], (s0)[1], (s0)[2], (s0)[3], rci); \ - AES4((s1)[0], (s1)[1], (s1)[2], (s1)[3], rci); \ - AES4((s2)[0], (s2)[1], (s2)[2], (s2)[3], rci); \ - AES4((s3)[0], (s3)[1], (s3)[2], (s3)[3], rci); - -#define MIX2(s0, s1) \ - tmp = _mm_unpacklo_epi32(s0, s1); \ - (s1) = _mm_unpackhi_epi32(s0, s1); \ - (s0) = tmp; - -#define MIX4(s0, s1, s2, s3) \ - tmp = _mm_unpacklo_epi32(s0, s1); \ - (s0) = _mm_unpackhi_epi32(s0, s1); \ - (s1) = _mm_unpacklo_epi32(s2, s3); \ - (s2) = _mm_unpackhi_epi32(s2, s3); \ - (s3) = _mm_unpacklo_epi32(s0, s2); \ - (s0) = _mm_unpackhi_epi32(s0, s2); \ - (s2) = _mm_unpackhi_epi32(s1, tmp); \ - (s1) = _mm_unpacklo_epi32(s1, tmp); - -#define TRUNCSTORE(out, s0, s1, s2, s3) \ - _mm_storeu_si128((u128 *)(out), \ - 
_mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(s0), _mm_castsi128_pd(s1), 3))); \ - _mm_storeu_si128((u128 *)((out) + 16), \ - _mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(s2), _mm_castsi128_pd(s3), 0))); - -static void load_haraka_constants(u128 rc[40]) { - rc[ 0] = _mm_set_epi32((int)0x0684704c, (int)0xe620c00a, (int)0xb2c5fef0, (int)0x75817b9d); - rc[ 1] = _mm_set_epi32((int)0x8b66b4e1, (int)0x88f3a06b, (int)0x640f6ba4, (int)0x2f08f717); - rc[ 2] = _mm_set_epi32((int)0x3402de2d, (int)0x53f28498, (int)0xcf029d60, (int)0x9f029114); - rc[ 3] = _mm_set_epi32((int)0x0ed6eae6, (int)0x2e7b4f08, (int)0xbbf3bcaf, (int)0xfd5b4f79); - rc[ 4] = _mm_set_epi32((int)0xcbcfb0cb, (int)0x4872448b, (int)0x79eecd1c, (int)0xbe397044); - rc[ 5] = _mm_set_epi32((int)0x7eeacdee, (int)0x6e9032b7, (int)0x8d5335ed, (int)0x2b8a057b); - rc[ 6] = _mm_set_epi32((int)0x67c28f43, (int)0x5e2e7cd0, (int)0xe2412761, (int)0xda4fef1b); - rc[ 7] = _mm_set_epi32((int)0x2924d9b0, (int)0xafcacc07, (int)0x675ffde2, (int)0x1fc70b3b); - rc[ 8] = _mm_set_epi32((int)0xab4d63f1, (int)0xe6867fe9, (int)0xecdb8fca, (int)0xb9d465ee); - rc[ 9] = _mm_set_epi32((int)0x1c30bf84, (int)0xd4b7cd64, (int)0x5b2a404f, (int)0xad037e33); - rc[10] = _mm_set_epi32((int)0xb2cc0bb9, (int)0x941723bf, (int)0x69028b2e, (int)0x8df69800); - rc[11] = _mm_set_epi32((int)0xfa0478a6, (int)0xde6f5572, (int)0x4aaa9ec8, (int)0x5c9d2d8a); - rc[12] = _mm_set_epi32((int)0xdfb49f2b, (int)0x6b772a12, (int)0x0efa4f2e, (int)0x29129fd4); - rc[13] = _mm_set_epi32((int)0x1ea10344, (int)0xf449a236, (int)0x32d611ae, (int)0xbb6a12ee); - rc[14] = _mm_set_epi32((int)0xaf044988, (int)0x4b050084, (int)0x5f9600c9, (int)0x9ca8eca6); - rc[15] = _mm_set_epi32((int)0x21025ed8, (int)0x9d199c4f, (int)0x78a2c7e3, (int)0x27e593ec); - rc[16] = _mm_set_epi32((int)0xbf3aaaf8, (int)0xa759c9b7, (int)0xb9282ecd, (int)0x82d40173); - rc[17] = _mm_set_epi32((int)0x6260700d, (int)0x6186b017, (int)0x37f2efd9, (int)0x10307d6b); - rc[18] = _mm_set_epi32((int)0x5aca45c2, 
(int)0x21300443, (int)0x81c29153, (int)0xf6fc9ac6); - rc[19] = _mm_set_epi32((int)0x9223973c, (int)0x226b68bb, (int)0x2caf92e8, (int)0x36d1943a); - rc[20] = _mm_set_epi32((int)0xd3bf9238, (int)0x225886eb, (int)0x6cbab958, (int)0xe51071b4); - rc[21] = _mm_set_epi32((int)0xdb863ce5, (int)0xaef0c677, (int)0x933dfddd, (int)0x24e1128d); - rc[22] = _mm_set_epi32((int)0xbb606268, (int)0xffeba09c, (int)0x83e48de3, (int)0xcb2212b1); - rc[23] = _mm_set_epi32((int)0x734bd3dc, (int)0xe2e4d19c, (int)0x2db91a4e, (int)0xc72bf77d); - rc[24] = _mm_set_epi32((int)0x43bb47c3, (int)0x61301b43, (int)0x4b1415c4, (int)0x2cb3924e); - rc[25] = _mm_set_epi32((int)0xdba775a8, (int)0xe707eff6, (int)0x03b231dd, (int)0x16eb6899); - rc[26] = _mm_set_epi32((int)0x6df3614b, (int)0x3c755977, (int)0x8e5e2302, (int)0x7eca472c); - rc[27] = _mm_set_epi32((int)0xcda75a17, (int)0xd6de7d77, (int)0x6d1be5b9, (int)0xb88617f9); - rc[28] = _mm_set_epi32((int)0xec6b43f0, (int)0x6ba8e9aa, (int)0x9d6c069d, (int)0xa946ee5d); - rc[29] = _mm_set_epi32((int)0xcb1e6950, (int)0xf957332b, (int)0xa2531159, (int)0x3bf327c1); - rc[30] = _mm_set_epi32((int)0x2cee0c75, (int)0x00da619c, (int)0xe4ed0353, (int)0x600ed0d9); - rc[31] = _mm_set_epi32((int)0xf0b1a5a1, (int)0x96e90cab, (int)0x80bbbabc, (int)0x63a4a350); - rc[32] = _mm_set_epi32((int)0xae3db102, (int)0x5e962988, (int)0xab0dde30, (int)0x938dca39); - rc[33] = _mm_set_epi32((int)0x17bb8f38, (int)0xd554a40b, (int)0x8814f3a8, (int)0x2e75b442); - rc[34] = _mm_set_epi32((int)0x34bb8a5b, (int)0x5f427fd7, (int)0xaeb6b779, (int)0x360a16f6); - rc[35] = _mm_set_epi32((int)0x26f65241, (int)0xcbe55438, (int)0x43ce5918, (int)0xffbaafde); - rc[36] = _mm_set_epi32((int)0x4ce99a54, (int)0xb9f3026a, (int)0xa2ca9cf7, (int)0x839ec978); - rc[37] = _mm_set_epi32((int)0xae51a51a, (int)0x1bdff7be, (int)0x40c06e28, (int)0x22901235); - rc[38] = _mm_set_epi32((int)0xa0c1613c, (int)0xba7ed22b, (int)0xc173bc0f, (int)0x48a659cf); - rc[39] = _mm_set_epi32((int)0x756acc03, (int)0x02288288, 
(int)0x4ad6bdfd, (int)0xe9c59da1); -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_tweak_constants( - harakactx *state, - const unsigned char *pk_seed, const unsigned char *sk_seed, - unsigned long long seed_length) { - int i; - unsigned char buf[40 * 16]; - - /* Use the standard constants to generate tweaked ones. */ - load_haraka_constants(state->rc); - - /* Constants for sk.seed */ - if (sk_seed != NULL) { - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka_S(buf, 40 * 16, sk_seed, seed_length, state); - /* Tweak constants with the pub_seed */ - for (i = 0; i < 40; i++) { - state->rc_sseed[i] = LOAD(buf + i * 16); - } - } - - /* Constants for pk.seed */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka_S(buf, 40 * 16, pk_seed, seed_length, state); - - /* Tweak constants with the pub_seed */ - for (i = 0; i < 40; i++) { - state->rc[i] = LOAD(buf + i * 16); - } -} - -static void haraka_S_absorb(unsigned char *s, - const unsigned char *m, unsigned long long mlen, - unsigned char p, - const harakactx *state) { - unsigned long long i; - unsigned char t[HARAKAS_RATE]; - - while (mlen >= HARAKAS_RATE) { - // XOR block to state - STORE(s, XOR128(LOAD(s), LOAD(m))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(m + 16))); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka512_perm(s, s, state); - mlen -= HARAKAS_RATE; - m += HARAKAS_RATE; - } - - for (i = 0; i < HARAKAS_RATE; ++i) { - t[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t[i] = m[i]; - } - t[i] = p; - t[HARAKAS_RATE - 1] |= 128; - STORE(s, XOR128(LOAD(s), LOAD(t))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(t + 16))); -} - -static void haraka_S_absorb4x(unsigned char *s, - const unsigned char *m0, - const unsigned char *m1, - const unsigned char *m2, - const unsigned char *m3, - unsigned long long int mlen, - unsigned char p, - const harakactx *state) { - unsigned long long i; - unsigned char t0[HARAKAS_RATE]; - unsigned char t1[HARAKAS_RATE]; - unsigned char t2[HARAKAS_RATE]; - unsigned char t3[HARAKAS_RATE]; - - while (mlen 
>= HARAKAS_RATE) { - // XOR block to state - STORE(s, XOR128(LOAD(s), LOAD(m0))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(m0 + 16))); - STORE(s + 64, XOR128(LOAD(s + 64), LOAD(m1))); - STORE(s + 80, XOR128(LOAD(s + 80), LOAD(m1 + 16))); - STORE(s + 128, XOR128(LOAD(s + 128), LOAD(m2))); - STORE(s + 144, XOR128(LOAD(s + 144), LOAD(m2 + 16))); - STORE(s + 192, XOR128(LOAD(s + 192), LOAD(m3))); - STORE(s + 208, XOR128(LOAD(s + 208), LOAD(m3 + 16))); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka512_perm_x4(s, s, state); - mlen -= HARAKAS_RATE; - m0 += HARAKAS_RATE; - m1 += HARAKAS_RATE; - m2 += HARAKAS_RATE; - m3 += HARAKAS_RATE; - } - - for (i = 0; i < HARAKAS_RATE; ++i) { - t0[i] = 0; - t1[i] = 0; - t2[i] = 0; - t3[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t0[i] = m0[i]; - t1[i] = m1[i]; - t2[i] = m2[i]; - t3[i] = m3[i]; - } - - t0[i] = p; - t1[i] = p; - t2[i] = p; - t3[i] = p; - - t0[HARAKAS_RATE - 1] |= 128; - t1[HARAKAS_RATE - 1] |= 128; - t2[HARAKAS_RATE - 1] |= 128; - t3[HARAKAS_RATE - 1] |= 128; - - STORE(s, XOR128(LOAD(s), LOAD(t0))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(t0 + 16))); - STORE(s + 64, XOR128(LOAD(s + 64), LOAD(t1))); - STORE(s + 80, XOR128(LOAD(s + 80), LOAD(t1 + 16))); - STORE(s + 128, XOR128(LOAD(s + 128), LOAD(t2))); - STORE(s + 144, XOR128(LOAD(s + 144), LOAD(t2 + 16))); - STORE(s + 192, XOR128(LOAD(s + 192), LOAD(t3))); - STORE(s + 208, XOR128(LOAD(s + 208), LOAD(t3 + 16))); -} - -static void haraka_S_squeezeblocks(unsigned char *h, unsigned long long nblocks, - unsigned char *s, unsigned int r, const harakactx *state) { - while (nblocks > 0) { - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka512_perm(s, s, state); - STORE(h, LOAD(s)); - STORE(h + 16, LOAD(s + 16)); - h += r; - nblocks--; - } -} - -static void haraka_S_squeezeblocks4x(unsigned char *h0, - unsigned char *h1, - unsigned char *h2, - unsigned char *h3, - unsigned long long nblocks, - unsigned char *s, - unsigned int r, - const harakactx *state) { - while (nblocks > 0) 
{ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka512_perm_x4(s, s, state); - STORE(h0, LOAD(s)); - STORE(h0 + 16, LOAD(s + 16)); - STORE(h1, LOAD(s + 64)); - STORE(h1 + 16, LOAD(s + 80)); - STORE(h2, LOAD(s + 128)); - STORE(h2 + 16, LOAD(s + 144)); - STORE(h3, LOAD(s + 192)); - STORE(h3 + 16, LOAD(s + 208)); - h0 += r; - h1 += r; - h2 += r; - h3 += r; - nblocks--; - } -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka_S_inc_init(uint8_t *s_inc) { - size_t i; - - for (i = 0; i < 64; i++) { - s_inc[i] = 0; - } - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state) { - size_t i; - - /* Recall that s_inc[64] is the non-absorbed bytes xored into the state */ - while (mlen + s_inc[64] >= HARAKAS_RATE) { - for (i = 0; i < (size_t)(HARAKAS_RATE - s_inc[64]); i++) { - /* Take the i'th byte from message - xor with the s_inc[64] + i'th byte of the state */ - s_inc[s_inc[64] + i] ^= m[i]; - } - mlen -= (size_t)(HARAKAS_RATE - s_inc[64]); - m += HARAKAS_RATE - s_inc[64]; - s_inc[64] = 0; - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka512_perm(s_inc, s_inc, state); - } - - for (i = 0; i < mlen; i++) { - s_inc[s_inc[64] + i] ^= m[i]; - } - s_inc[64] = (uint8_t)(s_inc[64] + mlen); -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka_S_inc_finalize(uint8_t *s_inc) { - /* After haraka_S_inc_absorb, we are guaranteed that s_inc[64] < HARAKAS_RATE, - so we can always use one more byte for p in the current state. */ - s_inc[s_inc[64]] ^= 0x1F; - s_inc[HARAKAS_RATE - 1] ^= 128; - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state) { - size_t i; - - /* First consume any bytes we still have sitting around */ - for (i = 0; i < outlen && i < s_inc[64]; i++) { - /* There are s_inc[64] bytes left, so r - s_inc[64] is the first - available byte. We consume from there, i.e., up to r. 
*/ - out[i] = (uint8_t)s_inc[(HARAKAS_RATE - s_inc[64] + (uint8_t)i)]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(s_inc[64] - i); - - /* Then squeeze the remaining necessary blocks */ - while (outlen > 0) { - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka512_perm(s_inc, s_inc, state); - - for (i = 0; i < outlen && i < HARAKAS_RATE; i++) { - out[i] = s_inc[i]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(HARAKAS_RATE - i); - } -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka_S(unsigned char *out, unsigned long long outlen, - const unsigned char *in, unsigned long long inlen, const harakactx *state) { - unsigned long long i; - unsigned char s[64]; - unsigned char d[32]; - - for (i = 0; i < 64; i++) { - s[i] = 0; - } - haraka_S_absorb(s, in, inlen, 0x1F, state); - - haraka_S_squeezeblocks(out, outlen / HARAKAS_RATE, s, HARAKAS_RATE, state); - out += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - - if (outlen % HARAKAS_RATE) { - haraka_S_squeezeblocks(d, 1, s, HARAKAS_RATE, state); - for (i = 0; i < outlen % HARAKAS_RATE; i++) { - out[i] = d[i]; - } - } -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka_Sx4(unsigned char *out0, - unsigned char *out1, - unsigned char *out2, - unsigned char *out3, - unsigned long long outlen, - const unsigned char *in0, - const unsigned char *in1, - const unsigned char *in2, - const unsigned char *in3, - unsigned long long inlen, - const harakactx *state) { - unsigned long long i; - unsigned char s[64 * 4]; - unsigned char d0[32]; - unsigned char d1[32]; - unsigned char d2[32]; - unsigned char d3[32]; - - for (i = 0; i < 64 * 4; i++) { - s[i] = 0; - } - haraka_S_absorb4x(s, in0, in1, in2, in3, inlen, 0x1F, state); - - haraka_S_squeezeblocks4x(out0, out1, out2, out3, outlen / HARAKAS_RATE, s, HARAKAS_RATE, state); - out0 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out1 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out2 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out3 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - 
- if (outlen % HARAKAS_RATE) { - haraka_S_squeezeblocks4x(d0, d1, d2, d3, 1, s, HARAKAS_RATE, state); - for (i = 0; i < outlen % HARAKAS_RATE; i++) { - out0[i] = d0[i]; - out1[i] = d1[i]; - out2[i] = d2[i]; - out3[i] = d3[i]; - } - } -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - s[2] = LOAD(in + 32); - s[3] = LOAD(in + 48); - - AES4(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0], s[1], s[2], s[3]); - - STORE(out, s[0]); - STORE(out + 16, s[1]); - STORE(out + 32, s[2]); - STORE(out + 48, s[3]); -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka512_perm_x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][4], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[0][2] = LOAD(in + 32); - s[0][3] = LOAD(in + 48); - s[1][0] = LOAD(in + 64); - s[1][1] = LOAD(in + 80); - s[1][2] = LOAD(in + 96); - s[1][3] = LOAD(in + 112); - s[2][0] = LOAD(in + 128); - s[2][1] = LOAD(in + 144); - s[2][2] = LOAD(in + 160); - s[2][3] = LOAD(in + 176); - s[3][0] = LOAD(in + 192); - s[3][1] = LOAD(in + 208); - s[3][2] = LOAD(in + 224); - s[3][3] = LOAD(in + 240); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - 
MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[0][2]); - STORE(out + 48, s[0][3]); - STORE(out + 64, s[1][0]); - STORE(out + 80, s[1][1]); - STORE(out + 96, s[1][2]); - STORE(out + 112, s[1][3]); - STORE(out + 128, s[2][0]); - STORE(out + 144, s[2][1]); - STORE(out + 160, s[2][2]); - STORE(out + 176, s[2][3]); - STORE(out + 192, s[3][0]); - STORE(out + 208, s[3][1]); - STORE(out + 224, s[3][2]); - STORE(out + 240, s[3][3]); -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - s[2] = LOAD(in + 32); - s[3] = LOAD(in + 48); - - AES4(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0], s[1], s[2], s[3]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - s[2] = XOR128(s[2], LOAD(in + 32)); - s[3] = XOR128(s[3], LOAD(in + 48)); - - // truncate and 
store result - TRUNCSTORE(out, s[0], s[1], s[2], s[3]); -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka512x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][4], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[0][2] = LOAD(in + 32); - s[0][3] = LOAD(in + 48); - s[1][0] = LOAD(in + 64); - s[1][1] = LOAD(in + 80); - s[1][2] = LOAD(in + 96); - s[1][3] = LOAD(in + 112); - s[2][0] = LOAD(in + 128); - s[2][1] = LOAD(in + 144); - s[2][2] = LOAD(in + 160); - s[2][3] = LOAD(in + 176); - s[3][0] = LOAD(in + 192); - s[3][1] = LOAD(in + 208); - s[3][2] = LOAD(in + 224); - s[3][3] = LOAD(in + 240); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - s[0][0] = XOR128(s[0][0], LOAD(in)); - s[0][1] = XOR128(s[0][1], LOAD(in + 16)); - s[0][2] = XOR128(s[0][2], LOAD(in + 32)); - s[0][3] = XOR128(s[0][3], LOAD(in + 48)); - s[1][0] = XOR128(s[1][0], LOAD(in + 
64)); - s[1][1] = XOR128(s[1][1], LOAD(in + 80)); - s[1][2] = XOR128(s[1][2], LOAD(in + 96)); - s[1][3] = XOR128(s[1][3], LOAD(in + 112)); - s[2][0] = XOR128(s[2][0], LOAD(in + 128)); - s[2][1] = XOR128(s[2][1], LOAD(in + 144)); - s[2][2] = XOR128(s[2][2], LOAD(in + 160)); - s[2][3] = XOR128(s[2][3], LOAD(in + 176)); - s[3][0] = XOR128(s[3][0], LOAD(in + 192)); - s[3][1] = XOR128(s[3][1], LOAD(in + 208)); - s[3][2] = XOR128(s[3][2], LOAD(in + 224)); - s[3][3] = XOR128(s[3][3], LOAD(in + 240)); - - TRUNCSTORE(out, s[0][0], s[0][1], s[0][2], s[0][3]); - TRUNCSTORE((out + 32), s[1][0], s[1][1], s[1][2], s[1][3]); - TRUNCSTORE((out + 64), s[2][0], s[2][1], s[2][2], s[2][3]); - TRUNCSTORE((out + 96), s[3][0], s[3][1], s[3][2], s[3][3]); -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[2], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - - AES2(s[0], s[1], state->rc); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 4); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 8); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 12); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 16); - MIX2(s[0], s[1]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - - STORE(out, s[0]); - STORE(out + 16, s[1]); -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka256x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][2], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[1][0] = LOAD(in + 32); - s[1][1] = LOAD(in + 48); - s[2][0] = LOAD(in + 64); - s[2][1] = LOAD(in + 80); - s[3][0] = LOAD(in + 96); - s[3][1] = LOAD(in + 112); - - // Round 1 - AES2_4x(s[0], s[1], s[2], s[3], state->rc); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 2 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 4); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - 
MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 3 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 8); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 4 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 12); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 5 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 16); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Feed Forward - s[0][0] = _mm_xor_si128(s[0][0], LOAD(in)); - s[0][1] = _mm_xor_si128(s[0][1], LOAD(in + 16)); - s[1][0] = _mm_xor_si128(s[1][0], LOAD(in + 32)); - s[1][1] = _mm_xor_si128(s[1][1], LOAD(in + 48)); - s[2][0] = _mm_xor_si128(s[2][0], LOAD(in + 64)); - s[2][1] = _mm_xor_si128(s[2][1], LOAD(in + 80)); - s[3][0] = _mm_xor_si128(s[3][0], LOAD(in + 96)); - s[3][1] = _mm_xor_si128(s[3][1], LOAD(in + 112)); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[1][0]); - STORE(out + 48, s[1][1]); - STORE(out + 64, s[2][0]); - STORE(out + 80, s[2][1]); - STORE(out + 96, s[3][0]); - STORE(out + 112, s[3][1]); -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[2], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - - AES2(s[0], s[1], state->rc_sseed); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 4); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 8); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 12); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 16); - MIX2(s[0], s[1]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - - STORE(out, s[0]); - STORE(out + 16, s[1]); -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka256_skx4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][2], tmp; - - 
s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[1][0] = LOAD(in + 32); - s[1][1] = LOAD(in + 48); - s[2][0] = LOAD(in + 64); - s[2][1] = LOAD(in + 80); - s[3][0] = LOAD(in + 96); - s[3][1] = LOAD(in + 112); - - // Round 1 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 2 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 4); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 3 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 8); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 4 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 12); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 5 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 16); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Feed Forward - s[0][0] = XOR128(s[0][0], LOAD(in)); - s[0][1] = XOR128(s[0][1], LOAD(in + 16)); - s[1][0] = XOR128(s[1][0], LOAD(in + 32)); - s[1][1] = XOR128(s[1][1], LOAD(in + 48)); - s[2][0] = XOR128(s[2][0], LOAD(in + 64)); - s[2][1] = XOR128(s[2][1], LOAD(in + 80)); - s[3][0] = XOR128(s[3][0], LOAD(in + 96)); - s[3][1] = XOR128(s[3][1], LOAD(in + 112)); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[1][0]); - STORE(out + 48, s[1][1]); - STORE(out + 64, s[2][0]); - STORE(out + 80, s[2][1]); - STORE(out + 96, s[3][0]); - STORE(out + 112, s[3][1]); -} diff --git a/crypto_sign/sphincs-haraka-192f-simple/aesni/haraka.h b/crypto_sign/sphincs-haraka-192f-simple/aesni/haraka.h deleted file mode 100644 index 5ff3f7de..00000000 --- a/crypto_sign/sphincs-haraka-192f-simple/aesni/haraka.h +++ /dev/null 
@@ -1,57 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_HARAKA_H
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_HARAKA_H
-
-#include
-#include
-#include
-
-typedef struct {
- __m128i rc[40];
- __m128i rc_sseed[40];
-} harakactx;
-
-/* Tweak constants with seed */
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length);
-
-/* Haraka Sponge */
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka_S_inc_init(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka_S_inc_finalize(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka_S(
- unsigned char *out, unsigned long long outlen,
- const unsigned char *in, unsigned long long inlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka_Sx4(
- unsigned char *out0,
- unsigned char *out1,
- unsigned char *out2,
- unsigned char *out3,
- unsigned long long outlen,
- const unsigned char *in0,
- const unsigned char *in1,
- const unsigned char *in2,
- const unsigned char *in3,
- unsigned long long inlen,
- const harakactx *state);
-
-
-/* Applies the 512-bit Haraka permutation to in.
*/
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka512_perm_x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-512 */
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka512x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 */
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka256x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 using sk.seed constants */
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka256_skx4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-simple/aesni/hash.h b/crypto_sign/sphincs-haraka-192f-simple/aesni/hash.h
deleted file mode 100644
index 842f54a1..00000000
--- a/crypto_sign/sphincs-haraka-192f-simple/aesni/hash.h
+++ /dev/null
@@ -1,31 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_HASH_H
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_HASH_H
-
-#include "hash_state.h"
-
-#include
-#include
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed);
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_destroy_hash_function(hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-simple/aesni/hash_haraka.c b/crypto_sign/sphincs-haraka-192f-simple/aesni/hash_haraka.c
deleted file mode 100644
index ba3f3a46..00000000
--- a/crypto_sign/sphincs-haraka-192f-simple/aesni/hash_haraka.c
+++ /dev/null
@@ -1,96 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "hash.h" -#include "params.h" -#include "utils.h" - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_initialize_hash_function( - hash_state *hash_state_seeded, - const unsigned char *pub_seed, const unsigned char *sk_seed) { - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_tweak_constants(hash_state_seeded, pub_seed, sk_seed, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); -} - -/* The haraka implementation is stack based and won't be replaced in PQClean/OQS, - so we don't need to do anything */ -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_destroy_hash_function( - hash_state *hash_state_seeded) { // NOLINT(readability-non-const-parameter) - (void)hash_state_seeded; -} - -/* - * Computes PRF(key, addr), given a secret key of PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N bytes and an address - */ -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_prf_addr( - unsigned char *out, const unsigned char *key, const uint32_t addr[8], - const hash_state *hash_state_seeded) { - unsigned char buf[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_BYTES]; - /* Since PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N may be smaller than 32, we need a temporary buffer. */ - unsigned char outbuf[32]; - - (void)key; /* Suppress an 'unused parameter' warning. */ - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_addr_to_bytes(buf, addr); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka256_sk(outbuf, buf, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); -} - -/** - * Computes the message-dependent randomness R, using a secret seed and an - * optional randomization value as well as the message. 
- */
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded) {
- uint8_t s_inc[65];
-
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka_S_inc_init(s_inc);
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, sk_prf, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, optrand, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka_S_inc_finalize(s_inc);
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka_S_inc_squeeze(R, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, s_inc, hash_state_seeded);
-}
-
-/**
- * Computes the message hash using R, the public key, and the message.
- * Outputs the message digest and the index of the leaf. The index is split in
- * the tree index and the leaf index, for convenient copying to an address.
- */
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded) {
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_TREE_BITS (PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_TREE_HEIGHT * (PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_D - 1))
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_TREE_BYTES ((PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_TREE_BITS + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_LEAF_BITS PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_TREE_HEIGHT
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_LEAF_BYTES ((PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_LEAF_BITS + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_DGST_BYTES (PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_MSG_BYTES + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_TREE_BYTES + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_LEAF_BYTES)
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_DGST_BYTES];
- unsigned char *bufp = buf;
- uint8_t s_inc[65];
-
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka_S_inc_init(s_inc);
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, R, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, pk + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka_S_inc_finalize(s_inc);
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka_S_inc_squeeze(buf, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_DGST_BYTES, s_inc, hash_state_seeded);
-
- memcpy(digest, bufp, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_MSG_BYTES);
- bufp += PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_MSG_BYTES;
-
- *tree = PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_bytes_to_ull(bufp,
PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_TREE_BYTES); - *tree &= (~(uint64_t)0) >> (64 - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_TREE_BITS); - bufp += PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_TREE_BYTES; - - *leaf_idx = (uint32_t)PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_bytes_to_ull( - bufp, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_LEAF_BYTES); - *leaf_idx &= (~(uint32_t)0) >> (32 - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_LEAF_BITS); -} diff --git a/crypto_sign/sphincs-haraka-192f-simple/aesni/hash_harakax4.c b/crypto_sign/sphincs-haraka-192f-simple/aesni/hash_harakax4.c deleted file mode 100644 index 38c2c2a9..00000000 --- a/crypto_sign/sphincs-haraka-192f-simple/aesni/hash_harakax4.c +++ /dev/null @@ -1,37 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "hash_state.h" -#include "hashx4.h" -#include "params.h" - -/* - * 4-way parallel version of prf_addr; takes 4x as much input and output - */ -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_prf_addrx4(unsigned char *out0, - unsigned char *out1, - unsigned char *out2, - unsigned char *out3, - const unsigned char *key, - const uint32_t addrx4[4 * 8], - const hash_state *state_seeded) { - unsigned char bufx4[4 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_BYTES]; - /* Since PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N may be smaller than 32, we need a temporary buffer. */ - unsigned char outbuf[4 * 32]; - unsigned int i; - - (void)key; /* Suppress an 'unused parameter' warning. */ - - for (i = 0; i < 4; i++) { - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_addr_to_bytes(bufx4 + i * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_BYTES, addrx4 + i * 8); - } - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka256_skx4(outbuf, bufx4, state_seeded); - - memcpy(out0, outbuf, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); - memcpy(out1, outbuf + 32, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); - memcpy(out2, outbuf + 64, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); - memcpy(out3, outbuf + 96, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); -} 
diff --git a/crypto_sign/sphincs-haraka-192f-simple/aesni/hash_state.h b/crypto_sign/sphincs-haraka-192f-simple/aesni/hash_state.h deleted file mode 100644 index 5dd7bb14..00000000 --- a/crypto_sign/sphincs-haraka-192f-simple/aesni/hash_state.h +++ /dev/null @@ -1,26 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_HASH_STATE_H -#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_HASH_STATE_H - -/** - * Defines the type of the hash function state. - * - * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! - * - * From Section 7.2.2 from the SPHINCS+ round-2 specification: - * - * Each of the instances of the tweakable hash function take PK.seed as its - * first input, which is constant for a given key pair – and, thus, across - * a single signature. This leads to a lot of redundant computation. To remedy - * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. - * Because of the Merkle-Damgård construction that underlies SHA-256, this - * allows for reuse of the intermediate SHA-256 state after the initial call to - * the compression function which improves performance. - * - * We pass this hash state around in functions, because otherwise we need to - * have a global variable. - */ - -#include "haraka.h" -#define hash_state harakactx - -#endif diff --git a/crypto_sign/sphincs-haraka-192f-simple/aesni/hashx4.h b/crypto_sign/sphincs-haraka-192f-simple/aesni/hashx4.h deleted file mode 100644 index 1afb5848..00000000 --- a/crypto_sign/sphincs-haraka-192f-simple/aesni/hashx4.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_HASHX4_H -#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_HASHX4_H - -#include - -#include "hash_state.h" - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_prf_addrx4(unsigned char *out0, - unsigned char *out1, - unsigned char *out2, - unsigned char *out3, - const unsigned char *key, - const uint32_t addrx4[4 * 8], - const hash_state *state_seeded); - -#endif 
diff --git a/crypto_sign/sphincs-haraka-192f-simple/aesni/params.h b/crypto_sign/sphincs-haraka-192f-simple/aesni/params.h
deleted file mode 100644
index f1863ed3..00000000
--- a/crypto_sign/sphincs-haraka-192f-simple/aesni/params.h
+++ /dev/null
@@ -1,53 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_PARAMS_H
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_PARAMS_H
-
-/* Hash output length in bytes. */
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N 24
-/* Height of the hypertree. */
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FULL_HEIGHT 66
-/* Number of subtree layer. */
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_D 22
-/* FORS tree dimensions. */
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_HEIGHT 8
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_TREES 33
-/* Winternitz parameter, */
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_W 16
-
-/* The hash function is defined by linking a different hash.c file, as opposed
- to setting a #define constant. */
-
-/* For clarity */
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_BYTES 32
-
-/* WOTS parameters. */
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_LOGW 4
-
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_LEN1 (8 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N / PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_LOGW)
-
-/* PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_LEN2 3
-
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_LEN (PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_LEN1 + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_LEN2)
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_BYTES (PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_LEN * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N)
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_PK_BYTES PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_BYTES
-
-/* Subtree size. */
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_TREE_HEIGHT (PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FULL_HEIGHT / PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_D)
-
-/* FORS parameters.
*/
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_MSG_BYTES ((PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_TREES + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_BYTES ((PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_HEIGHT + 1) * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N)
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_PK_BYTES PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N
-
-/* Resulting SPX sizes. */
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_BYTES (PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_BYTES + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_D * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_BYTES +\
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FULL_HEIGHT * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N)
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_PK_BYTES (2 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N)
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_SK_BYTES (2 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_PK_BYTES)
-
-/* Optionally, signing can be made non-deterministic using optrand.
- This can help counter side-channel attacks that would benefit from
- getting a large number of traces when the signer uses the same nodes. */
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_OPTRAND_BYTES 32
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-simple/aesni/sign.c b/crypto_sign/sphincs-haraka-192f-simple/aesni/sign.c
deleted file mode 100644
index 9d4e48ab..00000000
--- a/crypto_sign/sphincs-haraka-192f-simple/aesni/sign.c
+++ /dev/null
@@ -1,409 +0,0 @@ -#include -#include -#include -#include - -#include "address.h" -#include "api.h" -#include "fors.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "randombytes.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - - -/** - * Computes the leaf at a given address. First generates the WOTS key pair, - * then computes leaf by hashing horizontally. - */ -static void wots_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx, const uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - unsigned char pk[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_BYTES]; - uint32_t wots_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_TYPE_WOTSPK); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_keypair_addr( - wots_addr, addr_idx); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_wots_gen_pk( - pk, sk_seed, pub_seed, wots_addr, hash_state_seeded); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_copy_keypair_addr( - wots_pk_addr, wots_addr); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_thash_WOTS_LEN( - leaf, pk, pub_seed, wots_pk_addr, hash_state_seeded); -} - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_crypto_sign_secretkeybytes(void) { - return PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES; -} - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_crypto_sign_publickeybytes(void) { - return PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES; -} - -/* - * Returns the length of a signature, in bytes - */ -size_t 
PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_crypto_sign_bytes(void) { - return PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_CRYPTO_BYTES; -} - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_crypto_sign_seedbytes(void) { - return PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_CRYPTO_SEEDBYTES; -} - -/* - * Generates an SPX key pair given a seed of length - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_crypto_sign_seed_keypair( - uint8_t *pk, uint8_t *sk, const uint8_t *seed) { - /* We do not need the auth path in key generation, but it simplifies the - code to have just one treehash routine that computes both root and path - in one function. */ - unsigned char auth_path[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N]; - uint32_t top_tree_addr[8] = {0}; - hash_state hash_state_seeded; - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_layer_addr( - top_tree_addr, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_D - 1); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_type( - top_tree_addr, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_TYPE_HASHTREE); - - /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */ - memcpy(sk, seed, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_CRYPTO_SEEDBYTES); - - memcpy(pk, sk + 2 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_initialize_hash_function(&hash_state_seeded, pk, sk); - - /* Compute root node of the top-most subtree. 
*/ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_treehash_TREE_HEIGHT( - sk + 3 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, auth_path, sk, sk + 2 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, 0, 0, - wots_gen_leaf, top_tree_addr, &hash_state_seeded); - - memcpy(pk + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, sk + 3 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); - - return 0; -} - -/* - * Generates an SPX key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk) { - - // guarantee alignment of pk - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES / 16]; - uint8_t pk[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - - // guarantee alignment of sk - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES / 16]; - uint8_t sk[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES]; - } aligned_sk; - - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_CRYPTO_SEEDBYTES / 16]; - uint8_t seed[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_CRYPTO_SEEDBYTES]; - } aligned_seed; - randombytes(aligned_seed.seed, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_CRYPTO_SEEDBYTES); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_crypto_sign_seed_keypair( - aligned_pk.pk, aligned_sk.sk, aligned_seed.seed); - memcpy(pk, aligned_pk.pk, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES); - memcpy(sk, aligned_sk.sk, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES); - - return 0; -} - -/** - * Returns an array containing a detached signature. 
- */ -int PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - // guarantee alignment of sk - union { - __m128 *_x; - uint8_t sk[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES]; - } aligned_sk; - memcpy(aligned_sk.sk, sk, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES); - sk = aligned_sk.sk; - - // guarantee alignment of sig - union { - __m128 *_x; - uint8_t sig[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_BYTES]; - } aligned_sig; - uint8_t *orig_sig = sig; - sig = (uint8_t *)aligned_sig.sig; - - const unsigned char *sk_seed = sk; - const unsigned char *sk_prf = sk + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N; - const unsigned char *pk = sk + 2 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N; - const unsigned char *pub_seed = pk; - - unsigned char optrand[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N]; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_MSG_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N]; - uint32_t i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - - hash_state hash_state_seeded; - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_initialize_hash_function( - &hash_state_seeded, - pub_seed, sk_seed); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_TYPE_HASHTREE); - - /* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. 
*/ - randombytes(optrand, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); - /* Compute the digest randomization value. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_gen_message_random( - sig, sk_prf, optrand, m, mlen, &hash_state_seeded); - - /* Derive the message digest and leaf index from R, PK and M. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N; - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - /* Sign the message hash using FORS. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_fors_sign( - sig, root, mhash, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_BYTES; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_D; i++) { - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - /* Compute a WOTS signature. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_wots_sign( - sig, root, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_BYTES; - - /* Compute the authentication path for the used WOTS leaf. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_treehash_TREE_HEIGHT( - root, sig, sk_seed, pub_seed, idx_leaf, 0, - wots_gen_leaf, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N; - - /* Update the indices for the next layer. 
*/ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_TREE_HEIGHT; - } - - memcpy(orig_sig, aligned_sig.sig, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_BYTES); - *siglen = PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_BYTES; - - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - // guarantee alignment of pk - union { - __m128 *_x; - uint8_t pk[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - memcpy(aligned_pk.pk, pk, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES); - pk = aligned_pk.pk; - - const unsigned char *pub_seed = pk; - const unsigned char *pub_root = pk + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_MSG_BYTES]; - unsigned char wots_pk[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N]; - unsigned int i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - hash_state hash_state_seeded; - - if (siglen != PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_BYTES) { - return -1; - } - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_initialize_hash_function( - &hash_state_seeded, - pub_seed, NULL); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_TYPE_HASHTREE); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_TYPE_WOTSPK); - - /* Derive the message digest and leaf index from R || PK || M. */ - /* The additional PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N is a result of the hash domain separator. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N; - - /* Layer correctly defaults to 0, so no need to set_layer_addr */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_fors_pk_from_sig( - root, sig, mhash, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_BYTES; - - /* For each subtree.. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_D; i++) { - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_copy_keypair_addr( - wots_pk_addr, wots_addr); - - /* The WOTS public key is only correct if the signature was correct. */ - /* Initially, root is the FORS pk, but on subsequent iterations it is - the root of the subtree below the currently processed subtree. 
*/ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_wots_pk_from_sig( - wots_pk, sig, root, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_BYTES; - - /* Compute the leaf node using the WOTS public key. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_thash_WOTS_LEN( - leaf, wots_pk, pub_seed, wots_pk_addr, &hash_state_seeded); - - /* Compute the root node of this subtree. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_compute_root( - root, leaf, idx_leaf, 0, sig, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_TREE_HEIGHT, - pub_seed, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_TREE_HEIGHT; - } - - /* Check if the root node equals the root node in the public key. */ - if (memcmp(root, pub_root, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N) != 0) { - return -1; - } - - return 0; -} - - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - size_t siglen; - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_crypto_sign_signature( - sm, &siglen, m, mlen, sk); - - memmove(sm + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_BYTES, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. 
- */ -int PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk) { - - // guarantee alignment of pk - union { - __m128 *_x; - uint8_t pk[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - memcpy(aligned_pk.pk, pk, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES); - pk = aligned_pk.pk; - - - /* The API caller does not necessarily know what size a signature should be - but SPHINCS+ signatures are always exactly PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_BYTES. */ - if (smlen < PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_BYTES) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_BYTES; - - if (PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_crypto_sign_verify( - sm, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_BYTES, sm + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_BYTES, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_BYTES, *mlen); - - return 0; -} diff --git a/crypto_sign/sphincs-haraka-192f-simple/aesni/thash.h b/crypto_sign/sphincs-haraka-192f-simple/aesni/thash.h deleted file mode 100644 index b9e3f7f5..00000000 --- a/crypto_sign/sphincs-haraka-192f-simple/aesni/thash.h +++ /dev/null 
@@ -1,28 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_THASH_H -#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_THASH_H - -#include "hash_state.h" - -#include - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-192f-simple/aesni/thash_haraka_simple.c b/crypto_sign/sphincs-haraka-192f-simple/aesni/thash_haraka_simple.c deleted file mode 100644 index b84c8d16..00000000 --- a/crypto_sign/sphincs-haraka-192f-simple/aesni/thash_haraka_simple.c +++ /dev/null 
@@ -1,83 +0,0 @@ -#include -#include - -#include "address.h" -#include "params.h" -#include "thash.h" - -#include "haraka.h" - -/** - * Takes an array of inblocks concatenated arrays of PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N bytes. - */ -static void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_thash( - unsigned char *out, unsigned char *buf, - const unsigned char *in, unsigned int inblocks, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char outbuf[32]; - unsigned char buf_tmp[64]; - - (void)pub_seed; /* Suppress an 'unused parameter' warning. */ - - if (inblocks == 1) { - /* F function */ - /* Since PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N may be smaller than 32, we need a temporary buffer. */ - memset(buf_tmp, 0, 64); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_addr_to_bytes(buf_tmp, addr); - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_BYTES, in, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka512(outbuf, buf_tmp, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); - } else { - /* All other tweakable hashes*/ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_addr_to_bytes(buf, addr); - memcpy(buf + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka_S( - out, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, buf, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_BYTES + inblocks * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, hash_state_seeded); - } -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_BYTES + 1 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N]; - 
PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_thash(
- out, buf, in, 1, pub_seed, addr, hash_state_seeded);
-}
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_thash_2(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_BYTES + 2 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N];
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_thash(
- out, buf, in, 2, pub_seed, addr, hash_state_seeded);
-}
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_thash_WOTS_LEN(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_LEN * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N];
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_thash(
- out, buf, in, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_LEN, pub_seed, addr, hash_state_seeded);
-}
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_thash_FORS_TREES(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N];
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_thash(
- out, buf, in, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_TREES, pub_seed, addr, hash_state_seeded);
-}
diff --git a/crypto_sign/sphincs-haraka-192f-simple/aesni/thash_haraka_simplex4.c b/crypto_sign/sphincs-haraka-192f-simple/aesni/thash_haraka_simplex4.c
deleted file mode 100644
index e2e53c61..00000000
--- a/crypto_sign/sphincs-haraka-192f-simple/aesni/thash_haraka_simplex4.c
+++ /dev/null
@@ -1,66 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "params.h" -#include "thashx4.h" - -/** - * 4-way parallel version of thash; takes 4x as much input and output - */ -#define thashx4_variant(name, inblocks) \ - void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_thashx4_##name(unsigned char *out0, unsigned char *out1, unsigned char *out2, \ - unsigned char *out3, const unsigned char *in0, \ - const unsigned char *in1, const unsigned char *in2, \ - const unsigned char *in3, const unsigned char *pub_seed, \ - uint32_t addrx4[4 * 8], const harakactx *state) { \ - unsigned char buf0[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N]; \ - unsigned char buf1[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N]; \ - unsigned char buf2[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N]; \ - unsigned char buf3[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N]; \ - unsigned char outbuf[32 * 4]; \ - unsigned char buf_tmp[64 * 4]; \ - \ - (void)pub_seed; /* Suppress an 'unused parameter' warning. 
*/ \ - \ - if ((inblocks) == 1) { \ - memset(buf_tmp, 0, 64 * 4); \ - \ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_addr_to_bytes(buf_tmp, addrx4 + 0 * 8); \ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_addr_to_bytes(buf_tmp + 64, addrx4 + 1 * 8); \ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_addr_to_bytes(buf_tmp + 128, addrx4 + 2 * 8); \ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_addr_to_bytes(buf_tmp + 192, addrx4 + 3 * 8); \ - \ - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_BYTES, in0, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); \ - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_BYTES + 64, in1, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); \ - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_BYTES + 128, in2, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); \ - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_BYTES + 192, in3, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); \ - \ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka512x4(outbuf, buf_tmp, state); \ - \ - memcpy(out0, outbuf, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); \ - memcpy(out1, outbuf + 32, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); \ - memcpy(out2, outbuf + 64, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); \ - memcpy(out3, outbuf + 96, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); \ - } else { \ - /* All other tweakable hashes*/ \ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_addr_to_bytes(buf0, addrx4 + 0 * 8); \ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_addr_to_bytes(buf1, addrx4 + 1 * 8); \ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_addr_to_bytes(buf2, addrx4 + 2 * 8); \ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_addr_to_bytes(buf3, addrx4 + 3 * 8); \ - \ - memcpy(buf0 + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_BYTES, in0, (inblocks)*PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); \ - memcpy(buf1 + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_BYTES, in1, (inblocks)*PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); \ - memcpy(buf2 + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_BYTES, in2, 
(inblocks)*PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); \ - memcpy(buf3 + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_BYTES, in3, (inblocks)*PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); \ - \ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_haraka_Sx4(out0, out1, out2, out3, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, buf0, buf1, buf2, buf3, \ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, state); \ - } \ - } - -thashx4_variant(1, 1) -thashx4_variant(2, 2) -thashx4_variant(WOTS_LEN, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_LEN) -thashx4_variant(FORS_TREES, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_TREES) diff --git a/crypto_sign/sphincs-haraka-192f-simple/aesni/thashx4.h b/crypto_sign/sphincs-haraka-192f-simple/aesni/thashx4.h deleted file mode 100644 index efe575a6..00000000 --- a/crypto_sign/sphincs-haraka-192f-simple/aesni/thashx4.h +++ /dev/null @@ -1,25 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_THASHX4_H -#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_THASHX4_H - -#include - -#include "hash_state.h" - -#define thashx4_header(inblocks) \ - void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_thashx4_##inblocks(unsigned char *out0, \ - unsigned char *out1, \ - unsigned char *out2, \ - unsigned char *out3, \ - const unsigned char *in0, \ - const unsigned char *in1, \ - const unsigned char *in2, \ - const unsigned char *in3, \ - const unsigned char *pub_seed, uint32_t addrx4[4*8], \ - const hash_state *state_seeded) - -thashx4_header(1); -thashx4_header(2); -thashx4_header(WOTS_LEN); -thashx4_header(FORS_TREES); - -#endif diff --git a/crypto_sign/sphincs-haraka-192f-simple/aesni/utils.c b/crypto_sign/sphincs-haraka-192f-simple/aesni/utils.c deleted file mode 100644 index 4381d53d..00000000 --- a/crypto_sign/sphincs-haraka-192f-simple/aesni/utils.c +++ /dev/null 
@@ -1,199 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" -#include "utils.h" - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in) { - - /* Iterate over out in decreasing order, for big-endianness. */ - for (size_t i = outlen; i > 0; i--) { - out[i - 1] = in & 0xff; - in = in >> 8; - } -} - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_bytes_to_ull( - const unsigned char *in, size_t inlen) { - unsigned long long retval = 0; - - for (size_t i = 0; i < inlen; i++) { - retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i)); - } - return retval; -} - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - unsigned char buffer[2 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N]; - - /* If leaf_idx is odd (last bit = 1), current path element is a right child - and auth_path has to go left. Otherwise it is the other way around. 
*/ - if (leaf_idx & 1) { - memcpy(buffer + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, leaf, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); - } else { - memcpy(buffer, leaf, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, auth_path, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N; - - for (i = 0; i < tree_height - 1; i++) { - leaf_idx >>= 1; - idx_offset >>= 1; - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_tree_height(addr, i + 1); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_tree_index( - addr, leaf_idx + idx_offset); - - /* Pick the right or left neighbor, depending on parity of the node. */ - if (leaf_idx & 1) { - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_thash_2( - buffer + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); - } else { - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_thash_2( - buffer, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, auth_path, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N; - } - - /* The last iteration is exceptional; we do not copy an auth_path node. */ - leaf_idx >>= 1; - idx_offset >>= 1; - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_tree_height(addr, tree_height); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_tree_index( - addr, leaf_idx + idx_offset); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_thash_2( - root, buffer, pub_seed, addr, hash_state_seeded); -} - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. 
PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -static void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_treehash( - unsigned char *root, unsigned char *auth_path, - unsigned char *stack, unsigned int *heights, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - - unsigned int offset = 0; - uint32_t idx; - uint32_t tree_idx; - - for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) { - /* Add the next leaf node to the stack. */ - gen_leaf(stack + offset * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, - sk_seed, pub_seed, idx + idx_offset, tree_addr, - hash_state_seeded); - offset++; - heights[offset - 1] = 0; - - /* If this is a node we need for the auth path.. */ - if ((leaf_idx ^ 0x1) == idx) { - memcpy(auth_path, stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); - } - - /* While the top-most nodes are of equal height.. */ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { - /* Compute index of the new node, in the next layer. */ - tree_idx = (idx >> (heights[offset - 1] + 1)); - - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_tree_height( - tree_addr, heights[offset - 1] + 1); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_tree_index( - tree_addr, tree_idx + (idx_offset >> (heights[offset - 1] + 1))); - /* Hash the top-most nodes from the stack together. 
*/ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_thash_2( - stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, - pub_seed, tree_addr, hash_state_seeded); - offset--; - /* Note that the top-most node is now one layer higher. */ - heights[offset - 1]++; - - /* If this is a node we need for the auth path.. */ - if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) { - memcpy(auth_path + heights[offset - 1]*PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, - stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); - } - } - } - memcpy(root, stack, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* 
leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_TREE_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_TREE_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_TREE_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-192f-simple/aesni/utils.h b/crypto_sign/sphincs-haraka-192f-simple/aesni/utils.h deleted file mode 100644 index a60cae01..00000000 --- a/crypto_sign/sphincs-haraka-192f-simple/aesni/utils.h +++ /dev/null 
@@ -1,64 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_UTILS_H -#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_UTILS_H - -#include "hash_state.h" -#include "params.h" -#include -#include - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in); - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_bytes_to_ull( - const unsigned char *in, size_t inlen); - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. 
- */ -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-192f-simple/aesni/utilsx4.c b/crypto_sign/sphincs-haraka-192f-simple/aesni/utilsx4.c deleted file mode 100644 index 2d63e028..00000000 --- a/crypto_sign/sphincs-haraka-192f-simple/aesni/utilsx4.c +++ /dev/null 
@@ -1,98 +0,0 @@ -#include "address.h" -#include "params.h" -#include "thashx4.h" -#include "utils.h" -#include "utilsx4.h" - -#include - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -#define treehashx4_variant(name, tree_height) \ - void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_treehashx4_##name( \ - unsigned char *rootx4, unsigned char *auth_pathx4, const unsigned char *sk_seed, \ - const unsigned char *pub_seed, const uint32_t leaf_idx[4], uint32_t idx_offset[4], \ - void (*gen_leafx4)(unsigned char * /* leaf0 */, unsigned char * /* leaf1 */, \ - unsigned char * /* leaf2 */, unsigned char * /* leaf3 */, \ - const unsigned char * /* sk_seed */, \ - const unsigned char * /* pub_seed */, uint32_t /* addr_idx0 */, \ - uint32_t /* addr_idx1 */, uint32_t /* addr_idx2 */, \ - uint32_t /* addr_idx3 */, const uint32_t[8] /* tree_addr */, \ - const hash_state * /* state_seeded */), \ - uint32_t tree_addrx4[4 * 8], const hash_state *state_seeded) { \ - unsigned char stackx4[4 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N]; \ - unsigned int heights[(tree_height) + 1]; \ - unsigned int offset = 0; \ - uint32_t idx; \ - uint32_t tree_idx; \ - unsigned int j; \ - \ - for (idx = 0; idx < (uint32_t)(1 << (tree_height)); idx++) { \ - /* Add the next leaf node to the stack. 
*/ \ - gen_leafx4(stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, sk_seed, \ - pub_seed, idx + idx_offset[0], idx + idx_offset[1], idx + idx_offset[2], \ - idx + idx_offset[3], tree_addrx4, state_seeded); \ - offset++; \ - heights[offset - 1] = 0; \ - \ - /* If this is a node we need for the auth path.. */ \ - for (j = 0; j < 4; j++) { \ - if ((leaf_idx[j] ^ 0x1) == idx) { \ - memcpy(auth_pathx4 + j * (tree_height)*PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, \ - stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N + (offset - 1) * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, \ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); \ - } \ - } \ - \ - /* While the top-most nodes are of equal height.. */ \ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { \ - /* Compute index of the new node, in the next layer. */ \ - tree_idx = (idx >> (heights[offset - 1] + 1)); \ - \ - /* Set the address of the node we're creating. */ \ - for (j = 0; j < 4; j++) { \ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_tree_height(tree_addrx4 + j * 8, heights[offset - 1] + 1); \ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_tree_index(tree_addrx4 + j * 8, \ - tree_idx + (idx_offset[j] >> (heights[offset - 1] + 1))); \ - } \ - /* Hash the top-most nodes from the stack together. 
*/ \ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_thashx4_2(stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, \ - stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, \ - pub_seed, tree_addrx4, state_seeded); \ - offset--; \ - /* Note that the top-most node is now one layer higher. */ \ - heights[offset - 1]++; \ - \ - /* If this is a node we need for the auth path.. 
*/ \ - for (j = 0; j < 4; j++) { \ - if (((leaf_idx[j] >> heights[offset - 1]) ^ 0x1) == tree_idx) { \ - memcpy(auth_pathx4 + j * (tree_height)*PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N + \ - heights[offset - 1] * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, \ - stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N + (offset - 1) * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, \ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); \ - } \ - } \ - } \ - } \ - \ - for (j = 0; j < 4; j++) { \ - memcpy(rootx4 + j * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); \ - } \ - } - -treehashx4_variant(FORS_HEIGHT, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_FORS_HEIGHT) diff --git a/crypto_sign/sphincs-haraka-192f-simple/aesni/utilsx4.h b/crypto_sign/sphincs-haraka-192f-simple/aesni/utilsx4.h deleted file mode 100644 index 3bdd6b82..00000000 --- a/crypto_sign/sphincs-haraka-192f-simple/aesni/utilsx4.h +++ /dev/null 
@@ -1,38 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_UTILSX4_H -#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_UTILSX4_H - -#include "hash_state.h" -#include "params.h" - -#include - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_treehashx4_FORS_HEIGHT(unsigned char *rootx4, - unsigned char *auth_pathx4, - const unsigned char *sk_seed, - const unsigned char *pub_seed, - const uint32_t leaf_idx[4], - uint32_t idx_offset[4], - void (*gen_leafx4)(unsigned char * /* leaf0 */, - unsigned char * /* leaf1 */, - unsigned char * /* leaf2 */, - unsigned char * /* leaf3 */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx0 */, - uint32_t /* addr_idx1 */, - uint32_t /* addr_idx2 */, - uint32_t /* addr_idx3 */, - const uint32_t[8] /* tree_addr */, - const hash_state * /* state_seeded */), - uint32_t tree_addrx4[4 * 8], - const hash_state *state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-192f-simple/aesni/wots.c b/crypto_sign/sphincs-haraka-192f-simple/aesni/wots.c deleted file mode 100644 index e68a1d96..00000000 --- a/crypto_sign/sphincs-haraka-192f-simple/aesni/wots.c +++ /dev/null 
@@ -1,240 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "hashx4.h" -#include "params.h" -#include "thash.h" -#include "thashx4.h" -#include "utils.h" -#include "wots.h" - -// TODO clarify address expectations, and make them more uniform. -// TODO i.e. do we expect types to be set already? -// TODO and do we expect modifications or copies? - -/** - * Computes the starting value for a chain, i.e. the secret key. - * Expects the address to be complete up to the chain address. - */ -static void wots_gen_sk(unsigned char *sk, const unsigned char *sk_seed, - uint32_t wots_addr[8], const hash_state *state_seeded) { - /* Make sure that the hash address is actually zeroed. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_hash_addr(wots_addr, 0); - - /* Generate sk element. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_prf_addr(sk, sk_seed, wots_addr, state_seeded); -} - -/** - * 4-way parallel version of wots_gen_sk; expects 4x as much space in sk - */ -static void wots_gen_skx4(unsigned char *skx4, const unsigned char *sk_seed, - uint32_t wots_addrx4[4 * 8], const hash_state *state_seeded) { - unsigned int j; - - /* Make sure that the hash address is actually zeroed. */ - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_hash_addr(wots_addrx4 + j * 8, 0); - } - - /* Generate sk element. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_prf_addrx4(skx4 + 0 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, - skx4 + 1 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, - skx4 + 2 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, - skx4 + 3 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, - sk_seed, wots_addrx4, - state_seeded); -} - -/** - * Computes the chaining function. - * out and in have to be n-byte arrays. - * - * Interprets in as start-th value of the chain. - * addr has to contain the address of the chain. 
- */ -static void gen_chain(unsigned char *out, const unsigned char *in, - unsigned int start, unsigned int steps, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - uint32_t i; - - /* Initialize out with the value at position 'start'. */ - memcpy(out, in, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); - - /* Iterate 'steps' calls to the hash function. */ - for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_W; i++) { - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_hash_addr(addr, i); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_thash_1(out, out, pub_seed, addr, state_seeded); - } -} - -/** - * 4-way parallel version of gen_chain; expects 4x as much space in out, and - * 4x as much space in inx4. Assumes start and step identical across chains. - */ -static void gen_chainx4(unsigned char *outx4, const unsigned char *inx4, - unsigned int start, unsigned int steps, - const unsigned char *pub_seed, uint32_t addrx4[4 * 8], - const hash_state *state_seeded) { - uint32_t i; - unsigned int j; - - /* Initialize outx4 with the value at position 'start'. */ - memcpy(outx4, inx4, 4 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); - - /* Iterate 'steps' calls to the hash function. 
*/ - for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_W; i++) { - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_hash_addr(addrx4 + j * 8, i); - } - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_thashx4_1(outx4 + 0 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, - outx4 + 1 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, - outx4 + 2 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, - outx4 + 3 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, - outx4 + 0 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, - outx4 + 1 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, - outx4 + 2 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, - outx4 + 3 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, - pub_seed, addrx4, - state_seeded); - } -} - -/** - * base_w algorithm as described in draft. - * Interprets an array of bytes as integers in base w. - * This only works when log_w is a divisor of 8. - */ -static void base_w(unsigned int *output, const int out_len, const unsigned char *input) { - int in = 0; - int out = 0; - unsigned char total = 0; - int bits = 0; - int consumed; - - for (consumed = 0; consumed < out_len; consumed++) { - if (bits == 0) { - total = input[in]; - in++; - bits += 8; - } - bits -= PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_LOGW; - output[out] = (unsigned int)(total >> bits) & (PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_W - 1); - out++; - } -} - -/* Computes the WOTS+ checksum over a message (in base_w). */ -static void wots_checksum(unsigned int *csum_base_w, const unsigned int *msg_base_w) { - unsigned int csum = 0; - unsigned char csum_bytes[(PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_LOGW + 7) / 8]; - unsigned int i; - - /* Compute checksum. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_LEN1; i++) { - csum += PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_W - 1 - msg_base_w[i]; - } - - /* Convert checksum to base_w. 
*/ - /* Make sure expected empty zero bits are the least significant bits. */ - csum = csum << (8 - ((PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_LOGW) % 8)); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_ull_to_bytes(csum_bytes, sizeof(csum_bytes), csum); - base_w(csum_base_w, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_LEN2, csum_bytes); -} - -/* Takes a message and derives the matching chain lengths. */ -static void chain_lengths(unsigned int *lengths, const unsigned char *msg) { - base_w(lengths, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_LEN1, msg); - wots_checksum(lengths + PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_LEN1, lengths); -} - -/** - * WOTS key generation. Takes a 32 byte sk_seed, expands it to WOTS private key - * elements and computes the corresponding public key. - * It requires the seed pub_seed (used to generate bitmasks and hash keys) - * and the address of this WOTS key pair. - * - * Writes the computed public key to 'pk'. - */ -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_wots_gen_pk(unsigned char *pk, const unsigned char *sk_seed, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - uint32_t i; - unsigned int j; - - uint32_t addrx4[4 * 8]; - unsigned char pkbuf[4 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N]; - - for (j = 0; j < 4; j++) { - memcpy(addrx4 + j * 8, addr, sizeof(uint32_t) * 8); - } - - /* The last iteration typically does not have complete set of 4 chains, - but because we use pkbuf, this is not an issue -- we still do as many - in parallel as possible. 
*/ - for (i = 0; i < ((PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_LEN + 3) & ~0x3); i += 4) { - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_chain_addr(addrx4 + j * 8, i + j); - } - wots_gen_skx4(pkbuf, sk_seed, addrx4, state_seeded); - gen_chainx4(pkbuf, pkbuf, 0, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_W - 1, pub_seed, addrx4, state_seeded); - for (j = 0; j < 4; j++) { - if (i + j < PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_LEN) { - memcpy(pk + (i + j)*PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, pkbuf + j * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N); - } - } - } - - // Get rid of unused argument variable. - (void)state_seeded; -} - -/** - * Takes a n-byte message and the 32-byte sk_see to compute a signature 'sig'. - */ -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_wots_sign(unsigned char *sig, const unsigned char *msg, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t addr[8], const hash_state *state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_chain_addr(addr, i); - wots_gen_sk(sig + i * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, sk_seed, addr, state_seeded); - gen_chain(sig + i * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, sig + i * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, 0, lengths[i], pub_seed, addr, state_seeded); - } - - // avoid unused argument - (void)state_seeded; -} - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. 
- */ -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_wots_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_set_chain_addr(addr, i); - gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, sig + i * PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_N, - lengths[i], PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_W - 1 - lengths[i], pub_seed, addr, - state_seeded); - } - - // avoid unused argument - (void)state_seeded; -} diff --git a/crypto_sign/sphincs-haraka-192f-simple/aesni/wots.h b/crypto_sign/sphincs-haraka-192f-simple/aesni/wots.h deleted file mode 100644 index 72a8b982..00000000 --- a/crypto_sign/sphincs-haraka-192f-simple/aesni/wots.h +++ /dev/null 
@@ -1,41 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_H -#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_WOTS_H - -#include "hash_state.h" -#include "params.h" -#include - -/** - * WOTS key generation. Takes a 32 byte seed for the private key, expands it to - * a full WOTS private key and computes the corresponding public key. - * It requires the seed pub_seed (used to generate bitmasks and hash keys) - * and the address of this WOTS key pair. - * - * Writes the computed public key to 'pk'. - */ -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_wots_gen_pk( - unsigned char *pk, const unsigned char *sk_seed, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -/** - * Takes a n-byte message and the 32-byte seed for the private key to compute a - * signature that is placed at 'sig'. - */ -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_wots_sign( - unsigned char *sig, const unsigned char *msg, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t addr[8], const hash_state *hash_state_seeded); - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. - */ -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_AESNI_wots_pk_from_sig( - unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-192f-simple/clean/LICENSE b/crypto_sign/sphincs-haraka-192f-simple/clean/LICENSE deleted file mode 100644 index 670154e3..00000000 --- a/crypto_sign/sphincs-haraka-192f-simple/clean/LICENSE +++ /dev/null 
@@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. 
publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. 
Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. 
Affirmer offers the Work as-is and makes no representations or warranties - of any kind concerning the Work, express, implied, statutory or otherwise, - including without limitation warranties of title, merchantability, fitness - for a particular purpose, non infringement, or the absence of latent or - other defects, accuracy, or the present or absence of errors, whether or not - discoverable, all to the greatest extent permissible under applicable law. - - c. Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without limitation - any person's Copyright and Related Rights in the Work. Further, Affirmer - disclaims responsibility for obtaining any necessary consents, permissions - or other rights required for any use of the Work. - - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to this - CC0 or use of the Work. - -For more information, please see - diff --git a/crypto_sign/sphincs-haraka-192f-simple/clean/Makefile.Microsoft_nmake b/crypto_sign/sphincs-haraka-192f-simple/clean/Makefile.Microsoft_nmake deleted file mode 100644 index 70577b63..00000000 --- a/crypto_sign/sphincs-haraka-192f-simple/clean/Makefile.Microsoft_nmake +++ /dev/null @@ -1,19 +0,0 @@ -# This Makefile can be used with Microsoft Visual Studio's nmake using the command: -# nmake /f Makefile.Microsoft_nmake - -LIBRARY=libsphincs-haraka-192f-simple_clean.lib -OBJECTS=address.obj wots.obj utils.obj fors.obj sign.obj hash_haraka.obj thash_haraka_simple.obj haraka.obj - -CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX - -all: $(LIBRARY) - -# Make sure objects are recompiled if headers change. -$(OBJECTS): *.h - -$(LIBRARY): $(OBJECTS) - LIB.EXE /NOLOGO /WX /OUT:$@ $** - -clean: - -DEL $(OBJECTS) - -DEL $(LIBRARY) 
diff --git a/crypto_sign/sphincs-haraka-192f-simple/clean/address.c b/crypto_sign/sphincs-haraka-192f-simple/clean/address.c
deleted file mode 100644
index cdee97b6..00000000
--- a/crypto_sign/sphincs-haraka-192f-simple/clean/address.c
+++ /dev/null
@@ -1,78 +0,0 @@ -#include - -#include "address.h" -#include "params.h" -#include "utils.h" - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_addr_to_bytes( - unsigned char *bytes, const uint32_t addr[8]) { - int i; - - for (i = 0; i < 8; i++) { - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ull_to_bytes( - bytes + i * 4, 4, addr[i]); - } -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_layer_addr( - uint32_t addr[8], uint32_t layer) { - addr[0] = layer; -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_tree_addr( - uint32_t addr[8], uint64_t tree) { - addr[1] = 0; - addr[2] = (uint32_t) (tree >> 32); - addr[3] = (uint32_t) tree; -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_type( - uint32_t addr[8], uint32_t type) { - addr[4] = type; -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_copy_subtree_addr( - uint32_t out[8], const uint32_t in[8]) { - out[0] = in[0]; - out[1] = in[1]; - out[2] = in[2]; - out[3] = in[3]; -} - -/* These functions are used for OTS addresses. */ - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_keypair_addr( - uint32_t addr[8], uint32_t keypair) { - addr[5] = keypair; -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_copy_keypair_addr( - uint32_t out[8], const uint32_t in[8]) { - out[0] = in[0]; - out[1] = in[1]; - out[2] = in[2]; - out[3] = in[3]; - out[5] = in[5]; -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_chain_addr( - uint32_t addr[8], uint32_t chain) { - addr[6] = chain; -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_hash_addr( - uint32_t addr[8], uint32_t hash) { - addr[7] = hash; -} - -/* These functions are used for all hash tree addresses (including FORS). */ - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_tree_height( - uint32_t addr[8], uint32_t tree_height) { - addr[6] = tree_height; -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_tree_index( - uint32_t addr[8], uint32_t tree_index) { - addr[7] = tree_index; -} 
diff --git a/crypto_sign/sphincs-haraka-192f-simple/clean/address.h b/crypto_sign/sphincs-haraka-192f-simple/clean/address.h
deleted file mode 100644
index 0e307285..00000000
--- a/crypto_sign/sphincs-haraka-192f-simple/clean/address.h
+++ /dev/null
@@ -1,50 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDRESS_H -#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDRESS_H - -#include - -#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_TYPE_WOTS 0 -#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_TYPE_WOTSPK 1 -#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_TYPE_HASHTREE 2 -#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_TYPE_FORSTREE 3 -#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_TYPE_FORSPK 4 - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_addr_to_bytes( - unsigned char *bytes, const uint32_t addr[8]); - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_layer_addr( - uint32_t addr[8], uint32_t layer); - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_tree_addr( - uint32_t addr[8], uint64_t tree); - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_type( - uint32_t addr[8], uint32_t type); - -/* Copies the layer and tree part of one address into the other */ -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_copy_subtree_addr( - uint32_t out[8], const uint32_t in[8]); - -/* These functions are used for WOTS and FORS addresses. */ - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_keypair_addr( - uint32_t addr[8], uint32_t keypair); - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_chain_addr( - uint32_t addr[8], uint32_t chain); - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_hash_addr( - uint32_t addr[8], uint32_t hash); - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_copy_keypair_addr( - uint32_t out[8], const uint32_t in[8]); - -/* These functions are used for all hash tree addresses (including FORS). */ - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_tree_height( - uint32_t addr[8], uint32_t tree_height); - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_tree_index( - uint32_t addr[8], uint32_t tree_index); - -#endif diff --git a/crypto_sign/sphincs-haraka-192f-simple/clean/api.h b/crypto_sign/sphincs-haraka-192f-simple/clean/api.h deleted file mode 100644 index 6a866100..00000000 
--- a/crypto_sign/sphincs-haraka-192f-simple/clean/api.h
+++ /dev/null
@@ -1,81 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_API_H -#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_API_H - -#include -#include - - - -#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_CRYPTO_ALGNAME "SPHINCS+" - -#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_CRYPTO_SECRETKEYBYTES 96 -#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_CRYPTO_PUBLICKEYBYTES 48 -#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_CRYPTO_BYTES 35664 -#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_CRYPTO_SEEDBYTES 72 - - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_crypto_sign_secretkeybytes(void); - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_crypto_sign_publickeybytes(void); - -/* - * Returns the length of a signature, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_crypto_sign_bytes(void); - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_crypto_sign_seedbytes(void); - -/* - * Generates a SPHINCS+ key pair given a seed. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -int PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_crypto_sign_seed_keypair( - uint8_t *pk, uint8_t *sk, const uint8_t *seed); - -/* - * Generates a SPHINCS+ key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -int PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk); - -/** - * Returns an array containing a detached signature. - */ -int PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -/** - * Verifies a detached signature and message under a given public key. 
- */ -int PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk); - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -/** - * Verifies a given signature-message pair under a given public key. - */ -int PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk); - -#endif diff --git a/crypto_sign/sphincs-haraka-192f-simple/clean/fors.c b/crypto_sign/sphincs-haraka-192f-simple/clean/fors.c deleted file mode 100644 index 5fd6c058..00000000 --- a/crypto_sign/sphincs-haraka-192f-simple/clean/fors.c +++ /dev/null 
@@ -1,161 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "fors.h" -#include "hash.h" -#include "hash_state.h" -#include "thash.h" -#include "utils.h" - -static void fors_gen_sk(unsigned char *sk, const unsigned char *sk_seed, - uint32_t fors_leaf_addr[8], const hash_state *hash_state_seeded) { - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_prf_addr( - sk, sk_seed, fors_leaf_addr, hash_state_seeded); -} - -static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk, - const unsigned char *pub_seed, - uint32_t fors_leaf_addr[8], - const hash_state *hash_state_seeded) { - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_thash_1( - leaf, sk, pub_seed, fors_leaf_addr, hash_state_seeded); -} - -static void fors_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx, const uint32_t fors_tree_addr[8], - const hash_state *hash_state_seeded) { - uint32_t fors_leaf_addr[8] = {0}; - - /* Only copy the parts that must be kept in fors_leaf_addr. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_copy_keypair_addr( - fors_leaf_addr, fors_tree_addr); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_type( - fors_leaf_addr, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_TYPE_FORSTREE); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_tree_index( - fors_leaf_addr, addr_idx); - - fors_gen_sk(leaf, sk_seed, fors_leaf_addr, hash_state_seeded); - fors_sk_to_leaf(leaf, leaf, pub_seed, fors_leaf_addr, hash_state_seeded); -} - -/** - * Interprets m as PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_HEIGHT-bit unsigned integers. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_TREES bits. - * Assumes indices has space for PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_TREES integers. 
- */ -static void message_to_indices(uint32_t *indices, const unsigned char *m) { - unsigned int i, j; - unsigned int offset = 0; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_TREES; i++) { - indices[i] = 0; - for (j = 0; j < PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_HEIGHT; j++) { - indices[i] ^= (((uint32_t)m[offset >> 3] >> (offset & 0x7)) & 0x1) << j; - offset++; - } - } -} - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_TREES bits. - */ -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_fors_sign( - unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const unsigned char *sk_seed, const unsigned char *pub_seed, - const uint32_t fors_addr[8], const hash_state *hash_state_seeded) { - uint32_t indices[PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_TREES]; - unsigned char roots[PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N]; - uint32_t fors_tree_addr[8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_copy_keypair_addr( - fors_tree_addr, fors_addr); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_copy_keypair_addr( - fors_pk_addr, fors_addr); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_type( - fors_tree_addr, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_TYPE_FORSTREE); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_type( - fors_pk_addr, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_TREES; i++) { - idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_HEIGHT); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_tree_height( - fors_tree_addr, 0); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_tree_index( - fors_tree_addr, indices[i] + idx_offset); - - /* Include 
the secret key part that produces the selected leaf node. */ - fors_gen_sk(sig, sk_seed, fors_tree_addr, hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N; - - /* Compute the authentication path for this leaf node. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_treehash_FORS_HEIGHT( - roots + i * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, sig, sk_seed, pub_seed, - indices[i], idx_offset, fors_gen_leaf, fors_tree_addr, - hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_thash_FORS_TREES( - pk, roots, pub_seed, fors_pk_addr, hash_state_seeded); -} - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_TREES bits. 
- */ -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_fors_pk_from_sig( - unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const unsigned char *pub_seed, const uint32_t fors_addr[8], - const hash_state *hash_state_seeded) { - uint32_t indices[PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_TREES]; - unsigned char roots[PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N]; - uint32_t fors_tree_addr[8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_copy_keypair_addr(fors_tree_addr, fors_addr); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_copy_keypair_addr(fors_pk_addr, fors_addr); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_type(fors_tree_addr, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_TYPE_FORSTREE); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_TREES; i++) { - idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_HEIGHT); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_tree_height(fors_tree_addr, 0); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_tree_index(fors_tree_addr, indices[i] + idx_offset); - - /* Derive the leaf from the included secret key part. */ - fors_sk_to_leaf(leaf, sig, pub_seed, fors_tree_addr, hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N; - - /* Derive the corresponding root node of this tree. 
*/ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_compute_root(roots + i * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, leaf, indices[i], idx_offset, sig, - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_HEIGHT, pub_seed, fors_tree_addr, hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-192f-simple/clean/fors.h b/crypto_sign/sphincs-haraka-192f-simple/clean/fors.h deleted file mode 100644 index d1cfe516..00000000 --- a/crypto_sign/sphincs-haraka-192f-simple/clean/fors.h +++ /dev/null 
@@ -1,32 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_H -#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_H - -#include - -#include "hash_state.h" -#include "params.h" - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_TREES bits. - */ -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_fors_sign( - unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const unsigned char *sk_seed, const unsigned char *pub_seed, - const uint32_t fors_addr[8], const hash_state *hash_state_seeded); - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_TREES bits. - */ -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_fors_pk_from_sig( - unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const unsigned char *pub_seed, const uint32_t fors_addr[8], - const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-192f-simple/clean/haraka.c b/crypto_sign/sphincs-haraka-192f-simple/clean/haraka.c deleted file mode 100644 index ffb2f99e..00000000 --- a/crypto_sign/sphincs-haraka-192f-simple/clean/haraka.c +++ /dev/null 
@@ -1,963 +0,0 @@ -/* - * Constant time implementation of the Haraka hash function. - * - * The bit-sliced implementation of the AES round functions are - * based on the AES implementation in BearSSL written - * by Thomas Pornin - */ - -#include -#include -#include -#include - -#include "haraka.h" - -#define HARAKAS_RATE 32 - -static const uint64_t haraka512_rc64[10][8] = { - {0x24cf0ab9086f628b, 0xbdd6eeecc83b8382, 0xd96fb0306cdad0a7, 0xaace082ac8f95f89, 0x449d8e8870d7041f, 0x49bb2f80b2b3e2f8, 0x0569ae98d93bb258, 0x23dc9691e7d6a4b1}, - {0xd8ba10ede0fe5b6e, 0x7ecf7dbe424c7b8e, 0x6ea9949c6df62a31, 0xbf3f3c97ec9c313e, 0x241d03a196a1861e, 0xead3a51116e5a2ea, 0x77d479fcad9574e3, 0x18657a1af894b7a0}, - {0x10671e1a7f595522, 0xd9a00ff675d28c7b, 0x2f1edf0d2b9ba661, 0xb8ff58b8e3de45f9, 0xee29261da9865c02, 0xd1532aa4b50bdf43, 0x8bf858159b231bb1, 0xdf17439d22d4f599}, - {0xdd4b2f0870b918c0, 0x757a81f3b39b1bb6, 0x7a5c556898952e3f, 0x7dd70a16d915d87a, 0x3ae61971982b8301, 0xc3ab319e030412be, 0x17c0033ac094a8cb, 0x5a0630fc1a8dc4ef}, - {0x17708988c1632f73, 0xf92ddae090b44f4f, 0x11ac0285c43aa314, 0x509059941936b8ba, 0xd03e152fa2ce9b69, 0x3fbcbcb63a32998b, 0x6204696d692254f7, 0x915542ed93ec59b4}, - {0xf4ed94aa8879236e, 0xff6cb41cd38e03c0, 0x069b38602368aeab, 0x669495b820f0ddba, 0xf42013b1b8bf9e3d, 0xcf935efe6439734d, 0xbc1dcf42ca29e3f8, 0x7e6d3ed29f78ad67}, - {0xf3b0f6837ffcddaa, 0x3a76faef934ddf41, 0xcec7ae583a9c8e35, 0xe4dd18c68f0260af, 0x2c0e5df1ad398eaa, 0x478df5236ae22e8c, 0xfb944c46fe865f39, 0xaa48f82f028132ba}, - {0x231b9ae2b76aca77, 0x292a76a712db0b40, 0x5850625dc8134491, 0x73137dd469810fb5, 0x8a12a6a202a474fd, 0xd36fd9daa78bdb80, 0xb34c5e733505706f, 0xbaf1cdca818d9d96}, - {0x2e99781335e8c641, 0xbddfe5cce47d560e, 0xf74e9bf32e5e040c, 0x1d7a709d65996be9, 0x670df36a9cf66cdd, 0xd05ef84a176a2875, 0x0f888e828cb1c44e, 0x1a79e9c9727b052c}, - {0x83497348628d84de, 0x2e9387d51f22a754, 0xb000068da2f852d6, 0x378c9e1190fd6fe5, 0x870027c316de7293, 0xe51a9d4462e047bb, 0x90ecf7f8c6251195, 
0x655953bfbed90a9c}, -}; - -static inline uint32_t br_dec32le(const unsigned char *src) { - return (uint32_t)src[0] - | ((uint32_t)src[1] << 8) - | ((uint32_t)src[2] << 16) - | ((uint32_t)src[3] << 24); -} - -static void br_range_dec32le(uint32_t *v, size_t num, const unsigned char *src) { - while (num-- > 0) { - *v ++ = br_dec32le(src); - src += 4; - } -} - -static inline void br_enc32le(unsigned char *dst, uint32_t x) { - dst[0] = (unsigned char)x; - dst[1] = (unsigned char)(x >> 8); - dst[2] = (unsigned char)(x >> 16); - dst[3] = (unsigned char)(x >> 24); -} - - -static void br_range_enc32le(unsigned char *dst, const uint32_t *v, size_t num) { - while (num-- > 0) { - br_enc32le(dst, *v ++); - dst += 4; - } -} - -static void br_aes_ct64_bitslice_Sbox(uint64_t *q) { - /* - * This S-box implementation is a straightforward translation of - * the circuit described by Boyar and Peralta in "A new - * combinational logic minimization technique with applications - * to cryptology" (https://eprint.iacr.org/2009/191.pdf). - * - * Note that variables x* (input) and s* (output) are numbered - * in "reverse" order (x0 is the high bit, x7 is the low bit). 
- */ - - uint64_t x0, x1, x2, x3, x4, x5, x6, x7; - uint64_t y1, y2, y3, y4, y5, y6, y7, y8, y9; - uint64_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19; - uint64_t y20, y21; - uint64_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9; - uint64_t z10, z11, z12, z13, z14, z15, z16, z17; - uint64_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9; - uint64_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19; - uint64_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29; - uint64_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39; - uint64_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49; - uint64_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59; - uint64_t t60, t61, t62, t63, t64, t65, t66, t67; - uint64_t s0, s1, s2, s3, s4, s5, s6, s7; - - x0 = q[7]; - x1 = q[6]; - x2 = q[5]; - x3 = q[4]; - x4 = q[3]; - x5 = q[2]; - x6 = q[1]; - x7 = q[0]; - - /* - * Top linear transformation. - */ - y14 = x3 ^ x5; - y13 = x0 ^ x6; - y9 = x0 ^ x3; - y8 = x0 ^ x5; - t0 = x1 ^ x2; - y1 = t0 ^ x7; - y4 = y1 ^ x3; - y12 = y13 ^ y14; - y2 = y1 ^ x0; - y5 = y1 ^ x6; - y3 = y5 ^ y8; - t1 = x4 ^ y12; - y15 = t1 ^ x5; - y20 = t1 ^ x1; - y6 = y15 ^ x7; - y10 = y15 ^ t0; - y11 = y20 ^ y9; - y7 = x7 ^ y11; - y17 = y10 ^ y11; - y19 = y10 ^ y8; - y16 = t0 ^ y11; - y21 = y13 ^ y16; - y18 = x0 ^ y16; - - /* - * Non-linear section. 
- */ - t2 = y12 & y15; - t3 = y3 & y6; - t4 = t3 ^ t2; - t5 = y4 & x7; - t6 = t5 ^ t2; - t7 = y13 & y16; - t8 = y5 & y1; - t9 = t8 ^ t7; - t10 = y2 & y7; - t11 = t10 ^ t7; - t12 = y9 & y11; - t13 = y14 & y17; - t14 = t13 ^ t12; - t15 = y8 & y10; - t16 = t15 ^ t12; - t17 = t4 ^ t14; - t18 = t6 ^ t16; - t19 = t9 ^ t14; - t20 = t11 ^ t16; - t21 = t17 ^ y20; - t22 = t18 ^ y19; - t23 = t19 ^ y21; - t24 = t20 ^ y18; - - t25 = t21 ^ t22; - t26 = t21 & t23; - t27 = t24 ^ t26; - t28 = t25 & t27; - t29 = t28 ^ t22; - t30 = t23 ^ t24; - t31 = t22 ^ t26; - t32 = t31 & t30; - t33 = t32 ^ t24; - t34 = t23 ^ t33; - t35 = t27 ^ t33; - t36 = t24 & t35; - t37 = t36 ^ t34; - t38 = t27 ^ t36; - t39 = t29 & t38; - t40 = t25 ^ t39; - - t41 = t40 ^ t37; - t42 = t29 ^ t33; - t43 = t29 ^ t40; - t44 = t33 ^ t37; - t45 = t42 ^ t41; - z0 = t44 & y15; - z1 = t37 & y6; - z2 = t33 & x7; - z3 = t43 & y16; - z4 = t40 & y1; - z5 = t29 & y7; - z6 = t42 & y11; - z7 = t45 & y17; - z8 = t41 & y10; - z9 = t44 & y12; - z10 = t37 & y3; - z11 = t33 & y4; - z12 = t43 & y13; - z13 = t40 & y5; - z14 = t29 & y2; - z15 = t42 & y9; - z16 = t45 & y14; - z17 = t41 & y8; - - /* - * Bottom linear transformation. 
- */ - t46 = z15 ^ z16; - t47 = z10 ^ z11; - t48 = z5 ^ z13; - t49 = z9 ^ z10; - t50 = z2 ^ z12; - t51 = z2 ^ z5; - t52 = z7 ^ z8; - t53 = z0 ^ z3; - t54 = z6 ^ z7; - t55 = z16 ^ z17; - t56 = z12 ^ t48; - t57 = t50 ^ t53; - t58 = z4 ^ t46; - t59 = z3 ^ t54; - t60 = t46 ^ t57; - t61 = z14 ^ t57; - t62 = t52 ^ t58; - t63 = t49 ^ t58; - t64 = z4 ^ t59; - t65 = t61 ^ t62; - t66 = z1 ^ t63; - s0 = t59 ^ t63; - s6 = t56 ^ ~t62; - s7 = t48 ^ ~t60; - t67 = t64 ^ t65; - s3 = t53 ^ t66; - s4 = t51 ^ t66; - s5 = t47 ^ t65; - s1 = t64 ^ ~s3; - s2 = t55 ^ ~t67; - - q[7] = s0; - q[6] = s1; - q[5] = s2; - q[4] = s3; - q[3] = s4; - q[2] = s5; - q[1] = s6; - q[0] = s7; -} - -static void br_aes_ct_bitslice_Sbox(uint32_t *q) { - /* - * This S-box implementation is a straightforward translation of - * the circuit described by Boyar and Peralta in "A new - * combinational logic minimization technique with applications - * to cryptology" (https://eprint.iacr.org/2009/191.pdf). - * - * Note that variables x* (input) and s* (output) are numbered - * in "reverse" order (x0 is the high bit, x7 is the low bit). - */ - - uint32_t x0, x1, x2, x3, x4, x5, x6, x7; - uint32_t y1, y2, y3, y4, y5, y6, y7, y8, y9; - uint32_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19; - uint32_t y20, y21; - uint32_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9; - uint32_t z10, z11, z12, z13, z14, z15, z16, z17; - uint32_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9; - uint32_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19; - uint32_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29; - uint32_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39; - uint32_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49; - uint32_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59; - uint32_t t60, t61, t62, t63, t64, t65, t66, t67; - uint32_t s0, s1, s2, s3, s4, s5, s6, s7; - - x0 = q[7]; - x1 = q[6]; - x2 = q[5]; - x3 = q[4]; - x4 = q[3]; - x5 = q[2]; - x6 = q[1]; - x7 = q[0]; - - /* - * Top linear transformation. 
- */
- y14 = x3 ^ x5;
- y13 = x0 ^ x6;
- y9 = x0 ^ x3;
- y8 = x0 ^ x5;
- t0 = x1 ^ x2;
- y1 = t0 ^ x7;
- y4 = y1 ^ x3;
- y12 = y13 ^ y14;
- y2 = y1 ^ x0;
- y5 = y1 ^ x6;
- y3 = y5 ^ y8;
- t1 = x4 ^ y12;
- y15 = t1 ^ x5;
- y20 = t1 ^ x1;
- y6 = y15 ^ x7;
- y10 = y15 ^ t0;
- y11 = y20 ^ y9;
- y7 = x7 ^ y11;
- y17 = y10 ^ y11;
- y19 = y10 ^ y8;
- y16 = t0 ^ y11;
- y21 = y13 ^ y16;
- y18 = x0 ^ y16;
-
- /*
- * Non-linear section.
- */
- t2 = y12 & y15;
- t3 = y3 & y6;
- t4 = t3 ^ t2;
- t5 = y4 & x7;
- t6 = t5 ^ t2;
- t7 = y13 & y16;
- t8 = y5 & y1;
- t9 = t8 ^ t7;
- t10 = y2 & y7;
- t11 = t10 ^ t7;
- t12 = y9 & y11;
- t13 = y14 & y17;
- t14 = t13 ^ t12;
- t15 = y8 & y10;
- t16 = t15 ^ t12;
- t17 = t4 ^ t14;
- t18 = t6 ^ t16;
- t19 = t9 ^ t14;
- t20 = t11 ^ t16;
- t21 = t17 ^ y20;
- t22 = t18 ^ y19;
- t23 = t19 ^ y21;
- t24 = t20 ^ y18;
-
- t25 = t21 ^ t22;
- t26 = t21 & t23;
- t27 = t24 ^ t26;
- t28 = t25 & t27;
- t29 = t28 ^ t22;
- t30 = t23 ^ t24;
- t31 = t22 ^ t26;
- t32 = t31 & t30;
- t33 = t32 ^ t24;
- t34 = t23 ^ t33;
- t35 = t27 ^ t33;
- t36 = t24 & t35;
- t37 = t36 ^ t34;
- t38 = t27 ^ t36;
- t39 = t29 & t38;
- t40 = t25 ^ t39;
-
- t41 = t40 ^ t37;
- t42 = t29 ^ t33;
- t43 = t29 ^ t40;
- t44 = t33 ^ t37;
- t45 = t42 ^ t41;
- z0 = t44 & y15;
- z1 = t37 & y6;
- z2 = t33 & x7;
- z3 = t43 & y16;
- z4 = t40 & y1;
- z5 = t29 & y7;
- z6 = t42 & y11;
- z7 = t45 & y17;
- z8 = t41 & y10;
- z9 = t44 & y12;
- z10 = t37 & y3;
- z11 = t33 & y4;
- z12 = t43 & y13;
- z13 = t40 & y5;
- z14 = t29 & y2;
- z15 = t42 & y9;
- z16 = t45 & y14;
- z17 = t41 & y8;
-
- /*
- * Bottom linear transformation.
- */
- t46 = z15 ^ z16;
- t47 = z10 ^ z11;
- t48 = z5 ^ z13;
- t49 = z9 ^ z10;
- t50 = z2 ^ z12;
- t51 = z2 ^ z5;
- t52 = z7 ^ z8;
- t53 = z0 ^ z3;
- t54 = z6 ^ z7;
- t55 = z16 ^ z17;
- t56 = z12 ^ t48;
- t57 = t50 ^ t53;
- t58 = z4 ^ t46;
- t59 = z3 ^ t54;
- t60 = t46 ^ t57;
- t61 = z14 ^ t57;
- t62 = t52 ^ t58;
- t63 = t49 ^ t58;
- t64 = z4 ^ t59;
- t65 = t61 ^ t62;
- t66 = z1 ^ t63;
- s0 = t59 ^ t63;
- s6 = t56 ^ ~t62;
- s7 = t48 ^ ~t60;
- t67 = t64 ^ t65;
- s3 = t53 ^ t66;
- s4 = t51 ^ t66;
- s5 = t47 ^ t65;
- s1 = t64 ^ ~s3;
- s2 = t55 ^ ~t67;
-
- q[7] = s0;
- q[6] = s1;
- q[5] = s2;
- q[4] = s3;
- q[3] = s4;
- q[2] = s5;
- q[1] = s6;
- q[0] = s7;
-}
-
-static void br_aes_ct_ortho(uint32_t *q) {
-#define SWAPN_32(cl, ch, s, x, y) do { \
- uint32_t a, b; \
- a = (x); \
- b = (y); \
- (x) = (a & (uint32_t)(cl)) | ((b & (uint32_t)(cl)) << (s)); \
- (y) = ((a & (uint32_t)(ch)) >> (s)) | (b & (uint32_t)(ch)); \
- } while (0)
-
-#define SWAP2_32(x, y) SWAPN_32(0x55555555, 0xAAAAAAAA, 1, x, y)
-#define SWAP4_32(x, y) SWAPN_32(0x33333333, 0xCCCCCCCC, 2, x, y)
-#define SWAP8_32(x, y) SWAPN_32(0x0F0F0F0F, 0xF0F0F0F0, 4, x, y)
-
- SWAP2_32(q[0], q[1]);
- SWAP2_32(q[2], q[3]);
- SWAP2_32(q[4], q[5]);
- SWAP2_32(q[6], q[7]);
-
- SWAP4_32(q[0], q[2]);
- SWAP4_32(q[1], q[3]);
- SWAP4_32(q[4], q[6]);
- SWAP4_32(q[5], q[7]);
-
- SWAP8_32(q[0], q[4]);
- SWAP8_32(q[1], q[5]);
- SWAP8_32(q[2], q[6]);
- SWAP8_32(q[3], q[7]);
-}
-
-static inline void add_round_key32(uint32_t *q, const uint32_t *sk) {
- q[0] ^= sk[0];
- q[1] ^= sk[1];
- q[2] ^= sk[2];
- q[3] ^= sk[3];
- q[4] ^= sk[4];
- q[5] ^= sk[5];
- q[6] ^= sk[6];
- q[7] ^= sk[7];
-}
-
-static inline void shift_rows32(uint32_t *q) {
- int i;
-
- for (i = 0; i < 8; i++) {
- uint32_t x;
-
- x = q[i];
- q[i] = (x & 0x000000FF)
- | ((x & 0x0000FC00) >> 2) | ((x & 0x00000300) << 6)
- | ((x & 0x00F00000) >> 4) | ((x & 0x000F0000) << 4)
- | ((x & 0xC0000000) >> 6) | ((x & 0x3F000000) << 2);
- }
-}
-
-static inline uint32_t
rotr16(uint32_t x) {
- return (x << 16) | (x >> 16);
-}
-
-static inline void mix_columns32(uint32_t *q) {
- uint32_t q0, q1, q2, q3, q4, q5, q6, q7;
- uint32_t r0, r1, r2, r3, r4, r5, r6, r7;
-
- q0 = q[0];
- q1 = q[1];
- q2 = q[2];
- q3 = q[3];
- q4 = q[4];
- q5 = q[5];
- q6 = q[6];
- q7 = q[7];
- r0 = (q0 >> 8) | (q0 << 24);
- r1 = (q1 >> 8) | (q1 << 24);
- r2 = (q2 >> 8) | (q2 << 24);
- r3 = (q3 >> 8) | (q3 << 24);
- r4 = (q4 >> 8) | (q4 << 24);
- r5 = (q5 >> 8) | (q5 << 24);
- r6 = (q6 >> 8) | (q6 << 24);
- r7 = (q7 >> 8) | (q7 << 24);
-
- q[0] = q7 ^ r7 ^ r0 ^ rotr16(q0 ^ r0);
- q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr16(q1 ^ r1);
- q[2] = q1 ^ r1 ^ r2 ^ rotr16(q2 ^ r2);
- q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr16(q3 ^ r3);
- q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr16(q4 ^ r4);
- q[5] = q4 ^ r4 ^ r5 ^ rotr16(q5 ^ r5);
- q[6] = q5 ^ r5 ^ r6 ^ rotr16(q6 ^ r6);
- q[7] = q6 ^ r6 ^ r7 ^ rotr16(q7 ^ r7);
-}
-
-static void br_aes_ct64_ortho(uint64_t *q) {
-#define SWAPN(cl, ch, s, x, y) do { \
- uint64_t a, b; \
- a = (x); \
- b = (y); \
- (x) = (a & (uint64_t)(cl)) | ((b & (uint64_t)(cl)) << (s)); \
- (y) = ((a & (uint64_t)(ch)) >> (s)) | (b & (uint64_t)(ch)); \
- } while (0)
-
-#define SWAP2(x, y) SWAPN(0x5555555555555555, 0xAAAAAAAAAAAAAAAA, 1, x, y)
-#define SWAP4(x, y) SWAPN(0x3333333333333333, 0xCCCCCCCCCCCCCCCC, 2, x, y)
-#define SWAP8(x, y) SWAPN(0x0F0F0F0F0F0F0F0F, 0xF0F0F0F0F0F0F0F0, 4, x, y)
-
- SWAP2(q[0], q[1]);
- SWAP2(q[2], q[3]);
- SWAP2(q[4], q[5]);
- SWAP2(q[6], q[7]);
-
- SWAP4(q[0], q[2]);
- SWAP4(q[1], q[3]);
- SWAP4(q[4], q[6]);
- SWAP4(q[5], q[7]);
-
- SWAP8(q[0], q[4]);
- SWAP8(q[1], q[5]);
- SWAP8(q[2], q[6]);
- SWAP8(q[3], q[7]);
-}
-
-
-static void br_aes_ct64_interleave_in(uint64_t *q0, uint64_t *q1, const uint32_t *w) {
- uint64_t x0, x1, x2, x3;
-
- x0 = w[0];
- x1 = w[1];
- x2 = w[2];
- x3 = w[3];
- x0 |= (x0 << 16);
- x1 |= (x1 << 16);
- x2 |= (x2 << 16);
- x3 |= (x3 << 16);
- x0 &= (uint64_t)0x0000FFFF0000FFFF;
- x1 &=
(uint64_t)0x0000FFFF0000FFFF;
- x2 &= (uint64_t)0x0000FFFF0000FFFF;
- x3 &= (uint64_t)0x0000FFFF0000FFFF;
- x0 |= (x0 << 8);
- x1 |= (x1 << 8);
- x2 |= (x2 << 8);
- x3 |= (x3 << 8);
- x0 &= (uint64_t)0x00FF00FF00FF00FF;
- x1 &= (uint64_t)0x00FF00FF00FF00FF;
- x2 &= (uint64_t)0x00FF00FF00FF00FF;
- x3 &= (uint64_t)0x00FF00FF00FF00FF;
- *q0 = x0 | (x2 << 8);
- *q1 = x1 | (x3 << 8);
-}
-
-
-static void br_aes_ct64_interleave_out(uint32_t *w, uint64_t q0, uint64_t q1) {
- uint64_t x0, x1, x2, x3;
-
- x0 = q0 & (uint64_t)0x00FF00FF00FF00FF;
- x1 = q1 & (uint64_t)0x00FF00FF00FF00FF;
- x2 = (q0 >> 8) & (uint64_t)0x00FF00FF00FF00FF;
- x3 = (q1 >> 8) & (uint64_t)0x00FF00FF00FF00FF;
- x0 |= (x0 >> 8);
- x1 |= (x1 >> 8);
- x2 |= (x2 >> 8);
- x3 |= (x3 >> 8);
- x0 &= (uint64_t)0x0000FFFF0000FFFF;
- x1 &= (uint64_t)0x0000FFFF0000FFFF;
- x2 &= (uint64_t)0x0000FFFF0000FFFF;
- x3 &= (uint64_t)0x0000FFFF0000FFFF;
- w[0] = (uint32_t)x0 | (uint32_t)(x0 >> 16);
- w[1] = (uint32_t)x1 | (uint32_t)(x1 >> 16);
- w[2] = (uint32_t)x2 | (uint32_t)(x2 >> 16);
- w[3] = (uint32_t)x3 | (uint32_t)(x3 >> 16);
-}
-
-static inline void add_round_key(uint64_t *q, const uint64_t *sk) {
- q[0] ^= sk[0];
- q[1] ^= sk[1];
- q[2] ^= sk[2];
- q[3] ^= sk[3];
- q[4] ^= sk[4];
- q[5] ^= sk[5];
- q[6] ^= sk[6];
- q[7] ^= sk[7];
-}
-
-static inline void shift_rows(uint64_t *q) {
- int i;
-
- for (i = 0; i < 8; i++) {
- uint64_t x;
-
- x = q[i];
- q[i] = (x & (uint64_t)0x000000000000FFFF)
- | ((x & (uint64_t)0x00000000FFF00000) >> 4)
- | ((x & (uint64_t)0x00000000000F0000) << 12)
- | ((x & (uint64_t)0x0000FF0000000000) >> 8)
- | ((x & (uint64_t)0x000000FF00000000) << 8)
- | ((x & (uint64_t)0xF000000000000000) >> 12)
- | ((x & (uint64_t)0x0FFF000000000000) << 4);
- }
-}
-
-static inline uint64_t rotr32(uint64_t x) {
- return (x << 32) | (x >> 32);
-}
-
-static inline void mix_columns(uint64_t *q) {
- uint64_t q0, q1, q2, q3, q4, q5, q6, q7;
- uint64_t r0, r1, r2, r3, r4, r5, r6, r7;
-
- q0 = q[0];
- q1 = q[1];
-
q2 = q[2];
- q3 = q[3];
- q4 = q[4];
- q5 = q[5];
- q6 = q[6];
- q7 = q[7];
- r0 = (q0 >> 16) | (q0 << 48);
- r1 = (q1 >> 16) | (q1 << 48);
- r2 = (q2 >> 16) | (q2 << 48);
- r3 = (q3 >> 16) | (q3 << 48);
- r4 = (q4 >> 16) | (q4 << 48);
- r5 = (q5 >> 16) | (q5 << 48);
- r6 = (q6 >> 16) | (q6 << 48);
- r7 = (q7 >> 16) | (q7 << 48);
-
- q[0] = q7 ^ r7 ^ r0 ^ rotr32(q0 ^ r0);
- q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr32(q1 ^ r1);
- q[2] = q1 ^ r1 ^ r2 ^ rotr32(q2 ^ r2);
- q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr32(q3 ^ r3);
- q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr32(q4 ^ r4);
- q[5] = q4 ^ r4 ^ r5 ^ rotr32(q5 ^ r5);
- q[6] = q5 ^ r5 ^ r6 ^ rotr32(q6 ^ r6);
- q[7] = q6 ^ r6 ^ r7 ^ rotr32(q7 ^ r7);
-}
-
-static void interleave_constant(uint64_t *out, const unsigned char *in) {
- uint32_t tmp_32_constant[16];
- int i;
-
- br_range_dec32le(tmp_32_constant, 16, in);
- for (i = 0; i < 4; i++) {
- br_aes_ct64_interleave_in(&out[i], &out[i + 4], tmp_32_constant + (i << 2));
- }
- br_aes_ct64_ortho(out);
-}
-
-static void interleave_constant32(uint32_t *out, const unsigned char *in) {
- int i;
- for (i = 0; i < 4; i++) {
- out[2 * i] = br_dec32le(in + 4 * i);
- out[2 * i + 1] = br_dec32le(in + 4 * i + 16);
- }
- br_aes_ct_ortho(out);
-}
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length) {
- unsigned char buf[40 * 16];
- int i;
-
- /* Use the standard constants to generate tweaked ones.
 */
- memcpy((uint8_t *)state->tweaked512_rc64, (uint8_t *)haraka512_rc64, 40 * 16);
-
- /* Constants for sk.seed */
- if (sk_seed != NULL) {
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S(
- buf, 40 * 16, sk_seed, seed_length, state);
-
- /* Interleave constants */
- for (i = 0; i < 10; i++) {
- interleave_constant32(state->tweaked256_rc32_sseed[i], buf + 32 * i);
- }
- }
-
- /* Constants for pk.seed */
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S(
- buf, 40 * 16, pk_seed, seed_length, state);
- for (i = 0; i < 10; i++) {
- interleave_constant32(state->tweaked256_rc32[i], buf + 32 * i);
- interleave_constant(state->tweaked512_rc64[i], buf + 64 * i);
- }
-}
-
-static void haraka_S_absorb(unsigned char *s,
- const unsigned char *m, unsigned long long mlen,
- unsigned char p, const harakactx *state) {
- unsigned long long i;
- unsigned char t[HARAKAS_RATE];
-
- while (mlen >= HARAKAS_RATE) {
- /* XOR block to state */
- for (i = 0; i < HARAKAS_RATE; ++i) {
- s[i] ^= m[i];
- }
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka512_perm(s, s, state);
- mlen -= HARAKAS_RATE;
- m += HARAKAS_RATE;
- }
-
- for (i = 0; i < HARAKAS_RATE; ++i) {
- t[i] = 0;
- }
- for (i = 0; i < mlen; ++i) {
- t[i] = m[i];
- }
- t[i] = p;
- t[HARAKAS_RATE - 1] |= 128;
- for (i = 0; i < HARAKAS_RATE; ++i) {
- s[i] ^= t[i];
- }
-}
-
-static void haraka_S_squeezeblocks(unsigned char *h, unsigned long long nblocks,
- unsigned char *s, const harakactx *state) {
- while (nblocks > 0) {
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka512_perm(s, s, state);
- memcpy(h, s, HARAKAS_RATE);
- h += HARAKAS_RATE;
- nblocks--;
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S_inc_init(uint8_t *s_inc) {
- size_t i;
-
- for (i = 0; i < 64; i++) {
- s_inc[i] = 0;
- }
- s_inc[64] = 0;
-}
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state) {
- size_t i;
-
- /* Recall that s_inc[64] is the non-absorbed bytes xored into
the state */ - while (mlen + s_inc[64] >= HARAKAS_RATE) { - for (i = 0; i < (size_t)(HARAKAS_RATE - s_inc[64]); i++) { - /* Take the i'th byte from message - xor with the s_inc[64] + i'th byte of the state */ - s_inc[s_inc[64] + i] ^= m[i]; - } - mlen -= (size_t)(HARAKAS_RATE - s_inc[64]); - m += HARAKAS_RATE - s_inc[64]; - s_inc[64] = 0; - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka512_perm(s_inc, s_inc, state); - } - - for (i = 0; i < mlen; i++) { - s_inc[s_inc[64] + i] ^= m[i]; - } - s_inc[64] = (uint8_t)(mlen + s_inc[64]); -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S_inc_finalize(uint8_t *s_inc) { - /* After haraka_S_inc_absorb, we are guaranteed that s_inc[64] < HARAKAS_RATE, - so we can always use one more byte for p in the current state. */ - s_inc[s_inc[64]] ^= 0x1F; - s_inc[HARAKAS_RATE - 1] ^= 128; - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state) { - uint8_t i; - - /* First consume any bytes we still have sitting around */ - for (i = 0; i < outlen && i < s_inc[64]; i++) { - /* There are s_inc[64] bytes left, so r - s_inc[64] is the first - available byte. We consume from there, i.e., up to r. 
*/ - out[i] = s_inc[(HARAKAS_RATE - s_inc[64] + i)]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(s_inc[64] - i); - - /* Then squeeze the remaining necessary blocks */ - while (outlen > 0) { - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka512_perm(s_inc, s_inc, state); - - for (i = 0; i < outlen && i < HARAKAS_RATE; i++) { - out[i] = s_inc[i]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(HARAKAS_RATE - i); - } -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S(unsigned char *out, unsigned long long outlen, const unsigned char *in, unsigned long long inlen, const harakactx *state) { - unsigned long long i; - unsigned char s[64]; - unsigned char d[32]; - - for (i = 0; i < 64; i++) { - s[i] = 0; - } - haraka_S_absorb(s, in, inlen, 0x1F, state); - - haraka_S_squeezeblocks(out, outlen / 32, s, state); - out += (outlen / 32) * 32; - - if (outlen % 32) { - haraka_S_squeezeblocks(d, 1, s, state); - for (i = 0; i < outlen % 32; i++) { - out[i] = d[i]; - } - } -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state) { - uint32_t w[16]; - uint64_t q[8], tmp_q; - unsigned int i, j; - - br_range_dec32le(w, 16, in); - for (i = 0; i < 4; i++) { - br_aes_ct64_interleave_in(&q[i], &q[i + 4], w + (i << 2)); - } - br_aes_ct64_ortho(q); - - /* AES rounds */ - for (i = 0; i < 5; i++) { - for (j = 0; j < 2; j++) { - br_aes_ct64_bitslice_Sbox(q); - shift_rows(q); - mix_columns(q); - add_round_key(q, state->tweaked512_rc64[2 * i + j]); - } - /* Mix states */ - for (j = 0; j < 8; j++) { - tmp_q = q[j]; - q[j] = (tmp_q & 0x0001000100010001) << 5 | - (tmp_q & 0x0002000200020002) << 12 | - (tmp_q & 0x0004000400040004) >> 1 | - (tmp_q & 0x0008000800080008) << 6 | - (tmp_q & 0x0020002000200020) << 9 | - (tmp_q & 0x0040004000400040) >> 4 | - (tmp_q & 0x0080008000800080) << 3 | - (tmp_q & 0x2100210021002100) >> 5 | - (tmp_q & 0x0210021002100210) << 2 | - (tmp_q & 0x0800080008000800) << 4 | - 
(tmp_q & 0x1000100010001000) >> 12 | - (tmp_q & 0x4000400040004000) >> 10 | - (tmp_q & 0x8400840084008400) >> 3; - } - } - - br_aes_ct64_ortho(q); - for (i = 0; i < 4; i ++) { - br_aes_ct64_interleave_out(w + (i << 2), q[i], q[i + 4]); - } - br_range_enc32le(out, w, 16); -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state) { - int i; - - unsigned char buf[64]; - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka512_perm(buf, in, state); - /* Feed-forward */ - for (i = 0; i < 64; i++) { - buf[i] = buf[i] ^ in[i]; - } - - /* Truncated */ - memcpy(out, buf + 8, 8); - memcpy(out + 8, buf + 24, 8); - memcpy(out + 16, buf + 32, 8); - memcpy(out + 24, buf + 48, 8); -} - - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state) { - uint32_t q[8], tmp_q; - int i, j; - - for (i = 0; i < 4; i++) { - q[2 * i] = br_dec32le(in + 4 * i); - q[2 * i + 1] = br_dec32le(in + 4 * i + 16); - } - br_aes_ct_ortho(q); - - /* AES rounds */ - for (i = 0; i < 5; i++) { - for (j = 0; j < 2; j++) { - br_aes_ct_bitslice_Sbox(q); - shift_rows32(q); - mix_columns32(q); - add_round_key32(q, state->tweaked256_rc32[2 * i + j]); - } - - /* Mix states */ - for (j = 0; j < 8; j++) { - tmp_q = q[j]; - q[j] = (tmp_q & 0x81818181) | - (tmp_q & 0x02020202) << 1 | - (tmp_q & 0x04040404) << 2 | - (tmp_q & 0x08080808) << 3 | - (tmp_q & 0x10101010) >> 3 | - (tmp_q & 0x20202020) >> 2 | - (tmp_q & 0x40404040) >> 1; - } - } - - br_aes_ct_ortho(q); - for (i = 0; i < 4; i++) { - br_enc32le(out + 4 * i, q[2 * i]); - br_enc32le(out + 4 * i + 16, q[2 * i + 1]); - } - - for (i = 0; i < 32; i++) { - out[i] ^= in[i]; - } -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state) { - uint32_t q[8], tmp_q; - int i, j; - - for (i = 0; i < 4; i++) { - q[2 * i] = br_dec32le(in + 4 * i); - q[2 * i + 1] = br_dec32le(in + 4 
* i + 16); - } - br_aes_ct_ortho(q); - - /* AES rounds */ - for (i = 0; i < 5; i++) { - for (j = 0; j < 2; j++) { - br_aes_ct_bitslice_Sbox(q); - shift_rows32(q); - mix_columns32(q); - add_round_key32(q, state->tweaked256_rc32_sseed[2 * i + j]); - } - - /* Mix states */ - for (j = 0; j < 8; j++) { - tmp_q = q[j]; - q[j] = (tmp_q & 0x81818181) | - (tmp_q & 0x02020202) << 1 | - (tmp_q & 0x04040404) << 2 | - (tmp_q & 0x08080808) << 3 | - (tmp_q & 0x10101010) >> 3 | - (tmp_q & 0x20202020) >> 2 | - (tmp_q & 0x40404040) >> 1; - } - } - - br_aes_ct_ortho(q); - for (i = 0; i < 4; i++) { - br_enc32le(out + 4 * i, q[2 * i]); - br_enc32le(out + 4 * i + 16, q[2 * i + 1]); - } - - for (i = 0; i < 32; i++) { - out[i] ^= in[i]; - } -} diff --git a/crypto_sign/sphincs-haraka-192f-simple/clean/haraka.h b/crypto_sign/sphincs-haraka-192f-simple/clean/haraka.h deleted file mode 100644 index cd8c98d0..00000000 --- a/crypto_sign/sphincs-haraka-192f-simple/clean/haraka.h +++ /dev/null 
@@ -1,40 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_HARAKA_H
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_HARAKA_H
-
-#include
-#include
-
-typedef struct {
- uint64_t tweaked512_rc64[10][8];
- uint32_t tweaked256_rc32[10][8];
- uint32_t tweaked256_rc32_sseed[10][8];
-} harakactx;
-
-/* Tweak constants with seed */
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length);
-
-/* Haraka Sponge */
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S_inc_init(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S_inc_finalize(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S(
- unsigned char *out, unsigned long long outlen,
- const unsigned char *in, unsigned long long inlen, const harakactx *state);
-
-/* Applies the 512-bit Haraka permutation to in. */
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-512 */
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 */
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 using sk.seed constants */
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-simple/clean/hash.h b/crypto_sign/sphincs-haraka-192f-simple/clean/hash.h
deleted file mode 100644
index e156b811..00000000
--- a/crypto_sign/sphincs-haraka-192f-simple/clean/hash.h
+++ /dev/null
@@ -1,31 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_HASH_H
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_HASH_H
-
-#include "hash_state.h"
-
-#include
-#include
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed);
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_destroy_hash_function(hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-simple/clean/hash_haraka.c b/crypto_sign/sphincs-haraka-192f-simple/clean/hash_haraka.c
deleted file mode 100644
index 85c4bb2f..00000000
--- a/crypto_sign/sphincs-haraka-192f-simple/clean/hash_haraka.c
+++ /dev/null
@@ -1,96 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "hash.h" -#include "params.h" -#include "utils.h" - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_initialize_hash_function( - hash_state *hash_state_seeded, - const unsigned char *pub_seed, const unsigned char *sk_seed) { - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_tweak_constants(hash_state_seeded, pub_seed, sk_seed, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N); -} - -/* The haraka implementation is stack based and won't be replaced in PQClean/OQS, - so we don't need to do anything */ -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_destroy_hash_function( - hash_state *hash_state_seeded) { // NOLINT(readability-non-const-parameter) - (void)hash_state_seeded; -} - -/* - * Computes PRF(key, addr), given a secret key of PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N bytes and an address - */ -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_prf_addr( - unsigned char *out, const unsigned char *key, const uint32_t addr[8], - const hash_state *hash_state_seeded) { - unsigned char buf[PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_BYTES]; - /* Since PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N may be smaller than 32, we need a temporary buffer. */ - unsigned char outbuf[32]; - - (void)key; /* Suppress an 'unused parameter' warning. */ - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_addr_to_bytes(buf, addr); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka256_sk(outbuf, buf, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N); -} - -/** - * Computes the message-dependent randomness R, using a secret seed and an - * optional randomization value as well as the message. 
 */
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded) {
- uint8_t s_inc[65];
-
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S_inc_init(s_inc);
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, sk_prf, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, optrand, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S_inc_finalize(s_inc);
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S_inc_squeeze(R, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, s_inc, hash_state_seeded);
-}
-
-/**
- * Computes the message hash using R, the public key, and the message.
- * Outputs the message digest and the index of the leaf. The index is split in
- * the tree index and the leaf index, for convenient copying to an address.
 */
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded) {
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_TREE_BITS (PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_TREE_HEIGHT * (PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_D - 1))
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_TREE_BYTES ((PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_TREE_BITS + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_LEAF_BITS PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_TREE_HEIGHT
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_LEAF_BYTES ((PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_LEAF_BITS + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_DGST_BYTES (PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_MSG_BYTES + PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_TREE_BYTES + PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_LEAF_BYTES)
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_DGST_BYTES];
- unsigned char *bufp = buf;
- uint8_t s_inc[65];
-
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S_inc_init(s_inc);
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, R, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, pk + PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S_inc_finalize(s_inc);
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S_inc_squeeze(buf, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_DGST_BYTES, s_inc, hash_state_seeded);
-
- memcpy(digest, bufp, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_MSG_BYTES);
- bufp += PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_MSG_BYTES;
-
- *tree = PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_bytes_to_ull(bufp,
PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_TREE_BYTES);
- *tree &= (~(uint64_t)0) >> (64 - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_TREE_BITS);
- bufp += PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_TREE_BYTES;
-
- *leaf_idx = (uint32_t)PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_bytes_to_ull(
- bufp, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_LEAF_BYTES);
- *leaf_idx &= (~(uint32_t)0) >> (32 - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_LEAF_BITS);
-}
diff --git a/crypto_sign/sphincs-haraka-192f-simple/clean/hash_state.h b/crypto_sign/sphincs-haraka-192f-simple/clean/hash_state.h
deleted file mode 100644
index 5adb1d9a..00000000
--- a/crypto_sign/sphincs-haraka-192f-simple/clean/hash_state.h
+++ /dev/null
@@ -1,26 +0,0 @@
-#ifndef SPX_HASH_STATE_H
-#define SPX_HASH_STATE_H
-
-/**
- * Defines the type of the hash function state.
- *
- * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
- *
- * From Section 7.2.2 from the SPHINCS+ round-2 specification:
- *
- * Each of the instances of the tweakable hash function take PK.seed as its
- * first input, which is constant for a given key pair – and, thus, across
- * a single signature. This leads to a lot of redundant computation. To remedy
- * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
- * Because of the Merkle-Damgård construction that underlies SHA-256, this
- * allows for reuse of the intermediate SHA-256 state after the initial call to
- * the compression function which improves performance.
- *
- * We pass this hash state around in functions, because otherwise we need to
- * have a global variable.
- */
-
-#include "haraka.h"
-#define hash_state harakactx
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-simple/clean/params.h b/crypto_sign/sphincs-haraka-192f-simple/clean/params.h
deleted file mode 100644
index 69d43e0c..00000000
--- a/crypto_sign/sphincs-haraka-192f-simple/clean/params.h
+++ /dev/null
@@ -1,53 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_PARAMS_H
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_PARAMS_H
-
-/* Hash output length in bytes. */
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N 24
-/* Height of the hypertree. */
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FULL_HEIGHT 66
-/* Number of subtree layer. */
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_D 22
-/* FORS tree dimensions. */
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_HEIGHT 8
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_TREES 33
-/* Winternitz parameter, */
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_W 16
-
-/* The hash function is defined by linking a different hash.c file, as opposed
- to setting a #define constant. */
-
-/* For clarity */
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_BYTES 32
-
-/* WOTS parameters. */
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_LOGW 4
-
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_LEN1 (8 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N / PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_LOGW)
-
-/* PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_LEN2 3
-
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_LEN (PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_LEN1 + PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_LEN2)
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_BYTES (PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_LEN * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_PK_BYTES PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_BYTES
-
-/* Subtree size. */
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_TREE_HEIGHT (PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FULL_HEIGHT / PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_D)
-
-/* FORS parameters.
 */
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_MSG_BYTES ((PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_TREES + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_BYTES ((PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_HEIGHT + 1) * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_PK_BYTES PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N
-
-/* Resulting SPX sizes. */
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_BYTES (PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N + PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_BYTES + PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_D * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_BYTES +\
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FULL_HEIGHT * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_PK_BYTES (2 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_SK_BYTES (2 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N + PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_PK_BYTES)
-
-/* Optionally, signing can be made non-deterministic using optrand.
- This can help counter side-channel attacks that would benefit from
- getting a large number of traces when the signer uses the same nodes. */
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_OPTRAND_BYTES 32
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-simple/clean/sign.c b/crypto_sign/sphincs-haraka-192f-simple/clean/sign.c
deleted file mode 100644
index eba10555..00000000
--- a/crypto_sign/sphincs-haraka-192f-simple/clean/sign.c
+++ /dev/null
@@ -1,356 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "api.h" -#include "fors.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "randombytes.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - -/** - * Computes the leaf at a given address. First generates the WOTS key pair, - * then computes leaf by hashing horizontally. - */ -static void wots_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx, const uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - unsigned char pk[PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_BYTES]; - uint32_t wots_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_TYPE_WOTSPK); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_keypair_addr( - wots_addr, addr_idx); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_wots_gen_pk( - pk, sk_seed, pub_seed, wots_addr, hash_state_seeded); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_copy_keypair_addr( - wots_pk_addr, wots_addr); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_thash_WOTS_LEN( - leaf, pk, pub_seed, wots_pk_addr, hash_state_seeded); -} - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_crypto_sign_secretkeybytes(void) { - return PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_CRYPTO_SECRETKEYBYTES; -} - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_crypto_sign_publickeybytes(void) { - return PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_CRYPTO_PUBLICKEYBYTES; -} - -/* - * Returns the length of a signature, in bytes - */ -size_t 
PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_crypto_sign_bytes(void) { - return PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_CRYPTO_BYTES; -} - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_crypto_sign_seedbytes(void) { - return PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_CRYPTO_SEEDBYTES; -} - -/* - * Generates an SPX key pair given a seed of length - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_crypto_sign_seed_keypair( - uint8_t *pk, uint8_t *sk, const uint8_t *seed) { - /* We do not need the auth path in key generation, but it simplifies the - code to have just one treehash routine that computes both root and path - in one function. */ - unsigned char auth_path[PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N]; - uint32_t top_tree_addr[8] = {0}; - hash_state hash_state_seeded; - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_layer_addr( - top_tree_addr, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_D - 1); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_type( - top_tree_addr, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_TYPE_HASHTREE); - - /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */ - memcpy(sk, seed, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_CRYPTO_SEEDBYTES); - - memcpy(pk, sk + 2 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_initialize_hash_function(&hash_state_seeded, pk, sk); - - /* Compute root node of the top-most subtree. 
*/ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_treehash_TREE_HEIGHT( - sk + 3 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, auth_path, sk, sk + 2 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, 0, 0, - wots_gen_leaf, top_tree_addr, &hash_state_seeded); - - memcpy(pk + PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, sk + 3 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_destroy_hash_function(&hash_state_seeded); - return 0; -} - -/* - * Generates an SPX key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk) { - unsigned char seed[PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_CRYPTO_SEEDBYTES]; - randombytes(seed, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_CRYPTO_SEEDBYTES); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_crypto_sign_seed_keypair( - pk, sk, seed); - - return 0; -} - -/** - * Returns an array containing a detached signature. - */ -int PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - const unsigned char *sk_seed = sk; - const unsigned char *sk_prf = sk + PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N; - const unsigned char *pk = sk + 2 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N; - const unsigned char *pub_seed = pk; - - unsigned char optrand[PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N]; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_MSG_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N]; - uint32_t i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - - hash_state hash_state_seeded; - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_initialize_hash_function( - &hash_state_seeded, - pub_seed, sk_seed); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_TYPE_HASHTREE); - - /* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. */ - randombytes(optrand, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N); - /* Compute the digest randomization value. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_gen_message_random( - sig, sk_prf, optrand, m, mlen, &hash_state_seeded); - - /* Derive the message digest and leaf index from R, PK and M. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N; - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - /* Sign the message hash using FORS. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_fors_sign( - sig, root, mhash, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_BYTES; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_D; i++) { - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - /* Compute a WOTS signature. 
*/ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_wots_sign( - sig, root, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_BYTES; - - /* Compute the authentication path for the used WOTS leaf. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_treehash_TREE_HEIGHT( - root, sig, sk_seed, pub_seed, idx_leaf, 0, - wots_gen_leaf, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_TREE_HEIGHT; - } - - *siglen = PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_BYTES; - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_destroy_hash_function(&hash_state_seeded); - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - const unsigned char *pub_seed = pk; - const unsigned char *pub_root = pk + PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_MSG_BYTES]; - unsigned char wots_pk[PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N]; - unsigned int i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - hash_state hash_state_seeded; - - if (siglen != PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_BYTES) { - return -1; - } - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_initialize_hash_function( - &hash_state_seeded, - pub_seed, NULL); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_TYPE_HASHTREE); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_TYPE_WOTSPK); - - /* Derive the message digest and leaf index from R || PK || M. */ - /* The additional PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N is a result of the hash domain separator. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N; - - /* Layer correctly defaults to 0, so no need to set_layer_addr */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_fors_pk_from_sig( - root, sig, mhash, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_BYTES; - - /* For each subtree.. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_D; i++) { - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_copy_keypair_addr( - wots_pk_addr, wots_addr); - - /* The WOTS public key is only correct if the signature was correct. */ - /* Initially, root is the FORS pk, but on subsequent iterations it is - the root of the subtree below the currently processed subtree. 
*/ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_wots_pk_from_sig( - wots_pk, sig, root, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_BYTES; - - /* Compute the leaf node using the WOTS public key. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_thash_WOTS_LEN( - leaf, wots_pk, pub_seed, wots_pk_addr, &hash_state_seeded); - - /* Compute the root node of this subtree. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_compute_root( - root, leaf, idx_leaf, 0, sig, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_TREE_HEIGHT, - pub_seed, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_TREE_HEIGHT; - } - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_destroy_hash_function(&hash_state_seeded); - /* Check if the root node equals the root node in the public key. */ - if (memcmp(root, pub_root, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N) != 0) { - return -1; - } - - return 0; -} - - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - size_t siglen; - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_crypto_sign_signature( - sm, &siglen, m, mlen, sk); - - memmove(sm + PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_BYTES, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. 
- */ -int PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk) { - /* The API caller does not necessarily know what size a signature should be - but SPHINCS+ signatures are always exactly PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_BYTES. */ - if (smlen < PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_BYTES) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_BYTES; - - if (PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_crypto_sign_verify( - sm, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_BYTES, sm + PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_BYTES, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_BYTES, *mlen); - - return 0; -} diff --git a/crypto_sign/sphincs-haraka-192f-simple/clean/thash.h b/crypto_sign/sphincs-haraka-192f-simple/clean/thash.h deleted file mode 100644 index f1a704d2..00000000 --- a/crypto_sign/sphincs-haraka-192f-simple/clean/thash.h +++ /dev/null 
@@ -1,28 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_THASH_H
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_THASH_H
-
-#include "hash_state.h"
-
-#include
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_thash_1(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_thash_2(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_thash_WOTS_LEN(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_thash_FORS_TREES(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-simple/clean/thash_haraka_simple.c b/crypto_sign/sphincs-haraka-192f-simple/clean/thash_haraka_simple.c
deleted file mode 100644
index 7be07c39..00000000
--- a/crypto_sign/sphincs-haraka-192f-simple/clean/thash_haraka_simple.c
+++ /dev/null
@@ -1,83 +0,0 @@ -#include -#include - -#include "address.h" -#include "params.h" -#include "thash.h" - -#include "haraka.h" - -/** - * Takes an array of inblocks concatenated arrays of PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N bytes. - */ -static void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_thash( - unsigned char *out, unsigned char *buf, - const unsigned char *in, unsigned int inblocks, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char outbuf[32]; - unsigned char buf_tmp[64]; - - (void)pub_seed; /* Suppress an 'unused parameter' warning. */ - - if (inblocks == 1) { - /* F function */ - /* Since PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N may be smaller than 32, we need a temporary buffer. */ - memset(buf_tmp, 0, 64); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_addr_to_bytes(buf_tmp, addr); - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_BYTES, in, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka512(outbuf, buf_tmp, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N); - } else { - /* All other tweakable hashes*/ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_addr_to_bytes(buf, addr); - memcpy(buf + PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N); - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_haraka_S( - out, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, buf, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_BYTES + inblocks * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, hash_state_seeded); - } -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_BYTES + 1 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N]; - 
PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_thash( - out, buf, in, 1, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_BYTES + 2 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_thash( - out, buf, in, 2, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_LEN * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_thash( - out, buf, in, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_LEN, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_thash( - out, buf, in, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_TREES, pub_seed, addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-192f-simple/clean/utils.c b/crypto_sign/sphincs-haraka-192f-simple/clean/utils.c deleted file mode 100644 index 69a328d9..00000000 --- a/crypto_sign/sphincs-haraka-192f-simple/clean/utils.c +++ /dev/null 
@@ -1,199 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" -#include "utils.h" - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in) { - - /* Iterate over out in decreasing order, for big-endianness. */ - for (size_t i = outlen; i > 0; i--) { - out[i - 1] = in & 0xff; - in = in >> 8; - } -} - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_bytes_to_ull( - const unsigned char *in, size_t inlen) { - unsigned long long retval = 0; - - for (size_t i = 0; i < inlen; i++) { - retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i)); - } - return retval; -} - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - unsigned char buffer[2 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N]; - - /* If leaf_idx is odd (last bit = 1), current path element is a right child - and auth_path has to go left. Otherwise it is the other way around. 
*/ - if (leaf_idx & 1) { - memcpy(buffer + PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, leaf, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N); - } else { - memcpy(buffer, leaf, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, auth_path, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N; - - for (i = 0; i < tree_height - 1; i++) { - leaf_idx >>= 1; - idx_offset >>= 1; - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_tree_height(addr, i + 1); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_tree_index( - addr, leaf_idx + idx_offset); - - /* Pick the right or left neighbor, depending on parity of the node. */ - if (leaf_idx & 1) { - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_thash_2( - buffer + PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N); - } else { - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_thash_2( - buffer, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, auth_path, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N; - } - - /* The last iteration is exceptional; we do not copy an auth_path node. */ - leaf_idx >>= 1; - idx_offset >>= 1; - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_tree_height(addr, tree_height); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_tree_index( - addr, leaf_idx + idx_offset); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_thash_2( - root, buffer, pub_seed, addr, hash_state_seeded); -} - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. 
PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -static void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_treehash( - unsigned char *root, unsigned char *auth_path, - unsigned char *stack, unsigned int *heights, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - - unsigned int offset = 0; - uint32_t idx; - uint32_t tree_idx; - - for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) { - /* Add the next leaf node to the stack. */ - gen_leaf(stack + offset * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, - sk_seed, pub_seed, idx + idx_offset, tree_addr, - hash_state_seeded); - offset++; - heights[offset - 1] = 0; - - /* If this is a node we need for the auth path.. */ - if ((leaf_idx ^ 0x1) == idx) { - memcpy(auth_path, stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N); - } - - /* While the top-most nodes are of equal height.. */ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { - /* Compute index of the new node, in the next layer. */ - tree_idx = (idx >> (heights[offset - 1] + 1)); - - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_tree_height( - tree_addr, heights[offset - 1] + 1); - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_tree_index( - tree_addr, tree_idx + (idx_offset >> (heights[offset - 1] + 1))); - /* Hash the top-most nodes from the stack together. 
*/ - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_thash_2( - stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, - pub_seed, tree_addr, hash_state_seeded); - offset--; - /* Note that the top-most node is now one layer higher. */ - heights[offset - 1]++; - - /* If this is a node we need for the auth path.. */ - if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) { - memcpy(auth_path + heights[offset - 1]*PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, - stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N); - } - } - } - memcpy(root, stack, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N); -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_FORS_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* 
leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_TREE_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_TREE_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_TREE_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-192f-simple/clean/utils.h b/crypto_sign/sphincs-haraka-192f-simple/clean/utils.h deleted file mode 100644 index 759ddc88..00000000 --- a/crypto_sign/sphincs-haraka-192f-simple/clean/utils.h +++ /dev/null 
@@ -1,64 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_UTILS_H
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_UTILS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-#include
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ull_to_bytes(
- unsigned char *out, size_t outlen, unsigned long long in);
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-unsigned long long PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_bytes_to_ull(
- const unsigned char *in, size_t inlen);
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_compute_root(
- unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_treehash_FORS_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_treehash_TREE_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192f-simple/clean/wots.c b/crypto_sign/sphincs-haraka-192f-simple/clean/wots.c
deleted file mode 100644
index 2cdae332..00000000
--- a/crypto_sign/sphincs-haraka-192f-simple/clean/wots.c
+++ /dev/null
@@ -1,167 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "hash.h"
-#include "hash_state.h"
-#include "params.h"
-#include "thash.h"
-#include "utils.h"
-#include "wots.h"
-
-// TODO clarify address expectations, and make them more uniform.
-// TODO i.e. do we expect types to be set already?
-// TODO and do we expect modifications or copies?
-
-/**
- * Computes the starting value for a chain, i.e. the secret key.
- * Expects the address to be complete up to the chain address.
- */
-static void wots_gen_sk(unsigned char *sk, const unsigned char *sk_seed,
- uint32_t wots_addr[8],
- const hash_state *hash_state_seeded) {
- /* Make sure that the hash address is actually zeroed. */
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_hash_addr(wots_addr, 0);
-
- /* Generate sk element. */
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_prf_addr(sk, sk_seed, wots_addr, hash_state_seeded);
-}
-
-/**
- * Computes the chaining function.
- * out and in have to be n-byte arrays.
- *
- * Interprets in as start-th value of the chain.
- * addr has to contain the address of the chain.
- */
-static void gen_chain(unsigned char *out, const unsigned char *in,
- unsigned int start, unsigned int steps,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- uint32_t i;
-
- /* Initialize out with the value at position 'start'. */
- memcpy(out, in, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N);
-
- /* Iterate 'steps' calls to the hash function. */
- for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_W; i++) {
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_hash_addr(addr, i);
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_thash_1(
- out, out, pub_seed, addr, hash_state_seeded);
- }
-}
-
-/**
- * base_w algorithm as described in draft.
- * Interprets an array of bytes as integers in base w.
- * This only works when log_w is a divisor of 8.
- */
-static void base_w(unsigned int *output, const size_t out_len,
- const unsigned char *input) {
- size_t in = 0;
- size_t out = 0;
- unsigned char total = 0;
- unsigned int bits = 0;
- size_t consumed;
-
- for (consumed = 0; consumed < out_len; consumed++) {
- if (bits == 0) {
- total = input[in];
- in++;
- bits += 8;
- }
- bits -= PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_LOGW;
- output[out] = (unsigned int)((total >> bits) & (PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_W - 1));
- out++;
- }
-}
-
-/* Computes the WOTS+ checksum over a message (in base_w). */
-static void wots_checksum(unsigned int *csum_base_w,
- const unsigned int *msg_base_w) {
- unsigned int csum = 0;
- unsigned char csum_bytes[(PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_LOGW + 7) / 8];
- unsigned int i;
-
- /* Compute checksum. */
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_LEN1; i++) {
- csum += PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_W - 1 - msg_base_w[i];
- }
-
- /* Convert checksum to base_w. */
- /* Make sure expected empty zero bits are the least significant bits. */
- csum = csum << (8 - ((PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_LOGW) % 8));
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_ull_to_bytes(
- csum_bytes, sizeof(csum_bytes), csum);
- base_w(csum_base_w, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_LEN2, csum_bytes);
-}
-
-/* Takes a message and derives the matching chain lengths. */
-static void chain_lengths(unsigned int *lengths, const unsigned char *msg) {
- base_w(lengths, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_LEN1, msg);
- wots_checksum(lengths + PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_LEN1, lengths);
-}
-
-/**
- * WOTS key generation. Takes a 32 byte sk_seed, expands it to WOTS private key
- * elements and computes the corresponding public key.
- * It requires the seed pub_seed (used to generate bitmasks and hash keys)
- * and the address of this WOTS key pair.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_wots_gen_pk(
- unsigned char *pk, const unsigned char *sk_seed,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- uint32_t i;
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_LEN; i++) {
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_chain_addr(addr, i);
- wots_gen_sk(pk + i * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, sk_seed, addr, hash_state_seeded);
- gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, pk + i * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N,
- 0, PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_W - 1, pub_seed, addr, hash_state_seeded);
- }
-}
-
-/**
- * Takes a n-byte message and the 32-byte sk_see to compute a signature 'sig'.
- */
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_wots_sign(
- unsigned char *sig, const unsigned char *msg,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t addr[8], const hash_state *hash_state_seeded) {
- unsigned int lengths[PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_LEN];
- uint32_t i;
-
- chain_lengths(lengths, msg);
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_LEN; i++) {
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_chain_addr(addr, i);
- wots_gen_sk(sig + i * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, sk_seed, addr, hash_state_seeded);
- gen_chain(sig + i * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, sig + i * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, 0, lengths[i], pub_seed, addr, hash_state_seeded);
- }
-}
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_wots_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- unsigned int lengths[PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_LEN];
- uint32_t i;
-
- chain_lengths(lengths, msg);
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_LEN; i++) {
- PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_set_chain_addr(addr, i);
- gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N, sig + i * PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_N,
- lengths[i], PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_W - 1 - lengths[i], pub_seed, addr,
- hash_state_seeded);
- }
-}
diff --git a/crypto_sign/sphincs-haraka-192f-simple/clean/wots.h b/crypto_sign/sphincs-haraka-192f-simple/clean/wots.h
deleted file mode 100644
index 92655c93..00000000
--- a/crypto_sign/sphincs-haraka-192f-simple/clean/wots.h
+++ /dev/null
@@ -1,41 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_H
-#define PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_WOTS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-
-/**
- * WOTS key generation. Takes a 32 byte seed for the private key, expands it to
- * a full WOTS private key and computes the corresponding public key.
- * It requires the seed pub_seed (used to generate bitmasks and hash keys)
- * and the address of this WOTS key pair.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_wots_gen_pk(
- unsigned char *pk, const unsigned char *sk_seed,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * Takes a n-byte message and the 32-byte seed for the private key to compute a
- * signature that is placed at 'sig'.
- */
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_wots_sign(
- unsigned char *sig, const unsigned char *msg,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA192FSIMPLE_CLEAN_wots_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192s-robust/META.yml b/crypto_sign/sphincs-haraka-192s-robust/META.yml
deleted file mode 100644
index d4639811..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/META.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-name: SPHINCS+
-type: signature
-claimed-nist-level: 3
-length-public-key: 48
-length-secret-key: 96
-length-signature: 17064
-testvectors-sha256: 524edf3f752a7f203fb128d9ca3ad530fba09777527f7d7511477dbaaea185ca
-nistkat-sha256: 3bb2c0ea5d4b7c39d1c63b424493ab9b739c64adf511abf7e4107ad750a46273
-principal-submitters:
- - Andreas Hülsing
-auxiliary-submitters:
- - Jean-Philippe Aumasson
- - Daniel J. Bernstein,
- - Christoph Dobraunig
- - Maria Eichlseder
- - Scott Fluhrer
- - Stefan-Lukas Gazdag
- - Panos Kampanakis
- - Stefan Kölbl
- - Tanja Lange
- - Martin M. Lauridsen
- - Florian Mendel
- - Ruben Niederhagen
- - Christian Rechberger
- - Joost Rijneveld
- - Peter Schwabe
-implementations:
- - name: clean
- version: https://github.com/sphincs/sphincsplus/commit/77755c94d0bc744478044d6efbb888dc13156441
- - name: aesni
- version: https://github.com/sphincs/sphincsplus/commit/77755c94d0bc744478044d6efbb888dc13156441
- supported_platforms:
- - architecture: x86_64
- required_flags:
- - aes
diff --git a/crypto_sign/sphincs-haraka-192s-robust/aesni/LICENSE b/crypto_sign/sphincs-haraka-192s-robust/aesni/LICENSE
deleted file mode 100644
index 670154e3..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/aesni/LICENSE
+++ /dev/null
@@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. 
publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. 
Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. 
Affirmer offers the Work as-is and makes no representations or warranties - of any kind concerning the Work, express, implied, statutory or otherwise, - including without limitation warranties of title, merchantability, fitness - for a particular purpose, non infringement, or the absence of latent or - other defects, accuracy, or the present or absence of errors, whether or not - discoverable, all to the greatest extent permissible under applicable law. - - c. Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without limitation - any person's Copyright and Related Rights in the Work. Further, Affirmer - disclaims responsibility for obtaining any necessary consents, permissions - or other rights required for any use of the Work. - - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to this - CC0 or use of the Work. - -For more information, please see - diff --git a/crypto_sign/sphincs-haraka-192s-robust/aesni/Makefile.Microsoft_nmake b/crypto_sign/sphincs-haraka-192s-robust/aesni/Makefile.Microsoft_nmake deleted file mode 100644 index bca7b867..00000000 --- a/crypto_sign/sphincs-haraka-192s-robust/aesni/Makefile.Microsoft_nmake +++ /dev/null 
@@ -1,23 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libsphincs-haraka-192s-robust_aesni.lib
-OBJECTS=address.obj wots.obj utils.obj utilsx4.obj fors.obj sign.obj hash_haraka.obj thash_haraka_robust.obj hash_harakax4.obj thash_haraka_robustx4.obj haraka.obj
-
-# We ignore warning C4127: in thash_haraka_*x4.c we use a conditional
-# that when the macro is generated for inblocks = 1 results in a case
-# with `if (1 == 1)`. The compiler should just optimise this away, but
-# on MSVC we get a compiler complaint.
-CFLAGS=/nologo /arch:AVX /O2 /I ..\..\..\common /W4 /WX /wd4127
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_sign/sphincs-haraka-192s-robust/aesni/address.c b/crypto_sign/sphincs-haraka-192s-robust/aesni/address.c
deleted file mode 100644
index 7545f3d0..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/aesni/address.c
+++ /dev/null
@@ -1,78 +0,0 @@
-#include
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]) {
- int i;
-
- for (i = 0; i < 8; i++) {
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ull_to_bytes(
- bytes + i * 4, 4, addr[i]);
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_layer_addr(
- uint32_t addr[8], uint32_t layer) {
- addr[0] = layer;
-}
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_tree_addr(
- uint32_t addr[8], uint64_t tree) {
- addr[1] = 0;
- addr[2] = (uint32_t) (tree >> 32);
- addr[3] = (uint32_t) tree;
-}
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_type(
- uint32_t addr[8], uint32_t type) {
- addr[4] = type;
-}
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
-}
-
-/* These functions are used for OTS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair) {
- addr[5] = keypair;
-}
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
- out[5] = in[5];
-}
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_chain_addr(
- uint32_t addr[8], uint32_t chain) {
- addr[6] = chain;
-}
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_hash_addr(
- uint32_t addr[8], uint32_t hash) {
- addr[7] = hash;
-}
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_tree_height(
- uint32_t addr[8], uint32_t tree_height) {
- addr[6] = tree_height;
-}
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_tree_index(
- uint32_t addr[8], uint32_t tree_index) {
- addr[7] = tree_index;
-}
diff --git a/crypto_sign/sphincs-haraka-192s-robust/aesni/address.h b/crypto_sign/sphincs-haraka-192s-robust/aesni/address.h
deleted file mode 100644
index 8c7e2d0e..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/aesni/address.h
+++ /dev/null
@@ -1,50 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDRESS_H
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDRESS_H
-
-#include
-
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_TYPE_WOTS 0
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_TYPE_WOTSPK 1
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_TYPE_HASHTREE 2
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_TYPE_FORSTREE 3
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_TYPE_FORSPK 4
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]);
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_layer_addr(
- uint32_t addr[8], uint32_t layer);
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_tree_addr(
- uint32_t addr[8], uint64_t tree);
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_type(
- uint32_t addr[8], uint32_t type);
-
-/* Copies the layer and tree part of one address into the other */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for WOTS and FORS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair);
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_chain_addr(
- uint32_t addr[8], uint32_t chain);
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_hash_addr(
- uint32_t addr[8], uint32_t hash);
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_tree_height(
- uint32_t addr[8], uint32_t tree_height);
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_tree_index(
- uint32_t addr[8], uint32_t tree_index);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192s-robust/aesni/api.h b/crypto_sign/sphincs-haraka-192s-robust/aesni/api.h
deleted file mode 100644
index ff14b0a6..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/aesni/api.h
+++ /dev/null
@@ -1,81 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_API_H
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_API_H
-
-#include
-#include
-
-
-
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_CRYPTO_ALGNAME "SPHINCS+"
-
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_CRYPTO_SECRETKEYBYTES 96
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_CRYPTO_PUBLICKEYBYTES 48
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_CRYPTO_BYTES 17064
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_CRYPTO_SEEDBYTES 72
-
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_crypto_sign_seed_keypair(
- uint8_t *pk, uint8_t *sk, const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_crypto_sign_keypair(
- uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-int PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen, const uint8_t *pk);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192s-robust/aesni/fors.c b/crypto_sign/sphincs-haraka-192s-robust/aesni/fors.c
deleted file mode 100644
index 3dbed0b0..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/aesni/fors.c
+++ /dev/null
@@ -1,206 +0,0 @@
-#include
-#include
-#include
-
-#include "address.h"
-#include "fors.h"
-#include "hash.h"
-#include "hashx4.h"
-#include "thash.h"
-#include "thashx4.h"
-#include "utils.h"
-#include "utilsx4.h"
-
-static void fors_gen_skx4(unsigned char *sk0,
- unsigned char *sk1,
- unsigned char *sk2,
- unsigned char *sk3, const unsigned char *sk_seed,
- uint32_t fors_leaf_addrx4[4 * 8],
- const hash_state *state_seeded) {
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_prf_addrx4(sk0, sk1, sk2, sk3, sk_seed, fors_leaf_addrx4, state_seeded);
-}
-
-static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk,
- const unsigned char *pub_seed,
- uint32_t fors_leaf_addr[8], const hash_state *state_seeded) {
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_thash_1(leaf, sk, pub_seed, fors_leaf_addr, state_seeded);
-}
-
-static void fors_sk_to_leafx4(unsigned char *leaf0,
- unsigned char *leaf1,
- unsigned char *leaf2,
- unsigned char *leaf3,
- const unsigned char *sk0,
- const unsigned char *sk1,
- const unsigned char *sk2,
- const unsigned char *sk3,
- const unsigned char *pub_seed,
- uint32_t fors_leaf_addrx4[4 * 8],
- const hash_state *state_seeded) {
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_thashx4_1(leaf0, leaf1, leaf2, leaf3,
- sk0, sk1, sk2, sk3, pub_seed, fors_leaf_addrx4, state_seeded);
-}
-
-static void fors_gen_leafx4(unsigned char *leaf0,
- unsigned char *leaf1,
- unsigned char *leaf2,
- unsigned char *leaf3,
- const unsigned char *sk_seed,
- const unsigned char *pub_seed,
- uint32_t addr_idx0,
- uint32_t addr_idx1,
- uint32_t addr_idx2,
- uint32_t addr_idx3,
- const uint32_t fors_tree_addr[8],
- const hash_state *state_seeded) {
- uint32_t fors_leaf_addrx4[4 * 8] = {0};
- unsigned int j;
-
- /* Only copy the parts that must be kept in fors_leaf_addrx4. */
- for (j = 0; j < 4; j++) {
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_copy_keypair_addr(fors_leaf_addrx4 + j * 8, fors_tree_addr);
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_type(fors_leaf_addrx4 + j * 8, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_TYPE_FORSTREE);
- }
-
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_tree_index(fors_leaf_addrx4 + 0 * 8, addr_idx0);
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_tree_index(fors_leaf_addrx4 + 1 * 8, addr_idx1);
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_tree_index(fors_leaf_addrx4 + 2 * 8, addr_idx2);
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_tree_index(fors_leaf_addrx4 + 3 * 8, addr_idx3);
-
- fors_gen_skx4(leaf0, leaf1, leaf2, leaf3, sk_seed, fors_leaf_addrx4, state_seeded);
- fors_sk_to_leafx4(leaf0, leaf1, leaf2, leaf3,
- leaf0, leaf1, leaf2, leaf3, pub_seed, fors_leaf_addrx4, state_seeded);
-}
-
-/**
- * Interprets m as PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_HEIGHT-bit unsigned integers.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_TREES bits.
- * Assumes indices has space for PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_TREES integers.
- */
-static void message_to_indices(uint32_t *indices, const unsigned char *m) {
- unsigned int i, j;
- unsigned int offset = 0;
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_TREES; i++) {
- indices[i] = 0;
- for (j = 0; j < PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_HEIGHT; j++) {
- indices[i] ^= (((uint32_t)m[offset >> 3] >> (offset & 0x7)) & 0x1) << j;
- offset++;
- }
- }
-}
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_fors_sign(unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- const uint32_t fors_addr[8], const hash_state *state_seeded) {
- /* Round up to multiple of 4 to prevent out-of-bounds for x4 parallelism */
- uint32_t indices[(PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_TREES + 3) & ~3] = {0};
- unsigned char roots[((PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_TREES + 3) & ~3) * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N];
- /* Sign to a buffer, since we may not have a nice multiple of 4 and would
- otherwise overrun the signature. */
- unsigned char sigbufx4[4 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N * (1 + PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_HEIGHT)];
- uint32_t fors_tree_addrx4[4 * 8] = {0};
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset[4] = {0};
- unsigned int i, j;
-
- for (j = 0; j < 4; j++) {
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_copy_keypair_addr(fors_tree_addrx4 + j * 8, fors_addr);
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_type(fors_tree_addrx4 + j * 8, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_TYPE_FORSTREE);
- }
-
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_copy_keypair_addr(fors_pk_addr, fors_addr);
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < ((PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_TREES + 3) & ~0x3); i += 4) {
- for (j = 0; j < 4; j++) {
- if (i + j < PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_TREES) {
- idx_offset[j] = (i + j) * (1 << PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_HEIGHT);
-
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_tree_height(fors_tree_addrx4 + j * 8, 0);
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_tree_index(fors_tree_addrx4 + j * 8,
- indices[i + j] + idx_offset[j]);
- }
- }
-
- /* Include the secret key part that produces the selected leaf nodes. */
- fors_gen_skx4(sigbufx4 + 0 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N,
- sigbufx4 + 1 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N,
- sigbufx4 + 2 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N,
- sigbufx4 + 3 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N,
- sk_seed, fors_tree_addrx4, state_seeded);
-
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_treehashx4_FORS_HEIGHT(roots + i * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, sigbufx4 + 4 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, sk_seed, pub_seed,
- &indices[i], idx_offset, fors_gen_leafx4, fors_tree_addrx4,
- state_seeded);
-
- for (j = 0; j < 4; j++) {
- if (i + j < PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_TREES) {
- memcpy(sig, sigbufx4 + j * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N);
- memcpy(sig + PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N,
- sigbufx4 + 4 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N + j * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_HEIGHT,
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_HEIGHT);
- sig += PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N * (1 + PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_HEIGHT);
- }
- }
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, state_seeded);
-}
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_fors_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const unsigned char *pub_seed,
- const uint32_t fors_addr[8],
- const hash_state *state_seeded) {
- uint32_t indices[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_TREES];
- unsigned char roots[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N];
- unsigned char leaf[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N];
- uint32_t fors_tree_addr[8] = {0};
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset;
- unsigned int i;
-
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_copy_keypair_addr(fors_tree_addr, fors_addr);
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_copy_keypair_addr(fors_pk_addr, fors_addr);
-
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_type(fors_tree_addr, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_TYPE_FORSTREE);
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_TREES; i++) {
- idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_HEIGHT);
-
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_tree_height(fors_tree_addr, 0);
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_tree_index(fors_tree_addr, indices[i] + idx_offset);
-
- /* Derive the leaf from the included secret key part. */
- fors_sk_to_leaf(leaf, sig, pub_seed, fors_tree_addr, state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N;
-
- /* Derive the corresponding root node of this tree. */
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_compute_root(roots + i * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, leaf, indices[i], idx_offset,
- sig, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_HEIGHT, pub_seed, fors_tree_addr,
- state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, state_seeded);
-}
diff --git a/crypto_sign/sphincs-haraka-192s-robust/aesni/fors.h b/crypto_sign/sphincs-haraka-192s-robust/aesni/fors.h
deleted file mode 100644
index 7e493afe..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/aesni/fors.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_H
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_H
-
-#include
-
-#include "hash_state.h"
-#include "params.h"
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_fors_sign(
- unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- const uint32_t fors_addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_fors_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const unsigned char *pub_seed, const uint32_t fors_addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192s-robust/aesni/haraka.c b/crypto_sign/sphincs-haraka-192s-robust/aesni/haraka.c
deleted file mode 100644
index 6186398b..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/aesni/haraka.c
+++ /dev/null
@@ -1,801 +0,0 @@ -/* -Plain C implementation of the Haraka256 and Haraka512 permutations. -*/ -#include -#include -#include -#include -#include - -#include "haraka.h" - -#define HARAKAS_RATE 32 - -#define u64 uint64_t -#define u128 __m128i - -#define LOAD(src) _mm_loadu_si128((u128 *)(src)) -#define STORE(dest,src) _mm_storeu_si128((u128 *)(dest),src) - -#define XOR128(a, b) _mm_xor_si128(a, b) - -#define AES2(s0, s1, rci) \ - (s0) = _mm_aesenc_si128(s0, *(rci)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 1)); \ - (s0) = _mm_aesenc_si128(s0, *((rci) + 2)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 3)); - -#define AES2_4x(s0, s1, s2, s3, rci) \ - AES2((s0)[0], (s0)[1], rci); \ - AES2((s1)[0], (s1)[1], rci); \ - AES2((s2)[0], (s2)[1], rci); \ - AES2((s3)[0], (s3)[1], rci); - -#define AES4(s0, s1, s2, s3, rci) \ - (s0) = _mm_aesenc_si128(s0, *(rci)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 1)); \ - (s2) = _mm_aesenc_si128(s2, *((rci) + 2)); \ - (s3) = _mm_aesenc_si128(s3, *((rci) + 3)); \ - (s0) = _mm_aesenc_si128(s0, *((rci) + 4)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 5)); \ - (s2) = _mm_aesenc_si128(s2, *((rci) + 6)); \ - (s3) = _mm_aesenc_si128(s3, *((rci) + 7)); - -#define AES4_4x(s0, s1, s2, s3, rci) \ - AES4((s0)[0], (s0)[1], (s0)[2], (s0)[3], rci); \ - AES4((s1)[0], (s1)[1], (s1)[2], (s1)[3], rci); \ - AES4((s2)[0], (s2)[1], (s2)[2], (s2)[3], rci); \ - AES4((s3)[0], (s3)[1], (s3)[2], (s3)[3], rci); - -#define MIX2(s0, s1) \ - tmp = _mm_unpacklo_epi32(s0, s1); \ - (s1) = _mm_unpackhi_epi32(s0, s1); \ - (s0) = tmp; - -#define MIX4(s0, s1, s2, s3) \ - tmp = _mm_unpacklo_epi32(s0, s1); \ - (s0) = _mm_unpackhi_epi32(s0, s1); \ - (s1) = _mm_unpacklo_epi32(s2, s3); \ - (s2) = _mm_unpackhi_epi32(s2, s3); \ - (s3) = _mm_unpacklo_epi32(s0, s2); \ - (s0) = _mm_unpackhi_epi32(s0, s2); \ - (s2) = _mm_unpackhi_epi32(s1, tmp); \ - (s1) = _mm_unpacklo_epi32(s1, tmp); - -#define TRUNCSTORE(out, s0, s1, s2, s3) \ - _mm_storeu_si128((u128 *)(out), \ - 
_mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(s0), _mm_castsi128_pd(s1), 3))); \ - _mm_storeu_si128((u128 *)((out) + 16), \ - _mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(s2), _mm_castsi128_pd(s3), 0))); - -static void load_haraka_constants(u128 rc[40]) { - rc[ 0] = _mm_set_epi32((int)0x0684704c, (int)0xe620c00a, (int)0xb2c5fef0, (int)0x75817b9d); - rc[ 1] = _mm_set_epi32((int)0x8b66b4e1, (int)0x88f3a06b, (int)0x640f6ba4, (int)0x2f08f717); - rc[ 2] = _mm_set_epi32((int)0x3402de2d, (int)0x53f28498, (int)0xcf029d60, (int)0x9f029114); - rc[ 3] = _mm_set_epi32((int)0x0ed6eae6, (int)0x2e7b4f08, (int)0xbbf3bcaf, (int)0xfd5b4f79); - rc[ 4] = _mm_set_epi32((int)0xcbcfb0cb, (int)0x4872448b, (int)0x79eecd1c, (int)0xbe397044); - rc[ 5] = _mm_set_epi32((int)0x7eeacdee, (int)0x6e9032b7, (int)0x8d5335ed, (int)0x2b8a057b); - rc[ 6] = _mm_set_epi32((int)0x67c28f43, (int)0x5e2e7cd0, (int)0xe2412761, (int)0xda4fef1b); - rc[ 7] = _mm_set_epi32((int)0x2924d9b0, (int)0xafcacc07, (int)0x675ffde2, (int)0x1fc70b3b); - rc[ 8] = _mm_set_epi32((int)0xab4d63f1, (int)0xe6867fe9, (int)0xecdb8fca, (int)0xb9d465ee); - rc[ 9] = _mm_set_epi32((int)0x1c30bf84, (int)0xd4b7cd64, (int)0x5b2a404f, (int)0xad037e33); - rc[10] = _mm_set_epi32((int)0xb2cc0bb9, (int)0x941723bf, (int)0x69028b2e, (int)0x8df69800); - rc[11] = _mm_set_epi32((int)0xfa0478a6, (int)0xde6f5572, (int)0x4aaa9ec8, (int)0x5c9d2d8a); - rc[12] = _mm_set_epi32((int)0xdfb49f2b, (int)0x6b772a12, (int)0x0efa4f2e, (int)0x29129fd4); - rc[13] = _mm_set_epi32((int)0x1ea10344, (int)0xf449a236, (int)0x32d611ae, (int)0xbb6a12ee); - rc[14] = _mm_set_epi32((int)0xaf044988, (int)0x4b050084, (int)0x5f9600c9, (int)0x9ca8eca6); - rc[15] = _mm_set_epi32((int)0x21025ed8, (int)0x9d199c4f, (int)0x78a2c7e3, (int)0x27e593ec); - rc[16] = _mm_set_epi32((int)0xbf3aaaf8, (int)0xa759c9b7, (int)0xb9282ecd, (int)0x82d40173); - rc[17] = _mm_set_epi32((int)0x6260700d, (int)0x6186b017, (int)0x37f2efd9, (int)0x10307d6b); - rc[18] = _mm_set_epi32((int)0x5aca45c2, 
(int)0x21300443, (int)0x81c29153, (int)0xf6fc9ac6); - rc[19] = _mm_set_epi32((int)0x9223973c, (int)0x226b68bb, (int)0x2caf92e8, (int)0x36d1943a); - rc[20] = _mm_set_epi32((int)0xd3bf9238, (int)0x225886eb, (int)0x6cbab958, (int)0xe51071b4); - rc[21] = _mm_set_epi32((int)0xdb863ce5, (int)0xaef0c677, (int)0x933dfddd, (int)0x24e1128d); - rc[22] = _mm_set_epi32((int)0xbb606268, (int)0xffeba09c, (int)0x83e48de3, (int)0xcb2212b1); - rc[23] = _mm_set_epi32((int)0x734bd3dc, (int)0xe2e4d19c, (int)0x2db91a4e, (int)0xc72bf77d); - rc[24] = _mm_set_epi32((int)0x43bb47c3, (int)0x61301b43, (int)0x4b1415c4, (int)0x2cb3924e); - rc[25] = _mm_set_epi32((int)0xdba775a8, (int)0xe707eff6, (int)0x03b231dd, (int)0x16eb6899); - rc[26] = _mm_set_epi32((int)0x6df3614b, (int)0x3c755977, (int)0x8e5e2302, (int)0x7eca472c); - rc[27] = _mm_set_epi32((int)0xcda75a17, (int)0xd6de7d77, (int)0x6d1be5b9, (int)0xb88617f9); - rc[28] = _mm_set_epi32((int)0xec6b43f0, (int)0x6ba8e9aa, (int)0x9d6c069d, (int)0xa946ee5d); - rc[29] = _mm_set_epi32((int)0xcb1e6950, (int)0xf957332b, (int)0xa2531159, (int)0x3bf327c1); - rc[30] = _mm_set_epi32((int)0x2cee0c75, (int)0x00da619c, (int)0xe4ed0353, (int)0x600ed0d9); - rc[31] = _mm_set_epi32((int)0xf0b1a5a1, (int)0x96e90cab, (int)0x80bbbabc, (int)0x63a4a350); - rc[32] = _mm_set_epi32((int)0xae3db102, (int)0x5e962988, (int)0xab0dde30, (int)0x938dca39); - rc[33] = _mm_set_epi32((int)0x17bb8f38, (int)0xd554a40b, (int)0x8814f3a8, (int)0x2e75b442); - rc[34] = _mm_set_epi32((int)0x34bb8a5b, (int)0x5f427fd7, (int)0xaeb6b779, (int)0x360a16f6); - rc[35] = _mm_set_epi32((int)0x26f65241, (int)0xcbe55438, (int)0x43ce5918, (int)0xffbaafde); - rc[36] = _mm_set_epi32((int)0x4ce99a54, (int)0xb9f3026a, (int)0xa2ca9cf7, (int)0x839ec978); - rc[37] = _mm_set_epi32((int)0xae51a51a, (int)0x1bdff7be, (int)0x40c06e28, (int)0x22901235); - rc[38] = _mm_set_epi32((int)0xa0c1613c, (int)0xba7ed22b, (int)0xc173bc0f, (int)0x48a659cf); - rc[39] = _mm_set_epi32((int)0x756acc03, (int)0x02288288, 
(int)0x4ad6bdfd, (int)0xe9c59da1); -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_tweak_constants( - harakactx *state, - const unsigned char *pk_seed, const unsigned char *sk_seed, - unsigned long long seed_length) { - int i; - unsigned char buf[40 * 16]; - - /* Use the standard constants to generate tweaked ones. */ - load_haraka_constants(state->rc); - - /* Constants for sk.seed */ - if (sk_seed != NULL) { - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_S(buf, 40 * 16, sk_seed, seed_length, state); - /* Tweak constants with the pub_seed */ - for (i = 0; i < 40; i++) { - state->rc_sseed[i] = LOAD(buf + i * 16); - } - } - - /* Constants for pk.seed */ - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_S(buf, 40 * 16, pk_seed, seed_length, state); - - /* Tweak constants with the pub_seed */ - for (i = 0; i < 40; i++) { - state->rc[i] = LOAD(buf + i * 16); - } -} - -static void haraka_S_absorb(unsigned char *s, - const unsigned char *m, unsigned long long mlen, - unsigned char p, - const harakactx *state) { - unsigned long long i; - unsigned char t[HARAKAS_RATE]; - - while (mlen >= HARAKAS_RATE) { - // XOR block to state - STORE(s, XOR128(LOAD(s), LOAD(m))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(m + 16))); - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka512_perm(s, s, state); - mlen -= HARAKAS_RATE; - m += HARAKAS_RATE; - } - - for (i = 0; i < HARAKAS_RATE; ++i) { - t[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t[i] = m[i]; - } - t[i] = p; - t[HARAKAS_RATE - 1] |= 128; - STORE(s, XOR128(LOAD(s), LOAD(t))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(t + 16))); -} - -static void haraka_S_absorb4x(unsigned char *s, - const unsigned char *m0, - const unsigned char *m1, - const unsigned char *m2, - const unsigned char *m3, - unsigned long long int mlen, - unsigned char p, - const harakactx *state) { - unsigned long long i; - unsigned char t0[HARAKAS_RATE]; - unsigned char t1[HARAKAS_RATE]; - unsigned char t2[HARAKAS_RATE]; - unsigned char t3[HARAKAS_RATE]; - - while (mlen 
>= HARAKAS_RATE) { - // XOR block to state - STORE(s, XOR128(LOAD(s), LOAD(m0))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(m0 + 16))); - STORE(s + 64, XOR128(LOAD(s + 64), LOAD(m1))); - STORE(s + 80, XOR128(LOAD(s + 80), LOAD(m1 + 16))); - STORE(s + 128, XOR128(LOAD(s + 128), LOAD(m2))); - STORE(s + 144, XOR128(LOAD(s + 144), LOAD(m2 + 16))); - STORE(s + 192, XOR128(LOAD(s + 192), LOAD(m3))); - STORE(s + 208, XOR128(LOAD(s + 208), LOAD(m3 + 16))); - - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka512_perm_x4(s, s, state); - mlen -= HARAKAS_RATE; - m0 += HARAKAS_RATE; - m1 += HARAKAS_RATE; - m2 += HARAKAS_RATE; - m3 += HARAKAS_RATE; - } - - for (i = 0; i < HARAKAS_RATE; ++i) { - t0[i] = 0; - t1[i] = 0; - t2[i] = 0; - t3[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t0[i] = m0[i]; - t1[i] = m1[i]; - t2[i] = m2[i]; - t3[i] = m3[i]; - } - - t0[i] = p; - t1[i] = p; - t2[i] = p; - t3[i] = p; - - t0[HARAKAS_RATE - 1] |= 128; - t1[HARAKAS_RATE - 1] |= 128; - t2[HARAKAS_RATE - 1] |= 128; - t3[HARAKAS_RATE - 1] |= 128; - - STORE(s, XOR128(LOAD(s), LOAD(t0))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(t0 + 16))); - STORE(s + 64, XOR128(LOAD(s + 64), LOAD(t1))); - STORE(s + 80, XOR128(LOAD(s + 80), LOAD(t1 + 16))); - STORE(s + 128, XOR128(LOAD(s + 128), LOAD(t2))); - STORE(s + 144, XOR128(LOAD(s + 144), LOAD(t2 + 16))); - STORE(s + 192, XOR128(LOAD(s + 192), LOAD(t3))); - STORE(s + 208, XOR128(LOAD(s + 208), LOAD(t3 + 16))); -} - -static void haraka_S_squeezeblocks(unsigned char *h, unsigned long long nblocks, - unsigned char *s, unsigned int r, const harakactx *state) { - while (nblocks > 0) { - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka512_perm(s, s, state); - STORE(h, LOAD(s)); - STORE(h + 16, LOAD(s + 16)); - h += r; - nblocks--; - } -} - -static void haraka_S_squeezeblocks4x(unsigned char *h0, - unsigned char *h1, - unsigned char *h2, - unsigned char *h3, - unsigned long long nblocks, - unsigned char *s, - unsigned int r, - const harakactx *state) { - while (nblocks > 0) 
{ - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka512_perm_x4(s, s, state); - STORE(h0, LOAD(s)); - STORE(h0 + 16, LOAD(s + 16)); - STORE(h1, LOAD(s + 64)); - STORE(h1 + 16, LOAD(s + 80)); - STORE(h2, LOAD(s + 128)); - STORE(h2 + 16, LOAD(s + 144)); - STORE(h3, LOAD(s + 192)); - STORE(h3 + 16, LOAD(s + 208)); - h0 += r; - h1 += r; - h2 += r; - h3 += r; - nblocks--; - } -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_S_inc_init(uint8_t *s_inc) { - size_t i; - - for (i = 0; i < 64; i++) { - s_inc[i] = 0; - } - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state) { - size_t i; - - /* Recall that s_inc[64] is the non-absorbed bytes xored into the state */ - while (mlen + s_inc[64] >= HARAKAS_RATE) { - for (i = 0; i < (size_t)(HARAKAS_RATE - s_inc[64]); i++) { - /* Take the i'th byte from message - xor with the s_inc[64] + i'th byte of the state */ - s_inc[s_inc[64] + i] ^= m[i]; - } - mlen -= (size_t)(HARAKAS_RATE - s_inc[64]); - m += HARAKAS_RATE - s_inc[64]; - s_inc[64] = 0; - - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka512_perm(s_inc, s_inc, state); - } - - for (i = 0; i < mlen; i++) { - s_inc[s_inc[64] + i] ^= m[i]; - } - s_inc[64] = (uint8_t)(s_inc[64] + mlen); -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_S_inc_finalize(uint8_t *s_inc) { - /* After haraka_S_inc_absorb, we are guaranteed that s_inc[64] < HARAKAS_RATE, - so we can always use one more byte for p in the current state. */ - s_inc[s_inc[64]] ^= 0x1F; - s_inc[HARAKAS_RATE - 1] ^= 128; - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state) { - size_t i; - - /* First consume any bytes we still have sitting around */ - for (i = 0; i < outlen && i < s_inc[64]; i++) { - /* There are s_inc[64] bytes left, so r - s_inc[64] is the first - available byte. We consume from there, i.e., up to r. 
*/ - out[i] = (uint8_t)s_inc[(HARAKAS_RATE - s_inc[64] + (uint8_t)i)]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(s_inc[64] - i); - - /* Then squeeze the remaining necessary blocks */ - while (outlen > 0) { - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka512_perm(s_inc, s_inc, state); - - for (i = 0; i < outlen && i < HARAKAS_RATE; i++) { - out[i] = s_inc[i]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(HARAKAS_RATE - i); - } -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_S(unsigned char *out, unsigned long long outlen, - const unsigned char *in, unsigned long long inlen, const harakactx *state) { - unsigned long long i; - unsigned char s[64]; - unsigned char d[32]; - - for (i = 0; i < 64; i++) { - s[i] = 0; - } - haraka_S_absorb(s, in, inlen, 0x1F, state); - - haraka_S_squeezeblocks(out, outlen / HARAKAS_RATE, s, HARAKAS_RATE, state); - out += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - - if (outlen % HARAKAS_RATE) { - haraka_S_squeezeblocks(d, 1, s, HARAKAS_RATE, state); - for (i = 0; i < outlen % HARAKAS_RATE; i++) { - out[i] = d[i]; - } - } -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_Sx4(unsigned char *out0, - unsigned char *out1, - unsigned char *out2, - unsigned char *out3, - unsigned long long outlen, - const unsigned char *in0, - const unsigned char *in1, - const unsigned char *in2, - const unsigned char *in3, - unsigned long long inlen, - const harakactx *state) { - unsigned long long i; - unsigned char s[64 * 4]; - unsigned char d0[32]; - unsigned char d1[32]; - unsigned char d2[32]; - unsigned char d3[32]; - - for (i = 0; i < 64 * 4; i++) { - s[i] = 0; - } - haraka_S_absorb4x(s, in0, in1, in2, in3, inlen, 0x1F, state); - - haraka_S_squeezeblocks4x(out0, out1, out2, out3, outlen / HARAKAS_RATE, s, HARAKAS_RATE, state); - out0 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out1 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out2 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out3 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - 
- if (outlen % HARAKAS_RATE) { - haraka_S_squeezeblocks4x(d0, d1, d2, d3, 1, s, HARAKAS_RATE, state); - for (i = 0; i < outlen % HARAKAS_RATE; i++) { - out0[i] = d0[i]; - out1[i] = d1[i]; - out2[i] = d2[i]; - out3[i] = d3[i]; - } - } -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - s[2] = LOAD(in + 32); - s[3] = LOAD(in + 48); - - AES4(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0], s[1], s[2], s[3]); - - STORE(out, s[0]); - STORE(out + 16, s[1]); - STORE(out + 32, s[2]); - STORE(out + 48, s[3]); -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka512_perm_x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][4], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[0][2] = LOAD(in + 32); - s[0][3] = LOAD(in + 48); - s[1][0] = LOAD(in + 64); - s[1][1] = LOAD(in + 80); - s[1][2] = LOAD(in + 96); - s[1][3] = LOAD(in + 112); - s[2][0] = LOAD(in + 128); - s[2][1] = LOAD(in + 144); - s[2][2] = LOAD(in + 160); - s[2][3] = LOAD(in + 176); - s[3][0] = LOAD(in + 192); - s[3][1] = LOAD(in + 208); - s[3][2] = LOAD(in + 224); - s[3][3] = LOAD(in + 240); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - 
MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[0][2]); - STORE(out + 48, s[0][3]); - STORE(out + 64, s[1][0]); - STORE(out + 80, s[1][1]); - STORE(out + 96, s[1][2]); - STORE(out + 112, s[1][3]); - STORE(out + 128, s[2][0]); - STORE(out + 144, s[2][1]); - STORE(out + 160, s[2][2]); - STORE(out + 176, s[2][3]); - STORE(out + 192, s[3][0]); - STORE(out + 208, s[3][1]); - STORE(out + 224, s[3][2]); - STORE(out + 240, s[3][3]); -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - s[2] = LOAD(in + 32); - s[3] = LOAD(in + 48); - - AES4(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0], s[1], s[2], s[3]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - s[2] = XOR128(s[2], LOAD(in + 32)); - s[3] = XOR128(s[3], LOAD(in + 48)); - - // truncate and 
store result - TRUNCSTORE(out, s[0], s[1], s[2], s[3]); -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka512x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][4], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[0][2] = LOAD(in + 32); - s[0][3] = LOAD(in + 48); - s[1][0] = LOAD(in + 64); - s[1][1] = LOAD(in + 80); - s[1][2] = LOAD(in + 96); - s[1][3] = LOAD(in + 112); - s[2][0] = LOAD(in + 128); - s[2][1] = LOAD(in + 144); - s[2][2] = LOAD(in + 160); - s[2][3] = LOAD(in + 176); - s[3][0] = LOAD(in + 192); - s[3][1] = LOAD(in + 208); - s[3][2] = LOAD(in + 224); - s[3][3] = LOAD(in + 240); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - s[0][0] = XOR128(s[0][0], LOAD(in)); - s[0][1] = XOR128(s[0][1], LOAD(in + 16)); - s[0][2] = XOR128(s[0][2], LOAD(in + 32)); - s[0][3] = XOR128(s[0][3], LOAD(in + 48)); - s[1][0] = XOR128(s[1][0], LOAD(in + 
64)); - s[1][1] = XOR128(s[1][1], LOAD(in + 80)); - s[1][2] = XOR128(s[1][2], LOAD(in + 96)); - s[1][3] = XOR128(s[1][3], LOAD(in + 112)); - s[2][0] = XOR128(s[2][0], LOAD(in + 128)); - s[2][1] = XOR128(s[2][1], LOAD(in + 144)); - s[2][2] = XOR128(s[2][2], LOAD(in + 160)); - s[2][3] = XOR128(s[2][3], LOAD(in + 176)); - s[3][0] = XOR128(s[3][0], LOAD(in + 192)); - s[3][1] = XOR128(s[3][1], LOAD(in + 208)); - s[3][2] = XOR128(s[3][2], LOAD(in + 224)); - s[3][3] = XOR128(s[3][3], LOAD(in + 240)); - - TRUNCSTORE(out, s[0][0], s[0][1], s[0][2], s[0][3]); - TRUNCSTORE((out + 32), s[1][0], s[1][1], s[1][2], s[1][3]); - TRUNCSTORE((out + 64), s[2][0], s[2][1], s[2][2], s[2][3]); - TRUNCSTORE((out + 96), s[3][0], s[3][1], s[3][2], s[3][3]); -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[2], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - - AES2(s[0], s[1], state->rc); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 4); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 8); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 12); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 16); - MIX2(s[0], s[1]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - - STORE(out, s[0]); - STORE(out + 16, s[1]); -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka256x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][2], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[1][0] = LOAD(in + 32); - s[1][1] = LOAD(in + 48); - s[2][0] = LOAD(in + 64); - s[2][1] = LOAD(in + 80); - s[3][0] = LOAD(in + 96); - s[3][1] = LOAD(in + 112); - - // Round 1 - AES2_4x(s[0], s[1], s[2], s[3], state->rc); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 2 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 4); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - 
MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 3 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 8); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 4 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 12); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 5 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 16); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Feed Forward - s[0][0] = _mm_xor_si128(s[0][0], LOAD(in)); - s[0][1] = _mm_xor_si128(s[0][1], LOAD(in + 16)); - s[1][0] = _mm_xor_si128(s[1][0], LOAD(in + 32)); - s[1][1] = _mm_xor_si128(s[1][1], LOAD(in + 48)); - s[2][0] = _mm_xor_si128(s[2][0], LOAD(in + 64)); - s[2][1] = _mm_xor_si128(s[2][1], LOAD(in + 80)); - s[3][0] = _mm_xor_si128(s[3][0], LOAD(in + 96)); - s[3][1] = _mm_xor_si128(s[3][1], LOAD(in + 112)); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[1][0]); - STORE(out + 48, s[1][1]); - STORE(out + 64, s[2][0]); - STORE(out + 80, s[2][1]); - STORE(out + 96, s[3][0]); - STORE(out + 112, s[3][1]); -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[2], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - - AES2(s[0], s[1], state->rc_sseed); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 4); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 8); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 12); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 16); - MIX2(s[0], s[1]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - - STORE(out, s[0]); - STORE(out + 16, s[1]); -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka256_skx4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][2], tmp; - - 
s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[1][0] = LOAD(in + 32); - s[1][1] = LOAD(in + 48); - s[2][0] = LOAD(in + 64); - s[2][1] = LOAD(in + 80); - s[3][0] = LOAD(in + 96); - s[3][1] = LOAD(in + 112); - - // Round 1 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 2 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 4); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 3 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 8); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 4 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 12); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 5 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 16); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Feed Forward - s[0][0] = XOR128(s[0][0], LOAD(in)); - s[0][1] = XOR128(s[0][1], LOAD(in + 16)); - s[1][0] = XOR128(s[1][0], LOAD(in + 32)); - s[1][1] = XOR128(s[1][1], LOAD(in + 48)); - s[2][0] = XOR128(s[2][0], LOAD(in + 64)); - s[2][1] = XOR128(s[2][1], LOAD(in + 80)); - s[3][0] = XOR128(s[3][0], LOAD(in + 96)); - s[3][1] = XOR128(s[3][1], LOAD(in + 112)); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[1][0]); - STORE(out + 48, s[1][1]); - STORE(out + 64, s[2][0]); - STORE(out + 80, s[2][1]); - STORE(out + 96, s[3][0]); - STORE(out + 112, s[3][1]); -} diff --git a/crypto_sign/sphincs-haraka-192s-robust/aesni/haraka.h b/crypto_sign/sphincs-haraka-192s-robust/aesni/haraka.h deleted file mode 100644 index 44abbc78..00000000 --- a/crypto_sign/sphincs-haraka-192s-robust/aesni/haraka.h +++ /dev/null 
@@ -1,57 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_HARAKA_H
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_HARAKA_H
-
-#include
-#include
-#include
-
-typedef struct {
- __m128i rc[40];
- __m128i rc_sseed[40];
-} harakactx;
-
-/* Tweak constants with seed */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length);
-
-/* Haraka Sponge */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_S_inc_init(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_S_inc_finalize(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_S(
- unsigned char *out, unsigned long long outlen,
- const unsigned char *in, unsigned long long inlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_Sx4(
- unsigned char *out0,
- unsigned char *out1,
- unsigned char *out2,
- unsigned char *out3,
- unsigned long long outlen,
- const unsigned char *in0,
- const unsigned char *in1,
- const unsigned char *in2,
- const unsigned char *in3,
- unsigned long long inlen,
- const harakactx *state);
-
-
-/* Applies the 512-bit Haraka permutation to in. */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka512_perm_x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-512 */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka512x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka256x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 using sk.seed constants */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka256_skx4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192s-robust/aesni/hash.h b/crypto_sign/sphincs-haraka-192s-robust/aesni/hash.h
deleted file mode 100644
index 4b4fa016..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/aesni/hash.h
+++ /dev/null
@@ -1,31 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_HASH_H
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_HASH_H
-
-#include "hash_state.h"
-
-#include
-#include
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed);
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_destroy_hash_function(hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192s-robust/aesni/hash_haraka.c b/crypto_sign/sphincs-haraka-192s-robust/aesni/hash_haraka.c
deleted file mode 100644
index 0a204c38..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/aesni/hash_haraka.c
+++ /dev/null
@@ -1,96 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "hash.h" -#include "params.h" -#include "utils.h" - -void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_initialize_hash_function( - hash_state *hash_state_seeded, - const unsigned char *pub_seed, const unsigned char *sk_seed) { - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_tweak_constants(hash_state_seeded, pub_seed, sk_seed, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N); -} - -/* The haraka implementation is stack based and won't be replaced in PQClean/OQS, - so we don't need to do anything */ -void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_destroy_hash_function( - hash_state *hash_state_seeded) { // NOLINT(readability-non-const-parameter) - (void)hash_state_seeded; -} - -/* - * Computes PRF(key, addr), given a secret key of PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N bytes and an address - */ -void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_prf_addr( - unsigned char *out, const unsigned char *key, const uint32_t addr[8], - const hash_state *hash_state_seeded) { - unsigned char buf[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES]; - /* Since PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N may be smaller than 32, we need a temporary buffer. */ - unsigned char outbuf[32]; - - (void)key; /* Suppress an 'unused parameter' warning. */ - - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_addr_to_bytes(buf, addr); - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka256_sk(outbuf, buf, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N); -} - -/** - * Computes the message-dependent randomness R, using a secret seed and an - * optional randomization value as well as the message. 
- */ -void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_gen_message_random( - unsigned char *R, - const unsigned char *sk_prf, const unsigned char *optrand, - const unsigned char *m, size_t mlen, - const hash_state *hash_state_seeded) { - uint8_t s_inc[65]; - - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_S_inc_init(s_inc); - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_S_inc_absorb(s_inc, sk_prf, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_S_inc_absorb(s_inc, optrand, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_S_inc_finalize(s_inc); - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_S_inc_squeeze(R, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, s_inc, hash_state_seeded); -} - -/** - * Computes the message hash using R, the public key, and the message. - * Outputs the message digest and the index of the leaf. The index is split in - * the tree index and the leaf index, for convenient copying to an address. 
- */ -void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_hash_message( - unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx, - const unsigned char *R, const unsigned char *pk, - const unsigned char *m, size_t mlen, - const hash_state *hash_state_seeded) { -#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_TREE_BITS (PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_TREE_HEIGHT * (PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_D - 1)) -#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_TREE_BYTES ((PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_TREE_BITS + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_LEAF_BITS PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_TREE_HEIGHT -#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_LEAF_BYTES ((PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_LEAF_BITS + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_DGST_BYTES (PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_MSG_BYTES + PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_TREE_BYTES + PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_LEAF_BYTES) - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_DGST_BYTES]; - unsigned char *bufp = buf; - uint8_t s_inc[65]; - - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_S_inc_init(s_inc); - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_S_inc_absorb(s_inc, R, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_S_inc_absorb(s_inc, pk + PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_S_inc_finalize(s_inc); - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_S_inc_squeeze(buf, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_DGST_BYTES, s_inc, hash_state_seeded); - - memcpy(digest, bufp, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_MSG_BYTES); - bufp += PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_MSG_BYTES; - - *tree = PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_bytes_to_ull(bufp, 
PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_TREE_BYTES); - *tree &= (~(uint64_t)0) >> (64 - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_TREE_BITS); - bufp += PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_TREE_BYTES; - - *leaf_idx = (uint32_t)PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_bytes_to_ull( - bufp, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_LEAF_BYTES); - *leaf_idx &= (~(uint32_t)0) >> (32 - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_LEAF_BITS); -} diff --git a/crypto_sign/sphincs-haraka-192s-robust/aesni/hash_harakax4.c b/crypto_sign/sphincs-haraka-192s-robust/aesni/hash_harakax4.c deleted file mode 100644 index 1de7243f..00000000 --- a/crypto_sign/sphincs-haraka-192s-robust/aesni/hash_harakax4.c +++ /dev/null @@ -1,37 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "hash_state.h" -#include "hashx4.h" -#include "params.h" - -/* - * 4-way parallel version of prf_addr; takes 4x as much input and output - */ -void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_prf_addrx4(unsigned char *out0, - unsigned char *out1, - unsigned char *out2, - unsigned char *out3, - const unsigned char *key, - const uint32_t addrx4[4 * 8], - const hash_state *state_seeded) { - unsigned char bufx4[4 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES]; - /* Since PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N may be smaller than 32, we need a temporary buffer. */ - unsigned char outbuf[4 * 32]; - unsigned int i; - - (void)key; /* Suppress an 'unused parameter' warning. */ - - for (i = 0; i < 4; i++) { - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_addr_to_bytes(bufx4 + i * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES, addrx4 + i * 8); - } - - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka256_skx4(outbuf, bufx4, state_seeded); - - memcpy(out0, outbuf, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N); - memcpy(out1, outbuf + 32, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N); - memcpy(out2, outbuf + 64, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N); - memcpy(out3, outbuf + 96, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N); -} 
diff --git a/crypto_sign/sphincs-haraka-192s-robust/aesni/hash_state.h b/crypto_sign/sphincs-haraka-192s-robust/aesni/hash_state.h
deleted file mode 100644
index ed3c6fdd..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/aesni/hash_state.h
+++ /dev/null
@@ -1,26 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_HASH_STATE_H
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_HASH_STATE_H
-
-/**
- * Defines the type of the hash function state.
- *
- * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
- *
- * From Section 7.2.2 from the SPHINCS+ round-2 specification:
- *
- * Each of the instances of the tweakable hash function take PK.seed as its
- * first input, which is constant for a given key pair – and, thus, across
- * a single signature. This leads to a lot of redundant computation. To remedy
- * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
- * Because of the Merkle-Damgård construction that underlies SHA-256, this
- * allows for reuse of the intermediate SHA-256 state after the initial call to
- * the compression function which improves performance.
- *
- * We pass this hash state around in functions, because otherwise we need to
- * have a global variable.
- */
-
-#include "haraka.h"
-#define hash_state harakactx
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192s-robust/aesni/hashx4.h b/crypto_sign/sphincs-haraka-192s-robust/aesni/hashx4.h
deleted file mode 100644
index 801e6899..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/aesni/hashx4.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_HASHX4_H
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_HASHX4_H
-
-#include
-
-#include "hash_state.h"
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_prf_addrx4(unsigned char *out0,
- unsigned char *out1,
- unsigned char *out2,
- unsigned char *out3,
- const unsigned char *key,
- const uint32_t addrx4[4 * 8],
- const hash_state *state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192s-robust/aesni/params.h b/crypto_sign/sphincs-haraka-192s-robust/aesni/params.h
deleted file mode 100644
index 2103a2b6..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/aesni/params.h
+++ /dev/null
@@ -1,53 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_PARAMS_H -#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_PARAMS_H - -/* Hash output length in bytes. */ -#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N 24 -/* Height of the hypertree. */ -#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FULL_HEIGHT 64 -/* Number of subtree layer. */ -#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_D 8 -/* FORS tree dimensions. */ -#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_HEIGHT 16 -#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_TREES 14 -/* Winternitz parameter, */ -#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_W 16 - -/* The hash function is defined by linking a different hash.c file, as opposed - to setting a #define constant. */ - -/* For clarity */ -#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES 32 - -/* WOTS parameters. */ -#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_LOGW 4 - -#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_LEN1 (8 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N / PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_LOGW) - -/* PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */ -#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_LEN2 3 - -#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_LEN (PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_LEN1 + PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_LEN2) -#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_BYTES (PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_LEN * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N) -#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_PK_BYTES PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_BYTES - -/* Subtree size. */ -#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_TREE_HEIGHT (PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FULL_HEIGHT / PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_D) - -/* FORS parameters. 
*/ -#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_MSG_BYTES ((PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_TREES + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_BYTES ((PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_HEIGHT + 1) * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N) -#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_PK_BYTES PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N - -/* Resulting SPX sizes. */ -#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_BYTES (PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N + PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_BYTES + PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_D * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_BYTES +\ - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FULL_HEIGHT * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N) -#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_PK_BYTES (2 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N) -#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_SK_BYTES (2 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N + PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_PK_BYTES) - -/* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. */ -#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_OPTRAND_BYTES 32 - -#endif diff --git a/crypto_sign/sphincs-haraka-192s-robust/aesni/sign.c b/crypto_sign/sphincs-haraka-192s-robust/aesni/sign.c deleted file mode 100644 index 68db93dd..00000000 --- a/crypto_sign/sphincs-haraka-192s-robust/aesni/sign.c +++ /dev/null 
@@ -1,409 +0,0 @@ -#include -#include -#include -#include - -#include "address.h" -#include "api.h" -#include "fors.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "randombytes.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - - -/** - * Computes the leaf at a given address. First generates the WOTS key pair, - * then computes leaf by hashing horizontally. - */ -static void wots_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx, const uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - unsigned char pk[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_BYTES]; - uint32_t wots_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_TYPE_WOTSPK); - - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_keypair_addr( - wots_addr, addr_idx); - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_wots_gen_pk( - pk, sk_seed, pub_seed, wots_addr, hash_state_seeded); - - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_copy_keypair_addr( - wots_pk_addr, wots_addr); - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_thash_WOTS_LEN( - leaf, pk, pub_seed, wots_pk_addr, hash_state_seeded); -} - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_crypto_sign_secretkeybytes(void) { - return PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_CRYPTO_SECRETKEYBYTES; -} - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_crypto_sign_publickeybytes(void) { - return PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_CRYPTO_PUBLICKEYBYTES; -} - -/* - * Returns the length of a signature, in bytes - */ -size_t 
PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_crypto_sign_bytes(void) { - return PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_CRYPTO_BYTES; -} - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_crypto_sign_seedbytes(void) { - return PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_CRYPTO_SEEDBYTES; -} - -/* - * Generates an SPX key pair given a seed of length - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_crypto_sign_seed_keypair( - uint8_t *pk, uint8_t *sk, const uint8_t *seed) { - /* We do not need the auth path in key generation, but it simplifies the - code to have just one treehash routine that computes both root and path - in one function. */ - unsigned char auth_path[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N]; - uint32_t top_tree_addr[8] = {0}; - hash_state hash_state_seeded; - - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_layer_addr( - top_tree_addr, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_D - 1); - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_type( - top_tree_addr, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_TYPE_HASHTREE); - - /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */ - memcpy(sk, seed, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_CRYPTO_SEEDBYTES); - - memcpy(pk, sk + 2 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_initialize_hash_function(&hash_state_seeded, pk, sk); - - /* Compute root node of the top-most subtree. 
*/ - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_treehash_TREE_HEIGHT( - sk + 3 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, auth_path, sk, sk + 2 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, 0, 0, - wots_gen_leaf, top_tree_addr, &hash_state_seeded); - - memcpy(pk + PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, sk + 3 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N); - - return 0; -} - -/* - * Generates an SPX key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk) { - - // guarantee alignment of pk - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_CRYPTO_PUBLICKEYBYTES / 16]; - uint8_t pk[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - - // guarantee alignment of sk - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_CRYPTO_SECRETKEYBYTES / 16]; - uint8_t sk[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_CRYPTO_SECRETKEYBYTES]; - } aligned_sk; - - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_CRYPTO_SEEDBYTES / 16]; - uint8_t seed[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_CRYPTO_SEEDBYTES]; - } aligned_seed; - randombytes(aligned_seed.seed, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_CRYPTO_SEEDBYTES); - - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_crypto_sign_seed_keypair( - aligned_pk.pk, aligned_sk.sk, aligned_seed.seed); - memcpy(pk, aligned_pk.pk, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_CRYPTO_PUBLICKEYBYTES); - memcpy(sk, aligned_sk.sk, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_CRYPTO_SECRETKEYBYTES); - - return 0; -} - -/** - * Returns an array containing a detached signature. 
- */ -int PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - // guarantee alignment of sk - union { - __m128 *_x; - uint8_t sk[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_CRYPTO_SECRETKEYBYTES]; - } aligned_sk; - memcpy(aligned_sk.sk, sk, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_CRYPTO_SECRETKEYBYTES); - sk = aligned_sk.sk; - - // guarantee alignment of sig - union { - __m128 *_x; - uint8_t sig[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_BYTES]; - } aligned_sig; - uint8_t *orig_sig = sig; - sig = (uint8_t *)aligned_sig.sig; - - const unsigned char *sk_seed = sk; - const unsigned char *sk_prf = sk + PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N; - const unsigned char *pk = sk + 2 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N; - const unsigned char *pub_seed = pk; - - unsigned char optrand[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N]; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_MSG_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N]; - uint32_t i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - - hash_state hash_state_seeded; - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_initialize_hash_function( - &hash_state_seeded, - pub_seed, sk_seed); - - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_TYPE_HASHTREE); - - /* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. 
*/ - randombytes(optrand, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N); - /* Compute the digest randomization value. */ - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_gen_message_random( - sig, sk_prf, optrand, m, mlen, &hash_state_seeded); - - /* Derive the message digest and leaf index from R, PK and M. */ - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N; - - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - /* Sign the message hash using FORS. */ - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_fors_sign( - sig, root, mhash, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_BYTES; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_D; i++) { - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - /* Compute a WOTS signature. */ - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_wots_sign( - sig, root, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_BYTES; - - /* Compute the authentication path for the used WOTS leaf. */ - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_treehash_TREE_HEIGHT( - root, sig, sk_seed, pub_seed, idx_leaf, 0, - wots_gen_leaf, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N; - - /* Update the indices for the next layer. 
*/ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_TREE_HEIGHT; - } - - memcpy(orig_sig, aligned_sig.sig, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_BYTES); - *siglen = PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_BYTES; - - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - // guarantee alignment of pk - union { - __m128 *_x; - uint8_t pk[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - memcpy(aligned_pk.pk, pk, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_CRYPTO_PUBLICKEYBYTES); - pk = aligned_pk.pk; - - const unsigned char *pub_seed = pk; - const unsigned char *pub_root = pk + PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_MSG_BYTES]; - unsigned char wots_pk[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N]; - unsigned int i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - hash_state hash_state_seeded; - - if (siglen != PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_BYTES) { - return -1; - } - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_initialize_hash_function( - &hash_state_seeded, - pub_seed, NULL); - - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_TYPE_HASHTREE); - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_TYPE_WOTSPK); - - /* Derive the message digest and leaf index from R || PK || M. */ - /* The additional PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N is a result of the hash domain separator. */ - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N; - - /* Layer correctly defaults to 0, so no need to set_layer_addr */ - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_fors_pk_from_sig( - root, sig, mhash, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_BYTES; - - /* For each subtree.. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_D; i++) { - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_copy_keypair_addr( - wots_pk_addr, wots_addr); - - /* The WOTS public key is only correct if the signature was correct. */ - /* Initially, root is the FORS pk, but on subsequent iterations it is - the root of the subtree below the currently processed subtree. 
*/ - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_wots_pk_from_sig( - wots_pk, sig, root, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_BYTES; - - /* Compute the leaf node using the WOTS public key. */ - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_thash_WOTS_LEN( - leaf, wots_pk, pub_seed, wots_pk_addr, &hash_state_seeded); - - /* Compute the root node of this subtree. */ - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_compute_root( - root, leaf, idx_leaf, 0, sig, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_TREE_HEIGHT, - pub_seed, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_TREE_HEIGHT; - } - - /* Check if the root node equals the root node in the public key. */ - if (memcmp(root, pub_root, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N) != 0) { - return -1; - } - - return 0; -} - - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - size_t siglen; - - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_crypto_sign_signature( - sm, &siglen, m, mlen, sk); - - memmove(sm + PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_BYTES, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. 
- */ -int PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk) { - - // guarantee alignment of pk - union { - __m128 *_x; - uint8_t pk[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - memcpy(aligned_pk.pk, pk, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_CRYPTO_PUBLICKEYBYTES); - pk = aligned_pk.pk; - - - /* The API caller does not necessarily know what size a signature should be - but SPHINCS+ signatures are always exactly PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_BYTES. */ - if (smlen < PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_BYTES) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_BYTES; - - if (PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_crypto_sign_verify( - sm, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_BYTES, sm + PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_BYTES, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_BYTES, *mlen); - - return 0; -} diff --git a/crypto_sign/sphincs-haraka-192s-robust/aesni/thash.h b/crypto_sign/sphincs-haraka-192s-robust/aesni/thash.h deleted file mode 100644 index 469836cf..00000000 --- a/crypto_sign/sphincs-haraka-192s-robust/aesni/thash.h +++ /dev/null 
@@ -1,28 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_THASH_H
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_THASH_H
-
-#include "hash_state.h"
-
-#include
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_thash_1(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_thash_2(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_thash_WOTS_LEN(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_thash_FORS_TREES(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192s-robust/aesni/thash_haraka_robust.c b/crypto_sign/sphincs-haraka-192s-robust/aesni/thash_haraka_robust.c
deleted file mode 100644
index 8224bef8..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/aesni/thash_haraka_robust.c
+++ /dev/null
@@ -1,94 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" - -#include "haraka.h" - -/** - * Takes an array of inblocks concatenated arrays of PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N bytes. - */ -static void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_thash( - unsigned char *out, unsigned char *buf, - const unsigned char *in, unsigned int inblocks, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char *bitmask = buf + PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES; - unsigned char outbuf[32]; - unsigned char buf_tmp[64]; - unsigned int i; - - (void)pub_seed; /* Suppress an 'unused parameter' warning. */ - - if (inblocks == 1) { - /* F function */ - /* Since PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N may be smaller than 32, we need a temporary buffer. */ - memset(buf_tmp, 0, 64); - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_addr_to_bytes(buf_tmp, addr); - - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka256(outbuf, buf_tmp, hash_state_seeded); - for (i = 0; i < inblocks * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N; i++) { - buf_tmp[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES + i] = in[i] ^ outbuf[i]; - } - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka512(outbuf, buf_tmp, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N); - } else { - /* All other tweakable hashes*/ - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_addr_to_bytes(buf, addr); - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_S( - bitmask, inblocks * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, buf, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES, hash_state_seeded); - - for (i = 0; i < inblocks * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N; i++) { - buf[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES + i] = in[i] ^ bitmask[i]; - } - - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_S( - out, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, buf, 
PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES + inblocks * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, hash_state_seeded); - } -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES + 1 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N]; - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_thash( - out, buf, in, 1, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES + 2 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N]; - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_thash( - out, buf, in, 2, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_LEN * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N]; - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_thash( - out, buf, in, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_LEN, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N]; - PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_thash( - out, buf, in, 
PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_TREES, pub_seed, addr, hash_state_seeded);
-}
diff --git a/crypto_sign/sphincs-haraka-192s-robust/aesni/thash_haraka_robustx4.c b/crypto_sign/sphincs-haraka-192s-robust/aesni/thash_haraka_robustx4.c
deleted file mode 100644
index c27ed57c..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/aesni/thash_haraka_robustx4.c
+++ /dev/null
@@ -1,92 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "haraka.h"
-#include "params.h"
-#include "thashx4.h"
-
-/**
- * 4-way parallel version of thash; takes 4x as much input and output
- */
-#define thashx4_variant(name, inblocks) \
- void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_thashx4_##name(unsigned char *out0, unsigned char *out1, unsigned char *out2, \
- unsigned char *out3, const unsigned char *in0, \
- const unsigned char *in1, const unsigned char *in2, \
- const unsigned char *in3, const unsigned char *pub_seed, \
- uint32_t addrx4[4 * 8], const harakactx *state) { \
- unsigned char buf0[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N]; \
- unsigned char buf1[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N]; \
- unsigned char buf2[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N]; \
- unsigned char buf3[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N]; \
- unsigned char bitmask0[(inblocks)*PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N]; \
- unsigned char bitmask1[(inblocks)*PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N]; \
- unsigned char bitmask2[(inblocks)*PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N]; \
- unsigned char bitmask3[(inblocks)*PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N]; \
- unsigned char outbuf[32 * 4]; \
- unsigned char buf_tmp[64 * 4]; \
- unsigned int i; \
- \
- (void)pub_seed; /* Suppress an 'unused parameter' warning.
*/ \
- \
- if ((inblocks) == 1) { \
- memset(buf_tmp, 0, 64 * 4); \
- \
- /* Generate masks first in buffer */ \
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_addr_to_bytes(buf_tmp, addrx4 + 0 * 8); \
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_addr_to_bytes(buf_tmp + 32, addrx4 + 1 * 8); \
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_addr_to_bytes(buf_tmp + 64, addrx4 + 2 * 8); \
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_addr_to_bytes(buf_tmp + 96, addrx4 + 3 * 8); \
- \
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka256x4(outbuf, buf_tmp, state); \
- \
- /* move addresses to make room for inputs; zero old values */ \
- memcpy(buf_tmp + 192, buf_tmp + 96, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES); \
- memcpy(buf_tmp + 128, buf_tmp + 64, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES); \
- memcpy(buf_tmp + 64, buf_tmp + 32, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES); \
- /* skip memcpy(buf_tmp, buf_tmp, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES); already in place */ \
- \
- /* skip memset(buf_tmp, 0, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES); remained untouched */ \
- memset(buf_tmp + 32, 0, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES); \
- /* skip memset(buf_tmp + 64, 0, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES); contains addr1 */ \
- memset(buf_tmp + 96, 0, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES); \
- \
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N; i++) { \
- buf_tmp[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES + i] = in0[i] ^ outbuf[i]; \
- buf_tmp[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES + i + 64] = in1[i] ^ outbuf[i + 32]; \
- buf_tmp[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES + i + 128] = in2[i] ^ outbuf[i + 64]; \
- buf_tmp[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES + i + 192] = in3[i] ^ outbuf[i + 96]; \
- } \
- \
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka512x4(outbuf, buf_tmp, state); \
- \
- memcpy(out0, outbuf, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N); \
- memcpy(out1, outbuf +
32, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N); \
- memcpy(out2, outbuf + 64, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N); \
- memcpy(out3, outbuf + 96, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N); \
- } else { \
- /* All other tweakable hashes*/ \
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_addr_to_bytes(buf0, addrx4 + 0 * 8); \
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_addr_to_bytes(buf1, addrx4 + 1 * 8); \
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_addr_to_bytes(buf2, addrx4 + 2 * 8); \
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_addr_to_bytes(buf3, addrx4 + 3 * 8); \
- \
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_Sx4(bitmask0, bitmask1, bitmask2, bitmask3, (inblocks)*PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, buf0, buf1, \
- buf2, buf3, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES, state); \
- \
- for (i = 0; i < (inblocks)*PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N; i++) { \
- buf0[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES + i] = in0[i] ^ bitmask0[i]; \
- buf1[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES + i] = in1[i] ^ bitmask1[i]; \
- buf2[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES + i] = in2[i] ^ bitmask2[i]; \
- buf3[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES + i] = in3[i] ^ bitmask3[i]; \
- } \
- \
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_haraka_Sx4(out0, out1, out2, out3, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, buf0, buf1, buf2, buf3, \
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, state); \
- } \
- }
-
-thashx4_variant(1, 1)
-thashx4_variant(2, 2)
-thashx4_variant(WOTS_LEN, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_LEN)
-thashx4_variant(FORS_TREES, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_TREES)
diff --git a/crypto_sign/sphincs-haraka-192s-robust/aesni/thashx4.h b/crypto_sign/sphincs-haraka-192s-robust/aesni/thashx4.h
deleted file mode 100644
index a63aa235..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/aesni/thashx4.h
+++ /dev/null
@@ -1,25 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_THASHX4_H
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_THASHX4_H
-
-#include
-
-#include "hash_state.h"
-
-#define thashx4_header(inblocks) \
- void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_thashx4_##inblocks(unsigned char *out0, \
- unsigned char *out1, \
- unsigned char *out2, \
- unsigned char *out3, \
- const unsigned char *in0, \
- const unsigned char *in1, \
- const unsigned char *in2, \
- const unsigned char *in3, \
- const unsigned char *pub_seed, uint32_t addrx4[4*8], \
- const hash_state *state_seeded)
-
-thashx4_header(1);
-thashx4_header(2);
-thashx4_header(WOTS_LEN);
-thashx4_header(FORS_TREES);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192s-robust/aesni/utils.c b/crypto_sign/sphincs-haraka-192s-robust/aesni/utils.c
deleted file mode 100644
index b6e9bad9..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/aesni/utils.c
+++ /dev/null
@@ -1,199 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "hash.h"
-#include "hash_state.h"
-#include "params.h"
-#include "thash.h"
-#include "utils.h"
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ull_to_bytes(
- unsigned char *out, size_t outlen, unsigned long long in) {
-
- /* Iterate over out in decreasing order, for big-endianness. */
- for (size_t i = outlen; i > 0; i--) {
- out[i - 1] = in & 0xff;
- in = in >> 8;
- }
-}
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-unsigned long long PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_bytes_to_ull(
- const unsigned char *in, size_t inlen) {
- unsigned long long retval = 0;
-
- for (size_t i = 0; i < inlen; i++) {
- retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i));
- }
- return retval;
-}
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_compute_root(
- unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- uint32_t i;
- unsigned char buffer[2 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N];
-
- /* If leaf_idx is odd (last bit = 1), current path element is a right child - and auth_path has to go left. Otherwise it is the other way around.
*/
- if (leaf_idx & 1) {
- memcpy(buffer + PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, leaf, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N);
- memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N);
- } else {
- memcpy(buffer, leaf, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N);
- memcpy(buffer + PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, auth_path, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N);
- }
- auth_path += PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N;
-
- for (i = 0; i < tree_height - 1; i++) {
- leaf_idx >>= 1;
- idx_offset >>= 1;
- /* Set the address of the node we're creating. */
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_tree_height(addr, i + 1);
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_tree_index(
- addr, leaf_idx + idx_offset);
-
- /* Pick the right or left neighbor, depending on parity of the node. */
- if (leaf_idx & 1) {
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_thash_2(
- buffer + PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, buffer, pub_seed, addr, hash_state_seeded);
- memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N);
- } else {
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_thash_2(
- buffer, buffer, pub_seed, addr, hash_state_seeded);
- memcpy(buffer + PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, auth_path, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N);
- }
- auth_path += PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N;
- }
-
- /* The last iteration is exceptional; we do not copy an auth_path node. */
- leaf_idx >>= 1;
- idx_offset >>= 1;
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_tree_height(addr, tree_height);
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_tree_index(
- addr, leaf_idx + idx_offset);
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_thash_2(
- root, buffer, pub_seed, addr, hash_state_seeded);
-}
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e.
PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-static void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_treehash(
- unsigned char *root, unsigned char *auth_path,
- unsigned char *stack, unsigned int *heights,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned int offset = 0;
- uint32_t idx;
- uint32_t tree_idx;
-
- for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) {
- /* Add the next leaf node to the stack. */
- gen_leaf(stack + offset * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N,
- sk_seed, pub_seed, idx + idx_offset, tree_addr,
- hash_state_seeded);
- offset++;
- heights[offset - 1] = 0;
-
- /* If this is a node we need for the auth path.. */
- if ((leaf_idx ^ 0x1) == idx) {
- memcpy(auth_path, stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N);
- }
-
- /* While the top-most nodes are of equal height.. */
- while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) {
- /* Compute index of the new node, in the next layer. */
- tree_idx = (idx >> (heights[offset - 1] + 1));
-
- /* Set the address of the node we're creating. */
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_tree_height(
- tree_addr, heights[offset - 1] + 1);
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_tree_index(
- tree_addr, tree_idx + (idx_offset >> (heights[offset - 1] + 1)));
- /* Hash the top-most nodes from the stack together.
*/
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_thash_2(
- stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N,
- pub_seed, tree_addr, hash_state_seeded);
- offset--;
- /* Note that the top-most node is now one layer higher. */
- heights[offset - 1]++;
-
- /* If this is a node we need for the auth path.. */
- if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) {
- memcpy(auth_path + heights[offset - 1]*PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N,
- stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N);
- }
- }
- }
- memcpy(root, stack, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N);
-}
-
-/* The wrappers below ensure that we use fixed-size buffers on the stack */
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_treehash_FORS_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded) {
-
- unsigned char stack[(PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N];
- unsigned int heights[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_HEIGHT + 1];
-
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_treehash(
- root, auth_path, stack, heights, sk_seed, pub_seed,
- leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_HEIGHT, gen_leaf, tree_addr, hash_state_seeded);
-}
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_treehash_TREE_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /*
leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded) {
-
- unsigned char stack[(PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_TREE_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N];
- unsigned int heights[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_TREE_HEIGHT + 1];
-
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_treehash(
- root, auth_path, stack, heights, sk_seed, pub_seed,
- leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_TREE_HEIGHT, gen_leaf, tree_addr, hash_state_seeded);
-}
diff --git a/crypto_sign/sphincs-haraka-192s-robust/aesni/utils.h b/crypto_sign/sphincs-haraka-192s-robust/aesni/utils.h
deleted file mode 100644
index 7715b4ec..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/aesni/utils.h
+++ /dev/null
@@ -1,64 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_UTILS_H
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_UTILS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-#include
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ull_to_bytes(
- unsigned char *out, size_t outlen, unsigned long long in);
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-unsigned long long PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_bytes_to_ull(
- const unsigned char *in, size_t inlen);
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_compute_root(
- unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_treehash_FORS_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_treehash_TREE_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192s-robust/aesni/utilsx4.c b/crypto_sign/sphincs-haraka-192s-robust/aesni/utilsx4.c
deleted file mode 100644
index c7f91266..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/aesni/utilsx4.c
+++ /dev/null
@@ -1,98 +0,0 @@
-#include "address.h"
-#include "params.h"
-#include "thashx4.h"
-#include "utils.h"
-#include "utilsx4.h"
-
-#include
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-#define treehashx4_variant(name, tree_height) \
- void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_treehashx4_##name( \
- unsigned char *rootx4, unsigned char *auth_pathx4, const unsigned char *sk_seed, \
- const unsigned char *pub_seed, const uint32_t leaf_idx[4], uint32_t idx_offset[4], \
- void (*gen_leafx4)(unsigned char * /* leaf0 */, unsigned char * /* leaf1 */, \
- unsigned char * /* leaf2 */, unsigned char * /* leaf3 */, \
- const unsigned char * /* sk_seed */, \
- const unsigned char * /* pub_seed */, uint32_t /* addr_idx0 */, \
- uint32_t /* addr_idx1 */, uint32_t /* addr_idx2 */, \
- uint32_t /* addr_idx3 */, const uint32_t[8] /* tree_addr */, \
- const hash_state * /* state_seeded */), \
- uint32_t tree_addrx4[4 * 8], const hash_state *state_seeded) { \
- unsigned char stackx4[4 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N]; \
- unsigned int heights[(tree_height) + 1]; \
- unsigned int offset = 0; \
- uint32_t idx; \
- uint32_t tree_idx; \
- unsigned int j; \
- \
- for (idx = 0; idx < (uint32_t)(1 << (tree_height)); idx++) { \
- /* Add the next leaf node to the stack.
*/ \
- gen_leafx4(stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, \
- stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, \
- stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, \
- stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, sk_seed, \
- pub_seed, idx + idx_offset[0], idx + idx_offset[1], idx + idx_offset[2], \
- idx + idx_offset[3], tree_addrx4, state_seeded); \
- offset++; \
- heights[offset - 1] = 0; \
- \
- /* If this is a node we need for the auth path.. */ \
- for (j = 0; j < 4; j++) { \
- if ((leaf_idx[j] ^ 0x1) == idx) { \
- memcpy(auth_pathx4 + j * (tree_height)*PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, \
- stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N + (offset - 1) * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, \
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N); \
- } \
- } \
- \
- /* While the top-most nodes are of equal height.. */ \
- while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { \
- /* Compute index of the new node, in the next layer. */ \
- tree_idx = (idx >> (heights[offset - 1] + 1)); \
- \
- /* Set the address of the node we're creating. */ \
- for (j = 0; j < 4; j++) { \
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_tree_height(tree_addrx4 + j * 8, heights[offset - 1] + 1); \
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_tree_index(tree_addrx4 + j * 8, \
- tree_idx + (idx_offset[j] >> (heights[offset - 1] + 1))); \
- } \
- /* Hash the top-most nodes from the stack together.
*/ \
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_thashx4_2(stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, \
- stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, \
- stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, \
- stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, \
- stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, \
- stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, \
- stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, \
- stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, \
- pub_seed, tree_addrx4, state_seeded); \
- offset--; \
- /* Note that the top-most node is now one layer higher. */ \
- heights[offset - 1]++; \
- \
- /* If this is a node we need for the auth path..
*/ \
- for (j = 0; j < 4; j++) { \
- if (((leaf_idx[j] >> heights[offset - 1]) ^ 0x1) == tree_idx) { \
- memcpy(auth_pathx4 + j * (tree_height)*PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N + \
- heights[offset - 1] * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, \
- stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N + (offset - 1) * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, \
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N); \
- } \
- } \
- } \
- } \
- \
- for (j = 0; j < 4; j++) { \
- memcpy(rootx4 + j * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N); \
- } \
- }
-
-treehashx4_variant(FORS_HEIGHT, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_FORS_HEIGHT)
diff --git a/crypto_sign/sphincs-haraka-192s-robust/aesni/utilsx4.h b/crypto_sign/sphincs-haraka-192s-robust/aesni/utilsx4.h
deleted file mode 100644
index bd61e7e4..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/aesni/utilsx4.h
+++ /dev/null
@@ -1,38 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_UTILSX4_H
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_UTILSX4_H
-
-#include "hash_state.h"
-#include "params.h"
-
-#include
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_treehashx4_FORS_HEIGHT(unsigned char *rootx4,
- unsigned char *auth_pathx4,
- const unsigned char *sk_seed,
- const unsigned char *pub_seed,
- const uint32_t leaf_idx[4],
- uint32_t idx_offset[4],
- void (*gen_leafx4)(unsigned char * /* leaf0 */,
- unsigned char * /* leaf1 */,
- unsigned char * /* leaf2 */,
- unsigned char * /* leaf3 */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx0 */,
- uint32_t /* addr_idx1 */,
- uint32_t /* addr_idx2 */,
- uint32_t /* addr_idx3 */,
- const uint32_t[8] /* tree_addr */,
- const hash_state * /* state_seeded */),
- uint32_t tree_addrx4[4 * 8],
- const hash_state *state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192s-robust/aesni/wots.c b/crypto_sign/sphincs-haraka-192s-robust/aesni/wots.c
deleted file mode 100644
index 396e6435..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/aesni/wots.c
+++ /dev/null
@@ -1,240 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "hash.h"
-#include "hash_state.h"
-#include "hashx4.h"
-#include "params.h"
-#include "thash.h"
-#include "thashx4.h"
-#include "utils.h"
-#include "wots.h"
-
-// TODO clarify address expectations, and make them more uniform.
-// TODO i.e. do we expect types to be set already?
-// TODO and do we expect modifications or copies?
-
-/**
- * Computes the starting value for a chain, i.e. the secret key.
- * Expects the address to be complete up to the chain address.
- */
-static void wots_gen_sk(unsigned char *sk, const unsigned char *sk_seed,
- uint32_t wots_addr[8], const hash_state *state_seeded) {
- /* Make sure that the hash address is actually zeroed. */
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_hash_addr(wots_addr, 0);
-
- /* Generate sk element. */
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_prf_addr(sk, sk_seed, wots_addr, state_seeded);
-}
-
-/**
- * 4-way parallel version of wots_gen_sk; expects 4x as much space in sk
- */
-static void wots_gen_skx4(unsigned char *skx4, const unsigned char *sk_seed,
- uint32_t wots_addrx4[4 * 8], const hash_state *state_seeded) {
- unsigned int j;
-
- /* Make sure that the hash address is actually zeroed. */
- for (j = 0; j < 4; j++) {
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_hash_addr(wots_addrx4 + j * 8, 0);
- }
-
- /* Generate sk element. */
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_prf_addrx4(skx4 + 0 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N,
- skx4 + 1 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N,
- skx4 + 2 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N,
- skx4 + 3 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N,
- sk_seed, wots_addrx4,
- state_seeded);
-}
-
-/**
- * Computes the chaining function.
- * out and in have to be n-byte arrays.
- *
- * Interprets in as start-th value of the chain.
- * addr has to contain the address of the chain.
- */
-static void gen_chain(unsigned char *out, const unsigned char *in,
- unsigned int start, unsigned int steps,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *state_seeded) {
- uint32_t i;
-
- /* Initialize out with the value at position 'start'. */
- memcpy(out, in, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N);
-
- /* Iterate 'steps' calls to the hash function. */
- for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_W; i++) {
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_hash_addr(addr, i);
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_thash_1(out, out, pub_seed, addr, state_seeded);
- }
-}
-
-/**
- * 4-way parallel version of gen_chain; expects 4x as much space in out, and
- * 4x as much space in inx4. Assumes start and step identical across chains.
- */
-static void gen_chainx4(unsigned char *outx4, const unsigned char *inx4,
- unsigned int start, unsigned int steps,
- const unsigned char *pub_seed, uint32_t addrx4[4 * 8],
- const hash_state *state_seeded) {
- uint32_t i;
- unsigned int j;
-
- /* Initialize outx4 with the value at position 'start'. */
- memcpy(outx4, inx4, 4 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N);
-
- /* Iterate 'steps' calls to the hash function.
*/
- for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_W; i++) {
- for (j = 0; j < 4; j++) {
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_hash_addr(addrx4 + j * 8, i);
- }
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_thashx4_1(outx4 + 0 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N,
- outx4 + 1 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N,
- outx4 + 2 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N,
- outx4 + 3 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N,
- outx4 + 0 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N,
- outx4 + 1 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N,
- outx4 + 2 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N,
- outx4 + 3 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N,
- pub_seed, addrx4,
- state_seeded);
- }
-}
-
-/**
- * base_w algorithm as described in draft.
- * Interprets an array of bytes as integers in base w.
- * This only works when log_w is a divisor of 8.
- */
-static void base_w(unsigned int *output, const int out_len, const unsigned char *input) {
- int in = 0;
- int out = 0;
- unsigned char total = 0;
- int bits = 0;
- int consumed;
-
- for (consumed = 0; consumed < out_len; consumed++) {
- if (bits == 0) {
- total = input[in];
- in++;
- bits += 8;
- }
- bits -= PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_LOGW;
- output[out] = (unsigned int)(total >> bits) & (PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_W - 1);
- out++;
- }
-}
-
-/* Computes the WOTS+ checksum over a message (in base_w). */
-static void wots_checksum(unsigned int *csum_base_w, const unsigned int *msg_base_w) {
- unsigned int csum = 0;
- unsigned char csum_bytes[(PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_LOGW + 7) / 8];
- unsigned int i;
-
- /* Compute checksum. */
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_LEN1; i++) {
- csum += PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_W - 1 - msg_base_w[i];
- }
-
- /* Convert checksum to base_w.
*/
- /* Make sure expected empty zero bits are the least significant bits. */
- csum = csum << (8 - ((PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_LOGW) % 8));
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_ull_to_bytes(csum_bytes, sizeof(csum_bytes), csum);
- base_w(csum_base_w, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_LEN2, csum_bytes);
-}
-
-/* Takes a message and derives the matching chain lengths. */
-static void chain_lengths(unsigned int *lengths, const unsigned char *msg) {
- base_w(lengths, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_LEN1, msg);
- wots_checksum(lengths + PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_LEN1, lengths);
-}
-
-/**
- * WOTS key generation. Takes a 32 byte sk_seed, expands it to WOTS private key
- * elements and computes the corresponding public key.
- * It requires the seed pub_seed (used to generate bitmasks and hash keys)
- * and the address of this WOTS key pair.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_wots_gen_pk(unsigned char *pk, const unsigned char *sk_seed,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *state_seeded) {
- uint32_t i;
- unsigned int j;
-
- uint32_t addrx4[4 * 8];
- unsigned char pkbuf[4 * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N];
-
- for (j = 0; j < 4; j++) {
- memcpy(addrx4 + j * 8, addr, sizeof(uint32_t) * 8);
- }
-
- /* The last iteration typically does not have complete set of 4 chains, - but because we use pkbuf, this is not an issue -- we still do as many - in parallel as possible.
*/
- for (i = 0; i < ((PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_LEN + 3) & ~0x3); i += 4) {
- for (j = 0; j < 4; j++) {
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_chain_addr(addrx4 + j * 8, i + j);
- }
- wots_gen_skx4(pkbuf, sk_seed, addrx4, state_seeded);
- gen_chainx4(pkbuf, pkbuf, 0, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_W - 1, pub_seed, addrx4, state_seeded);
- for (j = 0; j < 4; j++) {
- if (i + j < PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_LEN) {
- memcpy(pk + (i + j)*PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, pkbuf + j * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N);
- }
- }
- }
-
- // Get rid of unused argument variable.
- (void)state_seeded;
-}
-
-/**
- * Takes a n-byte message and the 32-byte sk_see to compute a signature 'sig'.
- */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_wots_sign(unsigned char *sig, const unsigned char *msg,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t addr[8], const hash_state *state_seeded) {
- unsigned int lengths[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_LEN];
- uint32_t i;
-
- chain_lengths(lengths, msg);
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_LEN; i++) {
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_chain_addr(addr, i);
- wots_gen_sk(sig + i * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, sk_seed, addr, state_seeded);
- gen_chain(sig + i * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, sig + i * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, 0, lengths[i], pub_seed, addr, state_seeded);
- }
-
- // avoid unused argument
- (void)state_seeded;
-}
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_wots_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *state_seeded) {
- unsigned int lengths[PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_LEN];
- uint32_t i;
-
- chain_lengths(lengths, msg);
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_LEN; i++) {
- PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_set_chain_addr(addr, i);
- gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N, sig + i * PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_N,
- lengths[i], PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_W - 1 - lengths[i], pub_seed, addr,
- state_seeded);
- }
-
- // avoid unused argument
- (void)state_seeded;
-}
diff --git a/crypto_sign/sphincs-haraka-192s-robust/aesni/wots.h b/crypto_sign/sphincs-haraka-192s-robust/aesni/wots.h
deleted file mode 100644
index eab26dd9..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/aesni/wots.h
+++ /dev/null
@@ -1,41 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_H -#define PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_WOTS_H - -#include "hash_state.h" -#include "params.h" -#include - -/** - * WOTS key generation. Takes a 32 byte seed for the private key, expands it to - * a full WOTS private key and computes the corresponding public key. - * It requires the seed pub_seed (used to generate bitmasks and hash keys) - * and the address of this WOTS key pair. - * - * Writes the computed public key to 'pk'. - */ -void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_wots_gen_pk( - unsigned char *pk, const unsigned char *sk_seed, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -/** - * Takes a n-byte message and the 32-byte seed for the private key to compute a - * signature that is placed at 'sig'. - */ -void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_wots_sign( - unsigned char *sig, const unsigned char *msg, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t addr[8], const hash_state *hash_state_seeded); - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. - */ -void PQCLEAN_SPHINCSHARAKA192SROBUST_AESNI_wots_pk_from_sig( - unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-192s-robust/clean/LICENSE b/crypto_sign/sphincs-haraka-192s-robust/clean/LICENSE deleted file mode 100644 index 670154e3..00000000 --- a/crypto_sign/sphincs-haraka-192s-robust/clean/LICENSE +++ /dev/null 
@@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. 
publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. 
Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. 
Affirmer offers the Work as-is and makes no representations or warranties - of any kind concerning the Work, express, implied, statutory or otherwise, - including without limitation warranties of title, merchantability, fitness - for a particular purpose, non infringement, or the absence of latent or - other defects, accuracy, or the present or absence of errors, whether or not - discoverable, all to the greatest extent permissible under applicable law. - - c. Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without limitation - any person's Copyright and Related Rights in the Work. Further, Affirmer - disclaims responsibility for obtaining any necessary consents, permissions - or other rights required for any use of the Work. - - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to this - CC0 or use of the Work. - -For more information, please see - diff --git a/crypto_sign/sphincs-haraka-192s-robust/clean/Makefile.Microsoft_nmake b/crypto_sign/sphincs-haraka-192s-robust/clean/Makefile.Microsoft_nmake deleted file mode 100644 index 03b54631..00000000 --- a/crypto_sign/sphincs-haraka-192s-robust/clean/Makefile.Microsoft_nmake +++ /dev/null @@ -1,19 +0,0 @@ -# This Makefile can be used with Microsoft Visual Studio's nmake using the command: -# nmake /f Makefile.Microsoft_nmake - -LIBRARY=libsphincs-haraka-192s-robust_clean.lib -OBJECTS=address.obj wots.obj utils.obj fors.obj sign.obj hash_haraka.obj thash_haraka_robust.obj haraka.obj - -CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX - -all: $(LIBRARY) - -# Make sure objects are recompiled if headers change. -$(OBJECTS): *.h - -$(LIBRARY): $(OBJECTS) - LIB.EXE /NOLOGO /WX /OUT:$@ $** - -clean: - -DEL $(OBJECTS) - -DEL $(LIBRARY) 
diff --git a/crypto_sign/sphincs-haraka-192s-robust/clean/address.c b/crypto_sign/sphincs-haraka-192s-robust/clean/address.c
deleted file mode 100644
index b97822db..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/clean/address.c
+++ /dev/null
@@ -1,78 +0,0 @@ -#include - -#include "address.h" -#include "params.h" -#include "utils.h" - -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_addr_to_bytes( - unsigned char *bytes, const uint32_t addr[8]) { - int i; - - for (i = 0; i < 8; i++) { - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ull_to_bytes( - bytes + i * 4, 4, addr[i]); - } -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_layer_addr( - uint32_t addr[8], uint32_t layer) { - addr[0] = layer; -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_tree_addr( - uint32_t addr[8], uint64_t tree) { - addr[1] = 0; - addr[2] = (uint32_t) (tree >> 32); - addr[3] = (uint32_t) tree; -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_type( - uint32_t addr[8], uint32_t type) { - addr[4] = type; -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_copy_subtree_addr( - uint32_t out[8], const uint32_t in[8]) { - out[0] = in[0]; - out[1] = in[1]; - out[2] = in[2]; - out[3] = in[3]; -} - -/* These functions are used for OTS addresses. */ - -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_keypair_addr( - uint32_t addr[8], uint32_t keypair) { - addr[5] = keypair; -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_copy_keypair_addr( - uint32_t out[8], const uint32_t in[8]) { - out[0] = in[0]; - out[1] = in[1]; - out[2] = in[2]; - out[3] = in[3]; - out[5] = in[5]; -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_chain_addr( - uint32_t addr[8], uint32_t chain) { - addr[6] = chain; -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_hash_addr( - uint32_t addr[8], uint32_t hash) { - addr[7] = hash; -} - -/* These functions are used for all hash tree addresses (including FORS). */ - -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_tree_height( - uint32_t addr[8], uint32_t tree_height) { - addr[6] = tree_height; -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_tree_index( - uint32_t addr[8], uint32_t tree_index) { - addr[7] = tree_index; -} 
diff --git a/crypto_sign/sphincs-haraka-192s-robust/clean/address.h b/crypto_sign/sphincs-haraka-192s-robust/clean/address.h
deleted file mode 100644
index d5b18e2c..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/clean/address.h
+++ /dev/null
@@ -1,50 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDRESS_H -#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDRESS_H - -#include - -#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_TYPE_WOTS 0 -#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_TYPE_WOTSPK 1 -#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_TYPE_HASHTREE 2 -#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_TYPE_FORSTREE 3 -#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_TYPE_FORSPK 4 - -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_addr_to_bytes( - unsigned char *bytes, const uint32_t addr[8]); - -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_layer_addr( - uint32_t addr[8], uint32_t layer); - -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_tree_addr( - uint32_t addr[8], uint64_t tree); - -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_type( - uint32_t addr[8], uint32_t type); - -/* Copies the layer and tree part of one address into the other */ -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_copy_subtree_addr( - uint32_t out[8], const uint32_t in[8]); - -/* These functions are used for WOTS and FORS addresses. */ - -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_keypair_addr( - uint32_t addr[8], uint32_t keypair); - -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_chain_addr( - uint32_t addr[8], uint32_t chain); - -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_hash_addr( - uint32_t addr[8], uint32_t hash); - -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_copy_keypair_addr( - uint32_t out[8], const uint32_t in[8]); - -/* These functions are used for all hash tree addresses (including FORS). */ - -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_tree_height( - uint32_t addr[8], uint32_t tree_height); - -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_tree_index( - uint32_t addr[8], uint32_t tree_index); - -#endif diff --git a/crypto_sign/sphincs-haraka-192s-robust/clean/api.h b/crypto_sign/sphincs-haraka-192s-robust/clean/api.h deleted file mode 100644 index d3064370..00000000 
--- a/crypto_sign/sphincs-haraka-192s-robust/clean/api.h
+++ /dev/null
@@ -1,81 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_API_H -#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_API_H - -#include -#include - - - -#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_CRYPTO_ALGNAME "SPHINCS+" - -#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_CRYPTO_SECRETKEYBYTES 96 -#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_CRYPTO_PUBLICKEYBYTES 48 -#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_CRYPTO_BYTES 17064 -#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_CRYPTO_SEEDBYTES 72 - - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_crypto_sign_secretkeybytes(void); - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_crypto_sign_publickeybytes(void); - -/* - * Returns the length of a signature, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_crypto_sign_bytes(void); - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_crypto_sign_seedbytes(void); - -/* - * Generates a SPHINCS+ key pair given a seed. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -int PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_crypto_sign_seed_keypair( - uint8_t *pk, uint8_t *sk, const uint8_t *seed); - -/* - * Generates a SPHINCS+ key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -int PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk); - -/** - * Returns an array containing a detached signature. - */ -int PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -/** - * Verifies a detached signature and message under a given public key. 
- */ -int PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk); - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -/** - * Verifies a given signature-message pair under a given public key. - */ -int PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk); - -#endif diff --git a/crypto_sign/sphincs-haraka-192s-robust/clean/fors.c b/crypto_sign/sphincs-haraka-192s-robust/clean/fors.c deleted file mode 100644 index 3866d539..00000000 --- a/crypto_sign/sphincs-haraka-192s-robust/clean/fors.c +++ /dev/null 
@@ -1,161 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "fors.h" -#include "hash.h" -#include "hash_state.h" -#include "thash.h" -#include "utils.h" - -static void fors_gen_sk(unsigned char *sk, const unsigned char *sk_seed, - uint32_t fors_leaf_addr[8], const hash_state *hash_state_seeded) { - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_prf_addr( - sk, sk_seed, fors_leaf_addr, hash_state_seeded); -} - -static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk, - const unsigned char *pub_seed, - uint32_t fors_leaf_addr[8], - const hash_state *hash_state_seeded) { - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_thash_1( - leaf, sk, pub_seed, fors_leaf_addr, hash_state_seeded); -} - -static void fors_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx, const uint32_t fors_tree_addr[8], - const hash_state *hash_state_seeded) { - uint32_t fors_leaf_addr[8] = {0}; - - /* Only copy the parts that must be kept in fors_leaf_addr. */ - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_copy_keypair_addr( - fors_leaf_addr, fors_tree_addr); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_type( - fors_leaf_addr, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_TYPE_FORSTREE); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_tree_index( - fors_leaf_addr, addr_idx); - - fors_gen_sk(leaf, sk_seed, fors_leaf_addr, hash_state_seeded); - fors_sk_to_leaf(leaf, leaf, pub_seed, fors_leaf_addr, hash_state_seeded); -} - -/** - * Interprets m as PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_HEIGHT-bit unsigned integers. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_TREES bits. - * Assumes indices has space for PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_TREES integers. 
- */ -static void message_to_indices(uint32_t *indices, const unsigned char *m) { - unsigned int i, j; - unsigned int offset = 0; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_TREES; i++) { - indices[i] = 0; - for (j = 0; j < PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_HEIGHT; j++) { - indices[i] ^= (((uint32_t)m[offset >> 3] >> (offset & 0x7)) & 0x1) << j; - offset++; - } - } -} - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_TREES bits. - */ -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_fors_sign( - unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const unsigned char *sk_seed, const unsigned char *pub_seed, - const uint32_t fors_addr[8], const hash_state *hash_state_seeded) { - uint32_t indices[PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_TREES]; - unsigned char roots[PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N]; - uint32_t fors_tree_addr[8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_copy_keypair_addr( - fors_tree_addr, fors_addr); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_copy_keypair_addr( - fors_pk_addr, fors_addr); - - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_type( - fors_tree_addr, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_TYPE_FORSTREE); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_type( - fors_pk_addr, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_TREES; i++) { - idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_HEIGHT); - - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_tree_height( - fors_tree_addr, 0); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_tree_index( - fors_tree_addr, indices[i] + idx_offset); - - /* Include 
the secret key part that produces the selected leaf node. */ - fors_gen_sk(sig, sk_seed, fors_tree_addr, hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N; - - /* Compute the authentication path for this leaf node. */ - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_treehash_FORS_HEIGHT( - roots + i * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, sig, sk_seed, pub_seed, - indices[i], idx_offset, fors_gen_leaf, fors_tree_addr, - hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_thash_FORS_TREES( - pk, roots, pub_seed, fors_pk_addr, hash_state_seeded); -} - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_TREES bits. 
- */ -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_fors_pk_from_sig( - unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const unsigned char *pub_seed, const uint32_t fors_addr[8], - const hash_state *hash_state_seeded) { - uint32_t indices[PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_TREES]; - unsigned char roots[PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N]; - uint32_t fors_tree_addr[8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_copy_keypair_addr(fors_tree_addr, fors_addr); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_copy_keypair_addr(fors_pk_addr, fors_addr); - - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_type(fors_tree_addr, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_TYPE_FORSTREE); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_TREES; i++) { - idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_HEIGHT); - - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_tree_height(fors_tree_addr, 0); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_tree_index(fors_tree_addr, indices[i] + idx_offset); - - /* Derive the leaf from the included secret key part. */ - fors_sk_to_leaf(leaf, sig, pub_seed, fors_tree_addr, hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N; - - /* Derive the corresponding root node of this tree. 
*/ - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_compute_root(roots + i * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, leaf, indices[i], idx_offset, sig, - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_HEIGHT, pub_seed, fors_tree_addr, hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-192s-robust/clean/fors.h b/crypto_sign/sphincs-haraka-192s-robust/clean/fors.h deleted file mode 100644 index 2cbb3f8d..00000000 --- a/crypto_sign/sphincs-haraka-192s-robust/clean/fors.h +++ /dev/null 
@@ -1,32 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_H -#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_H - -#include - -#include "hash_state.h" -#include "params.h" - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_TREES bits. - */ -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_fors_sign( - unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const unsigned char *sk_seed, const unsigned char *pub_seed, - const uint32_t fors_addr[8], const hash_state *hash_state_seeded); - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_TREES bits. - */ -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_fors_pk_from_sig( - unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const unsigned char *pub_seed, const uint32_t fors_addr[8], - const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-192s-robust/clean/haraka.c b/crypto_sign/sphincs-haraka-192s-robust/clean/haraka.c deleted file mode 100644 index 68eb00a6..00000000 --- a/crypto_sign/sphincs-haraka-192s-robust/clean/haraka.c +++ /dev/null 
@@ -1,963 +0,0 @@ -/* - * Constant time implementation of the Haraka hash function. - * - * The bit-sliced implementation of the AES round functions are - * based on the AES implementation in BearSSL written - * by Thomas Pornin - */ - -#include -#include -#include -#include - -#include "haraka.h" - -#define HARAKAS_RATE 32 - -static const uint64_t haraka512_rc64[10][8] = { - {0x24cf0ab9086f628b, 0xbdd6eeecc83b8382, 0xd96fb0306cdad0a7, 0xaace082ac8f95f89, 0x449d8e8870d7041f, 0x49bb2f80b2b3e2f8, 0x0569ae98d93bb258, 0x23dc9691e7d6a4b1}, - {0xd8ba10ede0fe5b6e, 0x7ecf7dbe424c7b8e, 0x6ea9949c6df62a31, 0xbf3f3c97ec9c313e, 0x241d03a196a1861e, 0xead3a51116e5a2ea, 0x77d479fcad9574e3, 0x18657a1af894b7a0}, - {0x10671e1a7f595522, 0xd9a00ff675d28c7b, 0x2f1edf0d2b9ba661, 0xb8ff58b8e3de45f9, 0xee29261da9865c02, 0xd1532aa4b50bdf43, 0x8bf858159b231bb1, 0xdf17439d22d4f599}, - {0xdd4b2f0870b918c0, 0x757a81f3b39b1bb6, 0x7a5c556898952e3f, 0x7dd70a16d915d87a, 0x3ae61971982b8301, 0xc3ab319e030412be, 0x17c0033ac094a8cb, 0x5a0630fc1a8dc4ef}, - {0x17708988c1632f73, 0xf92ddae090b44f4f, 0x11ac0285c43aa314, 0x509059941936b8ba, 0xd03e152fa2ce9b69, 0x3fbcbcb63a32998b, 0x6204696d692254f7, 0x915542ed93ec59b4}, - {0xf4ed94aa8879236e, 0xff6cb41cd38e03c0, 0x069b38602368aeab, 0x669495b820f0ddba, 0xf42013b1b8bf9e3d, 0xcf935efe6439734d, 0xbc1dcf42ca29e3f8, 0x7e6d3ed29f78ad67}, - {0xf3b0f6837ffcddaa, 0x3a76faef934ddf41, 0xcec7ae583a9c8e35, 0xe4dd18c68f0260af, 0x2c0e5df1ad398eaa, 0x478df5236ae22e8c, 0xfb944c46fe865f39, 0xaa48f82f028132ba}, - {0x231b9ae2b76aca77, 0x292a76a712db0b40, 0x5850625dc8134491, 0x73137dd469810fb5, 0x8a12a6a202a474fd, 0xd36fd9daa78bdb80, 0xb34c5e733505706f, 0xbaf1cdca818d9d96}, - {0x2e99781335e8c641, 0xbddfe5cce47d560e, 0xf74e9bf32e5e040c, 0x1d7a709d65996be9, 0x670df36a9cf66cdd, 0xd05ef84a176a2875, 0x0f888e828cb1c44e, 0x1a79e9c9727b052c}, - {0x83497348628d84de, 0x2e9387d51f22a754, 0xb000068da2f852d6, 0x378c9e1190fd6fe5, 0x870027c316de7293, 0xe51a9d4462e047bb, 0x90ecf7f8c6251195, 
0x655953bfbed90a9c}, -}; - -static inline uint32_t br_dec32le(const unsigned char *src) { - return (uint32_t)src[0] - | ((uint32_t)src[1] << 8) - | ((uint32_t)src[2] << 16) - | ((uint32_t)src[3] << 24); -} - -static void br_range_dec32le(uint32_t *v, size_t num, const unsigned char *src) { - while (num-- > 0) { - *v ++ = br_dec32le(src); - src += 4; - } -} - -static inline void br_enc32le(unsigned char *dst, uint32_t x) { - dst[0] = (unsigned char)x; - dst[1] = (unsigned char)(x >> 8); - dst[2] = (unsigned char)(x >> 16); - dst[3] = (unsigned char)(x >> 24); -} - - -static void br_range_enc32le(unsigned char *dst, const uint32_t *v, size_t num) { - while (num-- > 0) { - br_enc32le(dst, *v ++); - dst += 4; - } -} - -static void br_aes_ct64_bitslice_Sbox(uint64_t *q) { - /* - * This S-box implementation is a straightforward translation of - * the circuit described by Boyar and Peralta in "A new - * combinational logic minimization technique with applications - * to cryptology" (https://eprint.iacr.org/2009/191.pdf). - * - * Note that variables x* (input) and s* (output) are numbered - * in "reverse" order (x0 is the high bit, x7 is the low bit). 
- */ - - uint64_t x0, x1, x2, x3, x4, x5, x6, x7; - uint64_t y1, y2, y3, y4, y5, y6, y7, y8, y9; - uint64_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19; - uint64_t y20, y21; - uint64_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9; - uint64_t z10, z11, z12, z13, z14, z15, z16, z17; - uint64_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9; - uint64_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19; - uint64_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29; - uint64_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39; - uint64_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49; - uint64_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59; - uint64_t t60, t61, t62, t63, t64, t65, t66, t67; - uint64_t s0, s1, s2, s3, s4, s5, s6, s7; - - x0 = q[7]; - x1 = q[6]; - x2 = q[5]; - x3 = q[4]; - x4 = q[3]; - x5 = q[2]; - x6 = q[1]; - x7 = q[0]; - - /* - * Top linear transformation. - */ - y14 = x3 ^ x5; - y13 = x0 ^ x6; - y9 = x0 ^ x3; - y8 = x0 ^ x5; - t0 = x1 ^ x2; - y1 = t0 ^ x7; - y4 = y1 ^ x3; - y12 = y13 ^ y14; - y2 = y1 ^ x0; - y5 = y1 ^ x6; - y3 = y5 ^ y8; - t1 = x4 ^ y12; - y15 = t1 ^ x5; - y20 = t1 ^ x1; - y6 = y15 ^ x7; - y10 = y15 ^ t0; - y11 = y20 ^ y9; - y7 = x7 ^ y11; - y17 = y10 ^ y11; - y19 = y10 ^ y8; - y16 = t0 ^ y11; - y21 = y13 ^ y16; - y18 = x0 ^ y16; - - /* - * Non-linear section. 
- */ - t2 = y12 & y15; - t3 = y3 & y6; - t4 = t3 ^ t2; - t5 = y4 & x7; - t6 = t5 ^ t2; - t7 = y13 & y16; - t8 = y5 & y1; - t9 = t8 ^ t7; - t10 = y2 & y7; - t11 = t10 ^ t7; - t12 = y9 & y11; - t13 = y14 & y17; - t14 = t13 ^ t12; - t15 = y8 & y10; - t16 = t15 ^ t12; - t17 = t4 ^ t14; - t18 = t6 ^ t16; - t19 = t9 ^ t14; - t20 = t11 ^ t16; - t21 = t17 ^ y20; - t22 = t18 ^ y19; - t23 = t19 ^ y21; - t24 = t20 ^ y18; - - t25 = t21 ^ t22; - t26 = t21 & t23; - t27 = t24 ^ t26; - t28 = t25 & t27; - t29 = t28 ^ t22; - t30 = t23 ^ t24; - t31 = t22 ^ t26; - t32 = t31 & t30; - t33 = t32 ^ t24; - t34 = t23 ^ t33; - t35 = t27 ^ t33; - t36 = t24 & t35; - t37 = t36 ^ t34; - t38 = t27 ^ t36; - t39 = t29 & t38; - t40 = t25 ^ t39; - - t41 = t40 ^ t37; - t42 = t29 ^ t33; - t43 = t29 ^ t40; - t44 = t33 ^ t37; - t45 = t42 ^ t41; - z0 = t44 & y15; - z1 = t37 & y6; - z2 = t33 & x7; - z3 = t43 & y16; - z4 = t40 & y1; - z5 = t29 & y7; - z6 = t42 & y11; - z7 = t45 & y17; - z8 = t41 & y10; - z9 = t44 & y12; - z10 = t37 & y3; - z11 = t33 & y4; - z12 = t43 & y13; - z13 = t40 & y5; - z14 = t29 & y2; - z15 = t42 & y9; - z16 = t45 & y14; - z17 = t41 & y8; - - /* - * Bottom linear transformation. 
- */ - t46 = z15 ^ z16; - t47 = z10 ^ z11; - t48 = z5 ^ z13; - t49 = z9 ^ z10; - t50 = z2 ^ z12; - t51 = z2 ^ z5; - t52 = z7 ^ z8; - t53 = z0 ^ z3; - t54 = z6 ^ z7; - t55 = z16 ^ z17; - t56 = z12 ^ t48; - t57 = t50 ^ t53; - t58 = z4 ^ t46; - t59 = z3 ^ t54; - t60 = t46 ^ t57; - t61 = z14 ^ t57; - t62 = t52 ^ t58; - t63 = t49 ^ t58; - t64 = z4 ^ t59; - t65 = t61 ^ t62; - t66 = z1 ^ t63; - s0 = t59 ^ t63; - s6 = t56 ^ ~t62; - s7 = t48 ^ ~t60; - t67 = t64 ^ t65; - s3 = t53 ^ t66; - s4 = t51 ^ t66; - s5 = t47 ^ t65; - s1 = t64 ^ ~s3; - s2 = t55 ^ ~t67; - - q[7] = s0; - q[6] = s1; - q[5] = s2; - q[4] = s3; - q[3] = s4; - q[2] = s5; - q[1] = s6; - q[0] = s7; -} - -static void br_aes_ct_bitslice_Sbox(uint32_t *q) { - /* - * This S-box implementation is a straightforward translation of - * the circuit described by Boyar and Peralta in "A new - * combinational logic minimization technique with applications - * to cryptology" (https://eprint.iacr.org/2009/191.pdf). - * - * Note that variables x* (input) and s* (output) are numbered - * in "reverse" order (x0 is the high bit, x7 is the low bit). - */ - - uint32_t x0, x1, x2, x3, x4, x5, x6, x7; - uint32_t y1, y2, y3, y4, y5, y6, y7, y8, y9; - uint32_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19; - uint32_t y20, y21; - uint32_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9; - uint32_t z10, z11, z12, z13, z14, z15, z16, z17; - uint32_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9; - uint32_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19; - uint32_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29; - uint32_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39; - uint32_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49; - uint32_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59; - uint32_t t60, t61, t62, t63, t64, t65, t66, t67; - uint32_t s0, s1, s2, s3, s4, s5, s6, s7; - - x0 = q[7]; - x1 = q[6]; - x2 = q[5]; - x3 = q[4]; - x4 = q[3]; - x5 = q[2]; - x6 = q[1]; - x7 = q[0]; - - /* - * Top linear transformation. 
- */
- y14 = x3 ^ x5;
- y13 = x0 ^ x6;
- y9 = x0 ^ x3;
- y8 = x0 ^ x5;
- t0 = x1 ^ x2;
- y1 = t0 ^ x7;
- y4 = y1 ^ x3;
- y12 = y13 ^ y14;
- y2 = y1 ^ x0;
- y5 = y1 ^ x6;
- y3 = y5 ^ y8;
- t1 = x4 ^ y12;
- y15 = t1 ^ x5;
- y20 = t1 ^ x1;
- y6 = y15 ^ x7;
- y10 = y15 ^ t0;
- y11 = y20 ^ y9;
- y7 = x7 ^ y11;
- y17 = y10 ^ y11;
- y19 = y10 ^ y8;
- y16 = t0 ^ y11;
- y21 = y13 ^ y16;
- y18 = x0 ^ y16;
-
- /*
- * Non-linear section.
- */
- t2 = y12 & y15;
- t3 = y3 & y6;
- t4 = t3 ^ t2;
- t5 = y4 & x7;
- t6 = t5 ^ t2;
- t7 = y13 & y16;
- t8 = y5 & y1;
- t9 = t8 ^ t7;
- t10 = y2 & y7;
- t11 = t10 ^ t7;
- t12 = y9 & y11;
- t13 = y14 & y17;
- t14 = t13 ^ t12;
- t15 = y8 & y10;
- t16 = t15 ^ t12;
- t17 = t4 ^ t14;
- t18 = t6 ^ t16;
- t19 = t9 ^ t14;
- t20 = t11 ^ t16;
- t21 = t17 ^ y20;
- t22 = t18 ^ y19;
- t23 = t19 ^ y21;
- t24 = t20 ^ y18;
-
- t25 = t21 ^ t22;
- t26 = t21 & t23;
- t27 = t24 ^ t26;
- t28 = t25 & t27;
- t29 = t28 ^ t22;
- t30 = t23 ^ t24;
- t31 = t22 ^ t26;
- t32 = t31 & t30;
- t33 = t32 ^ t24;
- t34 = t23 ^ t33;
- t35 = t27 ^ t33;
- t36 = t24 & t35;
- t37 = t36 ^ t34;
- t38 = t27 ^ t36;
- t39 = t29 & t38;
- t40 = t25 ^ t39;
-
- t41 = t40 ^ t37;
- t42 = t29 ^ t33;
- t43 = t29 ^ t40;
- t44 = t33 ^ t37;
- t45 = t42 ^ t41;
- z0 = t44 & y15;
- z1 = t37 & y6;
- z2 = t33 & x7;
- z3 = t43 & y16;
- z4 = t40 & y1;
- z5 = t29 & y7;
- z6 = t42 & y11;
- z7 = t45 & y17;
- z8 = t41 & y10;
- z9 = t44 & y12;
- z10 = t37 & y3;
- z11 = t33 & y4;
- z12 = t43 & y13;
- z13 = t40 & y5;
- z14 = t29 & y2;
- z15 = t42 & y9;
- z16 = t45 & y14;
- z17 = t41 & y8;
-
- /*
- * Bottom linear transformation.
- */
- t46 = z15 ^ z16;
- t47 = z10 ^ z11;
- t48 = z5 ^ z13;
- t49 = z9 ^ z10;
- t50 = z2 ^ z12;
- t51 = z2 ^ z5;
- t52 = z7 ^ z8;
- t53 = z0 ^ z3;
- t54 = z6 ^ z7;
- t55 = z16 ^ z17;
- t56 = z12 ^ t48;
- t57 = t50 ^ t53;
- t58 = z4 ^ t46;
- t59 = z3 ^ t54;
- t60 = t46 ^ t57;
- t61 = z14 ^ t57;
- t62 = t52 ^ t58;
- t63 = t49 ^ t58;
- t64 = z4 ^ t59;
- t65 = t61 ^ t62;
- t66 = z1 ^ t63;
- s0 = t59 ^ t63;
- s6 = t56 ^ ~t62;
- s7 = t48 ^ ~t60;
- t67 = t64 ^ t65;
- s3 = t53 ^ t66;
- s4 = t51 ^ t66;
- s5 = t47 ^ t65;
- s1 = t64 ^ ~s3;
- s2 = t55 ^ ~t67;
-
- q[7] = s0;
- q[6] = s1;
- q[5] = s2;
- q[4] = s3;
- q[3] = s4;
- q[2] = s5;
- q[1] = s6;
- q[0] = s7;
-}
-
-static void br_aes_ct_ortho(uint32_t *q) {
-#define SWAPN_32(cl, ch, s, x, y) do { \
- uint32_t a, b; \
- a = (x); \
- b = (y); \
- (x) = (a & (uint32_t)(cl)) | ((b & (uint32_t)(cl)) << (s)); \
- (y) = ((a & (uint32_t)(ch)) >> (s)) | (b & (uint32_t)(ch)); \
- } while (0)
-
-#define SWAP2_32(x, y) SWAPN_32(0x55555555, 0xAAAAAAAA, 1, x, y)
-#define SWAP4_32(x, y) SWAPN_32(0x33333333, 0xCCCCCCCC, 2, x, y)
-#define SWAP8_32(x, y) SWAPN_32(0x0F0F0F0F, 0xF0F0F0F0, 4, x, y)
-
- SWAP2_32(q[0], q[1]);
- SWAP2_32(q[2], q[3]);
- SWAP2_32(q[4], q[5]);
- SWAP2_32(q[6], q[7]);
-
- SWAP4_32(q[0], q[2]);
- SWAP4_32(q[1], q[3]);
- SWAP4_32(q[4], q[6]);
- SWAP4_32(q[5], q[7]);
-
- SWAP8_32(q[0], q[4]);
- SWAP8_32(q[1], q[5]);
- SWAP8_32(q[2], q[6]);
- SWAP8_32(q[3], q[7]);
-}
-
-static inline void add_round_key32(uint32_t *q, const uint32_t *sk) {
- q[0] ^= sk[0];
- q[1] ^= sk[1];
- q[2] ^= sk[2];
- q[3] ^= sk[3];
- q[4] ^= sk[4];
- q[5] ^= sk[5];
- q[6] ^= sk[6];
- q[7] ^= sk[7];
-}
-
-static inline void shift_rows32(uint32_t *q) {
- int i;
-
- for (i = 0; i < 8; i++) {
- uint32_t x;
-
- x = q[i];
- q[i] = (x & 0x000000FF)
- | ((x & 0x0000FC00) >> 2) | ((x & 0x00000300) << 6)
- | ((x & 0x00F00000) >> 4) | ((x & 0x000F0000) << 4)
- | ((x & 0xC0000000) >> 6) | ((x & 0x3F000000) << 2);
- }
-}
-
-static inline uint32_t rotr16(uint32_t x) {
- return (x << 16) | (x >> 16);
-}
-
-static inline void mix_columns32(uint32_t *q) {
- uint32_t q0, q1, q2, q3, q4, q5, q6, q7;
- uint32_t r0, r1, r2, r3, r4, r5, r6, r7;
-
- q0 = q[0];
- q1 = q[1];
- q2 = q[2];
- q3 = q[3];
- q4 = q[4];
- q5 = q[5];
- q6 = q[6];
- q7 = q[7];
- r0 = (q0 >> 8) | (q0 << 24);
- r1 = (q1 >> 8) | (q1 << 24);
- r2 = (q2 >> 8) | (q2 << 24);
- r3 = (q3 >> 8) | (q3 << 24);
- r4 = (q4 >> 8) | (q4 << 24);
- r5 = (q5 >> 8) | (q5 << 24);
- r6 = (q6 >> 8) | (q6 << 24);
- r7 = (q7 >> 8) | (q7 << 24);
-
- q[0] = q7 ^ r7 ^ r0 ^ rotr16(q0 ^ r0);
- q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr16(q1 ^ r1);
- q[2] = q1 ^ r1 ^ r2 ^ rotr16(q2 ^ r2);
- q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr16(q3 ^ r3);
- q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr16(q4 ^ r4);
- q[5] = q4 ^ r4 ^ r5 ^ rotr16(q5 ^ r5);
- q[6] = q5 ^ r5 ^ r6 ^ rotr16(q6 ^ r6);
- q[7] = q6 ^ r6 ^ r7 ^ rotr16(q7 ^ r7);
-}
-
-static void br_aes_ct64_ortho(uint64_t *q) {
-#define SWAPN(cl, ch, s, x, y) do { \
- uint64_t a, b; \
- a = (x); \
- b = (y); \
- (x) = (a & (uint64_t)(cl)) | ((b & (uint64_t)(cl)) << (s)); \
- (y) = ((a & (uint64_t)(ch)) >> (s)) | (b & (uint64_t)(ch)); \
- } while (0)
-
-#define SWAP2(x, y) SWAPN(0x5555555555555555, 0xAAAAAAAAAAAAAAAA, 1, x, y)
-#define SWAP4(x, y) SWAPN(0x3333333333333333, 0xCCCCCCCCCCCCCCCC, 2, x, y)
-#define SWAP8(x, y) SWAPN(0x0F0F0F0F0F0F0F0F, 0xF0F0F0F0F0F0F0F0, 4, x, y)
-
- SWAP2(q[0], q[1]);
- SWAP2(q[2], q[3]);
- SWAP2(q[4], q[5]);
- SWAP2(q[6], q[7]);
-
- SWAP4(q[0], q[2]);
- SWAP4(q[1], q[3]);
- SWAP4(q[4], q[6]);
- SWAP4(q[5], q[7]);
-
- SWAP8(q[0], q[4]);
- SWAP8(q[1], q[5]);
- SWAP8(q[2], q[6]);
- SWAP8(q[3], q[7]);
-}
-
-
-static void br_aes_ct64_interleave_in(uint64_t *q0, uint64_t *q1, const uint32_t *w) {
- uint64_t x0, x1, x2, x3;
-
- x0 = w[0];
- x1 = w[1];
- x2 = w[2];
- x3 = w[3];
- x0 |= (x0 << 16);
- x1 |= (x1 << 16);
- x2 |= (x2 << 16);
- x3 |= (x3 << 16);
- x0 &= (uint64_t)0x0000FFFF0000FFFF;
- x1 &= (uint64_t)0x0000FFFF0000FFFF;
- x2 &= (uint64_t)0x0000FFFF0000FFFF;
- x3 &= (uint64_t)0x0000FFFF0000FFFF;
- x0 |= (x0 << 8);
- x1 |= (x1 << 8);
- x2 |= (x2 << 8);
- x3 |= (x3 << 8);
- x0 &= (uint64_t)0x00FF00FF00FF00FF;
- x1 &= (uint64_t)0x00FF00FF00FF00FF;
- x2 &= (uint64_t)0x00FF00FF00FF00FF;
- x3 &= (uint64_t)0x00FF00FF00FF00FF;
- *q0 = x0 | (x2 << 8);
- *q1 = x1 | (x3 << 8);
-}
-
-
-static void br_aes_ct64_interleave_out(uint32_t *w, uint64_t q0, uint64_t q1) {
- uint64_t x0, x1, x2, x3;
-
- x0 = q0 & (uint64_t)0x00FF00FF00FF00FF;
- x1 = q1 & (uint64_t)0x00FF00FF00FF00FF;
- x2 = (q0 >> 8) & (uint64_t)0x00FF00FF00FF00FF;
- x3 = (q1 >> 8) & (uint64_t)0x00FF00FF00FF00FF;
- x0 |= (x0 >> 8);
- x1 |= (x1 >> 8);
- x2 |= (x2 >> 8);
- x3 |= (x3 >> 8);
- x0 &= (uint64_t)0x0000FFFF0000FFFF;
- x1 &= (uint64_t)0x0000FFFF0000FFFF;
- x2 &= (uint64_t)0x0000FFFF0000FFFF;
- x3 &= (uint64_t)0x0000FFFF0000FFFF;
- w[0] = (uint32_t)x0 | (uint32_t)(x0 >> 16);
- w[1] = (uint32_t)x1 | (uint32_t)(x1 >> 16);
- w[2] = (uint32_t)x2 | (uint32_t)(x2 >> 16);
- w[3] = (uint32_t)x3 | (uint32_t)(x3 >> 16);
-}
-
-static inline void add_round_key(uint64_t *q, const uint64_t *sk) {
- q[0] ^= sk[0];
- q[1] ^= sk[1];
- q[2] ^= sk[2];
- q[3] ^= sk[3];
- q[4] ^= sk[4];
- q[5] ^= sk[5];
- q[6] ^= sk[6];
- q[7] ^= sk[7];
-}
-
-static inline void shift_rows(uint64_t *q) {
- int i;
-
- for (i = 0; i < 8; i++) {
- uint64_t x;
-
- x = q[i];
- q[i] = (x & (uint64_t)0x000000000000FFFF)
- | ((x & (uint64_t)0x00000000FFF00000) >> 4)
- | ((x & (uint64_t)0x00000000000F0000) << 12)
- | ((x & (uint64_t)0x0000FF0000000000) >> 8)
- | ((x & (uint64_t)0x000000FF00000000) << 8)
- | ((x & (uint64_t)0xF000000000000000) >> 12)
- | ((x & (uint64_t)0x0FFF000000000000) << 4);
- }
-}
-
-static inline uint64_t rotr32(uint64_t x) {
- return (x << 32) | (x >> 32);
-}
-
-static inline void mix_columns(uint64_t *q) {
- uint64_t q0, q1, q2, q3, q4, q5, q6, q7;
- uint64_t r0, r1, r2, r3, r4, r5, r6, r7;
-
- q0 = q[0];
- q1 = q[1];
- q2 = q[2];
- q3 = q[3];
- q4 = q[4];
- q5 = q[5];
- q6 = q[6];
- q7 = q[7];
- r0 = (q0 >> 16) | (q0 << 48);
- r1 = (q1 >> 16) | (q1 << 48);
- r2 = (q2 >> 16) | (q2 << 48);
- r3 = (q3 >> 16) | (q3 << 48);
- r4 = (q4 >> 16) | (q4 << 48);
- r5 = (q5 >> 16) | (q5 << 48);
- r6 = (q6 >> 16) | (q6 << 48);
- r7 = (q7 >> 16) | (q7 << 48);
-
- q[0] = q7 ^ r7 ^ r0 ^ rotr32(q0 ^ r0);
- q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr32(q1 ^ r1);
- q[2] = q1 ^ r1 ^ r2 ^ rotr32(q2 ^ r2);
- q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr32(q3 ^ r3);
- q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr32(q4 ^ r4);
- q[5] = q4 ^ r4 ^ r5 ^ rotr32(q5 ^ r5);
- q[6] = q5 ^ r5 ^ r6 ^ rotr32(q6 ^ r6);
- q[7] = q6 ^ r6 ^ r7 ^ rotr32(q7 ^ r7);
-}
-
-static void interleave_constant(uint64_t *out, const unsigned char *in) {
- uint32_t tmp_32_constant[16];
- int i;
-
- br_range_dec32le(tmp_32_constant, 16, in);
- for (i = 0; i < 4; i++) {
- br_aes_ct64_interleave_in(&out[i], &out[i + 4], tmp_32_constant + (i << 2));
- }
- br_aes_ct64_ortho(out);
-}
-
-static void interleave_constant32(uint32_t *out, const unsigned char *in) {
- int i;
- for (i = 0; i < 4; i++) {
- out[2 * i] = br_dec32le(in + 4 * i);
- out[2 * i + 1] = br_dec32le(in + 4 * i + 16);
- }
- br_aes_ct_ortho(out);
-}
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length) {
- unsigned char buf[40 * 16];
- int i;
-
- /* Use the standard constants to generate tweaked ones. */
- memcpy((uint8_t *)state->tweaked512_rc64, (uint8_t *)haraka512_rc64, 40 * 16);
-
- /* Constants for sk.seed */
- if (sk_seed != NULL) {
- PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S(
- buf, 40 * 16, sk_seed, seed_length, state);
-
- /* Interleave constants */
- for (i = 0; i < 10; i++) {
- interleave_constant32(state->tweaked256_rc32_sseed[i], buf + 32 * i);
- }
- }
-
- /* Constants for pk.seed */
- PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S(
- buf, 40 * 16, pk_seed, seed_length, state);
- for (i = 0; i < 10; i++) {
- interleave_constant32(state->tweaked256_rc32[i], buf + 32 * i);
- interleave_constant(state->tweaked512_rc64[i], buf + 64 * i);
- }
-}
-
-static void haraka_S_absorb(unsigned char *s,
- const unsigned char *m, unsigned long long mlen,
- unsigned char p, const harakactx *state) {
- unsigned long long i;
- unsigned char t[HARAKAS_RATE];
-
- while (mlen >= HARAKAS_RATE) {
- /* XOR block to state */
- for (i = 0; i < HARAKAS_RATE; ++i) {
- s[i] ^= m[i];
- }
- PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka512_perm(s, s, state);
- mlen -= HARAKAS_RATE;
- m += HARAKAS_RATE;
- }
-
- for (i = 0; i < HARAKAS_RATE; ++i) {
- t[i] = 0;
- }
- for (i = 0; i < mlen; ++i) {
- t[i] = m[i];
- }
- t[i] = p;
- t[HARAKAS_RATE - 1] |= 128;
- for (i = 0; i < HARAKAS_RATE; ++i) {
- s[i] ^= t[i];
- }
-}
-
-static void haraka_S_squeezeblocks(unsigned char *h, unsigned long long nblocks,
- unsigned char *s, const harakactx *state) {
- while (nblocks > 0) {
- PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka512_perm(s, s, state);
- memcpy(h, s, HARAKAS_RATE);
- h += HARAKAS_RATE;
- nblocks--;
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S_inc_init(uint8_t *s_inc) {
- size_t i;
-
- for (i = 0; i < 64; i++) {
- s_inc[i] = 0;
- }
- s_inc[64] = 0;
-}
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state) {
- size_t i;
-
- /* Recall that s_inc[64] is the non-absorbed bytes xored into the state */
- while (mlen + s_inc[64] >= HARAKAS_RATE) {
- for (i = 0; i < (size_t)(HARAKAS_RATE - s_inc[64]); i++) {
- /* Take the i'th byte from message
- xor with the s_inc[64] + i'th byte of the state */
- s_inc[s_inc[64] + i] ^= m[i];
- }
- mlen -= (size_t)(HARAKAS_RATE - s_inc[64]);
- m += HARAKAS_RATE - s_inc[64];
- s_inc[64] = 0;
-
- PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka512_perm(s_inc, s_inc, state);
- }
-
- for (i = 0; i < mlen; i++) {
- s_inc[s_inc[64] + i] ^= m[i];
- }
- s_inc[64] = (uint8_t)(mlen + s_inc[64]);
-}
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S_inc_finalize(uint8_t *s_inc) {
- /* After haraka_S_inc_absorb, we are guaranteed that s_inc[64] < HARAKAS_RATE,
- so we can always use one more byte for p in the current state. */
- s_inc[s_inc[64]] ^= 0x1F;
- s_inc[HARAKAS_RATE - 1] ^= 128;
- s_inc[64] = 0;
-}
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state) {
- uint8_t i;
-
- /* First consume any bytes we still have sitting around */
- for (i = 0; i < outlen && i < s_inc[64]; i++) {
- /* There are s_inc[64] bytes left, so r - s_inc[64] is the first
- available byte. We consume from there, i.e., up to r. */
- out[i] = s_inc[(HARAKAS_RATE - s_inc[64] + i)];
- }
- out += i;
- outlen -= i;
- s_inc[64] = (uint8_t)(s_inc[64] - i);
-
- /* Then squeeze the remaining necessary blocks */
- while (outlen > 0) {
- PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka512_perm(s_inc, s_inc, state);
-
- for (i = 0; i < outlen && i < HARAKAS_RATE; i++) {
- out[i] = s_inc[i];
- }
- out += i;
- outlen -= i;
- s_inc[64] = (uint8_t)(HARAKAS_RATE - i);
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S(unsigned char *out, unsigned long long outlen, const unsigned char *in, unsigned long long inlen, const harakactx *state) {
- unsigned long long i;
- unsigned char s[64];
- unsigned char d[32];
-
- for (i = 0; i < 64; i++) {
- s[i] = 0;
- }
- haraka_S_absorb(s, in, inlen, 0x1F, state);
-
- haraka_S_squeezeblocks(out, outlen / 32, s, state);
- out += (outlen / 32) * 32;
-
- if (outlen % 32) {
- haraka_S_squeezeblocks(d, 1, s, state);
- for (i = 0; i < outlen % 32; i++) {
- out[i] = d[i];
- }
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state) {
- uint32_t w[16];
- uint64_t q[8], tmp_q;
- unsigned int i, j;
-
- br_range_dec32le(w, 16, in);
- for (i = 0; i < 4; i++) {
- br_aes_ct64_interleave_in(&q[i], &q[i + 4], w + (i << 2));
- }
- br_aes_ct64_ortho(q);
-
- /* AES rounds */
- for (i = 0; i < 5; i++) {
- for (j = 0; j < 2; j++) {
- br_aes_ct64_bitslice_Sbox(q);
- shift_rows(q);
- mix_columns(q);
- add_round_key(q, state->tweaked512_rc64[2 * i + j]);
- }
- /* Mix states */
- for (j = 0; j < 8; j++) {
- tmp_q = q[j];
- q[j] = (tmp_q & 0x0001000100010001) << 5 |
- (tmp_q & 0x0002000200020002) << 12 |
- (tmp_q & 0x0004000400040004) >> 1 |
- (tmp_q & 0x0008000800080008) << 6 |
- (tmp_q & 0x0020002000200020) << 9 |
- (tmp_q & 0x0040004000400040) >> 4 |
- (tmp_q & 0x0080008000800080) << 3 |
- (tmp_q & 0x2100210021002100) >> 5 |
- (tmp_q & 0x0210021002100210) << 2 |
- (tmp_q & 0x0800080008000800) << 4 |
- (tmp_q & 0x1000100010001000) >> 12 |
- (tmp_q & 0x4000400040004000) >> 10 |
- (tmp_q & 0x8400840084008400) >> 3;
- }
- }
-
- br_aes_ct64_ortho(q);
- for (i = 0; i < 4; i ++) {
- br_aes_ct64_interleave_out(w + (i << 2), q[i], q[i + 4]);
- }
- br_range_enc32le(out, w, 16);
-}
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state) {
- int i;
-
- unsigned char buf[64];
-
- PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka512_perm(buf, in, state);
- /* Feed-forward */
- for (i = 0; i < 64; i++) {
- buf[i] = buf[i] ^ in[i];
- }
-
- /* Truncated */
- memcpy(out, buf + 8, 8);
- memcpy(out + 8, buf + 24, 8);
- memcpy(out + 16, buf + 32, 8);
- memcpy(out + 24, buf + 48, 8);
-}
-
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state) {
- uint32_t q[8], tmp_q;
- int i, j;
-
- for (i = 0; i < 4; i++) {
- q[2 * i] = br_dec32le(in + 4 * i);
- q[2 * i + 1] = br_dec32le(in + 4 * i + 16);
- }
- br_aes_ct_ortho(q);
-
- /* AES rounds */
- for (i = 0; i < 5; i++) {
- for (j = 0; j < 2; j++) {
- br_aes_ct_bitslice_Sbox(q);
- shift_rows32(q);
- mix_columns32(q);
- add_round_key32(q, state->tweaked256_rc32[2 * i + j]);
- }
-
- /* Mix states */
- for (j = 0; j < 8; j++) {
- tmp_q = q[j];
- q[j] = (tmp_q & 0x81818181) |
- (tmp_q & 0x02020202) << 1 |
- (tmp_q & 0x04040404) << 2 |
- (tmp_q & 0x08080808) << 3 |
- (tmp_q & 0x10101010) >> 3 |
- (tmp_q & 0x20202020) >> 2 |
- (tmp_q & 0x40404040) >> 1;
- }
- }
-
- br_aes_ct_ortho(q);
- for (i = 0; i < 4; i++) {
- br_enc32le(out + 4 * i, q[2 * i]);
- br_enc32le(out + 4 * i + 16, q[2 * i + 1]);
- }
-
- for (i = 0; i < 32; i++) {
- out[i] ^= in[i];
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state) {
- uint32_t q[8], tmp_q;
- int i, j;
-
- for (i = 0; i < 4; i++) {
- q[2 * i] = br_dec32le(in + 4 * i);
- q[2 * i + 1] = br_dec32le(in + 4 * i + 16);
- }
- br_aes_ct_ortho(q);
-
- /* AES rounds */
- for (i = 0; i < 5; i++) {
- for (j = 0; j < 2; j++) {
- br_aes_ct_bitslice_Sbox(q);
- shift_rows32(q);
- mix_columns32(q);
- add_round_key32(q, state->tweaked256_rc32_sseed[2 * i + j]);
- }
-
- /* Mix states */
- for (j = 0; j < 8; j++) {
- tmp_q = q[j];
- q[j] = (tmp_q & 0x81818181) |
- (tmp_q & 0x02020202) << 1 |
- (tmp_q & 0x04040404) << 2 |
- (tmp_q & 0x08080808) << 3 |
- (tmp_q & 0x10101010) >> 3 |
- (tmp_q & 0x20202020) >> 2 |
- (tmp_q & 0x40404040) >> 1;
- }
- }
-
- br_aes_ct_ortho(q);
- for (i = 0; i < 4; i++) {
- br_enc32le(out + 4 * i, q[2 * i]);
- br_enc32le(out + 4 * i + 16, q[2 * i + 1]);
- }
-
- for (i = 0; i < 32; i++) {
- out[i] ^= in[i];
- }
-}
diff --git a/crypto_sign/sphincs-haraka-192s-robust/clean/haraka.h b/crypto_sign/sphincs-haraka-192s-robust/clean/haraka.h
deleted file mode 100644
index f5466671..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/clean/haraka.h
+++ /dev/null
@@ -1,40 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_HARAKA_H
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_HARAKA_H
-
-#include
-#include
-
-typedef struct {
- uint64_t tweaked512_rc64[10][8];
- uint32_t tweaked256_rc32[10][8];
- uint32_t tweaked256_rc32_sseed[10][8];
-} harakactx;
-
-/* Tweak constants with seed */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length);
-
-/* Haraka Sponge */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S_inc_init(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S_inc_finalize(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S(
- unsigned char *out, unsigned long long outlen,
- const unsigned char *in, unsigned long long inlen, const harakactx *state);
-
-/* Applies the 512-bit Haraka permutation to in. */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-512 */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 using sk.seed constants */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192s-robust/clean/hash.h b/crypto_sign/sphincs-haraka-192s-robust/clean/hash.h
deleted file mode 100644
index 2c281c63..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/clean/hash.h
+++ /dev/null
@@ -1,31 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_HASH_H
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_HASH_H
-
-#include "hash_state.h"
-
-#include
-#include
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed);
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_destroy_hash_function(hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192s-robust/clean/hash_haraka.c b/crypto_sign/sphincs-haraka-192s-robust/clean/hash_haraka.c
deleted file mode 100644
index 568f5e0b..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/clean/hash_haraka.c
+++ /dev/null
@@ -1,96 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "haraka.h"
-#include "hash.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed) {
- PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_tweak_constants(hash_state_seeded, pub_seed, sk_seed, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N);
-}
-
-/* The haraka implementation is stack based and won't be replaced in PQClean/OQS,
- so we don't need to do anything */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_destroy_hash_function(
- hash_state *hash_state_seeded) { // NOLINT(readability-non-const-parameter)
- (void)hash_state_seeded;
-}
-
-/*
- * Computes PRF(key, addr), given a secret key of PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N bytes and an address
- */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- unsigned char buf[PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_BYTES];
- /* Since PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N may be smaller than 32, we need a temporary buffer. */
- unsigned char outbuf[32];
-
- (void)key; /* Suppress an 'unused parameter' warning. */
-
- PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_addr_to_bytes(buf, addr);
- PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka256_sk(outbuf, buf, hash_state_seeded);
- memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N);
-}
-
-/**
- * Computes the message-dependent randomness R, using a secret seed and an
- * optional randomization value as well as the message.
- */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded) {
- uint8_t s_inc[65];
-
- PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S_inc_init(s_inc);
- PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, sk_prf, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, optrand, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S_inc_finalize(s_inc);
- PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S_inc_squeeze(R, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, s_inc, hash_state_seeded);
-}
-
-/**
- * Computes the message hash using R, the public key, and the message.
- * Outputs the message digest and the index of the leaf. The index is split in
- * the tree index and the leaf index, for convenient copying to an address.
- */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded) {
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_TREE_BITS (PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_TREE_HEIGHT * (PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_D - 1))
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_TREE_BYTES ((PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_TREE_BITS + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_LEAF_BITS PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_TREE_HEIGHT
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_LEAF_BYTES ((PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_LEAF_BITS + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_DGST_BYTES (PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_MSG_BYTES + PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_TREE_BYTES + PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_LEAF_BYTES)
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_DGST_BYTES];
- unsigned char *bufp = buf;
- uint8_t s_inc[65];
-
- PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S_inc_init(s_inc);
- PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, R, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, pk + PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S_inc_finalize(s_inc);
- PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S_inc_squeeze(buf, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_DGST_BYTES, s_inc, hash_state_seeded);
-
- memcpy(digest, bufp, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_MSG_BYTES);
- bufp += PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_MSG_BYTES;
-
- *tree = PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_bytes_to_ull(bufp, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_TREE_BYTES);
- *tree &= (~(uint64_t)0) >> (64 - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_TREE_BITS);
- bufp += PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_TREE_BYTES;
-
- *leaf_idx = (uint32_t)PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_bytes_to_ull(
- bufp, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_LEAF_BYTES);
- *leaf_idx &= (~(uint32_t)0) >> (32 - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_LEAF_BITS);
-}
diff --git a/crypto_sign/sphincs-haraka-192s-robust/clean/hash_state.h b/crypto_sign/sphincs-haraka-192s-robust/clean/hash_state.h
deleted file mode 100644
index 5adb1d9a..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/clean/hash_state.h
+++ /dev/null
@@ -1,26 +0,0 @@
-#ifndef SPX_HASH_STATE_H
-#define SPX_HASH_STATE_H
-
-/**
- * Defines the type of the hash function state.
- *
- * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
- *
- * From Section 7.2.2 from the SPHINCS+ round-2 specification:
- *
- * Each of the instances of the tweakable hash function take PK.seed as its
- * first input, which is constant for a given key pair – and, thus, across
- * a single signature. This leads to a lot of redundant computation. To remedy
- * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
- * Because of the Merkle-Damgård construction that underlies SHA-256, this
- * allows for reuse of the intermediate SHA-256 state after the initial call to
- * the compression function which improves performance.
- *
- * We pass this hash state around in functions, because otherwise we need to
- * have a global variable.
- */
-
-#include "haraka.h"
-#define hash_state harakactx
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192s-robust/clean/params.h b/crypto_sign/sphincs-haraka-192s-robust/clean/params.h
deleted file mode 100644
index 6d5ad745..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/clean/params.h
+++ /dev/null
@@ -1,53 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_PARAMS_H
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_PARAMS_H
-
-/* Hash output length in bytes. */
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N 24
-/* Height of the hypertree. */
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FULL_HEIGHT 64
-/* Number of subtree layer. */
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_D 8
-/* FORS tree dimensions. */
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_HEIGHT 16
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_TREES 14
-/* Winternitz parameter, */
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_W 16
-
-/* The hash function is defined by linking a different hash.c file, as opposed
- to setting a #define constant. */
-
-/* For clarity */
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_BYTES 32
-
-/* WOTS parameters. */
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_LOGW 4
-
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_LEN1 (8 * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N / PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_LOGW)
-
-/* PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_LEN2 3
-
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_LEN (PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_LEN1 + PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_LEN2)
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_BYTES (PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_LEN * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_PK_BYTES PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_BYTES
-
-/* Subtree size. */
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_TREE_HEIGHT (PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FULL_HEIGHT / PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_D)
-
-/* FORS parameters. */
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_MSG_BYTES ((PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_TREES + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_BYTES ((PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_HEIGHT + 1) * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_PK_BYTES PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N
-
-/* Resulting SPX sizes. */
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_BYTES (PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N + PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_BYTES + PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_D * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_BYTES +\
- PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FULL_HEIGHT * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_PK_BYTES (2 * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_SK_BYTES (2 * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N + PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_PK_BYTES)
-
-/* Optionally, signing can be made non-deterministic using optrand.
- This can help counter side-channel attacks that would benefit from
- getting a large number of traces when the signer uses the same nodes. */
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_OPTRAND_BYTES 32
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192s-robust/clean/sign.c b/crypto_sign/sphincs-haraka-192s-robust/clean/sign.c
deleted file mode 100644
index 9a75d304..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/clean/sign.c
+++ /dev/null
@@ -1,356 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "api.h" -#include "fors.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "randombytes.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - -/** - * Computes the leaf at a given address. First generates the WOTS key pair, - * then computes leaf by hashing horizontally. - */ -static void wots_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx, const uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - unsigned char pk[PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_BYTES]; - uint32_t wots_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_TYPE_WOTSPK); - - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_keypair_addr( - wots_addr, addr_idx); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_wots_gen_pk( - pk, sk_seed, pub_seed, wots_addr, hash_state_seeded); - - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_copy_keypair_addr( - wots_pk_addr, wots_addr); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_thash_WOTS_LEN( - leaf, pk, pub_seed, wots_pk_addr, hash_state_seeded); -} - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_crypto_sign_secretkeybytes(void) { - return PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_CRYPTO_SECRETKEYBYTES; -} - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_crypto_sign_publickeybytes(void) { - return PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_CRYPTO_PUBLICKEYBYTES; -} - -/* - * Returns the length of a signature, in bytes - */ -size_t 
PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_crypto_sign_bytes(void) { - return PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_CRYPTO_BYTES; -} - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_crypto_sign_seedbytes(void) { - return PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_CRYPTO_SEEDBYTES; -} - -/* - * Generates an SPX key pair given a seed of length - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_crypto_sign_seed_keypair( - uint8_t *pk, uint8_t *sk, const uint8_t *seed) { - /* We do not need the auth path in key generation, but it simplifies the - code to have just one treehash routine that computes both root and path - in one function. */ - unsigned char auth_path[PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N]; - uint32_t top_tree_addr[8] = {0}; - hash_state hash_state_seeded; - - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_layer_addr( - top_tree_addr, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_D - 1); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_type( - top_tree_addr, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_TYPE_HASHTREE); - - /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */ - memcpy(sk, seed, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_CRYPTO_SEEDBYTES); - - memcpy(pk, sk + 2 * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_initialize_hash_function(&hash_state_seeded, pk, sk); - - /* Compute root node of the top-most subtree. 
*/ - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_treehash_TREE_HEIGHT( - sk + 3 * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, auth_path, sk, sk + 2 * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, 0, 0, - wots_gen_leaf, top_tree_addr, &hash_state_seeded); - - memcpy(pk + PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, sk + 3 * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N); - - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_destroy_hash_function(&hash_state_seeded); - return 0; -} - -/* - * Generates an SPX key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk) { - unsigned char seed[PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_CRYPTO_SEEDBYTES]; - randombytes(seed, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_CRYPTO_SEEDBYTES); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_crypto_sign_seed_keypair( - pk, sk, seed); - - return 0; -} - -/** - * Returns an array containing a detached signature. - */ -int PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - const unsigned char *sk_seed = sk; - const unsigned char *sk_prf = sk + PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N; - const unsigned char *pk = sk + 2 * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N; - const unsigned char *pub_seed = pk; - - unsigned char optrand[PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N]; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_MSG_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N]; - uint32_t i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - - hash_state hash_state_seeded; - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_initialize_hash_function( - &hash_state_seeded, - pub_seed, sk_seed); - - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_TYPE_HASHTREE); - - /* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. */ - randombytes(optrand, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N); - /* Compute the digest randomization value. */ - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_gen_message_random( - sig, sk_prf, optrand, m, mlen, &hash_state_seeded); - - /* Derive the message digest and leaf index from R, PK and M. */ - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N; - - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - /* Sign the message hash using FORS. */ - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_fors_sign( - sig, root, mhash, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_BYTES; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_D; i++) { - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - /* Compute a WOTS signature. 
*/ - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_wots_sign( - sig, root, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_BYTES; - - /* Compute the authentication path for the used WOTS leaf. */ - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_treehash_TREE_HEIGHT( - root, sig, sk_seed, pub_seed, idx_leaf, 0, - wots_gen_leaf, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_TREE_HEIGHT; - } - - *siglen = PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_BYTES; - - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_destroy_hash_function(&hash_state_seeded); - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - const unsigned char *pub_seed = pk; - const unsigned char *pub_root = pk + PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_MSG_BYTES]; - unsigned char wots_pk[PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N]; - unsigned int i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - hash_state hash_state_seeded; - - if (siglen != PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_BYTES) { - return -1; - } - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_initialize_hash_function( - &hash_state_seeded, - pub_seed, NULL); - - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_TYPE_HASHTREE); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_TYPE_WOTSPK); - - /* Derive the message digest and leaf index from R || PK || M. */ - /* The additional PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N is a result of the hash domain separator. */ - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N; - - /* Layer correctly defaults to 0, so no need to set_layer_addr */ - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_fors_pk_from_sig( - root, sig, mhash, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_BYTES; - - /* For each subtree.. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_D; i++) { - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_copy_keypair_addr( - wots_pk_addr, wots_addr); - - /* The WOTS public key is only correct if the signature was correct. */ - /* Initially, root is the FORS pk, but on subsequent iterations it is - the root of the subtree below the currently processed subtree. 
*/ - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_wots_pk_from_sig( - wots_pk, sig, root, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_BYTES; - - /* Compute the leaf node using the WOTS public key. */ - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_thash_WOTS_LEN( - leaf, wots_pk, pub_seed, wots_pk_addr, &hash_state_seeded); - - /* Compute the root node of this subtree. */ - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_compute_root( - root, leaf, idx_leaf, 0, sig, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_TREE_HEIGHT, - pub_seed, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_TREE_HEIGHT; - } - - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_destroy_hash_function(&hash_state_seeded); - /* Check if the root node equals the root node in the public key. */ - if (memcmp(root, pub_root, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N) != 0) { - return -1; - } - - return 0; -} - - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - size_t siglen; - - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_crypto_sign_signature( - sm, &siglen, m, mlen, sk); - - memmove(sm + PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_BYTES, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. 
- */ -int PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk) { - /* The API caller does not necessarily know what size a signature should be - but SPHINCS+ signatures are always exactly PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_BYTES. */ - if (smlen < PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_BYTES) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_BYTES; - - if (PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_crypto_sign_verify( - sm, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_BYTES, sm + PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_BYTES, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_BYTES, *mlen); - - return 0; -} diff --git a/crypto_sign/sphincs-haraka-192s-robust/clean/thash.h b/crypto_sign/sphincs-haraka-192s-robust/clean/thash.h deleted file mode 100644 index def09374..00000000 --- a/crypto_sign/sphincs-haraka-192s-robust/clean/thash.h +++ /dev/null 
@@ -1,28 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_THASH_H
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_THASH_H
-
-#include "hash_state.h"
-
-#include
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_thash_1(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_thash_2(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_thash_WOTS_LEN(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_thash_FORS_TREES(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192s-robust/clean/thash_haraka_robust.c b/crypto_sign/sphincs-haraka-192s-robust/clean/thash_haraka_robust.c
deleted file mode 100644
index 95d77365..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/clean/thash_haraka_robust.c
+++ /dev/null
@@ -1,94 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" - -#include "haraka.h" - -/** - * Takes an array of inblocks concatenated arrays of PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N bytes. - */ -static void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_thash( - unsigned char *out, unsigned char *buf, - const unsigned char *in, unsigned int inblocks, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char *bitmask = buf + PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_BYTES; - unsigned char outbuf[32]; - unsigned char buf_tmp[64]; - unsigned int i; - - (void)pub_seed; /* Suppress an 'unused parameter' warning. */ - - if (inblocks == 1) { - /* F function */ - /* Since PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N may be smaller than 32, we need a temporary buffer. */ - memset(buf_tmp, 0, 64); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_addr_to_bytes(buf_tmp, addr); - - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka256(outbuf, buf_tmp, hash_state_seeded); - for (i = 0; i < inblocks * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N; i++) { - buf_tmp[PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_BYTES + i] = in[i] ^ outbuf[i]; - } - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka512(outbuf, buf_tmp, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N); - } else { - /* All other tweakable hashes*/ - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_addr_to_bytes(buf, addr); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S( - bitmask, inblocks * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, buf, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_BYTES, hash_state_seeded); - - for (i = 0; i < inblocks * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N; i++) { - buf[PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_BYTES + i] = in[i] ^ bitmask[i]; - } - - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_haraka_S( - out, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, buf, 
PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_BYTES + inblocks * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, hash_state_seeded); - } -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_BYTES + 1 * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_thash( - out, buf, in, 1, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_BYTES + 2 * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_thash( - out, buf, in, 2, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_LEN * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_thash( - out, buf, in, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_LEN, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_thash( - out, buf, in, 
PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_TREES, pub_seed, addr, hash_state_seeded);
-}
diff --git a/crypto_sign/sphincs-haraka-192s-robust/clean/utils.c b/crypto_sign/sphincs-haraka-192s-robust/clean/utils.c
deleted file mode 100644
index 5de9d482..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/clean/utils.c
+++ /dev/null
@@ -1,199 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" -#include "utils.h" - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in) { - - /* Iterate over out in decreasing order, for big-endianness. */ - for (size_t i = outlen; i > 0; i--) { - out[i - 1] = in & 0xff; - in = in >> 8; - } -} - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_bytes_to_ull( - const unsigned char *in, size_t inlen) { - unsigned long long retval = 0; - - for (size_t i = 0; i < inlen; i++) { - retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i)); - } - return retval; -} - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - unsigned char buffer[2 * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N]; - - /* If leaf_idx is odd (last bit = 1), current path element is a right child - and auth_path has to go left. Otherwise it is the other way around. 
*/ - if (leaf_idx & 1) { - memcpy(buffer + PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, leaf, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N); - } else { - memcpy(buffer, leaf, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, auth_path, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N; - - for (i = 0; i < tree_height - 1; i++) { - leaf_idx >>= 1; - idx_offset >>= 1; - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_tree_height(addr, i + 1); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_tree_index( - addr, leaf_idx + idx_offset); - - /* Pick the right or left neighbor, depending on parity of the node. */ - if (leaf_idx & 1) { - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_thash_2( - buffer + PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N); - } else { - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_thash_2( - buffer, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, auth_path, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N; - } - - /* The last iteration is exceptional; we do not copy an auth_path node. */ - leaf_idx >>= 1; - idx_offset >>= 1; - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_tree_height(addr, tree_height); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_tree_index( - addr, leaf_idx + idx_offset); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_thash_2( - root, buffer, pub_seed, addr, hash_state_seeded); -} - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. 
PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -static void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_treehash( - unsigned char *root, unsigned char *auth_path, - unsigned char *stack, unsigned int *heights, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - - unsigned int offset = 0; - uint32_t idx; - uint32_t tree_idx; - - for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) { - /* Add the next leaf node to the stack. */ - gen_leaf(stack + offset * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, - sk_seed, pub_seed, idx + idx_offset, tree_addr, - hash_state_seeded); - offset++; - heights[offset - 1] = 0; - - /* If this is a node we need for the auth path.. */ - if ((leaf_idx ^ 0x1) == idx) { - memcpy(auth_path, stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N); - } - - /* While the top-most nodes are of equal height.. */ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { - /* Compute index of the new node, in the next layer. */ - tree_idx = (idx >> (heights[offset - 1] + 1)); - - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_tree_height( - tree_addr, heights[offset - 1] + 1); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_tree_index( - tree_addr, tree_idx + (idx_offset >> (heights[offset - 1] + 1))); - /* Hash the top-most nodes from the stack together. 
*/ - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_thash_2( - stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, - pub_seed, tree_addr, hash_state_seeded); - offset--; - /* Note that the top-most node is now one layer higher. */ - heights[offset - 1]++; - - /* If this is a node we need for the auth path.. */ - if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) { - memcpy(auth_path + heights[offset - 1]*PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, - stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N); - } - } - } - memcpy(root, stack, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N); -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_FORS_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* 
leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_TREE_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_TREE_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_TREE_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-192s-robust/clean/utils.h b/crypto_sign/sphincs-haraka-192s-robust/clean/utils.h deleted file mode 100644 index b0392a36..00000000 --- a/crypto_sign/sphincs-haraka-192s-robust/clean/utils.h +++ /dev/null 
@@ -1,64 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_UTILS_H
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_UTILS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-#include
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ull_to_bytes(
- unsigned char *out, size_t outlen, unsigned long long in);
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-unsigned long long PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_bytes_to_ull(
- const unsigned char *in, size_t inlen);
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_compute_root(
- unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_treehash_FORS_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_treehash_TREE_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192s-robust/clean/wots.c b/crypto_sign/sphincs-haraka-192s-robust/clean/wots.c
deleted file mode 100644
index 38a67e42..00000000
--- a/crypto_sign/sphincs-haraka-192s-robust/clean/wots.c
+++ /dev/null
@@ -1,167 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - -// TODO clarify address expectations, and make them more uniform. -// TODO i.e. do we expect types to be set already? -// TODO and do we expect modifications or copies? - -/** - * Computes the starting value for a chain, i.e. the secret key. - * Expects the address to be complete up to the chain address. - */ -static void wots_gen_sk(unsigned char *sk, const unsigned char *sk_seed, - uint32_t wots_addr[8], - const hash_state *hash_state_seeded) { - /* Make sure that the hash address is actually zeroed. */ - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_hash_addr(wots_addr, 0); - - /* Generate sk element. */ - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_prf_addr(sk, sk_seed, wots_addr, hash_state_seeded); -} - -/** - * Computes the chaining function. - * out and in have to be n-byte arrays. - * - * Interprets in as start-th value of the chain. - * addr has to contain the address of the chain. - */ -static void gen_chain(unsigned char *out, const unsigned char *in, - unsigned int start, unsigned int steps, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - - /* Initialize out with the value at position 'start'. */ - memcpy(out, in, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N); - - /* Iterate 'steps' calls to the hash function. */ - for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_W; i++) { - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_hash_addr(addr, i); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_thash_1( - out, out, pub_seed, addr, hash_state_seeded); - } -} - -/** - * base_w algorithm as described in draft. - * Interprets an array of bytes as integers in base w. - * This only works when log_w is a divisor of 8. 
- */ -static void base_w(unsigned int *output, const size_t out_len, - const unsigned char *input) { - size_t in = 0; - size_t out = 0; - unsigned char total = 0; - unsigned int bits = 0; - size_t consumed; - - for (consumed = 0; consumed < out_len; consumed++) { - if (bits == 0) { - total = input[in]; - in++; - bits += 8; - } - bits -= PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_LOGW; - output[out] = (unsigned int)((total >> bits) & (PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_W - 1)); - out++; - } -} - -/* Computes the WOTS+ checksum over a message (in base_w). */ -static void wots_checksum(unsigned int *csum_base_w, - const unsigned int *msg_base_w) { - unsigned int csum = 0; - unsigned char csum_bytes[(PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_LOGW + 7) / 8]; - unsigned int i; - - /* Compute checksum. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_LEN1; i++) { - csum += PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_W - 1 - msg_base_w[i]; - } - - /* Convert checksum to base_w. */ - /* Make sure expected empty zero bits are the least significant bits. */ - csum = csum << (8 - ((PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_LOGW) % 8)); - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_ull_to_bytes( - csum_bytes, sizeof(csum_bytes), csum); - base_w(csum_base_w, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_LEN2, csum_bytes); -} - -/* Takes a message and derives the matching chain lengths. */ -static void chain_lengths(unsigned int *lengths, const unsigned char *msg) { - base_w(lengths, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_LEN1, msg); - wots_checksum(lengths + PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_LEN1, lengths); -} - -/** - * WOTS key generation. Takes a 32 byte sk_seed, expands it to WOTS private key - * elements and computes the corresponding public key. 
- * It requires the seed pub_seed (used to generate bitmasks and hash keys) - * and the address of this WOTS key pair. - * - * Writes the computed public key to 'pk'. - */ -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_wots_gen_pk( - unsigned char *pk, const unsigned char *sk_seed, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_chain_addr(addr, i); - wots_gen_sk(pk + i * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, sk_seed, addr, hash_state_seeded); - gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, pk + i * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, - 0, PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_W - 1, pub_seed, addr, hash_state_seeded); - } -} - -/** - * Takes a n-byte message and the 32-byte sk_see to compute a signature 'sig'. - */ -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_wots_sign( - unsigned char *sig, const unsigned char *msg, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t addr[8], const hash_state *hash_state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_chain_addr(addr, i); - wots_gen_sk(sig + i * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, sk_seed, addr, hash_state_seeded); - gen_chain(sig + i * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, sig + i * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, 0, lengths[i], pub_seed, addr, hash_state_seeded); - } -} - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. 
- */ -void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_wots_pk_from_sig( - unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_set_chain_addr(addr, i); - gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, sig + i * PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_N, - lengths[i], PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_W - 1 - lengths[i], pub_seed, addr, - hash_state_seeded); - } -} diff --git a/crypto_sign/sphincs-haraka-192s-robust/clean/wots.h b/crypto_sign/sphincs-haraka-192s-robust/clean/wots.h deleted file mode 100644 index 90780e62..00000000 --- a/crypto_sign/sphincs-haraka-192s-robust/clean/wots.h +++ /dev/null 
@@ -1,41 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_H
-#define PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_WOTS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-
-/**
- * WOTS key generation. Takes a 32 byte seed for the private key, expands it to
- * a full WOTS private key and computes the corresponding public key.
- * It requires the seed pub_seed (used to generate bitmasks and hash keys)
- * and the address of this WOTS key pair.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_wots_gen_pk(
- unsigned char *pk, const unsigned char *sk_seed,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * Takes a n-byte message and the 32-byte seed for the private key to compute a
- * signature that is placed at 'sig'.
- */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_wots_sign(
- unsigned char *sig, const unsigned char *msg,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA192SROBUST_CLEAN_wots_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192s-simple/META.yml b/crypto_sign/sphincs-haraka-192s-simple/META.yml
deleted file mode 100644
index 1b85510d..00000000
--- a/crypto_sign/sphincs-haraka-192s-simple/META.yml
+++ /dev/null
@@ -1,35 +0,0 @@ -name: SPHINCS+ -type: signature -claimed-nist-level: 3 -length-public-key: 48 -length-secret-key: 96 -length-signature: 17064 -testvectors-sha256: 0228f1872256e698360c0b156e7fffc12d234e50acbf05a4e899d4d8105d2796 -nistkat-sha256: c8e823fe6b03f35a0d9996dea1559e6924b86e2631e945a3ab9bb4e55c22c068 -principal-submitters: - - Andreas Hülsing -auxiliary-submitters: - - Jean-Philippe Aumasson - - Daniel J. Bernstein, - - Christoph Dobraunig - - Maria Eichlseder - - Scott Fluhrer - - Stefan-Lukas Gazdag - - Panos Kampanakis - - Stefan Kölbl - - Tanja Lange - - Martin M. Lauridsen - - Florian Mendel - - Ruben Niederhagen - - Christian Rechberger - - Joost Rijneveld - - Peter Schwabe -implementations: - - name: clean - version: https://github.com/sphincs/sphincsplus/commit/77755c94d0bc744478044d6efbb888dc13156441 - - name: aesni - version: https://github.com/sphincs/sphincsplus/commit/77755c94d0bc744478044d6efbb888dc13156441 - supported_platforms: - - architecture: x86_64 - required_flags: - - aes diff --git a/crypto_sign/sphincs-haraka-192s-simple/aesni/LICENSE b/crypto_sign/sphincs-haraka-192s-simple/aesni/LICENSE deleted file mode 100644 index 670154e3..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/aesni/LICENSE +++ /dev/null 
@@ -1,116 +0,0 @@
-CC0 1.0 Universal
-
-Statement of Purpose
-
-The laws of most jurisdictions throughout the world automatically confer
-exclusive Copyright and Related Rights (defined below) upon the creator and
-subsequent owner(s) (each and all, an "owner") of an original work of
-authorship and/or a database (each, a "Work").
-
-Certain owners wish to permanently relinquish those rights to a Work for the
-purpose of contributing to a commons of creative, cultural and scientific
-works ("Commons") that the public can reliably and without fear of later
-claims of infringement build upon, modify, incorporate in other works, reuse
-and redistribute as freely as possible in any form whatsoever and for any
-purposes, including without limitation commercial purposes. These owners may
-contribute to the Commons to promote the ideal of a free culture and the
-further production of creative, cultural and scientific works, or to gain
-reputation or greater distribution for their Work in part through the use and
-efforts of others.
-
-For these and/or other purposes and motivations, and without any expectation
-of additional consideration or compensation, the person associating CC0 with a
-Work (the "Affirmer"), to the extent that he or she is an owner of Copyright
-and Related Rights in the Work, voluntarily elects to apply CC0 to the Work
-and publicly distribute the Work under its terms, with knowledge of his or her
-Copyright and Related Rights in the Work and the meaning and intended legal
-effect of CC0 on those rights.
-
-1. Copyright and Related Rights. A Work made available under CC0 may be
-protected by copyright and related or neighboring rights ("Copyright and
-Related Rights"). Copyright and Related Rights include, but are not limited
-to, the following:
-
- i. the right to reproduce, adapt, distribute, perform, display, communicate,
- and translate a Work;
-
- ii. moral rights retained by the original author(s) and/or performer(s);
-
- iii. publicity and privacy rights pertaining to a person's image or likeness
- depicted in a Work;
-
- iv. rights protecting against unfair competition in regards to a Work,
- subject to the limitations in paragraph 4(a), below;
-
- v. rights protecting the extraction, dissemination, use and reuse of data in
- a Work;
-
- vi. database rights (such as those arising under Directive 96/9/EC of the
- European Parliament and of the Council of 11 March 1996 on the legal
- protection of databases, and under any national implementation thereof,
- including any amended or successor version of such directive); and
-
- vii. other similar, equivalent or corresponding rights throughout the world
- based on applicable law or treaty, and any national implementations thereof.
-
-2. Waiver. To the greatest extent permitted by, but not in contravention of,
-applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and
-unconditionally waives, abandons, and surrenders all of Affirmer's Copyright
-and Related Rights and associated claims and causes of action, whether now
-known or unknown (including existing as well as future claims and causes of
-action), in the Work (i) in all territories worldwide, (ii) for the maximum
-duration provided by applicable law or treaty (including future time
-extensions), (iii) in any current or future medium and for any number of
-copies, and (iv) for any purpose whatsoever, including without limitation
-commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes
-the Waiver for the benefit of each member of the public at large and to the
-detriment of Affirmer's heirs and successors, fully intending that such Waiver
-shall not be subject to revocation, rescission, cancellation, termination, or
-any other legal or equitable action to disrupt the quiet enjoyment of the Work
-by the public as contemplated by Affirmer's express Statement of Purpose.
-
-3. Public License Fallback. Should any part of the Waiver for any reason be
-judged legally invalid or ineffective under applicable law, then the Waiver
-shall be preserved to the maximum extent permitted taking into account
-Affirmer's express Statement of Purpose. In addition, to the extent the Waiver
-is so judged Affirmer hereby grants to each affected person a royalty-free,
-non transferable, non sublicensable, non exclusive, irrevocable and
-unconditional license to exercise Affirmer's Copyright and Related Rights in
-the Work (i) in all territories worldwide, (ii) for the maximum duration
-provided by applicable law or treaty (including future time extensions), (iii)
-in any current or future medium and for any number of copies, and (iv) for any
-purpose whatsoever, including without limitation commercial, advertising or
-promotional purposes (the "License"). The License shall be deemed effective as
-of the date CC0 was applied by Affirmer to the Work. Should any part of the
-License for any reason be judged legally invalid or ineffective under
-applicable law, such partial invalidity or ineffectiveness shall not
-invalidate the remainder of the License, and in such case Affirmer hereby
-affirms that he or she will not (i) exercise any of his or her remaining
-Copyright and Related Rights in the Work or (ii) assert any associated claims
-and causes of action with respect to the Work, in either case contrary to
-Affirmer's express Statement of Purpose.
-
-4. Limitations and Disclaimers.
-
- a. No trademark or patent rights held by Affirmer are waived, abandoned,
- surrendered, licensed or otherwise affected by this document.
-
- b. Affirmer offers the Work as-is and makes no representations or warranties
- of any kind concerning the Work, express, implied, statutory or otherwise,
- including without limitation warranties of title, merchantability, fitness
- for a particular purpose, non infringement, or the absence of latent or
- other defects, accuracy, or the present or absence of errors, whether or not
- discoverable, all to the greatest extent permissible under applicable law.
-
- c. Affirmer disclaims responsibility for clearing rights of other persons
- that may apply to the Work or any use thereof, including without limitation
- any person's Copyright and Related Rights in the Work. Further, Affirmer
- disclaims responsibility for obtaining any necessary consents, permissions
- or other rights required for any use of the Work.
-
- d. Affirmer understands and acknowledges that Creative Commons is not a
- party to this document and has no duty or obligation with respect to this
- CC0 or use of the Work.
-
-For more information, please see
-
diff --git a/crypto_sign/sphincs-haraka-192s-simple/aesni/Makefile.Microsoft_nmake b/crypto_sign/sphincs-haraka-192s-simple/aesni/Makefile.Microsoft_nmake
deleted file mode 100644
index 81df8fd0..00000000
--- a/crypto_sign/sphincs-haraka-192s-simple/aesni/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,23 +0,0 @@ -# This Makefile can be used with Microsoft Visual Studio's nmake using the command: -# nmake /f Makefile.Microsoft_nmake - -LIBRARY=libsphincs-haraka-192s-simple_aesni.lib -OBJECTS=address.obj wots.obj utils.obj utilsx4.obj fors.obj sign.obj hash_haraka.obj thash_haraka_simple.obj hash_harakax4.obj thash_haraka_simplex4.obj haraka.obj - -# We ignore warning C4127: in thash_haraka_*x4.c we use a conditional -# that when the macro is generated for inblocks = 1 results in a case -# with `if (1 == 1)`. The compiler should just optimise this away, but -# on MSVC we get a compiler complaint. -CFLAGS=/nologo /arch:AVX /O2 /I ..\..\..\common /W4 /WX /wd4127 - -all: $(LIBRARY) - -# Make sure objects are recompiled if headers change. -$(OBJECTS): *.h - -$(LIBRARY): $(OBJECTS) - LIB.EXE /NOLOGO /WX /OUT:$@ $** - -clean: - -DEL $(OBJECTS) - -DEL $(LIBRARY) diff --git a/crypto_sign/sphincs-haraka-192s-simple/aesni/address.c b/crypto_sign/sphincs-haraka-192s-simple/aesni/address.c deleted file mode 100644 index e3c8ca09..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/aesni/address.c +++ /dev/null 
@@ -1,78 +0,0 @@
-#include
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]) {
- int i;
-
- for (i = 0; i < 8; i++) {
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ull_to_bytes(
- bytes + i * 4, 4, addr[i]);
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_layer_addr(
- uint32_t addr[8], uint32_t layer) {
- addr[0] = layer;
-}
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_tree_addr(
- uint32_t addr[8], uint64_t tree) {
- addr[1] = 0;
- addr[2] = (uint32_t) (tree >> 32);
- addr[3] = (uint32_t) tree;
-}
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_type(
- uint32_t addr[8], uint32_t type) {
- addr[4] = type;
-}
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
-}
-
-/* These functions are used for OTS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair) {
- addr[5] = keypair;
-}
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
- out[5] = in[5];
-}
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_chain_addr(
- uint32_t addr[8], uint32_t chain) {
- addr[6] = chain;
-}
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_hash_addr(
- uint32_t addr[8], uint32_t hash) {
- addr[7] = hash;
-}
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_tree_height(
- uint32_t addr[8], uint32_t tree_height) {
- addr[6] = tree_height;
-}
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_tree_index(
- uint32_t addr[8], uint32_t tree_index) {
- addr[7] = tree_index;
-}
diff --git a/crypto_sign/sphincs-haraka-192s-simple/aesni/address.h b/crypto_sign/sphincs-haraka-192s-simple/aesni/address.h
deleted file mode 100644
index d8817d11..00000000
--- a/crypto_sign/sphincs-haraka-192s-simple/aesni/address.h
+++ /dev/null
@@ -1,50 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDRESS_H
-#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDRESS_H
-
-#include
-
-#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_TYPE_WOTS 0
-#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_TYPE_WOTSPK 1
-#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_TYPE_HASHTREE 2
-#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_TYPE_FORSTREE 3
-#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_TYPE_FORSPK 4
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]);
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_layer_addr(
- uint32_t addr[8], uint32_t layer);
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_tree_addr(
- uint32_t addr[8], uint64_t tree);
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_type(
- uint32_t addr[8], uint32_t type);
-
-/* Copies the layer and tree part of one address into the other */
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for WOTS and FORS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair);
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_chain_addr(
- uint32_t addr[8], uint32_t chain);
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_hash_addr(
- uint32_t addr[8], uint32_t hash);
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_tree_height(
- uint32_t addr[8], uint32_t tree_height);
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_tree_index(
- uint32_t addr[8], uint32_t tree_index);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192s-simple/aesni/api.h b/crypto_sign/sphincs-haraka-192s-simple/aesni/api.h
deleted file mode 100644
index 4f502429..00000000
--- a/crypto_sign/sphincs-haraka-192s-simple/aesni/api.h
+++ /dev/null
@@ -1,81 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_API_H
-#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_API_H
-
-#include
-#include
-
-
-
-#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_CRYPTO_ALGNAME "SPHINCS+"
-
-#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES 96
-#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES 48
-#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_CRYPTO_BYTES 17064
-#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_CRYPTO_SEEDBYTES 72
-
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_crypto_sign_seed_keypair(
- uint8_t *pk, uint8_t *sk, const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_crypto_sign_keypair(
- uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-int PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen, const uint8_t *pk);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192s-simple/aesni/fors.c b/crypto_sign/sphincs-haraka-192s-simple/aesni/fors.c
deleted file mode 100644
index 0f1380d1..00000000
--- a/crypto_sign/sphincs-haraka-192s-simple/aesni/fors.c
+++ /dev/null
@@ -1,206 +0,0 @@
-#include
-#include
-#include
-
-#include "address.h"
-#include "fors.h"
-#include "hash.h"
-#include "hashx4.h"
-#include "thash.h"
-#include "thashx4.h"
-#include "utils.h"
-#include "utilsx4.h"
-
-static void fors_gen_skx4(unsigned char *sk0,
- unsigned char *sk1,
- unsigned char *sk2,
- unsigned char *sk3, const unsigned char *sk_seed,
- uint32_t fors_leaf_addrx4[4 * 8],
- const hash_state *state_seeded) {
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_prf_addrx4(sk0, sk1, sk2, sk3, sk_seed, fors_leaf_addrx4, state_seeded);
-}
-
-static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk,
- const unsigned char *pub_seed,
- uint32_t fors_leaf_addr[8], const hash_state *state_seeded) {
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_thash_1(leaf, sk, pub_seed, fors_leaf_addr, state_seeded);
-}
-
-static void fors_sk_to_leafx4(unsigned char *leaf0,
- unsigned char *leaf1,
- unsigned char *leaf2,
- unsigned char *leaf3,
- const unsigned char *sk0,
- const unsigned char *sk1,
- const unsigned char *sk2,
- const unsigned char *sk3,
- const unsigned char *pub_seed,
- uint32_t fors_leaf_addrx4[4 * 8],
- const hash_state *state_seeded) {
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_thashx4_1(leaf0, leaf1, leaf2, leaf3,
- sk0, sk1, sk2, sk3, pub_seed, fors_leaf_addrx4, state_seeded);
-}
-
-static void fors_gen_leafx4(unsigned char *leaf0,
- unsigned char *leaf1,
- unsigned char *leaf2,
- unsigned char *leaf3,
- const unsigned char *sk_seed,
- const unsigned char *pub_seed,
- uint32_t addr_idx0,
- uint32_t addr_idx1,
- uint32_t addr_idx2,
- uint32_t addr_idx3,
- const uint32_t fors_tree_addr[8],
- const hash_state *state_seeded) {
- uint32_t fors_leaf_addrx4[4 * 8] = {0};
- unsigned int j;
-
- /* Only copy the parts that must be kept in fors_leaf_addrx4. */
- for (j = 0; j < 4; j++) {
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_copy_keypair_addr(fors_leaf_addrx4 + j * 8, fors_tree_addr);
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_type(fors_leaf_addrx4 + j * 8, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_TYPE_FORSTREE);
- }
-
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_tree_index(fors_leaf_addrx4 + 0 * 8, addr_idx0);
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_tree_index(fors_leaf_addrx4 + 1 * 8, addr_idx1);
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_tree_index(fors_leaf_addrx4 + 2 * 8, addr_idx2);
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_tree_index(fors_leaf_addrx4 + 3 * 8, addr_idx3);
-
- fors_gen_skx4(leaf0, leaf1, leaf2, leaf3, sk_seed, fors_leaf_addrx4, state_seeded);
- fors_sk_to_leafx4(leaf0, leaf1, leaf2, leaf3,
- leaf0, leaf1, leaf2, leaf3, pub_seed, fors_leaf_addrx4, state_seeded);
-}
-
-/**
- * Interprets m as PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_HEIGHT-bit unsigned integers.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_TREES bits.
- * Assumes indices has space for PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_TREES integers.
- */
-static void message_to_indices(uint32_t *indices, const unsigned char *m) {
- unsigned int i, j;
- unsigned int offset = 0;
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_TREES; i++) {
- indices[i] = 0;
- for (j = 0; j < PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_HEIGHT; j++) {
- indices[i] ^= (((uint32_t)m[offset >> 3] >> (offset & 0x7)) & 0x1) << j;
- offset++;
- }
- }
-}
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_fors_sign(unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- const uint32_t fors_addr[8], const hash_state *state_seeded) {
- /* Round up to multiple of 4 to prevent out-of-bounds for x4 parallelism */
- uint32_t indices[(PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_TREES + 3) & ~3] = {0};
- unsigned char roots[((PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_TREES + 3) & ~3) * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N];
- /* Sign to a buffer, since we may not have a nice multiple of 4 and would
- otherwise overrun the signature. */
- unsigned char sigbufx4[4 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N * (1 + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_HEIGHT)];
- uint32_t fors_tree_addrx4[4 * 8] = {0};
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset[4] = {0};
- unsigned int i, j;
-
- for (j = 0; j < 4; j++) {
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_copy_keypair_addr(fors_tree_addrx4 + j * 8, fors_addr);
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_type(fors_tree_addrx4 + j * 8, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_TYPE_FORSTREE);
- }
-
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_copy_keypair_addr(fors_pk_addr, fors_addr);
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < ((PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_TREES + 3) & ~0x3); i += 4) {
- for (j = 0; j < 4; j++) {
- if (i + j < PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_TREES) {
- idx_offset[j] = (i + j) * (1 << PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_HEIGHT);
-
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_tree_height(fors_tree_addrx4 + j * 8, 0);
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_tree_index(fors_tree_addrx4 + j * 8,
- indices[i + j] + idx_offset[j]);
- }
- }
-
- /* Include the secret key part that produces the selected leaf nodes. */
- fors_gen_skx4(sigbufx4 + 0 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N,
- sigbufx4 + 1 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N,
- sigbufx4 + 2 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N,
- sigbufx4 + 3 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N,
- sk_seed, fors_tree_addrx4, state_seeded);
-
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_treehashx4_FORS_HEIGHT(roots + i * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, sigbufx4 + 4 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, sk_seed, pub_seed,
- &indices[i], idx_offset, fors_gen_leafx4, fors_tree_addrx4,
- state_seeded);
-
- for (j = 0; j < 4; j++) {
- if (i + j < PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_TREES) {
- memcpy(sig, sigbufx4 + j * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N);
- memcpy(sig + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N,
- sigbufx4 + 4 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N + j * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_HEIGHT,
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_HEIGHT);
- sig += PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N * (1 + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_HEIGHT);
- }
- }
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, state_seeded);
-}
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_fors_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const unsigned char *pub_seed,
- const uint32_t fors_addr[8],
- const hash_state *state_seeded) {
- uint32_t indices[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_TREES];
- unsigned char roots[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N];
- unsigned char leaf[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N];
- uint32_t fors_tree_addr[8] = {0};
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset;
- unsigned int i;
-
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_copy_keypair_addr(fors_tree_addr, fors_addr);
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_copy_keypair_addr(fors_pk_addr, fors_addr);
-
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_type(fors_tree_addr, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_TYPE_FORSTREE);
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_TREES; i++) {
- idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_HEIGHT);
-
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_tree_height(fors_tree_addr, 0);
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_tree_index(fors_tree_addr, indices[i] + idx_offset);
-
- /* Derive the leaf from the included secret key part. */
- fors_sk_to_leaf(leaf, sig, pub_seed, fors_tree_addr, state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N;
-
- /* Derive the corresponding root node of this tree. */
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_compute_root(roots + i * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, leaf, indices[i], idx_offset,
- sig, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_HEIGHT, pub_seed, fors_tree_addr,
- state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, state_seeded);
-}
diff --git a/crypto_sign/sphincs-haraka-192s-simple/aesni/fors.h b/crypto_sign/sphincs-haraka-192s-simple/aesni/fors.h
deleted file mode 100644
index e111b6be..00000000
--- a/crypto_sign/sphincs-haraka-192s-simple/aesni/fors.h
+++ /dev/null
@@ -1,32 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_H -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_H - -#include - -#include "hash_state.h" -#include "params.h" - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_TREES bits. - */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_fors_sign( - unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const unsigned char *sk_seed, const unsigned char *pub_seed, - const uint32_t fors_addr[8], const hash_state *hash_state_seeded); - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_TREES bits. - */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_fors_pk_from_sig( - unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const unsigned char *pub_seed, const uint32_t fors_addr[8], - const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-192s-simple/aesni/haraka.c b/crypto_sign/sphincs-haraka-192s-simple/aesni/haraka.c deleted file mode 100644 index 27165481..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/aesni/haraka.c +++ /dev/null 
@@ -1,801 +0,0 @@ -/* -Plain C implementation of the Haraka256 and Haraka512 permutations. -*/ -#include -#include -#include -#include -#include - -#include "haraka.h" - -#define HARAKAS_RATE 32 - -#define u64 uint64_t -#define u128 __m128i - -#define LOAD(src) _mm_loadu_si128((u128 *)(src)) -#define STORE(dest,src) _mm_storeu_si128((u128 *)(dest),src) - -#define XOR128(a, b) _mm_xor_si128(a, b) - -#define AES2(s0, s1, rci) \ - (s0) = _mm_aesenc_si128(s0, *(rci)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 1)); \ - (s0) = _mm_aesenc_si128(s0, *((rci) + 2)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 3)); - -#define AES2_4x(s0, s1, s2, s3, rci) \ - AES2((s0)[0], (s0)[1], rci); \ - AES2((s1)[0], (s1)[1], rci); \ - AES2((s2)[0], (s2)[1], rci); \ - AES2((s3)[0], (s3)[1], rci); - -#define AES4(s0, s1, s2, s3, rci) \ - (s0) = _mm_aesenc_si128(s0, *(rci)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 1)); \ - (s2) = _mm_aesenc_si128(s2, *((rci) + 2)); \ - (s3) = _mm_aesenc_si128(s3, *((rci) + 3)); \ - (s0) = _mm_aesenc_si128(s0, *((rci) + 4)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 5)); \ - (s2) = _mm_aesenc_si128(s2, *((rci) + 6)); \ - (s3) = _mm_aesenc_si128(s3, *((rci) + 7)); - -#define AES4_4x(s0, s1, s2, s3, rci) \ - AES4((s0)[0], (s0)[1], (s0)[2], (s0)[3], rci); \ - AES4((s1)[0], (s1)[1], (s1)[2], (s1)[3], rci); \ - AES4((s2)[0], (s2)[1], (s2)[2], (s2)[3], rci); \ - AES4((s3)[0], (s3)[1], (s3)[2], (s3)[3], rci); - -#define MIX2(s0, s1) \ - tmp = _mm_unpacklo_epi32(s0, s1); \ - (s1) = _mm_unpackhi_epi32(s0, s1); \ - (s0) = tmp; - -#define MIX4(s0, s1, s2, s3) \ - tmp = _mm_unpacklo_epi32(s0, s1); \ - (s0) = _mm_unpackhi_epi32(s0, s1); \ - (s1) = _mm_unpacklo_epi32(s2, s3); \ - (s2) = _mm_unpackhi_epi32(s2, s3); \ - (s3) = _mm_unpacklo_epi32(s0, s2); \ - (s0) = _mm_unpackhi_epi32(s0, s2); \ - (s2) = _mm_unpackhi_epi32(s1, tmp); \ - (s1) = _mm_unpacklo_epi32(s1, tmp); - -#define TRUNCSTORE(out, s0, s1, s2, s3) \ - _mm_storeu_si128((u128 *)(out), \ - 
_mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(s0), _mm_castsi128_pd(s1), 3))); \ - _mm_storeu_si128((u128 *)((out) + 16), \ - _mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(s2), _mm_castsi128_pd(s3), 0))); - -static void load_haraka_constants(u128 rc[40]) { - rc[ 0] = _mm_set_epi32((int)0x0684704c, (int)0xe620c00a, (int)0xb2c5fef0, (int)0x75817b9d); - rc[ 1] = _mm_set_epi32((int)0x8b66b4e1, (int)0x88f3a06b, (int)0x640f6ba4, (int)0x2f08f717); - rc[ 2] = _mm_set_epi32((int)0x3402de2d, (int)0x53f28498, (int)0xcf029d60, (int)0x9f029114); - rc[ 3] = _mm_set_epi32((int)0x0ed6eae6, (int)0x2e7b4f08, (int)0xbbf3bcaf, (int)0xfd5b4f79); - rc[ 4] = _mm_set_epi32((int)0xcbcfb0cb, (int)0x4872448b, (int)0x79eecd1c, (int)0xbe397044); - rc[ 5] = _mm_set_epi32((int)0x7eeacdee, (int)0x6e9032b7, (int)0x8d5335ed, (int)0x2b8a057b); - rc[ 6] = _mm_set_epi32((int)0x67c28f43, (int)0x5e2e7cd0, (int)0xe2412761, (int)0xda4fef1b); - rc[ 7] = _mm_set_epi32((int)0x2924d9b0, (int)0xafcacc07, (int)0x675ffde2, (int)0x1fc70b3b); - rc[ 8] = _mm_set_epi32((int)0xab4d63f1, (int)0xe6867fe9, (int)0xecdb8fca, (int)0xb9d465ee); - rc[ 9] = _mm_set_epi32((int)0x1c30bf84, (int)0xd4b7cd64, (int)0x5b2a404f, (int)0xad037e33); - rc[10] = _mm_set_epi32((int)0xb2cc0bb9, (int)0x941723bf, (int)0x69028b2e, (int)0x8df69800); - rc[11] = _mm_set_epi32((int)0xfa0478a6, (int)0xde6f5572, (int)0x4aaa9ec8, (int)0x5c9d2d8a); - rc[12] = _mm_set_epi32((int)0xdfb49f2b, (int)0x6b772a12, (int)0x0efa4f2e, (int)0x29129fd4); - rc[13] = _mm_set_epi32((int)0x1ea10344, (int)0xf449a236, (int)0x32d611ae, (int)0xbb6a12ee); - rc[14] = _mm_set_epi32((int)0xaf044988, (int)0x4b050084, (int)0x5f9600c9, (int)0x9ca8eca6); - rc[15] = _mm_set_epi32((int)0x21025ed8, (int)0x9d199c4f, (int)0x78a2c7e3, (int)0x27e593ec); - rc[16] = _mm_set_epi32((int)0xbf3aaaf8, (int)0xa759c9b7, (int)0xb9282ecd, (int)0x82d40173); - rc[17] = _mm_set_epi32((int)0x6260700d, (int)0x6186b017, (int)0x37f2efd9, (int)0x10307d6b); - rc[18] = _mm_set_epi32((int)0x5aca45c2, 
(int)0x21300443, (int)0x81c29153, (int)0xf6fc9ac6); - rc[19] = _mm_set_epi32((int)0x9223973c, (int)0x226b68bb, (int)0x2caf92e8, (int)0x36d1943a); - rc[20] = _mm_set_epi32((int)0xd3bf9238, (int)0x225886eb, (int)0x6cbab958, (int)0xe51071b4); - rc[21] = _mm_set_epi32((int)0xdb863ce5, (int)0xaef0c677, (int)0x933dfddd, (int)0x24e1128d); - rc[22] = _mm_set_epi32((int)0xbb606268, (int)0xffeba09c, (int)0x83e48de3, (int)0xcb2212b1); - rc[23] = _mm_set_epi32((int)0x734bd3dc, (int)0xe2e4d19c, (int)0x2db91a4e, (int)0xc72bf77d); - rc[24] = _mm_set_epi32((int)0x43bb47c3, (int)0x61301b43, (int)0x4b1415c4, (int)0x2cb3924e); - rc[25] = _mm_set_epi32((int)0xdba775a8, (int)0xe707eff6, (int)0x03b231dd, (int)0x16eb6899); - rc[26] = _mm_set_epi32((int)0x6df3614b, (int)0x3c755977, (int)0x8e5e2302, (int)0x7eca472c); - rc[27] = _mm_set_epi32((int)0xcda75a17, (int)0xd6de7d77, (int)0x6d1be5b9, (int)0xb88617f9); - rc[28] = _mm_set_epi32((int)0xec6b43f0, (int)0x6ba8e9aa, (int)0x9d6c069d, (int)0xa946ee5d); - rc[29] = _mm_set_epi32((int)0xcb1e6950, (int)0xf957332b, (int)0xa2531159, (int)0x3bf327c1); - rc[30] = _mm_set_epi32((int)0x2cee0c75, (int)0x00da619c, (int)0xe4ed0353, (int)0x600ed0d9); - rc[31] = _mm_set_epi32((int)0xf0b1a5a1, (int)0x96e90cab, (int)0x80bbbabc, (int)0x63a4a350); - rc[32] = _mm_set_epi32((int)0xae3db102, (int)0x5e962988, (int)0xab0dde30, (int)0x938dca39); - rc[33] = _mm_set_epi32((int)0x17bb8f38, (int)0xd554a40b, (int)0x8814f3a8, (int)0x2e75b442); - rc[34] = _mm_set_epi32((int)0x34bb8a5b, (int)0x5f427fd7, (int)0xaeb6b779, (int)0x360a16f6); - rc[35] = _mm_set_epi32((int)0x26f65241, (int)0xcbe55438, (int)0x43ce5918, (int)0xffbaafde); - rc[36] = _mm_set_epi32((int)0x4ce99a54, (int)0xb9f3026a, (int)0xa2ca9cf7, (int)0x839ec978); - rc[37] = _mm_set_epi32((int)0xae51a51a, (int)0x1bdff7be, (int)0x40c06e28, (int)0x22901235); - rc[38] = _mm_set_epi32((int)0xa0c1613c, (int)0xba7ed22b, (int)0xc173bc0f, (int)0x48a659cf); - rc[39] = _mm_set_epi32((int)0x756acc03, (int)0x02288288, 
(int)0x4ad6bdfd, (int)0xe9c59da1); -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_tweak_constants( - harakactx *state, - const unsigned char *pk_seed, const unsigned char *sk_seed, - unsigned long long seed_length) { - int i; - unsigned char buf[40 * 16]; - - /* Use the standard constants to generate tweaked ones. */ - load_haraka_constants(state->rc); - - /* Constants for sk.seed */ - if (sk_seed != NULL) { - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka_S(buf, 40 * 16, sk_seed, seed_length, state); - /* Tweak constants with the pub_seed */ - for (i = 0; i < 40; i++) { - state->rc_sseed[i] = LOAD(buf + i * 16); - } - } - - /* Constants for pk.seed */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka_S(buf, 40 * 16, pk_seed, seed_length, state); - - /* Tweak constants with the pub_seed */ - for (i = 0; i < 40; i++) { - state->rc[i] = LOAD(buf + i * 16); - } -} - -static void haraka_S_absorb(unsigned char *s, - const unsigned char *m, unsigned long long mlen, - unsigned char p, - const harakactx *state) { - unsigned long long i; - unsigned char t[HARAKAS_RATE]; - - while (mlen >= HARAKAS_RATE) { - // XOR block to state - STORE(s, XOR128(LOAD(s), LOAD(m))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(m + 16))); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka512_perm(s, s, state); - mlen -= HARAKAS_RATE; - m += HARAKAS_RATE; - } - - for (i = 0; i < HARAKAS_RATE; ++i) { - t[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t[i] = m[i]; - } - t[i] = p; - t[HARAKAS_RATE - 1] |= 128; - STORE(s, XOR128(LOAD(s), LOAD(t))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(t + 16))); -} - -static void haraka_S_absorb4x(unsigned char *s, - const unsigned char *m0, - const unsigned char *m1, - const unsigned char *m2, - const unsigned char *m3, - unsigned long long int mlen, - unsigned char p, - const harakactx *state) { - unsigned long long i; - unsigned char t0[HARAKAS_RATE]; - unsigned char t1[HARAKAS_RATE]; - unsigned char t2[HARAKAS_RATE]; - unsigned char t3[HARAKAS_RATE]; - - while (mlen 
>= HARAKAS_RATE) { - // XOR block to state - STORE(s, XOR128(LOAD(s), LOAD(m0))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(m0 + 16))); - STORE(s + 64, XOR128(LOAD(s + 64), LOAD(m1))); - STORE(s + 80, XOR128(LOAD(s + 80), LOAD(m1 + 16))); - STORE(s + 128, XOR128(LOAD(s + 128), LOAD(m2))); - STORE(s + 144, XOR128(LOAD(s + 144), LOAD(m2 + 16))); - STORE(s + 192, XOR128(LOAD(s + 192), LOAD(m3))); - STORE(s + 208, XOR128(LOAD(s + 208), LOAD(m3 + 16))); - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka512_perm_x4(s, s, state); - mlen -= HARAKAS_RATE; - m0 += HARAKAS_RATE; - m1 += HARAKAS_RATE; - m2 += HARAKAS_RATE; - m3 += HARAKAS_RATE; - } - - for (i = 0; i < HARAKAS_RATE; ++i) { - t0[i] = 0; - t1[i] = 0; - t2[i] = 0; - t3[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t0[i] = m0[i]; - t1[i] = m1[i]; - t2[i] = m2[i]; - t3[i] = m3[i]; - } - - t0[i] = p; - t1[i] = p; - t2[i] = p; - t3[i] = p; - - t0[HARAKAS_RATE - 1] |= 128; - t1[HARAKAS_RATE - 1] |= 128; - t2[HARAKAS_RATE - 1] |= 128; - t3[HARAKAS_RATE - 1] |= 128; - - STORE(s, XOR128(LOAD(s), LOAD(t0))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(t0 + 16))); - STORE(s + 64, XOR128(LOAD(s + 64), LOAD(t1))); - STORE(s + 80, XOR128(LOAD(s + 80), LOAD(t1 + 16))); - STORE(s + 128, XOR128(LOAD(s + 128), LOAD(t2))); - STORE(s + 144, XOR128(LOAD(s + 144), LOAD(t2 + 16))); - STORE(s + 192, XOR128(LOAD(s + 192), LOAD(t3))); - STORE(s + 208, XOR128(LOAD(s + 208), LOAD(t3 + 16))); -} - -static void haraka_S_squeezeblocks(unsigned char *h, unsigned long long nblocks, - unsigned char *s, unsigned int r, const harakactx *state) { - while (nblocks > 0) { - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka512_perm(s, s, state); - STORE(h, LOAD(s)); - STORE(h + 16, LOAD(s + 16)); - h += r; - nblocks--; - } -} - -static void haraka_S_squeezeblocks4x(unsigned char *h0, - unsigned char *h1, - unsigned char *h2, - unsigned char *h3, - unsigned long long nblocks, - unsigned char *s, - unsigned int r, - const harakactx *state) { - while (nblocks > 0) 
{ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka512_perm_x4(s, s, state); - STORE(h0, LOAD(s)); - STORE(h0 + 16, LOAD(s + 16)); - STORE(h1, LOAD(s + 64)); - STORE(h1 + 16, LOAD(s + 80)); - STORE(h2, LOAD(s + 128)); - STORE(h2 + 16, LOAD(s + 144)); - STORE(h3, LOAD(s + 192)); - STORE(h3 + 16, LOAD(s + 208)); - h0 += r; - h1 += r; - h2 += r; - h3 += r; - nblocks--; - } -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka_S_inc_init(uint8_t *s_inc) { - size_t i; - - for (i = 0; i < 64; i++) { - s_inc[i] = 0; - } - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state) { - size_t i; - - /* Recall that s_inc[64] is the non-absorbed bytes xored into the state */ - while (mlen + s_inc[64] >= HARAKAS_RATE) { - for (i = 0; i < (size_t)(HARAKAS_RATE - s_inc[64]); i++) { - /* Take the i'th byte from message - xor with the s_inc[64] + i'th byte of the state */ - s_inc[s_inc[64] + i] ^= m[i]; - } - mlen -= (size_t)(HARAKAS_RATE - s_inc[64]); - m += HARAKAS_RATE - s_inc[64]; - s_inc[64] = 0; - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka512_perm(s_inc, s_inc, state); - } - - for (i = 0; i < mlen; i++) { - s_inc[s_inc[64] + i] ^= m[i]; - } - s_inc[64] = (uint8_t)(s_inc[64] + mlen); -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka_S_inc_finalize(uint8_t *s_inc) { - /* After haraka_S_inc_absorb, we are guaranteed that s_inc[64] < HARAKAS_RATE, - so we can always use one more byte for p in the current state. */ - s_inc[s_inc[64]] ^= 0x1F; - s_inc[HARAKAS_RATE - 1] ^= 128; - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state) { - size_t i; - - /* First consume any bytes we still have sitting around */ - for (i = 0; i < outlen && i < s_inc[64]; i++) { - /* There are s_inc[64] bytes left, so r - s_inc[64] is the first - available byte. We consume from there, i.e., up to r. 
*/ - out[i] = (uint8_t)s_inc[(HARAKAS_RATE - s_inc[64] + (uint8_t)i)]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(s_inc[64] - i); - - /* Then squeeze the remaining necessary blocks */ - while (outlen > 0) { - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka512_perm(s_inc, s_inc, state); - - for (i = 0; i < outlen && i < HARAKAS_RATE; i++) { - out[i] = s_inc[i]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(HARAKAS_RATE - i); - } -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka_S(unsigned char *out, unsigned long long outlen, - const unsigned char *in, unsigned long long inlen, const harakactx *state) { - unsigned long long i; - unsigned char s[64]; - unsigned char d[32]; - - for (i = 0; i < 64; i++) { - s[i] = 0; - } - haraka_S_absorb(s, in, inlen, 0x1F, state); - - haraka_S_squeezeblocks(out, outlen / HARAKAS_RATE, s, HARAKAS_RATE, state); - out += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - - if (outlen % HARAKAS_RATE) { - haraka_S_squeezeblocks(d, 1, s, HARAKAS_RATE, state); - for (i = 0; i < outlen % HARAKAS_RATE; i++) { - out[i] = d[i]; - } - } -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka_Sx4(unsigned char *out0, - unsigned char *out1, - unsigned char *out2, - unsigned char *out3, - unsigned long long outlen, - const unsigned char *in0, - const unsigned char *in1, - const unsigned char *in2, - const unsigned char *in3, - unsigned long long inlen, - const harakactx *state) { - unsigned long long i; - unsigned char s[64 * 4]; - unsigned char d0[32]; - unsigned char d1[32]; - unsigned char d2[32]; - unsigned char d3[32]; - - for (i = 0; i < 64 * 4; i++) { - s[i] = 0; - } - haraka_S_absorb4x(s, in0, in1, in2, in3, inlen, 0x1F, state); - - haraka_S_squeezeblocks4x(out0, out1, out2, out3, outlen / HARAKAS_RATE, s, HARAKAS_RATE, state); - out0 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out1 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out2 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out3 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - 
- if (outlen % HARAKAS_RATE) { - haraka_S_squeezeblocks4x(d0, d1, d2, d3, 1, s, HARAKAS_RATE, state); - for (i = 0; i < outlen % HARAKAS_RATE; i++) { - out0[i] = d0[i]; - out1[i] = d1[i]; - out2[i] = d2[i]; - out3[i] = d3[i]; - } - } -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - s[2] = LOAD(in + 32); - s[3] = LOAD(in + 48); - - AES4(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0], s[1], s[2], s[3]); - - STORE(out, s[0]); - STORE(out + 16, s[1]); - STORE(out + 32, s[2]); - STORE(out + 48, s[3]); -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka512_perm_x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][4], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[0][2] = LOAD(in + 32); - s[0][3] = LOAD(in + 48); - s[1][0] = LOAD(in + 64); - s[1][1] = LOAD(in + 80); - s[1][2] = LOAD(in + 96); - s[1][3] = LOAD(in + 112); - s[2][0] = LOAD(in + 128); - s[2][1] = LOAD(in + 144); - s[2][2] = LOAD(in + 160); - s[2][3] = LOAD(in + 176); - s[3][0] = LOAD(in + 192); - s[3][1] = LOAD(in + 208); - s[3][2] = LOAD(in + 224); - s[3][3] = LOAD(in + 240); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - 
MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[0][2]); - STORE(out + 48, s[0][3]); - STORE(out + 64, s[1][0]); - STORE(out + 80, s[1][1]); - STORE(out + 96, s[1][2]); - STORE(out + 112, s[1][3]); - STORE(out + 128, s[2][0]); - STORE(out + 144, s[2][1]); - STORE(out + 160, s[2][2]); - STORE(out + 176, s[2][3]); - STORE(out + 192, s[3][0]); - STORE(out + 208, s[3][1]); - STORE(out + 224, s[3][2]); - STORE(out + 240, s[3][3]); -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - s[2] = LOAD(in + 32); - s[3] = LOAD(in + 48); - - AES4(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0], s[1], s[2], s[3]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - s[2] = XOR128(s[2], LOAD(in + 32)); - s[3] = XOR128(s[3], LOAD(in + 48)); - - // truncate and 
store result - TRUNCSTORE(out, s[0], s[1], s[2], s[3]); -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka512x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][4], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[0][2] = LOAD(in + 32); - s[0][3] = LOAD(in + 48); - s[1][0] = LOAD(in + 64); - s[1][1] = LOAD(in + 80); - s[1][2] = LOAD(in + 96); - s[1][3] = LOAD(in + 112); - s[2][0] = LOAD(in + 128); - s[2][1] = LOAD(in + 144); - s[2][2] = LOAD(in + 160); - s[2][3] = LOAD(in + 176); - s[3][0] = LOAD(in + 192); - s[3][1] = LOAD(in + 208); - s[3][2] = LOAD(in + 224); - s[3][3] = LOAD(in + 240); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - s[0][0] = XOR128(s[0][0], LOAD(in)); - s[0][1] = XOR128(s[0][1], LOAD(in + 16)); - s[0][2] = XOR128(s[0][2], LOAD(in + 32)); - s[0][3] = XOR128(s[0][3], LOAD(in + 48)); - s[1][0] = XOR128(s[1][0], LOAD(in + 
64)); - s[1][1] = XOR128(s[1][1], LOAD(in + 80)); - s[1][2] = XOR128(s[1][2], LOAD(in + 96)); - s[1][3] = XOR128(s[1][3], LOAD(in + 112)); - s[2][0] = XOR128(s[2][0], LOAD(in + 128)); - s[2][1] = XOR128(s[2][1], LOAD(in + 144)); - s[2][2] = XOR128(s[2][2], LOAD(in + 160)); - s[2][3] = XOR128(s[2][3], LOAD(in + 176)); - s[3][0] = XOR128(s[3][0], LOAD(in + 192)); - s[3][1] = XOR128(s[3][1], LOAD(in + 208)); - s[3][2] = XOR128(s[3][2], LOAD(in + 224)); - s[3][3] = XOR128(s[3][3], LOAD(in + 240)); - - TRUNCSTORE(out, s[0][0], s[0][1], s[0][2], s[0][3]); - TRUNCSTORE((out + 32), s[1][0], s[1][1], s[1][2], s[1][3]); - TRUNCSTORE((out + 64), s[2][0], s[2][1], s[2][2], s[2][3]); - TRUNCSTORE((out + 96), s[3][0], s[3][1], s[3][2], s[3][3]); -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[2], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - - AES2(s[0], s[1], state->rc); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 4); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 8); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 12); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 16); - MIX2(s[0], s[1]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - - STORE(out, s[0]); - STORE(out + 16, s[1]); -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka256x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][2], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[1][0] = LOAD(in + 32); - s[1][1] = LOAD(in + 48); - s[2][0] = LOAD(in + 64); - s[2][1] = LOAD(in + 80); - s[3][0] = LOAD(in + 96); - s[3][1] = LOAD(in + 112); - - // Round 1 - AES2_4x(s[0], s[1], s[2], s[3], state->rc); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 2 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 4); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - 
MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 3 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 8); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 4 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 12); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 5 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 16); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Feed Forward - s[0][0] = _mm_xor_si128(s[0][0], LOAD(in)); - s[0][1] = _mm_xor_si128(s[0][1], LOAD(in + 16)); - s[1][0] = _mm_xor_si128(s[1][0], LOAD(in + 32)); - s[1][1] = _mm_xor_si128(s[1][1], LOAD(in + 48)); - s[2][0] = _mm_xor_si128(s[2][0], LOAD(in + 64)); - s[2][1] = _mm_xor_si128(s[2][1], LOAD(in + 80)); - s[3][0] = _mm_xor_si128(s[3][0], LOAD(in + 96)); - s[3][1] = _mm_xor_si128(s[3][1], LOAD(in + 112)); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[1][0]); - STORE(out + 48, s[1][1]); - STORE(out + 64, s[2][0]); - STORE(out + 80, s[2][1]); - STORE(out + 96, s[3][0]); - STORE(out + 112, s[3][1]); -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[2], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - - AES2(s[0], s[1], state->rc_sseed); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 4); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 8); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 12); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 16); - MIX2(s[0], s[1]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - - STORE(out, s[0]); - STORE(out + 16, s[1]); -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka256_skx4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][2], tmp; - - 
s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[1][0] = LOAD(in + 32); - s[1][1] = LOAD(in + 48); - s[2][0] = LOAD(in + 64); - s[2][1] = LOAD(in + 80); - s[3][0] = LOAD(in + 96); - s[3][1] = LOAD(in + 112); - - // Round 1 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 2 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 4); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 3 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 8); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 4 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 12); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 5 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 16); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Feed Forward - s[0][0] = XOR128(s[0][0], LOAD(in)); - s[0][1] = XOR128(s[0][1], LOAD(in + 16)); - s[1][0] = XOR128(s[1][0], LOAD(in + 32)); - s[1][1] = XOR128(s[1][1], LOAD(in + 48)); - s[2][0] = XOR128(s[2][0], LOAD(in + 64)); - s[2][1] = XOR128(s[2][1], LOAD(in + 80)); - s[3][0] = XOR128(s[3][0], LOAD(in + 96)); - s[3][1] = XOR128(s[3][1], LOAD(in + 112)); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[1][0]); - STORE(out + 48, s[1][1]); - STORE(out + 64, s[2][0]); - STORE(out + 80, s[2][1]); - STORE(out + 96, s[3][0]); - STORE(out + 112, s[3][1]); -} diff --git a/crypto_sign/sphincs-haraka-192s-simple/aesni/haraka.h b/crypto_sign/sphincs-haraka-192s-simple/aesni/haraka.h deleted file mode 100644 index e0838b74..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/aesni/haraka.h +++ /dev/null 
@@ -1,57 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_HARAKA_H
-#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_HARAKA_H
-
-#include
-#include
-#include
-
-typedef struct {
- __m128i rc[40];
- __m128i rc_sseed[40];
-} harakactx;
-
-/* Tweak constants with seed */
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length);
-
-/* Haraka Sponge */
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka_S_inc_init(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka_S_inc_finalize(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka_S(
- unsigned char *out, unsigned long long outlen,
- const unsigned char *in, unsigned long long inlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka_Sx4(
- unsigned char *out0,
- unsigned char *out1,
- unsigned char *out2,
- unsigned char *out3,
- unsigned long long outlen,
- const unsigned char *in0,
- const unsigned char *in1,
- const unsigned char *in2,
- const unsigned char *in3,
- unsigned long long inlen,
- const harakactx *state);
-
-
-/* Applies the 512-bit Haraka permutation to in. */
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka512_perm_x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-512 */
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka512x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 */
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka256x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 using sk.seed constants */
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka256_skx4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192s-simple/aesni/hash.h b/crypto_sign/sphincs-haraka-192s-simple/aesni/hash.h
deleted file mode 100644
index 9c0f6927..00000000
--- a/crypto_sign/sphincs-haraka-192s-simple/aesni/hash.h
+++ /dev/null
@@ -1,31 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_HASH_H
-#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_HASH_H
-
-#include "hash_state.h"
-
-#include
-#include
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed);
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_destroy_hash_function(hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192s-simple/aesni/hash_haraka.c b/crypto_sign/sphincs-haraka-192s-simple/aesni/hash_haraka.c
deleted file mode 100644
index b5b7e6b2..00000000
--- a/crypto_sign/sphincs-haraka-192s-simple/aesni/hash_haraka.c
+++ /dev/null
@@ -1,96 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "hash.h" -#include "params.h" -#include "utils.h" - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_initialize_hash_function( - hash_state *hash_state_seeded, - const unsigned char *pub_seed, const unsigned char *sk_seed) { - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_tweak_constants(hash_state_seeded, pub_seed, sk_seed, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); -} - -/* The haraka implementation is stack based and won't be replaced in PQClean/OQS, - so we don't need to do anything */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_destroy_hash_function( - hash_state *hash_state_seeded) { // NOLINT(readability-non-const-parameter) - (void)hash_state_seeded; -} - -/* - * Computes PRF(key, addr), given a secret key of PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N bytes and an address - */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_prf_addr( - unsigned char *out, const unsigned char *key, const uint32_t addr[8], - const hash_state *hash_state_seeded) { - unsigned char buf[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_BYTES]; - /* Since PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N may be smaller than 32, we need a temporary buffer. */ - unsigned char outbuf[32]; - - (void)key; /* Suppress an 'unused parameter' warning. */ - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_addr_to_bytes(buf, addr); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka256_sk(outbuf, buf, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); -} - -/** - * Computes the message-dependent randomness R, using a secret seed and an - * optional randomization value as well as the message. 
- */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_gen_message_random( - unsigned char *R, - const unsigned char *sk_prf, const unsigned char *optrand, - const unsigned char *m, size_t mlen, - const hash_state *hash_state_seeded) { - uint8_t s_inc[65]; - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka_S_inc_init(s_inc); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, sk_prf, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, optrand, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka_S_inc_finalize(s_inc); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka_S_inc_squeeze(R, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, s_inc, hash_state_seeded); -} - -/** - * Computes the message hash using R, the public key, and the message. - * Outputs the message digest and the index of the leaf. The index is split in - * the tree index and the leaf index, for convenient copying to an address. 
- */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_hash_message( - unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx, - const unsigned char *R, const unsigned char *pk, - const unsigned char *m, size_t mlen, - const hash_state *hash_state_seeded) { -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_TREE_BITS (PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_TREE_HEIGHT * (PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_D - 1)) -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_TREE_BYTES ((PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_TREE_BITS + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_LEAF_BITS PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_TREE_HEIGHT -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_LEAF_BYTES ((PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_LEAF_BITS + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_DGST_BYTES (PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_MSG_BYTES + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_TREE_BYTES + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_LEAF_BYTES) - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_DGST_BYTES]; - unsigned char *bufp = buf; - uint8_t s_inc[65]; - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka_S_inc_init(s_inc); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, R, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, pk + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka_S_inc_finalize(s_inc); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka_S_inc_squeeze(buf, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_DGST_BYTES, s_inc, hash_state_seeded); - - memcpy(digest, bufp, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_MSG_BYTES); - bufp += PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_MSG_BYTES; - - *tree = PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_bytes_to_ull(bufp, 
PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_TREE_BYTES); - *tree &= (~(uint64_t)0) >> (64 - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_TREE_BITS); - bufp += PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_TREE_BYTES; - - *leaf_idx = (uint32_t)PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_bytes_to_ull( - bufp, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_LEAF_BYTES); - *leaf_idx &= (~(uint32_t)0) >> (32 - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_LEAF_BITS); -} diff --git a/crypto_sign/sphincs-haraka-192s-simple/aesni/hash_harakax4.c b/crypto_sign/sphincs-haraka-192s-simple/aesni/hash_harakax4.c deleted file mode 100644 index 7a289dcf..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/aesni/hash_harakax4.c +++ /dev/null @@ -1,37 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "hash_state.h" -#include "hashx4.h" -#include "params.h" - -/* - * 4-way parallel version of prf_addr; takes 4x as much input and output - */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_prf_addrx4(unsigned char *out0, - unsigned char *out1, - unsigned char *out2, - unsigned char *out3, - const unsigned char *key, - const uint32_t addrx4[4 * 8], - const hash_state *state_seeded) { - unsigned char bufx4[4 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_BYTES]; - /* Since PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N may be smaller than 32, we need a temporary buffer. */ - unsigned char outbuf[4 * 32]; - unsigned int i; - - (void)key; /* Suppress an 'unused parameter' warning. */ - - for (i = 0; i < 4; i++) { - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_addr_to_bytes(bufx4 + i * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_BYTES, addrx4 + i * 8); - } - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka256_skx4(outbuf, bufx4, state_seeded); - - memcpy(out0, outbuf, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); - memcpy(out1, outbuf + 32, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); - memcpy(out2, outbuf + 64, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); - memcpy(out3, outbuf + 96, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); -} 
diff --git a/crypto_sign/sphincs-haraka-192s-simple/aesni/hash_state.h b/crypto_sign/sphincs-haraka-192s-simple/aesni/hash_state.h deleted file mode 100644 index db7b3e5b..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/aesni/hash_state.h +++ /dev/null @@ -1,26 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_HASH_STATE_H -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_HASH_STATE_H - -/** - * Defines the type of the hash function state. - * - * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! - * - * From Section 7.2.2 from the SPHINCS+ round-2 specification: - * - * Each of the instances of the tweakable hash function take PK.seed as its - * first input, which is constant for a given key pair – and, thus, across - * a single signature. This leads to a lot of redundant computation. To remedy - * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. - * Because of the Merkle-Damgård construction that underlies SHA-256, this - * allows for reuse of the intermediate SHA-256 state after the initial call to - * the compression function which improves performance. - * - * We pass this hash state around in functions, because otherwise we need to - * have a global variable. - */ - -#include "haraka.h" -#define hash_state harakactx - -#endif diff --git a/crypto_sign/sphincs-haraka-192s-simple/aesni/hashx4.h b/crypto_sign/sphincs-haraka-192s-simple/aesni/hashx4.h deleted file mode 100644 index 7e381cd3..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/aesni/hashx4.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_HASHX4_H -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_HASHX4_H - -#include - -#include "hash_state.h" - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_prf_addrx4(unsigned char *out0, - unsigned char *out1, - unsigned char *out2, - unsigned char *out3, - const unsigned char *key, - const uint32_t addrx4[4 * 8], - const hash_state *state_seeded); - -#endif 
diff --git a/crypto_sign/sphincs-haraka-192s-simple/aesni/params.h b/crypto_sign/sphincs-haraka-192s-simple/aesni/params.h deleted file mode 100644 index 0f8d7918..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/aesni/params.h +++ /dev/null 
@@ -1,53 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_PARAMS_H -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_PARAMS_H - -/* Hash output length in bytes. */ -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N 24 -/* Height of the hypertree. */ -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FULL_HEIGHT 64 -/* Number of subtree layer. */ -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_D 8 -/* FORS tree dimensions. */ -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_HEIGHT 16 -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_TREES 14 -/* Winternitz parameter, */ -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_W 16 - -/* The hash function is defined by linking a different hash.c file, as opposed - to setting a #define constant. */ - -/* For clarity */ -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_BYTES 32 - -/* WOTS parameters. */ -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_LOGW 4 - -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_LEN1 (8 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N / PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_LOGW) - -/* PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */ -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_LEN2 3 - -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_LEN (PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_LEN1 + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_LEN2) -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_BYTES (PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_LEN * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N) -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_PK_BYTES PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_BYTES - -/* Subtree size. */ -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_TREE_HEIGHT (PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FULL_HEIGHT / PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_D) - -/* FORS parameters. 
*/ -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_MSG_BYTES ((PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_TREES + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_BYTES ((PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_HEIGHT + 1) * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N) -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_PK_BYTES PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N - -/* Resulting SPX sizes. */ -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_BYTES (PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_BYTES + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_D * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_BYTES +\ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FULL_HEIGHT * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N) -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_PK_BYTES (2 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N) -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_SK_BYTES (2 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_PK_BYTES) - -/* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. */ -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_OPTRAND_BYTES 32 - -#endif diff --git a/crypto_sign/sphincs-haraka-192s-simple/aesni/sign.c b/crypto_sign/sphincs-haraka-192s-simple/aesni/sign.c deleted file mode 100644 index 6a274b42..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/aesni/sign.c +++ /dev/null 
@@ -1,409 +0,0 @@ -#include -#include -#include -#include - -#include "address.h" -#include "api.h" -#include "fors.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "randombytes.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - - -/** - * Computes the leaf at a given address. First generates the WOTS key pair, - * then computes leaf by hashing horizontally. - */ -static void wots_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx, const uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - unsigned char pk[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_BYTES]; - uint32_t wots_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_TYPE_WOTSPK); - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_keypair_addr( - wots_addr, addr_idx); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_wots_gen_pk( - pk, sk_seed, pub_seed, wots_addr, hash_state_seeded); - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_copy_keypair_addr( - wots_pk_addr, wots_addr); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_thash_WOTS_LEN( - leaf, pk, pub_seed, wots_pk_addr, hash_state_seeded); -} - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_crypto_sign_secretkeybytes(void) { - return PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES; -} - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_crypto_sign_publickeybytes(void) { - return PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES; -} - -/* - * Returns the length of a signature, in bytes - */ -size_t 
PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_crypto_sign_bytes(void) { - return PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_CRYPTO_BYTES; -} - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_crypto_sign_seedbytes(void) { - return PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_CRYPTO_SEEDBYTES; -} - -/* - * Generates an SPX key pair given a seed of length - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_crypto_sign_seed_keypair( - uint8_t *pk, uint8_t *sk, const uint8_t *seed) { - /* We do not need the auth path in key generation, but it simplifies the - code to have just one treehash routine that computes both root and path - in one function. */ - unsigned char auth_path[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N]; - uint32_t top_tree_addr[8] = {0}; - hash_state hash_state_seeded; - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_layer_addr( - top_tree_addr, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_D - 1); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_type( - top_tree_addr, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_TYPE_HASHTREE); - - /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */ - memcpy(sk, seed, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_CRYPTO_SEEDBYTES); - - memcpy(pk, sk + 2 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_initialize_hash_function(&hash_state_seeded, pk, sk); - - /* Compute root node of the top-most subtree. 
*/ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_treehash_TREE_HEIGHT( - sk + 3 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, auth_path, sk, sk + 2 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, 0, 0, - wots_gen_leaf, top_tree_addr, &hash_state_seeded); - - memcpy(pk + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, sk + 3 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); - - return 0; -} - -/* - * Generates an SPX key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk) { - - // guarantee alignment of pk - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES / 16]; - uint8_t pk[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - - // guarantee alignment of sk - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES / 16]; - uint8_t sk[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES]; - } aligned_sk; - - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_CRYPTO_SEEDBYTES / 16]; - uint8_t seed[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_CRYPTO_SEEDBYTES]; - } aligned_seed; - randombytes(aligned_seed.seed, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_CRYPTO_SEEDBYTES); - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_crypto_sign_seed_keypair( - aligned_pk.pk, aligned_sk.sk, aligned_seed.seed); - memcpy(pk, aligned_pk.pk, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES); - memcpy(sk, aligned_sk.sk, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES); - - return 0; -} - -/** - * Returns an array containing a detached signature. 
- */ -int PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - // guarantee alignment of sk - union { - __m128 *_x; - uint8_t sk[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES]; - } aligned_sk; - memcpy(aligned_sk.sk, sk, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES); - sk = aligned_sk.sk; - - // guarantee alignment of sig - union { - __m128 *_x; - uint8_t sig[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_BYTES]; - } aligned_sig; - uint8_t *orig_sig = sig; - sig = (uint8_t *)aligned_sig.sig; - - const unsigned char *sk_seed = sk; - const unsigned char *sk_prf = sk + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N; - const unsigned char *pk = sk + 2 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N; - const unsigned char *pub_seed = pk; - - unsigned char optrand[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N]; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_MSG_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N]; - uint32_t i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - - hash_state hash_state_seeded; - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_initialize_hash_function( - &hash_state_seeded, - pub_seed, sk_seed); - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_TYPE_HASHTREE); - - /* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. 
*/ - randombytes(optrand, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); - /* Compute the digest randomization value. */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_gen_message_random( - sig, sk_prf, optrand, m, mlen, &hash_state_seeded); - - /* Derive the message digest and leaf index from R, PK and M. */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N; - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - /* Sign the message hash using FORS. */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_fors_sign( - sig, root, mhash, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_BYTES; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_D; i++) { - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - /* Compute a WOTS signature. */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_wots_sign( - sig, root, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_BYTES; - - /* Compute the authentication path for the used WOTS leaf. */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_treehash_TREE_HEIGHT( - root, sig, sk_seed, pub_seed, idx_leaf, 0, - wots_gen_leaf, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N; - - /* Update the indices for the next layer. 
*/ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_TREE_HEIGHT; - } - - memcpy(orig_sig, aligned_sig.sig, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_BYTES); - *siglen = PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_BYTES; - - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - // guarantee alignment of pk - union { - __m128 *_x; - uint8_t pk[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - memcpy(aligned_pk.pk, pk, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES); - pk = aligned_pk.pk; - - const unsigned char *pub_seed = pk; - const unsigned char *pub_root = pk + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_MSG_BYTES]; - unsigned char wots_pk[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N]; - unsigned int i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - hash_state hash_state_seeded; - - if (siglen != PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_BYTES) { - return -1; - } - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_initialize_hash_function( - &hash_state_seeded, - pub_seed, NULL); - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_TYPE_HASHTREE); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_TYPE_WOTSPK); - - /* Derive the message digest and leaf index from R || PK || M. */ - /* The additional PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N is a result of the hash domain separator. */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N; - - /* Layer correctly defaults to 0, so no need to set_layer_addr */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_fors_pk_from_sig( - root, sig, mhash, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_BYTES; - - /* For each subtree.. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_D; i++) { - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_copy_keypair_addr( - wots_pk_addr, wots_addr); - - /* The WOTS public key is only correct if the signature was correct. */ - /* Initially, root is the FORS pk, but on subsequent iterations it is - the root of the subtree below the currently processed subtree. 
*/ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_wots_pk_from_sig( - wots_pk, sig, root, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_BYTES; - - /* Compute the leaf node using the WOTS public key. */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_thash_WOTS_LEN( - leaf, wots_pk, pub_seed, wots_pk_addr, &hash_state_seeded); - - /* Compute the root node of this subtree. */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_compute_root( - root, leaf, idx_leaf, 0, sig, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_TREE_HEIGHT, - pub_seed, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_TREE_HEIGHT; - } - - /* Check if the root node equals the root node in the public key. */ - if (memcmp(root, pub_root, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N) != 0) { - return -1; - } - - return 0; -} - - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - size_t siglen; - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_crypto_sign_signature( - sm, &siglen, m, mlen, sk); - - memmove(sm + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_BYTES, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. 
- */ -int PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk) { - - // guarantee alignment of pk - union { - __m128 *_x; - uint8_t pk[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - memcpy(aligned_pk.pk, pk, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES); - pk = aligned_pk.pk; - - - /* The API caller does not necessarily know what size a signature should be - but SPHINCS+ signatures are always exactly PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_BYTES. */ - if (smlen < PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_BYTES) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_BYTES; - - if (PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_crypto_sign_verify( - sm, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_BYTES, sm + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_BYTES, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_BYTES, *mlen); - - return 0; -} diff --git a/crypto_sign/sphincs-haraka-192s-simple/aesni/thash.h b/crypto_sign/sphincs-haraka-192s-simple/aesni/thash.h deleted file mode 100644 index d1068ee5..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/aesni/thash.h +++ /dev/null 
@@ -1,28 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_THASH_H -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_THASH_H - -#include "hash_state.h" - -#include - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-192s-simple/aesni/thash_haraka_simple.c b/crypto_sign/sphincs-haraka-192s-simple/aesni/thash_haraka_simple.c deleted file mode 100644 index 99c6c4d1..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/aesni/thash_haraka_simple.c +++ /dev/null 
@@ -1,83 +0,0 @@ -#include -#include - -#include "address.h" -#include "params.h" -#include "thash.h" - -#include "haraka.h" - -/** - * Takes an array of inblocks concatenated arrays of PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N bytes. - */ -static void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_thash( - unsigned char *out, unsigned char *buf, - const unsigned char *in, unsigned int inblocks, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char outbuf[32]; - unsigned char buf_tmp[64]; - - (void)pub_seed; /* Suppress an 'unused parameter' warning. */ - - if (inblocks == 1) { - /* F function */ - /* Since PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N may be smaller than 32, we need a temporary buffer. */ - memset(buf_tmp, 0, 64); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_addr_to_bytes(buf_tmp, addr); - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_BYTES, in, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka512(outbuf, buf_tmp, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); - } else { - /* All other tweakable hashes*/ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_addr_to_bytes(buf, addr); - memcpy(buf + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka_S( - out, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, buf, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_BYTES + inblocks * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, hash_state_seeded); - } -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_BYTES + 1 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N]; - 
PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_thash( - out, buf, in, 1, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_BYTES + 2 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N]; - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_thash( - out, buf, in, 2, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_LEN * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N]; - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_thash( - out, buf, in, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_LEN, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N]; - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_thash( - out, buf, in, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_TREES, pub_seed, addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-192s-simple/aesni/thash_haraka_simplex4.c b/crypto_sign/sphincs-haraka-192s-simple/aesni/thash_haraka_simplex4.c deleted file mode 100644 index cd3a89cc..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/aesni/thash_haraka_simplex4.c +++ /dev/null 
@@ -1,66 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "params.h" -#include "thashx4.h" - -/** - * 4-way parallel version of thash; takes 4x as much input and output - */ -#define thashx4_variant(name, inblocks) \ - void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_thashx4_##name(unsigned char *out0, unsigned char *out1, unsigned char *out2, \ - unsigned char *out3, const unsigned char *in0, \ - const unsigned char *in1, const unsigned char *in2, \ - const unsigned char *in3, const unsigned char *pub_seed, \ - uint32_t addrx4[4 * 8], const harakactx *state) { \ - unsigned char buf0[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N]; \ - unsigned char buf1[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N]; \ - unsigned char buf2[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N]; \ - unsigned char buf3[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N]; \ - unsigned char outbuf[32 * 4]; \ - unsigned char buf_tmp[64 * 4]; \ - \ - (void)pub_seed; /* Suppress an 'unused parameter' warning. 
*/ \ - \ - if ((inblocks) == 1) { \ - memset(buf_tmp, 0, 64 * 4); \ - \ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_addr_to_bytes(buf_tmp, addrx4 + 0 * 8); \ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_addr_to_bytes(buf_tmp + 64, addrx4 + 1 * 8); \ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_addr_to_bytes(buf_tmp + 128, addrx4 + 2 * 8); \ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_addr_to_bytes(buf_tmp + 192, addrx4 + 3 * 8); \ - \ - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_BYTES, in0, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); \ - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_BYTES + 64, in1, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); \ - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_BYTES + 128, in2, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); \ - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_BYTES + 192, in3, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); \ - \ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka512x4(outbuf, buf_tmp, state); \ - \ - memcpy(out0, outbuf, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); \ - memcpy(out1, outbuf + 32, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); \ - memcpy(out2, outbuf + 64, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); \ - memcpy(out3, outbuf + 96, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); \ - } else { \ - /* All other tweakable hashes*/ \ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_addr_to_bytes(buf0, addrx4 + 0 * 8); \ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_addr_to_bytes(buf1, addrx4 + 1 * 8); \ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_addr_to_bytes(buf2, addrx4 + 2 * 8); \ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_addr_to_bytes(buf3, addrx4 + 3 * 8); \ - \ - memcpy(buf0 + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_BYTES, in0, (inblocks)*PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); \ - memcpy(buf1 + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_BYTES, in1, (inblocks)*PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); \ - memcpy(buf2 + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_BYTES, in2, 
(inblocks)*PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); \ - memcpy(buf3 + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_BYTES, in3, (inblocks)*PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); \ - \ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_haraka_Sx4(out0, out1, out2, out3, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, buf0, buf1, buf2, buf3, \ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, state); \ - } \ - } - -thashx4_variant(1, 1) -thashx4_variant(2, 2) -thashx4_variant(WOTS_LEN, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_LEN) -thashx4_variant(FORS_TREES, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_TREES) diff --git a/crypto_sign/sphincs-haraka-192s-simple/aesni/thashx4.h b/crypto_sign/sphincs-haraka-192s-simple/aesni/thashx4.h deleted file mode 100644 index 780d967e..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/aesni/thashx4.h +++ /dev/null @@ -1,25 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_THASHX4_H -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_THASHX4_H - -#include - -#include "hash_state.h" - -#define thashx4_header(inblocks) \ - void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_thashx4_##inblocks(unsigned char *out0, \ - unsigned char *out1, \ - unsigned char *out2, \ - unsigned char *out3, \ - const unsigned char *in0, \ - const unsigned char *in1, \ - const unsigned char *in2, \ - const unsigned char *in3, \ - const unsigned char *pub_seed, uint32_t addrx4[4*8], \ - const hash_state *state_seeded) - -thashx4_header(1); -thashx4_header(2); -thashx4_header(WOTS_LEN); -thashx4_header(FORS_TREES); - -#endif diff --git a/crypto_sign/sphincs-haraka-192s-simple/aesni/utils.c b/crypto_sign/sphincs-haraka-192s-simple/aesni/utils.c deleted file mode 100644 index a0823541..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/aesni/utils.c +++ /dev/null 
@@ -1,199 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" -#include "utils.h" - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in) { - - /* Iterate over out in decreasing order, for big-endianness. */ - for (size_t i = outlen; i > 0; i--) { - out[i - 1] = in & 0xff; - in = in >> 8; - } -} - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_bytes_to_ull( - const unsigned char *in, size_t inlen) { - unsigned long long retval = 0; - - for (size_t i = 0; i < inlen; i++) { - retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i)); - } - return retval; -} - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - unsigned char buffer[2 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N]; - - /* If leaf_idx is odd (last bit = 1), current path element is a right child - and auth_path has to go left. Otherwise it is the other way around. 
*/ - if (leaf_idx & 1) { - memcpy(buffer + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, leaf, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); - } else { - memcpy(buffer, leaf, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, auth_path, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N; - - for (i = 0; i < tree_height - 1; i++) { - leaf_idx >>= 1; - idx_offset >>= 1; - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_tree_height(addr, i + 1); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_tree_index( - addr, leaf_idx + idx_offset); - - /* Pick the right or left neighbor, depending on parity of the node. */ - if (leaf_idx & 1) { - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_thash_2( - buffer + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); - } else { - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_thash_2( - buffer, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, auth_path, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N; - } - - /* The last iteration is exceptional; we do not copy an auth_path node. */ - leaf_idx >>= 1; - idx_offset >>= 1; - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_tree_height(addr, tree_height); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_tree_index( - addr, leaf_idx + idx_offset); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_thash_2( - root, buffer, pub_seed, addr, hash_state_seeded); -} - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. 
PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -static void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_treehash( - unsigned char *root, unsigned char *auth_path, - unsigned char *stack, unsigned int *heights, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - - unsigned int offset = 0; - uint32_t idx; - uint32_t tree_idx; - - for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) { - /* Add the next leaf node to the stack. */ - gen_leaf(stack + offset * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, - sk_seed, pub_seed, idx + idx_offset, tree_addr, - hash_state_seeded); - offset++; - heights[offset - 1] = 0; - - /* If this is a node we need for the auth path.. */ - if ((leaf_idx ^ 0x1) == idx) { - memcpy(auth_path, stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); - } - - /* While the top-most nodes are of equal height.. */ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { - /* Compute index of the new node, in the next layer. */ - tree_idx = (idx >> (heights[offset - 1] + 1)); - - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_tree_height( - tree_addr, heights[offset - 1] + 1); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_tree_index( - tree_addr, tree_idx + (idx_offset >> (heights[offset - 1] + 1))); - /* Hash the top-most nodes from the stack together. 
*/ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_thash_2( - stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, - pub_seed, tree_addr, hash_state_seeded); - offset--; - /* Note that the top-most node is now one layer higher. */ - heights[offset - 1]++; - - /* If this is a node we need for the auth path.. */ - if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) { - memcpy(auth_path + heights[offset - 1]*PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, - stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); - } - } - } - memcpy(root, stack, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* 
leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_TREE_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_TREE_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_TREE_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-192s-simple/aesni/utils.h b/crypto_sign/sphincs-haraka-192s-simple/aesni/utils.h deleted file mode 100644 index 9ea1872f..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/aesni/utils.h +++ /dev/null 
@@ -1,64 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_UTILS_H -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_UTILS_H - -#include "hash_state.h" -#include "params.h" -#include -#include - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in); - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_bytes_to_ull( - const unsigned char *in, size_t inlen); - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. 
- */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-192s-simple/aesni/utilsx4.c b/crypto_sign/sphincs-haraka-192s-simple/aesni/utilsx4.c deleted file mode 100644 index e05e35cb..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/aesni/utilsx4.c +++ /dev/null 
@@ -1,98 +0,0 @@ -#include "address.h" -#include "params.h" -#include "thashx4.h" -#include "utils.h" -#include "utilsx4.h" - -#include - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -#define treehashx4_variant(name, tree_height) \ - void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_treehashx4_##name( \ - unsigned char *rootx4, unsigned char *auth_pathx4, const unsigned char *sk_seed, \ - const unsigned char *pub_seed, const uint32_t leaf_idx[4], uint32_t idx_offset[4], \ - void (*gen_leafx4)(unsigned char * /* leaf0 */, unsigned char * /* leaf1 */, \ - unsigned char * /* leaf2 */, unsigned char * /* leaf3 */, \ - const unsigned char * /* sk_seed */, \ - const unsigned char * /* pub_seed */, uint32_t /* addr_idx0 */, \ - uint32_t /* addr_idx1 */, uint32_t /* addr_idx2 */, \ - uint32_t /* addr_idx3 */, const uint32_t[8] /* tree_addr */, \ - const hash_state * /* state_seeded */), \ - uint32_t tree_addrx4[4 * 8], const hash_state *state_seeded) { \ - unsigned char stackx4[4 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N]; \ - unsigned int heights[(tree_height) + 1]; \ - unsigned int offset = 0; \ - uint32_t idx; \ - uint32_t tree_idx; \ - unsigned int j; \ - \ - for (idx = 0; idx < (uint32_t)(1 << (tree_height)); idx++) { \ - /* Add the next leaf node to the stack. 
*/ \ - gen_leafx4(stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, sk_seed, \ - pub_seed, idx + idx_offset[0], idx + idx_offset[1], idx + idx_offset[2], \ - idx + idx_offset[3], tree_addrx4, state_seeded); \ - offset++; \ - heights[offset - 1] = 0; \ - \ - /* If this is a node we need for the auth path.. */ \ - for (j = 0; j < 4; j++) { \ - if ((leaf_idx[j] ^ 0x1) == idx) { \ - memcpy(auth_pathx4 + j * (tree_height)*PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, \ - stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N + (offset - 1) * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, \ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); \ - } \ - } \ - \ - /* While the top-most nodes are of equal height.. */ \ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { \ - /* Compute index of the new node, in the next layer. */ \ - tree_idx = (idx >> (heights[offset - 1] + 1)); \ - \ - /* Set the address of the node we're creating. */ \ - for (j = 0; j < 4; j++) { \ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_tree_height(tree_addrx4 + j * 8, heights[offset - 1] + 1); \ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_tree_index(tree_addrx4 + j * 8, \ - tree_idx + (idx_offset[j] >> (heights[offset - 1] + 1))); \ - } \ - /* Hash the top-most nodes from the stack together. 
*/ \ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_thashx4_2(stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, \ - stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, \ - pub_seed, tree_addrx4, state_seeded); \ - offset--; \ - /* Note that the top-most node is now one layer higher. */ \ - heights[offset - 1]++; \ - \ - /* If this is a node we need for the auth path.. 
*/ \ - for (j = 0; j < 4; j++) { \ - if (((leaf_idx[j] >> heights[offset - 1]) ^ 0x1) == tree_idx) { \ - memcpy(auth_pathx4 + j * (tree_height)*PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N + \ - heights[offset - 1] * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, \ - stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N + (offset - 1) * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, \ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); \ - } \ - } \ - } \ - } \ - \ - for (j = 0; j < 4; j++) { \ - memcpy(rootx4 + j * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); \ - } \ - } - -treehashx4_variant(FORS_HEIGHT, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_FORS_HEIGHT) diff --git a/crypto_sign/sphincs-haraka-192s-simple/aesni/utilsx4.h b/crypto_sign/sphincs-haraka-192s-simple/aesni/utilsx4.h deleted file mode 100644 index aa00c98d..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/aesni/utilsx4.h +++ /dev/null 
@@ -1,38 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_UTILSX4_H -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_UTILSX4_H - -#include "hash_state.h" -#include "params.h" - -#include - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_treehashx4_FORS_HEIGHT(unsigned char *rootx4, - unsigned char *auth_pathx4, - const unsigned char *sk_seed, - const unsigned char *pub_seed, - const uint32_t leaf_idx[4], - uint32_t idx_offset[4], - void (*gen_leafx4)(unsigned char * /* leaf0 */, - unsigned char * /* leaf1 */, - unsigned char * /* leaf2 */, - unsigned char * /* leaf3 */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx0 */, - uint32_t /* addr_idx1 */, - uint32_t /* addr_idx2 */, - uint32_t /* addr_idx3 */, - const uint32_t[8] /* tree_addr */, - const hash_state * /* state_seeded */), - uint32_t tree_addrx4[4 * 8], - const hash_state *state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-192s-simple/aesni/wots.c b/crypto_sign/sphincs-haraka-192s-simple/aesni/wots.c deleted file mode 100644 index 239a8859..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/aesni/wots.c +++ /dev/null 
@@ -1,240 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "hashx4.h" -#include "params.h" -#include "thash.h" -#include "thashx4.h" -#include "utils.h" -#include "wots.h" - -// TODO clarify address expectations, and make them more uniform. -// TODO i.e. do we expect types to be set already? -// TODO and do we expect modifications or copies? - -/** - * Computes the starting value for a chain, i.e. the secret key. - * Expects the address to be complete up to the chain address. - */ -static void wots_gen_sk(unsigned char *sk, const unsigned char *sk_seed, - uint32_t wots_addr[8], const hash_state *state_seeded) { - /* Make sure that the hash address is actually zeroed. */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_hash_addr(wots_addr, 0); - - /* Generate sk element. */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_prf_addr(sk, sk_seed, wots_addr, state_seeded); -} - -/** - * 4-way parallel version of wots_gen_sk; expects 4x as much space in sk - */ -static void wots_gen_skx4(unsigned char *skx4, const unsigned char *sk_seed, - uint32_t wots_addrx4[4 * 8], const hash_state *state_seeded) { - unsigned int j; - - /* Make sure that the hash address is actually zeroed. */ - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_hash_addr(wots_addrx4 + j * 8, 0); - } - - /* Generate sk element. */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_prf_addrx4(skx4 + 0 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, - skx4 + 1 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, - skx4 + 2 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, - skx4 + 3 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, - sk_seed, wots_addrx4, - state_seeded); -} - -/** - * Computes the chaining function. - * out and in have to be n-byte arrays. - * - * Interprets in as start-th value of the chain. - * addr has to contain the address of the chain. 
- */ -static void gen_chain(unsigned char *out, const unsigned char *in, - unsigned int start, unsigned int steps, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - uint32_t i; - - /* Initialize out with the value at position 'start'. */ - memcpy(out, in, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); - - /* Iterate 'steps' calls to the hash function. */ - for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_W; i++) { - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_hash_addr(addr, i); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_thash_1(out, out, pub_seed, addr, state_seeded); - } -} - -/** - * 4-way parallel version of gen_chain; expects 4x as much space in out, and - * 4x as much space in inx4. Assumes start and step identical across chains. - */ -static void gen_chainx4(unsigned char *outx4, const unsigned char *inx4, - unsigned int start, unsigned int steps, - const unsigned char *pub_seed, uint32_t addrx4[4 * 8], - const hash_state *state_seeded) { - uint32_t i; - unsigned int j; - - /* Initialize outx4 with the value at position 'start'. */ - memcpy(outx4, inx4, 4 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); - - /* Iterate 'steps' calls to the hash function. 
*/ - for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_W; i++) { - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_hash_addr(addrx4 + j * 8, i); - } - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_thashx4_1(outx4 + 0 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, - outx4 + 1 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, - outx4 + 2 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, - outx4 + 3 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, - outx4 + 0 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, - outx4 + 1 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, - outx4 + 2 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, - outx4 + 3 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, - pub_seed, addrx4, - state_seeded); - } -} - -/** - * base_w algorithm as described in draft. - * Interprets an array of bytes as integers in base w. - * This only works when log_w is a divisor of 8. - */ -static void base_w(unsigned int *output, const int out_len, const unsigned char *input) { - int in = 0; - int out = 0; - unsigned char total = 0; - int bits = 0; - int consumed; - - for (consumed = 0; consumed < out_len; consumed++) { - if (bits == 0) { - total = input[in]; - in++; - bits += 8; - } - bits -= PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_LOGW; - output[out] = (unsigned int)(total >> bits) & (PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_W - 1); - out++; - } -} - -/* Computes the WOTS+ checksum over a message (in base_w). */ -static void wots_checksum(unsigned int *csum_base_w, const unsigned int *msg_base_w) { - unsigned int csum = 0; - unsigned char csum_bytes[(PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_LOGW + 7) / 8]; - unsigned int i; - - /* Compute checksum. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_LEN1; i++) { - csum += PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_W - 1 - msg_base_w[i]; - } - - /* Convert checksum to base_w. 
*/ - /* Make sure expected empty zero bits are the least significant bits. */ - csum = csum << (8 - ((PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_LOGW) % 8)); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_ull_to_bytes(csum_bytes, sizeof(csum_bytes), csum); - base_w(csum_base_w, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_LEN2, csum_bytes); -} - -/* Takes a message and derives the matching chain lengths. */ -static void chain_lengths(unsigned int *lengths, const unsigned char *msg) { - base_w(lengths, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_LEN1, msg); - wots_checksum(lengths + PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_LEN1, lengths); -} - -/** - * WOTS key generation. Takes a 32 byte sk_seed, expands it to WOTS private key - * elements and computes the corresponding public key. - * It requires the seed pub_seed (used to generate bitmasks and hash keys) - * and the address of this WOTS key pair. - * - * Writes the computed public key to 'pk'. - */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_wots_gen_pk(unsigned char *pk, const unsigned char *sk_seed, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - uint32_t i; - unsigned int j; - - uint32_t addrx4[4 * 8]; - unsigned char pkbuf[4 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N]; - - for (j = 0; j < 4; j++) { - memcpy(addrx4 + j * 8, addr, sizeof(uint32_t) * 8); - } - - /* The last iteration typically does not have complete set of 4 chains, - but because we use pkbuf, this is not an issue -- we still do as many - in parallel as possible. 
*/ - for (i = 0; i < ((PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_LEN + 3) & ~0x3); i += 4) { - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_chain_addr(addrx4 + j * 8, i + j); - } - wots_gen_skx4(pkbuf, sk_seed, addrx4, state_seeded); - gen_chainx4(pkbuf, pkbuf, 0, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_W - 1, pub_seed, addrx4, state_seeded); - for (j = 0; j < 4; j++) { - if (i + j < PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_LEN) { - memcpy(pk + (i + j)*PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, pkbuf + j * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N); - } - } - } - - // Get rid of unused argument variable. - (void)state_seeded; -} - -/** - * Takes a n-byte message and the 32-byte sk_see to compute a signature 'sig'. - */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_wots_sign(unsigned char *sig, const unsigned char *msg, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t addr[8], const hash_state *state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_chain_addr(addr, i); - wots_gen_sk(sig + i * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, sk_seed, addr, state_seeded); - gen_chain(sig + i * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, sig + i * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, 0, lengths[i], pub_seed, addr, state_seeded); - } - - // avoid unused argument - (void)state_seeded; -} - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. 
- */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_wots_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_set_chain_addr(addr, i); - gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, sig + i * PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_N, - lengths[i], PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_W - 1 - lengths[i], pub_seed, addr, - state_seeded); - } - - // avoid unused argument - (void)state_seeded; -} diff --git a/crypto_sign/sphincs-haraka-192s-simple/aesni/wots.h b/crypto_sign/sphincs-haraka-192s-simple/aesni/wots.h deleted file mode 100644 index f035b0b3..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/aesni/wots.h +++ /dev/null 
@@ -1,41 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_H
-#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_WOTS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-
-/**
- * WOTS key generation. Takes a 32 byte seed for the private key, expands it to
- * a full WOTS private key and computes the corresponding public key.
- * It requires the seed pub_seed (used to generate bitmasks and hash keys)
- * and the address of this WOTS key pair.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_wots_gen_pk(
- unsigned char *pk, const unsigned char *sk_seed,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * Takes a n-byte message and the 32-byte seed for the private key to compute a
- * signature that is placed at 'sig'.
- */
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_wots_sign(
- unsigned char *sig, const unsigned char *msg,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_AESNI_wots_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192s-simple/clean/LICENSE b/crypto_sign/sphincs-haraka-192s-simple/clean/LICENSE
deleted file mode 100644
index 670154e3..00000000
--- a/crypto_sign/sphincs-haraka-192s-simple/clean/LICENSE
+++ /dev/null
@@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. 
publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. 
Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. 
Affirmer offers the Work as-is and makes no representations or warranties - of any kind concerning the Work, express, implied, statutory or otherwise, - including without limitation warranties of title, merchantability, fitness - for a particular purpose, non infringement, or the absence of latent or - other defects, accuracy, or the present or absence of errors, whether or not - discoverable, all to the greatest extent permissible under applicable law. - - c. Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without limitation - any person's Copyright and Related Rights in the Work. Further, Affirmer - disclaims responsibility for obtaining any necessary consents, permissions - or other rights required for any use of the Work. - - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to this - CC0 or use of the Work. - -For more information, please see - diff --git a/crypto_sign/sphincs-haraka-192s-simple/clean/Makefile.Microsoft_nmake b/crypto_sign/sphincs-haraka-192s-simple/clean/Makefile.Microsoft_nmake deleted file mode 100644 index 8a8c7c0c..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/clean/Makefile.Microsoft_nmake +++ /dev/null @@ -1,19 +0,0 @@ -# This Makefile can be used with Microsoft Visual Studio's nmake using the command: -# nmake /f Makefile.Microsoft_nmake - -LIBRARY=libsphincs-haraka-192s-simple_clean.lib -OBJECTS=address.obj wots.obj utils.obj fors.obj sign.obj hash_haraka.obj thash_haraka_simple.obj haraka.obj - -CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX - -all: $(LIBRARY) - -# Make sure objects are recompiled if headers change. -$(OBJECTS): *.h - -$(LIBRARY): $(OBJECTS) - LIB.EXE /NOLOGO /WX /OUT:$@ $** - -clean: - -DEL $(OBJECTS) - -DEL $(LIBRARY) 
diff --git a/crypto_sign/sphincs-haraka-192s-simple/clean/address.c b/crypto_sign/sphincs-haraka-192s-simple/clean/address.c
deleted file mode 100644
index cacdfdcb..00000000
--- a/crypto_sign/sphincs-haraka-192s-simple/clean/address.c
+++ /dev/null
@@ -1,78 +0,0 @@
-#include
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]) {
- int i;
-
- for (i = 0; i < 8; i++) {
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ull_to_bytes(
- bytes + i * 4, 4, addr[i]);
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_layer_addr(
- uint32_t addr[8], uint32_t layer) {
- addr[0] = layer;
-}
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_tree_addr(
- uint32_t addr[8], uint64_t tree) {
- addr[1] = 0;
- addr[2] = (uint32_t) (tree >> 32);
- addr[3] = (uint32_t) tree;
-}
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_type(
- uint32_t addr[8], uint32_t type) {
- addr[4] = type;
-}
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
-}
-
-/* These functions are used for OTS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair) {
- addr[5] = keypair;
-}
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
- out[5] = in[5];
-}
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_chain_addr(
- uint32_t addr[8], uint32_t chain) {
- addr[6] = chain;
-}
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_hash_addr(
- uint32_t addr[8], uint32_t hash) {
- addr[7] = hash;
-}
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_tree_height(
- uint32_t addr[8], uint32_t tree_height) {
- addr[6] = tree_height;
-}
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_tree_index(
- uint32_t addr[8], uint32_t tree_index) {
- addr[7] = tree_index;
-}
diff --git a/crypto_sign/sphincs-haraka-192s-simple/clean/address.h b/crypto_sign/sphincs-haraka-192s-simple/clean/address.h
deleted file mode 100644
index ec19cb4d..00000000
--- a/crypto_sign/sphincs-haraka-192s-simple/clean/address.h
+++ /dev/null
@@ -1,50 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDRESS_H
-#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDRESS_H
-
-#include
-
-#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_TYPE_WOTS 0
-#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_TYPE_WOTSPK 1
-#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_TYPE_HASHTREE 2
-#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_TYPE_FORSTREE 3
-#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_TYPE_FORSPK 4
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]);
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_layer_addr(
- uint32_t addr[8], uint32_t layer);
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_tree_addr(
- uint32_t addr[8], uint64_t tree);
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_type(
- uint32_t addr[8], uint32_t type);
-
-/* Copies the layer and tree part of one address into the other */
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for WOTS and FORS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair);
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_chain_addr(
- uint32_t addr[8], uint32_t chain);
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_hash_addr(
- uint32_t addr[8], uint32_t hash);
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_tree_height(
- uint32_t addr[8], uint32_t tree_height);
-
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_tree_index(
- uint32_t addr[8], uint32_t tree_index);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192s-simple/clean/api.h b/crypto_sign/sphincs-haraka-192s-simple/clean/api.h
deleted file mode 100644
index 30b02cd7..00000000
--- a/crypto_sign/sphincs-haraka-192s-simple/clean/api.h
+++ /dev/null
@@ -1,81 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_API_H
-#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_API_H
-
-#include
-#include
-
-
-
-#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_CRYPTO_ALGNAME "SPHINCS+"
-
-#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_CRYPTO_SECRETKEYBYTES 96
-#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_CRYPTO_PUBLICKEYBYTES 48
-#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_CRYPTO_BYTES 17064
-#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_CRYPTO_SEEDBYTES 72
-
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_crypto_sign_seed_keypair(
- uint8_t *pk, uint8_t *sk, const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_crypto_sign_keypair(
- uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-int PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen, const uint8_t *pk);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192s-simple/clean/fors.c b/crypto_sign/sphincs-haraka-192s-simple/clean/fors.c
deleted file mode 100644
index e35d86e8..00000000
--- a/crypto_sign/sphincs-haraka-192s-simple/clean/fors.c
+++ /dev/null
@@ -1,161 +0,0 @@
-#include
-#include
-#include
-
-#include "address.h"
-#include "fors.h"
-#include "hash.h"
-#include "hash_state.h"
-#include "thash.h"
-#include "utils.h"
-
-static void fors_gen_sk(unsigned char *sk, const unsigned char *sk_seed,
- uint32_t fors_leaf_addr[8], const hash_state *hash_state_seeded) {
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_prf_addr(
- sk, sk_seed, fors_leaf_addr, hash_state_seeded);
-}
-
-static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk,
- const unsigned char *pub_seed,
- uint32_t fors_leaf_addr[8],
- const hash_state *hash_state_seeded) {
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_thash_1(
- leaf, sk, pub_seed, fors_leaf_addr, hash_state_seeded);
-}
-
-static void fors_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed,
- const unsigned char *pub_seed,
- uint32_t addr_idx, const uint32_t fors_tree_addr[8],
- const hash_state *hash_state_seeded) {
- uint32_t fors_leaf_addr[8] = {0};
-
- /* Only copy the parts that must be kept in fors_leaf_addr. */
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_copy_keypair_addr(
- fors_leaf_addr, fors_tree_addr);
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_type(
- fors_leaf_addr, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_TYPE_FORSTREE);
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_tree_index(
- fors_leaf_addr, addr_idx);
-
- fors_gen_sk(leaf, sk_seed, fors_leaf_addr, hash_state_seeded);
- fors_sk_to_leaf(leaf, leaf, pub_seed, fors_leaf_addr, hash_state_seeded);
-}
-
-/**
- * Interprets m as PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_HEIGHT-bit unsigned integers.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_TREES bits.
- * Assumes indices has space for PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_TREES integers.
- */
-static void message_to_indices(uint32_t *indices, const unsigned char *m) {
- unsigned int i, j;
- unsigned int offset = 0;
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_TREES; i++) {
- indices[i] = 0;
- for (j = 0; j < PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_HEIGHT; j++) {
- indices[i] ^= (((uint32_t)m[offset >> 3] >> (offset & 0x7)) & 0x1) << j;
- offset++;
- }
- }
-}
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_fors_sign(
- unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- const uint32_t fors_addr[8], const hash_state *hash_state_seeded) {
- uint32_t indices[PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_TREES];
- unsigned char roots[PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N];
- uint32_t fors_tree_addr[8] = {0};
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset;
- unsigned int i;
-
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_copy_keypair_addr(
- fors_tree_addr, fors_addr);
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_copy_keypair_addr(
- fors_pk_addr, fors_addr);
-
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_type(
- fors_tree_addr, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_TYPE_FORSTREE);
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_type(
- fors_pk_addr, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_TREES; i++) {
- idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_HEIGHT);
-
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_tree_height(
- fors_tree_addr, 0);
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_tree_index(
- fors_tree_addr, indices[i] + idx_offset);
-
- /* Include the secret key part that produces the selected leaf node. */
- fors_gen_sk(sig, sk_seed, fors_tree_addr, hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N;
-
- /* Compute the authentication path for this leaf node. */
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_treehash_FORS_HEIGHT(
- roots + i * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, sig, sk_seed, pub_seed,
- indices[i], idx_offset, fors_gen_leaf, fors_tree_addr,
- hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_thash_FORS_TREES(
- pk, roots, pub_seed, fors_pk_addr, hash_state_seeded);
-}
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_fors_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const unsigned char *pub_seed, const uint32_t fors_addr[8],
- const hash_state *hash_state_seeded) {
- uint32_t indices[PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_TREES];
- unsigned char roots[PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N];
- unsigned char leaf[PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N];
- uint32_t fors_tree_addr[8] = {0};
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset;
- unsigned int i;
-
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_copy_keypair_addr(fors_tree_addr, fors_addr);
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_copy_keypair_addr(fors_pk_addr, fors_addr);
-
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_type(fors_tree_addr, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_TYPE_FORSTREE);
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_TREES; i++) {
- idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_HEIGHT);
-
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_tree_height(fors_tree_addr, 0);
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_tree_index(fors_tree_addr, indices[i] + idx_offset);
-
- /* Derive the leaf from the included secret key part. */
- fors_sk_to_leaf(leaf, sig, pub_seed, fors_tree_addr, hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N;
-
- /* Derive the corresponding root node of this tree. */
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_compute_root(roots + i * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, leaf, indices[i], idx_offset, sig,
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_HEIGHT, pub_seed, fors_tree_addr, hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, hash_state_seeded);
-}
diff --git a/crypto_sign/sphincs-haraka-192s-simple/clean/fors.h b/crypto_sign/sphincs-haraka-192s-simple/clean/fors.h
deleted file mode 100644
index 4c26c25f..00000000
--- a/crypto_sign/sphincs-haraka-192s-simple/clean/fors.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_H
-#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_H
-
-#include
-
-#include "hash_state.h"
-#include "params.h"
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_fors_sign(
- unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- const uint32_t fors_addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_fors_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const unsigned char *pub_seed, const uint32_t fors_addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-192s-simple/clean/haraka.c b/crypto_sign/sphincs-haraka-192s-simple/clean/haraka.c
deleted file mode 100644
index 232e1dc8..00000000
--- a/crypto_sign/sphincs-haraka-192s-simple/clean/haraka.c
+++ /dev/null
@@ -1,963 +0,0 @@ -/* - * Constant time implementation of the Haraka hash function. - * - * The bit-sliced implementation of the AES round functions are - * based on the AES implementation in BearSSL written - * by Thomas Pornin - */ - -#include -#include -#include -#include - -#include "haraka.h" - -#define HARAKAS_RATE 32 - -static const uint64_t haraka512_rc64[10][8] = { - {0x24cf0ab9086f628b, 0xbdd6eeecc83b8382, 0xd96fb0306cdad0a7, 0xaace082ac8f95f89, 0x449d8e8870d7041f, 0x49bb2f80b2b3e2f8, 0x0569ae98d93bb258, 0x23dc9691e7d6a4b1}, - {0xd8ba10ede0fe5b6e, 0x7ecf7dbe424c7b8e, 0x6ea9949c6df62a31, 0xbf3f3c97ec9c313e, 0x241d03a196a1861e, 0xead3a51116e5a2ea, 0x77d479fcad9574e3, 0x18657a1af894b7a0}, - {0x10671e1a7f595522, 0xd9a00ff675d28c7b, 0x2f1edf0d2b9ba661, 0xb8ff58b8e3de45f9, 0xee29261da9865c02, 0xd1532aa4b50bdf43, 0x8bf858159b231bb1, 0xdf17439d22d4f599}, - {0xdd4b2f0870b918c0, 0x757a81f3b39b1bb6, 0x7a5c556898952e3f, 0x7dd70a16d915d87a, 0x3ae61971982b8301, 0xc3ab319e030412be, 0x17c0033ac094a8cb, 0x5a0630fc1a8dc4ef}, - {0x17708988c1632f73, 0xf92ddae090b44f4f, 0x11ac0285c43aa314, 0x509059941936b8ba, 0xd03e152fa2ce9b69, 0x3fbcbcb63a32998b, 0x6204696d692254f7, 0x915542ed93ec59b4}, - {0xf4ed94aa8879236e, 0xff6cb41cd38e03c0, 0x069b38602368aeab, 0x669495b820f0ddba, 0xf42013b1b8bf9e3d, 0xcf935efe6439734d, 0xbc1dcf42ca29e3f8, 0x7e6d3ed29f78ad67}, - {0xf3b0f6837ffcddaa, 0x3a76faef934ddf41, 0xcec7ae583a9c8e35, 0xe4dd18c68f0260af, 0x2c0e5df1ad398eaa, 0x478df5236ae22e8c, 0xfb944c46fe865f39, 0xaa48f82f028132ba}, - {0x231b9ae2b76aca77, 0x292a76a712db0b40, 0x5850625dc8134491, 0x73137dd469810fb5, 0x8a12a6a202a474fd, 0xd36fd9daa78bdb80, 0xb34c5e733505706f, 0xbaf1cdca818d9d96}, - {0x2e99781335e8c641, 0xbddfe5cce47d560e, 0xf74e9bf32e5e040c, 0x1d7a709d65996be9, 0x670df36a9cf66cdd, 0xd05ef84a176a2875, 0x0f888e828cb1c44e, 0x1a79e9c9727b052c}, - {0x83497348628d84de, 0x2e9387d51f22a754, 0xb000068da2f852d6, 0x378c9e1190fd6fe5, 0x870027c316de7293, 0xe51a9d4462e047bb, 0x90ecf7f8c6251195, 
0x655953bfbed90a9c}, -}; - -static inline uint32_t br_dec32le(const unsigned char *src) { - return (uint32_t)src[0] - | ((uint32_t)src[1] << 8) - | ((uint32_t)src[2] << 16) - | ((uint32_t)src[3] << 24); -} - -static void br_range_dec32le(uint32_t *v, size_t num, const unsigned char *src) { - while (num-- > 0) { - *v ++ = br_dec32le(src); - src += 4; - } -} - -static inline void br_enc32le(unsigned char *dst, uint32_t x) { - dst[0] = (unsigned char)x; - dst[1] = (unsigned char)(x >> 8); - dst[2] = (unsigned char)(x >> 16); - dst[3] = (unsigned char)(x >> 24); -} - - -static void br_range_enc32le(unsigned char *dst, const uint32_t *v, size_t num) { - while (num-- > 0) { - br_enc32le(dst, *v ++); - dst += 4; - } -} - -static void br_aes_ct64_bitslice_Sbox(uint64_t *q) { - /* - * This S-box implementation is a straightforward translation of - * the circuit described by Boyar and Peralta in "A new - * combinational logic minimization technique with applications - * to cryptology" (https://eprint.iacr.org/2009/191.pdf). - * - * Note that variables x* (input) and s* (output) are numbered - * in "reverse" order (x0 is the high bit, x7 is the low bit). 
- */ - - uint64_t x0, x1, x2, x3, x4, x5, x6, x7; - uint64_t y1, y2, y3, y4, y5, y6, y7, y8, y9; - uint64_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19; - uint64_t y20, y21; - uint64_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9; - uint64_t z10, z11, z12, z13, z14, z15, z16, z17; - uint64_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9; - uint64_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19; - uint64_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29; - uint64_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39; - uint64_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49; - uint64_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59; - uint64_t t60, t61, t62, t63, t64, t65, t66, t67; - uint64_t s0, s1, s2, s3, s4, s5, s6, s7; - - x0 = q[7]; - x1 = q[6]; - x2 = q[5]; - x3 = q[4]; - x4 = q[3]; - x5 = q[2]; - x6 = q[1]; - x7 = q[0]; - - /* - * Top linear transformation. - */ - y14 = x3 ^ x5; - y13 = x0 ^ x6; - y9 = x0 ^ x3; - y8 = x0 ^ x5; - t0 = x1 ^ x2; - y1 = t0 ^ x7; - y4 = y1 ^ x3; - y12 = y13 ^ y14; - y2 = y1 ^ x0; - y5 = y1 ^ x6; - y3 = y5 ^ y8; - t1 = x4 ^ y12; - y15 = t1 ^ x5; - y20 = t1 ^ x1; - y6 = y15 ^ x7; - y10 = y15 ^ t0; - y11 = y20 ^ y9; - y7 = x7 ^ y11; - y17 = y10 ^ y11; - y19 = y10 ^ y8; - y16 = t0 ^ y11; - y21 = y13 ^ y16; - y18 = x0 ^ y16; - - /* - * Non-linear section. 
- */ - t2 = y12 & y15; - t3 = y3 & y6; - t4 = t3 ^ t2; - t5 = y4 & x7; - t6 = t5 ^ t2; - t7 = y13 & y16; - t8 = y5 & y1; - t9 = t8 ^ t7; - t10 = y2 & y7; - t11 = t10 ^ t7; - t12 = y9 & y11; - t13 = y14 & y17; - t14 = t13 ^ t12; - t15 = y8 & y10; - t16 = t15 ^ t12; - t17 = t4 ^ t14; - t18 = t6 ^ t16; - t19 = t9 ^ t14; - t20 = t11 ^ t16; - t21 = t17 ^ y20; - t22 = t18 ^ y19; - t23 = t19 ^ y21; - t24 = t20 ^ y18; - - t25 = t21 ^ t22; - t26 = t21 & t23; - t27 = t24 ^ t26; - t28 = t25 & t27; - t29 = t28 ^ t22; - t30 = t23 ^ t24; - t31 = t22 ^ t26; - t32 = t31 & t30; - t33 = t32 ^ t24; - t34 = t23 ^ t33; - t35 = t27 ^ t33; - t36 = t24 & t35; - t37 = t36 ^ t34; - t38 = t27 ^ t36; - t39 = t29 & t38; - t40 = t25 ^ t39; - - t41 = t40 ^ t37; - t42 = t29 ^ t33; - t43 = t29 ^ t40; - t44 = t33 ^ t37; - t45 = t42 ^ t41; - z0 = t44 & y15; - z1 = t37 & y6; - z2 = t33 & x7; - z3 = t43 & y16; - z4 = t40 & y1; - z5 = t29 & y7; - z6 = t42 & y11; - z7 = t45 & y17; - z8 = t41 & y10; - z9 = t44 & y12; - z10 = t37 & y3; - z11 = t33 & y4; - z12 = t43 & y13; - z13 = t40 & y5; - z14 = t29 & y2; - z15 = t42 & y9; - z16 = t45 & y14; - z17 = t41 & y8; - - /* - * Bottom linear transformation. 
- */ - t46 = z15 ^ z16; - t47 = z10 ^ z11; - t48 = z5 ^ z13; - t49 = z9 ^ z10; - t50 = z2 ^ z12; - t51 = z2 ^ z5; - t52 = z7 ^ z8; - t53 = z0 ^ z3; - t54 = z6 ^ z7; - t55 = z16 ^ z17; - t56 = z12 ^ t48; - t57 = t50 ^ t53; - t58 = z4 ^ t46; - t59 = z3 ^ t54; - t60 = t46 ^ t57; - t61 = z14 ^ t57; - t62 = t52 ^ t58; - t63 = t49 ^ t58; - t64 = z4 ^ t59; - t65 = t61 ^ t62; - t66 = z1 ^ t63; - s0 = t59 ^ t63; - s6 = t56 ^ ~t62; - s7 = t48 ^ ~t60; - t67 = t64 ^ t65; - s3 = t53 ^ t66; - s4 = t51 ^ t66; - s5 = t47 ^ t65; - s1 = t64 ^ ~s3; - s2 = t55 ^ ~t67; - - q[7] = s0; - q[6] = s1; - q[5] = s2; - q[4] = s3; - q[3] = s4; - q[2] = s5; - q[1] = s6; - q[0] = s7; -} - -static void br_aes_ct_bitslice_Sbox(uint32_t *q) { - /* - * This S-box implementation is a straightforward translation of - * the circuit described by Boyar and Peralta in "A new - * combinational logic minimization technique with applications - * to cryptology" (https://eprint.iacr.org/2009/191.pdf). - * - * Note that variables x* (input) and s* (output) are numbered - * in "reverse" order (x0 is the high bit, x7 is the low bit). - */ - - uint32_t x0, x1, x2, x3, x4, x5, x6, x7; - uint32_t y1, y2, y3, y4, y5, y6, y7, y8, y9; - uint32_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19; - uint32_t y20, y21; - uint32_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9; - uint32_t z10, z11, z12, z13, z14, z15, z16, z17; - uint32_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9; - uint32_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19; - uint32_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29; - uint32_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39; - uint32_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49; - uint32_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59; - uint32_t t60, t61, t62, t63, t64, t65, t66, t67; - uint32_t s0, s1, s2, s3, s4, s5, s6, s7; - - x0 = q[7]; - x1 = q[6]; - x2 = q[5]; - x3 = q[4]; - x4 = q[3]; - x5 = q[2]; - x6 = q[1]; - x7 = q[0]; - - /* - * Top linear transformation. 
- */ - y14 = x3 ^ x5; - y13 = x0 ^ x6; - y9 = x0 ^ x3; - y8 = x0 ^ x5; - t0 = x1 ^ x2; - y1 = t0 ^ x7; - y4 = y1 ^ x3; - y12 = y13 ^ y14; - y2 = y1 ^ x0; - y5 = y1 ^ x6; - y3 = y5 ^ y8; - t1 = x4 ^ y12; - y15 = t1 ^ x5; - y20 = t1 ^ x1; - y6 = y15 ^ x7; - y10 = y15 ^ t0; - y11 = y20 ^ y9; - y7 = x7 ^ y11; - y17 = y10 ^ y11; - y19 = y10 ^ y8; - y16 = t0 ^ y11; - y21 = y13 ^ y16; - y18 = x0 ^ y16; - - /* - * Non-linear section. - */ - t2 = y12 & y15; - t3 = y3 & y6; - t4 = t3 ^ t2; - t5 = y4 & x7; - t6 = t5 ^ t2; - t7 = y13 & y16; - t8 = y5 & y1; - t9 = t8 ^ t7; - t10 = y2 & y7; - t11 = t10 ^ t7; - t12 = y9 & y11; - t13 = y14 & y17; - t14 = t13 ^ t12; - t15 = y8 & y10; - t16 = t15 ^ t12; - t17 = t4 ^ t14; - t18 = t6 ^ t16; - t19 = t9 ^ t14; - t20 = t11 ^ t16; - t21 = t17 ^ y20; - t22 = t18 ^ y19; - t23 = t19 ^ y21; - t24 = t20 ^ y18; - - t25 = t21 ^ t22; - t26 = t21 & t23; - t27 = t24 ^ t26; - t28 = t25 & t27; - t29 = t28 ^ t22; - t30 = t23 ^ t24; - t31 = t22 ^ t26; - t32 = t31 & t30; - t33 = t32 ^ t24; - t34 = t23 ^ t33; - t35 = t27 ^ t33; - t36 = t24 & t35; - t37 = t36 ^ t34; - t38 = t27 ^ t36; - t39 = t29 & t38; - t40 = t25 ^ t39; - - t41 = t40 ^ t37; - t42 = t29 ^ t33; - t43 = t29 ^ t40; - t44 = t33 ^ t37; - t45 = t42 ^ t41; - z0 = t44 & y15; - z1 = t37 & y6; - z2 = t33 & x7; - z3 = t43 & y16; - z4 = t40 & y1; - z5 = t29 & y7; - z6 = t42 & y11; - z7 = t45 & y17; - z8 = t41 & y10; - z9 = t44 & y12; - z10 = t37 & y3; - z11 = t33 & y4; - z12 = t43 & y13; - z13 = t40 & y5; - z14 = t29 & y2; - z15 = t42 & y9; - z16 = t45 & y14; - z17 = t41 & y8; - - /* - * Bottom linear transformation. 
- */ - t46 = z15 ^ z16; - t47 = z10 ^ z11; - t48 = z5 ^ z13; - t49 = z9 ^ z10; - t50 = z2 ^ z12; - t51 = z2 ^ z5; - t52 = z7 ^ z8; - t53 = z0 ^ z3; - t54 = z6 ^ z7; - t55 = z16 ^ z17; - t56 = z12 ^ t48; - t57 = t50 ^ t53; - t58 = z4 ^ t46; - t59 = z3 ^ t54; - t60 = t46 ^ t57; - t61 = z14 ^ t57; - t62 = t52 ^ t58; - t63 = t49 ^ t58; - t64 = z4 ^ t59; - t65 = t61 ^ t62; - t66 = z1 ^ t63; - s0 = t59 ^ t63; - s6 = t56 ^ ~t62; - s7 = t48 ^ ~t60; - t67 = t64 ^ t65; - s3 = t53 ^ t66; - s4 = t51 ^ t66; - s5 = t47 ^ t65; - s1 = t64 ^ ~s3; - s2 = t55 ^ ~t67; - - q[7] = s0; - q[6] = s1; - q[5] = s2; - q[4] = s3; - q[3] = s4; - q[2] = s5; - q[1] = s6; - q[0] = s7; -} - -static void br_aes_ct_ortho(uint32_t *q) { -#define SWAPN_32(cl, ch, s, x, y) do { \ - uint32_t a, b; \ - a = (x); \ - b = (y); \ - (x) = (a & (uint32_t)(cl)) | ((b & (uint32_t)(cl)) << (s)); \ - (y) = ((a & (uint32_t)(ch)) >> (s)) | (b & (uint32_t)(ch)); \ - } while (0) - -#define SWAP2_32(x, y) SWAPN_32(0x55555555, 0xAAAAAAAA, 1, x, y) -#define SWAP4_32(x, y) SWAPN_32(0x33333333, 0xCCCCCCCC, 2, x, y) -#define SWAP8_32(x, y) SWAPN_32(0x0F0F0F0F, 0xF0F0F0F0, 4, x, y) - - SWAP2_32(q[0], q[1]); - SWAP2_32(q[2], q[3]); - SWAP2_32(q[4], q[5]); - SWAP2_32(q[6], q[7]); - - SWAP4_32(q[0], q[2]); - SWAP4_32(q[1], q[3]); - SWAP4_32(q[4], q[6]); - SWAP4_32(q[5], q[7]); - - SWAP8_32(q[0], q[4]); - SWAP8_32(q[1], q[5]); - SWAP8_32(q[2], q[6]); - SWAP8_32(q[3], q[7]); -} - -static inline void add_round_key32(uint32_t *q, const uint32_t *sk) { - q[0] ^= sk[0]; - q[1] ^= sk[1]; - q[2] ^= sk[2]; - q[3] ^= sk[3]; - q[4] ^= sk[4]; - q[5] ^= sk[5]; - q[6] ^= sk[6]; - q[7] ^= sk[7]; -} - -static inline void shift_rows32(uint32_t *q) { - int i; - - for (i = 0; i < 8; i++) { - uint32_t x; - - x = q[i]; - q[i] = (x & 0x000000FF) - | ((x & 0x0000FC00) >> 2) | ((x & 0x00000300) << 6) - | ((x & 0x00F00000) >> 4) | ((x & 0x000F0000) << 4) - | ((x & 0xC0000000) >> 6) | ((x & 0x3F000000) << 2); - } -} - -static inline uint32_t 
rotr16(uint32_t x) { - return (x << 16) | (x >> 16); -} - -static inline void mix_columns32(uint32_t *q) { - uint32_t q0, q1, q2, q3, q4, q5, q6, q7; - uint32_t r0, r1, r2, r3, r4, r5, r6, r7; - - q0 = q[0]; - q1 = q[1]; - q2 = q[2]; - q3 = q[3]; - q4 = q[4]; - q5 = q[5]; - q6 = q[6]; - q7 = q[7]; - r0 = (q0 >> 8) | (q0 << 24); - r1 = (q1 >> 8) | (q1 << 24); - r2 = (q2 >> 8) | (q2 << 24); - r3 = (q3 >> 8) | (q3 << 24); - r4 = (q4 >> 8) | (q4 << 24); - r5 = (q5 >> 8) | (q5 << 24); - r6 = (q6 >> 8) | (q6 << 24); - r7 = (q7 >> 8) | (q7 << 24); - - q[0] = q7 ^ r7 ^ r0 ^ rotr16(q0 ^ r0); - q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr16(q1 ^ r1); - q[2] = q1 ^ r1 ^ r2 ^ rotr16(q2 ^ r2); - q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr16(q3 ^ r3); - q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr16(q4 ^ r4); - q[5] = q4 ^ r4 ^ r5 ^ rotr16(q5 ^ r5); - q[6] = q5 ^ r5 ^ r6 ^ rotr16(q6 ^ r6); - q[7] = q6 ^ r6 ^ r7 ^ rotr16(q7 ^ r7); -} - -static void br_aes_ct64_ortho(uint64_t *q) { -#define SWAPN(cl, ch, s, x, y) do { \ - uint64_t a, b; \ - a = (x); \ - b = (y); \ - (x) = (a & (uint64_t)(cl)) | ((b & (uint64_t)(cl)) << (s)); \ - (y) = ((a & (uint64_t)(ch)) >> (s)) | (b & (uint64_t)(ch)); \ - } while (0) - -#define SWAP2(x, y) SWAPN(0x5555555555555555, 0xAAAAAAAAAAAAAAAA, 1, x, y) -#define SWAP4(x, y) SWAPN(0x3333333333333333, 0xCCCCCCCCCCCCCCCC, 2, x, y) -#define SWAP8(x, y) SWAPN(0x0F0F0F0F0F0F0F0F, 0xF0F0F0F0F0F0F0F0, 4, x, y) - - SWAP2(q[0], q[1]); - SWAP2(q[2], q[3]); - SWAP2(q[4], q[5]); - SWAP2(q[6], q[7]); - - SWAP4(q[0], q[2]); - SWAP4(q[1], q[3]); - SWAP4(q[4], q[6]); - SWAP4(q[5], q[7]); - - SWAP8(q[0], q[4]); - SWAP8(q[1], q[5]); - SWAP8(q[2], q[6]); - SWAP8(q[3], q[7]); -} - - -static void br_aes_ct64_interleave_in(uint64_t *q0, uint64_t *q1, const uint32_t *w) { - uint64_t x0, x1, x2, x3; - - x0 = w[0]; - x1 = w[1]; - x2 = w[2]; - x3 = w[3]; - x0 |= (x0 << 16); - x1 |= (x1 << 16); - x2 |= (x2 << 16); - x3 |= (x3 << 16); - x0 &= (uint64_t)0x0000FFFF0000FFFF; - x1 &= 
(uint64_t)0x0000FFFF0000FFFF; - x2 &= (uint64_t)0x0000FFFF0000FFFF; - x3 &= (uint64_t)0x0000FFFF0000FFFF; - x0 |= (x0 << 8); - x1 |= (x1 << 8); - x2 |= (x2 << 8); - x3 |= (x3 << 8); - x0 &= (uint64_t)0x00FF00FF00FF00FF; - x1 &= (uint64_t)0x00FF00FF00FF00FF; - x2 &= (uint64_t)0x00FF00FF00FF00FF; - x3 &= (uint64_t)0x00FF00FF00FF00FF; - *q0 = x0 | (x2 << 8); - *q1 = x1 | (x3 << 8); -} - - -static void br_aes_ct64_interleave_out(uint32_t *w, uint64_t q0, uint64_t q1) { - uint64_t x0, x1, x2, x3; - - x0 = q0 & (uint64_t)0x00FF00FF00FF00FF; - x1 = q1 & (uint64_t)0x00FF00FF00FF00FF; - x2 = (q0 >> 8) & (uint64_t)0x00FF00FF00FF00FF; - x3 = (q1 >> 8) & (uint64_t)0x00FF00FF00FF00FF; - x0 |= (x0 >> 8); - x1 |= (x1 >> 8); - x2 |= (x2 >> 8); - x3 |= (x3 >> 8); - x0 &= (uint64_t)0x0000FFFF0000FFFF; - x1 &= (uint64_t)0x0000FFFF0000FFFF; - x2 &= (uint64_t)0x0000FFFF0000FFFF; - x3 &= (uint64_t)0x0000FFFF0000FFFF; - w[0] = (uint32_t)x0 | (uint32_t)(x0 >> 16); - w[1] = (uint32_t)x1 | (uint32_t)(x1 >> 16); - w[2] = (uint32_t)x2 | (uint32_t)(x2 >> 16); - w[3] = (uint32_t)x3 | (uint32_t)(x3 >> 16); -} - -static inline void add_round_key(uint64_t *q, const uint64_t *sk) { - q[0] ^= sk[0]; - q[1] ^= sk[1]; - q[2] ^= sk[2]; - q[3] ^= sk[3]; - q[4] ^= sk[4]; - q[5] ^= sk[5]; - q[6] ^= sk[6]; - q[7] ^= sk[7]; -} - -static inline void shift_rows(uint64_t *q) { - int i; - - for (i = 0; i < 8; i++) { - uint64_t x; - - x = q[i]; - q[i] = (x & (uint64_t)0x000000000000FFFF) - | ((x & (uint64_t)0x00000000FFF00000) >> 4) - | ((x & (uint64_t)0x00000000000F0000) << 12) - | ((x & (uint64_t)0x0000FF0000000000) >> 8) - | ((x & (uint64_t)0x000000FF00000000) << 8) - | ((x & (uint64_t)0xF000000000000000) >> 12) - | ((x & (uint64_t)0x0FFF000000000000) << 4); - } -} - -static inline uint64_t rotr32(uint64_t x) { - return (x << 32) | (x >> 32); -} - -static inline void mix_columns(uint64_t *q) { - uint64_t q0, q1, q2, q3, q4, q5, q6, q7; - uint64_t r0, r1, r2, r3, r4, r5, r6, r7; - - q0 = q[0]; - q1 = q[1]; - 
q2 = q[2]; - q3 = q[3]; - q4 = q[4]; - q5 = q[5]; - q6 = q[6]; - q7 = q[7]; - r0 = (q0 >> 16) | (q0 << 48); - r1 = (q1 >> 16) | (q1 << 48); - r2 = (q2 >> 16) | (q2 << 48); - r3 = (q3 >> 16) | (q3 << 48); - r4 = (q4 >> 16) | (q4 << 48); - r5 = (q5 >> 16) | (q5 << 48); - r6 = (q6 >> 16) | (q6 << 48); - r7 = (q7 >> 16) | (q7 << 48); - - q[0] = q7 ^ r7 ^ r0 ^ rotr32(q0 ^ r0); - q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr32(q1 ^ r1); - q[2] = q1 ^ r1 ^ r2 ^ rotr32(q2 ^ r2); - q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr32(q3 ^ r3); - q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr32(q4 ^ r4); - q[5] = q4 ^ r4 ^ r5 ^ rotr32(q5 ^ r5); - q[6] = q5 ^ r5 ^ r6 ^ rotr32(q6 ^ r6); - q[7] = q6 ^ r6 ^ r7 ^ rotr32(q7 ^ r7); -} - -static void interleave_constant(uint64_t *out, const unsigned char *in) { - uint32_t tmp_32_constant[16]; - int i; - - br_range_dec32le(tmp_32_constant, 16, in); - for (i = 0; i < 4; i++) { - br_aes_ct64_interleave_in(&out[i], &out[i + 4], tmp_32_constant + (i << 2)); - } - br_aes_ct64_ortho(out); -} - -static void interleave_constant32(uint32_t *out, const unsigned char *in) { - int i; - for (i = 0; i < 4; i++) { - out[2 * i] = br_dec32le(in + 4 * i); - out[2 * i + 1] = br_dec32le(in + 4 * i + 16); - } - br_aes_ct_ortho(out); -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_tweak_constants( - harakactx *state, - const unsigned char *pk_seed, const unsigned char *sk_seed, - unsigned long long seed_length) { - unsigned char buf[40 * 16]; - int i; - - /* Use the standard constants to generate tweaked ones. 
*/ - memcpy((uint8_t *)state->tweaked512_rc64, (uint8_t *)haraka512_rc64, 40 * 16); - - /* Constants for sk.seed */ - if (sk_seed != NULL) { - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S( - buf, 40 * 16, sk_seed, seed_length, state); - - /* Interleave constants */ - for (i = 0; i < 10; i++) { - interleave_constant32(state->tweaked256_rc32_sseed[i], buf + 32 * i); - } - } - - /* Constants for pk.seed */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S( - buf, 40 * 16, pk_seed, seed_length, state); - for (i = 0; i < 10; i++) { - interleave_constant32(state->tweaked256_rc32[i], buf + 32 * i); - interleave_constant(state->tweaked512_rc64[i], buf + 64 * i); - } -} - -static void haraka_S_absorb(unsigned char *s, - const unsigned char *m, unsigned long long mlen, - unsigned char p, const harakactx *state) { - unsigned long long i; - unsigned char t[HARAKAS_RATE]; - - while (mlen >= HARAKAS_RATE) { - /* XOR block to state */ - for (i = 0; i < HARAKAS_RATE; ++i) { - s[i] ^= m[i]; - } - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka512_perm(s, s, state); - mlen -= HARAKAS_RATE; - m += HARAKAS_RATE; - } - - for (i = 0; i < HARAKAS_RATE; ++i) { - t[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t[i] = m[i]; - } - t[i] = p; - t[HARAKAS_RATE - 1] |= 128; - for (i = 0; i < HARAKAS_RATE; ++i) { - s[i] ^= t[i]; - } -} - -static void haraka_S_squeezeblocks(unsigned char *h, unsigned long long nblocks, - unsigned char *s, const harakactx *state) { - while (nblocks > 0) { - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka512_perm(s, s, state); - memcpy(h, s, HARAKAS_RATE); - h += HARAKAS_RATE; - nblocks--; - } -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S_inc_init(uint8_t *s_inc) { - size_t i; - - for (i = 0; i < 64; i++) { - s_inc[i] = 0; - } - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state) { - size_t i; - - /* Recall that s_inc[64] is the non-absorbed bytes xored into 
the state */ - while (mlen + s_inc[64] >= HARAKAS_RATE) { - for (i = 0; i < (size_t)(HARAKAS_RATE - s_inc[64]); i++) { - /* Take the i'th byte from message - xor with the s_inc[64] + i'th byte of the state */ - s_inc[s_inc[64] + i] ^= m[i]; - } - mlen -= (size_t)(HARAKAS_RATE - s_inc[64]); - m += HARAKAS_RATE - s_inc[64]; - s_inc[64] = 0; - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka512_perm(s_inc, s_inc, state); - } - - for (i = 0; i < mlen; i++) { - s_inc[s_inc[64] + i] ^= m[i]; - } - s_inc[64] = (uint8_t)(mlen + s_inc[64]); -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S_inc_finalize(uint8_t *s_inc) { - /* After haraka_S_inc_absorb, we are guaranteed that s_inc[64] < HARAKAS_RATE, - so we can always use one more byte for p in the current state. */ - s_inc[s_inc[64]] ^= 0x1F; - s_inc[HARAKAS_RATE - 1] ^= 128; - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state) { - uint8_t i; - - /* First consume any bytes we still have sitting around */ - for (i = 0; i < outlen && i < s_inc[64]; i++) { - /* There are s_inc[64] bytes left, so r - s_inc[64] is the first - available byte. We consume from there, i.e., up to r. 
*/ - out[i] = s_inc[(HARAKAS_RATE - s_inc[64] + i)]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(s_inc[64] - i); - - /* Then squeeze the remaining necessary blocks */ - while (outlen > 0) { - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka512_perm(s_inc, s_inc, state); - - for (i = 0; i < outlen && i < HARAKAS_RATE; i++) { - out[i] = s_inc[i]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(HARAKAS_RATE - i); - } -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S(unsigned char *out, unsigned long long outlen, const unsigned char *in, unsigned long long inlen, const harakactx *state) { - unsigned long long i; - unsigned char s[64]; - unsigned char d[32]; - - for (i = 0; i < 64; i++) { - s[i] = 0; - } - haraka_S_absorb(s, in, inlen, 0x1F, state); - - haraka_S_squeezeblocks(out, outlen / 32, s, state); - out += (outlen / 32) * 32; - - if (outlen % 32) { - haraka_S_squeezeblocks(d, 1, s, state); - for (i = 0; i < outlen % 32; i++) { - out[i] = d[i]; - } - } -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state) { - uint32_t w[16]; - uint64_t q[8], tmp_q; - unsigned int i, j; - - br_range_dec32le(w, 16, in); - for (i = 0; i < 4; i++) { - br_aes_ct64_interleave_in(&q[i], &q[i + 4], w + (i << 2)); - } - br_aes_ct64_ortho(q); - - /* AES rounds */ - for (i = 0; i < 5; i++) { - for (j = 0; j < 2; j++) { - br_aes_ct64_bitslice_Sbox(q); - shift_rows(q); - mix_columns(q); - add_round_key(q, state->tweaked512_rc64[2 * i + j]); - } - /* Mix states */ - for (j = 0; j < 8; j++) { - tmp_q = q[j]; - q[j] = (tmp_q & 0x0001000100010001) << 5 | - (tmp_q & 0x0002000200020002) << 12 | - (tmp_q & 0x0004000400040004) >> 1 | - (tmp_q & 0x0008000800080008) << 6 | - (tmp_q & 0x0020002000200020) << 9 | - (tmp_q & 0x0040004000400040) >> 4 | - (tmp_q & 0x0080008000800080) << 3 | - (tmp_q & 0x2100210021002100) >> 5 | - (tmp_q & 0x0210021002100210) << 2 | - (tmp_q & 0x0800080008000800) << 4 | - 
(tmp_q & 0x1000100010001000) >> 12 | - (tmp_q & 0x4000400040004000) >> 10 | - (tmp_q & 0x8400840084008400) >> 3; - } - } - - br_aes_ct64_ortho(q); - for (i = 0; i < 4; i ++) { - br_aes_ct64_interleave_out(w + (i << 2), q[i], q[i + 4]); - } - br_range_enc32le(out, w, 16); -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state) { - int i; - - unsigned char buf[64]; - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka512_perm(buf, in, state); - /* Feed-forward */ - for (i = 0; i < 64; i++) { - buf[i] = buf[i] ^ in[i]; - } - - /* Truncated */ - memcpy(out, buf + 8, 8); - memcpy(out + 8, buf + 24, 8); - memcpy(out + 16, buf + 32, 8); - memcpy(out + 24, buf + 48, 8); -} - - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state) { - uint32_t q[8], tmp_q; - int i, j; - - for (i = 0; i < 4; i++) { - q[2 * i] = br_dec32le(in + 4 * i); - q[2 * i + 1] = br_dec32le(in + 4 * i + 16); - } - br_aes_ct_ortho(q); - - /* AES rounds */ - for (i = 0; i < 5; i++) { - for (j = 0; j < 2; j++) { - br_aes_ct_bitslice_Sbox(q); - shift_rows32(q); - mix_columns32(q); - add_round_key32(q, state->tweaked256_rc32[2 * i + j]); - } - - /* Mix states */ - for (j = 0; j < 8; j++) { - tmp_q = q[j]; - q[j] = (tmp_q & 0x81818181) | - (tmp_q & 0x02020202) << 1 | - (tmp_q & 0x04040404) << 2 | - (tmp_q & 0x08080808) << 3 | - (tmp_q & 0x10101010) >> 3 | - (tmp_q & 0x20202020) >> 2 | - (tmp_q & 0x40404040) >> 1; - } - } - - br_aes_ct_ortho(q); - for (i = 0; i < 4; i++) { - br_enc32le(out + 4 * i, q[2 * i]); - br_enc32le(out + 4 * i + 16, q[2 * i + 1]); - } - - for (i = 0; i < 32; i++) { - out[i] ^= in[i]; - } -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state) { - uint32_t q[8], tmp_q; - int i, j; - - for (i = 0; i < 4; i++) { - q[2 * i] = br_dec32le(in + 4 * i); - q[2 * i + 1] = br_dec32le(in + 4 
* i + 16); - } - br_aes_ct_ortho(q); - - /* AES rounds */ - for (i = 0; i < 5; i++) { - for (j = 0; j < 2; j++) { - br_aes_ct_bitslice_Sbox(q); - shift_rows32(q); - mix_columns32(q); - add_round_key32(q, state->tweaked256_rc32_sseed[2 * i + j]); - } - - /* Mix states */ - for (j = 0; j < 8; j++) { - tmp_q = q[j]; - q[j] = (tmp_q & 0x81818181) | - (tmp_q & 0x02020202) << 1 | - (tmp_q & 0x04040404) << 2 | - (tmp_q & 0x08080808) << 3 | - (tmp_q & 0x10101010) >> 3 | - (tmp_q & 0x20202020) >> 2 | - (tmp_q & 0x40404040) >> 1; - } - } - - br_aes_ct_ortho(q); - for (i = 0; i < 4; i++) { - br_enc32le(out + 4 * i, q[2 * i]); - br_enc32le(out + 4 * i + 16, q[2 * i + 1]); - } - - for (i = 0; i < 32; i++) { - out[i] ^= in[i]; - } -} diff --git a/crypto_sign/sphincs-haraka-192s-simple/clean/haraka.h b/crypto_sign/sphincs-haraka-192s-simple/clean/haraka.h deleted file mode 100644 index 87f1b6ed..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/clean/haraka.h +++ /dev/null 
@@ -1,40 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_HARAKA_H -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_HARAKA_H - -#include -#include - -typedef struct { - uint64_t tweaked512_rc64[10][8]; - uint32_t tweaked256_rc32[10][8]; - uint32_t tweaked256_rc32_sseed[10][8]; -} harakactx; - -/* Tweak constants with seed */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_tweak_constants( - harakactx *state, - const unsigned char *pk_seed, const unsigned char *sk_seed, - unsigned long long seed_length); - -/* Haraka Sponge */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S_inc_init(uint8_t *s_inc); -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state); -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S_inc_finalize(uint8_t *s_inc); -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state); -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S( - unsigned char *out, unsigned long long outlen, - const unsigned char *in, unsigned long long inlen, const harakactx *state); - -/* Applies the 512-bit Haraka permutation to in. */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state); - -/* Implementation of Haraka-512 */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state); - -/* Implementation of Haraka-256 */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state); - -/* Implementation of Haraka-256 using sk.seed constants */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state); - -#endif 
diff --git a/crypto_sign/sphincs-haraka-192s-simple/clean/hash.h b/crypto_sign/sphincs-haraka-192s-simple/clean/hash.h deleted file mode 100644 index 742306ad..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/clean/hash.h +++ /dev/null @@ -1,31 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_HASH_H -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_HASH_H - -#include "hash_state.h" - -#include -#include - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_initialize_hash_function( - hash_state *hash_state_seeded, - const unsigned char *pub_seed, const unsigned char *sk_seed); - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_destroy_hash_function(hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_prf_addr( - unsigned char *out, const unsigned char *key, const uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_gen_message_random( - unsigned char *R, - const unsigned char *sk_prf, const unsigned char *optrand, - const unsigned char *m, size_t mlen, - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_hash_message( - unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx, - const unsigned char *R, const unsigned char *pk, - const unsigned char *m, size_t mlen, - const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-192s-simple/clean/hash_haraka.c b/crypto_sign/sphincs-haraka-192s-simple/clean/hash_haraka.c deleted file mode 100644 index 3eae3f10..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/clean/hash_haraka.c +++ /dev/null 
@@ -1,96 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "hash.h" -#include "params.h" -#include "utils.h" - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_initialize_hash_function( - hash_state *hash_state_seeded, - const unsigned char *pub_seed, const unsigned char *sk_seed) { - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_tweak_constants(hash_state_seeded, pub_seed, sk_seed, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N); -} - -/* The haraka implementation is stack based and won't be replaced in PQClean/OQS, - so we don't need to do anything */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_destroy_hash_function( - hash_state *hash_state_seeded) { // NOLINT(readability-non-const-parameter) - (void)hash_state_seeded; -} - -/* - * Computes PRF(key, addr), given a secret key of PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N bytes and an address - */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_prf_addr( - unsigned char *out, const unsigned char *key, const uint32_t addr[8], - const hash_state *hash_state_seeded) { - unsigned char buf[PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_BYTES]; - /* Since PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N may be smaller than 32, we need a temporary buffer. */ - unsigned char outbuf[32]; - - (void)key; /* Suppress an 'unused parameter' warning. */ - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_addr_to_bytes(buf, addr); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka256_sk(outbuf, buf, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N); -} - -/** - * Computes the message-dependent randomness R, using a secret seed and an - * optional randomization value as well as the message. 
- */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_gen_message_random( - unsigned char *R, - const unsigned char *sk_prf, const unsigned char *optrand, - const unsigned char *m, size_t mlen, - const hash_state *hash_state_seeded) { - uint8_t s_inc[65]; - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S_inc_init(s_inc); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, sk_prf, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, optrand, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S_inc_finalize(s_inc); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S_inc_squeeze(R, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, s_inc, hash_state_seeded); -} - -/** - * Computes the message hash using R, the public key, and the message. - * Outputs the message digest and the index of the leaf. The index is split in - * the tree index and the leaf index, for convenient copying to an address. 
- */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_hash_message( - unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx, - const unsigned char *R, const unsigned char *pk, - const unsigned char *m, size_t mlen, - const hash_state *hash_state_seeded) { -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_TREE_BITS (PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_TREE_HEIGHT * (PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_D - 1)) -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_TREE_BYTES ((PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_TREE_BITS + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_LEAF_BITS PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_TREE_HEIGHT -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_LEAF_BYTES ((PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_LEAF_BITS + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_DGST_BYTES (PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_MSG_BYTES + PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_TREE_BYTES + PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_LEAF_BYTES) - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_DGST_BYTES]; - unsigned char *bufp = buf; - uint8_t s_inc[65]; - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S_inc_init(s_inc); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, R, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, pk + PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S_inc_finalize(s_inc); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S_inc_squeeze(buf, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_DGST_BYTES, s_inc, hash_state_seeded); - - memcpy(digest, bufp, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_MSG_BYTES); - bufp += PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_MSG_BYTES; - - *tree = PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_bytes_to_ull(bufp, 
PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_TREE_BYTES); - *tree &= (~(uint64_t)0) >> (64 - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_TREE_BITS); - bufp += PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_TREE_BYTES; - - *leaf_idx = (uint32_t)PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_bytes_to_ull( - bufp, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_LEAF_BYTES); - *leaf_idx &= (~(uint32_t)0) >> (32 - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_LEAF_BITS); -} diff --git a/crypto_sign/sphincs-haraka-192s-simple/clean/hash_state.h b/crypto_sign/sphincs-haraka-192s-simple/clean/hash_state.h deleted file mode 100644 index 5adb1d9a..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/clean/hash_state.h +++ /dev/null @@ -1,26 +0,0 @@ -#ifndef SPX_HASH_STATE_H -#define SPX_HASH_STATE_H - -/** - * Defines the type of the hash function state. - * - * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! - * - * From Section 7.2.2 from the SPHINCS+ round-2 specification: - * - * Each of the instances of the tweakable hash function take PK.seed as its - * first input, which is constant for a given key pair – and, thus, across - * a single signature. This leads to a lot of redundant computation. To remedy - * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. - * Because of the Merkle-Damgård construction that underlies SHA-256, this - * allows for reuse of the intermediate SHA-256 state after the initial call to - * the compression function which improves performance. - * - * We pass this hash state around in functions, because otherwise we need to - * have a global variable. - */ - -#include "haraka.h" -#define hash_state harakactx - -#endif diff --git a/crypto_sign/sphincs-haraka-192s-simple/clean/params.h b/crypto_sign/sphincs-haraka-192s-simple/clean/params.h deleted file mode 100644 index 73d58e37..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/clean/params.h +++ /dev/null 
@@ -1,53 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_PARAMS_H -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_PARAMS_H - -/* Hash output length in bytes. */ -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N 24 -/* Height of the hypertree. */ -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FULL_HEIGHT 64 -/* Number of subtree layer. */ -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_D 8 -/* FORS tree dimensions. */ -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_HEIGHT 16 -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_TREES 14 -/* Winternitz parameter, */ -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_W 16 - -/* The hash function is defined by linking a different hash.c file, as opposed - to setting a #define constant. */ - -/* For clarity */ -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_BYTES 32 - -/* WOTS parameters. */ -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_LOGW 4 - -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_LEN1 (8 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N / PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_LOGW) - -/* PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */ -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_LEN2 3 - -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_LEN (PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_LEN1 + PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_LEN2) -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_BYTES (PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_LEN * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N) -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_PK_BYTES PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_BYTES - -/* Subtree size. */ -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_TREE_HEIGHT (PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FULL_HEIGHT / PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_D) - -/* FORS parameters. 
*/ -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_MSG_BYTES ((PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_TREES + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_BYTES ((PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_HEIGHT + 1) * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N) -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_PK_BYTES PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N - -/* Resulting SPX sizes. */ -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_BYTES (PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N + PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_BYTES + PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_D * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_BYTES +\ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FULL_HEIGHT * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N) -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_PK_BYTES (2 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N) -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_SK_BYTES (2 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N + PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_PK_BYTES) - -/* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. */ -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_OPTRAND_BYTES 32 - -#endif diff --git a/crypto_sign/sphincs-haraka-192s-simple/clean/sign.c b/crypto_sign/sphincs-haraka-192s-simple/clean/sign.c deleted file mode 100644 index 3f06e151..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/clean/sign.c +++ /dev/null 
@@ -1,356 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "api.h" -#include "fors.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "randombytes.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - -/** - * Computes the leaf at a given address. First generates the WOTS key pair, - * then computes leaf by hashing horizontally. - */ -static void wots_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx, const uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - unsigned char pk[PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_BYTES]; - uint32_t wots_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_TYPE_WOTSPK); - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_keypair_addr( - wots_addr, addr_idx); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_wots_gen_pk( - pk, sk_seed, pub_seed, wots_addr, hash_state_seeded); - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_copy_keypair_addr( - wots_pk_addr, wots_addr); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_thash_WOTS_LEN( - leaf, pk, pub_seed, wots_pk_addr, hash_state_seeded); -} - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_crypto_sign_secretkeybytes(void) { - return PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_CRYPTO_SECRETKEYBYTES; -} - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_crypto_sign_publickeybytes(void) { - return PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_CRYPTO_PUBLICKEYBYTES; -} - -/* - * Returns the length of a signature, in bytes - */ -size_t 
PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_crypto_sign_bytes(void) { - return PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_CRYPTO_BYTES; -} - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_crypto_sign_seedbytes(void) { - return PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_CRYPTO_SEEDBYTES; -} - -/* - * Generates an SPX key pair given a seed of length - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_crypto_sign_seed_keypair( - uint8_t *pk, uint8_t *sk, const uint8_t *seed) { - /* We do not need the auth path in key generation, but it simplifies the - code to have just one treehash routine that computes both root and path - in one function. */ - unsigned char auth_path[PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N]; - uint32_t top_tree_addr[8] = {0}; - hash_state hash_state_seeded; - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_layer_addr( - top_tree_addr, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_D - 1); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_type( - top_tree_addr, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_TYPE_HASHTREE); - - /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */ - memcpy(sk, seed, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_CRYPTO_SEEDBYTES); - - memcpy(pk, sk + 2 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_initialize_hash_function(&hash_state_seeded, pk, sk); - - /* Compute root node of the top-most subtree. 
*/ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_treehash_TREE_HEIGHT( - sk + 3 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, auth_path, sk, sk + 2 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, 0, 0, - wots_gen_leaf, top_tree_addr, &hash_state_seeded); - - memcpy(pk + PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, sk + 3 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N); - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_destroy_hash_function(&hash_state_seeded); - return 0; -} - -/* - * Generates an SPX key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk) { - unsigned char seed[PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_CRYPTO_SEEDBYTES]; - randombytes(seed, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_CRYPTO_SEEDBYTES); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_crypto_sign_seed_keypair( - pk, sk, seed); - - return 0; -} - -/** - * Returns an array containing a detached signature. - */ -int PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - const unsigned char *sk_seed = sk; - const unsigned char *sk_prf = sk + PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N; - const unsigned char *pk = sk + 2 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N; - const unsigned char *pub_seed = pk; - - unsigned char optrand[PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N]; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_MSG_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N]; - uint32_t i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - - hash_state hash_state_seeded; - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_initialize_hash_function( - &hash_state_seeded, - pub_seed, sk_seed); - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_TYPE_HASHTREE); - - /* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. */ - randombytes(optrand, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N); - /* Compute the digest randomization value. */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_gen_message_random( - sig, sk_prf, optrand, m, mlen, &hash_state_seeded); - - /* Derive the message digest and leaf index from R, PK and M. */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N; - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - /* Sign the message hash using FORS. */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_fors_sign( - sig, root, mhash, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_BYTES; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_D; i++) { - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - /* Compute a WOTS signature. 
*/ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_wots_sign( - sig, root, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_BYTES; - - /* Compute the authentication path for the used WOTS leaf. */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_treehash_TREE_HEIGHT( - root, sig, sk_seed, pub_seed, idx_leaf, 0, - wots_gen_leaf, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_TREE_HEIGHT; - } - - *siglen = PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_BYTES; - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_destroy_hash_function(&hash_state_seeded); - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - const unsigned char *pub_seed = pk; - const unsigned char *pub_root = pk + PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_MSG_BYTES]; - unsigned char wots_pk[PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N]; - unsigned int i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - hash_state hash_state_seeded; - - if (siglen != PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_BYTES) { - return -1; - } - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_initialize_hash_function( - &hash_state_seeded, - pub_seed, NULL); - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_TYPE_HASHTREE); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_TYPE_WOTSPK); - - /* Derive the message digest and leaf index from R || PK || M. */ - /* The additional PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N is a result of the hash domain separator. */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N; - - /* Layer correctly defaults to 0, so no need to set_layer_addr */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_fors_pk_from_sig( - root, sig, mhash, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_BYTES; - - /* For each subtree.. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_D; i++) { - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_copy_keypair_addr( - wots_pk_addr, wots_addr); - - /* The WOTS public key is only correct if the signature was correct. */ - /* Initially, root is the FORS pk, but on subsequent iterations it is - the root of the subtree below the currently processed subtree. 
*/ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_wots_pk_from_sig( - wots_pk, sig, root, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_BYTES; - - /* Compute the leaf node using the WOTS public key. */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_thash_WOTS_LEN( - leaf, wots_pk, pub_seed, wots_pk_addr, &hash_state_seeded); - - /* Compute the root node of this subtree. */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_compute_root( - root, leaf, idx_leaf, 0, sig, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_TREE_HEIGHT, - pub_seed, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_TREE_HEIGHT; - } - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_destroy_hash_function(&hash_state_seeded); - /* Check if the root node equals the root node in the public key. */ - if (memcmp(root, pub_root, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N) != 0) { - return -1; - } - - return 0; -} - - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - size_t siglen; - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_crypto_sign_signature( - sm, &siglen, m, mlen, sk); - - memmove(sm + PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_BYTES, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. 
- */ -int PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk) { - /* The API caller does not necessarily know what size a signature should be - but SPHINCS+ signatures are always exactly PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_BYTES. */ - if (smlen < PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_BYTES) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_BYTES; - - if (PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_crypto_sign_verify( - sm, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_BYTES, sm + PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_BYTES, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_BYTES, *mlen); - - return 0; -} diff --git a/crypto_sign/sphincs-haraka-192s-simple/clean/thash.h b/crypto_sign/sphincs-haraka-192s-simple/clean/thash.h deleted file mode 100644 index 66efb5b5..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/clean/thash.h +++ /dev/null 
@@ -1,28 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_THASH_H -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_THASH_H - -#include "hash_state.h" - -#include - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-192s-simple/clean/thash_haraka_simple.c b/crypto_sign/sphincs-haraka-192s-simple/clean/thash_haraka_simple.c deleted file mode 100644 index 69dbf5b7..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/clean/thash_haraka_simple.c +++ /dev/null 
@@ -1,83 +0,0 @@ -#include -#include - -#include "address.h" -#include "params.h" -#include "thash.h" - -#include "haraka.h" - -/** - * Takes an array of inblocks concatenated arrays of PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N bytes. - */ -static void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_thash( - unsigned char *out, unsigned char *buf, - const unsigned char *in, unsigned int inblocks, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char outbuf[32]; - unsigned char buf_tmp[64]; - - (void)pub_seed; /* Suppress an 'unused parameter' warning. */ - - if (inblocks == 1) { - /* F function */ - /* Since PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N may be smaller than 32, we need a temporary buffer. */ - memset(buf_tmp, 0, 64); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_addr_to_bytes(buf_tmp, addr); - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_BYTES, in, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N); - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka512(outbuf, buf_tmp, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N); - } else { - /* All other tweakable hashes*/ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_addr_to_bytes(buf, addr); - memcpy(buf + PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N); - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_haraka_S( - out, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, buf, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_BYTES + inblocks * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, hash_state_seeded); - } -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_BYTES + 1 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N]; - 
PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_thash( - out, buf, in, 1, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_BYTES + 2 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_thash( - out, buf, in, 2, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_LEN * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_thash( - out, buf, in, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_LEN, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_thash( - out, buf, in, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_TREES, pub_seed, addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-192s-simple/clean/utils.c b/crypto_sign/sphincs-haraka-192s-simple/clean/utils.c deleted file mode 100644 index 06badc48..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/clean/utils.c +++ /dev/null 
@@ -1,199 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" -#include "utils.h" - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in) { - - /* Iterate over out in decreasing order, for big-endianness. */ - for (size_t i = outlen; i > 0; i--) { - out[i - 1] = in & 0xff; - in = in >> 8; - } -} - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_bytes_to_ull( - const unsigned char *in, size_t inlen) { - unsigned long long retval = 0; - - for (size_t i = 0; i < inlen; i++) { - retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i)); - } - return retval; -} - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - unsigned char buffer[2 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N]; - - /* If leaf_idx is odd (last bit = 1), current path element is a right child - and auth_path has to go left. Otherwise it is the other way around. 
*/ - if (leaf_idx & 1) { - memcpy(buffer + PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, leaf, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N); - } else { - memcpy(buffer, leaf, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, auth_path, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N; - - for (i = 0; i < tree_height - 1; i++) { - leaf_idx >>= 1; - idx_offset >>= 1; - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_tree_height(addr, i + 1); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_tree_index( - addr, leaf_idx + idx_offset); - - /* Pick the right or left neighbor, depending on parity of the node. */ - if (leaf_idx & 1) { - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_thash_2( - buffer + PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N); - } else { - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_thash_2( - buffer, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, auth_path, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N; - } - - /* The last iteration is exceptional; we do not copy an auth_path node. */ - leaf_idx >>= 1; - idx_offset >>= 1; - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_tree_height(addr, tree_height); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_tree_index( - addr, leaf_idx + idx_offset); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_thash_2( - root, buffer, pub_seed, addr, hash_state_seeded); -} - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. 
PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -static void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_treehash( - unsigned char *root, unsigned char *auth_path, - unsigned char *stack, unsigned int *heights, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - - unsigned int offset = 0; - uint32_t idx; - uint32_t tree_idx; - - for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) { - /* Add the next leaf node to the stack. */ - gen_leaf(stack + offset * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, - sk_seed, pub_seed, idx + idx_offset, tree_addr, - hash_state_seeded); - offset++; - heights[offset - 1] = 0; - - /* If this is a node we need for the auth path.. */ - if ((leaf_idx ^ 0x1) == idx) { - memcpy(auth_path, stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N); - } - - /* While the top-most nodes are of equal height.. */ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { - /* Compute index of the new node, in the next layer. */ - tree_idx = (idx >> (heights[offset - 1] + 1)); - - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_tree_height( - tree_addr, heights[offset - 1] + 1); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_tree_index( - tree_addr, tree_idx + (idx_offset >> (heights[offset - 1] + 1))); - /* Hash the top-most nodes from the stack together. 
*/ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_thash_2( - stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, - pub_seed, tree_addr, hash_state_seeded); - offset--; - /* Note that the top-most node is now one layer higher. */ - heights[offset - 1]++; - - /* If this is a node we need for the auth path.. */ - if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) { - memcpy(auth_path + heights[offset - 1]*PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, - stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N); - } - } - } - memcpy(root, stack, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N); -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_FORS_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* 
leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_TREE_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_TREE_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_TREE_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-192s-simple/clean/utils.h b/crypto_sign/sphincs-haraka-192s-simple/clean/utils.h deleted file mode 100644 index 08d1eff3..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/clean/utils.h +++ /dev/null 
@@ -1,64 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_UTILS_H -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_UTILS_H - -#include "hash_state.h" -#include "params.h" -#include -#include - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in); - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_bytes_to_ull( - const unsigned char *in, size_t inlen); - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. 
- */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-192s-simple/clean/wots.c b/crypto_sign/sphincs-haraka-192s-simple/clean/wots.c deleted file mode 100644 index e28e546a..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/clean/wots.c +++ /dev/null 
@@ -1,167 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - -// TODO clarify address expectations, and make them more uniform. -// TODO i.e. do we expect types to be set already? -// TODO and do we expect modifications or copies? - -/** - * Computes the starting value for a chain, i.e. the secret key. - * Expects the address to be complete up to the chain address. - */ -static void wots_gen_sk(unsigned char *sk, const unsigned char *sk_seed, - uint32_t wots_addr[8], - const hash_state *hash_state_seeded) { - /* Make sure that the hash address is actually zeroed. */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_hash_addr(wots_addr, 0); - - /* Generate sk element. */ - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_prf_addr(sk, sk_seed, wots_addr, hash_state_seeded); -} - -/** - * Computes the chaining function. - * out and in have to be n-byte arrays. - * - * Interprets in as start-th value of the chain. - * addr has to contain the address of the chain. - */ -static void gen_chain(unsigned char *out, const unsigned char *in, - unsigned int start, unsigned int steps, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - - /* Initialize out with the value at position 'start'. */ - memcpy(out, in, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N); - - /* Iterate 'steps' calls to the hash function. */ - for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_W; i++) { - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_hash_addr(addr, i); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_thash_1( - out, out, pub_seed, addr, hash_state_seeded); - } -} - -/** - * base_w algorithm as described in draft. - * Interprets an array of bytes as integers in base w. - * This only works when log_w is a divisor of 8. 
- */ -static void base_w(unsigned int *output, const size_t out_len, - const unsigned char *input) { - size_t in = 0; - size_t out = 0; - unsigned char total = 0; - unsigned int bits = 0; - size_t consumed; - - for (consumed = 0; consumed < out_len; consumed++) { - if (bits == 0) { - total = input[in]; - in++; - bits += 8; - } - bits -= PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_LOGW; - output[out] = (unsigned int)((total >> bits) & (PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_W - 1)); - out++; - } -} - -/* Computes the WOTS+ checksum over a message (in base_w). */ -static void wots_checksum(unsigned int *csum_base_w, - const unsigned int *msg_base_w) { - unsigned int csum = 0; - unsigned char csum_bytes[(PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_LOGW + 7) / 8]; - unsigned int i; - - /* Compute checksum. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_LEN1; i++) { - csum += PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_W - 1 - msg_base_w[i]; - } - - /* Convert checksum to base_w. */ - /* Make sure expected empty zero bits are the least significant bits. */ - csum = csum << (8 - ((PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_LOGW) % 8)); - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_ull_to_bytes( - csum_bytes, sizeof(csum_bytes), csum); - base_w(csum_base_w, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_LEN2, csum_bytes); -} - -/* Takes a message and derives the matching chain lengths. */ -static void chain_lengths(unsigned int *lengths, const unsigned char *msg) { - base_w(lengths, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_LEN1, msg); - wots_checksum(lengths + PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_LEN1, lengths); -} - -/** - * WOTS key generation. Takes a 32 byte sk_seed, expands it to WOTS private key - * elements and computes the corresponding public key. 
- * It requires the seed pub_seed (used to generate bitmasks and hash keys) - * and the address of this WOTS key pair. - * - * Writes the computed public key to 'pk'. - */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_wots_gen_pk( - unsigned char *pk, const unsigned char *sk_seed, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_chain_addr(addr, i); - wots_gen_sk(pk + i * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, sk_seed, addr, hash_state_seeded); - gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, pk + i * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, - 0, PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_W - 1, pub_seed, addr, hash_state_seeded); - } -} - -/** - * Takes a n-byte message and the 32-byte sk_see to compute a signature 'sig'. - */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_wots_sign( - unsigned char *sig, const unsigned char *msg, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t addr[8], const hash_state *hash_state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_chain_addr(addr, i); - wots_gen_sk(sig + i * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, sk_seed, addr, hash_state_seeded); - gen_chain(sig + i * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, sig + i * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, 0, lengths[i], pub_seed, addr, hash_state_seeded); - } -} - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. 
- */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_wots_pk_from_sig( - unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_set_chain_addr(addr, i); - gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, sig + i * PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_N, - lengths[i], PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_W - 1 - lengths[i], pub_seed, addr, - hash_state_seeded); - } -} diff --git a/crypto_sign/sphincs-haraka-192s-simple/clean/wots.h b/crypto_sign/sphincs-haraka-192s-simple/clean/wots.h deleted file mode 100644 index 9050041b..00000000 --- a/crypto_sign/sphincs-haraka-192s-simple/clean/wots.h +++ /dev/null 
@@ -1,41 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_H -#define PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_WOTS_H - -#include "hash_state.h" -#include "params.h" -#include - -/** - * WOTS key generation. Takes a 32 byte seed for the private key, expands it to - * a full WOTS private key and computes the corresponding public key. - * It requires the seed pub_seed (used to generate bitmasks and hash keys) - * and the address of this WOTS key pair. - * - * Writes the computed public key to 'pk'. - */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_wots_gen_pk( - unsigned char *pk, const unsigned char *sk_seed, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -/** - * Takes a n-byte message and the 32-byte seed for the private key to compute a - * signature that is placed at 'sig'. - */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_wots_sign( - unsigned char *sig, const unsigned char *msg, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t addr[8], const hash_state *hash_state_seeded); - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. - */ -void PQCLEAN_SPHINCSHARAKA192SSIMPLE_CLEAN_wots_pk_from_sig( - unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-256f-robust/META.yml b/crypto_sign/sphincs-haraka-256f-robust/META.yml deleted file mode 100644 index 65bafe76..00000000 --- a/crypto_sign/sphincs-haraka-256f-robust/META.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -name: SPHINCS+ -type: signature -claimed-nist-level: 5 -length-public-key: 64 -length-secret-key: 128 -length-signature: 49216 -testvectors-sha256: 7cc4c9a8720401ed53bc2fa9a0dd9e316dca3a715b3c730d1e0c4822dfdfd0b5 -nistkat-sha256: b31c6a00604e5f1eed1534c0f8ab29ceb0c831397075ca93c43c5a2a73e2649c -principal-submitters: - - Andreas Hülsing -auxiliary-submitters: - - Jean-Philippe Aumasson - - Daniel J. Bernstein, - - Christoph Dobraunig - - Maria Eichlseder - - Scott Fluhrer - - Stefan-Lukas Gazdag - - Panos Kampanakis - - Stefan Kölbl - - Tanja Lange - - Martin M. Lauridsen - - Florian Mendel - - Ruben Niederhagen - - Christian Rechberger - - Joost Rijneveld - - Peter Schwabe -implementations: - - name: clean - version: https://github.com/sphincs/sphincsplus/commit/77755c94d0bc744478044d6efbb888dc13156441 - - name: aesni - version: https://github.com/sphincs/sphincsplus/commit/77755c94d0bc744478044d6efbb888dc13156441 - supported_platforms: - - architecture: x86_64 - required_flags: - - aes diff --git a/crypto_sign/sphincs-haraka-256f-robust/aesni/LICENSE b/crypto_sign/sphincs-haraka-256f-robust/aesni/LICENSE deleted file mode 100644 index 670154e3..00000000 --- a/crypto_sign/sphincs-haraka-256f-robust/aesni/LICENSE +++ /dev/null 
@@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. 
publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. 
Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. 
Affirmer offers the Work as-is and makes no representations or warranties - of any kind concerning the Work, express, implied, statutory or otherwise, - including without limitation warranties of title, merchantability, fitness - for a particular purpose, non infringement, or the absence of latent or - other defects, accuracy, or the present or absence of errors, whether or not - discoverable, all to the greatest extent permissible under applicable law. - - c. Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without limitation - any person's Copyright and Related Rights in the Work. Further, Affirmer - disclaims responsibility for obtaining any necessary consents, permissions - or other rights required for any use of the Work. - - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to this - CC0 or use of the Work. - -For more information, please see - diff --git a/crypto_sign/sphincs-haraka-256f-robust/aesni/Makefile.Microsoft_nmake b/crypto_sign/sphincs-haraka-256f-robust/aesni/Makefile.Microsoft_nmake deleted file mode 100644 index 3a9b3143..00000000 --- a/crypto_sign/sphincs-haraka-256f-robust/aesni/Makefile.Microsoft_nmake +++ /dev/null 
@@ -1,23 +0,0 @@ -# This Makefile can be used with Microsoft Visual Studio's nmake using the command: -# nmake /f Makefile.Microsoft_nmake - -LIBRARY=libsphincs-haraka-256f-robust_aesni.lib -OBJECTS=address.obj wots.obj utils.obj utilsx4.obj fors.obj sign.obj hash_haraka.obj thash_haraka_robust.obj hash_harakax4.obj thash_haraka_robustx4.obj haraka.obj - -# We ignore warning C4127: in thash_haraka_*x4.c we use a conditional -# that when the macro is generated for inblocks = 1 results in a case -# with `if (1 == 1)`. The compiler should just optimise this away, but -# on MSVC we get a compiler complaint. -CFLAGS=/nologo /arch:AVX /O2 /I ..\..\..\common /W4 /WX /wd4127 - -all: $(LIBRARY) - -# Make sure objects are recompiled if headers change. -$(OBJECTS): *.h - -$(LIBRARY): $(OBJECTS) - LIB.EXE /NOLOGO /WX /OUT:$@ $** - -clean: - -DEL $(OBJECTS) - -DEL $(LIBRARY) diff --git a/crypto_sign/sphincs-haraka-256f-robust/aesni/address.c b/crypto_sign/sphincs-haraka-256f-robust/aesni/address.c deleted file mode 100644 index 7b5cf80a..00000000 --- a/crypto_sign/sphincs-haraka-256f-robust/aesni/address.c +++ /dev/null 
@@ -1,78 +0,0 @@ -#include - -#include "address.h" -#include "params.h" -#include "utils.h" - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_addr_to_bytes( - unsigned char *bytes, const uint32_t addr[8]) { - int i; - - for (i = 0; i < 8; i++) { - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ull_to_bytes( - bytes + i * 4, 4, addr[i]); - } -} - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_layer_addr( - uint32_t addr[8], uint32_t layer) { - addr[0] = layer; -} - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_tree_addr( - uint32_t addr[8], uint64_t tree) { - addr[1] = 0; - addr[2] = (uint32_t) (tree >> 32); - addr[3] = (uint32_t) tree; -} - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_type( - uint32_t addr[8], uint32_t type) { - addr[4] = type; -} - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_copy_subtree_addr( - uint32_t out[8], const uint32_t in[8]) { - out[0] = in[0]; - out[1] = in[1]; - out[2] = in[2]; - out[3] = in[3]; -} - -/* These functions are used for OTS addresses. */ - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_keypair_addr( - uint32_t addr[8], uint32_t keypair) { - addr[5] = keypair; -} - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_copy_keypair_addr( - uint32_t out[8], const uint32_t in[8]) { - out[0] = in[0]; - out[1] = in[1]; - out[2] = in[2]; - out[3] = in[3]; - out[5] = in[5]; -} - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_chain_addr( - uint32_t addr[8], uint32_t chain) { - addr[6] = chain; -} - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_hash_addr( - uint32_t addr[8], uint32_t hash) { - addr[7] = hash; -} - -/* These functions are used for all hash tree addresses (including FORS). */ - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_tree_height( - uint32_t addr[8], uint32_t tree_height) { - addr[6] = tree_height; -} - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_tree_index( - uint32_t addr[8], uint32_t tree_index) { - addr[7] = tree_index; -} 
diff --git a/crypto_sign/sphincs-haraka-256f-robust/aesni/address.h b/crypto_sign/sphincs-haraka-256f-robust/aesni/address.h deleted file mode 100644 index b40712ff..00000000 --- a/crypto_sign/sphincs-haraka-256f-robust/aesni/address.h +++ /dev/null 
@@ -1,50 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDRESS_H -#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDRESS_H - -#include - -#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_TYPE_WOTS 0 -#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_TYPE_WOTSPK 1 -#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_TYPE_HASHTREE 2 -#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_TYPE_FORSTREE 3 -#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_TYPE_FORSPK 4 - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_addr_to_bytes( - unsigned char *bytes, const uint32_t addr[8]); - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_layer_addr( - uint32_t addr[8], uint32_t layer); - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_tree_addr( - uint32_t addr[8], uint64_t tree); - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_type( - uint32_t addr[8], uint32_t type); - -/* Copies the layer and tree part of one address into the other */ -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_copy_subtree_addr( - uint32_t out[8], const uint32_t in[8]); - -/* These functions are used for WOTS and FORS addresses. */ - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_keypair_addr( - uint32_t addr[8], uint32_t keypair); - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_chain_addr( - uint32_t addr[8], uint32_t chain); - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_hash_addr( - uint32_t addr[8], uint32_t hash); - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_copy_keypair_addr( - uint32_t out[8], const uint32_t in[8]); - -/* These functions are used for all hash tree addresses (including FORS). */ - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_tree_height( - uint32_t addr[8], uint32_t tree_height); - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_tree_index( - uint32_t addr[8], uint32_t tree_index); - -#endif diff --git a/crypto_sign/sphincs-haraka-256f-robust/aesni/api.h b/crypto_sign/sphincs-haraka-256f-robust/aesni/api.h deleted file mode 100644 index 64a49ea5..00000000 
--- a/crypto_sign/sphincs-haraka-256f-robust/aesni/api.h +++ /dev/null 
@@ -1,81 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_API_H -#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_API_H - -#include -#include - - - -#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_CRYPTO_ALGNAME "SPHINCS+" - -#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_CRYPTO_SECRETKEYBYTES 128 -#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_CRYPTO_PUBLICKEYBYTES 64 -#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_CRYPTO_BYTES 49216 -#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_CRYPTO_SEEDBYTES 96 - - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_crypto_sign_secretkeybytes(void); - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_crypto_sign_publickeybytes(void); - -/* - * Returns the length of a signature, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_crypto_sign_bytes(void); - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_crypto_sign_seedbytes(void); - -/* - * Generates a SPHINCS+ key pair given a seed. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -int PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_crypto_sign_seed_keypair( - uint8_t *pk, uint8_t *sk, const uint8_t *seed); - -/* - * Generates a SPHINCS+ key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -int PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk); - -/** - * Returns an array containing a detached signature. - */ -int PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -/** - * Verifies a detached signature and message under a given public key. 
- */ -int PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk); - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -/** - * Verifies a given signature-message pair under a given public key. - */ -int PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk); - -#endif diff --git a/crypto_sign/sphincs-haraka-256f-robust/aesni/fors.c b/crypto_sign/sphincs-haraka-256f-robust/aesni/fors.c deleted file mode 100644 index 68e83f32..00000000 --- a/crypto_sign/sphincs-haraka-256f-robust/aesni/fors.c +++ /dev/null 
@@ -1,206 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "fors.h" -#include "hash.h" -#include "hashx4.h" -#include "thash.h" -#include "thashx4.h" -#include "utils.h" -#include "utilsx4.h" - -static void fors_gen_skx4(unsigned char *sk0, - unsigned char *sk1, - unsigned char *sk2, - unsigned char *sk3, const unsigned char *sk_seed, - uint32_t fors_leaf_addrx4[4 * 8], - const hash_state *state_seeded) { - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_prf_addrx4(sk0, sk1, sk2, sk3, sk_seed, fors_leaf_addrx4, state_seeded); -} - -static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk, - const unsigned char *pub_seed, - uint32_t fors_leaf_addr[8], const hash_state *state_seeded) { - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_thash_1(leaf, sk, pub_seed, fors_leaf_addr, state_seeded); -} - -static void fors_sk_to_leafx4(unsigned char *leaf0, - unsigned char *leaf1, - unsigned char *leaf2, - unsigned char *leaf3, - const unsigned char *sk0, - const unsigned char *sk1, - const unsigned char *sk2, - const unsigned char *sk3, - const unsigned char *pub_seed, - uint32_t fors_leaf_addrx4[4 * 8], - const hash_state *state_seeded) { - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_thashx4_1(leaf0, leaf1, leaf2, leaf3, - sk0, sk1, sk2, sk3, pub_seed, fors_leaf_addrx4, state_seeded); -} - -static void fors_gen_leafx4(unsigned char *leaf0, - unsigned char *leaf1, - unsigned char *leaf2, - unsigned char *leaf3, - const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx0, - uint32_t addr_idx1, - uint32_t addr_idx2, - uint32_t addr_idx3, - const uint32_t fors_tree_addr[8], - const hash_state *state_seeded) { - uint32_t fors_leaf_addrx4[4 * 8] = {0}; - unsigned int j; - - /* Only copy the parts that must be kept in fors_leaf_addrx4. 
*/ - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_copy_keypair_addr(fors_leaf_addrx4 + j * 8, fors_tree_addr); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_type(fors_leaf_addrx4 + j * 8, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_TYPE_FORSTREE); - } - - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_tree_index(fors_leaf_addrx4 + 0 * 8, addr_idx0); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_tree_index(fors_leaf_addrx4 + 1 * 8, addr_idx1); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_tree_index(fors_leaf_addrx4 + 2 * 8, addr_idx2); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_tree_index(fors_leaf_addrx4 + 3 * 8, addr_idx3); - - fors_gen_skx4(leaf0, leaf1, leaf2, leaf3, sk_seed, fors_leaf_addrx4, state_seeded); - fors_sk_to_leafx4(leaf0, leaf1, leaf2, leaf3, - leaf0, leaf1, leaf2, leaf3, pub_seed, fors_leaf_addrx4, state_seeded); -} - -/** - * Interprets m as PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_HEIGHT-bit unsigned integers. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_TREES bits. - * Assumes indices has space for PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_TREES integers. - */ -static void message_to_indices(uint32_t *indices, const unsigned char *m) { - unsigned int i, j; - unsigned int offset = 0; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_TREES; i++) { - indices[i] = 0; - for (j = 0; j < PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_HEIGHT; j++) { - indices[i] ^= (((uint32_t)m[offset >> 3] >> (offset & 0x7)) & 0x1) << j; - offset++; - } - } -} - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_TREES bits. 
- */ -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_fors_sign(unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const unsigned char *sk_seed, const unsigned char *pub_seed, - const uint32_t fors_addr[8], const hash_state *state_seeded) { - /* Round up to multiple of 4 to prevent out-of-bounds for x4 parallelism */ - uint32_t indices[(PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_TREES + 3) & ~3] = {0}; - unsigned char roots[((PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_TREES + 3) & ~3) * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N]; - /* Sign to a buffer, since we may not have a nice multiple of 4 and would - otherwise overrun the signature. */ - unsigned char sigbufx4[4 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N * (1 + PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_HEIGHT)]; - uint32_t fors_tree_addrx4[4 * 8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset[4] = {0}; - unsigned int i, j; - - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_copy_keypair_addr(fors_tree_addrx4 + j * 8, fors_addr); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_type(fors_tree_addrx4 + j * 8, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_TYPE_FORSTREE); - } - - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_copy_keypair_addr(fors_pk_addr, fors_addr); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < ((PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_TREES + 3) & ~0x3); i += 4) { - for (j = 0; j < 4; j++) { - if (i + j < PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_TREES) { - idx_offset[j] = (i + j) * (1 << PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_HEIGHT); - - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_tree_height(fors_tree_addrx4 + j * 8, 0); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_tree_index(fors_tree_addrx4 + j * 8, - indices[i + j] + idx_offset[j]); - } - } - - /* Include the secret key part that produces the selected leaf nodes. 
*/ - fors_gen_skx4(sigbufx4 + 0 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, - sigbufx4 + 1 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, - sigbufx4 + 2 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, - sigbufx4 + 3 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, - sk_seed, fors_tree_addrx4, state_seeded); - - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_treehashx4_FORS_HEIGHT(roots + i * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, sigbufx4 + 4 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, sk_seed, pub_seed, - &indices[i], idx_offset, fors_gen_leafx4, fors_tree_addrx4, - state_seeded); - - for (j = 0; j < 4; j++) { - if (i + j < PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_TREES) { - memcpy(sig, sigbufx4 + j * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N); - memcpy(sig + PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, - sigbufx4 + 4 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N + j * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_HEIGHT, - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_HEIGHT); - sig += PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N * (1 + PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_HEIGHT); - } - } - } - - /* Hash horizontally across all tree roots to derive the public key. */ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, state_seeded); -} - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_TREES bits. 
- */ -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_fors_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const unsigned char *pub_seed, - const uint32_t fors_addr[8], - const hash_state *state_seeded) { - uint32_t indices[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_TREES]; - unsigned char roots[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N]; - uint32_t fors_tree_addr[8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_copy_keypair_addr(fors_tree_addr, fors_addr); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_copy_keypair_addr(fors_pk_addr, fors_addr); - - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_type(fors_tree_addr, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_TYPE_FORSTREE); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_TREES; i++) { - idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_HEIGHT); - - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_tree_height(fors_tree_addr, 0); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_tree_index(fors_tree_addr, indices[i] + idx_offset); - - /* Derive the leaf from the included secret key part. */ - fors_sk_to_leaf(leaf, sig, pub_seed, fors_tree_addr, state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N; - - /* Derive the corresponding root node of this tree. 
*/ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_compute_root(roots + i * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, leaf, indices[i], idx_offset, - sig, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_HEIGHT, pub_seed, fors_tree_addr, - state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-256f-robust/aesni/fors.h b/crypto_sign/sphincs-haraka-256f-robust/aesni/fors.h deleted file mode 100644 index 197c1bde..00000000 --- a/crypto_sign/sphincs-haraka-256f-robust/aesni/fors.h +++ /dev/null 
@@ -1,32 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_H -#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_H - -#include - -#include "hash_state.h" -#include "params.h" - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_TREES bits. - */ -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_fors_sign( - unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const unsigned char *sk_seed, const unsigned char *pub_seed, - const uint32_t fors_addr[8], const hash_state *hash_state_seeded); - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_TREES bits. - */ -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_fors_pk_from_sig( - unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const unsigned char *pub_seed, const uint32_t fors_addr[8], - const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-256f-robust/aesni/haraka.c b/crypto_sign/sphincs-haraka-256f-robust/aesni/haraka.c deleted file mode 100644 index 52f0b191..00000000 --- a/crypto_sign/sphincs-haraka-256f-robust/aesni/haraka.c +++ /dev/null 
@@ -1,801 +0,0 @@ -/* -Plain C implementation of the Haraka256 and Haraka512 permutations. -*/ -#include -#include -#include -#include -#include - -#include "haraka.h" - -#define HARAKAS_RATE 32 - -#define u64 uint64_t -#define u128 __m128i - -#define LOAD(src) _mm_loadu_si128((u128 *)(src)) -#define STORE(dest,src) _mm_storeu_si128((u128 *)(dest),src) - -#define XOR128(a, b) _mm_xor_si128(a, b) - -#define AES2(s0, s1, rci) \ - (s0) = _mm_aesenc_si128(s0, *(rci)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 1)); \ - (s0) = _mm_aesenc_si128(s0, *((rci) + 2)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 3)); - -#define AES2_4x(s0, s1, s2, s3, rci) \ - AES2((s0)[0], (s0)[1], rci); \ - AES2((s1)[0], (s1)[1], rci); \ - AES2((s2)[0], (s2)[1], rci); \ - AES2((s3)[0], (s3)[1], rci); - -#define AES4(s0, s1, s2, s3, rci) \ - (s0) = _mm_aesenc_si128(s0, *(rci)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 1)); \ - (s2) = _mm_aesenc_si128(s2, *((rci) + 2)); \ - (s3) = _mm_aesenc_si128(s3, *((rci) + 3)); \ - (s0) = _mm_aesenc_si128(s0, *((rci) + 4)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 5)); \ - (s2) = _mm_aesenc_si128(s2, *((rci) + 6)); \ - (s3) = _mm_aesenc_si128(s3, *((rci) + 7)); - -#define AES4_4x(s0, s1, s2, s3, rci) \ - AES4((s0)[0], (s0)[1], (s0)[2], (s0)[3], rci); \ - AES4((s1)[0], (s1)[1], (s1)[2], (s1)[3], rci); \ - AES4((s2)[0], (s2)[1], (s2)[2], (s2)[3], rci); \ - AES4((s3)[0], (s3)[1], (s3)[2], (s3)[3], rci); - -#define MIX2(s0, s1) \ - tmp = _mm_unpacklo_epi32(s0, s1); \ - (s1) = _mm_unpackhi_epi32(s0, s1); \ - (s0) = tmp; - -#define MIX4(s0, s1, s2, s3) \ - tmp = _mm_unpacklo_epi32(s0, s1); \ - (s0) = _mm_unpackhi_epi32(s0, s1); \ - (s1) = _mm_unpacklo_epi32(s2, s3); \ - (s2) = _mm_unpackhi_epi32(s2, s3); \ - (s3) = _mm_unpacklo_epi32(s0, s2); \ - (s0) = _mm_unpackhi_epi32(s0, s2); \ - (s2) = _mm_unpackhi_epi32(s1, tmp); \ - (s1) = _mm_unpacklo_epi32(s1, tmp); - -#define TRUNCSTORE(out, s0, s1, s2, s3) \ - _mm_storeu_si128((u128 *)(out), \ - 
_mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(s0), _mm_castsi128_pd(s1), 3))); \ - _mm_storeu_si128((u128 *)((out) + 16), \ - _mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(s2), _mm_castsi128_pd(s3), 0))); - -static void load_haraka_constants(u128 rc[40]) { - rc[ 0] = _mm_set_epi32((int)0x0684704c, (int)0xe620c00a, (int)0xb2c5fef0, (int)0x75817b9d); - rc[ 1] = _mm_set_epi32((int)0x8b66b4e1, (int)0x88f3a06b, (int)0x640f6ba4, (int)0x2f08f717); - rc[ 2] = _mm_set_epi32((int)0x3402de2d, (int)0x53f28498, (int)0xcf029d60, (int)0x9f029114); - rc[ 3] = _mm_set_epi32((int)0x0ed6eae6, (int)0x2e7b4f08, (int)0xbbf3bcaf, (int)0xfd5b4f79); - rc[ 4] = _mm_set_epi32((int)0xcbcfb0cb, (int)0x4872448b, (int)0x79eecd1c, (int)0xbe397044); - rc[ 5] = _mm_set_epi32((int)0x7eeacdee, (int)0x6e9032b7, (int)0x8d5335ed, (int)0x2b8a057b); - rc[ 6] = _mm_set_epi32((int)0x67c28f43, (int)0x5e2e7cd0, (int)0xe2412761, (int)0xda4fef1b); - rc[ 7] = _mm_set_epi32((int)0x2924d9b0, (int)0xafcacc07, (int)0x675ffde2, (int)0x1fc70b3b); - rc[ 8] = _mm_set_epi32((int)0xab4d63f1, (int)0xe6867fe9, (int)0xecdb8fca, (int)0xb9d465ee); - rc[ 9] = _mm_set_epi32((int)0x1c30bf84, (int)0xd4b7cd64, (int)0x5b2a404f, (int)0xad037e33); - rc[10] = _mm_set_epi32((int)0xb2cc0bb9, (int)0x941723bf, (int)0x69028b2e, (int)0x8df69800); - rc[11] = _mm_set_epi32((int)0xfa0478a6, (int)0xde6f5572, (int)0x4aaa9ec8, (int)0x5c9d2d8a); - rc[12] = _mm_set_epi32((int)0xdfb49f2b, (int)0x6b772a12, (int)0x0efa4f2e, (int)0x29129fd4); - rc[13] = _mm_set_epi32((int)0x1ea10344, (int)0xf449a236, (int)0x32d611ae, (int)0xbb6a12ee); - rc[14] = _mm_set_epi32((int)0xaf044988, (int)0x4b050084, (int)0x5f9600c9, (int)0x9ca8eca6); - rc[15] = _mm_set_epi32((int)0x21025ed8, (int)0x9d199c4f, (int)0x78a2c7e3, (int)0x27e593ec); - rc[16] = _mm_set_epi32((int)0xbf3aaaf8, (int)0xa759c9b7, (int)0xb9282ecd, (int)0x82d40173); - rc[17] = _mm_set_epi32((int)0x6260700d, (int)0x6186b017, (int)0x37f2efd9, (int)0x10307d6b); - rc[18] = _mm_set_epi32((int)0x5aca45c2, 
(int)0x21300443, (int)0x81c29153, (int)0xf6fc9ac6); - rc[19] = _mm_set_epi32((int)0x9223973c, (int)0x226b68bb, (int)0x2caf92e8, (int)0x36d1943a); - rc[20] = _mm_set_epi32((int)0xd3bf9238, (int)0x225886eb, (int)0x6cbab958, (int)0xe51071b4); - rc[21] = _mm_set_epi32((int)0xdb863ce5, (int)0xaef0c677, (int)0x933dfddd, (int)0x24e1128d); - rc[22] = _mm_set_epi32((int)0xbb606268, (int)0xffeba09c, (int)0x83e48de3, (int)0xcb2212b1); - rc[23] = _mm_set_epi32((int)0x734bd3dc, (int)0xe2e4d19c, (int)0x2db91a4e, (int)0xc72bf77d); - rc[24] = _mm_set_epi32((int)0x43bb47c3, (int)0x61301b43, (int)0x4b1415c4, (int)0x2cb3924e); - rc[25] = _mm_set_epi32((int)0xdba775a8, (int)0xe707eff6, (int)0x03b231dd, (int)0x16eb6899); - rc[26] = _mm_set_epi32((int)0x6df3614b, (int)0x3c755977, (int)0x8e5e2302, (int)0x7eca472c); - rc[27] = _mm_set_epi32((int)0xcda75a17, (int)0xd6de7d77, (int)0x6d1be5b9, (int)0xb88617f9); - rc[28] = _mm_set_epi32((int)0xec6b43f0, (int)0x6ba8e9aa, (int)0x9d6c069d, (int)0xa946ee5d); - rc[29] = _mm_set_epi32((int)0xcb1e6950, (int)0xf957332b, (int)0xa2531159, (int)0x3bf327c1); - rc[30] = _mm_set_epi32((int)0x2cee0c75, (int)0x00da619c, (int)0xe4ed0353, (int)0x600ed0d9); - rc[31] = _mm_set_epi32((int)0xf0b1a5a1, (int)0x96e90cab, (int)0x80bbbabc, (int)0x63a4a350); - rc[32] = _mm_set_epi32((int)0xae3db102, (int)0x5e962988, (int)0xab0dde30, (int)0x938dca39); - rc[33] = _mm_set_epi32((int)0x17bb8f38, (int)0xd554a40b, (int)0x8814f3a8, (int)0x2e75b442); - rc[34] = _mm_set_epi32((int)0x34bb8a5b, (int)0x5f427fd7, (int)0xaeb6b779, (int)0x360a16f6); - rc[35] = _mm_set_epi32((int)0x26f65241, (int)0xcbe55438, (int)0x43ce5918, (int)0xffbaafde); - rc[36] = _mm_set_epi32((int)0x4ce99a54, (int)0xb9f3026a, (int)0xa2ca9cf7, (int)0x839ec978); - rc[37] = _mm_set_epi32((int)0xae51a51a, (int)0x1bdff7be, (int)0x40c06e28, (int)0x22901235); - rc[38] = _mm_set_epi32((int)0xa0c1613c, (int)0xba7ed22b, (int)0xc173bc0f, (int)0x48a659cf); - rc[39] = _mm_set_epi32((int)0x756acc03, (int)0x02288288, 
(int)0x4ad6bdfd, (int)0xe9c59da1); -} - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_tweak_constants( - harakactx *state, - const unsigned char *pk_seed, const unsigned char *sk_seed, - unsigned long long seed_length) { - int i; - unsigned char buf[40 * 16]; - - /* Use the standard constants to generate tweaked ones. */ - load_haraka_constants(state->rc); - - /* Constants for sk.seed */ - if (sk_seed != NULL) { - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_S(buf, 40 * 16, sk_seed, seed_length, state); - /* Tweak constants with the pub_seed */ - for (i = 0; i < 40; i++) { - state->rc_sseed[i] = LOAD(buf + i * 16); - } - } - - /* Constants for pk.seed */ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_S(buf, 40 * 16, pk_seed, seed_length, state); - - /* Tweak constants with the pub_seed */ - for (i = 0; i < 40; i++) { - state->rc[i] = LOAD(buf + i * 16); - } -} - -static void haraka_S_absorb(unsigned char *s, - const unsigned char *m, unsigned long long mlen, - unsigned char p, - const harakactx *state) { - unsigned long long i; - unsigned char t[HARAKAS_RATE]; - - while (mlen >= HARAKAS_RATE) { - // XOR block to state - STORE(s, XOR128(LOAD(s), LOAD(m))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(m + 16))); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka512_perm(s, s, state); - mlen -= HARAKAS_RATE; - m += HARAKAS_RATE; - } - - for (i = 0; i < HARAKAS_RATE; ++i) { - t[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t[i] = m[i]; - } - t[i] = p; - t[HARAKAS_RATE - 1] |= 128; - STORE(s, XOR128(LOAD(s), LOAD(t))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(t + 16))); -} - -static void haraka_S_absorb4x(unsigned char *s, - const unsigned char *m0, - const unsigned char *m1, - const unsigned char *m2, - const unsigned char *m3, - unsigned long long int mlen, - unsigned char p, - const harakactx *state) { - unsigned long long i; - unsigned char t0[HARAKAS_RATE]; - unsigned char t1[HARAKAS_RATE]; - unsigned char t2[HARAKAS_RATE]; - unsigned char t3[HARAKAS_RATE]; - - while (mlen 
>= HARAKAS_RATE) { - // XOR block to state - STORE(s, XOR128(LOAD(s), LOAD(m0))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(m0 + 16))); - STORE(s + 64, XOR128(LOAD(s + 64), LOAD(m1))); - STORE(s + 80, XOR128(LOAD(s + 80), LOAD(m1 + 16))); - STORE(s + 128, XOR128(LOAD(s + 128), LOAD(m2))); - STORE(s + 144, XOR128(LOAD(s + 144), LOAD(m2 + 16))); - STORE(s + 192, XOR128(LOAD(s + 192), LOAD(m3))); - STORE(s + 208, XOR128(LOAD(s + 208), LOAD(m3 + 16))); - - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka512_perm_x4(s, s, state); - mlen -= HARAKAS_RATE; - m0 += HARAKAS_RATE; - m1 += HARAKAS_RATE; - m2 += HARAKAS_RATE; - m3 += HARAKAS_RATE; - } - - for (i = 0; i < HARAKAS_RATE; ++i) { - t0[i] = 0; - t1[i] = 0; - t2[i] = 0; - t3[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t0[i] = m0[i]; - t1[i] = m1[i]; - t2[i] = m2[i]; - t3[i] = m3[i]; - } - - t0[i] = p; - t1[i] = p; - t2[i] = p; - t3[i] = p; - - t0[HARAKAS_RATE - 1] |= 128; - t1[HARAKAS_RATE - 1] |= 128; - t2[HARAKAS_RATE - 1] |= 128; - t3[HARAKAS_RATE - 1] |= 128; - - STORE(s, XOR128(LOAD(s), LOAD(t0))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(t0 + 16))); - STORE(s + 64, XOR128(LOAD(s + 64), LOAD(t1))); - STORE(s + 80, XOR128(LOAD(s + 80), LOAD(t1 + 16))); - STORE(s + 128, XOR128(LOAD(s + 128), LOAD(t2))); - STORE(s + 144, XOR128(LOAD(s + 144), LOAD(t2 + 16))); - STORE(s + 192, XOR128(LOAD(s + 192), LOAD(t3))); - STORE(s + 208, XOR128(LOAD(s + 208), LOAD(t3 + 16))); -} - -static void haraka_S_squeezeblocks(unsigned char *h, unsigned long long nblocks, - unsigned char *s, unsigned int r, const harakactx *state) { - while (nblocks > 0) { - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka512_perm(s, s, state); - STORE(h, LOAD(s)); - STORE(h + 16, LOAD(s + 16)); - h += r; - nblocks--; - } -} - -static void haraka_S_squeezeblocks4x(unsigned char *h0, - unsigned char *h1, - unsigned char *h2, - unsigned char *h3, - unsigned long long nblocks, - unsigned char *s, - unsigned int r, - const harakactx *state) { - while (nblocks > 0) 
{ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka512_perm_x4(s, s, state); - STORE(h0, LOAD(s)); - STORE(h0 + 16, LOAD(s + 16)); - STORE(h1, LOAD(s + 64)); - STORE(h1 + 16, LOAD(s + 80)); - STORE(h2, LOAD(s + 128)); - STORE(h2 + 16, LOAD(s + 144)); - STORE(h3, LOAD(s + 192)); - STORE(h3 + 16, LOAD(s + 208)); - h0 += r; - h1 += r; - h2 += r; - h3 += r; - nblocks--; - } -} - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_S_inc_init(uint8_t *s_inc) { - size_t i; - - for (i = 0; i < 64; i++) { - s_inc[i] = 0; - } - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state) { - size_t i; - - /* Recall that s_inc[64] is the non-absorbed bytes xored into the state */ - while (mlen + s_inc[64] >= HARAKAS_RATE) { - for (i = 0; i < (size_t)(HARAKAS_RATE - s_inc[64]); i++) { - /* Take the i'th byte from message - xor with the s_inc[64] + i'th byte of the state */ - s_inc[s_inc[64] + i] ^= m[i]; - } - mlen -= (size_t)(HARAKAS_RATE - s_inc[64]); - m += HARAKAS_RATE - s_inc[64]; - s_inc[64] = 0; - - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka512_perm(s_inc, s_inc, state); - } - - for (i = 0; i < mlen; i++) { - s_inc[s_inc[64] + i] ^= m[i]; - } - s_inc[64] = (uint8_t)(s_inc[64] + mlen); -} - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_S_inc_finalize(uint8_t *s_inc) { - /* After haraka_S_inc_absorb, we are guaranteed that s_inc[64] < HARAKAS_RATE, - so we can always use one more byte for p in the current state. */ - s_inc[s_inc[64]] ^= 0x1F; - s_inc[HARAKAS_RATE - 1] ^= 128; - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state) { - size_t i; - - /* First consume any bytes we still have sitting around */ - for (i = 0; i < outlen && i < s_inc[64]; i++) { - /* There are s_inc[64] bytes left, so r - s_inc[64] is the first - available byte. We consume from there, i.e., up to r. 
*/ - out[i] = (uint8_t)s_inc[(HARAKAS_RATE - s_inc[64] + (uint8_t)i)]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(s_inc[64] - i); - - /* Then squeeze the remaining necessary blocks */ - while (outlen > 0) { - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka512_perm(s_inc, s_inc, state); - - for (i = 0; i < outlen && i < HARAKAS_RATE; i++) { - out[i] = s_inc[i]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(HARAKAS_RATE - i); - } -} - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_S(unsigned char *out, unsigned long long outlen, - const unsigned char *in, unsigned long long inlen, const harakactx *state) { - unsigned long long i; - unsigned char s[64]; - unsigned char d[32]; - - for (i = 0; i < 64; i++) { - s[i] = 0; - } - haraka_S_absorb(s, in, inlen, 0x1F, state); - - haraka_S_squeezeblocks(out, outlen / HARAKAS_RATE, s, HARAKAS_RATE, state); - out += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - - if (outlen % HARAKAS_RATE) { - haraka_S_squeezeblocks(d, 1, s, HARAKAS_RATE, state); - for (i = 0; i < outlen % HARAKAS_RATE; i++) { - out[i] = d[i]; - } - } -} - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_Sx4(unsigned char *out0, - unsigned char *out1, - unsigned char *out2, - unsigned char *out3, - unsigned long long outlen, - const unsigned char *in0, - const unsigned char *in1, - const unsigned char *in2, - const unsigned char *in3, - unsigned long long inlen, - const harakactx *state) { - unsigned long long i; - unsigned char s[64 * 4]; - unsigned char d0[32]; - unsigned char d1[32]; - unsigned char d2[32]; - unsigned char d3[32]; - - for (i = 0; i < 64 * 4; i++) { - s[i] = 0; - } - haraka_S_absorb4x(s, in0, in1, in2, in3, inlen, 0x1F, state); - - haraka_S_squeezeblocks4x(out0, out1, out2, out3, outlen / HARAKAS_RATE, s, HARAKAS_RATE, state); - out0 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out1 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out2 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out3 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - 
- if (outlen % HARAKAS_RATE) { - haraka_S_squeezeblocks4x(d0, d1, d2, d3, 1, s, HARAKAS_RATE, state); - for (i = 0; i < outlen % HARAKAS_RATE; i++) { - out0[i] = d0[i]; - out1[i] = d1[i]; - out2[i] = d2[i]; - out3[i] = d3[i]; - } - } -} - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - s[2] = LOAD(in + 32); - s[3] = LOAD(in + 48); - - AES4(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0], s[1], s[2], s[3]); - - STORE(out, s[0]); - STORE(out + 16, s[1]); - STORE(out + 32, s[2]); - STORE(out + 48, s[3]); -} - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka512_perm_x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][4], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[0][2] = LOAD(in + 32); - s[0][3] = LOAD(in + 48); - s[1][0] = LOAD(in + 64); - s[1][1] = LOAD(in + 80); - s[1][2] = LOAD(in + 96); - s[1][3] = LOAD(in + 112); - s[2][0] = LOAD(in + 128); - s[2][1] = LOAD(in + 144); - s[2][2] = LOAD(in + 160); - s[2][3] = LOAD(in + 176); - s[3][0] = LOAD(in + 192); - s[3][1] = LOAD(in + 208); - s[3][2] = LOAD(in + 224); - s[3][3] = LOAD(in + 240); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - 
MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[0][2]); - STORE(out + 48, s[0][3]); - STORE(out + 64, s[1][0]); - STORE(out + 80, s[1][1]); - STORE(out + 96, s[1][2]); - STORE(out + 112, s[1][3]); - STORE(out + 128, s[2][0]); - STORE(out + 144, s[2][1]); - STORE(out + 160, s[2][2]); - STORE(out + 176, s[2][3]); - STORE(out + 192, s[3][0]); - STORE(out + 208, s[3][1]); - STORE(out + 224, s[3][2]); - STORE(out + 240, s[3][3]); -} - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - s[2] = LOAD(in + 32); - s[3] = LOAD(in + 48); - - AES4(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0], s[1], s[2], s[3]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - s[2] = XOR128(s[2], LOAD(in + 32)); - s[3] = XOR128(s[3], LOAD(in + 48)); - - // truncate and 
store result - TRUNCSTORE(out, s[0], s[1], s[2], s[3]); -} - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka512x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][4], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[0][2] = LOAD(in + 32); - s[0][3] = LOAD(in + 48); - s[1][0] = LOAD(in + 64); - s[1][1] = LOAD(in + 80); - s[1][2] = LOAD(in + 96); - s[1][3] = LOAD(in + 112); - s[2][0] = LOAD(in + 128); - s[2][1] = LOAD(in + 144); - s[2][2] = LOAD(in + 160); - s[2][3] = LOAD(in + 176); - s[3][0] = LOAD(in + 192); - s[3][1] = LOAD(in + 208); - s[3][2] = LOAD(in + 224); - s[3][3] = LOAD(in + 240); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - s[0][0] = XOR128(s[0][0], LOAD(in)); - s[0][1] = XOR128(s[0][1], LOAD(in + 16)); - s[0][2] = XOR128(s[0][2], LOAD(in + 32)); - s[0][3] = XOR128(s[0][3], LOAD(in + 48)); - s[1][0] = XOR128(s[1][0], LOAD(in + 
64)); - s[1][1] = XOR128(s[1][1], LOAD(in + 80)); - s[1][2] = XOR128(s[1][2], LOAD(in + 96)); - s[1][3] = XOR128(s[1][3], LOAD(in + 112)); - s[2][0] = XOR128(s[2][0], LOAD(in + 128)); - s[2][1] = XOR128(s[2][1], LOAD(in + 144)); - s[2][2] = XOR128(s[2][2], LOAD(in + 160)); - s[2][3] = XOR128(s[2][3], LOAD(in + 176)); - s[3][0] = XOR128(s[3][0], LOAD(in + 192)); - s[3][1] = XOR128(s[3][1], LOAD(in + 208)); - s[3][2] = XOR128(s[3][2], LOAD(in + 224)); - s[3][3] = XOR128(s[3][3], LOAD(in + 240)); - - TRUNCSTORE(out, s[0][0], s[0][1], s[0][2], s[0][3]); - TRUNCSTORE((out + 32), s[1][0], s[1][1], s[1][2], s[1][3]); - TRUNCSTORE((out + 64), s[2][0], s[2][1], s[2][2], s[2][3]); - TRUNCSTORE((out + 96), s[3][0], s[3][1], s[3][2], s[3][3]); -} - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[2], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - - AES2(s[0], s[1], state->rc); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 4); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 8); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 12); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 16); - MIX2(s[0], s[1]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - - STORE(out, s[0]); - STORE(out + 16, s[1]); -} - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka256x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][2], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[1][0] = LOAD(in + 32); - s[1][1] = LOAD(in + 48); - s[2][0] = LOAD(in + 64); - s[2][1] = LOAD(in + 80); - s[3][0] = LOAD(in + 96); - s[3][1] = LOAD(in + 112); - - // Round 1 - AES2_4x(s[0], s[1], s[2], s[3], state->rc); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 2 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 4); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - 
MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 3 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 8); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 4 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 12); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 5 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 16); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Feed Forward - s[0][0] = _mm_xor_si128(s[0][0], LOAD(in)); - s[0][1] = _mm_xor_si128(s[0][1], LOAD(in + 16)); - s[1][0] = _mm_xor_si128(s[1][0], LOAD(in + 32)); - s[1][1] = _mm_xor_si128(s[1][1], LOAD(in + 48)); - s[2][0] = _mm_xor_si128(s[2][0], LOAD(in + 64)); - s[2][1] = _mm_xor_si128(s[2][1], LOAD(in + 80)); - s[3][0] = _mm_xor_si128(s[3][0], LOAD(in + 96)); - s[3][1] = _mm_xor_si128(s[3][1], LOAD(in + 112)); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[1][0]); - STORE(out + 48, s[1][1]); - STORE(out + 64, s[2][0]); - STORE(out + 80, s[2][1]); - STORE(out + 96, s[3][0]); - STORE(out + 112, s[3][1]); -} - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[2], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - - AES2(s[0], s[1], state->rc_sseed); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 4); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 8); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 12); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 16); - MIX2(s[0], s[1]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - - STORE(out, s[0]); - STORE(out + 16, s[1]); -} - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka256_skx4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][2], tmp; - - 
s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[1][0] = LOAD(in + 32); - s[1][1] = LOAD(in + 48); - s[2][0] = LOAD(in + 64); - s[2][1] = LOAD(in + 80); - s[3][0] = LOAD(in + 96); - s[3][1] = LOAD(in + 112); - - // Round 1 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 2 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 4); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 3 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 8); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 4 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 12); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 5 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 16); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Feed Forward - s[0][0] = XOR128(s[0][0], LOAD(in)); - s[0][1] = XOR128(s[0][1], LOAD(in + 16)); - s[1][0] = XOR128(s[1][0], LOAD(in + 32)); - s[1][1] = XOR128(s[1][1], LOAD(in + 48)); - s[2][0] = XOR128(s[2][0], LOAD(in + 64)); - s[2][1] = XOR128(s[2][1], LOAD(in + 80)); - s[3][0] = XOR128(s[3][0], LOAD(in + 96)); - s[3][1] = XOR128(s[3][1], LOAD(in + 112)); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[1][0]); - STORE(out + 48, s[1][1]); - STORE(out + 64, s[2][0]); - STORE(out + 80, s[2][1]); - STORE(out + 96, s[3][0]); - STORE(out + 112, s[3][1]); -} diff --git a/crypto_sign/sphincs-haraka-256f-robust/aesni/haraka.h b/crypto_sign/sphincs-haraka-256f-robust/aesni/haraka.h deleted file mode 100644 index ed977f8d..00000000 --- a/crypto_sign/sphincs-haraka-256f-robust/aesni/haraka.h +++ /dev/null 
@@ -1,57 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_HARAKA_H -#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_HARAKA_H - -#include -#include -#include - -typedef struct { - __m128i rc[40]; - __m128i rc_sseed[40]; -} harakactx; - -/* Tweak constants with seed */ -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_tweak_constants( - harakactx *state, - const unsigned char *pk_seed, const unsigned char *sk_seed, - unsigned long long seed_length); - -/* Haraka Sponge */ -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_S_inc_init(uint8_t *s_inc); -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state); -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_S_inc_finalize(uint8_t *s_inc); -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state); -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_S( - unsigned char *out, unsigned long long outlen, - const unsigned char *in, unsigned long long inlen, const harakactx *state); -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_Sx4( - unsigned char *out0, - unsigned char *out1, - unsigned char *out2, - unsigned char *out3, - unsigned long long outlen, - const unsigned char *in0, - const unsigned char *in1, - const unsigned char *in2, - const unsigned char *in3, - unsigned long long inlen, - const harakactx *state); - - -/* Applies the 512-bit Haraka permutation to in. 
*/ -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state); -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka512_perm_x4(unsigned char *out, const unsigned char *in, const harakactx *state); - -/* Implementation of Haraka-512 */ -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state); -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka512x4(unsigned char *out, const unsigned char *in, const harakactx *state); - -/* Implementation of Haraka-256 */ -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state); -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka256x4(unsigned char *out, const unsigned char *in, const harakactx *state); - -/* Implementation of Haraka-256 using sk.seed constants */ -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state); -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka256_skx4(unsigned char *out, const unsigned char *in, const harakactx *state); - -#endif diff --git a/crypto_sign/sphincs-haraka-256f-robust/aesni/hash.h b/crypto_sign/sphincs-haraka-256f-robust/aesni/hash.h deleted file mode 100644 index 358ccf94..00000000 --- a/crypto_sign/sphincs-haraka-256f-robust/aesni/hash.h +++ /dev/null 
@@ -1,31 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_HASH_H -#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_HASH_H - -#include "hash_state.h" - -#include -#include - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_initialize_hash_function( - hash_state *hash_state_seeded, - const unsigned char *pub_seed, const unsigned char *sk_seed); - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_destroy_hash_function(hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_prf_addr( - unsigned char *out, const unsigned char *key, const uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_gen_message_random( - unsigned char *R, - const unsigned char *sk_prf, const unsigned char *optrand, - const unsigned char *m, size_t mlen, - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_hash_message( - unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx, - const unsigned char *R, const unsigned char *pk, - const unsigned char *m, size_t mlen, - const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-256f-robust/aesni/hash_haraka.c b/crypto_sign/sphincs-haraka-256f-robust/aesni/hash_haraka.c deleted file mode 100644 index 56621073..00000000 --- a/crypto_sign/sphincs-haraka-256f-robust/aesni/hash_haraka.c +++ /dev/null 
@@ -1,96 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "haraka.h"
-#include "hash.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed) {
- PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_tweak_constants(hash_state_seeded, pub_seed, sk_seed, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N);
-}
-
-/* The haraka implementation is stack based and won't be replaced in PQClean/OQS,
- so we don't need to do anything */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_destroy_hash_function(
- hash_state *hash_state_seeded) { // NOLINT(readability-non-const-parameter)
- (void)hash_state_seeded;
-}
-
-/*
- * Computes PRF(key, addr), given a secret key of PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N bytes and an address
- */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- unsigned char buf[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES];
- /* Since PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N may be smaller than 32, we need a temporary buffer. */
- unsigned char outbuf[32];
-
- (void)key; /* Suppress an 'unused parameter' warning. */
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_addr_to_bytes(buf, addr);
- PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka256_sk(outbuf, buf, hash_state_seeded);
- memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N);
-}
-
-/**
- * Computes the message-dependent randomness R, using a secret seed and an
- * optional randomization value as well as the message.
- */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded) {
- uint8_t s_inc[65];
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_S_inc_init(s_inc);
- PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_S_inc_absorb(s_inc, sk_prf, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_S_inc_absorb(s_inc, optrand, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_S_inc_finalize(s_inc);
- PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_S_inc_squeeze(R, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, s_inc, hash_state_seeded);
-}
-
-/**
- * Computes the message hash using R, the public key, and the message.
- * Outputs the message digest and the index of the leaf. The index is split in
- * the tree index and the leaf index, for convenient copying to an address.
- */ -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_hash_message( - unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx, - const unsigned char *R, const unsigned char *pk, - const unsigned char *m, size_t mlen, - const hash_state *hash_state_seeded) { -#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_TREE_BITS (PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_TREE_HEIGHT * (PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_D - 1)) -#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_TREE_BYTES ((PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_TREE_BITS + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_LEAF_BITS PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_TREE_HEIGHT -#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_LEAF_BYTES ((PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_LEAF_BITS + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_DGST_BYTES (PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_MSG_BYTES + PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_TREE_BYTES + PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_LEAF_BYTES) - - unsigned char buf[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_DGST_BYTES]; - unsigned char *bufp = buf; - uint8_t s_inc[65]; - - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_S_inc_init(s_inc); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_S_inc_absorb(s_inc, R, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_S_inc_absorb(s_inc, pk + PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_S_inc_finalize(s_inc); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_S_inc_squeeze(buf, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_DGST_BYTES, s_inc, hash_state_seeded); - - memcpy(digest, bufp, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_MSG_BYTES); - bufp += PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_MSG_BYTES; - - *tree = PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_bytes_to_ull(bufp, 
PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_TREE_BYTES); - *tree &= (~(uint64_t)0) >> (64 - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_TREE_BITS); - bufp += PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_TREE_BYTES; - - *leaf_idx = (uint32_t)PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_bytes_to_ull( - bufp, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_LEAF_BYTES); - *leaf_idx &= (~(uint32_t)0) >> (32 - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_LEAF_BITS); -} diff --git a/crypto_sign/sphincs-haraka-256f-robust/aesni/hash_harakax4.c b/crypto_sign/sphincs-haraka-256f-robust/aesni/hash_harakax4.c deleted file mode 100644 index 9fe614df..00000000 --- a/crypto_sign/sphincs-haraka-256f-robust/aesni/hash_harakax4.c +++ /dev/null @@ -1,37 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "hash_state.h" -#include "hashx4.h" -#include "params.h" - -/* - * 4-way parallel version of prf_addr; takes 4x as much input and output - */ -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_prf_addrx4(unsigned char *out0, - unsigned char *out1, - unsigned char *out2, - unsigned char *out3, - const unsigned char *key, - const uint32_t addrx4[4 * 8], - const hash_state *state_seeded) { - unsigned char bufx4[4 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES]; - /* Since PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N may be smaller than 32, we need a temporary buffer. */ - unsigned char outbuf[4 * 32]; - unsigned int i; - - (void)key; /* Suppress an 'unused parameter' warning. */ - - for (i = 0; i < 4; i++) { - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_addr_to_bytes(bufx4 + i * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES, addrx4 + i * 8); - } - - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka256_skx4(outbuf, bufx4, state_seeded); - - memcpy(out0, outbuf, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N); - memcpy(out1, outbuf + 32, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N); - memcpy(out2, outbuf + 64, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N); - memcpy(out3, outbuf + 96, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N); -} 
diff --git a/crypto_sign/sphincs-haraka-256f-robust/aesni/hash_state.h b/crypto_sign/sphincs-haraka-256f-robust/aesni/hash_state.h
deleted file mode 100644
index cab028d0..00000000
--- a/crypto_sign/sphincs-haraka-256f-robust/aesni/hash_state.h
+++ /dev/null
@@ -1,26 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_HASH_STATE_H
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_HASH_STATE_H
-
-/**
- * Defines the type of the hash function state.
- *
- * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
- *
- * From Section 7.2.2 from the SPHINCS+ round-2 specification:
- *
- * Each of the instances of the tweakable hash function take PK.seed as its
- * first input, which is constant for a given key pair – and, thus, across
- * a single signature. This leads to a lot of redundant computation. To remedy
- * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
- * Because of the Merkle-Damgård construction that underlies SHA-256, this
- * allows for reuse of the intermediate SHA-256 state after the initial call to
- * the compression function which improves performance.
- *
- * We pass this hash state around in functions, because otherwise we need to
- * have a global variable.
- */
-
-#include "haraka.h"
-#define hash_state harakactx
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-robust/aesni/hashx4.h b/crypto_sign/sphincs-haraka-256f-robust/aesni/hashx4.h
deleted file mode 100644
index e453123a..00000000
--- a/crypto_sign/sphincs-haraka-256f-robust/aesni/hashx4.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_HASHX4_H
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_HASHX4_H
-
-#include
-
-#include "hash_state.h"
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_prf_addrx4(unsigned char *out0,
- unsigned char *out1,
- unsigned char *out2,
- unsigned char *out3,
- const unsigned char *key,
- const uint32_t addrx4[4 * 8],
- const hash_state *state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-robust/aesni/params.h b/crypto_sign/sphincs-haraka-256f-robust/aesni/params.h
deleted file mode 100644
index babfe795..00000000
--- a/crypto_sign/sphincs-haraka-256f-robust/aesni/params.h
+++ /dev/null
@@ -1,53 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_PARAMS_H
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_PARAMS_H
-
-/* Hash output length in bytes. */
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N 32
-/* Height of the hypertree. */
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FULL_HEIGHT 68
-/* Number of subtree layer. */
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_D 17
-/* FORS tree dimensions. */
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_HEIGHT 10
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_TREES 30
-/* Winternitz parameter, */
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_W 16
-
-/* The hash function is defined by linking a different hash.c file, as opposed
- to setting a #define constant. */
-
-/* For clarity */
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES 32
-
-/* WOTS parameters. */
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_LOGW 4
-
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_LEN1 (8 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N / PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_LOGW)
-
-/* PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_LEN2 3
-
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_LEN (PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_LEN1 + PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_LEN2)
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_BYTES (PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_LEN * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N)
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_PK_BYTES PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_BYTES
-
-/* Subtree size. */
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_TREE_HEIGHT (PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FULL_HEIGHT / PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_D)
-
-/* FORS parameters.
*/
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_MSG_BYTES ((PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_TREES + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_BYTES ((PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_HEIGHT + 1) * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N)
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_PK_BYTES PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N
-
-/* Resulting SPX sizes. */
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_BYTES (PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N + PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_BYTES + PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_D * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_BYTES +\
- PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FULL_HEIGHT * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N)
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_PK_BYTES (2 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N)
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_SK_BYTES (2 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N + PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_PK_BYTES)
-
-/* Optionally, signing can be made non-deterministic using optrand.
- This can help counter side-channel attacks that would benefit from
- getting a large number of traces when the signer uses the same nodes. */
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_OPTRAND_BYTES 32
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-robust/aesni/sign.c b/crypto_sign/sphincs-haraka-256f-robust/aesni/sign.c
deleted file mode 100644
index 339f8b15..00000000
--- a/crypto_sign/sphincs-haraka-256f-robust/aesni/sign.c
+++ /dev/null
@@ -1,409 +0,0 @@ -#include -#include -#include -#include - -#include "address.h" -#include "api.h" -#include "fors.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "randombytes.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - - -/** - * Computes the leaf at a given address. First generates the WOTS key pair, - * then computes leaf by hashing horizontally. - */ -static void wots_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx, const uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - unsigned char pk[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_BYTES]; - uint32_t wots_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_TYPE_WOTSPK); - - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_keypair_addr( - wots_addr, addr_idx); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_wots_gen_pk( - pk, sk_seed, pub_seed, wots_addr, hash_state_seeded); - - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_copy_keypair_addr( - wots_pk_addr, wots_addr); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_thash_WOTS_LEN( - leaf, pk, pub_seed, wots_pk_addr, hash_state_seeded); -} - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_crypto_sign_secretkeybytes(void) { - return PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_CRYPTO_SECRETKEYBYTES; -} - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_crypto_sign_publickeybytes(void) { - return PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_CRYPTO_PUBLICKEYBYTES; -} - -/* - * Returns the length of a signature, in bytes - */ -size_t 
PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_crypto_sign_bytes(void) { - return PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_CRYPTO_BYTES; -} - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_crypto_sign_seedbytes(void) { - return PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_CRYPTO_SEEDBYTES; -} - -/* - * Generates an SPX key pair given a seed of length - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_crypto_sign_seed_keypair( - uint8_t *pk, uint8_t *sk, const uint8_t *seed) { - /* We do not need the auth path in key generation, but it simplifies the - code to have just one treehash routine that computes both root and path - in one function. */ - unsigned char auth_path[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N]; - uint32_t top_tree_addr[8] = {0}; - hash_state hash_state_seeded; - - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_layer_addr( - top_tree_addr, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_D - 1); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_type( - top_tree_addr, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_TYPE_HASHTREE); - - /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */ - memcpy(sk, seed, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_CRYPTO_SEEDBYTES); - - memcpy(pk, sk + 2 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_initialize_hash_function(&hash_state_seeded, pk, sk); - - /* Compute root node of the top-most subtree. 
*/ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_treehash_TREE_HEIGHT( - sk + 3 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, auth_path, sk, sk + 2 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, 0, 0, - wots_gen_leaf, top_tree_addr, &hash_state_seeded); - - memcpy(pk + PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, sk + 3 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N); - - return 0; -} - -/* - * Generates an SPX key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk) { - - // guarantee alignment of pk - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_CRYPTO_PUBLICKEYBYTES / 16]; - uint8_t pk[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - - // guarantee alignment of sk - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_CRYPTO_SECRETKEYBYTES / 16]; - uint8_t sk[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_CRYPTO_SECRETKEYBYTES]; - } aligned_sk; - - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_CRYPTO_SEEDBYTES / 16]; - uint8_t seed[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_CRYPTO_SEEDBYTES]; - } aligned_seed; - randombytes(aligned_seed.seed, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_CRYPTO_SEEDBYTES); - - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_crypto_sign_seed_keypair( - aligned_pk.pk, aligned_sk.sk, aligned_seed.seed); - memcpy(pk, aligned_pk.pk, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_CRYPTO_PUBLICKEYBYTES); - memcpy(sk, aligned_sk.sk, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_CRYPTO_SECRETKEYBYTES); - - return 0; -} - -/** - * Returns an array containing a detached signature. 
- */ -int PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - // guarantee alignment of sk - union { - __m128 *_x; - uint8_t sk[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_CRYPTO_SECRETKEYBYTES]; - } aligned_sk; - memcpy(aligned_sk.sk, sk, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_CRYPTO_SECRETKEYBYTES); - sk = aligned_sk.sk; - - // guarantee alignment of sig - union { - __m128 *_x; - uint8_t sig[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_BYTES]; - } aligned_sig; - uint8_t *orig_sig = sig; - sig = (uint8_t *)aligned_sig.sig; - - const unsigned char *sk_seed = sk; - const unsigned char *sk_prf = sk + PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N; - const unsigned char *pk = sk + 2 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N; - const unsigned char *pub_seed = pk; - - unsigned char optrand[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N]; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_MSG_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N]; - uint32_t i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - - hash_state hash_state_seeded; - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_initialize_hash_function( - &hash_state_seeded, - pub_seed, sk_seed); - - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_TYPE_HASHTREE); - - /* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. 
*/ - randombytes(optrand, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N); - /* Compute the digest randomization value. */ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_gen_message_random( - sig, sk_prf, optrand, m, mlen, &hash_state_seeded); - - /* Derive the message digest and leaf index from R, PK and M. */ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N; - - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - /* Sign the message hash using FORS. */ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_fors_sign( - sig, root, mhash, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_BYTES; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_D; i++) { - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - /* Compute a WOTS signature. */ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_wots_sign( - sig, root, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_BYTES; - - /* Compute the authentication path for the used WOTS leaf. */ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_treehash_TREE_HEIGHT( - root, sig, sk_seed, pub_seed, idx_leaf, 0, - wots_gen_leaf, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N; - - /* Update the indices for the next layer. 
*/ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_TREE_HEIGHT; - } - - memcpy(orig_sig, aligned_sig.sig, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_BYTES); - *siglen = PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_BYTES; - - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - // guarantee alignment of pk - union { - __m128 *_x; - uint8_t pk[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - memcpy(aligned_pk.pk, pk, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_CRYPTO_PUBLICKEYBYTES); - pk = aligned_pk.pk; - - const unsigned char *pub_seed = pk; - const unsigned char *pub_root = pk + PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_MSG_BYTES]; - unsigned char wots_pk[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N]; - unsigned int i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - hash_state hash_state_seeded; - - if (siglen != PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_BYTES) { - return -1; - } - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_initialize_hash_function( - &hash_state_seeded, - pub_seed, NULL); - - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_TYPE_HASHTREE); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_TYPE_WOTSPK); - - /* Derive the message digest and leaf index from R || PK || M. */ - /* The additional PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N is a result of the hash domain separator. */ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N; - - /* Layer correctly defaults to 0, so no need to set_layer_addr */ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_fors_pk_from_sig( - root, sig, mhash, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_BYTES; - - /* For each subtree.. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_D; i++) { - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_copy_keypair_addr( - wots_pk_addr, wots_addr); - - /* The WOTS public key is only correct if the signature was correct. */ - /* Initially, root is the FORS pk, but on subsequent iterations it is - the root of the subtree below the currently processed subtree. 
*/ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_wots_pk_from_sig( - wots_pk, sig, root, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_BYTES; - - /* Compute the leaf node using the WOTS public key. */ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_thash_WOTS_LEN( - leaf, wots_pk, pub_seed, wots_pk_addr, &hash_state_seeded); - - /* Compute the root node of this subtree. */ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_compute_root( - root, leaf, idx_leaf, 0, sig, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_TREE_HEIGHT, - pub_seed, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_TREE_HEIGHT; - } - - /* Check if the root node equals the root node in the public key. */ - if (memcmp(root, pub_root, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N) != 0) { - return -1; - } - - return 0; -} - - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - size_t siglen; - - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_crypto_sign_signature( - sm, &siglen, m, mlen, sk); - - memmove(sm + PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_BYTES, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. 
- */ -int PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk) { - - // guarantee alignment of pk - union { - __m128 *_x; - uint8_t pk[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - memcpy(aligned_pk.pk, pk, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_CRYPTO_PUBLICKEYBYTES); - pk = aligned_pk.pk; - - - /* The API caller does not necessarily know what size a signature should be - but SPHINCS+ signatures are always exactly PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_BYTES. */ - if (smlen < PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_BYTES) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_BYTES; - - if (PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_crypto_sign_verify( - sm, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_BYTES, sm + PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_BYTES, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_BYTES, *mlen); - - return 0; -} diff --git a/crypto_sign/sphincs-haraka-256f-robust/aesni/thash.h b/crypto_sign/sphincs-haraka-256f-robust/aesni/thash.h deleted file mode 100644 index 739d8da2..00000000 --- a/crypto_sign/sphincs-haraka-256f-robust/aesni/thash.h +++ /dev/null 
@@ -1,28 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_THASH_H
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_THASH_H
-
-#include "hash_state.h"
-
-#include
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_thash_1(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_thash_2(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_thash_WOTS_LEN(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_thash_FORS_TREES(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-robust/aesni/thash_haraka_robust.c b/crypto_sign/sphincs-haraka-256f-robust/aesni/thash_haraka_robust.c
deleted file mode 100644
index 07bf0bf2..00000000
--- a/crypto_sign/sphincs-haraka-256f-robust/aesni/thash_haraka_robust.c
+++ /dev/null
@@ -1,94 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "hash_state.h"
-#include "params.h"
-#include "thash.h"
-
-#include "haraka.h"
-
-/**
- * Takes an array of inblocks concatenated arrays of PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N bytes.
- */
-static void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_thash(
- unsigned char *out, unsigned char *buf,
- const unsigned char *in, unsigned int inblocks,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned char *bitmask = buf + PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES;
- unsigned char outbuf[32];
- unsigned char buf_tmp[64];
- unsigned int i;
-
- (void)pub_seed; /* Suppress an 'unused parameter' warning. */
-
- if (inblocks == 1) {
- /* F function */
- /* Since PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N may be smaller than 32, we need a temporary buffer. */
- memset(buf_tmp, 0, 64);
- PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_addr_to_bytes(buf_tmp, addr);
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka256(outbuf, buf_tmp, hash_state_seeded);
- for (i = 0; i < inblocks * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N; i++) {
- buf_tmp[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES + i] = in[i] ^ outbuf[i];
- }
- PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka512(outbuf, buf_tmp, hash_state_seeded);
- memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N);
- } else {
- /* All other tweakable hashes*/
- PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_addr_to_bytes(buf, addr);
- PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_S(
- bitmask, inblocks * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, buf, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES, hash_state_seeded);
-
- for (i = 0; i < inblocks * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N; i++) {
- buf[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES + i] = in[i] ^ bitmask[i];
- }
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_S(
- out, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, buf,
PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES + inblocks * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, hash_state_seeded);
- }
-}
-
-/* The wrappers below ensure that we use fixed-size buffers on the stack */
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_thash_1(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES + 1 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N];
- PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_thash(
- out, buf, in, 1, pub_seed, addr, hash_state_seeded);
-}
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_thash_2(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES + 2 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N];
- PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_thash(
- out, buf, in, 2, pub_seed, addr, hash_state_seeded);
-}
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_thash_WOTS_LEN(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_LEN * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N];
- PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_thash(
- out, buf, in, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_LEN, pub_seed, addr, hash_state_seeded);
-}
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_thash_FORS_TREES(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N];
- PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_thash(
- out, buf, in,
PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_TREES, pub_seed, addr, hash_state_seeded);
-}
diff --git a/crypto_sign/sphincs-haraka-256f-robust/aesni/thash_haraka_robustx4.c b/crypto_sign/sphincs-haraka-256f-robust/aesni/thash_haraka_robustx4.c
deleted file mode 100644
index fc3ee767..00000000
--- a/crypto_sign/sphincs-haraka-256f-robust/aesni/thash_haraka_robustx4.c
+++ /dev/null
@@ -1,92 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "params.h" -#include "thashx4.h" - -/** - * 4-way parallel version of thash; takes 4x as much input and output - */ -#define thashx4_variant(name, inblocks) \ - void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_thashx4_##name(unsigned char *out0, unsigned char *out1, unsigned char *out2, \ - unsigned char *out3, const unsigned char *in0, \ - const unsigned char *in1, const unsigned char *in2, \ - const unsigned char *in3, const unsigned char *pub_seed, \ - uint32_t addrx4[4 * 8], const harakactx *state) { \ - unsigned char buf0[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N]; \ - unsigned char buf1[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N]; \ - unsigned char buf2[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N]; \ - unsigned char buf3[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N]; \ - unsigned char bitmask0[(inblocks)*PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N]; \ - unsigned char bitmask1[(inblocks)*PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N]; \ - unsigned char bitmask2[(inblocks)*PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N]; \ - unsigned char bitmask3[(inblocks)*PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N]; \ - unsigned char outbuf[32 * 4]; \ - unsigned char buf_tmp[64 * 4]; \ - unsigned int i; \ - \ - (void)pub_seed; /* Suppress an 'unused parameter' warning. 
*/ \ - \ - if ((inblocks) == 1) { \ - memset(buf_tmp, 0, 64 * 4); \ - \ - /* Generate masks first in buffer */ \ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_addr_to_bytes(buf_tmp, addrx4 + 0 * 8); \ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_addr_to_bytes(buf_tmp + 32, addrx4 + 1 * 8); \ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_addr_to_bytes(buf_tmp + 64, addrx4 + 2 * 8); \ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_addr_to_bytes(buf_tmp + 96, addrx4 + 3 * 8); \ - \ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka256x4(outbuf, buf_tmp, state); \ - \ - /* move addresses to make room for inputs; zero old values */ \ - memcpy(buf_tmp + 192, buf_tmp + 96, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES); \ - memcpy(buf_tmp + 128, buf_tmp + 64, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES); \ - memcpy(buf_tmp + 64, buf_tmp + 32, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES); \ - /* skip memcpy(buf_tmp, buf_tmp, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES); already in place */ \ - \ - /* skip memset(buf_tmp, 0, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES); remained untouched */ \ - memset(buf_tmp + 32, 0, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES); \ - /* skip memset(buf_tmp + 64, 0, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES); contains addr1 */ \ - memset(buf_tmp + 96, 0, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES); \ - \ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N; i++) { \ - buf_tmp[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES + i] = in0[i] ^ outbuf[i]; \ - buf_tmp[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES + i + 64] = in1[i] ^ outbuf[i + 32]; \ - buf_tmp[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES + i + 128] = in2[i] ^ outbuf[i + 64]; \ - buf_tmp[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES + i + 192] = in3[i] ^ outbuf[i + 96]; \ - } \ - \ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka512x4(outbuf, buf_tmp, state); \ - \ - memcpy(out0, outbuf, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N); \ - memcpy(out1, outbuf + 
32, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N); \ - memcpy(out2, outbuf + 64, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N); \ - memcpy(out3, outbuf + 96, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N); \ - } else { \ - /* All other tweakable hashes*/ \ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_addr_to_bytes(buf0, addrx4 + 0 * 8); \ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_addr_to_bytes(buf1, addrx4 + 1 * 8); \ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_addr_to_bytes(buf2, addrx4 + 2 * 8); \ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_addr_to_bytes(buf3, addrx4 + 3 * 8); \ - \ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_Sx4(bitmask0, bitmask1, bitmask2, bitmask3, (inblocks)*PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, buf0, buf1, \ - buf2, buf3, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES, state); \ - \ - for (i = 0; i < (inblocks)*PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N; i++) { \ - buf0[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES + i] = in0[i] ^ bitmask0[i]; \ - buf1[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES + i] = in1[i] ^ bitmask1[i]; \ - buf2[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES + i] = in2[i] ^ bitmask2[i]; \ - buf3[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES + i] = in3[i] ^ bitmask3[i]; \ - } \ - \ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_haraka_Sx4(out0, out1, out2, out3, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, buf0, buf1, buf2, buf3, \ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, state); \ - } \ - } - -thashx4_variant(1, 1) -thashx4_variant(2, 2) -thashx4_variant(WOTS_LEN, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_LEN) -thashx4_variant(FORS_TREES, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_TREES) diff --git a/crypto_sign/sphincs-haraka-256f-robust/aesni/thashx4.h b/crypto_sign/sphincs-haraka-256f-robust/aesni/thashx4.h deleted file mode 100644 index 8b0a0592..00000000 --- a/crypto_sign/sphincs-haraka-256f-robust/aesni/thashx4.h +++ /dev/null 
@@ -1,25 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_THASHX4_H
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_THASHX4_H
-
-#include
-
-#include "hash_state.h"
-
-#define thashx4_header(inblocks) \
- void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_thashx4_##inblocks(unsigned char *out0, \
- unsigned char *out1, \
- unsigned char *out2, \
- unsigned char *out3, \
- const unsigned char *in0, \
- const unsigned char *in1, \
- const unsigned char *in2, \
- const unsigned char *in3, \
- const unsigned char *pub_seed, uint32_t addrx4[4*8], \
- const hash_state *state_seeded)
-
-thashx4_header(1);
-thashx4_header(2);
-thashx4_header(WOTS_LEN);
-thashx4_header(FORS_TREES);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-robust/aesni/utils.c b/crypto_sign/sphincs-haraka-256f-robust/aesni/utils.c
deleted file mode 100644
index eef5014f..00000000
--- a/crypto_sign/sphincs-haraka-256f-robust/aesni/utils.c
+++ /dev/null
@@ -1,199 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" -#include "utils.h" - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in) { - - /* Iterate over out in decreasing order, for big-endianness. */ - for (size_t i = outlen; i > 0; i--) { - out[i - 1] = in & 0xff; - in = in >> 8; - } -} - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_bytes_to_ull( - const unsigned char *in, size_t inlen) { - unsigned long long retval = 0; - - for (size_t i = 0; i < inlen; i++) { - retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i)); - } - return retval; -} - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - unsigned char buffer[2 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N]; - - /* If leaf_idx is odd (last bit = 1), current path element is a right child - and auth_path has to go left. Otherwise it is the other way around. 
*/ - if (leaf_idx & 1) { - memcpy(buffer + PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, leaf, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N); - } else { - memcpy(buffer, leaf, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, auth_path, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N; - - for (i = 0; i < tree_height - 1; i++) { - leaf_idx >>= 1; - idx_offset >>= 1; - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_tree_height(addr, i + 1); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_tree_index( - addr, leaf_idx + idx_offset); - - /* Pick the right or left neighbor, depending on parity of the node. */ - if (leaf_idx & 1) { - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_thash_2( - buffer + PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N); - } else { - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_thash_2( - buffer, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, auth_path, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N; - } - - /* The last iteration is exceptional; we do not copy an auth_path node. */ - leaf_idx >>= 1; - idx_offset >>= 1; - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_tree_height(addr, tree_height); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_tree_index( - addr, leaf_idx + idx_offset); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_thash_2( - root, buffer, pub_seed, addr, hash_state_seeded); -} - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. 
PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -static void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_treehash( - unsigned char *root, unsigned char *auth_path, - unsigned char *stack, unsigned int *heights, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - - unsigned int offset = 0; - uint32_t idx; - uint32_t tree_idx; - - for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) { - /* Add the next leaf node to the stack. */ - gen_leaf(stack + offset * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, - sk_seed, pub_seed, idx + idx_offset, tree_addr, - hash_state_seeded); - offset++; - heights[offset - 1] = 0; - - /* If this is a node we need for the auth path.. */ - if ((leaf_idx ^ 0x1) == idx) { - memcpy(auth_path, stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N); - } - - /* While the top-most nodes are of equal height.. */ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { - /* Compute index of the new node, in the next layer. */ - tree_idx = (idx >> (heights[offset - 1] + 1)); - - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_tree_height( - tree_addr, heights[offset - 1] + 1); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_tree_index( - tree_addr, tree_idx + (idx_offset >> (heights[offset - 1] + 1))); - /* Hash the top-most nodes from the stack together. 
*/ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_thash_2( - stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, - pub_seed, tree_addr, hash_state_seeded); - offset--; - /* Note that the top-most node is now one layer higher. */ - heights[offset - 1]++; - - /* If this is a node we need for the auth path.. */ - if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) { - memcpy(auth_path + heights[offset - 1]*PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, - stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N); - } - } - } - memcpy(root, stack, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N); -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* 
leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_TREE_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_TREE_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_TREE_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-256f-robust/aesni/utils.h b/crypto_sign/sphincs-haraka-256f-robust/aesni/utils.h deleted file mode 100644 index c7bec527..00000000 --- a/crypto_sign/sphincs-haraka-256f-robust/aesni/utils.h +++ /dev/null 
@@ -1,64 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_UTILS_H
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_UTILS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-#include
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ull_to_bytes(
- unsigned char *out, size_t outlen, unsigned long long in);
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-unsigned long long PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_bytes_to_ull(
- const unsigned char *in, size_t inlen);
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_compute_root(
- unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_treehash_FORS_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_treehash_TREE_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-robust/aesni/utilsx4.c b/crypto_sign/sphincs-haraka-256f-robust/aesni/utilsx4.c
deleted file mode 100644
index 966a19cf..00000000
--- a/crypto_sign/sphincs-haraka-256f-robust/aesni/utilsx4.c
+++ /dev/null
@@ -1,98 +0,0 @@ -#include "address.h" -#include "params.h" -#include "thashx4.h" -#include "utils.h" -#include "utilsx4.h" - -#include - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -#define treehashx4_variant(name, tree_height) \ - void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_treehashx4_##name( \ - unsigned char *rootx4, unsigned char *auth_pathx4, const unsigned char *sk_seed, \ - const unsigned char *pub_seed, const uint32_t leaf_idx[4], uint32_t idx_offset[4], \ - void (*gen_leafx4)(unsigned char * /* leaf0 */, unsigned char * /* leaf1 */, \ - unsigned char * /* leaf2 */, unsigned char * /* leaf3 */, \ - const unsigned char * /* sk_seed */, \ - const unsigned char * /* pub_seed */, uint32_t /* addr_idx0 */, \ - uint32_t /* addr_idx1 */, uint32_t /* addr_idx2 */, \ - uint32_t /* addr_idx3 */, const uint32_t[8] /* tree_addr */, \ - const hash_state * /* state_seeded */), \ - uint32_t tree_addrx4[4 * 8], const hash_state *state_seeded) { \ - unsigned char stackx4[4 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N]; \ - unsigned int heights[(tree_height) + 1]; \ - unsigned int offset = 0; \ - uint32_t idx; \ - uint32_t tree_idx; \ - unsigned int j; \ - \ - for (idx = 0; idx < (uint32_t)(1 << (tree_height)); idx++) { \ - /* Add the next leaf node to the stack. 
*/ \ - gen_leafx4(stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, sk_seed, \ - pub_seed, idx + idx_offset[0], idx + idx_offset[1], idx + idx_offset[2], \ - idx + idx_offset[3], tree_addrx4, state_seeded); \ - offset++; \ - heights[offset - 1] = 0; \ - \ - /* If this is a node we need for the auth path.. */ \ - for (j = 0; j < 4; j++) { \ - if ((leaf_idx[j] ^ 0x1) == idx) { \ - memcpy(auth_pathx4 + j * (tree_height)*PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, \ - stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N + (offset - 1) * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, \ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N); \ - } \ - } \ - \ - /* While the top-most nodes are of equal height.. */ \ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { \ - /* Compute index of the new node, in the next layer. */ \ - tree_idx = (idx >> (heights[offset - 1] + 1)); \ - \ - /* Set the address of the node we're creating. */ \ - for (j = 0; j < 4; j++) { \ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_tree_height(tree_addrx4 + j * 8, heights[offset - 1] + 1); \ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_tree_index(tree_addrx4 + j * 8, \ - tree_idx + (idx_offset[j] >> (heights[offset - 1] + 1))); \ - } \ - /* Hash the top-most nodes from the stack together. 
*/ \ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_thashx4_2(stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, \ - stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, \ - pub_seed, tree_addrx4, state_seeded); \ - offset--; \ - /* Note that the top-most node is now one layer higher. */ \ - heights[offset - 1]++; \ - \ - /* If this is a node we need for the auth path.. 
*/ \ - for (j = 0; j < 4; j++) { \ - if (((leaf_idx[j] >> heights[offset - 1]) ^ 0x1) == tree_idx) { \ - memcpy(auth_pathx4 + j * (tree_height)*PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N + \ - heights[offset - 1] * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, \ - stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N + (offset - 1) * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, \ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N); \ - } \ - } \ - } \ - } \ - \ - for (j = 0; j < 4; j++) { \ - memcpy(rootx4 + j * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N); \ - } \ - } - -treehashx4_variant(FORS_HEIGHT, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_FORS_HEIGHT) diff --git a/crypto_sign/sphincs-haraka-256f-robust/aesni/utilsx4.h b/crypto_sign/sphincs-haraka-256f-robust/aesni/utilsx4.h deleted file mode 100644 index fd8340d7..00000000 --- a/crypto_sign/sphincs-haraka-256f-robust/aesni/utilsx4.h +++ /dev/null 
@@ -1,38 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_UTILSX4_H
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_UTILSX4_H
-
-#include "hash_state.h"
-#include "params.h"
-
-#include
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_treehashx4_FORS_HEIGHT(unsigned char *rootx4,
- unsigned char *auth_pathx4,
- const unsigned char *sk_seed,
- const unsigned char *pub_seed,
- const uint32_t leaf_idx[4],
- uint32_t idx_offset[4],
- void (*gen_leafx4)(unsigned char * /* leaf0 */,
- unsigned char * /* leaf1 */,
- unsigned char * /* leaf2 */,
- unsigned char * /* leaf3 */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx0 */,
- uint32_t /* addr_idx1 */,
- uint32_t /* addr_idx2 */,
- uint32_t /* addr_idx3 */,
- const uint32_t[8] /* tree_addr */,
- const hash_state * /* state_seeded */),
- uint32_t tree_addrx4[4 * 8],
- const hash_state *state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-robust/aesni/wots.c b/crypto_sign/sphincs-haraka-256f-robust/aesni/wots.c
deleted file mode 100644
index 3573fe25..00000000
--- a/crypto_sign/sphincs-haraka-256f-robust/aesni/wots.c
+++ /dev/null
@@ -1,240 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "hashx4.h" -#include "params.h" -#include "thash.h" -#include "thashx4.h" -#include "utils.h" -#include "wots.h" - -// TODO clarify address expectations, and make them more uniform. -// TODO i.e. do we expect types to be set already? -// TODO and do we expect modifications or copies? - -/** - * Computes the starting value for a chain, i.e. the secret key. - * Expects the address to be complete up to the chain address. - */ -static void wots_gen_sk(unsigned char *sk, const unsigned char *sk_seed, - uint32_t wots_addr[8], const hash_state *state_seeded) { - /* Make sure that the hash address is actually zeroed. */ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_hash_addr(wots_addr, 0); - - /* Generate sk element. */ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_prf_addr(sk, sk_seed, wots_addr, state_seeded); -} - -/** - * 4-way parallel version of wots_gen_sk; expects 4x as much space in sk - */ -static void wots_gen_skx4(unsigned char *skx4, const unsigned char *sk_seed, - uint32_t wots_addrx4[4 * 8], const hash_state *state_seeded) { - unsigned int j; - - /* Make sure that the hash address is actually zeroed. */ - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_hash_addr(wots_addrx4 + j * 8, 0); - } - - /* Generate sk element. */ - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_prf_addrx4(skx4 + 0 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, - skx4 + 1 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, - skx4 + 2 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, - skx4 + 3 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, - sk_seed, wots_addrx4, - state_seeded); -} - -/** - * Computes the chaining function. - * out and in have to be n-byte arrays. - * - * Interprets in as start-th value of the chain. - * addr has to contain the address of the chain. 
- */ -static void gen_chain(unsigned char *out, const unsigned char *in, - unsigned int start, unsigned int steps, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - uint32_t i; - - /* Initialize out with the value at position 'start'. */ - memcpy(out, in, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N); - - /* Iterate 'steps' calls to the hash function. */ - for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_W; i++) { - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_hash_addr(addr, i); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_thash_1(out, out, pub_seed, addr, state_seeded); - } -} - -/** - * 4-way parallel version of gen_chain; expects 4x as much space in out, and - * 4x as much space in inx4. Assumes start and step identical across chains. - */ -static void gen_chainx4(unsigned char *outx4, const unsigned char *inx4, - unsigned int start, unsigned int steps, - const unsigned char *pub_seed, uint32_t addrx4[4 * 8], - const hash_state *state_seeded) { - uint32_t i; - unsigned int j; - - /* Initialize outx4 with the value at position 'start'. */ - memcpy(outx4, inx4, 4 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N); - - /* Iterate 'steps' calls to the hash function. 
*/ - for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_W; i++) { - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_hash_addr(addrx4 + j * 8, i); - } - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_thashx4_1(outx4 + 0 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, - outx4 + 1 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, - outx4 + 2 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, - outx4 + 3 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, - outx4 + 0 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, - outx4 + 1 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, - outx4 + 2 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, - outx4 + 3 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, - pub_seed, addrx4, - state_seeded); - } -} - -/** - * base_w algorithm as described in draft. - * Interprets an array of bytes as integers in base w. - * This only works when log_w is a divisor of 8. - */ -static void base_w(unsigned int *output, const int out_len, const unsigned char *input) { - int in = 0; - int out = 0; - unsigned char total = 0; - int bits = 0; - int consumed; - - for (consumed = 0; consumed < out_len; consumed++) { - if (bits == 0) { - total = input[in]; - in++; - bits += 8; - } - bits -= PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_LOGW; - output[out] = (unsigned int)(total >> bits) & (PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_W - 1); - out++; - } -} - -/* Computes the WOTS+ checksum over a message (in base_w). */ -static void wots_checksum(unsigned int *csum_base_w, const unsigned int *msg_base_w) { - unsigned int csum = 0; - unsigned char csum_bytes[(PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_LOGW + 7) / 8]; - unsigned int i; - - /* Compute checksum. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_LEN1; i++) { - csum += PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_W - 1 - msg_base_w[i]; - } - - /* Convert checksum to base_w. 
*/ - /* Make sure expected empty zero bits are the least significant bits. */ - csum = csum << (8 - ((PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_LOGW) % 8)); - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_ull_to_bytes(csum_bytes, sizeof(csum_bytes), csum); - base_w(csum_base_w, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_LEN2, csum_bytes); -} - -/* Takes a message and derives the matching chain lengths. */ -static void chain_lengths(unsigned int *lengths, const unsigned char *msg) { - base_w(lengths, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_LEN1, msg); - wots_checksum(lengths + PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_LEN1, lengths); -} - -/** - * WOTS key generation. Takes a 32 byte sk_seed, expands it to WOTS private key - * elements and computes the corresponding public key. - * It requires the seed pub_seed (used to generate bitmasks and hash keys) - * and the address of this WOTS key pair. - * - * Writes the computed public key to 'pk'. - */ -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_wots_gen_pk(unsigned char *pk, const unsigned char *sk_seed, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - uint32_t i; - unsigned int j; - - uint32_t addrx4[4 * 8]; - unsigned char pkbuf[4 * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N]; - - for (j = 0; j < 4; j++) { - memcpy(addrx4 + j * 8, addr, sizeof(uint32_t) * 8); - } - - /* The last iteration typically does not have complete set of 4 chains, - but because we use pkbuf, this is not an issue -- we still do as many - in parallel as possible. 
*/ - for (i = 0; i < ((PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_LEN + 3) & ~0x3); i += 4) { - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_chain_addr(addrx4 + j * 8, i + j); - } - wots_gen_skx4(pkbuf, sk_seed, addrx4, state_seeded); - gen_chainx4(pkbuf, pkbuf, 0, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_W - 1, pub_seed, addrx4, state_seeded); - for (j = 0; j < 4; j++) { - if (i + j < PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_LEN) { - memcpy(pk + (i + j)*PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, pkbuf + j * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N); - } - } - } - - // Get rid of unused argument variable. - (void)state_seeded; -} - -/** - * Takes a n-byte message and the 32-byte sk_see to compute a signature 'sig'. - */ -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_wots_sign(unsigned char *sig, const unsigned char *msg, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t addr[8], const hash_state *state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_chain_addr(addr, i); - wots_gen_sk(sig + i * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, sk_seed, addr, state_seeded); - gen_chain(sig + i * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, sig + i * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, 0, lengths[i], pub_seed, addr, state_seeded); - } - - // avoid unused argument - (void)state_seeded; -} - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. 
- */ -void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_wots_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_set_chain_addr(addr, i); - gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, sig + i * PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_N, - lengths[i], PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_W - 1 - lengths[i], pub_seed, addr, - state_seeded); - } - - // avoid unused argument - (void)state_seeded; -} diff --git a/crypto_sign/sphincs-haraka-256f-robust/aesni/wots.h b/crypto_sign/sphincs-haraka-256f-robust/aesni/wots.h deleted file mode 100644 index d84a4725..00000000 --- a/crypto_sign/sphincs-haraka-256f-robust/aesni/wots.h +++ /dev/null 
@@ -1,41 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_H
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_WOTS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-
-/**
- * WOTS key generation. Takes a 32 byte seed for the private key, expands it to
- * a full WOTS private key and computes the corresponding public key.
- * It requires the seed pub_seed (used to generate bitmasks and hash keys)
- * and the address of this WOTS key pair.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_wots_gen_pk(
- unsigned char *pk, const unsigned char *sk_seed,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * Takes a n-byte message and the 32-byte seed for the private key to compute a
- * signature that is placed at 'sig'.
- */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_wots_sign(
- unsigned char *sig, const unsigned char *msg,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_AESNI_wots_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-robust/clean/LICENSE b/crypto_sign/sphincs-haraka-256f-robust/clean/LICENSE
deleted file mode 100644
index 670154e3..00000000
--- a/crypto_sign/sphincs-haraka-256f-robust/clean/LICENSE
+++ /dev/null
@@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. 
publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. 
Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. 
Affirmer offers the Work as-is and makes no representations or warranties - of any kind concerning the Work, express, implied, statutory or otherwise, - including without limitation warranties of title, merchantability, fitness - for a particular purpose, non infringement, or the absence of latent or - other defects, accuracy, or the present or absence of errors, whether or not - discoverable, all to the greatest extent permissible under applicable law. - - c. Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without limitation - any person's Copyright and Related Rights in the Work. Further, Affirmer - disclaims responsibility for obtaining any necessary consents, permissions - or other rights required for any use of the Work. - - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to this - CC0 or use of the Work. - -For more information, please see - diff --git a/crypto_sign/sphincs-haraka-256f-robust/clean/Makefile.Microsoft_nmake b/crypto_sign/sphincs-haraka-256f-robust/clean/Makefile.Microsoft_nmake deleted file mode 100644 index 436fa07c..00000000 --- a/crypto_sign/sphincs-haraka-256f-robust/clean/Makefile.Microsoft_nmake +++ /dev/null @@ -1,19 +0,0 @@ -# This Makefile can be used with Microsoft Visual Studio's nmake using the command: -# nmake /f Makefile.Microsoft_nmake - -LIBRARY=libsphincs-haraka-256f-robust_clean.lib -OBJECTS=address.obj wots.obj utils.obj fors.obj sign.obj hash_haraka.obj thash_haraka_robust.obj haraka.obj - -CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX - -all: $(LIBRARY) - -# Make sure objects are recompiled if headers change. -$(OBJECTS): *.h - -$(LIBRARY): $(OBJECTS) - LIB.EXE /NOLOGO /WX /OUT:$@ $** - -clean: - -DEL $(OBJECTS) - -DEL $(LIBRARY) 
diff --git a/crypto_sign/sphincs-haraka-256f-robust/clean/address.c b/crypto_sign/sphincs-haraka-256f-robust/clean/address.c
deleted file mode 100644
index 11da5bb2..00000000
--- a/crypto_sign/sphincs-haraka-256f-robust/clean/address.c
+++ /dev/null
@@ -1,78 +0,0 @@
-#include
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]) {
- int i;
-
- for (i = 0; i < 8; i++) {
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ull_to_bytes(
- bytes + i * 4, 4, addr[i]);
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_layer_addr(
- uint32_t addr[8], uint32_t layer) {
- addr[0] = layer;
-}
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_tree_addr(
- uint32_t addr[8], uint64_t tree) {
- addr[1] = 0;
- addr[2] = (uint32_t) (tree >> 32);
- addr[3] = (uint32_t) tree;
-}
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_type(
- uint32_t addr[8], uint32_t type) {
- addr[4] = type;
-}
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
-}
-
-/* These functions are used for OTS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair) {
- addr[5] = keypair;
-}
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
- out[5] = in[5];
-}
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_chain_addr(
- uint32_t addr[8], uint32_t chain) {
- addr[6] = chain;
-}
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_hash_addr(
- uint32_t addr[8], uint32_t hash) {
- addr[7] = hash;
-}
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_tree_height(
- uint32_t addr[8], uint32_t tree_height) {
- addr[6] = tree_height;
-}
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_tree_index(
- uint32_t addr[8], uint32_t tree_index) {
- addr[7] = tree_index;
-}
diff --git a/crypto_sign/sphincs-haraka-256f-robust/clean/address.h b/crypto_sign/sphincs-haraka-256f-robust/clean/address.h
deleted file mode 100644
index e1995b06..00000000
--- a/crypto_sign/sphincs-haraka-256f-robust/clean/address.h
+++ /dev/null
@@ -1,50 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDRESS_H
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDRESS_H
-
-#include
-
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_TYPE_WOTS 0
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_TYPE_WOTSPK 1
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_TYPE_HASHTREE 2
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_TYPE_FORSTREE 3
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_TYPE_FORSPK 4
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]);
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_layer_addr(
- uint32_t addr[8], uint32_t layer);
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_tree_addr(
- uint32_t addr[8], uint64_t tree);
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_type(
- uint32_t addr[8], uint32_t type);
-
-/* Copies the layer and tree part of one address into the other */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for WOTS and FORS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair);
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_chain_addr(
- uint32_t addr[8], uint32_t chain);
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_hash_addr(
- uint32_t addr[8], uint32_t hash);
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_tree_height(
- uint32_t addr[8], uint32_t tree_height);
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_tree_index(
- uint32_t addr[8], uint32_t tree_index);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-robust/clean/api.h b/crypto_sign/sphincs-haraka-256f-robust/clean/api.h
deleted file mode 100644
index 1537adea..00000000
--- a/crypto_sign/sphincs-haraka-256f-robust/clean/api.h
+++ /dev/null
@@ -1,81 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_API_H
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_API_H
-
-#include
-#include
-
-
-
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_CRYPTO_ALGNAME "SPHINCS+"
-
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_CRYPTO_SECRETKEYBYTES 128
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_CRYPTO_PUBLICKEYBYTES 64
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_CRYPTO_BYTES 49216
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_CRYPTO_SEEDBYTES 96
-
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_seed_keypair(
- uint8_t *pk, uint8_t *sk, const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_keypair(
- uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-int PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen, const uint8_t *pk);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-robust/clean/fors.c b/crypto_sign/sphincs-haraka-256f-robust/clean/fors.c
deleted file mode 100644
index 7db54ed8..00000000
--- a/crypto_sign/sphincs-haraka-256f-robust/clean/fors.c
+++ /dev/null
@@ -1,161 +0,0 @@
-#include
-#include
-#include
-
-#include "address.h"
-#include "fors.h"
-#include "hash.h"
-#include "hash_state.h"
-#include "thash.h"
-#include "utils.h"
-
-static void fors_gen_sk(unsigned char *sk, const unsigned char *sk_seed,
- uint32_t fors_leaf_addr[8], const hash_state *hash_state_seeded) {
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_prf_addr(
- sk, sk_seed, fors_leaf_addr, hash_state_seeded);
-}
-
-static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk,
- const unsigned char *pub_seed,
- uint32_t fors_leaf_addr[8],
- const hash_state *hash_state_seeded) {
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_thash_1(
- leaf, sk, pub_seed, fors_leaf_addr, hash_state_seeded);
-}
-
-static void fors_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed,
- const unsigned char *pub_seed,
- uint32_t addr_idx, const uint32_t fors_tree_addr[8],
- const hash_state *hash_state_seeded) {
- uint32_t fors_leaf_addr[8] = {0};
-
- /* Only copy the parts that must be kept in fors_leaf_addr. */
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_copy_keypair_addr(
- fors_leaf_addr, fors_tree_addr);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_type(
- fors_leaf_addr, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_TYPE_FORSTREE);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_tree_index(
- fors_leaf_addr, addr_idx);
-
- fors_gen_sk(leaf, sk_seed, fors_leaf_addr, hash_state_seeded);
- fors_sk_to_leaf(leaf, leaf, pub_seed, fors_leaf_addr, hash_state_seeded);
-}
-
-/**
- * Interprets m as PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_HEIGHT-bit unsigned integers.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_TREES bits.
- * Assumes indices has space for PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_TREES integers.
- */
-static void message_to_indices(uint32_t *indices, const unsigned char *m) {
- unsigned int i, j;
- unsigned int offset = 0;
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_TREES; i++) {
- indices[i] = 0;
- for (j = 0; j < PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_HEIGHT; j++) {
- indices[i] ^= (((uint32_t)m[offset >> 3] >> (offset & 0x7)) & 0x1) << j;
- offset++;
- }
- }
-}
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_fors_sign(
- unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- const uint32_t fors_addr[8], const hash_state *hash_state_seeded) {
- uint32_t indices[PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_TREES];
- unsigned char roots[PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N];
- uint32_t fors_tree_addr[8] = {0};
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset;
- unsigned int i;
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_copy_keypair_addr(
- fors_tree_addr, fors_addr);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_copy_keypair_addr(
- fors_pk_addr, fors_addr);
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_type(
- fors_tree_addr, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_TYPE_FORSTREE);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_type(
- fors_pk_addr, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_TREES; i++) {
- idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_HEIGHT);
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_tree_height(
- fors_tree_addr, 0);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_tree_index(
- fors_tree_addr, indices[i] + idx_offset);
-
- /* Include
the secret key part that produces the selected leaf node. */
- fors_gen_sk(sig, sk_seed, fors_tree_addr, hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N;
-
- /* Compute the authentication path for this leaf node. */
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_treehash_FORS_HEIGHT(
- roots + i * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N, sig, sk_seed, pub_seed,
- indices[i], idx_offset, fors_gen_leaf, fors_tree_addr,
- hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_thash_FORS_TREES(
- pk, roots, pub_seed, fors_pk_addr, hash_state_seeded);
-}
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_fors_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const unsigned char *pub_seed, const uint32_t fors_addr[8],
- const hash_state *hash_state_seeded) {
- uint32_t indices[PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_TREES];
- unsigned char roots[PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N];
- unsigned char leaf[PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N];
- uint32_t fors_tree_addr[8] = {0};
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset;
- unsigned int i;
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_copy_keypair_addr(fors_tree_addr, fors_addr);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_copy_keypair_addr(fors_pk_addr, fors_addr);
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_type(fors_tree_addr, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_TYPE_FORSTREE);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_TREES; i++) {
- idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_HEIGHT);
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_tree_height(fors_tree_addr, 0);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_tree_index(fors_tree_addr, indices[i] + idx_offset);
-
- /* Derive the leaf from the included secret key part. */
- fors_sk_to_leaf(leaf, sig, pub_seed, fors_tree_addr, hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N;
-
- /* Derive the corresponding root node of this tree.
*/
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_compute_root(roots + i * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N, leaf, indices[i], idx_offset, sig,
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_HEIGHT, pub_seed, fors_tree_addr, hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, hash_state_seeded);
-}
diff --git a/crypto_sign/sphincs-haraka-256f-robust/clean/fors.h b/crypto_sign/sphincs-haraka-256f-robust/clean/fors.h
deleted file mode 100644
index 02a4e4dc..00000000
--- a/crypto_sign/sphincs-haraka-256f-robust/clean/fors.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_H
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_H
-
-#include
-
-#include "hash_state.h"
-#include "params.h"
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_fors_sign(
- unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- const uint32_t fors_addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_fors_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const unsigned char *pub_seed, const uint32_t fors_addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-robust/clean/haraka.c b/crypto_sign/sphincs-haraka-256f-robust/clean/haraka.c
deleted file mode 100644
index c345e743..00000000
--- a/crypto_sign/sphincs-haraka-256f-robust/clean/haraka.c
+++ /dev/null
@@ -1,963 +0,0 @@
-/*
- * Constant time implementation of the Haraka hash function.
- *
- * The bit-sliced implementation of the AES round functions are
- * based on the AES implementation in BearSSL written
- * by Thomas Pornin
- */
-
-#include
-#include
-#include
-#include
-
-#include "haraka.h"
-
-#define HARAKAS_RATE 32
-
-static const uint64_t haraka512_rc64[10][8] = {
- {0x24cf0ab9086f628b, 0xbdd6eeecc83b8382, 0xd96fb0306cdad0a7, 0xaace082ac8f95f89, 0x449d8e8870d7041f, 0x49bb2f80b2b3e2f8, 0x0569ae98d93bb258, 0x23dc9691e7d6a4b1},
- {0xd8ba10ede0fe5b6e, 0x7ecf7dbe424c7b8e, 0x6ea9949c6df62a31, 0xbf3f3c97ec9c313e, 0x241d03a196a1861e, 0xead3a51116e5a2ea, 0x77d479fcad9574e3, 0x18657a1af894b7a0},
- {0x10671e1a7f595522, 0xd9a00ff675d28c7b, 0x2f1edf0d2b9ba661, 0xb8ff58b8e3de45f9, 0xee29261da9865c02, 0xd1532aa4b50bdf43, 0x8bf858159b231bb1, 0xdf17439d22d4f599},
- {0xdd4b2f0870b918c0, 0x757a81f3b39b1bb6, 0x7a5c556898952e3f, 0x7dd70a16d915d87a, 0x3ae61971982b8301, 0xc3ab319e030412be, 0x17c0033ac094a8cb, 0x5a0630fc1a8dc4ef},
- {0x17708988c1632f73, 0xf92ddae090b44f4f, 0x11ac0285c43aa314, 0x509059941936b8ba, 0xd03e152fa2ce9b69, 0x3fbcbcb63a32998b, 0x6204696d692254f7, 0x915542ed93ec59b4},
- {0xf4ed94aa8879236e, 0xff6cb41cd38e03c0, 0x069b38602368aeab, 0x669495b820f0ddba, 0xf42013b1b8bf9e3d, 0xcf935efe6439734d, 0xbc1dcf42ca29e3f8, 0x7e6d3ed29f78ad67},
- {0xf3b0f6837ffcddaa, 0x3a76faef934ddf41, 0xcec7ae583a9c8e35, 0xe4dd18c68f0260af, 0x2c0e5df1ad398eaa, 0x478df5236ae22e8c, 0xfb944c46fe865f39, 0xaa48f82f028132ba},
- {0x231b9ae2b76aca77, 0x292a76a712db0b40, 0x5850625dc8134491, 0x73137dd469810fb5, 0x8a12a6a202a474fd, 0xd36fd9daa78bdb80, 0xb34c5e733505706f, 0xbaf1cdca818d9d96},
- {0x2e99781335e8c641, 0xbddfe5cce47d560e, 0xf74e9bf32e5e040c, 0x1d7a709d65996be9, 0x670df36a9cf66cdd, 0xd05ef84a176a2875, 0x0f888e828cb1c44e, 0x1a79e9c9727b052c},
- {0x83497348628d84de, 0x2e9387d51f22a754, 0xb000068da2f852d6, 0x378c9e1190fd6fe5, 0x870027c316de7293, 0xe51a9d4462e047bb, 0x90ecf7f8c6251195,
0x655953bfbed90a9c},
-};
-
-static inline uint32_t br_dec32le(const unsigned char *src) {
- return (uint32_t)src[0]
- | ((uint32_t)src[1] << 8)
- | ((uint32_t)src[2] << 16)
- | ((uint32_t)src[3] << 24);
-}
-
-static void br_range_dec32le(uint32_t *v, size_t num, const unsigned char *src) {
- while (num-- > 0) {
- *v ++ = br_dec32le(src);
- src += 4;
- }
-}
-
-static inline void br_enc32le(unsigned char *dst, uint32_t x) {
- dst[0] = (unsigned char)x;
- dst[1] = (unsigned char)(x >> 8);
- dst[2] = (unsigned char)(x >> 16);
- dst[3] = (unsigned char)(x >> 24);
-}
-
-
-static void br_range_enc32le(unsigned char *dst, const uint32_t *v, size_t num) {
- while (num-- > 0) {
- br_enc32le(dst, *v ++);
- dst += 4;
- }
-}
-
-static void br_aes_ct64_bitslice_Sbox(uint64_t *q) {
- /*
- * This S-box implementation is a straightforward translation of
- * the circuit described by Boyar and Peralta in "A new
- * combinational logic minimization technique with applications
- * to cryptology" (https://eprint.iacr.org/2009/191.pdf).
- *
- * Note that variables x* (input) and s* (output) are numbered
- * in "reverse" order (x0 is the high bit, x7 is the low bit).
- */
-
- uint64_t x0, x1, x2, x3, x4, x5, x6, x7;
- uint64_t y1, y2, y3, y4, y5, y6, y7, y8, y9;
- uint64_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19;
- uint64_t y20, y21;
- uint64_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9;
- uint64_t z10, z11, z12, z13, z14, z15, z16, z17;
- uint64_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9;
- uint64_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19;
- uint64_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29;
- uint64_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39;
- uint64_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49;
- uint64_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59;
- uint64_t t60, t61, t62, t63, t64, t65, t66, t67;
- uint64_t s0, s1, s2, s3, s4, s5, s6, s7;
-
- x0 = q[7];
- x1 = q[6];
- x2 = q[5];
- x3 = q[4];
- x4 = q[3];
- x5 = q[2];
- x6 = q[1];
- x7 = q[0];
-
- /*
- * Top linear transformation.
- */
- y14 = x3 ^ x5;
- y13 = x0 ^ x6;
- y9 = x0 ^ x3;
- y8 = x0 ^ x5;
- t0 = x1 ^ x2;
- y1 = t0 ^ x7;
- y4 = y1 ^ x3;
- y12 = y13 ^ y14;
- y2 = y1 ^ x0;
- y5 = y1 ^ x6;
- y3 = y5 ^ y8;
- t1 = x4 ^ y12;
- y15 = t1 ^ x5;
- y20 = t1 ^ x1;
- y6 = y15 ^ x7;
- y10 = y15 ^ t0;
- y11 = y20 ^ y9;
- y7 = x7 ^ y11;
- y17 = y10 ^ y11;
- y19 = y10 ^ y8;
- y16 = t0 ^ y11;
- y21 = y13 ^ y16;
- y18 = x0 ^ y16;
-
- /*
- * Non-linear section.
- */
- t2 = y12 & y15;
- t3 = y3 & y6;
- t4 = t3 ^ t2;
- t5 = y4 & x7;
- t6 = t5 ^ t2;
- t7 = y13 & y16;
- t8 = y5 & y1;
- t9 = t8 ^ t7;
- t10 = y2 & y7;
- t11 = t10 ^ t7;
- t12 = y9 & y11;
- t13 = y14 & y17;
- t14 = t13 ^ t12;
- t15 = y8 & y10;
- t16 = t15 ^ t12;
- t17 = t4 ^ t14;
- t18 = t6 ^ t16;
- t19 = t9 ^ t14;
- t20 = t11 ^ t16;
- t21 = t17 ^ y20;
- t22 = t18 ^ y19;
- t23 = t19 ^ y21;
- t24 = t20 ^ y18;
-
- t25 = t21 ^ t22;
- t26 = t21 & t23;
- t27 = t24 ^ t26;
- t28 = t25 & t27;
- t29 = t28 ^ t22;
- t30 = t23 ^ t24;
- t31 = t22 ^ t26;
- t32 = t31 & t30;
- t33 = t32 ^ t24;
- t34 = t23 ^ t33;
- t35 = t27 ^ t33;
- t36 = t24 & t35;
- t37 = t36 ^ t34;
- t38 = t27 ^ t36;
- t39 = t29 & t38;
- t40 = t25 ^ t39;
-
- t41 = t40 ^ t37;
- t42 = t29 ^ t33;
- t43 = t29 ^ t40;
- t44 = t33 ^ t37;
- t45 = t42 ^ t41;
- z0 = t44 & y15;
- z1 = t37 & y6;
- z2 = t33 & x7;
- z3 = t43 & y16;
- z4 = t40 & y1;
- z5 = t29 & y7;
- z6 = t42 & y11;
- z7 = t45 & y17;
- z8 = t41 & y10;
- z9 = t44 & y12;
- z10 = t37 & y3;
- z11 = t33 & y4;
- z12 = t43 & y13;
- z13 = t40 & y5;
- z14 = t29 & y2;
- z15 = t42 & y9;
- z16 = t45 & y14;
- z17 = t41 & y8;
-
- /*
- * Bottom linear transformation.
- */
- t46 = z15 ^ z16;
- t47 = z10 ^ z11;
- t48 = z5 ^ z13;
- t49 = z9 ^ z10;
- t50 = z2 ^ z12;
- t51 = z2 ^ z5;
- t52 = z7 ^ z8;
- t53 = z0 ^ z3;
- t54 = z6 ^ z7;
- t55 = z16 ^ z17;
- t56 = z12 ^ t48;
- t57 = t50 ^ t53;
- t58 = z4 ^ t46;
- t59 = z3 ^ t54;
- t60 = t46 ^ t57;
- t61 = z14 ^ t57;
- t62 = t52 ^ t58;
- t63 = t49 ^ t58;
- t64 = z4 ^ t59;
- t65 = t61 ^ t62;
- t66 = z1 ^ t63;
- s0 = t59 ^ t63;
- s6 = t56 ^ ~t62;
- s7 = t48 ^ ~t60;
- t67 = t64 ^ t65;
- s3 = t53 ^ t66;
- s4 = t51 ^ t66;
- s5 = t47 ^ t65;
- s1 = t64 ^ ~s3;
- s2 = t55 ^ ~t67;
-
- q[7] = s0;
- q[6] = s1;
- q[5] = s2;
- q[4] = s3;
- q[3] = s4;
- q[2] = s5;
- q[1] = s6;
- q[0] = s7;
-}
-
-static void br_aes_ct_bitslice_Sbox(uint32_t *q) {
- /*
- * This S-box implementation is a straightforward translation of
- * the circuit described by Boyar and Peralta in "A new
- * combinational logic minimization technique with applications
- * to cryptology" (https://eprint.iacr.org/2009/191.pdf).
- *
- * Note that variables x* (input) and s* (output) are numbered
- * in "reverse" order (x0 is the high bit, x7 is the low bit).
- */
-
- uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
- uint32_t y1, y2, y3, y4, y5, y6, y7, y8, y9;
- uint32_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19;
- uint32_t y20, y21;
- uint32_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9;
- uint32_t z10, z11, z12, z13, z14, z15, z16, z17;
- uint32_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9;
- uint32_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19;
- uint32_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29;
- uint32_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39;
- uint32_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49;
- uint32_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59;
- uint32_t t60, t61, t62, t63, t64, t65, t66, t67;
- uint32_t s0, s1, s2, s3, s4, s5, s6, s7;
-
- x0 = q[7];
- x1 = q[6];
- x2 = q[5];
- x3 = q[4];
- x4 = q[3];
- x5 = q[2];
- x6 = q[1];
- x7 = q[0];
-
- /*
- * Top linear transformation.
- */ - y14 = x3 ^ x5; - y13 = x0 ^ x6; - y9 = x0 ^ x3; - y8 = x0 ^ x5; - t0 = x1 ^ x2; - y1 = t0 ^ x7; - y4 = y1 ^ x3; - y12 = y13 ^ y14; - y2 = y1 ^ x0; - y5 = y1 ^ x6; - y3 = y5 ^ y8; - t1 = x4 ^ y12; - y15 = t1 ^ x5; - y20 = t1 ^ x1; - y6 = y15 ^ x7; - y10 = y15 ^ t0; - y11 = y20 ^ y9; - y7 = x7 ^ y11; - y17 = y10 ^ y11; - y19 = y10 ^ y8; - y16 = t0 ^ y11; - y21 = y13 ^ y16; - y18 = x0 ^ y16; - - /* - * Non-linear section. - */ - t2 = y12 & y15; - t3 = y3 & y6; - t4 = t3 ^ t2; - t5 = y4 & x7; - t6 = t5 ^ t2; - t7 = y13 & y16; - t8 = y5 & y1; - t9 = t8 ^ t7; - t10 = y2 & y7; - t11 = t10 ^ t7; - t12 = y9 & y11; - t13 = y14 & y17; - t14 = t13 ^ t12; - t15 = y8 & y10; - t16 = t15 ^ t12; - t17 = t4 ^ t14; - t18 = t6 ^ t16; - t19 = t9 ^ t14; - t20 = t11 ^ t16; - t21 = t17 ^ y20; - t22 = t18 ^ y19; - t23 = t19 ^ y21; - t24 = t20 ^ y18; - - t25 = t21 ^ t22; - t26 = t21 & t23; - t27 = t24 ^ t26; - t28 = t25 & t27; - t29 = t28 ^ t22; - t30 = t23 ^ t24; - t31 = t22 ^ t26; - t32 = t31 & t30; - t33 = t32 ^ t24; - t34 = t23 ^ t33; - t35 = t27 ^ t33; - t36 = t24 & t35; - t37 = t36 ^ t34; - t38 = t27 ^ t36; - t39 = t29 & t38; - t40 = t25 ^ t39; - - t41 = t40 ^ t37; - t42 = t29 ^ t33; - t43 = t29 ^ t40; - t44 = t33 ^ t37; - t45 = t42 ^ t41; - z0 = t44 & y15; - z1 = t37 & y6; - z2 = t33 & x7; - z3 = t43 & y16; - z4 = t40 & y1; - z5 = t29 & y7; - z6 = t42 & y11; - z7 = t45 & y17; - z8 = t41 & y10; - z9 = t44 & y12; - z10 = t37 & y3; - z11 = t33 & y4; - z12 = t43 & y13; - z13 = t40 & y5; - z14 = t29 & y2; - z15 = t42 & y9; - z16 = t45 & y14; - z17 = t41 & y8; - - /* - * Bottom linear transformation. 
- */ - t46 = z15 ^ z16; - t47 = z10 ^ z11; - t48 = z5 ^ z13; - t49 = z9 ^ z10; - t50 = z2 ^ z12; - t51 = z2 ^ z5; - t52 = z7 ^ z8; - t53 = z0 ^ z3; - t54 = z6 ^ z7; - t55 = z16 ^ z17; - t56 = z12 ^ t48; - t57 = t50 ^ t53; - t58 = z4 ^ t46; - t59 = z3 ^ t54; - t60 = t46 ^ t57; - t61 = z14 ^ t57; - t62 = t52 ^ t58; - t63 = t49 ^ t58; - t64 = z4 ^ t59; - t65 = t61 ^ t62; - t66 = z1 ^ t63; - s0 = t59 ^ t63; - s6 = t56 ^ ~t62; - s7 = t48 ^ ~t60; - t67 = t64 ^ t65; - s3 = t53 ^ t66; - s4 = t51 ^ t66; - s5 = t47 ^ t65; - s1 = t64 ^ ~s3; - s2 = t55 ^ ~t67; - - q[7] = s0; - q[6] = s1; - q[5] = s2; - q[4] = s3; - q[3] = s4; - q[2] = s5; - q[1] = s6; - q[0] = s7; -} - -static void br_aes_ct_ortho(uint32_t *q) { -#define SWAPN_32(cl, ch, s, x, y) do { \ - uint32_t a, b; \ - a = (x); \ - b = (y); \ - (x) = (a & (uint32_t)(cl)) | ((b & (uint32_t)(cl)) << (s)); \ - (y) = ((a & (uint32_t)(ch)) >> (s)) | (b & (uint32_t)(ch)); \ - } while (0) - -#define SWAP2_32(x, y) SWAPN_32(0x55555555, 0xAAAAAAAA, 1, x, y) -#define SWAP4_32(x, y) SWAPN_32(0x33333333, 0xCCCCCCCC, 2, x, y) -#define SWAP8_32(x, y) SWAPN_32(0x0F0F0F0F, 0xF0F0F0F0, 4, x, y) - - SWAP2_32(q[0], q[1]); - SWAP2_32(q[2], q[3]); - SWAP2_32(q[4], q[5]); - SWAP2_32(q[6], q[7]); - - SWAP4_32(q[0], q[2]); - SWAP4_32(q[1], q[3]); - SWAP4_32(q[4], q[6]); - SWAP4_32(q[5], q[7]); - - SWAP8_32(q[0], q[4]); - SWAP8_32(q[1], q[5]); - SWAP8_32(q[2], q[6]); - SWAP8_32(q[3], q[7]); -} - -static inline void add_round_key32(uint32_t *q, const uint32_t *sk) { - q[0] ^= sk[0]; - q[1] ^= sk[1]; - q[2] ^= sk[2]; - q[3] ^= sk[3]; - q[4] ^= sk[4]; - q[5] ^= sk[5]; - q[6] ^= sk[6]; - q[7] ^= sk[7]; -} - -static inline void shift_rows32(uint32_t *q) { - int i; - - for (i = 0; i < 8; i++) { - uint32_t x; - - x = q[i]; - q[i] = (x & 0x000000FF) - | ((x & 0x0000FC00) >> 2) | ((x & 0x00000300) << 6) - | ((x & 0x00F00000) >> 4) | ((x & 0x000F0000) << 4) - | ((x & 0xC0000000) >> 6) | ((x & 0x3F000000) << 2); - } -} - -static inline uint32_t 
rotr16(uint32_t x) { - return (x << 16) | (x >> 16); -} - -static inline void mix_columns32(uint32_t *q) { - uint32_t q0, q1, q2, q3, q4, q5, q6, q7; - uint32_t r0, r1, r2, r3, r4, r5, r6, r7; - - q0 = q[0]; - q1 = q[1]; - q2 = q[2]; - q3 = q[3]; - q4 = q[4]; - q5 = q[5]; - q6 = q[6]; - q7 = q[7]; - r0 = (q0 >> 8) | (q0 << 24); - r1 = (q1 >> 8) | (q1 << 24); - r2 = (q2 >> 8) | (q2 << 24); - r3 = (q3 >> 8) | (q3 << 24); - r4 = (q4 >> 8) | (q4 << 24); - r5 = (q5 >> 8) | (q5 << 24); - r6 = (q6 >> 8) | (q6 << 24); - r7 = (q7 >> 8) | (q7 << 24); - - q[0] = q7 ^ r7 ^ r0 ^ rotr16(q0 ^ r0); - q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr16(q1 ^ r1); - q[2] = q1 ^ r1 ^ r2 ^ rotr16(q2 ^ r2); - q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr16(q3 ^ r3); - q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr16(q4 ^ r4); - q[5] = q4 ^ r4 ^ r5 ^ rotr16(q5 ^ r5); - q[6] = q5 ^ r5 ^ r6 ^ rotr16(q6 ^ r6); - q[7] = q6 ^ r6 ^ r7 ^ rotr16(q7 ^ r7); -} - -static void br_aes_ct64_ortho(uint64_t *q) { -#define SWAPN(cl, ch, s, x, y) do { \ - uint64_t a, b; \ - a = (x); \ - b = (y); \ - (x) = (a & (uint64_t)(cl)) | ((b & (uint64_t)(cl)) << (s)); \ - (y) = ((a & (uint64_t)(ch)) >> (s)) | (b & (uint64_t)(ch)); \ - } while (0) - -#define SWAP2(x, y) SWAPN(0x5555555555555555, 0xAAAAAAAAAAAAAAAA, 1, x, y) -#define SWAP4(x, y) SWAPN(0x3333333333333333, 0xCCCCCCCCCCCCCCCC, 2, x, y) -#define SWAP8(x, y) SWAPN(0x0F0F0F0F0F0F0F0F, 0xF0F0F0F0F0F0F0F0, 4, x, y) - - SWAP2(q[0], q[1]); - SWAP2(q[2], q[3]); - SWAP2(q[4], q[5]); - SWAP2(q[6], q[7]); - - SWAP4(q[0], q[2]); - SWAP4(q[1], q[3]); - SWAP4(q[4], q[6]); - SWAP4(q[5], q[7]); - - SWAP8(q[0], q[4]); - SWAP8(q[1], q[5]); - SWAP8(q[2], q[6]); - SWAP8(q[3], q[7]); -} - - -static void br_aes_ct64_interleave_in(uint64_t *q0, uint64_t *q1, const uint32_t *w) { - uint64_t x0, x1, x2, x3; - - x0 = w[0]; - x1 = w[1]; - x2 = w[2]; - x3 = w[3]; - x0 |= (x0 << 16); - x1 |= (x1 << 16); - x2 |= (x2 << 16); - x3 |= (x3 << 16); - x0 &= (uint64_t)0x0000FFFF0000FFFF; - x1 &= 
(uint64_t)0x0000FFFF0000FFFF; - x2 &= (uint64_t)0x0000FFFF0000FFFF; - x3 &= (uint64_t)0x0000FFFF0000FFFF; - x0 |= (x0 << 8); - x1 |= (x1 << 8); - x2 |= (x2 << 8); - x3 |= (x3 << 8); - x0 &= (uint64_t)0x00FF00FF00FF00FF; - x1 &= (uint64_t)0x00FF00FF00FF00FF; - x2 &= (uint64_t)0x00FF00FF00FF00FF; - x3 &= (uint64_t)0x00FF00FF00FF00FF; - *q0 = x0 | (x2 << 8); - *q1 = x1 | (x3 << 8); -} - - -static void br_aes_ct64_interleave_out(uint32_t *w, uint64_t q0, uint64_t q1) { - uint64_t x0, x1, x2, x3; - - x0 = q0 & (uint64_t)0x00FF00FF00FF00FF; - x1 = q1 & (uint64_t)0x00FF00FF00FF00FF; - x2 = (q0 >> 8) & (uint64_t)0x00FF00FF00FF00FF; - x3 = (q1 >> 8) & (uint64_t)0x00FF00FF00FF00FF; - x0 |= (x0 >> 8); - x1 |= (x1 >> 8); - x2 |= (x2 >> 8); - x3 |= (x3 >> 8); - x0 &= (uint64_t)0x0000FFFF0000FFFF; - x1 &= (uint64_t)0x0000FFFF0000FFFF; - x2 &= (uint64_t)0x0000FFFF0000FFFF; - x3 &= (uint64_t)0x0000FFFF0000FFFF; - w[0] = (uint32_t)x0 | (uint32_t)(x0 >> 16); - w[1] = (uint32_t)x1 | (uint32_t)(x1 >> 16); - w[2] = (uint32_t)x2 | (uint32_t)(x2 >> 16); - w[3] = (uint32_t)x3 | (uint32_t)(x3 >> 16); -} - -static inline void add_round_key(uint64_t *q, const uint64_t *sk) { - q[0] ^= sk[0]; - q[1] ^= sk[1]; - q[2] ^= sk[2]; - q[3] ^= sk[3]; - q[4] ^= sk[4]; - q[5] ^= sk[5]; - q[6] ^= sk[6]; - q[7] ^= sk[7]; -} - -static inline void shift_rows(uint64_t *q) { - int i; - - for (i = 0; i < 8; i++) { - uint64_t x; - - x = q[i]; - q[i] = (x & (uint64_t)0x000000000000FFFF) - | ((x & (uint64_t)0x00000000FFF00000) >> 4) - | ((x & (uint64_t)0x00000000000F0000) << 12) - | ((x & (uint64_t)0x0000FF0000000000) >> 8) - | ((x & (uint64_t)0x000000FF00000000) << 8) - | ((x & (uint64_t)0xF000000000000000) >> 12) - | ((x & (uint64_t)0x0FFF000000000000) << 4); - } -} - -static inline uint64_t rotr32(uint64_t x) { - return (x << 32) | (x >> 32); -} - -static inline void mix_columns(uint64_t *q) { - uint64_t q0, q1, q2, q3, q4, q5, q6, q7; - uint64_t r0, r1, r2, r3, r4, r5, r6, r7; - - q0 = q[0]; - q1 = q[1]; - 
q2 = q[2]; - q3 = q[3]; - q4 = q[4]; - q5 = q[5]; - q6 = q[6]; - q7 = q[7]; - r0 = (q0 >> 16) | (q0 << 48); - r1 = (q1 >> 16) | (q1 << 48); - r2 = (q2 >> 16) | (q2 << 48); - r3 = (q3 >> 16) | (q3 << 48); - r4 = (q4 >> 16) | (q4 << 48); - r5 = (q5 >> 16) | (q5 << 48); - r6 = (q6 >> 16) | (q6 << 48); - r7 = (q7 >> 16) | (q7 << 48); - - q[0] = q7 ^ r7 ^ r0 ^ rotr32(q0 ^ r0); - q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr32(q1 ^ r1); - q[2] = q1 ^ r1 ^ r2 ^ rotr32(q2 ^ r2); - q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr32(q3 ^ r3); - q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr32(q4 ^ r4); - q[5] = q4 ^ r4 ^ r5 ^ rotr32(q5 ^ r5); - q[6] = q5 ^ r5 ^ r6 ^ rotr32(q6 ^ r6); - q[7] = q6 ^ r6 ^ r7 ^ rotr32(q7 ^ r7); -} - -static void interleave_constant(uint64_t *out, const unsigned char *in) { - uint32_t tmp_32_constant[16]; - int i; - - br_range_dec32le(tmp_32_constant, 16, in); - for (i = 0; i < 4; i++) { - br_aes_ct64_interleave_in(&out[i], &out[i + 4], tmp_32_constant + (i << 2)); - } - br_aes_ct64_ortho(out); -} - -static void interleave_constant32(uint32_t *out, const unsigned char *in) { - int i; - for (i = 0; i < 4; i++) { - out[2 * i] = br_dec32le(in + 4 * i); - out[2 * i + 1] = br_dec32le(in + 4 * i + 16); - } - br_aes_ct_ortho(out); -} - -void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_tweak_constants( - harakactx *state, - const unsigned char *pk_seed, const unsigned char *sk_seed, - unsigned long long seed_length) { - unsigned char buf[40 * 16]; - int i; - - /* Use the standard constants to generate tweaked ones. 
*/ - memcpy((uint8_t *)state->tweaked512_rc64, (uint8_t *)haraka512_rc64, 40 * 16); - - /* Constants for sk.seed */ - if (sk_seed != NULL) { - PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S( - buf, 40 * 16, sk_seed, seed_length, state); - - /* Interleave constants */ - for (i = 0; i < 10; i++) { - interleave_constant32(state->tweaked256_rc32_sseed[i], buf + 32 * i); - } - } - - /* Constants for pk.seed */ - PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S( - buf, 40 * 16, pk_seed, seed_length, state); - for (i = 0; i < 10; i++) { - interleave_constant32(state->tweaked256_rc32[i], buf + 32 * i); - interleave_constant(state->tweaked512_rc64[i], buf + 64 * i); - } -} - -static void haraka_S_absorb(unsigned char *s, - const unsigned char *m, unsigned long long mlen, - unsigned char p, const harakactx *state) { - unsigned long long i; - unsigned char t[HARAKAS_RATE]; - - while (mlen >= HARAKAS_RATE) { - /* XOR block to state */ - for (i = 0; i < HARAKAS_RATE; ++i) { - s[i] ^= m[i]; - } - PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka512_perm(s, s, state); - mlen -= HARAKAS_RATE; - m += HARAKAS_RATE; - } - - for (i = 0; i < HARAKAS_RATE; ++i) { - t[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t[i] = m[i]; - } - t[i] = p; - t[HARAKAS_RATE - 1] |= 128; - for (i = 0; i < HARAKAS_RATE; ++i) { - s[i] ^= t[i]; - } -} - -static void haraka_S_squeezeblocks(unsigned char *h, unsigned long long nblocks, - unsigned char *s, const harakactx *state) { - while (nblocks > 0) { - PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka512_perm(s, s, state); - memcpy(h, s, HARAKAS_RATE); - h += HARAKAS_RATE; - nblocks--; - } -} - -void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S_inc_init(uint8_t *s_inc) { - size_t i; - - for (i = 0; i < 64; i++) { - s_inc[i] = 0; - } - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state) { - size_t i; - - /* Recall that s_inc[64] is the non-absorbed bytes xored into 
the state */ - while (mlen + s_inc[64] >= HARAKAS_RATE) { - for (i = 0; i < (size_t)(HARAKAS_RATE - s_inc[64]); i++) { - /* Take the i'th byte from message - xor with the s_inc[64] + i'th byte of the state */ - s_inc[s_inc[64] + i] ^= m[i]; - } - mlen -= (size_t)(HARAKAS_RATE - s_inc[64]); - m += HARAKAS_RATE - s_inc[64]; - s_inc[64] = 0; - - PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka512_perm(s_inc, s_inc, state); - } - - for (i = 0; i < mlen; i++) { - s_inc[s_inc[64] + i] ^= m[i]; - } - s_inc[64] = (uint8_t)(mlen + s_inc[64]); -} - -void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S_inc_finalize(uint8_t *s_inc) { - /* After haraka_S_inc_absorb, we are guaranteed that s_inc[64] < HARAKAS_RATE, - so we can always use one more byte for p in the current state. */ - s_inc[s_inc[64]] ^= 0x1F; - s_inc[HARAKAS_RATE - 1] ^= 128; - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state) { - uint8_t i; - - /* First consume any bytes we still have sitting around */ - for (i = 0; i < outlen && i < s_inc[64]; i++) { - /* There are s_inc[64] bytes left, so r - s_inc[64] is the first - available byte. We consume from there, i.e., up to r. 
*/
- out[i] = s_inc[(HARAKAS_RATE - s_inc[64] + i)];
- }
- out += i;
- outlen -= i;
- s_inc[64] = (uint8_t)(s_inc[64] - i);
-
- /* Then squeeze the remaining necessary blocks */
- while (outlen > 0) {
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka512_perm(s_inc, s_inc, state);
-
- for (i = 0; i < outlen && i < HARAKAS_RATE; i++) {
- out[i] = s_inc[i];
- }
- out += i;
- outlen -= i;
- s_inc[64] = (uint8_t)(HARAKAS_RATE - i);
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S(unsigned char *out, unsigned long long outlen, const unsigned char *in, unsigned long long inlen, const harakactx *state) {
- unsigned long long i;
- unsigned char s[64];
- unsigned char d[32];
-
- for (i = 0; i < 64; i++) {
- s[i] = 0;
- }
- haraka_S_absorb(s, in, inlen, 0x1F, state);
-
- haraka_S_squeezeblocks(out, outlen / 32, s, state);
- out += (outlen / 32) * 32;
-
- if (outlen % 32) {
- haraka_S_squeezeblocks(d, 1, s, state);
- for (i = 0; i < outlen % 32; i++) {
- out[i] = d[i];
- }
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state) {
- uint32_t w[16];
- uint64_t q[8], tmp_q;
- unsigned int i, j;
-
- br_range_dec32le(w, 16, in);
- for (i = 0; i < 4; i++) {
- br_aes_ct64_interleave_in(&q[i], &q[i + 4], w + (i << 2));
- }
- br_aes_ct64_ortho(q);
-
- /* AES rounds */
- for (i = 0; i < 5; i++) {
- for (j = 0; j < 2; j++) {
- br_aes_ct64_bitslice_Sbox(q);
- shift_rows(q);
- mix_columns(q);
- add_round_key(q, state->tweaked512_rc64[2 * i + j]);
- }
- /* Mix states */
- for (j = 0; j < 8; j++) {
- tmp_q = q[j];
- q[j] = (tmp_q & 0x0001000100010001) << 5 |
- (tmp_q & 0x0002000200020002) << 12 |
- (tmp_q & 0x0004000400040004) >> 1 |
- (tmp_q & 0x0008000800080008) << 6 |
- (tmp_q & 0x0020002000200020) << 9 |
- (tmp_q & 0x0040004000400040) >> 4 |
- (tmp_q & 0x0080008000800080) << 3 |
- (tmp_q & 0x2100210021002100) >> 5 |
- (tmp_q & 0x0210021002100210) << 2 |
- (tmp_q & 0x0800080008000800) << 4 |
- (tmp_q & 0x1000100010001000) >> 12 |
- (tmp_q & 0x4000400040004000) >> 10 |
- (tmp_q & 0x8400840084008400) >> 3;
- }
- }
-
- br_aes_ct64_ortho(q);
- for (i = 0; i < 4; i ++) {
- br_aes_ct64_interleave_out(w + (i << 2), q[i], q[i + 4]);
- }
- br_range_enc32le(out, w, 16);
-}
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state) {
- int i;
-
- unsigned char buf[64];
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka512_perm(buf, in, state);
- /* Feed-forward */
- for (i = 0; i < 64; i++) {
- buf[i] = buf[i] ^ in[i];
- }
-
- /* Truncated */
- memcpy(out, buf + 8, 8);
- memcpy(out + 8, buf + 24, 8);
- memcpy(out + 16, buf + 32, 8);
- memcpy(out + 24, buf + 48, 8);
-}
-
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state) {
- uint32_t q[8], tmp_q;
- int i, j;
-
- for (i = 0; i < 4; i++) {
- q[2 * i] = br_dec32le(in + 4 * i);
- q[2 * i + 1] = br_dec32le(in + 4 * i + 16);
- }
- br_aes_ct_ortho(q);
-
- /* AES rounds */
- for (i = 0; i < 5; i++) {
- for (j = 0; j < 2; j++) {
- br_aes_ct_bitslice_Sbox(q);
- shift_rows32(q);
- mix_columns32(q);
- add_round_key32(q, state->tweaked256_rc32[2 * i + j]);
- }
-
- /* Mix states */
- for (j = 0; j < 8; j++) {
- tmp_q = q[j];
- q[j] = (tmp_q & 0x81818181) |
- (tmp_q & 0x02020202) << 1 |
- (tmp_q & 0x04040404) << 2 |
- (tmp_q & 0x08080808) << 3 |
- (tmp_q & 0x10101010) >> 3 |
- (tmp_q & 0x20202020) >> 2 |
- (tmp_q & 0x40404040) >> 1;
- }
- }
-
- br_aes_ct_ortho(q);
- for (i = 0; i < 4; i++) {
- br_enc32le(out + 4 * i, q[2 * i]);
- br_enc32le(out + 4 * i + 16, q[2 * i + 1]);
- }
-
- for (i = 0; i < 32; i++) {
- out[i] ^= in[i];
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state) {
- uint32_t q[8], tmp_q;
- int i, j;
-
- for (i = 0; i < 4; i++) {
- q[2 * i] = br_dec32le(in + 4 * i);
- q[2 * i + 1] = br_dec32le(in + 4 * i + 16);
- }
- br_aes_ct_ortho(q);
-
- /* AES rounds */
- for (i = 0; i < 5; i++) {
- for (j = 0; j < 2; j++) {
- br_aes_ct_bitslice_Sbox(q);
- shift_rows32(q);
- mix_columns32(q);
- add_round_key32(q, state->tweaked256_rc32_sseed[2 * i + j]);
- }
-
- /* Mix states */
- for (j = 0; j < 8; j++) {
- tmp_q = q[j];
- q[j] = (tmp_q & 0x81818181) |
- (tmp_q & 0x02020202) << 1 |
- (tmp_q & 0x04040404) << 2 |
- (tmp_q & 0x08080808) << 3 |
- (tmp_q & 0x10101010) >> 3 |
- (tmp_q & 0x20202020) >> 2 |
- (tmp_q & 0x40404040) >> 1;
- }
- }
-
- br_aes_ct_ortho(q);
- for (i = 0; i < 4; i++) {
- br_enc32le(out + 4 * i, q[2 * i]);
- br_enc32le(out + 4 * i + 16, q[2 * i + 1]);
- }
-
- for (i = 0; i < 32; i++) {
- out[i] ^= in[i];
- }
-}
diff --git a/crypto_sign/sphincs-haraka-256f-robust/clean/haraka.h b/crypto_sign/sphincs-haraka-256f-robust/clean/haraka.h
deleted file mode 100644
index c0e64fb7..00000000
--- a/crypto_sign/sphincs-haraka-256f-robust/clean/haraka.h
+++ /dev/null
@@ -1,40 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_HARAKA_H
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_HARAKA_H
-
-#include
-#include
-
-typedef struct {
- uint64_t tweaked512_rc64[10][8];
- uint32_t tweaked256_rc32[10][8];
- uint32_t tweaked256_rc32_sseed[10][8];
-} harakactx;
-
-/* Tweak constants with seed */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length);
-
-/* Haraka Sponge */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S_inc_init(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S_inc_finalize(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S(
- unsigned char *out, unsigned long long outlen,
- const unsigned char *in, unsigned long long inlen, const harakactx *state);
-
-/* Applies the 512-bit Haraka permutation to in. */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-512 */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 using sk.seed constants */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-robust/clean/hash.h b/crypto_sign/sphincs-haraka-256f-robust/clean/hash.h
deleted file mode 100644
index 9cc5cad8..00000000
--- a/crypto_sign/sphincs-haraka-256f-robust/clean/hash.h
+++ /dev/null
@@ -1,31 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_HASH_H
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_HASH_H
-
-#include "hash_state.h"
-
-#include
-#include
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed);
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_destroy_hash_function(hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-robust/clean/hash_haraka.c b/crypto_sign/sphincs-haraka-256f-robust/clean/hash_haraka.c
deleted file mode 100644
index 6033e20f..00000000
--- a/crypto_sign/sphincs-haraka-256f-robust/clean/hash_haraka.c
+++ /dev/null
@@ -1,96 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "hash.h" -#include "params.h" -#include "utils.h" - -void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_initialize_hash_function( - hash_state *hash_state_seeded, - const unsigned char *pub_seed, const unsigned char *sk_seed) { - PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_tweak_constants(hash_state_seeded, pub_seed, sk_seed, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N); -} - -/* The haraka implementation is stack based and won't be replaced in PQClean/OQS, - so we don't need to do anything */ -void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_destroy_hash_function( - hash_state *hash_state_seeded) { // NOLINT(readability-non-const-parameter) - (void)hash_state_seeded; -} - -/* - * Computes PRF(key, addr), given a secret key of PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N bytes and an address - */ -void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_prf_addr( - unsigned char *out, const unsigned char *key, const uint32_t addr[8], - const hash_state *hash_state_seeded) { - unsigned char buf[PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_BYTES]; - /* Since PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N may be smaller than 32, we need a temporary buffer. */ - unsigned char outbuf[32]; - - (void)key; /* Suppress an 'unused parameter' warning. */ - - PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_addr_to_bytes(buf, addr); - PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka256_sk(outbuf, buf, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N); -} - -/** - * Computes the message-dependent randomness R, using a secret seed and an - * optional randomization value as well as the message. 
- */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded) {
- uint8_t s_inc[65];
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S_inc_init(s_inc);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, sk_prf, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, optrand, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S_inc_finalize(s_inc);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S_inc_squeeze(R, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N, s_inc, hash_state_seeded);
-}
-
-/**
- * Computes the message hash using R, the public key, and the message.
- * Outputs the message digest and the index of the leaf. The index is split in
- * the tree index and the leaf index, for convenient copying to an address.
- */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded) {
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_TREE_BITS (PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_TREE_HEIGHT * (PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_D - 1))
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_TREE_BYTES ((PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_TREE_BITS + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_LEAF_BITS PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_TREE_HEIGHT
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_LEAF_BYTES ((PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_LEAF_BITS + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_DGST_BYTES (PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_MSG_BYTES + PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_TREE_BYTES + PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_LEAF_BYTES)
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_DGST_BYTES];
- unsigned char *bufp = buf;
- uint8_t s_inc[65];
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S_inc_init(s_inc);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, R, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, pk + PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S_inc_finalize(s_inc);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S_inc_squeeze(buf, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_DGST_BYTES, s_inc, hash_state_seeded);
-
- memcpy(digest, bufp, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_MSG_BYTES);
- bufp += PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_MSG_BYTES;
-
- *tree = PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_bytes_to_ull(bufp, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_TREE_BYTES);
- *tree &= (~(uint64_t)0) >> (64 - PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_TREE_BITS);
- bufp += PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_TREE_BYTES;
-
- *leaf_idx = (uint32_t)PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_bytes_to_ull(
- bufp, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_LEAF_BYTES);
- *leaf_idx &= (~(uint32_t)0) >> (32 - PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_LEAF_BITS);
-}
diff --git a/crypto_sign/sphincs-haraka-256f-robust/clean/hash_state.h b/crypto_sign/sphincs-haraka-256f-robust/clean/hash_state.h
deleted file mode 100644
index 5adb1d9a..00000000
--- a/crypto_sign/sphincs-haraka-256f-robust/clean/hash_state.h
+++ /dev/null
@@ -1,26 +0,0 @@
-#ifndef SPX_HASH_STATE_H
-#define SPX_HASH_STATE_H
-
-/**
- * Defines the type of the hash function state.
- *
- * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
- *
- * From Section 7.2.2 from the SPHINCS+ round-2 specification:
- *
- * Each of the instances of the tweakable hash function take PK.seed as its
- * first input, which is constant for a given key pair – and, thus, across
- * a single signature. This leads to a lot of redundant computation. To remedy
- * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
- * Because of the Merkle-Damgård construction that underlies SHA-256, this
- * allows for reuse of the intermediate SHA-256 state after the initial call to
- * the compression function which improves performance.
- *
- * We pass this hash state around in functions, because otherwise we need to
- * have a global variable.
- */
-
-#include "haraka.h"
-#define hash_state harakactx
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-robust/clean/params.h b/crypto_sign/sphincs-haraka-256f-robust/clean/params.h
deleted file mode 100644
index 5870e431..00000000
--- a/crypto_sign/sphincs-haraka-256f-robust/clean/params.h
+++ /dev/null
@@ -1,53 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_PARAMS_H -#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_PARAMS_H - -/* Hash output length in bytes. */ -#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N 32 -/* Height of the hypertree. */ -#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FULL_HEIGHT 68 -/* Number of subtree layer. */ -#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_D 17 -/* FORS tree dimensions. */ -#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_HEIGHT 10 -#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_TREES 30 -/* Winternitz parameter, */ -#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_W 16 - -/* The hash function is defined by linking a different hash.c file, as opposed - to setting a #define constant. */ - -/* For clarity */ -#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_BYTES 32 - -/* WOTS parameters. */ -#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_LOGW 4 - -#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_LEN1 (8 * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N / PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_LOGW) - -/* PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */ -#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_LEN2 3 - -#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_LEN (PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_LEN1 + PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_LEN2) -#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_BYTES (PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_LEN * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N) -#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_PK_BYTES PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_BYTES - -/* Subtree size. */ -#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_TREE_HEIGHT (PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FULL_HEIGHT / PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_D) - -/* FORS parameters. 
*/ -#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_MSG_BYTES ((PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_TREES + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_BYTES ((PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_HEIGHT + 1) * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N) -#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_PK_BYTES PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N - -/* Resulting SPX sizes. */ -#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_BYTES (PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N + PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_BYTES + PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_D * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_BYTES +\ - PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FULL_HEIGHT * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N) -#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_PK_BYTES (2 * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N) -#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_SK_BYTES (2 * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N + PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_PK_BYTES) - -/* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. */ -#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_OPTRAND_BYTES 32 - -#endif diff --git a/crypto_sign/sphincs-haraka-256f-robust/clean/sign.c b/crypto_sign/sphincs-haraka-256f-robust/clean/sign.c deleted file mode 100644 index cc7b1a66..00000000 --- a/crypto_sign/sphincs-haraka-256f-robust/clean/sign.c +++ /dev/null 
@@ -1,356 +0,0 @@
-#include
-#include
-#include
-
-#include "address.h"
-#include "api.h"
-#include "fors.h"
-#include "hash.h"
-#include "hash_state.h"
-#include "params.h"
-#include "randombytes.h"
-#include "thash.h"
-#include "utils.h"
-#include "wots.h"
-
-/**
- * Computes the leaf at a given address. First generates the WOTS key pair,
- * then computes leaf by hashing horizontally.
- */
-static void wots_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed,
- const unsigned char *pub_seed,
- uint32_t addr_idx, const uint32_t tree_addr[8],
- const hash_state *hash_state_seeded) {
- unsigned char pk[PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_BYTES];
- uint32_t wots_addr[8] = {0};
- uint32_t wots_pk_addr[8] = {0};
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_type(
- wots_addr, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_TYPE_WOTS);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_type(
- wots_pk_addr, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_TYPE_WOTSPK);
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_copy_subtree_addr(
- wots_addr, tree_addr);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_keypair_addr(
- wots_addr, addr_idx);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_wots_gen_pk(
- pk, sk_seed, pub_seed, wots_addr, hash_state_seeded);
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_copy_keypair_addr(
- wots_pk_addr, wots_addr);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_thash_WOTS_LEN(
- leaf, pk, pub_seed, wots_pk_addr, hash_state_seeded);
-}
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_secretkeybytes(void) {
- return PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_CRYPTO_SECRETKEYBYTES;
-}
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_publickeybytes(void) {
- return PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_CRYPTO_PUBLICKEYBYTES;
-}
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_bytes(void) {
- return PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_CRYPTO_BYTES;
-}
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_seedbytes(void) {
- return PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_CRYPTO_SEEDBYTES;
-}
-
-/*
- * Generates an SPX key pair given a seed of length
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [PUB_SEED || root]
- */
-int PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_seed_keypair(
- uint8_t *pk, uint8_t *sk, const uint8_t *seed) {
- /* We do not need the auth path in key generation, but it simplifies the
- code to have just one treehash routine that computes both root and path
- in one function. */
- unsigned char auth_path[PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N];
- uint32_t top_tree_addr[8] = {0};
- hash_state hash_state_seeded;
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_layer_addr(
- top_tree_addr, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_D - 1);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_type(
- top_tree_addr, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_TYPE_HASHTREE);
-
- /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */
- memcpy(sk, seed, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_CRYPTO_SEEDBYTES);
-
- memcpy(pk, sk + 2 * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N);
-
- /* This hook allows the hash function instantiation to do whatever
- preparation or computation it needs, based on the public seed. */
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_initialize_hash_function(&hash_state_seeded, pk, sk);
-
- /* Compute root node of the top-most subtree. */
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_treehash_TREE_HEIGHT(
- sk + 3 * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N, auth_path, sk, sk + 2 * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N, 0, 0,
- wots_gen_leaf, top_tree_addr, &hash_state_seeded);
-
- memcpy(pk + PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N, sk + 3 * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N);
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_destroy_hash_function(&hash_state_seeded);
- return 0;
-}
-
-/*
- * Generates an SPX key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [PUB_SEED || root]
- */
-int PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_keypair(
- uint8_t *pk, uint8_t *sk) {
- unsigned char seed[PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_CRYPTO_SEEDBYTES];
- randombytes(seed, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_CRYPTO_SEEDBYTES);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_seed_keypair(
- pk, sk, seed);
-
- return 0;
-}
-
-/**
- * Returns an array containing a detached signature.
- */
-int PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk) {
- const unsigned char *sk_seed = sk;
- const unsigned char *sk_prf = sk + PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N;
- const unsigned char *pk = sk + 2 * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N;
- const unsigned char *pub_seed = pk;
-
- unsigned char optrand[PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N];
- unsigned char mhash[PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_MSG_BYTES];
- unsigned char root[PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N];
- uint32_t i;
- uint64_t tree;
- uint32_t idx_leaf;
- uint32_t wots_addr[8] = {0};
- uint32_t tree_addr[8] = {0};
-
- hash_state hash_state_seeded;
-
- /* This hook allows the hash function instantiation to do whatever
- preparation or computation it needs, based on the public seed. */
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_initialize_hash_function(
- &hash_state_seeded,
- pub_seed, sk_seed);
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_type(
- wots_addr, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_TYPE_WOTS);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_type(
- tree_addr, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_TYPE_HASHTREE);
-
- /* Optionally, signing can be made non-deterministic using optrand.
- This can help counter side-channel attacks that would benefit from
- getting a large number of traces when the signer uses the same nodes. */
- randombytes(optrand, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N);
- /* Compute the digest randomization value. */
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_gen_message_random(
- sig, sk_prf, optrand, m, mlen, &hash_state_seeded);
-
- /* Derive the message digest and leaf index from R, PK and M. */
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_hash_message(
- mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N;
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_tree_addr(wots_addr, tree);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_keypair_addr(
- wots_addr, idx_leaf);
-
- /* Sign the message hash using FORS. */
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_fors_sign(
- sig, root, mhash, sk_seed, pub_seed, wots_addr, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_BYTES;
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_D; i++) {
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_layer_addr(tree_addr, i);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_tree_addr(tree_addr, tree);
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_copy_subtree_addr(
- wots_addr, tree_addr);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_keypair_addr(
- wots_addr, idx_leaf);
-
- /* Compute a WOTS signature. */
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_wots_sign(
- sig, root, sk_seed, pub_seed, wots_addr, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_BYTES;
-
- /* Compute the authentication path for the used WOTS leaf. */
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_treehash_TREE_HEIGHT(
- root, sig, sk_seed, pub_seed, idx_leaf, 0,
- wots_gen_leaf, tree_addr, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N;
-
- /* Update the indices for the next layer. */
- idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_TREE_HEIGHT) - 1));
- tree = tree >> PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_TREE_HEIGHT;
- }
-
- *siglen = PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_BYTES;
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_destroy_hash_function(&hash_state_seeded);
- return 0;
-}
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk) {
- const unsigned char *pub_seed = pk;
- const unsigned char *pub_root = pk + PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N;
- unsigned char mhash[PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_MSG_BYTES];
- unsigned char wots_pk[PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_BYTES];
- unsigned char root[PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N];
- unsigned char leaf[PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N];
- unsigned int i;
- uint64_t tree;
- uint32_t idx_leaf;
- uint32_t wots_addr[8] = {0};
- uint32_t tree_addr[8] = {0};
- uint32_t wots_pk_addr[8] = {0};
-
- hash_state hash_state_seeded;
-
- if (siglen != PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_BYTES) {
- return -1;
- }
-
- /* This hook allows the hash function instantiation to do whatever
- preparation or computation it needs, based on the public seed. */
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_initialize_hash_function(
- &hash_state_seeded,
- pub_seed, NULL);
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_type(
- wots_addr, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_TYPE_WOTS);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_type(
- tree_addr, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_TYPE_HASHTREE);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_type(
- wots_pk_addr, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_TYPE_WOTSPK);
-
- /* Derive the message digest and leaf index from R || PK || M. */
- /* The additional PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N is a result of the hash domain separator. */
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_hash_message(
- mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N;
-
- /* Layer correctly defaults to 0, so no need to set_layer_addr */
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_tree_addr(wots_addr, tree);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_keypair_addr(
- wots_addr, idx_leaf);
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_fors_pk_from_sig(
- root, sig, mhash, pub_seed, wots_addr, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_BYTES;
-
- /* For each subtree.. */
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_D; i++) {
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_layer_addr(tree_addr, i);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_tree_addr(tree_addr, tree);
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_copy_subtree_addr(
- wots_addr, tree_addr);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_keypair_addr(
- wots_addr, idx_leaf);
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_copy_keypair_addr(
- wots_pk_addr, wots_addr);
-
- /* The WOTS public key is only correct if the signature was correct. */
- /* Initially, root is the FORS pk, but on subsequent iterations it is
- the root of the subtree below the currently processed subtree. */
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_wots_pk_from_sig(
- wots_pk, sig, root, pub_seed, wots_addr, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_BYTES;
-
- /* Compute the leaf node using the WOTS public key. */
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_thash_WOTS_LEN(
- leaf, wots_pk, pub_seed, wots_pk_addr, &hash_state_seeded);
-
- /* Compute the root node of this subtree. */
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_compute_root(
- root, leaf, idx_leaf, 0, sig, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_TREE_HEIGHT,
- pub_seed, tree_addr, &hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N;
-
- /* Update the indices for the next layer. */
- idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_TREE_HEIGHT) - 1));
- tree = tree >> PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_TREE_HEIGHT;
- }
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_destroy_hash_function(&hash_state_seeded);
- /* Check if the root node equals the root node in the public key. */
- if (memcmp(root, pub_root, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N) != 0) {
- return -1;
- }
-
- return 0;
-}
-
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen, const uint8_t *sk) {
- size_t siglen;
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_signature(
- sm, &siglen, m, mlen, sk);
-
- memmove(sm + PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_BYTES, m, mlen);
- *smlen = siglen + mlen;
-
- return 0;
-}
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen, const uint8_t *pk) {
- /* The API caller does not necessarily know what size a signature should be
- but SPHINCS+ signatures are always exactly PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_BYTES. */
- if (smlen < PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_BYTES) {
- memset(m, 0, smlen);
- *mlen = 0;
- return -1;
- }
-
- *mlen = smlen - PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_BYTES;
-
- if (PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_crypto_sign_verify(
- sm, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_BYTES, sm + PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_BYTES, *mlen, pk)) {
- memset(m, 0, smlen);
- *mlen = 0;
- return -1;
- }
-
- /* If verification was successful, move the message to the right place. */
- memmove(m, sm + PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_BYTES, *mlen);
-
- return 0;
-}
diff --git a/crypto_sign/sphincs-haraka-256f-robust/clean/thash.h b/crypto_sign/sphincs-haraka-256f-robust/clean/thash.h
deleted file mode 100644
index 451af2b9..00000000
--- a/crypto_sign/sphincs-haraka-256f-robust/clean/thash.h
+++ /dev/null
@@ -1,28 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_THASH_H
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_THASH_H
-
-#include "hash_state.h"
-
-#include
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_thash_1(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_thash_2(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_thash_WOTS_LEN(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_thash_FORS_TREES(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-robust/clean/thash_haraka_robust.c b/crypto_sign/sphincs-haraka-256f-robust/clean/thash_haraka_robust.c
deleted file mode 100644
index ed97ca4e..00000000
--- a/crypto_sign/sphincs-haraka-256f-robust/clean/thash_haraka_robust.c
+++ /dev/null
@@ -1,94 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "hash_state.h"
-#include "params.h"
-#include "thash.h"
-
-#include "haraka.h"
-
-/**
- * Takes an array of inblocks concatenated arrays of PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N bytes.
- */
-static void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_thash(
- unsigned char *out, unsigned char *buf,
- const unsigned char *in, unsigned int inblocks,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned char *bitmask = buf + PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_BYTES;
- unsigned char outbuf[32];
- unsigned char buf_tmp[64];
- unsigned int i;
-
- (void)pub_seed; /* Suppress an 'unused parameter' warning. */
-
- if (inblocks == 1) {
- /* F function */
- /* Since PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N may be smaller than 32, we need a temporary buffer. */
- memset(buf_tmp, 0, 64);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_addr_to_bytes(buf_tmp, addr);
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka256(outbuf, buf_tmp, hash_state_seeded);
- for (i = 0; i < inblocks * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N; i++) {
- buf_tmp[PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_BYTES + i] = in[i] ^ outbuf[i];
- }
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka512(outbuf, buf_tmp, hash_state_seeded);
- memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N);
- } else {
- /* All other tweakable hashes*/
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_addr_to_bytes(buf, addr);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S(
- bitmask, inblocks * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N, buf, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_BYTES, hash_state_seeded);
-
- for (i = 0; i < inblocks * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N; i++) {
- buf[PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_BYTES + i] = in[i] ^ bitmask[i];
- }
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_haraka_S(
- out, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N, buf, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_BYTES + inblocks * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N, hash_state_seeded);
- }
-}
-
-/* The wrappers below ensure that we use fixed-size buffers on the stack */
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_thash_1(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_BYTES + 1 * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N];
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_thash(
- out, buf, in, 1, pub_seed, addr, hash_state_seeded);
-}
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_thash_2(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_BYTES + 2 * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N];
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_thash(
- out, buf, in, 2, pub_seed, addr, hash_state_seeded);
-}
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_thash_WOTS_LEN(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_LEN * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N];
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_thash(
- out, buf, in, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_LEN, pub_seed, addr, hash_state_seeded);
-}
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_thash_FORS_TREES(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N];
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_thash(
- out, buf, in, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_TREES, pub_seed, addr, hash_state_seeded);
-}
diff --git a/crypto_sign/sphincs-haraka-256f-robust/clean/utils.c b/crypto_sign/sphincs-haraka-256f-robust/clean/utils.c
deleted file mode 100644
index c3b45d7f..00000000
--- a/crypto_sign/sphincs-haraka-256f-robust/clean/utils.c
+++ /dev/null
@@ -1,199 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "hash.h"
-#include "hash_state.h"
-#include "params.h"
-#include "thash.h"
-#include "utils.h"
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ull_to_bytes(
- unsigned char *out, size_t outlen, unsigned long long in) {
-
- /* Iterate over out in decreasing order, for big-endianness. */
- for (size_t i = outlen; i > 0; i--) {
- out[i - 1] = in & 0xff;
- in = in >> 8;
- }
-}
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-unsigned long long PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_bytes_to_ull(
- const unsigned char *in, size_t inlen) {
- unsigned long long retval = 0;
-
- for (size_t i = 0; i < inlen; i++) {
- retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i));
- }
- return retval;
-}
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_compute_root(
- unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- uint32_t i;
- unsigned char buffer[2 * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N];
-
- /* If leaf_idx is odd (last bit = 1), current path element is a right child
- and auth_path has to go left. Otherwise it is the other way around. */
- if (leaf_idx & 1) {
- memcpy(buffer + PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N, leaf, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N);
- memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N);
- } else {
- memcpy(buffer, leaf, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N);
- memcpy(buffer + PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N, auth_path, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N);
- }
- auth_path += PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N;
-
- for (i = 0; i < tree_height - 1; i++) {
- leaf_idx >>= 1;
- idx_offset >>= 1;
- /* Set the address of the node we're creating. */
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_tree_height(addr, i + 1);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_tree_index(
- addr, leaf_idx + idx_offset);
-
- /* Pick the right or left neighbor, depending on parity of the node. */
- if (leaf_idx & 1) {
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_thash_2(
- buffer + PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N, buffer, pub_seed, addr, hash_state_seeded);
- memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N);
- } else {
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_thash_2(
- buffer, buffer, pub_seed, addr, hash_state_seeded);
- memcpy(buffer + PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N, auth_path, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N);
- }
- auth_path += PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N;
- }
-
- /* The last iteration is exceptional; we do not copy an auth_path node. */
- leaf_idx >>= 1;
- idx_offset >>= 1;
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_tree_height(addr, tree_height);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_tree_index(
- addr, leaf_idx + idx_offset);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_thash_2(
- root, buffer, pub_seed, addr, hash_state_seeded);
-}
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-static void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_treehash(
- unsigned char *root, unsigned char *auth_path,
- unsigned char *stack, unsigned int *heights,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8],
- const hash_state *hash_state_seeded) {
-
- unsigned int offset = 0;
- uint32_t idx;
- uint32_t tree_idx;
-
- for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) {
- /* Add the next leaf node to the stack. */
- gen_leaf(stack + offset * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N,
- sk_seed, pub_seed, idx + idx_offset, tree_addr,
- hash_state_seeded);
- offset++;
- heights[offset - 1] = 0;
-
- /* If this is a node we need for the auth path.. */
- if ((leaf_idx ^ 0x1) == idx) {
- memcpy(auth_path, stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N);
- }
-
- /* While the top-most nodes are of equal height.. */
- while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) {
- /* Compute index of the new node, in the next layer. */
- tree_idx = (idx >> (heights[offset - 1] + 1));
-
- /* Set the address of the node we're creating. */
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_tree_height(
- tree_addr, heights[offset - 1] + 1);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_tree_index(
- tree_addr, tree_idx + (idx_offset >> (heights[offset - 1] + 1)));
- /* Hash the top-most nodes from the stack together. */
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_thash_2(
- stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N, stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N,
- pub_seed, tree_addr, hash_state_seeded);
- offset--;
- /* Note that the top-most node is now one layer higher. */
- heights[offset - 1]++;
-
- /* If this is a node we need for the auth path.. */
- if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) {
- memcpy(auth_path + heights[offset - 1]*PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N,
- stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N);
- }
- }
- }
- memcpy(root, stack, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N);
-}
-
-/* The wrappers below ensure that we use fixed-size buffers on the stack */
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_treehash_FORS_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded) {
-
- unsigned char stack[(PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N];
- unsigned int heights[PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_HEIGHT + 1];
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_treehash(
- root, auth_path, stack, heights, sk_seed, pub_seed,
- leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_FORS_HEIGHT, gen_leaf, tree_addr, hash_state_seeded);
-}
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_treehash_TREE_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded) {
-
- unsigned char stack[(PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_TREE_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N];
- unsigned int heights[PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_TREE_HEIGHT + 1];
-
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_treehash(
- root, auth_path, stack, heights, sk_seed, pub_seed,
- leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_TREE_HEIGHT, gen_leaf, tree_addr, hash_state_seeded);
-}
diff --git a/crypto_sign/sphincs-haraka-256f-robust/clean/utils.h b/crypto_sign/sphincs-haraka-256f-robust/clean/utils.h
deleted file mode 100644
index 072fd86b..00000000
--- a/crypto_sign/sphincs-haraka-256f-robust/clean/utils.h
+++ /dev/null
@@ -1,64 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_UTILS_H
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_UTILS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-#include
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ull_to_bytes(
- unsigned char *out, size_t outlen, unsigned long long in);
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-unsigned long long PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_bytes_to_ull(
- const unsigned char *in, size_t inlen);
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_compute_root(
- unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_treehash_FORS_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_treehash_TREE_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-robust/clean/wots.c b/crypto_sign/sphincs-haraka-256f-robust/clean/wots.c
deleted file mode 100644
index 83188d1f..00000000
--- a/crypto_sign/sphincs-haraka-256f-robust/clean/wots.c
+++ /dev/null
@@ -1,167 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "hash.h"
-#include "hash_state.h"
-#include "params.h"
-#include "thash.h"
-#include "utils.h"
-#include "wots.h"
-
-// TODO clarify address expectations, and make them more uniform.
-// TODO i.e. do we expect types to be set already?
-// TODO and do we expect modifications or copies?
-
-/**
- * Computes the starting value for a chain, i.e. the secret key.
- * Expects the address to be complete up to the chain address.
- */
-static void wots_gen_sk(unsigned char *sk, const unsigned char *sk_seed,
- uint32_t wots_addr[8],
- const hash_state *hash_state_seeded) {
- /* Make sure that the hash address is actually zeroed. */
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_hash_addr(wots_addr, 0);
-
- /* Generate sk element. */
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_prf_addr(sk, sk_seed, wots_addr, hash_state_seeded);
-}
-
-/**
- * Computes the chaining function.
- * out and in have to be n-byte arrays.
- *
- * Interprets in as start-th value of the chain.
- * addr has to contain the address of the chain.
- */
-static void gen_chain(unsigned char *out, const unsigned char *in,
- unsigned int start, unsigned int steps,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- uint32_t i;
-
- /* Initialize out with the value at position 'start'. */
- memcpy(out, in, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N);
-
- /* Iterate 'steps' calls to the hash function. */
- for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_W; i++) {
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_hash_addr(addr, i);
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_thash_1(
- out, out, pub_seed, addr, hash_state_seeded);
- }
-}
-
-/**
- * base_w algorithm as described in draft.
- * Interprets an array of bytes as integers in base w.
- * This only works when log_w is a divisor of 8.
- */
-static void base_w(unsigned int *output, const size_t out_len,
- const unsigned char *input) {
- size_t in = 0;
- size_t out = 0;
- unsigned char total = 0;
- unsigned int bits = 0;
- size_t consumed;
-
- for (consumed = 0; consumed < out_len; consumed++) {
- if (bits == 0) {
- total = input[in];
- in++;
- bits += 8;
- }
- bits -= PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_LOGW;
- output[out] = (unsigned int)((total >> bits) & (PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_W - 1));
- out++;
- }
-}
-
-/* Computes the WOTS+ checksum over a message (in base_w). */
-static void wots_checksum(unsigned int *csum_base_w,
- const unsigned int *msg_base_w) {
- unsigned int csum = 0;
- unsigned char csum_bytes[(PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_LOGW + 7) / 8];
- unsigned int i;
-
- /* Compute checksum. */
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_LEN1; i++) {
- csum += PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_W - 1 - msg_base_w[i];
- }
-
- /* Convert checksum to base_w. */
- /* Make sure expected empty zero bits are the least significant bits. */
- csum = csum << (8 - ((PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_LOGW) % 8));
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_ull_to_bytes(
- csum_bytes, sizeof(csum_bytes), csum);
- base_w(csum_base_w, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_LEN2, csum_bytes);
-}
-
-/* Takes a message and derives the matching chain lengths. */
-static void chain_lengths(unsigned int *lengths, const unsigned char *msg) {
- base_w(lengths, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_LEN1, msg);
- wots_checksum(lengths + PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_LEN1, lengths);
-}
-
-/**
- * WOTS key generation. Takes a 32 byte sk_seed, expands it to WOTS private key
- * elements and computes the corresponding public key.
- * It requires the seed pub_seed (used to generate bitmasks and hash keys)
- * and the address of this WOTS key pair.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_wots_gen_pk(
- unsigned char *pk, const unsigned char *sk_seed,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- uint32_t i;
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_LEN; i++) {
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_chain_addr(addr, i);
- wots_gen_sk(pk + i * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N, sk_seed, addr, hash_state_seeded);
- gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N, pk + i * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N,
- 0, PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_W - 1, pub_seed, addr, hash_state_seeded);
- }
-}
-
-/**
- * Takes a n-byte message and the 32-byte sk_see to compute a signature 'sig'.
- */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_wots_sign(
- unsigned char *sig, const unsigned char *msg,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t addr[8], const hash_state *hash_state_seeded) {
- unsigned int lengths[PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_LEN];
- uint32_t i;
-
- chain_lengths(lengths, msg);
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_LEN; i++) {
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_chain_addr(addr, i);
- wots_gen_sk(sig + i * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N, sk_seed, addr, hash_state_seeded);
- gen_chain(sig + i * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N, sig + i * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N, 0, lengths[i], pub_seed, addr, hash_state_seeded);
- }
-}
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_wots_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- unsigned int lengths[PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_LEN];
- uint32_t i;
-
- chain_lengths(lengths, msg);
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_LEN; i++) {
- PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_set_chain_addr(addr, i);
- gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N, sig + i * PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_N,
- lengths[i], PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_W - 1 - lengths[i], pub_seed, addr,
- hash_state_seeded);
- }
-}
diff --git a/crypto_sign/sphincs-haraka-256f-robust/clean/wots.h b/crypto_sign/sphincs-haraka-256f-robust/clean/wots.h
deleted file mode 100644
index 483e1b38..00000000
--- a/crypto_sign/sphincs-haraka-256f-robust/clean/wots.h
+++ /dev/null
@@ -1,41 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_H
-#define PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_WOTS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-
-/**
- * WOTS key generation. Takes a 32 byte seed for the private key, expands it to
- * a full WOTS private key and computes the corresponding public key.
- * It requires the seed pub_seed (used to generate bitmasks and hash keys)
- * and the address of this WOTS key pair.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_wots_gen_pk(
- unsigned char *pk, const unsigned char *sk_seed,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * Takes a n-byte message and the 32-byte seed for the private key to compute a
- * signature that is placed at 'sig'.
- */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_wots_sign(
- unsigned char *sig, const unsigned char *msg,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA256FROBUST_CLEAN_wots_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-simple/META.yml b/crypto_sign/sphincs-haraka-256f-simple/META.yml
deleted file mode 100644
index 054bd6fb..00000000
--- a/crypto_sign/sphincs-haraka-256f-simple/META.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-name: SPHINCS+
-type: signature
-claimed-nist-level: 5
-length-public-key: 64
-length-secret-key: 128
-length-signature: 49216
-testvectors-sha256: dec0d78c3084540ea5c8a4ced594d07b0110d21d4a5564b80c4ea2638030b44d
-nistkat-sha256: 73d4172d95d0e668f7ac535a67f6ab26a963a604391053c9a2ce62cba88f2220
-principal-submitters:
- - Andreas Hülsing
-auxiliary-submitters:
- - Jean-Philippe Aumasson
- - Daniel J. Bernstein,
- - Christoph Dobraunig
- - Maria Eichlseder
- - Scott Fluhrer
- - Stefan-Lukas Gazdag
- - Panos Kampanakis
- - Stefan Kölbl
- - Tanja Lange
- - Martin M. Lauridsen
- - Florian Mendel
- - Ruben Niederhagen
- - Christian Rechberger
- - Joost Rijneveld
- - Peter Schwabe
-implementations:
- - name: clean
- version: https://github.com/sphincs/sphincsplus/commit/77755c94d0bc744478044d6efbb888dc13156441
- - name: aesni
- version: https://github.com/sphincs/sphincsplus/commit/77755c94d0bc744478044d6efbb888dc13156441
- supported_platforms:
- - architecture: x86_64
- required_flags:
- - aes
diff --git a/crypto_sign/sphincs-haraka-256f-simple/aesni/LICENSE b/crypto_sign/sphincs-haraka-256f-simple/aesni/LICENSE
deleted file mode 100644
index 670154e3..00000000
--- a/crypto_sign/sphincs-haraka-256f-simple/aesni/LICENSE
+++ /dev/null
@@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. 
publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. 
Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. 
Affirmer offers the Work as-is and makes no representations or warranties
- of any kind concerning the Work, express, implied, statutory or otherwise,
- including without limitation warranties of title, merchantability, fitness
- for a particular purpose, non infringement, or the absence of latent or
- other defects, accuracy, or the present or absence of errors, whether or not
- discoverable, all to the greatest extent permissible under applicable law.
-
- c. Affirmer disclaims responsibility for clearing rights of other persons
- that may apply to the Work or any use thereof, including without limitation
- any person's Copyright and Related Rights in the Work. Further, Affirmer
- disclaims responsibility for obtaining any necessary consents, permissions
- or other rights required for any use of the Work.
-
- d. Affirmer understands and acknowledges that Creative Commons is not a
- party to this document and has no duty or obligation with respect to this
- CC0 or use of the Work.
-
-For more information, please see
-
diff --git a/crypto_sign/sphincs-haraka-256f-simple/aesni/Makefile.Microsoft_nmake b/crypto_sign/sphincs-haraka-256f-simple/aesni/Makefile.Microsoft_nmake
deleted file mode 100644
index 6e33aa3a..00000000
--- a/crypto_sign/sphincs-haraka-256f-simple/aesni/Makefile.Microsoft_nmake
+++ /dev/null
@@ -1,23 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libsphincs-haraka-256f-simple_aesni.lib
-OBJECTS=address.obj wots.obj utils.obj utilsx4.obj fors.obj sign.obj hash_haraka.obj thash_haraka_simple.obj hash_harakax4.obj thash_haraka_simplex4.obj haraka.obj
-
-# We ignore warning C4127: in thash_haraka_*x4.c we use a conditional
-# that when the macro is generated for inblocks = 1 results in a case
-# with `if (1 == 1)`. The compiler should just optimise this away, but
-# on MSVC we get a compiler complaint.
-CFLAGS=/nologo /arch:AVX /O2 /I ..\..\..\common /W4 /WX /wd4127
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_sign/sphincs-haraka-256f-simple/aesni/address.c b/crypto_sign/sphincs-haraka-256f-simple/aesni/address.c
deleted file mode 100644
index 9d4f81a8..00000000
--- a/crypto_sign/sphincs-haraka-256f-simple/aesni/address.c
+++ /dev/null
@@ -1,78 +0,0 @@
-#include
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]) {
- int i;
-
- for (i = 0; i < 8; i++) {
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ull_to_bytes(
- bytes + i * 4, 4, addr[i]);
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_layer_addr(
- uint32_t addr[8], uint32_t layer) {
- addr[0] = layer;
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_tree_addr(
- uint32_t addr[8], uint64_t tree) {
- addr[1] = 0;
- addr[2] = (uint32_t) (tree >> 32);
- addr[3] = (uint32_t) tree;
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_type(
- uint32_t addr[8], uint32_t type) {
- addr[4] = type;
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
-}
-
-/* These functions are used for OTS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair) {
- addr[5] = keypair;
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
- out[5] = in[5];
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_chain_addr(
- uint32_t addr[8], uint32_t chain) {
- addr[6] = chain;
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_hash_addr(
- uint32_t addr[8], uint32_t hash) {
- addr[7] = hash;
-}
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_tree_height(
- uint32_t addr[8], uint32_t tree_height) {
- addr[6] = tree_height;
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_tree_index(
- uint32_t addr[8], uint32_t tree_index) {
- addr[7] = tree_index;
-}
diff --git a/crypto_sign/sphincs-haraka-256f-simple/aesni/address.h b/crypto_sign/sphincs-haraka-256f-simple/aesni/address.h
deleted file mode 100644
index cc7f4568..00000000
--- a/crypto_sign/sphincs-haraka-256f-simple/aesni/address.h
+++ /dev/null
@@ -1,50 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDRESS_H
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDRESS_H
-
-#include
-
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_TYPE_WOTS 0
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_TYPE_WOTSPK 1
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_TYPE_HASHTREE 2
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_TYPE_FORSTREE 3
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_TYPE_FORSPK 4
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]);
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_layer_addr(
- uint32_t addr[8], uint32_t layer);
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_tree_addr(
- uint32_t addr[8], uint64_t tree);
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_type(
- uint32_t addr[8], uint32_t type);
-
-/* Copies the layer and tree part of one address into the other */
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for WOTS and FORS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair);
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_chain_addr(
- uint32_t addr[8], uint32_t chain);
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_hash_addr(
- uint32_t addr[8], uint32_t hash);
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_tree_height(
- uint32_t addr[8], uint32_t tree_height);
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_tree_index(
- uint32_t addr[8], uint32_t tree_index);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-simple/aesni/api.h b/crypto_sign/sphincs-haraka-256f-simple/aesni/api.h
deleted file mode 100644
index c61b6f63..00000000
--- a/crypto_sign/sphincs-haraka-256f-simple/aesni/api.h
+++ /dev/null
@@ -1,81 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_API_H
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_API_H
-
-#include
-#include
-
-
-
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_CRYPTO_ALGNAME "SPHINCS+"
-
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES 128
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES 64
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_CRYPTO_BYTES 49216
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_CRYPTO_SEEDBYTES 96
-
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_crypto_sign_seed_keypair(
- uint8_t *pk, uint8_t *sk, const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_crypto_sign_keypair(
- uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-int PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen, const uint8_t *pk);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-simple/aesni/fors.c b/crypto_sign/sphincs-haraka-256f-simple/aesni/fors.c
deleted file mode 100644
index 52dbb8ed..00000000
--- a/crypto_sign/sphincs-haraka-256f-simple/aesni/fors.c
+++ /dev/null
@@ -1,206 +0,0 @@
-#include
-#include
-#include
-
-#include "address.h"
-#include "fors.h"
-#include "hash.h"
-#include "hashx4.h"
-#include "thash.h"
-#include "thashx4.h"
-#include "utils.h"
-#include "utilsx4.h"
-
-static void fors_gen_skx4(unsigned char *sk0,
- unsigned char *sk1,
- unsigned char *sk2,
- unsigned char *sk3, const unsigned char *sk_seed,
- uint32_t fors_leaf_addrx4[4 * 8],
- const hash_state *state_seeded) {
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_prf_addrx4(sk0, sk1, sk2, sk3, sk_seed, fors_leaf_addrx4, state_seeded);
-}
-
-static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk,
- const unsigned char *pub_seed,
- uint32_t fors_leaf_addr[8], const hash_state *state_seeded) {
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_thash_1(leaf, sk, pub_seed, fors_leaf_addr, state_seeded);
-}
-
-static void fors_sk_to_leafx4(unsigned char *leaf0,
- unsigned char *leaf1,
- unsigned char *leaf2,
- unsigned char *leaf3,
- const unsigned char *sk0,
- const unsigned char *sk1,
- const unsigned char *sk2,
- const unsigned char *sk3,
- const unsigned char *pub_seed,
- uint32_t fors_leaf_addrx4[4 * 8],
- const hash_state *state_seeded) {
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_thashx4_1(leaf0, leaf1, leaf2, leaf3,
- sk0, sk1, sk2, sk3, pub_seed, fors_leaf_addrx4, state_seeded);
-}
-
-static void fors_gen_leafx4(unsigned char *leaf0,
- unsigned char *leaf1,
- unsigned char *leaf2,
- unsigned char *leaf3,
- const unsigned char *sk_seed,
- const unsigned char *pub_seed,
- uint32_t addr_idx0,
- uint32_t addr_idx1,
- uint32_t addr_idx2,
- uint32_t addr_idx3,
- const uint32_t fors_tree_addr[8],
- const hash_state *state_seeded) {
- uint32_t fors_leaf_addrx4[4 * 8] = {0};
- unsigned int j;
-
- /* Only copy the parts that must be kept in fors_leaf_addrx4.
*/
- for (j = 0; j < 4; j++) {
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_copy_keypair_addr(fors_leaf_addrx4 + j * 8, fors_tree_addr);
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_type(fors_leaf_addrx4 + j * 8, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_TYPE_FORSTREE);
- }
-
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_tree_index(fors_leaf_addrx4 + 0 * 8, addr_idx0);
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_tree_index(fors_leaf_addrx4 + 1 * 8, addr_idx1);
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_tree_index(fors_leaf_addrx4 + 2 * 8, addr_idx2);
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_tree_index(fors_leaf_addrx4 + 3 * 8, addr_idx3);
-
- fors_gen_skx4(leaf0, leaf1, leaf2, leaf3, sk_seed, fors_leaf_addrx4, state_seeded);
- fors_sk_to_leafx4(leaf0, leaf1, leaf2, leaf3,
- leaf0, leaf1, leaf2, leaf3, pub_seed, fors_leaf_addrx4, state_seeded);
-}
-
-/**
- * Interprets m as PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_HEIGHT-bit unsigned integers.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_TREES bits.
- * Assumes indices has space for PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_TREES integers.
- */
-static void message_to_indices(uint32_t *indices, const unsigned char *m) {
- unsigned int i, j;
- unsigned int offset = 0;
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_TREES; i++) {
- indices[i] = 0;
- for (j = 0; j < PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_HEIGHT; j++) {
- indices[i] ^= (((uint32_t)m[offset >> 3] >> (offset & 0x7)) & 0x1) << j;
- offset++;
- }
- }
-}
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_fors_sign(unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- const uint32_t fors_addr[8], const hash_state *state_seeded) {
- /* Round up to multiple of 4 to prevent out-of-bounds for x4 parallelism */
- uint32_t indices[(PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_TREES + 3) & ~3] = {0};
- unsigned char roots[((PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_TREES + 3) & ~3) * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N];
- /* Sign to a buffer, since we may not have a nice multiple of 4 and would
- otherwise overrun the signature. */
- unsigned char sigbufx4[4 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N * (1 + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_HEIGHT)];
- uint32_t fors_tree_addrx4[4 * 8] = {0};
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset[4] = {0};
- unsigned int i, j;
-
- for (j = 0; j < 4; j++) {
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_copy_keypair_addr(fors_tree_addrx4 + j * 8, fors_addr);
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_type(fors_tree_addrx4 + j * 8, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_TYPE_FORSTREE);
- }
-
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_copy_keypair_addr(fors_pk_addr, fors_addr);
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < ((PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_TREES + 3) & ~0x3); i += 4) {
- for (j = 0; j < 4; j++) {
- if (i + j < PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_TREES) {
- idx_offset[j] = (i + j) * (1 << PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_HEIGHT);
-
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_tree_height(fors_tree_addrx4 + j * 8, 0);
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_tree_index(fors_tree_addrx4 + j * 8,
- indices[i + j] + idx_offset[j]);
- }
- }
-
- /* Include the secret key part that produces the selected leaf nodes.
*/
- fors_gen_skx4(sigbufx4 + 0 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N,
- sigbufx4 + 1 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N,
- sigbufx4 + 2 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N,
- sigbufx4 + 3 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N,
- sk_seed, fors_tree_addrx4, state_seeded);
-
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_treehashx4_FORS_HEIGHT(roots + i * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, sigbufx4 + 4 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, sk_seed, pub_seed,
- &indices[i], idx_offset, fors_gen_leafx4, fors_tree_addrx4,
- state_seeded);
-
- for (j = 0; j < 4; j++) {
- if (i + j < PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_TREES) {
- memcpy(sig, sigbufx4 + j * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N);
- memcpy(sig + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N,
- sigbufx4 + 4 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N + j * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_HEIGHT,
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_HEIGHT);
- sig += PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N * (1 + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_HEIGHT);
- }
- }
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, state_seeded);
-}
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_fors_pk_from_sig(unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const unsigned char *pub_seed,
- const uint32_t fors_addr[8],
- const hash_state *state_seeded) {
- uint32_t indices[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_TREES];
- unsigned char roots[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N];
- unsigned char leaf[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N];
- uint32_t fors_tree_addr[8] = {0};
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset;
- unsigned int i;
-
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_copy_keypair_addr(fors_tree_addr, fors_addr);
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_copy_keypair_addr(fors_pk_addr, fors_addr);
-
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_type(fors_tree_addr, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_TYPE_FORSTREE);
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_TREES; i++) {
- idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_HEIGHT);
-
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_tree_height(fors_tree_addr, 0);
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_tree_index(fors_tree_addr, indices[i] + idx_offset);
-
- /* Derive the leaf from the included secret key part. */
- fors_sk_to_leaf(leaf, sig, pub_seed, fors_tree_addr, state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N;
-
- /* Derive the corresponding root node of this tree.
*/
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_compute_root(roots + i * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, leaf, indices[i], idx_offset,
- sig, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_HEIGHT, pub_seed, fors_tree_addr,
- state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, state_seeded);
-}
diff --git a/crypto_sign/sphincs-haraka-256f-simple/aesni/fors.h b/crypto_sign/sphincs-haraka-256f-simple/aesni/fors.h
deleted file mode 100644
index ac30ea43..00000000
--- a/crypto_sign/sphincs-haraka-256f-simple/aesni/fors.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_H
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_H
-
-#include
-
-#include "hash_state.h"
-#include "params.h"
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_fors_sign(
- unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- const uint32_t fors_addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_fors_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const unsigned char *pub_seed, const uint32_t fors_addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-simple/aesni/haraka.c b/crypto_sign/sphincs-haraka-256f-simple/aesni/haraka.c
deleted file mode 100644
index 46daeef8..00000000
--- a/crypto_sign/sphincs-haraka-256f-simple/aesni/haraka.c
+++ /dev/null
@@ -1,801 +0,0 @@
-/*
-Plain C implementation of the Haraka256 and Haraka512 permutations.
-*/
-#include
-#include
-#include
-#include
-#include
-
-#include "haraka.h"
-
-#define HARAKAS_RATE 32
-
-#define u64 uint64_t
-#define u128 __m128i
-
-#define LOAD(src) _mm_loadu_si128((u128 *)(src))
-#define STORE(dest,src) _mm_storeu_si128((u128 *)(dest),src)
-
-#define XOR128(a, b) _mm_xor_si128(a, b)
-
-#define AES2(s0, s1, rci) \
- (s0) = _mm_aesenc_si128(s0, *(rci)); \
- (s1) = _mm_aesenc_si128(s1, *((rci) + 1)); \
- (s0) = _mm_aesenc_si128(s0, *((rci) + 2)); \
- (s1) = _mm_aesenc_si128(s1, *((rci) + 3));
-
-#define AES2_4x(s0, s1, s2, s3, rci) \
- AES2((s0)[0], (s0)[1], rci); \
- AES2((s1)[0], (s1)[1], rci); \
- AES2((s2)[0], (s2)[1], rci); \
- AES2((s3)[0], (s3)[1], rci);
-
-#define AES4(s0, s1, s2, s3, rci) \
- (s0) = _mm_aesenc_si128(s0, *(rci)); \
- (s1) = _mm_aesenc_si128(s1, *((rci) + 1)); \
- (s2) = _mm_aesenc_si128(s2, *((rci) + 2)); \
- (s3) = _mm_aesenc_si128(s3, *((rci) + 3)); \
- (s0) = _mm_aesenc_si128(s0, *((rci) + 4)); \
- (s1) = _mm_aesenc_si128(s1, *((rci) + 5)); \
- (s2) = _mm_aesenc_si128(s2, *((rci) + 6)); \
- (s3) = _mm_aesenc_si128(s3, *((rci) + 7));
-
-#define AES4_4x(s0, s1, s2, s3, rci) \
- AES4((s0)[0], (s0)[1], (s0)[2], (s0)[3], rci); \
- AES4((s1)[0], (s1)[1], (s1)[2], (s1)[3], rci); \
- AES4((s2)[0], (s2)[1], (s2)[2], (s2)[3], rci); \
- AES4((s3)[0], (s3)[1], (s3)[2], (s3)[3], rci);
-
-#define MIX2(s0, s1) \
- tmp = _mm_unpacklo_epi32(s0, s1); \
- (s1) = _mm_unpackhi_epi32(s0, s1); \
- (s0) = tmp;
-
-#define MIX4(s0, s1, s2, s3) \
- tmp = _mm_unpacklo_epi32(s0, s1); \
- (s0) = _mm_unpackhi_epi32(s0, s1); \
- (s1) = _mm_unpacklo_epi32(s2, s3); \
- (s2) = _mm_unpackhi_epi32(s2, s3); \
- (s3) = _mm_unpacklo_epi32(s0, s2); \
- (s0) = _mm_unpackhi_epi32(s0, s2); \
- (s2) = _mm_unpackhi_epi32(s1, tmp); \
- (s1) = _mm_unpacklo_epi32(s1, tmp);
-
-#define TRUNCSTORE(out, s0, s1, s2, s3) \
- _mm_storeu_si128((u128 *)(out), \
-
_mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(s0), _mm_castsi128_pd(s1), 3))); \ - _mm_storeu_si128((u128 *)((out) + 16), \ - _mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(s2), _mm_castsi128_pd(s3), 0))); - -static void load_haraka_constants(u128 rc[40]) { - rc[ 0] = _mm_set_epi32((int)0x0684704c, (int)0xe620c00a, (int)0xb2c5fef0, (int)0x75817b9d); - rc[ 1] = _mm_set_epi32((int)0x8b66b4e1, (int)0x88f3a06b, (int)0x640f6ba4, (int)0x2f08f717); - rc[ 2] = _mm_set_epi32((int)0x3402de2d, (int)0x53f28498, (int)0xcf029d60, (int)0x9f029114); - rc[ 3] = _mm_set_epi32((int)0x0ed6eae6, (int)0x2e7b4f08, (int)0xbbf3bcaf, (int)0xfd5b4f79); - rc[ 4] = _mm_set_epi32((int)0xcbcfb0cb, (int)0x4872448b, (int)0x79eecd1c, (int)0xbe397044); - rc[ 5] = _mm_set_epi32((int)0x7eeacdee, (int)0x6e9032b7, (int)0x8d5335ed, (int)0x2b8a057b); - rc[ 6] = _mm_set_epi32((int)0x67c28f43, (int)0x5e2e7cd0, (int)0xe2412761, (int)0xda4fef1b); - rc[ 7] = _mm_set_epi32((int)0x2924d9b0, (int)0xafcacc07, (int)0x675ffde2, (int)0x1fc70b3b); - rc[ 8] = _mm_set_epi32((int)0xab4d63f1, (int)0xe6867fe9, (int)0xecdb8fca, (int)0xb9d465ee); - rc[ 9] = _mm_set_epi32((int)0x1c30bf84, (int)0xd4b7cd64, (int)0x5b2a404f, (int)0xad037e33); - rc[10] = _mm_set_epi32((int)0xb2cc0bb9, (int)0x941723bf, (int)0x69028b2e, (int)0x8df69800); - rc[11] = _mm_set_epi32((int)0xfa0478a6, (int)0xde6f5572, (int)0x4aaa9ec8, (int)0x5c9d2d8a); - rc[12] = _mm_set_epi32((int)0xdfb49f2b, (int)0x6b772a12, (int)0x0efa4f2e, (int)0x29129fd4); - rc[13] = _mm_set_epi32((int)0x1ea10344, (int)0xf449a236, (int)0x32d611ae, (int)0xbb6a12ee); - rc[14] = _mm_set_epi32((int)0xaf044988, (int)0x4b050084, (int)0x5f9600c9, (int)0x9ca8eca6); - rc[15] = _mm_set_epi32((int)0x21025ed8, (int)0x9d199c4f, (int)0x78a2c7e3, (int)0x27e593ec); - rc[16] = _mm_set_epi32((int)0xbf3aaaf8, (int)0xa759c9b7, (int)0xb9282ecd, (int)0x82d40173); - rc[17] = _mm_set_epi32((int)0x6260700d, (int)0x6186b017, (int)0x37f2efd9, (int)0x10307d6b); - rc[18] = _mm_set_epi32((int)0x5aca45c2, 
(int)0x21300443, (int)0x81c29153, (int)0xf6fc9ac6); - rc[19] = _mm_set_epi32((int)0x9223973c, (int)0x226b68bb, (int)0x2caf92e8, (int)0x36d1943a); - rc[20] = _mm_set_epi32((int)0xd3bf9238, (int)0x225886eb, (int)0x6cbab958, (int)0xe51071b4); - rc[21] = _mm_set_epi32((int)0xdb863ce5, (int)0xaef0c677, (int)0x933dfddd, (int)0x24e1128d); - rc[22] = _mm_set_epi32((int)0xbb606268, (int)0xffeba09c, (int)0x83e48de3, (int)0xcb2212b1); - rc[23] = _mm_set_epi32((int)0x734bd3dc, (int)0xe2e4d19c, (int)0x2db91a4e, (int)0xc72bf77d); - rc[24] = _mm_set_epi32((int)0x43bb47c3, (int)0x61301b43, (int)0x4b1415c4, (int)0x2cb3924e); - rc[25] = _mm_set_epi32((int)0xdba775a8, (int)0xe707eff6, (int)0x03b231dd, (int)0x16eb6899); - rc[26] = _mm_set_epi32((int)0x6df3614b, (int)0x3c755977, (int)0x8e5e2302, (int)0x7eca472c); - rc[27] = _mm_set_epi32((int)0xcda75a17, (int)0xd6de7d77, (int)0x6d1be5b9, (int)0xb88617f9); - rc[28] = _mm_set_epi32((int)0xec6b43f0, (int)0x6ba8e9aa, (int)0x9d6c069d, (int)0xa946ee5d); - rc[29] = _mm_set_epi32((int)0xcb1e6950, (int)0xf957332b, (int)0xa2531159, (int)0x3bf327c1); - rc[30] = _mm_set_epi32((int)0x2cee0c75, (int)0x00da619c, (int)0xe4ed0353, (int)0x600ed0d9); - rc[31] = _mm_set_epi32((int)0xf0b1a5a1, (int)0x96e90cab, (int)0x80bbbabc, (int)0x63a4a350); - rc[32] = _mm_set_epi32((int)0xae3db102, (int)0x5e962988, (int)0xab0dde30, (int)0x938dca39); - rc[33] = _mm_set_epi32((int)0x17bb8f38, (int)0xd554a40b, (int)0x8814f3a8, (int)0x2e75b442); - rc[34] = _mm_set_epi32((int)0x34bb8a5b, (int)0x5f427fd7, (int)0xaeb6b779, (int)0x360a16f6); - rc[35] = _mm_set_epi32((int)0x26f65241, (int)0xcbe55438, (int)0x43ce5918, (int)0xffbaafde); - rc[36] = _mm_set_epi32((int)0x4ce99a54, (int)0xb9f3026a, (int)0xa2ca9cf7, (int)0x839ec978); - rc[37] = _mm_set_epi32((int)0xae51a51a, (int)0x1bdff7be, (int)0x40c06e28, (int)0x22901235); - rc[38] = _mm_set_epi32((int)0xa0c1613c, (int)0xba7ed22b, (int)0xc173bc0f, (int)0x48a659cf); - rc[39] = _mm_set_epi32((int)0x756acc03, (int)0x02288288, 
(int)0x4ad6bdfd, (int)0xe9c59da1);
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length) {
- int i;
- unsigned char buf[40 * 16];
-
- /* Use the standard constants to generate tweaked ones. */
- load_haraka_constants(state->rc);
-
- /* Constants for sk.seed */
- if (sk_seed != NULL) {
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka_S(buf, 40 * 16, sk_seed, seed_length, state);
- /* Tweak constants with the pub_seed */
- for (i = 0; i < 40; i++) {
- state->rc_sseed[i] = LOAD(buf + i * 16);
- }
- }
-
- /* Constants for pk.seed */
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka_S(buf, 40 * 16, pk_seed, seed_length, state);
-
- /* Tweak constants with the pub_seed */
- for (i = 0; i < 40; i++) {
- state->rc[i] = LOAD(buf + i * 16);
- }
-}
-
-static void haraka_S_absorb(unsigned char *s,
- const unsigned char *m, unsigned long long mlen,
- unsigned char p,
- const harakactx *state) {
- unsigned long long i;
- unsigned char t[HARAKAS_RATE];
-
- while (mlen >= HARAKAS_RATE) {
- // XOR block to state
- STORE(s, XOR128(LOAD(s), LOAD(m)));
- STORE(s + 16, XOR128(LOAD(s + 16), LOAD(m + 16)));
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka512_perm(s, s, state);
- mlen -= HARAKAS_RATE;
- m += HARAKAS_RATE;
- }
-
- for (i = 0; i < HARAKAS_RATE; ++i) {
- t[i] = 0;
- }
- for (i = 0; i < mlen; ++i) {
- t[i] = m[i];
- }
- t[i] = p;
- t[HARAKAS_RATE - 1] |= 128;
- STORE(s, XOR128(LOAD(s), LOAD(t)));
- STORE(s + 16, XOR128(LOAD(s + 16), LOAD(t + 16)));
-}
-
-static void haraka_S_absorb4x(unsigned char *s,
- const unsigned char *m0,
- const unsigned char *m1,
- const unsigned char *m2,
- const unsigned char *m3,
- unsigned long long int mlen,
- unsigned char p,
- const harakactx *state) {
- unsigned long long i;
- unsigned char t0[HARAKAS_RATE];
- unsigned char t1[HARAKAS_RATE];
- unsigned char t2[HARAKAS_RATE];
- unsigned char t3[HARAKAS_RATE];
-
- while (mlen
>= HARAKAS_RATE) {
- // XOR block to state
- STORE(s, XOR128(LOAD(s), LOAD(m0)));
- STORE(s + 16, XOR128(LOAD(s + 16), LOAD(m0 + 16)));
- STORE(s + 64, XOR128(LOAD(s + 64), LOAD(m1)));
- STORE(s + 80, XOR128(LOAD(s + 80), LOAD(m1 + 16)));
- STORE(s + 128, XOR128(LOAD(s + 128), LOAD(m2)));
- STORE(s + 144, XOR128(LOAD(s + 144), LOAD(m2 + 16)));
- STORE(s + 192, XOR128(LOAD(s + 192), LOAD(m3)));
- STORE(s + 208, XOR128(LOAD(s + 208), LOAD(m3 + 16)));
-
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka512_perm_x4(s, s, state);
- mlen -= HARAKAS_RATE;
- m0 += HARAKAS_RATE;
- m1 += HARAKAS_RATE;
- m2 += HARAKAS_RATE;
- m3 += HARAKAS_RATE;
- }
-
- for (i = 0; i < HARAKAS_RATE; ++i) {
- t0[i] = 0;
- t1[i] = 0;
- t2[i] = 0;
- t3[i] = 0;
- }
- for (i = 0; i < mlen; ++i) {
- t0[i] = m0[i];
- t1[i] = m1[i];
- t2[i] = m2[i];
- t3[i] = m3[i];
- }
-
- t0[i] = p;
- t1[i] = p;
- t2[i] = p;
- t3[i] = p;
-
- t0[HARAKAS_RATE - 1] |= 128;
- t1[HARAKAS_RATE - 1] |= 128;
- t2[HARAKAS_RATE - 1] |= 128;
- t3[HARAKAS_RATE - 1] |= 128;
-
- STORE(s, XOR128(LOAD(s), LOAD(t0)));
- STORE(s + 16, XOR128(LOAD(s + 16), LOAD(t0 + 16)));
- STORE(s + 64, XOR128(LOAD(s + 64), LOAD(t1)));
- STORE(s + 80, XOR128(LOAD(s + 80), LOAD(t1 + 16)));
- STORE(s + 128, XOR128(LOAD(s + 128), LOAD(t2)));
- STORE(s + 144, XOR128(LOAD(s + 144), LOAD(t2 + 16)));
- STORE(s + 192, XOR128(LOAD(s + 192), LOAD(t3)));
- STORE(s + 208, XOR128(LOAD(s + 208), LOAD(t3 + 16)));
-}
-
-static void haraka_S_squeezeblocks(unsigned char *h, unsigned long long nblocks,
- unsigned char *s, unsigned int r, const harakactx *state) {
- while (nblocks > 0) {
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka512_perm(s, s, state);
- STORE(h, LOAD(s));
- STORE(h + 16, LOAD(s + 16));
- h += r;
- nblocks--;
- }
-}
-
-static void haraka_S_squeezeblocks4x(unsigned char *h0,
- unsigned char *h1,
- unsigned char *h2,
- unsigned char *h3,
- unsigned long long nblocks,
- unsigned char *s,
- unsigned int r,
- const harakactx *state) {
- while (nblocks > 0)
{ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka512_perm_x4(s, s, state); - STORE(h0, LOAD(s)); - STORE(h0 + 16, LOAD(s + 16)); - STORE(h1, LOAD(s + 64)); - STORE(h1 + 16, LOAD(s + 80)); - STORE(h2, LOAD(s + 128)); - STORE(h2 + 16, LOAD(s + 144)); - STORE(h3, LOAD(s + 192)); - STORE(h3 + 16, LOAD(s + 208)); - h0 += r; - h1 += r; - h2 += r; - h3 += r; - nblocks--; - } -} - -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka_S_inc_init(uint8_t *s_inc) { - size_t i; - - for (i = 0; i < 64; i++) { - s_inc[i] = 0; - } - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state) { - size_t i; - - /* Recall that s_inc[64] is the non-absorbed bytes xored into the state */ - while (mlen + s_inc[64] >= HARAKAS_RATE) { - for (i = 0; i < (size_t)(HARAKAS_RATE - s_inc[64]); i++) { - /* Take the i'th byte from message - xor with the s_inc[64] + i'th byte of the state */ - s_inc[s_inc[64] + i] ^= m[i]; - } - mlen -= (size_t)(HARAKAS_RATE - s_inc[64]); - m += HARAKAS_RATE - s_inc[64]; - s_inc[64] = 0; - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka512_perm(s_inc, s_inc, state); - } - - for (i = 0; i < mlen; i++) { - s_inc[s_inc[64] + i] ^= m[i]; - } - s_inc[64] = (uint8_t)(s_inc[64] + mlen); -} - -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka_S_inc_finalize(uint8_t *s_inc) { - /* After haraka_S_inc_absorb, we are guaranteed that s_inc[64] < HARAKAS_RATE, - so we can always use one more byte for p in the current state. */ - s_inc[s_inc[64]] ^= 0x1F; - s_inc[HARAKAS_RATE - 1] ^= 128; - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state) { - size_t i; - - /* First consume any bytes we still have sitting around */ - for (i = 0; i < outlen && i < s_inc[64]; i++) { - /* There are s_inc[64] bytes left, so r - s_inc[64] is the first - available byte. We consume from there, i.e., up to r. 
*/
- out[i] = (uint8_t)s_inc[(HARAKAS_RATE - s_inc[64] + (uint8_t)i)];
- }
- out += i;
- outlen -= i;
- s_inc[64] = (uint8_t)(s_inc[64] - i);
-
- /* Then squeeze the remaining necessary blocks */
- while (outlen > 0) {
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka512_perm(s_inc, s_inc, state);
-
- for (i = 0; i < outlen && i < HARAKAS_RATE; i++) {
- out[i] = s_inc[i];
- }
- out += i;
- outlen -= i;
- s_inc[64] = (uint8_t)(HARAKAS_RATE - i);
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka_S(unsigned char *out, unsigned long long outlen,
- const unsigned char *in, unsigned long long inlen, const harakactx *state) {
- unsigned long long i;
- unsigned char s[64];
- unsigned char d[32];
-
- for (i = 0; i < 64; i++) {
- s[i] = 0;
- }
- haraka_S_absorb(s, in, inlen, 0x1F, state);
-
- haraka_S_squeezeblocks(out, outlen / HARAKAS_RATE, s, HARAKAS_RATE, state);
- out += (outlen / HARAKAS_RATE) * HARAKAS_RATE;
-
- if (outlen % HARAKAS_RATE) {
- haraka_S_squeezeblocks(d, 1, s, HARAKAS_RATE, state);
- for (i = 0; i < outlen % HARAKAS_RATE; i++) {
- out[i] = d[i];
- }
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka_Sx4(unsigned char *out0,
- unsigned char *out1,
- unsigned char *out2,
- unsigned char *out3,
- unsigned long long outlen,
- const unsigned char *in0,
- const unsigned char *in1,
- const unsigned char *in2,
- const unsigned char *in3,
- unsigned long long inlen,
- const harakactx *state) {
- unsigned long long i;
- unsigned char s[64 * 4];
- unsigned char d0[32];
- unsigned char d1[32];
- unsigned char d2[32];
- unsigned char d3[32];
-
- for (i = 0; i < 64 * 4; i++) {
- s[i] = 0;
- }
- haraka_S_absorb4x(s, in0, in1, in2, in3, inlen, 0x1F, state);
-
- haraka_S_squeezeblocks4x(out0, out1, out2, out3, outlen / HARAKAS_RATE, s, HARAKAS_RATE, state);
- out0 += (outlen / HARAKAS_RATE) * HARAKAS_RATE;
- out1 += (outlen / HARAKAS_RATE) * HARAKAS_RATE;
- out2 += (outlen / HARAKAS_RATE) * HARAKAS_RATE;
- out3 += (outlen / HARAKAS_RATE) * HARAKAS_RATE;
-
- if (outlen % HARAKAS_RATE) {
- haraka_S_squeezeblocks4x(d0, d1, d2, d3, 1, s, HARAKAS_RATE, state);
- for (i = 0; i < outlen % HARAKAS_RATE; i++) {
- out0[i] = d0[i];
- out1[i] = d1[i];
- out2[i] = d2[i];
- out3[i] = d3[i];
- }
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state) {
- u128 s[4], tmp;
-
- s[0] = LOAD(in);
- s[1] = LOAD(in + 16);
- s[2] = LOAD(in + 32);
- s[3] = LOAD(in + 48);
-
- AES4(s[0], s[1], s[2], s[3], state->rc);
- MIX4(s[0], s[1], s[2], s[3]);
-
- AES4(s[0], s[1], s[2], s[3], state->rc + 8);
- MIX4(s[0], s[1], s[2], s[3]);
-
- AES4(s[0], s[1], s[2], s[3], state->rc + 16);
- MIX4(s[0], s[1], s[2], s[3]);
-
- AES4(s[0], s[1], s[2], s[3], state->rc + 24);
- MIX4(s[0], s[1], s[2], s[3]);
-
- AES4(s[0], s[1], s[2], s[3], state->rc + 32);
- MIX4(s[0], s[1], s[2], s[3]);
-
- STORE(out, s[0]);
- STORE(out + 16, s[1]);
- STORE(out + 32, s[2]);
- STORE(out + 48, s[3]);
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka512_perm_x4(unsigned char *out, const unsigned char *in, const harakactx *state) {
- u128 s[4][4], tmp;
-
- s[0][0] = LOAD(in);
- s[0][1] = LOAD(in + 16);
- s[0][2] = LOAD(in + 32);
- s[0][3] = LOAD(in + 48);
- s[1][0] = LOAD(in + 64);
- s[1][1] = LOAD(in + 80);
- s[1][2] = LOAD(in + 96);
- s[1][3] = LOAD(in + 112);
- s[2][0] = LOAD(in + 128);
- s[2][1] = LOAD(in + 144);
- s[2][2] = LOAD(in + 160);
- s[2][3] = LOAD(in + 176);
- s[3][0] = LOAD(in + 192);
- s[3][1] = LOAD(in + 208);
- s[3][2] = LOAD(in + 224);
- s[3][3] = LOAD(in + 240);
-
- AES4_4x(s[0], s[1], s[2], s[3], state->rc);
- MIX4(s[0][0], s[0][1], s[0][2], s[0][3]);
- MIX4(s[1][0], s[1][1], s[1][2], s[1][3]);
- MIX4(s[2][0], s[2][1], s[2][2], s[2][3]);
- MIX4(s[3][0], s[3][1], s[3][2], s[3][3]);
-
- AES4_4x(s[0], s[1], s[2], s[3], state->rc + 8);
- MIX4(s[0][0], s[0][1], s[0][2], s[0][3]);
- MIX4(s[1][0], s[1][1], s[1][2], s[1][3]);
- MIX4(s[2][0], s[2][1], s[2][2], s[2][3]);
-
MIX4(s[3][0], s[3][1], s[3][2], s[3][3]);
-
- AES4_4x(s[0], s[1], s[2], s[3], state->rc + 16);
- MIX4(s[0][0], s[0][1], s[0][2], s[0][3]);
- MIX4(s[1][0], s[1][1], s[1][2], s[1][3]);
- MIX4(s[2][0], s[2][1], s[2][2], s[2][3]);
- MIX4(s[3][0], s[3][1], s[3][2], s[3][3]);
-
- AES4_4x(s[0], s[1], s[2], s[3], state->rc + 24);
- MIX4(s[0][0], s[0][1], s[0][2], s[0][3]);
- MIX4(s[1][0], s[1][1], s[1][2], s[1][3]);
- MIX4(s[2][0], s[2][1], s[2][2], s[2][3]);
- MIX4(s[3][0], s[3][1], s[3][2], s[3][3]);
-
- AES4_4x(s[0], s[1], s[2], s[3], state->rc + 32);
- MIX4(s[0][0], s[0][1], s[0][2], s[0][3]);
- MIX4(s[1][0], s[1][1], s[1][2], s[1][3]);
- MIX4(s[2][0], s[2][1], s[2][2], s[2][3]);
- MIX4(s[3][0], s[3][1], s[3][2], s[3][3]);
-
- STORE(out, s[0][0]);
- STORE(out + 16, s[0][1]);
- STORE(out + 32, s[0][2]);
- STORE(out + 48, s[0][3]);
- STORE(out + 64, s[1][0]);
- STORE(out + 80, s[1][1]);
- STORE(out + 96, s[1][2]);
- STORE(out + 112, s[1][3]);
- STORE(out + 128, s[2][0]);
- STORE(out + 144, s[2][1]);
- STORE(out + 160, s[2][2]);
- STORE(out + 176, s[2][3]);
- STORE(out + 192, s[3][0]);
- STORE(out + 208, s[3][1]);
- STORE(out + 224, s[3][2]);
- STORE(out + 240, s[3][3]);
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state) {
- u128 s[4], tmp;
-
- s[0] = LOAD(in);
- s[1] = LOAD(in + 16);
- s[2] = LOAD(in + 32);
- s[3] = LOAD(in + 48);
-
- AES4(s[0], s[1], s[2], s[3], state->rc);
- MIX4(s[0], s[1], s[2], s[3]);
-
- AES4(s[0], s[1], s[2], s[3], state->rc + 8);
- MIX4(s[0], s[1], s[2], s[3]);
-
- AES4(s[0], s[1], s[2], s[3], state->rc + 16);
- MIX4(s[0], s[1], s[2], s[3]);
-
- AES4(s[0], s[1], s[2], s[3], state->rc + 24);
- MIX4(s[0], s[1], s[2], s[3]);
-
- AES4(s[0], s[1], s[2], s[3], state->rc + 32);
- MIX4(s[0], s[1], s[2], s[3]);
-
- s[0] = XOR128(s[0], LOAD(in));
- s[1] = XOR128(s[1], LOAD(in + 16));
- s[2] = XOR128(s[2], LOAD(in + 32));
- s[3] = XOR128(s[3], LOAD(in + 48));
-
- // truncate and
store result
- TRUNCSTORE(out, s[0], s[1], s[2], s[3]);
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka512x4(unsigned char *out, const unsigned char *in, const harakactx *state) {
- u128 s[4][4], tmp;
-
- s[0][0] = LOAD(in);
- s[0][1] = LOAD(in + 16);
- s[0][2] = LOAD(in + 32);
- s[0][3] = LOAD(in + 48);
- s[1][0] = LOAD(in + 64);
- s[1][1] = LOAD(in + 80);
- s[1][2] = LOAD(in + 96);
- s[1][3] = LOAD(in + 112);
- s[2][0] = LOAD(in + 128);
- s[2][1] = LOAD(in + 144);
- s[2][2] = LOAD(in + 160);
- s[2][3] = LOAD(in + 176);
- s[3][0] = LOAD(in + 192);
- s[3][1] = LOAD(in + 208);
- s[3][2] = LOAD(in + 224);
- s[3][3] = LOAD(in + 240);
-
- AES4_4x(s[0], s[1], s[2], s[3], state->rc);
- MIX4(s[0][0], s[0][1], s[0][2], s[0][3]);
- MIX4(s[1][0], s[1][1], s[1][2], s[1][3]);
- MIX4(s[2][0], s[2][1], s[2][2], s[2][3]);
- MIX4(s[3][0], s[3][1], s[3][2], s[3][3]);
-
- AES4_4x(s[0], s[1], s[2], s[3], state->rc + 8);
- MIX4(s[0][0], s[0][1], s[0][2], s[0][3]);
- MIX4(s[1][0], s[1][1], s[1][2], s[1][3]);
- MIX4(s[2][0], s[2][1], s[2][2], s[2][3]);
- MIX4(s[3][0], s[3][1], s[3][2], s[3][3]);
-
- AES4_4x(s[0], s[1], s[2], s[3], state->rc + 16);
- MIX4(s[0][0], s[0][1], s[0][2], s[0][3]);
- MIX4(s[1][0], s[1][1], s[1][2], s[1][3]);
- MIX4(s[2][0], s[2][1], s[2][2], s[2][3]);
- MIX4(s[3][0], s[3][1], s[3][2], s[3][3]);
-
- AES4_4x(s[0], s[1], s[2], s[3], state->rc + 24);
- MIX4(s[0][0], s[0][1], s[0][2], s[0][3]);
- MIX4(s[1][0], s[1][1], s[1][2], s[1][3]);
- MIX4(s[2][0], s[2][1], s[2][2], s[2][3]);
- MIX4(s[3][0], s[3][1], s[3][2], s[3][3]);
-
- AES4_4x(s[0], s[1], s[2], s[3], state->rc + 32);
- MIX4(s[0][0], s[0][1], s[0][2], s[0][3]);
- MIX4(s[1][0], s[1][1], s[1][2], s[1][3]);
- MIX4(s[2][0], s[2][1], s[2][2], s[2][3]);
- MIX4(s[3][0], s[3][1], s[3][2], s[3][3]);
-
- s[0][0] = XOR128(s[0][0], LOAD(in));
- s[0][1] = XOR128(s[0][1], LOAD(in + 16));
- s[0][2] = XOR128(s[0][2], LOAD(in + 32));
- s[0][3] = XOR128(s[0][3], LOAD(in + 48));
- s[1][0] = XOR128(s[1][0], LOAD(in +
64));
- s[1][1] = XOR128(s[1][1], LOAD(in + 80));
- s[1][2] = XOR128(s[1][2], LOAD(in + 96));
- s[1][3] = XOR128(s[1][3], LOAD(in + 112));
- s[2][0] = XOR128(s[2][0], LOAD(in + 128));
- s[2][1] = XOR128(s[2][1], LOAD(in + 144));
- s[2][2] = XOR128(s[2][2], LOAD(in + 160));
- s[2][3] = XOR128(s[2][3], LOAD(in + 176));
- s[3][0] = XOR128(s[3][0], LOAD(in + 192));
- s[3][1] = XOR128(s[3][1], LOAD(in + 208));
- s[3][2] = XOR128(s[3][2], LOAD(in + 224));
- s[3][3] = XOR128(s[3][3], LOAD(in + 240));
-
- TRUNCSTORE(out, s[0][0], s[0][1], s[0][2], s[0][3]);
- TRUNCSTORE((out + 32), s[1][0], s[1][1], s[1][2], s[1][3]);
- TRUNCSTORE((out + 64), s[2][0], s[2][1], s[2][2], s[2][3]);
- TRUNCSTORE((out + 96), s[3][0], s[3][1], s[3][2], s[3][3]);
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state) {
- u128 s[2], tmp;
-
- s[0] = LOAD(in);
- s[1] = LOAD(in + 16);
-
- AES2(s[0], s[1], state->rc);
- MIX2(s[0], s[1]);
-
- AES2(s[0], s[1], state->rc + 4);
- MIX2(s[0], s[1]);
-
- AES2(s[0], s[1], state->rc + 8);
- MIX2(s[0], s[1]);
-
- AES2(s[0], s[1], state->rc + 12);
- MIX2(s[0], s[1]);
-
- AES2(s[0], s[1], state->rc + 16);
- MIX2(s[0], s[1]);
-
- s[0] = XOR128(s[0], LOAD(in));
- s[1] = XOR128(s[1], LOAD(in + 16));
-
- STORE(out, s[0]);
- STORE(out + 16, s[1]);
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka256x4(unsigned char *out, const unsigned char *in, const harakactx *state) {
- u128 s[4][2], tmp;
-
- s[0][0] = LOAD(in);
- s[0][1] = LOAD(in + 16);
- s[1][0] = LOAD(in + 32);
- s[1][1] = LOAD(in + 48);
- s[2][0] = LOAD(in + 64);
- s[2][1] = LOAD(in + 80);
- s[3][0] = LOAD(in + 96);
- s[3][1] = LOAD(in + 112);
-
- // Round 1
- AES2_4x(s[0], s[1], s[2], s[3], state->rc);
-
- MIX2(s[0][0], s[0][1]);
- MIX2(s[1][0], s[1][1]);
- MIX2(s[2][0], s[2][1]);
- MIX2(s[3][0], s[3][1]);
-
- // Round 2
- AES2_4x(s[0], s[1], s[2], s[3], state->rc + 4);
-
- MIX2(s[0][0], s[0][1]);
- MIX2(s[1][0], s[1][1]);
-
MIX2(s[2][0], s[2][1]);
- MIX2(s[3][0], s[3][1]);
-
- // Round 3
- AES2_4x(s[0], s[1], s[2], s[3], state->rc + 8);
-
- MIX2(s[0][0], s[0][1]);
- MIX2(s[1][0], s[1][1]);
- MIX2(s[2][0], s[2][1]);
- MIX2(s[3][0], s[3][1]);
-
- // Round 4
- AES2_4x(s[0], s[1], s[2], s[3], state->rc + 12);
-
- MIX2(s[0][0], s[0][1]);
- MIX2(s[1][0], s[1][1]);
- MIX2(s[2][0], s[2][1]);
- MIX2(s[3][0], s[3][1]);
-
- // Round 5
- AES2_4x(s[0], s[1], s[2], s[3], state->rc + 16);
-
- MIX2(s[0][0], s[0][1]);
- MIX2(s[1][0], s[1][1]);
- MIX2(s[2][0], s[2][1]);
- MIX2(s[3][0], s[3][1]);
-
- // Feed Forward
- s[0][0] = _mm_xor_si128(s[0][0], LOAD(in));
- s[0][1] = _mm_xor_si128(s[0][1], LOAD(in + 16));
- s[1][0] = _mm_xor_si128(s[1][0], LOAD(in + 32));
- s[1][1] = _mm_xor_si128(s[1][1], LOAD(in + 48));
- s[2][0] = _mm_xor_si128(s[2][0], LOAD(in + 64));
- s[2][1] = _mm_xor_si128(s[2][1], LOAD(in + 80));
- s[3][0] = _mm_xor_si128(s[3][0], LOAD(in + 96));
- s[3][1] = _mm_xor_si128(s[3][1], LOAD(in + 112));
-
- STORE(out, s[0][0]);
- STORE(out + 16, s[0][1]);
- STORE(out + 32, s[1][0]);
- STORE(out + 48, s[1][1]);
- STORE(out + 64, s[2][0]);
- STORE(out + 80, s[2][1]);
- STORE(out + 96, s[3][0]);
- STORE(out + 112, s[3][1]);
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state) {
- u128 s[2], tmp;
-
- s[0] = LOAD(in);
- s[1] = LOAD(in + 16);
-
- AES2(s[0], s[1], state->rc_sseed);
- MIX2(s[0], s[1]);
-
- AES2(s[0], s[1], state->rc_sseed + 4);
- MIX2(s[0], s[1]);
-
- AES2(s[0], s[1], state->rc_sseed + 8);
- MIX2(s[0], s[1]);
-
- AES2(s[0], s[1], state->rc_sseed + 12);
- MIX2(s[0], s[1]);
-
- AES2(s[0], s[1], state->rc_sseed + 16);
- MIX2(s[0], s[1]);
-
- s[0] = XOR128(s[0], LOAD(in));
- s[1] = XOR128(s[1], LOAD(in + 16));
-
- STORE(out, s[0]);
- STORE(out + 16, s[1]);
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka256_skx4(unsigned char *out, const unsigned char *in, const harakactx *state) {
- u128 s[4][2], tmp;
-
-
s[0][0] = LOAD(in);
- s[0][1] = LOAD(in + 16);
- s[1][0] = LOAD(in + 32);
- s[1][1] = LOAD(in + 48);
- s[2][0] = LOAD(in + 64);
- s[2][1] = LOAD(in + 80);
- s[3][0] = LOAD(in + 96);
- s[3][1] = LOAD(in + 112);
-
- // Round 1
- AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed);
-
- MIX2(s[0][0], s[0][1]);
- MIX2(s[1][0], s[1][1]);
- MIX2(s[2][0], s[2][1]);
- MIX2(s[3][0], s[3][1]);
-
- // Round 2
- AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 4);
-
- MIX2(s[0][0], s[0][1]);
- MIX2(s[1][0], s[1][1]);
- MIX2(s[2][0], s[2][1]);
- MIX2(s[3][0], s[3][1]);
-
- // Round 3
- AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 8);
-
- MIX2(s[0][0], s[0][1]);
- MIX2(s[1][0], s[1][1]);
- MIX2(s[2][0], s[2][1]);
- MIX2(s[3][0], s[3][1]);
-
- // Round 4
- AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 12);
-
- MIX2(s[0][0], s[0][1]);
- MIX2(s[1][0], s[1][1]);
- MIX2(s[2][0], s[2][1]);
- MIX2(s[3][0], s[3][1]);
-
- // Round 5
- AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 16);
-
- MIX2(s[0][0], s[0][1]);
- MIX2(s[1][0], s[1][1]);
- MIX2(s[2][0], s[2][1]);
- MIX2(s[3][0], s[3][1]);
-
- // Feed Forward
- s[0][0] = XOR128(s[0][0], LOAD(in));
- s[0][1] = XOR128(s[0][1], LOAD(in + 16));
- s[1][0] = XOR128(s[1][0], LOAD(in + 32));
- s[1][1] = XOR128(s[1][1], LOAD(in + 48));
- s[2][0] = XOR128(s[2][0], LOAD(in + 64));
- s[2][1] = XOR128(s[2][1], LOAD(in + 80));
- s[3][0] = XOR128(s[3][0], LOAD(in + 96));
- s[3][1] = XOR128(s[3][1], LOAD(in + 112));
-
- STORE(out, s[0][0]);
- STORE(out + 16, s[0][1]);
- STORE(out + 32, s[1][0]);
- STORE(out + 48, s[1][1]);
- STORE(out + 64, s[2][0]);
- STORE(out + 80, s[2][1]);
- STORE(out + 96, s[3][0]);
- STORE(out + 112, s[3][1]);
-}
diff --git a/crypto_sign/sphincs-haraka-256f-simple/aesni/haraka.h b/crypto_sign/sphincs-haraka-256f-simple/aesni/haraka.h
deleted file mode 100644
index 147f179b..00000000
--- a/crypto_sign/sphincs-haraka-256f-simple/aesni/haraka.h
+++ /dev/null
@@ -1,57 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_HARAKA_H
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_HARAKA_H
-
-#include
-#include
-#include
-
-typedef struct {
- __m128i rc[40];
- __m128i rc_sseed[40];
-} harakactx;
-
-/* Tweak constants with seed */
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length);
-
-/* Haraka Sponge */
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka_S_inc_init(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka_S_inc_finalize(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka_S(
- unsigned char *out, unsigned long long outlen,
- const unsigned char *in, unsigned long long inlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka_Sx4(
- unsigned char *out0,
- unsigned char *out1,
- unsigned char *out2,
- unsigned char *out3,
- unsigned long long outlen,
- const unsigned char *in0,
- const unsigned char *in1,
- const unsigned char *in2,
- const unsigned char *in3,
- unsigned long long inlen,
- const harakactx *state);
-
-
-/* Applies the 512-bit Haraka permutation to in.
*/
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka512_perm_x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-512 */
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka512x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 */
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka256x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 using sk.seed constants */
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka256_skx4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-simple/aesni/hash.h b/crypto_sign/sphincs-haraka-256f-simple/aesni/hash.h
deleted file mode 100644
index 0baa004d..00000000
--- a/crypto_sign/sphincs-haraka-256f-simple/aesni/hash.h
+++ /dev/null
@@ -1,31 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_HASH_H
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_HASH_H
-
-#include "hash_state.h"
-
-#include
-#include
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed);
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_destroy_hash_function(hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-simple/aesni/hash_haraka.c b/crypto_sign/sphincs-haraka-256f-simple/aesni/hash_haraka.c
deleted file mode 100644
index 3a86f12b..00000000
--- a/crypto_sign/sphincs-haraka-256f-simple/aesni/hash_haraka.c
+++ /dev/null
@@ -1,96 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "hash.h" -#include "params.h" -#include "utils.h" - -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_initialize_hash_function( - hash_state *hash_state_seeded, - const unsigned char *pub_seed, const unsigned char *sk_seed) { - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_tweak_constants(hash_state_seeded, pub_seed, sk_seed, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); -} - -/* The haraka implementation is stack based and won't be replaced in PQClean/OQS, - so we don't need to do anything */ -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_destroy_hash_function( - hash_state *hash_state_seeded) { // NOLINT(readability-non-const-parameter) - (void)hash_state_seeded; -} - -/* - * Computes PRF(key, addr), given a secret key of PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N bytes and an address - */ -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_prf_addr( - unsigned char *out, const unsigned char *key, const uint32_t addr[8], - const hash_state *hash_state_seeded) { - unsigned char buf[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_BYTES]; - /* Since PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N may be smaller than 32, we need a temporary buffer. */ - unsigned char outbuf[32]; - - (void)key; /* Suppress an 'unused parameter' warning. */ - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_addr_to_bytes(buf, addr); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka256_sk(outbuf, buf, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); -} - -/** - * Computes the message-dependent randomness R, using a secret seed and an - * optional randomization value as well as the message. 
- */ -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_gen_message_random( - unsigned char *R, - const unsigned char *sk_prf, const unsigned char *optrand, - const unsigned char *m, size_t mlen, - const hash_state *hash_state_seeded) { - uint8_t s_inc[65]; - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka_S_inc_init(s_inc); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, sk_prf, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, optrand, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka_S_inc_finalize(s_inc); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka_S_inc_squeeze(R, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, s_inc, hash_state_seeded); -} - -/** - * Computes the message hash using R, the public key, and the message. - * Outputs the message digest and the index of the leaf. The index is split in - * the tree index and the leaf index, for convenient copying to an address. 
- */ -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_hash_message( - unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx, - const unsigned char *R, const unsigned char *pk, - const unsigned char *m, size_t mlen, - const hash_state *hash_state_seeded) { -#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_TREE_BITS (PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_TREE_HEIGHT * (PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_D - 1)) -#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_TREE_BYTES ((PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_TREE_BITS + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_LEAF_BITS PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_TREE_HEIGHT -#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_LEAF_BYTES ((PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_LEAF_BITS + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_DGST_BYTES (PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_MSG_BYTES + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_TREE_BYTES + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_LEAF_BYTES) - - unsigned char buf[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_DGST_BYTES]; - unsigned char *bufp = buf; - uint8_t s_inc[65]; - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka_S_inc_init(s_inc); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, R, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, pk + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka_S_inc_finalize(s_inc); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka_S_inc_squeeze(buf, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_DGST_BYTES, s_inc, hash_state_seeded); - - memcpy(digest, bufp, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_MSG_BYTES); - bufp += PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_MSG_BYTES; - - *tree = PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_bytes_to_ull(bufp, 
PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_TREE_BYTES); - *tree &= (~(uint64_t)0) >> (64 - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_TREE_BITS); - bufp += PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_TREE_BYTES; - - *leaf_idx = (uint32_t)PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_bytes_to_ull( - bufp, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_LEAF_BYTES); - *leaf_idx &= (~(uint32_t)0) >> (32 - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_LEAF_BITS); -} diff --git a/crypto_sign/sphincs-haraka-256f-simple/aesni/hash_harakax4.c b/crypto_sign/sphincs-haraka-256f-simple/aesni/hash_harakax4.c deleted file mode 100644 index 2a938ad2..00000000 --- a/crypto_sign/sphincs-haraka-256f-simple/aesni/hash_harakax4.c +++ /dev/null @@ -1,37 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "hash_state.h" -#include "hashx4.h" -#include "params.h" - -/* - * 4-way parallel version of prf_addr; takes 4x as much input and output - */ -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_prf_addrx4(unsigned char *out0, - unsigned char *out1, - unsigned char *out2, - unsigned char *out3, - const unsigned char *key, - const uint32_t addrx4[4 * 8], - const hash_state *state_seeded) { - unsigned char bufx4[4 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_BYTES]; - /* Since PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N may be smaller than 32, we need a temporary buffer. */ - unsigned char outbuf[4 * 32]; - unsigned int i; - - (void)key; /* Suppress an 'unused parameter' warning. */ - - for (i = 0; i < 4; i++) { - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_addr_to_bytes(bufx4 + i * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_BYTES, addrx4 + i * 8); - } - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka256_skx4(outbuf, bufx4, state_seeded); - - memcpy(out0, outbuf, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); - memcpy(out1, outbuf + 32, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); - memcpy(out2, outbuf + 64, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); - memcpy(out3, outbuf + 96, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); -} 
diff --git a/crypto_sign/sphincs-haraka-256f-simple/aesni/hash_state.h b/crypto_sign/sphincs-haraka-256f-simple/aesni/hash_state.h deleted file mode 100644 index a61180ae..00000000 --- a/crypto_sign/sphincs-haraka-256f-simple/aesni/hash_state.h +++ /dev/null @@ -1,26 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_HASH_STATE_H -#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_HASH_STATE_H - -/** - * Defines the type of the hash function state. - * - * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! - * - * From Section 7.2.2 from the SPHINCS+ round-2 specification: - * - * Each of the instances of the tweakable hash function take PK.seed as its - * first input, which is constant for a given key pair – and, thus, across - * a single signature. This leads to a lot of redundant computation. To remedy - * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. - * Because of the Merkle-Damgård construction that underlies SHA-256, this - * allows for reuse of the intermediate SHA-256 state after the initial call to - * the compression function which improves performance. - * - * We pass this hash state around in functions, because otherwise we need to - * have a global variable. - */ - -#include "haraka.h" -#define hash_state harakactx - -#endif diff --git a/crypto_sign/sphincs-haraka-256f-simple/aesni/hashx4.h b/crypto_sign/sphincs-haraka-256f-simple/aesni/hashx4.h deleted file mode 100644 index aaf73a57..00000000 --- a/crypto_sign/sphincs-haraka-256f-simple/aesni/hashx4.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_HASHX4_H -#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_HASHX4_H - -#include - -#include "hash_state.h" - -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_prf_addrx4(unsigned char *out0, - unsigned char *out1, - unsigned char *out2, - unsigned char *out3, - const unsigned char *key, - const uint32_t addrx4[4 * 8], - const hash_state *state_seeded); - -#endif 
diff --git a/crypto_sign/sphincs-haraka-256f-simple/aesni/params.h
deleted file mode 100644
index 1e12a268..00000000
--- a/crypto_sign/sphincs-haraka-256f-simple/aesni/params.h
+++ /dev/null
@@ -1,53 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_PARAMS_H
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_PARAMS_H
-
-/* Hash output length in bytes. */
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N 32
-/* Height of the hypertree. */
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FULL_HEIGHT 68
-/* Number of subtree layer. */
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_D 17
-/* FORS tree dimensions. */
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_HEIGHT 10
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_TREES 30
-/* Winternitz parameter, */
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_W 16
-
-/* The hash function is defined by linking a different hash.c file, as opposed
- to setting a #define constant. */
-
-/* For clarity */
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_BYTES 32
-
-/* WOTS parameters. */
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_LOGW 4
-
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_LEN1 (8 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N / PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_LOGW)
-
-/* PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_LEN2 3
-
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_LEN (PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_LEN1 + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_LEN2)
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_BYTES (PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_LEN * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N)
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_PK_BYTES PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_BYTES
-
-/* Subtree size. */
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_TREE_HEIGHT (PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FULL_HEIGHT / PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_D)
-
-/* FORS parameters. 
*/
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_MSG_BYTES ((PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_TREES + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_BYTES ((PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_HEIGHT + 1) * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N)
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_PK_BYTES PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N
-
-/* Resulting SPX sizes. */
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_BYTES (PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_BYTES + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_D * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_BYTES +\
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FULL_HEIGHT * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N)
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_PK_BYTES (2 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N)
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_SK_BYTES (2 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_PK_BYTES)
-
-/* Optionally, signing can be made non-deterministic using optrand.
- This can help counter side-channel attacks that would benefit from
- getting a large number of traces when the signer uses the same nodes. */
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_OPTRAND_BYTES 32
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-simple/aesni/sign.c
deleted file mode 100644
index 1f31a08b..00000000
--- a/crypto_sign/sphincs-haraka-256f-simple/aesni/sign.c
+++ /dev/null
@@ -1,409 +0,0 @@ -#include -#include -#include -#include - -#include "address.h" -#include "api.h" -#include "fors.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "randombytes.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - - -/** - * Computes the leaf at a given address. First generates the WOTS key pair, - * then computes leaf by hashing horizontally. - */ -static void wots_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx, const uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - unsigned char pk[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_BYTES]; - uint32_t wots_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_TYPE_WOTSPK); - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_keypair_addr( - wots_addr, addr_idx); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_wots_gen_pk( - pk, sk_seed, pub_seed, wots_addr, hash_state_seeded); - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_copy_keypair_addr( - wots_pk_addr, wots_addr); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_thash_WOTS_LEN( - leaf, pk, pub_seed, wots_pk_addr, hash_state_seeded); -} - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_crypto_sign_secretkeybytes(void) { - return PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES; -} - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_crypto_sign_publickeybytes(void) { - return PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES; -} - -/* - * Returns the length of a signature, in bytes - */ -size_t 
PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_crypto_sign_bytes(void) { - return PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_CRYPTO_BYTES; -} - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_crypto_sign_seedbytes(void) { - return PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_CRYPTO_SEEDBYTES; -} - -/* - * Generates an SPX key pair given a seed of length - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_crypto_sign_seed_keypair( - uint8_t *pk, uint8_t *sk, const uint8_t *seed) { - /* We do not need the auth path in key generation, but it simplifies the - code to have just one treehash routine that computes both root and path - in one function. */ - unsigned char auth_path[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N]; - uint32_t top_tree_addr[8] = {0}; - hash_state hash_state_seeded; - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_layer_addr( - top_tree_addr, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_D - 1); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_type( - top_tree_addr, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_TYPE_HASHTREE); - - /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */ - memcpy(sk, seed, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_CRYPTO_SEEDBYTES); - - memcpy(pk, sk + 2 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_initialize_hash_function(&hash_state_seeded, pk, sk); - - /* Compute root node of the top-most subtree. 
*/ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_treehash_TREE_HEIGHT( - sk + 3 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, auth_path, sk, sk + 2 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, 0, 0, - wots_gen_leaf, top_tree_addr, &hash_state_seeded); - - memcpy(pk + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, sk + 3 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); - - return 0; -} - -/* - * Generates an SPX key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk) { - - // guarantee alignment of pk - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES / 16]; - uint8_t pk[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - - // guarantee alignment of sk - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES / 16]; - uint8_t sk[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES]; - } aligned_sk; - - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_CRYPTO_SEEDBYTES / 16]; - uint8_t seed[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_CRYPTO_SEEDBYTES]; - } aligned_seed; - randombytes(aligned_seed.seed, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_CRYPTO_SEEDBYTES); - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_crypto_sign_seed_keypair( - aligned_pk.pk, aligned_sk.sk, aligned_seed.seed); - memcpy(pk, aligned_pk.pk, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES); - memcpy(sk, aligned_sk.sk, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES); - - return 0; -} - -/** - * Returns an array containing a detached signature. 
- */ -int PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - // guarantee alignment of sk - union { - __m128 *_x; - uint8_t sk[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES]; - } aligned_sk; - memcpy(aligned_sk.sk, sk, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES); - sk = aligned_sk.sk; - - // guarantee alignment of sig - union { - __m128 *_x; - uint8_t sig[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_BYTES]; - } aligned_sig; - uint8_t *orig_sig = sig; - sig = (uint8_t *)aligned_sig.sig; - - const unsigned char *sk_seed = sk; - const unsigned char *sk_prf = sk + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N; - const unsigned char *pk = sk + 2 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N; - const unsigned char *pub_seed = pk; - - unsigned char optrand[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N]; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_MSG_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N]; - uint32_t i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - - hash_state hash_state_seeded; - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_initialize_hash_function( - &hash_state_seeded, - pub_seed, sk_seed); - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_TYPE_HASHTREE); - - /* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. 
*/ - randombytes(optrand, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); - /* Compute the digest randomization value. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_gen_message_random( - sig, sk_prf, optrand, m, mlen, &hash_state_seeded); - - /* Derive the message digest and leaf index from R, PK and M. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N; - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - /* Sign the message hash using FORS. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_fors_sign( - sig, root, mhash, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_BYTES; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_D; i++) { - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - /* Compute a WOTS signature. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_wots_sign( - sig, root, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_BYTES; - - /* Compute the authentication path for the used WOTS leaf. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_treehash_TREE_HEIGHT( - root, sig, sk_seed, pub_seed, idx_leaf, 0, - wots_gen_leaf, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N; - - /* Update the indices for the next layer. 
*/ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_TREE_HEIGHT; - } - - memcpy(orig_sig, aligned_sig.sig, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_BYTES); - *siglen = PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_BYTES; - - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - // guarantee alignment of pk - union { - __m128 *_x; - uint8_t pk[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - memcpy(aligned_pk.pk, pk, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES); - pk = aligned_pk.pk; - - const unsigned char *pub_seed = pk; - const unsigned char *pub_root = pk + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_MSG_BYTES]; - unsigned char wots_pk[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N]; - unsigned int i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - hash_state hash_state_seeded; - - if (siglen != PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_BYTES) { - return -1; - } - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_initialize_hash_function( - &hash_state_seeded, - pub_seed, NULL); - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_TYPE_HASHTREE); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_TYPE_WOTSPK); - - /* Derive the message digest and leaf index from R || PK || M. */ - /* The additional PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N is a result of the hash domain separator. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N; - - /* Layer correctly defaults to 0, so no need to set_layer_addr */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_fors_pk_from_sig( - root, sig, mhash, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_BYTES; - - /* For each subtree.. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_D; i++) { - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_copy_keypair_addr( - wots_pk_addr, wots_addr); - - /* The WOTS public key is only correct if the signature was correct. */ - /* Initially, root is the FORS pk, but on subsequent iterations it is - the root of the subtree below the currently processed subtree. 
*/ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_wots_pk_from_sig( - wots_pk, sig, root, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_BYTES; - - /* Compute the leaf node using the WOTS public key. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_thash_WOTS_LEN( - leaf, wots_pk, pub_seed, wots_pk_addr, &hash_state_seeded); - - /* Compute the root node of this subtree. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_compute_root( - root, leaf, idx_leaf, 0, sig, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_TREE_HEIGHT, - pub_seed, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_TREE_HEIGHT; - } - - /* Check if the root node equals the root node in the public key. */ - if (memcmp(root, pub_root, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N) != 0) { - return -1; - } - - return 0; -} - - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - size_t siglen; - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_crypto_sign_signature( - sm, &siglen, m, mlen, sk); - - memmove(sm + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_BYTES, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. 
- */ -int PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk) { - - // guarantee alignment of pk - union { - __m128 *_x; - uint8_t pk[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - memcpy(aligned_pk.pk, pk, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES); - pk = aligned_pk.pk; - - - /* The API caller does not necessarily know what size a signature should be - but SPHINCS+ signatures are always exactly PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_BYTES. */ - if (smlen < PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_BYTES) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_BYTES; - - if (PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_crypto_sign_verify( - sm, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_BYTES, sm + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_BYTES, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_BYTES, *mlen); - - return 0; -} diff --git a/crypto_sign/sphincs-haraka-256f-simple/aesni/thash.h b/crypto_sign/sphincs-haraka-256f-simple/aesni/thash.h deleted file mode 100644 index b763d64c..00000000 --- a/crypto_sign/sphincs-haraka-256f-simple/aesni/thash.h +++ /dev/null 
@@ -1,28 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_THASH_H -#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_THASH_H - -#include "hash_state.h" - -#include - -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-256f-simple/aesni/thash_haraka_simple.c b/crypto_sign/sphincs-haraka-256f-simple/aesni/thash_haraka_simple.c deleted file mode 100644 index 4594b74f..00000000 --- a/crypto_sign/sphincs-haraka-256f-simple/aesni/thash_haraka_simple.c +++ /dev/null 
@@ -1,83 +0,0 @@ -#include -#include - -#include "address.h" -#include "params.h" -#include "thash.h" - -#include "haraka.h" - -/** - * Takes an array of inblocks concatenated arrays of PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N bytes. - */ -static void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_thash( - unsigned char *out, unsigned char *buf, - const unsigned char *in, unsigned int inblocks, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char outbuf[32]; - unsigned char buf_tmp[64]; - - (void)pub_seed; /* Suppress an 'unused parameter' warning. */ - - if (inblocks == 1) { - /* F function */ - /* Since PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N may be smaller than 32, we need a temporary buffer. */ - memset(buf_tmp, 0, 64); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_addr_to_bytes(buf_tmp, addr); - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_BYTES, in, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka512(outbuf, buf_tmp, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); - } else { - /* All other tweakable hashes*/ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_addr_to_bytes(buf, addr); - memcpy(buf + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka_S( - out, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, buf, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_BYTES + inblocks * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, hash_state_seeded); - } -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_BYTES + 1 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N]; - 
PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_thash( - out, buf, in, 1, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_BYTES + 2 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N]; - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_thash( - out, buf, in, 2, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_LEN * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N]; - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_thash( - out, buf, in, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_LEN, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N]; - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_thash( - out, buf, in, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_TREES, pub_seed, addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-256f-simple/aesni/thash_haraka_simplex4.c b/crypto_sign/sphincs-haraka-256f-simple/aesni/thash_haraka_simplex4.c deleted file mode 100644 index a30d0e1c..00000000 --- a/crypto_sign/sphincs-haraka-256f-simple/aesni/thash_haraka_simplex4.c +++ /dev/null 
@@ -1,66 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "params.h" -#include "thashx4.h" - -/** - * 4-way parallel version of thash; takes 4x as much input and output - */ -#define thashx4_variant(name, inblocks) \ - void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_thashx4_##name(unsigned char *out0, unsigned char *out1, unsigned char *out2, \ - unsigned char *out3, const unsigned char *in0, \ - const unsigned char *in1, const unsigned char *in2, \ - const unsigned char *in3, const unsigned char *pub_seed, \ - uint32_t addrx4[4 * 8], const harakactx *state) { \ - unsigned char buf0[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N]; \ - unsigned char buf1[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N]; \ - unsigned char buf2[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N]; \ - unsigned char buf3[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N]; \ - unsigned char outbuf[32 * 4]; \ - unsigned char buf_tmp[64 * 4]; \ - \ - (void)pub_seed; /* Suppress an 'unused parameter' warning. 
*/ \ - \ - if ((inblocks) == 1) { \ - memset(buf_tmp, 0, 64 * 4); \ - \ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_addr_to_bytes(buf_tmp, addrx4 + 0 * 8); \ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_addr_to_bytes(buf_tmp + 64, addrx4 + 1 * 8); \ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_addr_to_bytes(buf_tmp + 128, addrx4 + 2 * 8); \ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_addr_to_bytes(buf_tmp + 192, addrx4 + 3 * 8); \ - \ - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_BYTES, in0, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); \ - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_BYTES + 64, in1, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); \ - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_BYTES + 128, in2, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); \ - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_BYTES + 192, in3, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); \ - \ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka512x4(outbuf, buf_tmp, state); \ - \ - memcpy(out0, outbuf, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); \ - memcpy(out1, outbuf + 32, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); \ - memcpy(out2, outbuf + 64, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); \ - memcpy(out3, outbuf + 96, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); \ - } else { \ - /* All other tweakable hashes*/ \ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_addr_to_bytes(buf0, addrx4 + 0 * 8); \ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_addr_to_bytes(buf1, addrx4 + 1 * 8); \ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_addr_to_bytes(buf2, addrx4 + 2 * 8); \ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_addr_to_bytes(buf3, addrx4 + 3 * 8); \ - \ - memcpy(buf0 + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_BYTES, in0, (inblocks)*PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); \ - memcpy(buf1 + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_BYTES, in1, (inblocks)*PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); \ - memcpy(buf2 + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_BYTES, in2, 
(inblocks)*PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); \ - memcpy(buf3 + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_BYTES, in3, (inblocks)*PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); \ - \ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_haraka_Sx4(out0, out1, out2, out3, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, buf0, buf1, buf2, buf3, \ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, state); \ - } \ - } - -thashx4_variant(1, 1) -thashx4_variant(2, 2) -thashx4_variant(WOTS_LEN, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_LEN) -thashx4_variant(FORS_TREES, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_TREES) diff --git a/crypto_sign/sphincs-haraka-256f-simple/aesni/thashx4.h b/crypto_sign/sphincs-haraka-256f-simple/aesni/thashx4.h deleted file mode 100644 index 3059b65c..00000000 --- a/crypto_sign/sphincs-haraka-256f-simple/aesni/thashx4.h +++ /dev/null @@ -1,25 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_THASHX4_H -#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_THASHX4_H - -#include - -#include "hash_state.h" - -#define thashx4_header(inblocks) \ - void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_thashx4_##inblocks(unsigned char *out0, \ - unsigned char *out1, \ - unsigned char *out2, \ - unsigned char *out3, \ - const unsigned char *in0, \ - const unsigned char *in1, \ - const unsigned char *in2, \ - const unsigned char *in3, \ - const unsigned char *pub_seed, uint32_t addrx4[4*8], \ - const hash_state *state_seeded) - -thashx4_header(1); -thashx4_header(2); -thashx4_header(WOTS_LEN); -thashx4_header(FORS_TREES); - -#endif diff --git a/crypto_sign/sphincs-haraka-256f-simple/aesni/utils.c b/crypto_sign/sphincs-haraka-256f-simple/aesni/utils.c deleted file mode 100644 index 93aa1844..00000000 --- a/crypto_sign/sphincs-haraka-256f-simple/aesni/utils.c +++ /dev/null 
@@ -1,199 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" -#include "utils.h" - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in) { - - /* Iterate over out in decreasing order, for big-endianness. */ - for (size_t i = outlen; i > 0; i--) { - out[i - 1] = in & 0xff; - in = in >> 8; - } -} - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_bytes_to_ull( - const unsigned char *in, size_t inlen) { - unsigned long long retval = 0; - - for (size_t i = 0; i < inlen; i++) { - retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i)); - } - return retval; -} - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - unsigned char buffer[2 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N]; - - /* If leaf_idx is odd (last bit = 1), current path element is a right child - and auth_path has to go left. Otherwise it is the other way around. 
*/ - if (leaf_idx & 1) { - memcpy(buffer + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, leaf, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); - } else { - memcpy(buffer, leaf, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, auth_path, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N; - - for (i = 0; i < tree_height - 1; i++) { - leaf_idx >>= 1; - idx_offset >>= 1; - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_tree_height(addr, i + 1); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_tree_index( - addr, leaf_idx + idx_offset); - - /* Pick the right or left neighbor, depending on parity of the node. */ - if (leaf_idx & 1) { - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_thash_2( - buffer + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); - } else { - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_thash_2( - buffer, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, auth_path, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N; - } - - /* The last iteration is exceptional; we do not copy an auth_path node. */ - leaf_idx >>= 1; - idx_offset >>= 1; - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_tree_height(addr, tree_height); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_tree_index( - addr, leaf_idx + idx_offset); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_thash_2( - root, buffer, pub_seed, addr, hash_state_seeded); -} - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. 
PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -static void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_treehash( - unsigned char *root, unsigned char *auth_path, - unsigned char *stack, unsigned int *heights, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - - unsigned int offset = 0; - uint32_t idx; - uint32_t tree_idx; - - for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) { - /* Add the next leaf node to the stack. */ - gen_leaf(stack + offset * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, - sk_seed, pub_seed, idx + idx_offset, tree_addr, - hash_state_seeded); - offset++; - heights[offset - 1] = 0; - - /* If this is a node we need for the auth path.. */ - if ((leaf_idx ^ 0x1) == idx) { - memcpy(auth_path, stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); - } - - /* While the top-most nodes are of equal height.. */ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { - /* Compute index of the new node, in the next layer. */ - tree_idx = (idx >> (heights[offset - 1] + 1)); - - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_tree_height( - tree_addr, heights[offset - 1] + 1); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_tree_index( - tree_addr, tree_idx + (idx_offset >> (heights[offset - 1] + 1))); - /* Hash the top-most nodes from the stack together. 
*/ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_thash_2( - stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, - pub_seed, tree_addr, hash_state_seeded); - offset--; - /* Note that the top-most node is now one layer higher. */ - heights[offset - 1]++; - - /* If this is a node we need for the auth path.. */ - if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) { - memcpy(auth_path + heights[offset - 1]*PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, - stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); - } - } - } - memcpy(root, stack, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* 
leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_TREE_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_TREE_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_TREE_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-256f-simple/aesni/utils.h b/crypto_sign/sphincs-haraka-256f-simple/aesni/utils.h deleted file mode 100644 index df3f21c6..00000000 --- a/crypto_sign/sphincs-haraka-256f-simple/aesni/utils.h +++ /dev/null 
@@ -1,64 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_UTILS_H -#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_UTILS_H - -#include "hash_state.h" -#include "params.h" -#include -#include - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in); - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_bytes_to_ull( - const unsigned char *in, size_t inlen); - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. 
- */ -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-256f-simple/aesni/utilsx4.c b/crypto_sign/sphincs-haraka-256f-simple/aesni/utilsx4.c deleted file mode 100644 index 9d3a35f5..00000000 --- a/crypto_sign/sphincs-haraka-256f-simple/aesni/utilsx4.c +++ /dev/null 
@@ -1,98 +0,0 @@ -#include "address.h" -#include "params.h" -#include "thashx4.h" -#include "utils.h" -#include "utilsx4.h" - -#include - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -#define treehashx4_variant(name, tree_height) \ - void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_treehashx4_##name( \ - unsigned char *rootx4, unsigned char *auth_pathx4, const unsigned char *sk_seed, \ - const unsigned char *pub_seed, const uint32_t leaf_idx[4], uint32_t idx_offset[4], \ - void (*gen_leafx4)(unsigned char * /* leaf0 */, unsigned char * /* leaf1 */, \ - unsigned char * /* leaf2 */, unsigned char * /* leaf3 */, \ - const unsigned char * /* sk_seed */, \ - const unsigned char * /* pub_seed */, uint32_t /* addr_idx0 */, \ - uint32_t /* addr_idx1 */, uint32_t /* addr_idx2 */, \ - uint32_t /* addr_idx3 */, const uint32_t[8] /* tree_addr */, \ - const hash_state * /* state_seeded */), \ - uint32_t tree_addrx4[4 * 8], const hash_state *state_seeded) { \ - unsigned char stackx4[4 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N]; \ - unsigned int heights[(tree_height) + 1]; \ - unsigned int offset = 0; \ - uint32_t idx; \ - uint32_t tree_idx; \ - unsigned int j; \ - \ - for (idx = 0; idx < (uint32_t)(1 << (tree_height)); idx++) { \ - /* Add the next leaf node to the stack. 
*/ \ - gen_leafx4(stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, sk_seed, \ - pub_seed, idx + idx_offset[0], idx + idx_offset[1], idx + idx_offset[2], \ - idx + idx_offset[3], tree_addrx4, state_seeded); \ - offset++; \ - heights[offset - 1] = 0; \ - \ - /* If this is a node we need for the auth path.. */ \ - for (j = 0; j < 4; j++) { \ - if ((leaf_idx[j] ^ 0x1) == idx) { \ - memcpy(auth_pathx4 + j * (tree_height)*PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, \ - stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N + (offset - 1) * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, \ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); \ - } \ - } \ - \ - /* While the top-most nodes are of equal height.. */ \ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { \ - /* Compute index of the new node, in the next layer. */ \ - tree_idx = (idx >> (heights[offset - 1] + 1)); \ - \ - /* Set the address of the node we're creating. */ \ - for (j = 0; j < 4; j++) { \ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_tree_height(tree_addrx4 + j * 8, heights[offset - 1] + 1); \ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_tree_index(tree_addrx4 + j * 8, \ - tree_idx + (idx_offset[j] >> (heights[offset - 1] + 1))); \ - } \ - /* Hash the top-most nodes from the stack together. 
*/ \ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_thashx4_2(stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, \ - stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, \ - pub_seed, tree_addrx4, state_seeded); \ - offset--; \ - /* Note that the top-most node is now one layer higher. */ \ - heights[offset - 1]++; \ - \ - /* If this is a node we need for the auth path.. 
*/ \ - for (j = 0; j < 4; j++) { \ - if (((leaf_idx[j] >> heights[offset - 1]) ^ 0x1) == tree_idx) { \ - memcpy(auth_pathx4 + j * (tree_height)*PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N + \ - heights[offset - 1] * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, \ - stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N + (offset - 1) * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, \ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); \ - } \ - } \ - } \ - } \ - \ - for (j = 0; j < 4; j++) { \ - memcpy(rootx4 + j * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); \ - } \ - } - -treehashx4_variant(FORS_HEIGHT, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_FORS_HEIGHT) diff --git a/crypto_sign/sphincs-haraka-256f-simple/aesni/utilsx4.h b/crypto_sign/sphincs-haraka-256f-simple/aesni/utilsx4.h deleted file mode 100644 index 99623c21..00000000 --- a/crypto_sign/sphincs-haraka-256f-simple/aesni/utilsx4.h +++ /dev/null 
@@ -1,38 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_UTILSX4_H -#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_UTILSX4_H - -#include "hash_state.h" -#include "params.h" - -#include - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_treehashx4_FORS_HEIGHT(unsigned char *rootx4, - unsigned char *auth_pathx4, - const unsigned char *sk_seed, - const unsigned char *pub_seed, - const uint32_t leaf_idx[4], - uint32_t idx_offset[4], - void (*gen_leafx4)(unsigned char * /* leaf0 */, - unsigned char * /* leaf1 */, - unsigned char * /* leaf2 */, - unsigned char * /* leaf3 */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx0 */, - uint32_t /* addr_idx1 */, - uint32_t /* addr_idx2 */, - uint32_t /* addr_idx3 */, - const uint32_t[8] /* tree_addr */, - const hash_state * /* state_seeded */), - uint32_t tree_addrx4[4 * 8], - const hash_state *state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-256f-simple/aesni/wots.c b/crypto_sign/sphincs-haraka-256f-simple/aesni/wots.c deleted file mode 100644 index 1997f344..00000000 --- a/crypto_sign/sphincs-haraka-256f-simple/aesni/wots.c +++ /dev/null 
@@ -1,240 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "hashx4.h" -#include "params.h" -#include "thash.h" -#include "thashx4.h" -#include "utils.h" -#include "wots.h" - -// TODO clarify address expectations, and make them more uniform. -// TODO i.e. do we expect types to be set already? -// TODO and do we expect modifications or copies? - -/** - * Computes the starting value for a chain, i.e. the secret key. - * Expects the address to be complete up to the chain address. - */ -static void wots_gen_sk(unsigned char *sk, const unsigned char *sk_seed, - uint32_t wots_addr[8], const hash_state *state_seeded) { - /* Make sure that the hash address is actually zeroed. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_hash_addr(wots_addr, 0); - - /* Generate sk element. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_prf_addr(sk, sk_seed, wots_addr, state_seeded); -} - -/** - * 4-way parallel version of wots_gen_sk; expects 4x as much space in sk - */ -static void wots_gen_skx4(unsigned char *skx4, const unsigned char *sk_seed, - uint32_t wots_addrx4[4 * 8], const hash_state *state_seeded) { - unsigned int j; - - /* Make sure that the hash address is actually zeroed. */ - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_hash_addr(wots_addrx4 + j * 8, 0); - } - - /* Generate sk element. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_prf_addrx4(skx4 + 0 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, - skx4 + 1 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, - skx4 + 2 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, - skx4 + 3 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, - sk_seed, wots_addrx4, - state_seeded); -} - -/** - * Computes the chaining function. - * out and in have to be n-byte arrays. - * - * Interprets in as start-th value of the chain. - * addr has to contain the address of the chain. 
- */ -static void gen_chain(unsigned char *out, const unsigned char *in, - unsigned int start, unsigned int steps, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - uint32_t i; - - /* Initialize out with the value at position 'start'. */ - memcpy(out, in, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); - - /* Iterate 'steps' calls to the hash function. */ - for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_W; i++) { - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_hash_addr(addr, i); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_thash_1(out, out, pub_seed, addr, state_seeded); - } -} - -/** - * 4-way parallel version of gen_chain; expects 4x as much space in out, and - * 4x as much space in inx4. Assumes start and step identical across chains. - */ -static void gen_chainx4(unsigned char *outx4, const unsigned char *inx4, - unsigned int start, unsigned int steps, - const unsigned char *pub_seed, uint32_t addrx4[4 * 8], - const hash_state *state_seeded) { - uint32_t i; - unsigned int j; - - /* Initialize outx4 with the value at position 'start'. */ - memcpy(outx4, inx4, 4 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); - - /* Iterate 'steps' calls to the hash function. 
*/ - for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_W; i++) { - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_hash_addr(addrx4 + j * 8, i); - } - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_thashx4_1(outx4 + 0 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, - outx4 + 1 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, - outx4 + 2 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, - outx4 + 3 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, - outx4 + 0 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, - outx4 + 1 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, - outx4 + 2 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, - outx4 + 3 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, - pub_seed, addrx4, - state_seeded); - } -} - -/** - * base_w algorithm as described in draft. - * Interprets an array of bytes as integers in base w. - * This only works when log_w is a divisor of 8. - */ -static void base_w(unsigned int *output, const int out_len, const unsigned char *input) { - int in = 0; - int out = 0; - unsigned char total = 0; - int bits = 0; - int consumed; - - for (consumed = 0; consumed < out_len; consumed++) { - if (bits == 0) { - total = input[in]; - in++; - bits += 8; - } - bits -= PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_LOGW; - output[out] = (unsigned int)(total >> bits) & (PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_W - 1); - out++; - } -} - -/* Computes the WOTS+ checksum over a message (in base_w). */ -static void wots_checksum(unsigned int *csum_base_w, const unsigned int *msg_base_w) { - unsigned int csum = 0; - unsigned char csum_bytes[(PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_LOGW + 7) / 8]; - unsigned int i; - - /* Compute checksum. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_LEN1; i++) { - csum += PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_W - 1 - msg_base_w[i]; - } - - /* Convert checksum to base_w. 
*/ - /* Make sure expected empty zero bits are the least significant bits. */ - csum = csum << (8 - ((PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_LOGW) % 8)); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_ull_to_bytes(csum_bytes, sizeof(csum_bytes), csum); - base_w(csum_base_w, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_LEN2, csum_bytes); -} - -/* Takes a message and derives the matching chain lengths. */ -static void chain_lengths(unsigned int *lengths, const unsigned char *msg) { - base_w(lengths, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_LEN1, msg); - wots_checksum(lengths + PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_LEN1, lengths); -} - -/** - * WOTS key generation. Takes a 32 byte sk_seed, expands it to WOTS private key - * elements and computes the corresponding public key. - * It requires the seed pub_seed (used to generate bitmasks and hash keys) - * and the address of this WOTS key pair. - * - * Writes the computed public key to 'pk'. - */ -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_wots_gen_pk(unsigned char *pk, const unsigned char *sk_seed, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - uint32_t i; - unsigned int j; - - uint32_t addrx4[4 * 8]; - unsigned char pkbuf[4 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N]; - - for (j = 0; j < 4; j++) { - memcpy(addrx4 + j * 8, addr, sizeof(uint32_t) * 8); - } - - /* The last iteration typically does not have complete set of 4 chains, - but because we use pkbuf, this is not an issue -- we still do as many - in parallel as possible. 
*/ - for (i = 0; i < ((PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_LEN + 3) & ~0x3); i += 4) { - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_chain_addr(addrx4 + j * 8, i + j); - } - wots_gen_skx4(pkbuf, sk_seed, addrx4, state_seeded); - gen_chainx4(pkbuf, pkbuf, 0, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_W - 1, pub_seed, addrx4, state_seeded); - for (j = 0; j < 4; j++) { - if (i + j < PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_LEN) { - memcpy(pk + (i + j)*PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, pkbuf + j * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N); - } - } - } - - // Get rid of unused argument variable. - (void)state_seeded; -} - -/** - * Takes a n-byte message and the 32-byte sk_see to compute a signature 'sig'. - */ -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_wots_sign(unsigned char *sig, const unsigned char *msg, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t addr[8], const hash_state *state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_chain_addr(addr, i); - wots_gen_sk(sig + i * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, sk_seed, addr, state_seeded); - gen_chain(sig + i * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, sig + i * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, 0, lengths[i], pub_seed, addr, state_seeded); - } - - // avoid unused argument - (void)state_seeded; -} - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. 
- */ -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_wots_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_set_chain_addr(addr, i); - gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, sig + i * PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_N, - lengths[i], PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_W - 1 - lengths[i], pub_seed, addr, - state_seeded); - } - - // avoid unused argument - (void)state_seeded; -} diff --git a/crypto_sign/sphincs-haraka-256f-simple/aesni/wots.h b/crypto_sign/sphincs-haraka-256f-simple/aesni/wots.h deleted file mode 100644 index cf3daa60..00000000 --- a/crypto_sign/sphincs-haraka-256f-simple/aesni/wots.h +++ /dev/null 
@@ -1,41 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_H
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_WOTS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-
-/**
- * WOTS key generation. Takes a 32 byte seed for the private key, expands it to
- * a full WOTS private key and computes the corresponding public key.
- * It requires the seed pub_seed (used to generate bitmasks and hash keys)
- * and the address of this WOTS key pair.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_wots_gen_pk(
- unsigned char *pk, const unsigned char *sk_seed,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * Takes a n-byte message and the 32-byte seed for the private key to compute a
- * signature that is placed at 'sig'.
- */
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_wots_sign(
- unsigned char *sig, const unsigned char *msg,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_AESNI_wots_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-simple/clean/LICENSE b/crypto_sign/sphincs-haraka-256f-simple/clean/LICENSE
deleted file mode 100644
index 670154e3..00000000
--- a/crypto_sign/sphincs-haraka-256f-simple/clean/LICENSE
+++ /dev/null
@@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. 
publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. 
Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. 
Affirmer offers the Work as-is and makes no representations or warranties - of any kind concerning the Work, express, implied, statutory or otherwise, - including without limitation warranties of title, merchantability, fitness - for a particular purpose, non infringement, or the absence of latent or - other defects, accuracy, or the present or absence of errors, whether or not - discoverable, all to the greatest extent permissible under applicable law. - - c. Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without limitation - any person's Copyright and Related Rights in the Work. Further, Affirmer - disclaims responsibility for obtaining any necessary consents, permissions - or other rights required for any use of the Work. - - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to this - CC0 or use of the Work. - -For more information, please see - diff --git a/crypto_sign/sphincs-haraka-256f-simple/clean/Makefile.Microsoft_nmake b/crypto_sign/sphincs-haraka-256f-simple/clean/Makefile.Microsoft_nmake deleted file mode 100644 index 60dd3f40..00000000 --- a/crypto_sign/sphincs-haraka-256f-simple/clean/Makefile.Microsoft_nmake +++ /dev/null @@ -1,19 +0,0 @@ -# This Makefile can be used with Microsoft Visual Studio's nmake using the command: -# nmake /f Makefile.Microsoft_nmake - -LIBRARY=libsphincs-haraka-256f-simple_clean.lib -OBJECTS=address.obj wots.obj utils.obj fors.obj sign.obj hash_haraka.obj thash_haraka_simple.obj haraka.obj - -CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX - -all: $(LIBRARY) - -# Make sure objects are recompiled if headers change. -$(OBJECTS): *.h - -$(LIBRARY): $(OBJECTS) - LIB.EXE /NOLOGO /WX /OUT:$@ $** - -clean: - -DEL $(OBJECTS) - -DEL $(LIBRARY) 
diff --git a/crypto_sign/sphincs-haraka-256f-simple/clean/address.c b/crypto_sign/sphincs-haraka-256f-simple/clean/address.c
deleted file mode 100644
index 1ce4c0d9..00000000
--- a/crypto_sign/sphincs-haraka-256f-simple/clean/address.c
+++ /dev/null
@@ -1,78 +0,0 @@
-#include
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]) {
- int i;
-
- for (i = 0; i < 8; i++) {
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ull_to_bytes(
- bytes + i * 4, 4, addr[i]);
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_layer_addr(
- uint32_t addr[8], uint32_t layer) {
- addr[0] = layer;
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_tree_addr(
- uint32_t addr[8], uint64_t tree) {
- addr[1] = 0;
- addr[2] = (uint32_t) (tree >> 32);
- addr[3] = (uint32_t) tree;
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_type(
- uint32_t addr[8], uint32_t type) {
- addr[4] = type;
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
-}
-
-/* These functions are used for OTS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair) {
- addr[5] = keypair;
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
- out[5] = in[5];
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_chain_addr(
- uint32_t addr[8], uint32_t chain) {
- addr[6] = chain;
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_hash_addr(
- uint32_t addr[8], uint32_t hash) {
- addr[7] = hash;
-}
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_tree_height(
- uint32_t addr[8], uint32_t tree_height) {
- addr[6] = tree_height;
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_tree_index(
- uint32_t addr[8], uint32_t tree_index) {
- addr[7] = tree_index;
-}
diff --git a/crypto_sign/sphincs-haraka-256f-simple/clean/address.h b/crypto_sign/sphincs-haraka-256f-simple/clean/address.h
deleted file mode 100644
index 6e50c2da..00000000
--- a/crypto_sign/sphincs-haraka-256f-simple/clean/address.h
+++ /dev/null
@@ -1,50 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDRESS_H
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDRESS_H
-
-#include
-
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_TYPE_WOTS 0
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_TYPE_WOTSPK 1
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_TYPE_HASHTREE 2
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_TYPE_FORSTREE 3
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_TYPE_FORSPK 4
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]);
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_layer_addr(
- uint32_t addr[8], uint32_t layer);
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_tree_addr(
- uint32_t addr[8], uint64_t tree);
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_type(
- uint32_t addr[8], uint32_t type);
-
-/* Copies the layer and tree part of one address into the other */
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for WOTS and FORS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair);
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_chain_addr(
- uint32_t addr[8], uint32_t chain);
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_hash_addr(
- uint32_t addr[8], uint32_t hash);
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_tree_height(
- uint32_t addr[8], uint32_t tree_height);
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_tree_index(
- uint32_t addr[8], uint32_t tree_index);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-simple/clean/api.h b/crypto_sign/sphincs-haraka-256f-simple/clean/api.h
deleted file mode 100644
index bc39e1c7..00000000
--- a/crypto_sign/sphincs-haraka-256f-simple/clean/api.h
+++ /dev/null
@@ -1,81 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_API_H
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_API_H
-
-#include
-#include
-
-
-
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_CRYPTO_ALGNAME "SPHINCS+"
-
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_CRYPTO_SECRETKEYBYTES 128
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_CRYPTO_PUBLICKEYBYTES 64
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_CRYPTO_BYTES 49216
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_CRYPTO_SEEDBYTES 96
-
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_crypto_sign_seed_keypair(
- uint8_t *pk, uint8_t *sk, const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_crypto_sign_keypair(
- uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-int PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen, const uint8_t *pk);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-simple/clean/fors.c b/crypto_sign/sphincs-haraka-256f-simple/clean/fors.c
deleted file mode 100644
index ee2a1f7c..00000000
--- a/crypto_sign/sphincs-haraka-256f-simple/clean/fors.c
+++ /dev/null
@@ -1,161 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "fors.h" -#include "hash.h" -#include "hash_state.h" -#include "thash.h" -#include "utils.h" - -static void fors_gen_sk(unsigned char *sk, const unsigned char *sk_seed, - uint32_t fors_leaf_addr[8], const hash_state *hash_state_seeded) { - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_prf_addr( - sk, sk_seed, fors_leaf_addr, hash_state_seeded); -} - -static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk, - const unsigned char *pub_seed, - uint32_t fors_leaf_addr[8], - const hash_state *hash_state_seeded) { - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_thash_1( - leaf, sk, pub_seed, fors_leaf_addr, hash_state_seeded); -} - -static void fors_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx, const uint32_t fors_tree_addr[8], - const hash_state *hash_state_seeded) { - uint32_t fors_leaf_addr[8] = {0}; - - /* Only copy the parts that must be kept in fors_leaf_addr. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_copy_keypair_addr( - fors_leaf_addr, fors_tree_addr); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_type( - fors_leaf_addr, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_TYPE_FORSTREE); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_tree_index( - fors_leaf_addr, addr_idx); - - fors_gen_sk(leaf, sk_seed, fors_leaf_addr, hash_state_seeded); - fors_sk_to_leaf(leaf, leaf, pub_seed, fors_leaf_addr, hash_state_seeded); -} - -/** - * Interprets m as PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_HEIGHT-bit unsigned integers. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_TREES bits. - * Assumes indices has space for PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_TREES integers. 
- */ -static void message_to_indices(uint32_t *indices, const unsigned char *m) { - unsigned int i, j; - unsigned int offset = 0; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_TREES; i++) { - indices[i] = 0; - for (j = 0; j < PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_HEIGHT; j++) { - indices[i] ^= (((uint32_t)m[offset >> 3] >> (offset & 0x7)) & 0x1) << j; - offset++; - } - } -} - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_TREES bits. - */ -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_fors_sign( - unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const unsigned char *sk_seed, const unsigned char *pub_seed, - const uint32_t fors_addr[8], const hash_state *hash_state_seeded) { - uint32_t indices[PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_TREES]; - unsigned char roots[PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N]; - uint32_t fors_tree_addr[8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_copy_keypair_addr( - fors_tree_addr, fors_addr); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_copy_keypair_addr( - fors_pk_addr, fors_addr); - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_type( - fors_tree_addr, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_TYPE_FORSTREE); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_type( - fors_pk_addr, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_TREES; i++) { - idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_HEIGHT); - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_tree_height( - fors_tree_addr, 0); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_tree_index( - fors_tree_addr, indices[i] + idx_offset); - - /* Include 
the secret key part that produces the selected leaf node. */ - fors_gen_sk(sig, sk_seed, fors_tree_addr, hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N; - - /* Compute the authentication path for this leaf node. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_treehash_FORS_HEIGHT( - roots + i * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, sig, sk_seed, pub_seed, - indices[i], idx_offset, fors_gen_leaf, fors_tree_addr, - hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_thash_FORS_TREES( - pk, roots, pub_seed, fors_pk_addr, hash_state_seeded); -} - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_TREES bits. 
- */ -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_fors_pk_from_sig( - unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const unsigned char *pub_seed, const uint32_t fors_addr[8], - const hash_state *hash_state_seeded) { - uint32_t indices[PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_TREES]; - unsigned char roots[PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N]; - uint32_t fors_tree_addr[8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_copy_keypair_addr(fors_tree_addr, fors_addr); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_copy_keypair_addr(fors_pk_addr, fors_addr); - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_type(fors_tree_addr, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_TYPE_FORSTREE); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_TREES; i++) { - idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_HEIGHT); - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_tree_height(fors_tree_addr, 0); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_tree_index(fors_tree_addr, indices[i] + idx_offset); - - /* Derive the leaf from the included secret key part. */ - fors_sk_to_leaf(leaf, sig, pub_seed, fors_tree_addr, hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N; - - /* Derive the corresponding root node of this tree. 
*/ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_compute_root(roots + i * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, leaf, indices[i], idx_offset, sig, - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_HEIGHT, pub_seed, fors_tree_addr, hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-256f-simple/clean/fors.h b/crypto_sign/sphincs-haraka-256f-simple/clean/fors.h deleted file mode 100644 index d51016dd..00000000 --- a/crypto_sign/sphincs-haraka-256f-simple/clean/fors.h +++ /dev/null 
@@ -1,32 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_H
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_H
-
-#include
-
-#include "hash_state.h"
-#include "params.h"
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_fors_sign(
- unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- const uint32_t fors_addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_fors_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const unsigned char *pub_seed, const uint32_t fors_addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-simple/clean/haraka.c b/crypto_sign/sphincs-haraka-256f-simple/clean/haraka.c
deleted file mode 100644
index 4168c4c7..00000000
--- a/crypto_sign/sphincs-haraka-256f-simple/clean/haraka.c
+++ /dev/null
@@ -1,963 +0,0 @@ -/* - * Constant time implementation of the Haraka hash function. - * - * The bit-sliced implementation of the AES round functions are - * based on the AES implementation in BearSSL written - * by Thomas Pornin - */ - -#include -#include -#include -#include - -#include "haraka.h" - -#define HARAKAS_RATE 32 - -static const uint64_t haraka512_rc64[10][8] = { - {0x24cf0ab9086f628b, 0xbdd6eeecc83b8382, 0xd96fb0306cdad0a7, 0xaace082ac8f95f89, 0x449d8e8870d7041f, 0x49bb2f80b2b3e2f8, 0x0569ae98d93bb258, 0x23dc9691e7d6a4b1}, - {0xd8ba10ede0fe5b6e, 0x7ecf7dbe424c7b8e, 0x6ea9949c6df62a31, 0xbf3f3c97ec9c313e, 0x241d03a196a1861e, 0xead3a51116e5a2ea, 0x77d479fcad9574e3, 0x18657a1af894b7a0}, - {0x10671e1a7f595522, 0xd9a00ff675d28c7b, 0x2f1edf0d2b9ba661, 0xb8ff58b8e3de45f9, 0xee29261da9865c02, 0xd1532aa4b50bdf43, 0x8bf858159b231bb1, 0xdf17439d22d4f599}, - {0xdd4b2f0870b918c0, 0x757a81f3b39b1bb6, 0x7a5c556898952e3f, 0x7dd70a16d915d87a, 0x3ae61971982b8301, 0xc3ab319e030412be, 0x17c0033ac094a8cb, 0x5a0630fc1a8dc4ef}, - {0x17708988c1632f73, 0xf92ddae090b44f4f, 0x11ac0285c43aa314, 0x509059941936b8ba, 0xd03e152fa2ce9b69, 0x3fbcbcb63a32998b, 0x6204696d692254f7, 0x915542ed93ec59b4}, - {0xf4ed94aa8879236e, 0xff6cb41cd38e03c0, 0x069b38602368aeab, 0x669495b820f0ddba, 0xf42013b1b8bf9e3d, 0xcf935efe6439734d, 0xbc1dcf42ca29e3f8, 0x7e6d3ed29f78ad67}, - {0xf3b0f6837ffcddaa, 0x3a76faef934ddf41, 0xcec7ae583a9c8e35, 0xe4dd18c68f0260af, 0x2c0e5df1ad398eaa, 0x478df5236ae22e8c, 0xfb944c46fe865f39, 0xaa48f82f028132ba}, - {0x231b9ae2b76aca77, 0x292a76a712db0b40, 0x5850625dc8134491, 0x73137dd469810fb5, 0x8a12a6a202a474fd, 0xd36fd9daa78bdb80, 0xb34c5e733505706f, 0xbaf1cdca818d9d96}, - {0x2e99781335e8c641, 0xbddfe5cce47d560e, 0xf74e9bf32e5e040c, 0x1d7a709d65996be9, 0x670df36a9cf66cdd, 0xd05ef84a176a2875, 0x0f888e828cb1c44e, 0x1a79e9c9727b052c}, - {0x83497348628d84de, 0x2e9387d51f22a754, 0xb000068da2f852d6, 0x378c9e1190fd6fe5, 0x870027c316de7293, 0xe51a9d4462e047bb, 0x90ecf7f8c6251195, 
0x655953bfbed90a9c}, -}; - -static inline uint32_t br_dec32le(const unsigned char *src) { - return (uint32_t)src[0] - | ((uint32_t)src[1] << 8) - | ((uint32_t)src[2] << 16) - | ((uint32_t)src[3] << 24); -} - -static void br_range_dec32le(uint32_t *v, size_t num, const unsigned char *src) { - while (num-- > 0) { - *v ++ = br_dec32le(src); - src += 4; - } -} - -static inline void br_enc32le(unsigned char *dst, uint32_t x) { - dst[0] = (unsigned char)x; - dst[1] = (unsigned char)(x >> 8); - dst[2] = (unsigned char)(x >> 16); - dst[3] = (unsigned char)(x >> 24); -} - - -static void br_range_enc32le(unsigned char *dst, const uint32_t *v, size_t num) { - while (num-- > 0) { - br_enc32le(dst, *v ++); - dst += 4; - } -} - -static void br_aes_ct64_bitslice_Sbox(uint64_t *q) { - /* - * This S-box implementation is a straightforward translation of - * the circuit described by Boyar and Peralta in "A new - * combinational logic minimization technique with applications - * to cryptology" (https://eprint.iacr.org/2009/191.pdf). - * - * Note that variables x* (input) and s* (output) are numbered - * in "reverse" order (x0 is the high bit, x7 is the low bit). 
- */ - - uint64_t x0, x1, x2, x3, x4, x5, x6, x7; - uint64_t y1, y2, y3, y4, y5, y6, y7, y8, y9; - uint64_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19; - uint64_t y20, y21; - uint64_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9; - uint64_t z10, z11, z12, z13, z14, z15, z16, z17; - uint64_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9; - uint64_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19; - uint64_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29; - uint64_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39; - uint64_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49; - uint64_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59; - uint64_t t60, t61, t62, t63, t64, t65, t66, t67; - uint64_t s0, s1, s2, s3, s4, s5, s6, s7; - - x0 = q[7]; - x1 = q[6]; - x2 = q[5]; - x3 = q[4]; - x4 = q[3]; - x5 = q[2]; - x6 = q[1]; - x7 = q[0]; - - /* - * Top linear transformation. - */ - y14 = x3 ^ x5; - y13 = x0 ^ x6; - y9 = x0 ^ x3; - y8 = x0 ^ x5; - t0 = x1 ^ x2; - y1 = t0 ^ x7; - y4 = y1 ^ x3; - y12 = y13 ^ y14; - y2 = y1 ^ x0; - y5 = y1 ^ x6; - y3 = y5 ^ y8; - t1 = x4 ^ y12; - y15 = t1 ^ x5; - y20 = t1 ^ x1; - y6 = y15 ^ x7; - y10 = y15 ^ t0; - y11 = y20 ^ y9; - y7 = x7 ^ y11; - y17 = y10 ^ y11; - y19 = y10 ^ y8; - y16 = t0 ^ y11; - y21 = y13 ^ y16; - y18 = x0 ^ y16; - - /* - * Non-linear section. 
- */ - t2 = y12 & y15; - t3 = y3 & y6; - t4 = t3 ^ t2; - t5 = y4 & x7; - t6 = t5 ^ t2; - t7 = y13 & y16; - t8 = y5 & y1; - t9 = t8 ^ t7; - t10 = y2 & y7; - t11 = t10 ^ t7; - t12 = y9 & y11; - t13 = y14 & y17; - t14 = t13 ^ t12; - t15 = y8 & y10; - t16 = t15 ^ t12; - t17 = t4 ^ t14; - t18 = t6 ^ t16; - t19 = t9 ^ t14; - t20 = t11 ^ t16; - t21 = t17 ^ y20; - t22 = t18 ^ y19; - t23 = t19 ^ y21; - t24 = t20 ^ y18; - - t25 = t21 ^ t22; - t26 = t21 & t23; - t27 = t24 ^ t26; - t28 = t25 & t27; - t29 = t28 ^ t22; - t30 = t23 ^ t24; - t31 = t22 ^ t26; - t32 = t31 & t30; - t33 = t32 ^ t24; - t34 = t23 ^ t33; - t35 = t27 ^ t33; - t36 = t24 & t35; - t37 = t36 ^ t34; - t38 = t27 ^ t36; - t39 = t29 & t38; - t40 = t25 ^ t39; - - t41 = t40 ^ t37; - t42 = t29 ^ t33; - t43 = t29 ^ t40; - t44 = t33 ^ t37; - t45 = t42 ^ t41; - z0 = t44 & y15; - z1 = t37 & y6; - z2 = t33 & x7; - z3 = t43 & y16; - z4 = t40 & y1; - z5 = t29 & y7; - z6 = t42 & y11; - z7 = t45 & y17; - z8 = t41 & y10; - z9 = t44 & y12; - z10 = t37 & y3; - z11 = t33 & y4; - z12 = t43 & y13; - z13 = t40 & y5; - z14 = t29 & y2; - z15 = t42 & y9; - z16 = t45 & y14; - z17 = t41 & y8; - - /* - * Bottom linear transformation. 
- */ - t46 = z15 ^ z16; - t47 = z10 ^ z11; - t48 = z5 ^ z13; - t49 = z9 ^ z10; - t50 = z2 ^ z12; - t51 = z2 ^ z5; - t52 = z7 ^ z8; - t53 = z0 ^ z3; - t54 = z6 ^ z7; - t55 = z16 ^ z17; - t56 = z12 ^ t48; - t57 = t50 ^ t53; - t58 = z4 ^ t46; - t59 = z3 ^ t54; - t60 = t46 ^ t57; - t61 = z14 ^ t57; - t62 = t52 ^ t58; - t63 = t49 ^ t58; - t64 = z4 ^ t59; - t65 = t61 ^ t62; - t66 = z1 ^ t63; - s0 = t59 ^ t63; - s6 = t56 ^ ~t62; - s7 = t48 ^ ~t60; - t67 = t64 ^ t65; - s3 = t53 ^ t66; - s4 = t51 ^ t66; - s5 = t47 ^ t65; - s1 = t64 ^ ~s3; - s2 = t55 ^ ~t67; - - q[7] = s0; - q[6] = s1; - q[5] = s2; - q[4] = s3; - q[3] = s4; - q[2] = s5; - q[1] = s6; - q[0] = s7; -} - -static void br_aes_ct_bitslice_Sbox(uint32_t *q) { - /* - * This S-box implementation is a straightforward translation of - * the circuit described by Boyar and Peralta in "A new - * combinational logic minimization technique with applications - * to cryptology" (https://eprint.iacr.org/2009/191.pdf). - * - * Note that variables x* (input) and s* (output) are numbered - * in "reverse" order (x0 is the high bit, x7 is the low bit). - */ - - uint32_t x0, x1, x2, x3, x4, x5, x6, x7; - uint32_t y1, y2, y3, y4, y5, y6, y7, y8, y9; - uint32_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19; - uint32_t y20, y21; - uint32_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9; - uint32_t z10, z11, z12, z13, z14, z15, z16, z17; - uint32_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9; - uint32_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19; - uint32_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29; - uint32_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39; - uint32_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49; - uint32_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59; - uint32_t t60, t61, t62, t63, t64, t65, t66, t67; - uint32_t s0, s1, s2, s3, s4, s5, s6, s7; - - x0 = q[7]; - x1 = q[6]; - x2 = q[5]; - x3 = q[4]; - x4 = q[3]; - x5 = q[2]; - x6 = q[1]; - x7 = q[0]; - - /* - * Top linear transformation. 
- */
- y14 = x3 ^ x5;
- y13 = x0 ^ x6;
- y9 = x0 ^ x3;
- y8 = x0 ^ x5;
- t0 = x1 ^ x2;
- y1 = t0 ^ x7;
- y4 = y1 ^ x3;
- y12 = y13 ^ y14;
- y2 = y1 ^ x0;
- y5 = y1 ^ x6;
- y3 = y5 ^ y8;
- t1 = x4 ^ y12;
- y15 = t1 ^ x5;
- y20 = t1 ^ x1;
- y6 = y15 ^ x7;
- y10 = y15 ^ t0;
- y11 = y20 ^ y9;
- y7 = x7 ^ y11;
- y17 = y10 ^ y11;
- y19 = y10 ^ y8;
- y16 = t0 ^ y11;
- y21 = y13 ^ y16;
- y18 = x0 ^ y16;
-
- /*
- * Non-linear section.
- */
- t2 = y12 & y15;
- t3 = y3 & y6;
- t4 = t3 ^ t2;
- t5 = y4 & x7;
- t6 = t5 ^ t2;
- t7 = y13 & y16;
- t8 = y5 & y1;
- t9 = t8 ^ t7;
- t10 = y2 & y7;
- t11 = t10 ^ t7;
- t12 = y9 & y11;
- t13 = y14 & y17;
- t14 = t13 ^ t12;
- t15 = y8 & y10;
- t16 = t15 ^ t12;
- t17 = t4 ^ t14;
- t18 = t6 ^ t16;
- t19 = t9 ^ t14;
- t20 = t11 ^ t16;
- t21 = t17 ^ y20;
- t22 = t18 ^ y19;
- t23 = t19 ^ y21;
- t24 = t20 ^ y18;
-
- t25 = t21 ^ t22;
- t26 = t21 & t23;
- t27 = t24 ^ t26;
- t28 = t25 & t27;
- t29 = t28 ^ t22;
- t30 = t23 ^ t24;
- t31 = t22 ^ t26;
- t32 = t31 & t30;
- t33 = t32 ^ t24;
- t34 = t23 ^ t33;
- t35 = t27 ^ t33;
- t36 = t24 & t35;
- t37 = t36 ^ t34;
- t38 = t27 ^ t36;
- t39 = t29 & t38;
- t40 = t25 ^ t39;
-
- t41 = t40 ^ t37;
- t42 = t29 ^ t33;
- t43 = t29 ^ t40;
- t44 = t33 ^ t37;
- t45 = t42 ^ t41;
- z0 = t44 & y15;
- z1 = t37 & y6;
- z2 = t33 & x7;
- z3 = t43 & y16;
- z4 = t40 & y1;
- z5 = t29 & y7;
- z6 = t42 & y11;
- z7 = t45 & y17;
- z8 = t41 & y10;
- z9 = t44 & y12;
- z10 = t37 & y3;
- z11 = t33 & y4;
- z12 = t43 & y13;
- z13 = t40 & y5;
- z14 = t29 & y2;
- z15 = t42 & y9;
- z16 = t45 & y14;
- z17 = t41 & y8;
-
- /*
- * Bottom linear transformation.
- */
- t46 = z15 ^ z16;
- t47 = z10 ^ z11;
- t48 = z5 ^ z13;
- t49 = z9 ^ z10;
- t50 = z2 ^ z12;
- t51 = z2 ^ z5;
- t52 = z7 ^ z8;
- t53 = z0 ^ z3;
- t54 = z6 ^ z7;
- t55 = z16 ^ z17;
- t56 = z12 ^ t48;
- t57 = t50 ^ t53;
- t58 = z4 ^ t46;
- t59 = z3 ^ t54;
- t60 = t46 ^ t57;
- t61 = z14 ^ t57;
- t62 = t52 ^ t58;
- t63 = t49 ^ t58;
- t64 = z4 ^ t59;
- t65 = t61 ^ t62;
- t66 = z1 ^ t63;
- s0 = t59 ^ t63;
- s6 = t56 ^ ~t62;
- s7 = t48 ^ ~t60;
- t67 = t64 ^ t65;
- s3 = t53 ^ t66;
- s4 = t51 ^ t66;
- s5 = t47 ^ t65;
- s1 = t64 ^ ~s3;
- s2 = t55 ^ ~t67;
-
- q[7] = s0;
- q[6] = s1;
- q[5] = s2;
- q[4] = s3;
- q[3] = s4;
- q[2] = s5;
- q[1] = s6;
- q[0] = s7;
-}
-
-static void br_aes_ct_ortho(uint32_t *q) {
-#define SWAPN_32(cl, ch, s, x, y) do { \
- uint32_t a, b; \
- a = (x); \
- b = (y); \
- (x) = (a & (uint32_t)(cl)) | ((b & (uint32_t)(cl)) << (s)); \
- (y) = ((a & (uint32_t)(ch)) >> (s)) | (b & (uint32_t)(ch)); \
- } while (0)
-
-#define SWAP2_32(x, y) SWAPN_32(0x55555555, 0xAAAAAAAA, 1, x, y)
-#define SWAP4_32(x, y) SWAPN_32(0x33333333, 0xCCCCCCCC, 2, x, y)
-#define SWAP8_32(x, y) SWAPN_32(0x0F0F0F0F, 0xF0F0F0F0, 4, x, y)
-
- SWAP2_32(q[0], q[1]);
- SWAP2_32(q[2], q[3]);
- SWAP2_32(q[4], q[5]);
- SWAP2_32(q[6], q[7]);
-
- SWAP4_32(q[0], q[2]);
- SWAP4_32(q[1], q[3]);
- SWAP4_32(q[4], q[6]);
- SWAP4_32(q[5], q[7]);
-
- SWAP8_32(q[0], q[4]);
- SWAP8_32(q[1], q[5]);
- SWAP8_32(q[2], q[6]);
- SWAP8_32(q[3], q[7]);
-}
-
-static inline void add_round_key32(uint32_t *q, const uint32_t *sk) {
- q[0] ^= sk[0];
- q[1] ^= sk[1];
- q[2] ^= sk[2];
- q[3] ^= sk[3];
- q[4] ^= sk[4];
- q[5] ^= sk[5];
- q[6] ^= sk[6];
- q[7] ^= sk[7];
-}
-
-static inline void shift_rows32(uint32_t *q) {
- int i;
-
- for (i = 0; i < 8; i++) {
- uint32_t x;
-
- x = q[i];
- q[i] = (x & 0x000000FF)
- | ((x & 0x0000FC00) >> 2) | ((x & 0x00000300) << 6)
- | ((x & 0x00F00000) >> 4) | ((x & 0x000F0000) << 4)
- | ((x & 0xC0000000) >> 6) | ((x & 0x3F000000) << 2);
- }
-}
-
-static inline uint32_t
rotr16(uint32_t x) {
- return (x << 16) | (x >> 16);
-}
-
-static inline void mix_columns32(uint32_t *q) {
- uint32_t q0, q1, q2, q3, q4, q5, q6, q7;
- uint32_t r0, r1, r2, r3, r4, r5, r6, r7;
-
- q0 = q[0];
- q1 = q[1];
- q2 = q[2];
- q3 = q[3];
- q4 = q[4];
- q5 = q[5];
- q6 = q[6];
- q7 = q[7];
- r0 = (q0 >> 8) | (q0 << 24);
- r1 = (q1 >> 8) | (q1 << 24);
- r2 = (q2 >> 8) | (q2 << 24);
- r3 = (q3 >> 8) | (q3 << 24);
- r4 = (q4 >> 8) | (q4 << 24);
- r5 = (q5 >> 8) | (q5 << 24);
- r6 = (q6 >> 8) | (q6 << 24);
- r7 = (q7 >> 8) | (q7 << 24);
-
- q[0] = q7 ^ r7 ^ r0 ^ rotr16(q0 ^ r0);
- q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr16(q1 ^ r1);
- q[2] = q1 ^ r1 ^ r2 ^ rotr16(q2 ^ r2);
- q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr16(q3 ^ r3);
- q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr16(q4 ^ r4);
- q[5] = q4 ^ r4 ^ r5 ^ rotr16(q5 ^ r5);
- q[6] = q5 ^ r5 ^ r6 ^ rotr16(q6 ^ r6);
- q[7] = q6 ^ r6 ^ r7 ^ rotr16(q7 ^ r7);
-}
-
-static void br_aes_ct64_ortho(uint64_t *q) {
-#define SWAPN(cl, ch, s, x, y) do { \
- uint64_t a, b; \
- a = (x); \
- b = (y); \
- (x) = (a & (uint64_t)(cl)) | ((b & (uint64_t)(cl)) << (s)); \
- (y) = ((a & (uint64_t)(ch)) >> (s)) | (b & (uint64_t)(ch)); \
- } while (0)
-
-#define SWAP2(x, y) SWAPN(0x5555555555555555, 0xAAAAAAAAAAAAAAAA, 1, x, y)
-#define SWAP4(x, y) SWAPN(0x3333333333333333, 0xCCCCCCCCCCCCCCCC, 2, x, y)
-#define SWAP8(x, y) SWAPN(0x0F0F0F0F0F0F0F0F, 0xF0F0F0F0F0F0F0F0, 4, x, y)
-
- SWAP2(q[0], q[1]);
- SWAP2(q[2], q[3]);
- SWAP2(q[4], q[5]);
- SWAP2(q[6], q[7]);
-
- SWAP4(q[0], q[2]);
- SWAP4(q[1], q[3]);
- SWAP4(q[4], q[6]);
- SWAP4(q[5], q[7]);
-
- SWAP8(q[0], q[4]);
- SWAP8(q[1], q[5]);
- SWAP8(q[2], q[6]);
- SWAP8(q[3], q[7]);
-}
-
-
-static void br_aes_ct64_interleave_in(uint64_t *q0, uint64_t *q1, const uint32_t *w) {
- uint64_t x0, x1, x2, x3;
-
- x0 = w[0];
- x1 = w[1];
- x2 = w[2];
- x3 = w[3];
- x0 |= (x0 << 16);
- x1 |= (x1 << 16);
- x2 |= (x2 << 16);
- x3 |= (x3 << 16);
- x0 &= (uint64_t)0x0000FFFF0000FFFF;
- x1 &=
(uint64_t)0x0000FFFF0000FFFF;
- x2 &= (uint64_t)0x0000FFFF0000FFFF;
- x3 &= (uint64_t)0x0000FFFF0000FFFF;
- x0 |= (x0 << 8);
- x1 |= (x1 << 8);
- x2 |= (x2 << 8);
- x3 |= (x3 << 8);
- x0 &= (uint64_t)0x00FF00FF00FF00FF;
- x1 &= (uint64_t)0x00FF00FF00FF00FF;
- x2 &= (uint64_t)0x00FF00FF00FF00FF;
- x3 &= (uint64_t)0x00FF00FF00FF00FF;
- *q0 = x0 | (x2 << 8);
- *q1 = x1 | (x3 << 8);
-}
-
-
-static void br_aes_ct64_interleave_out(uint32_t *w, uint64_t q0, uint64_t q1) {
- uint64_t x0, x1, x2, x3;
-
- x0 = q0 & (uint64_t)0x00FF00FF00FF00FF;
- x1 = q1 & (uint64_t)0x00FF00FF00FF00FF;
- x2 = (q0 >> 8) & (uint64_t)0x00FF00FF00FF00FF;
- x3 = (q1 >> 8) & (uint64_t)0x00FF00FF00FF00FF;
- x0 |= (x0 >> 8);
- x1 |= (x1 >> 8);
- x2 |= (x2 >> 8);
- x3 |= (x3 >> 8);
- x0 &= (uint64_t)0x0000FFFF0000FFFF;
- x1 &= (uint64_t)0x0000FFFF0000FFFF;
- x2 &= (uint64_t)0x0000FFFF0000FFFF;
- x3 &= (uint64_t)0x0000FFFF0000FFFF;
- w[0] = (uint32_t)x0 | (uint32_t)(x0 >> 16);
- w[1] = (uint32_t)x1 | (uint32_t)(x1 >> 16);
- w[2] = (uint32_t)x2 | (uint32_t)(x2 >> 16);
- w[3] = (uint32_t)x3 | (uint32_t)(x3 >> 16);
-}
-
-static inline void add_round_key(uint64_t *q, const uint64_t *sk) {
- q[0] ^= sk[0];
- q[1] ^= sk[1];
- q[2] ^= sk[2];
- q[3] ^= sk[3];
- q[4] ^= sk[4];
- q[5] ^= sk[5];
- q[6] ^= sk[6];
- q[7] ^= sk[7];
-}
-
-static inline void shift_rows(uint64_t *q) {
- int i;
-
- for (i = 0; i < 8; i++) {
- uint64_t x;
-
- x = q[i];
- q[i] = (x & (uint64_t)0x000000000000FFFF)
- | ((x & (uint64_t)0x00000000FFF00000) >> 4)
- | ((x & (uint64_t)0x00000000000F0000) << 12)
- | ((x & (uint64_t)0x0000FF0000000000) >> 8)
- | ((x & (uint64_t)0x000000FF00000000) << 8)
- | ((x & (uint64_t)0xF000000000000000) >> 12)
- | ((x & (uint64_t)0x0FFF000000000000) << 4);
- }
-}
-
-static inline uint64_t rotr32(uint64_t x) {
- return (x << 32) | (x >> 32);
-}
-
-static inline void mix_columns(uint64_t *q) {
- uint64_t q0, q1, q2, q3, q4, q5, q6, q7;
- uint64_t r0, r1, r2, r3, r4, r5, r6, r7;
-
- q0 = q[0];
- q1 = q[1];
-
q2 = q[2];
- q3 = q[3];
- q4 = q[4];
- q5 = q[5];
- q6 = q[6];
- q7 = q[7];
- r0 = (q0 >> 16) | (q0 << 48);
- r1 = (q1 >> 16) | (q1 << 48);
- r2 = (q2 >> 16) | (q2 << 48);
- r3 = (q3 >> 16) | (q3 << 48);
- r4 = (q4 >> 16) | (q4 << 48);
- r5 = (q5 >> 16) | (q5 << 48);
- r6 = (q6 >> 16) | (q6 << 48);
- r7 = (q7 >> 16) | (q7 << 48);
-
- q[0] = q7 ^ r7 ^ r0 ^ rotr32(q0 ^ r0);
- q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr32(q1 ^ r1);
- q[2] = q1 ^ r1 ^ r2 ^ rotr32(q2 ^ r2);
- q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr32(q3 ^ r3);
- q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr32(q4 ^ r4);
- q[5] = q4 ^ r4 ^ r5 ^ rotr32(q5 ^ r5);
- q[6] = q5 ^ r5 ^ r6 ^ rotr32(q6 ^ r6);
- q[7] = q6 ^ r6 ^ r7 ^ rotr32(q7 ^ r7);
-}
-
-static void interleave_constant(uint64_t *out, const unsigned char *in) {
- uint32_t tmp_32_constant[16];
- int i;
-
- br_range_dec32le(tmp_32_constant, 16, in);
- for (i = 0; i < 4; i++) {
- br_aes_ct64_interleave_in(&out[i], &out[i + 4], tmp_32_constant + (i << 2));
- }
- br_aes_ct64_ortho(out);
-}
-
-static void interleave_constant32(uint32_t *out, const unsigned char *in) {
- int i;
- for (i = 0; i < 4; i++) {
- out[2 * i] = br_dec32le(in + 4 * i);
- out[2 * i + 1] = br_dec32le(in + 4 * i + 16);
- }
- br_aes_ct_ortho(out);
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length) {
- unsigned char buf[40 * 16];
- int i;
-
- /* Use the standard constants to generate tweaked ones.
*/
- memcpy((uint8_t *)state->tweaked512_rc64, (uint8_t *)haraka512_rc64, 40 * 16);
-
- /* Constants for sk.seed */
- if (sk_seed != NULL) {
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S(
- buf, 40 * 16, sk_seed, seed_length, state);
-
- /* Interleave constants */
- for (i = 0; i < 10; i++) {
- interleave_constant32(state->tweaked256_rc32_sseed[i], buf + 32 * i);
- }
- }
-
- /* Constants for pk.seed */
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S(
- buf, 40 * 16, pk_seed, seed_length, state);
- for (i = 0; i < 10; i++) {
- interleave_constant32(state->tweaked256_rc32[i], buf + 32 * i);
- interleave_constant(state->tweaked512_rc64[i], buf + 64 * i);
- }
-}
-
-static void haraka_S_absorb(unsigned char *s,
- const unsigned char *m, unsigned long long mlen,
- unsigned char p, const harakactx *state) {
- unsigned long long i;
- unsigned char t[HARAKAS_RATE];
-
- while (mlen >= HARAKAS_RATE) {
- /* XOR block to state */
- for (i = 0; i < HARAKAS_RATE; ++i) {
- s[i] ^= m[i];
- }
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka512_perm(s, s, state);
- mlen -= HARAKAS_RATE;
- m += HARAKAS_RATE;
- }
-
- for (i = 0; i < HARAKAS_RATE; ++i) {
- t[i] = 0;
- }
- for (i = 0; i < mlen; ++i) {
- t[i] = m[i];
- }
- t[i] = p;
- t[HARAKAS_RATE - 1] |= 128;
- for (i = 0; i < HARAKAS_RATE; ++i) {
- s[i] ^= t[i];
- }
-}
-
-static void haraka_S_squeezeblocks(unsigned char *h, unsigned long long nblocks,
- unsigned char *s, const harakactx *state) {
- while (nblocks > 0) {
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka512_perm(s, s, state);
- memcpy(h, s, HARAKAS_RATE);
- h += HARAKAS_RATE;
- nblocks--;
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S_inc_init(uint8_t *s_inc) {
- size_t i;
-
- for (i = 0; i < 64; i++) {
- s_inc[i] = 0;
- }
- s_inc[64] = 0;
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state) {
- size_t i;
-
- /* Recall that s_inc[64] is the non-absorbed bytes xored into
the state */
- while (mlen + s_inc[64] >= HARAKAS_RATE) {
- for (i = 0; i < (size_t)(HARAKAS_RATE - s_inc[64]); i++) {
- /* Take the i'th byte from message
- xor with the s_inc[64] + i'th byte of the state */
- s_inc[s_inc[64] + i] ^= m[i];
- }
- mlen -= (size_t)(HARAKAS_RATE - s_inc[64]);
- m += HARAKAS_RATE - s_inc[64];
- s_inc[64] = 0;
-
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka512_perm(s_inc, s_inc, state);
- }
-
- for (i = 0; i < mlen; i++) {
- s_inc[s_inc[64] + i] ^= m[i];
- }
- s_inc[64] = (uint8_t)(mlen + s_inc[64]);
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S_inc_finalize(uint8_t *s_inc) {
- /* After haraka_S_inc_absorb, we are guaranteed that s_inc[64] < HARAKAS_RATE,
- so we can always use one more byte for p in the current state. */
- s_inc[s_inc[64]] ^= 0x1F;
- s_inc[HARAKAS_RATE - 1] ^= 128;
- s_inc[64] = 0;
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state) {
- uint8_t i;
-
- /* First consume any bytes we still have sitting around */
- for (i = 0; i < outlen && i < s_inc[64]; i++) {
- /* There are s_inc[64] bytes left, so r - s_inc[64] is the first
- available byte. We consume from there, i.e., up to r.
*/
- out[i] = s_inc[(HARAKAS_RATE - s_inc[64] + i)];
- }
- out += i;
- outlen -= i;
- s_inc[64] = (uint8_t)(s_inc[64] - i);
-
- /* Then squeeze the remaining necessary blocks */
- while (outlen > 0) {
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka512_perm(s_inc, s_inc, state);
-
- for (i = 0; i < outlen && i < HARAKAS_RATE; i++) {
- out[i] = s_inc[i];
- }
- out += i;
- outlen -= i;
- s_inc[64] = (uint8_t)(HARAKAS_RATE - i);
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S(unsigned char *out, unsigned long long outlen, const unsigned char *in, unsigned long long inlen, const harakactx *state) {
- unsigned long long i;
- unsigned char s[64];
- unsigned char d[32];
-
- for (i = 0; i < 64; i++) {
- s[i] = 0;
- }
- haraka_S_absorb(s, in, inlen, 0x1F, state);
-
- haraka_S_squeezeblocks(out, outlen / 32, s, state);
- out += (outlen / 32) * 32;
-
- if (outlen % 32) {
- haraka_S_squeezeblocks(d, 1, s, state);
- for (i = 0; i < outlen % 32; i++) {
- out[i] = d[i];
- }
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state) {
- uint32_t w[16];
- uint64_t q[8], tmp_q;
- unsigned int i, j;
-
- br_range_dec32le(w, 16, in);
- for (i = 0; i < 4; i++) {
- br_aes_ct64_interleave_in(&q[i], &q[i + 4], w + (i << 2));
- }
- br_aes_ct64_ortho(q);
-
- /* AES rounds */
- for (i = 0; i < 5; i++) {
- for (j = 0; j < 2; j++) {
- br_aes_ct64_bitslice_Sbox(q);
- shift_rows(q);
- mix_columns(q);
- add_round_key(q, state->tweaked512_rc64[2 * i + j]);
- }
- /* Mix states */
- for (j = 0; j < 8; j++) {
- tmp_q = q[j];
- q[j] = (tmp_q & 0x0001000100010001) << 5 |
- (tmp_q & 0x0002000200020002) << 12 |
- (tmp_q & 0x0004000400040004) >> 1 |
- (tmp_q & 0x0008000800080008) << 6 |
- (tmp_q & 0x0020002000200020) << 9 |
- (tmp_q & 0x0040004000400040) >> 4 |
- (tmp_q & 0x0080008000800080) << 3 |
- (tmp_q & 0x2100210021002100) >> 5 |
- (tmp_q & 0x0210021002100210) << 2 |
- (tmp_q & 0x0800080008000800) << 4 |
-
(tmp_q & 0x1000100010001000) >> 12 |
- (tmp_q & 0x4000400040004000) >> 10 |
- (tmp_q & 0x8400840084008400) >> 3;
- }
- }
-
- br_aes_ct64_ortho(q);
- for (i = 0; i < 4; i ++) {
- br_aes_ct64_interleave_out(w + (i << 2), q[i], q[i + 4]);
- }
- br_range_enc32le(out, w, 16);
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state) {
- int i;
-
- unsigned char buf[64];
-
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka512_perm(buf, in, state);
- /* Feed-forward */
- for (i = 0; i < 64; i++) {
- buf[i] = buf[i] ^ in[i];
- }
-
- /* Truncated */
- memcpy(out, buf + 8, 8);
- memcpy(out + 8, buf + 24, 8);
- memcpy(out + 16, buf + 32, 8);
- memcpy(out + 24, buf + 48, 8);
-}
-
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state) {
- uint32_t q[8], tmp_q;
- int i, j;
-
- for (i = 0; i < 4; i++) {
- q[2 * i] = br_dec32le(in + 4 * i);
- q[2 * i + 1] = br_dec32le(in + 4 * i + 16);
- }
- br_aes_ct_ortho(q);
-
- /* AES rounds */
- for (i = 0; i < 5; i++) {
- for (j = 0; j < 2; j++) {
- br_aes_ct_bitslice_Sbox(q);
- shift_rows32(q);
- mix_columns32(q);
- add_round_key32(q, state->tweaked256_rc32[2 * i + j]);
- }
-
- /* Mix states */
- for (j = 0; j < 8; j++) {
- tmp_q = q[j];
- q[j] = (tmp_q & 0x81818181) |
- (tmp_q & 0x02020202) << 1 |
- (tmp_q & 0x04040404) << 2 |
- (tmp_q & 0x08080808) << 3 |
- (tmp_q & 0x10101010) >> 3 |
- (tmp_q & 0x20202020) >> 2 |
- (tmp_q & 0x40404040) >> 1;
- }
- }
-
- br_aes_ct_ortho(q);
- for (i = 0; i < 4; i++) {
- br_enc32le(out + 4 * i, q[2 * i]);
- br_enc32le(out + 4 * i + 16, q[2 * i + 1]);
- }
-
- for (i = 0; i < 32; i++) {
- out[i] ^= in[i];
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state) {
- uint32_t q[8], tmp_q;
- int i, j;
-
- for (i = 0; i < 4; i++) {
- q[2 * i] = br_dec32le(in + 4 * i);
- q[2 * i + 1] = br_dec32le(in + 4
* i + 16);
- }
- br_aes_ct_ortho(q);
-
- /* AES rounds */
- for (i = 0; i < 5; i++) {
- for (j = 0; j < 2; j++) {
- br_aes_ct_bitslice_Sbox(q);
- shift_rows32(q);
- mix_columns32(q);
- add_round_key32(q, state->tweaked256_rc32_sseed[2 * i + j]);
- }
-
- /* Mix states */
- for (j = 0; j < 8; j++) {
- tmp_q = q[j];
- q[j] = (tmp_q & 0x81818181) |
- (tmp_q & 0x02020202) << 1 |
- (tmp_q & 0x04040404) << 2 |
- (tmp_q & 0x08080808) << 3 |
- (tmp_q & 0x10101010) >> 3 |
- (tmp_q & 0x20202020) >> 2 |
- (tmp_q & 0x40404040) >> 1;
- }
- }
-
- br_aes_ct_ortho(q);
- for (i = 0; i < 4; i++) {
- br_enc32le(out + 4 * i, q[2 * i]);
- br_enc32le(out + 4 * i + 16, q[2 * i + 1]);
- }
-
- for (i = 0; i < 32; i++) {
- out[i] ^= in[i];
- }
-}
diff --git a/crypto_sign/sphincs-haraka-256f-simple/clean/haraka.h b/crypto_sign/sphincs-haraka-256f-simple/clean/haraka.h
deleted file mode 100644
index 5588763b..00000000
--- a/crypto_sign/sphincs-haraka-256f-simple/clean/haraka.h
+++ /dev/null
@@ -1,40 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_HARAKA_H
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_HARAKA_H
-
-#include
-#include
-
-typedef struct {
- uint64_t tweaked512_rc64[10][8];
- uint32_t tweaked256_rc32[10][8];
- uint32_t tweaked256_rc32_sseed[10][8];
-} harakactx;
-
-/* Tweak constants with seed */
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length);
-
-/* Haraka Sponge */
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S_inc_init(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S_inc_finalize(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S(
- unsigned char *out, unsigned long long outlen,
- const unsigned char *in, unsigned long long inlen, const harakactx *state);
-
-/* Applies the 512-bit Haraka permutation to in. */
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-512 */
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 */
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 using sk.seed constants */
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-simple/clean/hash.h b/crypto_sign/sphincs-haraka-256f-simple/clean/hash.h
deleted file mode 100644
index 15cd5a7e..00000000
--- a/crypto_sign/sphincs-haraka-256f-simple/clean/hash.h
+++ /dev/null
@@ -1,31 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_HASH_H
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_HASH_H
-
-#include "hash_state.h"
-
-#include
-#include
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed);
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_destroy_hash_function(hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-simple/clean/hash_haraka.c b/crypto_sign/sphincs-haraka-256f-simple/clean/hash_haraka.c
deleted file mode 100644
index da320bd2..00000000
--- a/crypto_sign/sphincs-haraka-256f-simple/clean/hash_haraka.c
+++ /dev/null
@@ -1,96 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "haraka.h"
-#include "hash.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed) {
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_tweak_constants(hash_state_seeded, pub_seed, sk_seed, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N);
-}
-
-/* The haraka implementation is stack based and won't be replaced in PQClean/OQS,
- so we don't need to do anything */
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_destroy_hash_function(
- hash_state *hash_state_seeded) { // NOLINT(readability-non-const-parameter)
- (void)hash_state_seeded;
-}
-
-/*
- * Computes PRF(key, addr), given a secret key of PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N bytes and an address
- */
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- unsigned char buf[PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_BYTES];
- /* Since PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N may be smaller than 32, we need a temporary buffer. */
- unsigned char outbuf[32];
-
- (void)key; /* Suppress an 'unused parameter' warning. */
-
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_addr_to_bytes(buf, addr);
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka256_sk(outbuf, buf, hash_state_seeded);
- memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N);
-}
-
-/**
- * Computes the message-dependent randomness R, using a secret seed and an
- * optional randomization value as well as the message.
- */
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded) {
- uint8_t s_inc[65];
-
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S_inc_init(s_inc);
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, sk_prf, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, optrand, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S_inc_finalize(s_inc);
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S_inc_squeeze(R, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, s_inc, hash_state_seeded);
-}
-
-/**
- * Computes the message hash using R, the public key, and the message.
- * Outputs the message digest and the index of the leaf. The index is split in
- * the tree index and the leaf index, for convenient copying to an address.
- */
-void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded) {
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_TREE_BITS (PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_TREE_HEIGHT * (PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_D - 1))
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_TREE_BYTES ((PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_TREE_BITS + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_LEAF_BITS PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_TREE_HEIGHT
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_LEAF_BYTES ((PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_LEAF_BITS + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_DGST_BYTES (PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_MSG_BYTES + PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_TREE_BYTES + PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_LEAF_BYTES)
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_DGST_BYTES];
- unsigned char *bufp = buf;
- uint8_t s_inc[65];
-
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S_inc_init(s_inc);
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, R, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, pk + PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S_inc_finalize(s_inc);
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S_inc_squeeze(buf, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_DGST_BYTES, s_inc, hash_state_seeded);
-
- memcpy(digest, bufp, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_MSG_BYTES);
- bufp += PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_MSG_BYTES;
-
- *tree = PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_bytes_to_ull(bufp,
PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_TREE_BYTES);
- *tree &= (~(uint64_t)0) >> (64 - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_TREE_BITS);
- bufp += PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_TREE_BYTES;
-
- *leaf_idx = (uint32_t)PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_bytes_to_ull(
- bufp, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_LEAF_BYTES);
- *leaf_idx &= (~(uint32_t)0) >> (32 - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_LEAF_BITS);
-}
diff --git a/crypto_sign/sphincs-haraka-256f-simple/clean/hash_state.h b/crypto_sign/sphincs-haraka-256f-simple/clean/hash_state.h
deleted file mode 100644
index 5adb1d9a..00000000
--- a/crypto_sign/sphincs-haraka-256f-simple/clean/hash_state.h
+++ /dev/null
@@ -1,26 +0,0 @@
-#ifndef SPX_HASH_STATE_H
-#define SPX_HASH_STATE_H
-
-/**
- * Defines the type of the hash function state.
- *
- * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
- *
- * From Section 7.2.2 from the SPHINCS+ round-2 specification:
- *
- * Each of the instances of the tweakable hash function take PK.seed as its
- * first input, which is constant for a given key pair – and, thus, across
- * a single signature. This leads to a lot of redundant computation. To remedy
- * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
- * Because of the Merkle-Damgård construction that underlies SHA-256, this
- * allows for reuse of the intermediate SHA-256 state after the initial call to
- * the compression function which improves performance.
- *
- * We pass this hash state around in functions, because otherwise we need to
- * have a global variable.
- */
-
-#include "haraka.h"
-#define hash_state harakactx
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-simple/clean/params.h b/crypto_sign/sphincs-haraka-256f-simple/clean/params.h
deleted file mode 100644
index d14d3d9a..00000000
--- a/crypto_sign/sphincs-haraka-256f-simple/clean/params.h
+++ /dev/null
@@ -1,53 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_PARAMS_H
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_PARAMS_H
-
-/* Hash output length in bytes. */
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N 32
-/* Height of the hypertree. */
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FULL_HEIGHT 68
-/* Number of subtree layer. */
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_D 17
-/* FORS tree dimensions. */
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_HEIGHT 10
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_TREES 30
-/* Winternitz parameter, */
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_W 16
-
-/* The hash function is defined by linking a different hash.c file, as opposed
- to setting a #define constant. */
-
-/* For clarity */
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_BYTES 32
-
-/* WOTS parameters. */
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_LOGW 4
-
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_LEN1 (8 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N / PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_LOGW)
-
-/* PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_LEN2 3
-
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_LEN (PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_LEN1 + PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_LEN2)
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_BYTES (PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_LEN * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_PK_BYTES PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_BYTES
-
-/* Subtree size. */
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_TREE_HEIGHT (PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FULL_HEIGHT / PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_D)
-
-/* FORS parameters.
*/
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_MSG_BYTES ((PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_TREES + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_BYTES ((PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_HEIGHT + 1) * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_PK_BYTES PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N
-
-/* Resulting SPX sizes. */
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_BYTES (PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N + PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_BYTES + PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_D * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_BYTES +\
- PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FULL_HEIGHT * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_PK_BYTES (2 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_SK_BYTES (2 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N + PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_PK_BYTES)
-
-/* Optionally, signing can be made non-deterministic using optrand.
- This can help counter side-channel attacks that would benefit from
- getting a large number of traces when the signer uses the same nodes. */
-#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_OPTRAND_BYTES 32
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256f-simple/clean/sign.c b/crypto_sign/sphincs-haraka-256f-simple/clean/sign.c
deleted file mode 100644
index 0c9a029f..00000000
--- a/crypto_sign/sphincs-haraka-256f-simple/clean/sign.c
+++ /dev/null
@@ -1,356 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "api.h" -#include "fors.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "randombytes.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - -/** - * Computes the leaf at a given address. First generates the WOTS key pair, - * then computes leaf by hashing horizontally. - */ -static void wots_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx, const uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - unsigned char pk[PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_BYTES]; - uint32_t wots_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_TYPE_WOTSPK); - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_keypair_addr( - wots_addr, addr_idx); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_wots_gen_pk( - pk, sk_seed, pub_seed, wots_addr, hash_state_seeded); - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_copy_keypair_addr( - wots_pk_addr, wots_addr); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_thash_WOTS_LEN( - leaf, pk, pub_seed, wots_pk_addr, hash_state_seeded); -} - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_crypto_sign_secretkeybytes(void) { - return PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_CRYPTO_SECRETKEYBYTES; -} - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_crypto_sign_publickeybytes(void) { - return PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_CRYPTO_PUBLICKEYBYTES; -} - -/* - * Returns the length of a signature, in bytes - */ -size_t 
PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_crypto_sign_bytes(void) { - return PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_CRYPTO_BYTES; -} - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_crypto_sign_seedbytes(void) { - return PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_CRYPTO_SEEDBYTES; -} - -/* - * Generates an SPX key pair given a seed of length - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_crypto_sign_seed_keypair( - uint8_t *pk, uint8_t *sk, const uint8_t *seed) { - /* We do not need the auth path in key generation, but it simplifies the - code to have just one treehash routine that computes both root and path - in one function. */ - unsigned char auth_path[PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N]; - uint32_t top_tree_addr[8] = {0}; - hash_state hash_state_seeded; - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_layer_addr( - top_tree_addr, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_D - 1); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_type( - top_tree_addr, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_TYPE_HASHTREE); - - /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */ - memcpy(sk, seed, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_CRYPTO_SEEDBYTES); - - memcpy(pk, sk + 2 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_initialize_hash_function(&hash_state_seeded, pk, sk); - - /* Compute root node of the top-most subtree. 
*/ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_treehash_TREE_HEIGHT( - sk + 3 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, auth_path, sk, sk + 2 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, 0, 0, - wots_gen_leaf, top_tree_addr, &hash_state_seeded); - - memcpy(pk + PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, sk + 3 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N); - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_destroy_hash_function(&hash_state_seeded); - return 0; -} - -/* - * Generates an SPX key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk) { - unsigned char seed[PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_CRYPTO_SEEDBYTES]; - randombytes(seed, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_CRYPTO_SEEDBYTES); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_crypto_sign_seed_keypair( - pk, sk, seed); - - return 0; -} - -/** - * Returns an array containing a detached signature. - */ -int PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - const unsigned char *sk_seed = sk; - const unsigned char *sk_prf = sk + PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N; - const unsigned char *pk = sk + 2 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N; - const unsigned char *pub_seed = pk; - - unsigned char optrand[PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N]; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_MSG_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N]; - uint32_t i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - - hash_state hash_state_seeded; - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_initialize_hash_function( - &hash_state_seeded, - pub_seed, sk_seed); - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_TYPE_HASHTREE); - - /* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. */ - randombytes(optrand, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N); - /* Compute the digest randomization value. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_gen_message_random( - sig, sk_prf, optrand, m, mlen, &hash_state_seeded); - - /* Derive the message digest and leaf index from R, PK and M. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N; - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - /* Sign the message hash using FORS. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_fors_sign( - sig, root, mhash, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_BYTES; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_D; i++) { - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - /* Compute a WOTS signature. 
*/ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_wots_sign( - sig, root, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_BYTES; - - /* Compute the authentication path for the used WOTS leaf. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_treehash_TREE_HEIGHT( - root, sig, sk_seed, pub_seed, idx_leaf, 0, - wots_gen_leaf, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_TREE_HEIGHT; - } - - *siglen = PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_BYTES; - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_destroy_hash_function(&hash_state_seeded); - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - const unsigned char *pub_seed = pk; - const unsigned char *pub_root = pk + PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_MSG_BYTES]; - unsigned char wots_pk[PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N]; - unsigned int i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - hash_state hash_state_seeded; - - if (siglen != PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_BYTES) { - return -1; - } - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_initialize_hash_function( - &hash_state_seeded, - pub_seed, NULL); - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_TYPE_HASHTREE); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_TYPE_WOTSPK); - - /* Derive the message digest and leaf index from R || PK || M. */ - /* The additional PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N is a result of the hash domain separator. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N; - - /* Layer correctly defaults to 0, so no need to set_layer_addr */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_fors_pk_from_sig( - root, sig, mhash, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_BYTES; - - /* For each subtree.. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_D; i++) { - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_copy_keypair_addr( - wots_pk_addr, wots_addr); - - /* The WOTS public key is only correct if the signature was correct. */ - /* Initially, root is the FORS pk, but on subsequent iterations it is - the root of the subtree below the currently processed subtree. 
*/ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_wots_pk_from_sig( - wots_pk, sig, root, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_BYTES; - - /* Compute the leaf node using the WOTS public key. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_thash_WOTS_LEN( - leaf, wots_pk, pub_seed, wots_pk_addr, &hash_state_seeded); - - /* Compute the root node of this subtree. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_compute_root( - root, leaf, idx_leaf, 0, sig, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_TREE_HEIGHT, - pub_seed, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_TREE_HEIGHT; - } - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_destroy_hash_function(&hash_state_seeded); - /* Check if the root node equals the root node in the public key. */ - if (memcmp(root, pub_root, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N) != 0) { - return -1; - } - - return 0; -} - - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - size_t siglen; - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_crypto_sign_signature( - sm, &siglen, m, mlen, sk); - - memmove(sm + PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_BYTES, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. 
- */ -int PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk) { - /* The API caller does not necessarily know what size a signature should be - but SPHINCS+ signatures are always exactly PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_BYTES. */ - if (smlen < PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_BYTES) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_BYTES; - - if (PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_crypto_sign_verify( - sm, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_BYTES, sm + PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_BYTES, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_BYTES, *mlen); - - return 0; -} diff --git a/crypto_sign/sphincs-haraka-256f-simple/clean/thash.h b/crypto_sign/sphincs-haraka-256f-simple/clean/thash.h deleted file mode 100644 index 8bd21a97..00000000 --- a/crypto_sign/sphincs-haraka-256f-simple/clean/thash.h +++ /dev/null 
@@ -1,28 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_THASH_H -#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_THASH_H - -#include "hash_state.h" - -#include - -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-256f-simple/clean/thash_haraka_simple.c b/crypto_sign/sphincs-haraka-256f-simple/clean/thash_haraka_simple.c deleted file mode 100644 index 2b741840..00000000 --- a/crypto_sign/sphincs-haraka-256f-simple/clean/thash_haraka_simple.c +++ /dev/null 
@@ -1,83 +0,0 @@ -#include -#include - -#include "address.h" -#include "params.h" -#include "thash.h" - -#include "haraka.h" - -/** - * Takes an array of inblocks concatenated arrays of PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N bytes. - */ -static void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_thash( - unsigned char *out, unsigned char *buf, - const unsigned char *in, unsigned int inblocks, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char outbuf[32]; - unsigned char buf_tmp[64]; - - (void)pub_seed; /* Suppress an 'unused parameter' warning. */ - - if (inblocks == 1) { - /* F function */ - /* Since PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N may be smaller than 32, we need a temporary buffer. */ - memset(buf_tmp, 0, 64); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_addr_to_bytes(buf_tmp, addr); - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_BYTES, in, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N); - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka512(outbuf, buf_tmp, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N); - } else { - /* All other tweakable hashes*/ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_addr_to_bytes(buf, addr); - memcpy(buf + PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N); - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_haraka_S( - out, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, buf, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_BYTES + inblocks * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, hash_state_seeded); - } -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_BYTES + 1 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N]; - 
PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_thash( - out, buf, in, 1, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_BYTES + 2 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_thash( - out, buf, in, 2, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_LEN * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_thash( - out, buf, in, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_LEN, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_thash( - out, buf, in, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_TREES, pub_seed, addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-256f-simple/clean/utils.c b/crypto_sign/sphincs-haraka-256f-simple/clean/utils.c deleted file mode 100644 index 1051de96..00000000 --- a/crypto_sign/sphincs-haraka-256f-simple/clean/utils.c +++ /dev/null 
@@ -1,199 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" -#include "utils.h" - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in) { - - /* Iterate over out in decreasing order, for big-endianness. */ - for (size_t i = outlen; i > 0; i--) { - out[i - 1] = in & 0xff; - in = in >> 8; - } -} - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_bytes_to_ull( - const unsigned char *in, size_t inlen) { - unsigned long long retval = 0; - - for (size_t i = 0; i < inlen; i++) { - retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i)); - } - return retval; -} - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - unsigned char buffer[2 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N]; - - /* If leaf_idx is odd (last bit = 1), current path element is a right child - and auth_path has to go left. Otherwise it is the other way around. 
*/ - if (leaf_idx & 1) { - memcpy(buffer + PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, leaf, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N); - } else { - memcpy(buffer, leaf, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, auth_path, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N; - - for (i = 0; i < tree_height - 1; i++) { - leaf_idx >>= 1; - idx_offset >>= 1; - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_tree_height(addr, i + 1); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_tree_index( - addr, leaf_idx + idx_offset); - - /* Pick the right or left neighbor, depending on parity of the node. */ - if (leaf_idx & 1) { - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_thash_2( - buffer + PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N); - } else { - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_thash_2( - buffer, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, auth_path, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N; - } - - /* The last iteration is exceptional; we do not copy an auth_path node. */ - leaf_idx >>= 1; - idx_offset >>= 1; - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_tree_height(addr, tree_height); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_tree_index( - addr, leaf_idx + idx_offset); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_thash_2( - root, buffer, pub_seed, addr, hash_state_seeded); -} - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. 
PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -static void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_treehash( - unsigned char *root, unsigned char *auth_path, - unsigned char *stack, unsigned int *heights, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - - unsigned int offset = 0; - uint32_t idx; - uint32_t tree_idx; - - for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) { - /* Add the next leaf node to the stack. */ - gen_leaf(stack + offset * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, - sk_seed, pub_seed, idx + idx_offset, tree_addr, - hash_state_seeded); - offset++; - heights[offset - 1] = 0; - - /* If this is a node we need for the auth path.. */ - if ((leaf_idx ^ 0x1) == idx) { - memcpy(auth_path, stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N); - } - - /* While the top-most nodes are of equal height.. */ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { - /* Compute index of the new node, in the next layer. */ - tree_idx = (idx >> (heights[offset - 1] + 1)); - - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_tree_height( - tree_addr, heights[offset - 1] + 1); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_tree_index( - tree_addr, tree_idx + (idx_offset >> (heights[offset - 1] + 1))); - /* Hash the top-most nodes from the stack together. 
*/ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_thash_2( - stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, - pub_seed, tree_addr, hash_state_seeded); - offset--; - /* Note that the top-most node is now one layer higher. */ - heights[offset - 1]++; - - /* If this is a node we need for the auth path.. */ - if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) { - memcpy(auth_path + heights[offset - 1]*PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, - stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N); - } - } - } - memcpy(root, stack, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N); -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_FORS_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* 
leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_TREE_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_TREE_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_TREE_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-256f-simple/clean/utils.h b/crypto_sign/sphincs-haraka-256f-simple/clean/utils.h deleted file mode 100644 index 57fe2f4a..00000000 --- a/crypto_sign/sphincs-haraka-256f-simple/clean/utils.h +++ /dev/null 
@@ -1,64 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_UTILS_H -#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_UTILS_H - -#include "hash_state.h" -#include "params.h" -#include -#include - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in); - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_bytes_to_ull( - const unsigned char *in, size_t inlen); - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. 
- */ -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-256f-simple/clean/wots.c b/crypto_sign/sphincs-haraka-256f-simple/clean/wots.c deleted file mode 100644 index 214f4826..00000000 --- a/crypto_sign/sphincs-haraka-256f-simple/clean/wots.c +++ /dev/null 
@@ -1,167 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - -// TODO clarify address expectations, and make them more uniform. -// TODO i.e. do we expect types to be set already? -// TODO and do we expect modifications or copies? - -/** - * Computes the starting value for a chain, i.e. the secret key. - * Expects the address to be complete up to the chain address. - */ -static void wots_gen_sk(unsigned char *sk, const unsigned char *sk_seed, - uint32_t wots_addr[8], - const hash_state *hash_state_seeded) { - /* Make sure that the hash address is actually zeroed. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_hash_addr(wots_addr, 0); - - /* Generate sk element. */ - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_prf_addr(sk, sk_seed, wots_addr, hash_state_seeded); -} - -/** - * Computes the chaining function. - * out and in have to be n-byte arrays. - * - * Interprets in as start-th value of the chain. - * addr has to contain the address of the chain. - */ -static void gen_chain(unsigned char *out, const unsigned char *in, - unsigned int start, unsigned int steps, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - - /* Initialize out with the value at position 'start'. */ - memcpy(out, in, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N); - - /* Iterate 'steps' calls to the hash function. */ - for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_W; i++) { - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_hash_addr(addr, i); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_thash_1( - out, out, pub_seed, addr, hash_state_seeded); - } -} - -/** - * base_w algorithm as described in draft. - * Interprets an array of bytes as integers in base w. - * This only works when log_w is a divisor of 8. 
- */ -static void base_w(unsigned int *output, const size_t out_len, - const unsigned char *input) { - size_t in = 0; - size_t out = 0; - unsigned char total = 0; - unsigned int bits = 0; - size_t consumed; - - for (consumed = 0; consumed < out_len; consumed++) { - if (bits == 0) { - total = input[in]; - in++; - bits += 8; - } - bits -= PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_LOGW; - output[out] = (unsigned int)((total >> bits) & (PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_W - 1)); - out++; - } -} - -/* Computes the WOTS+ checksum over a message (in base_w). */ -static void wots_checksum(unsigned int *csum_base_w, - const unsigned int *msg_base_w) { - unsigned int csum = 0; - unsigned char csum_bytes[(PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_LOGW + 7) / 8]; - unsigned int i; - - /* Compute checksum. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_LEN1; i++) { - csum += PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_W - 1 - msg_base_w[i]; - } - - /* Convert checksum to base_w. */ - /* Make sure expected empty zero bits are the least significant bits. */ - csum = csum << (8 - ((PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_LOGW) % 8)); - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_ull_to_bytes( - csum_bytes, sizeof(csum_bytes), csum); - base_w(csum_base_w, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_LEN2, csum_bytes); -} - -/* Takes a message and derives the matching chain lengths. */ -static void chain_lengths(unsigned int *lengths, const unsigned char *msg) { - base_w(lengths, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_LEN1, msg); - wots_checksum(lengths + PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_LEN1, lengths); -} - -/** - * WOTS key generation. Takes a 32 byte sk_seed, expands it to WOTS private key - * elements and computes the corresponding public key. 
- * It requires the seed pub_seed (used to generate bitmasks and hash keys) - * and the address of this WOTS key pair. - * - * Writes the computed public key to 'pk'. - */ -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_wots_gen_pk( - unsigned char *pk, const unsigned char *sk_seed, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_chain_addr(addr, i); - wots_gen_sk(pk + i * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, sk_seed, addr, hash_state_seeded); - gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, pk + i * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, - 0, PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_W - 1, pub_seed, addr, hash_state_seeded); - } -} - -/** - * Takes a n-byte message and the 32-byte sk_see to compute a signature 'sig'. - */ -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_wots_sign( - unsigned char *sig, const unsigned char *msg, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t addr[8], const hash_state *hash_state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_chain_addr(addr, i); - wots_gen_sk(sig + i * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, sk_seed, addr, hash_state_seeded); - gen_chain(sig + i * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, sig + i * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, 0, lengths[i], pub_seed, addr, hash_state_seeded); - } -} - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. 
- */ -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_wots_pk_from_sig( - unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_set_chain_addr(addr, i); - gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, sig + i * PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_N, - lengths[i], PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_W - 1 - lengths[i], pub_seed, addr, - hash_state_seeded); - } -} diff --git a/crypto_sign/sphincs-haraka-256f-simple/clean/wots.h b/crypto_sign/sphincs-haraka-256f-simple/clean/wots.h deleted file mode 100644 index 3c65111b..00000000 --- a/crypto_sign/sphincs-haraka-256f-simple/clean/wots.h +++ /dev/null 
@@ -1,41 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_H -#define PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_WOTS_H - -#include "hash_state.h" -#include "params.h" -#include - -/** - * WOTS key generation. Takes a 32 byte seed for the private key, expands it to - * a full WOTS private key and computes the corresponding public key. - * It requires the seed pub_seed (used to generate bitmasks and hash keys) - * and the address of this WOTS key pair. - * - * Writes the computed public key to 'pk'. - */ -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_wots_gen_pk( - unsigned char *pk, const unsigned char *sk_seed, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -/** - * Takes a n-byte message and the 32-byte seed for the private key to compute a - * signature that is placed at 'sig'. - */ -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_wots_sign( - unsigned char *sig, const unsigned char *msg, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t addr[8], const hash_state *hash_state_seeded); - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. - */ -void PQCLEAN_SPHINCSHARAKA256FSIMPLE_CLEAN_wots_pk_from_sig( - unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-256s-robust/META.yml b/crypto_sign/sphincs-haraka-256s-robust/META.yml deleted file mode 100644 index cebde62d..00000000 --- a/crypto_sign/sphincs-haraka-256s-robust/META.yml +++ /dev/null 
@@ -1,35 +0,0 @@ -name: SPHINCS+ -type: signature -claimed-nist-level: 5 -length-public-key: 64 -length-secret-key: 128 -length-signature: 29792 -testvectors-sha256: 10ea3f99d8899cc82d3a21f2198e93f32585b1c08022e57c1984b0811336f09f -nistkat-sha256: a419bdba92da2d07f99c3c3ba4f776b955244a7c3b565816c7fd2151f6c3363f -principal-submitters: - - Andreas Hülsing -auxiliary-submitters: - - Jean-Philippe Aumasson - - Daniel J. Bernstein, - - Christoph Dobraunig - - Maria Eichlseder - - Scott Fluhrer - - Stefan-Lukas Gazdag - - Panos Kampanakis - - Stefan Kölbl - - Tanja Lange - - Martin M. Lauridsen - - Florian Mendel - - Ruben Niederhagen - - Christian Rechberger - - Joost Rijneveld - - Peter Schwabe -implementations: - - name: clean - version: https://github.com/sphincs/sphincsplus/commit/77755c94d0bc744478044d6efbb888dc13156441 - - name: aesni - version: https://github.com/sphincs/sphincsplus/commit/77755c94d0bc744478044d6efbb888dc13156441 - supported_platforms: - - architecture: x86_64 - required_flags: - - aes diff --git a/crypto_sign/sphincs-haraka-256s-robust/aesni/LICENSE b/crypto_sign/sphincs-haraka-256s-robust/aesni/LICENSE deleted file mode 100644 index 670154e3..00000000 --- a/crypto_sign/sphincs-haraka-256s-robust/aesni/LICENSE +++ /dev/null 
@@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. 
publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. 
Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. 
Affirmer offers the Work as-is and makes no representations or warranties - of any kind concerning the Work, express, implied, statutory or otherwise, - including without limitation warranties of title, merchantability, fitness - for a particular purpose, non infringement, or the absence of latent or - other defects, accuracy, or the present or absence of errors, whether or not - discoverable, all to the greatest extent permissible under applicable law. - - c. Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without limitation - any person's Copyright and Related Rights in the Work. Further, Affirmer - disclaims responsibility for obtaining any necessary consents, permissions - or other rights required for any use of the Work. - - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to this - CC0 or use of the Work. - -For more information, please see - diff --git a/crypto_sign/sphincs-haraka-256s-robust/aesni/Makefile.Microsoft_nmake b/crypto_sign/sphincs-haraka-256s-robust/aesni/Makefile.Microsoft_nmake deleted file mode 100644 index 0c7d36c6..00000000 --- a/crypto_sign/sphincs-haraka-256s-robust/aesni/Makefile.Microsoft_nmake +++ /dev/null 
@@ -1,23 +0,0 @@ -# This Makefile can be used with Microsoft Visual Studio's nmake using the command: -# nmake /f Makefile.Microsoft_nmake - -LIBRARY=libsphincs-haraka-256s-robust_aesni.lib -OBJECTS=address.obj wots.obj utils.obj utilsx4.obj fors.obj sign.obj hash_haraka.obj thash_haraka_robust.obj hash_harakax4.obj thash_haraka_robustx4.obj haraka.obj - -# We ignore warning C4127: in thash_haraka_*x4.c we use a conditional -# that when the macro is generated for inblocks = 1 results in a case -# with `if (1 == 1)`. The compiler should just optimise this away, but -# on MSVC we get a compiler complaint. -CFLAGS=/nologo /arch:AVX /O2 /I ..\..\..\common /W4 /WX /wd4127 - -all: $(LIBRARY) - -# Make sure objects are recompiled if headers change. -$(OBJECTS): *.h - -$(LIBRARY): $(OBJECTS) - LIB.EXE /NOLOGO /WX /OUT:$@ $** - -clean: - -DEL $(OBJECTS) - -DEL $(LIBRARY) diff --git a/crypto_sign/sphincs-haraka-256s-robust/aesni/address.c b/crypto_sign/sphincs-haraka-256s-robust/aesni/address.c deleted file mode 100644 index 3253b0b9..00000000 --- a/crypto_sign/sphincs-haraka-256s-robust/aesni/address.c +++ /dev/null 
@@ -1,78 +0,0 @@ -#include - -#include "address.h" -#include "params.h" -#include "utils.h" - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_addr_to_bytes( - unsigned char *bytes, const uint32_t addr[8]) { - int i; - - for (i = 0; i < 8; i++) { - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ull_to_bytes( - bytes + i * 4, 4, addr[i]); - } -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_layer_addr( - uint32_t addr[8], uint32_t layer) { - addr[0] = layer; -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_tree_addr( - uint32_t addr[8], uint64_t tree) { - addr[1] = 0; - addr[2] = (uint32_t) (tree >> 32); - addr[3] = (uint32_t) tree; -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_type( - uint32_t addr[8], uint32_t type) { - addr[4] = type; -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_copy_subtree_addr( - uint32_t out[8], const uint32_t in[8]) { - out[0] = in[0]; - out[1] = in[1]; - out[2] = in[2]; - out[3] = in[3]; -} - -/* These functions are used for OTS addresses. */ - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_keypair_addr( - uint32_t addr[8], uint32_t keypair) { - addr[5] = keypair; -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_copy_keypair_addr( - uint32_t out[8], const uint32_t in[8]) { - out[0] = in[0]; - out[1] = in[1]; - out[2] = in[2]; - out[3] = in[3]; - out[5] = in[5]; -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_chain_addr( - uint32_t addr[8], uint32_t chain) { - addr[6] = chain; -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_hash_addr( - uint32_t addr[8], uint32_t hash) { - addr[7] = hash; -} - -/* These functions are used for all hash tree addresses (including FORS). */ - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_tree_height( - uint32_t addr[8], uint32_t tree_height) { - addr[6] = tree_height; -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_tree_index( - uint32_t addr[8], uint32_t tree_index) { - addr[7] = tree_index; -} 
diff --git a/crypto_sign/sphincs-haraka-256s-robust/aesni/address.h b/crypto_sign/sphincs-haraka-256s-robust/aesni/address.h
deleted file mode 100644
index 1218edb9..00000000
--- a/crypto_sign/sphincs-haraka-256s-robust/aesni/address.h
+++ /dev/null
@@ -1,50 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDRESS_H -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDRESS_H - -#include - -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_TYPE_WOTS 0 -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_TYPE_WOTSPK 1 -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_TYPE_HASHTREE 2 -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_TYPE_FORSTREE 3 -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_TYPE_FORSPK 4 - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_addr_to_bytes( - unsigned char *bytes, const uint32_t addr[8]); - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_layer_addr( - uint32_t addr[8], uint32_t layer); - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_tree_addr( - uint32_t addr[8], uint64_t tree); - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_type( - uint32_t addr[8], uint32_t type); - -/* Copies the layer and tree part of one address into the other */ -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_copy_subtree_addr( - uint32_t out[8], const uint32_t in[8]); - -/* These functions are used for WOTS and FORS addresses. */ - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_keypair_addr( - uint32_t addr[8], uint32_t keypair); - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_chain_addr( - uint32_t addr[8], uint32_t chain); - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_hash_addr( - uint32_t addr[8], uint32_t hash); - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_copy_keypair_addr( - uint32_t out[8], const uint32_t in[8]); - -/* These functions are used for all hash tree addresses (including FORS). */ - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_tree_height( - uint32_t addr[8], uint32_t tree_height); - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_tree_index( - uint32_t addr[8], uint32_t tree_index); - -#endif diff --git a/crypto_sign/sphincs-haraka-256s-robust/aesni/api.h b/crypto_sign/sphincs-haraka-256s-robust/aesni/api.h deleted file mode 100644 index bc26b0e1..00000000 
--- a/crypto_sign/sphincs-haraka-256s-robust/aesni/api.h
+++ /dev/null
@@ -1,81 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_API_H -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_API_H - -#include -#include - - - -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_CRYPTO_ALGNAME "SPHINCS+" - -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_CRYPTO_SECRETKEYBYTES 128 -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_CRYPTO_PUBLICKEYBYTES 64 -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_CRYPTO_BYTES 29792 -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_CRYPTO_SEEDBYTES 96 - - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_crypto_sign_secretkeybytes(void); - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_crypto_sign_publickeybytes(void); - -/* - * Returns the length of a signature, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_crypto_sign_bytes(void); - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_crypto_sign_seedbytes(void); - -/* - * Generates a SPHINCS+ key pair given a seed. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -int PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_crypto_sign_seed_keypair( - uint8_t *pk, uint8_t *sk, const uint8_t *seed); - -/* - * Generates a SPHINCS+ key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [root || PUB_SEED] - */ -int PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk); - -/** - * Returns an array containing a detached signature. - */ -int PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -/** - * Verifies a detached signature and message under a given public key. 
- */ -int PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk); - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk); - -/** - * Verifies a given signature-message pair under a given public key. - */ -int PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk); - -#endif diff --git a/crypto_sign/sphincs-haraka-256s-robust/aesni/fors.c b/crypto_sign/sphincs-haraka-256s-robust/aesni/fors.c deleted file mode 100644 index 2a36b634..00000000 --- a/crypto_sign/sphincs-haraka-256s-robust/aesni/fors.c +++ /dev/null 
@@ -1,206 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "fors.h" -#include "hash.h" -#include "hashx4.h" -#include "thash.h" -#include "thashx4.h" -#include "utils.h" -#include "utilsx4.h" - -static void fors_gen_skx4(unsigned char *sk0, - unsigned char *sk1, - unsigned char *sk2, - unsigned char *sk3, const unsigned char *sk_seed, - uint32_t fors_leaf_addrx4[4 * 8], - const hash_state *state_seeded) { - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_prf_addrx4(sk0, sk1, sk2, sk3, sk_seed, fors_leaf_addrx4, state_seeded); -} - -static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk, - const unsigned char *pub_seed, - uint32_t fors_leaf_addr[8], const hash_state *state_seeded) { - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_thash_1(leaf, sk, pub_seed, fors_leaf_addr, state_seeded); -} - -static void fors_sk_to_leafx4(unsigned char *leaf0, - unsigned char *leaf1, - unsigned char *leaf2, - unsigned char *leaf3, - const unsigned char *sk0, - const unsigned char *sk1, - const unsigned char *sk2, - const unsigned char *sk3, - const unsigned char *pub_seed, - uint32_t fors_leaf_addrx4[4 * 8], - const hash_state *state_seeded) { - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_thashx4_1(leaf0, leaf1, leaf2, leaf3, - sk0, sk1, sk2, sk3, pub_seed, fors_leaf_addrx4, state_seeded); -} - -static void fors_gen_leafx4(unsigned char *leaf0, - unsigned char *leaf1, - unsigned char *leaf2, - unsigned char *leaf3, - const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx0, - uint32_t addr_idx1, - uint32_t addr_idx2, - uint32_t addr_idx3, - const uint32_t fors_tree_addr[8], - const hash_state *state_seeded) { - uint32_t fors_leaf_addrx4[4 * 8] = {0}; - unsigned int j; - - /* Only copy the parts that must be kept in fors_leaf_addrx4. 
*/ - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_copy_keypair_addr(fors_leaf_addrx4 + j * 8, fors_tree_addr); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_type(fors_leaf_addrx4 + j * 8, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_TYPE_FORSTREE); - } - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_tree_index(fors_leaf_addrx4 + 0 * 8, addr_idx0); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_tree_index(fors_leaf_addrx4 + 1 * 8, addr_idx1); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_tree_index(fors_leaf_addrx4 + 2 * 8, addr_idx2); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_tree_index(fors_leaf_addrx4 + 3 * 8, addr_idx3); - - fors_gen_skx4(leaf0, leaf1, leaf2, leaf3, sk_seed, fors_leaf_addrx4, state_seeded); - fors_sk_to_leafx4(leaf0, leaf1, leaf2, leaf3, - leaf0, leaf1, leaf2, leaf3, pub_seed, fors_leaf_addrx4, state_seeded); -} - -/** - * Interprets m as PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_HEIGHT-bit unsigned integers. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_TREES bits. - * Assumes indices has space for PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_TREES integers. - */ -static void message_to_indices(uint32_t *indices, const unsigned char *m) { - unsigned int i, j; - unsigned int offset = 0; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_TREES; i++) { - indices[i] = 0; - for (j = 0; j < PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_HEIGHT; j++) { - indices[i] ^= (((uint32_t)m[offset >> 3] >> (offset & 0x7)) & 0x1) << j; - offset++; - } - } -} - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_TREES bits. 
- */ -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_fors_sign(unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const unsigned char *sk_seed, const unsigned char *pub_seed, - const uint32_t fors_addr[8], const hash_state *state_seeded) { - /* Round up to multiple of 4 to prevent out-of-bounds for x4 parallelism */ - uint32_t indices[(PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_TREES + 3) & ~3] = {0}; - unsigned char roots[((PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_TREES + 3) & ~3) * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N]; - /* Sign to a buffer, since we may not have a nice multiple of 4 and would - otherwise overrun the signature. */ - unsigned char sigbufx4[4 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N * (1 + PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_HEIGHT)]; - uint32_t fors_tree_addrx4[4 * 8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset[4] = {0}; - unsigned int i, j; - - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_copy_keypair_addr(fors_tree_addrx4 + j * 8, fors_addr); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_type(fors_tree_addrx4 + j * 8, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_TYPE_FORSTREE); - } - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_copy_keypair_addr(fors_pk_addr, fors_addr); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < ((PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_TREES + 3) & ~0x3); i += 4) { - for (j = 0; j < 4; j++) { - if (i + j < PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_TREES) { - idx_offset[j] = (i + j) * (1 << PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_HEIGHT); - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_tree_height(fors_tree_addrx4 + j * 8, 0); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_tree_index(fors_tree_addrx4 + j * 8, - indices[i + j] + idx_offset[j]); - } - } - - /* Include the secret key part that produces the selected leaf nodes. 
*/ - fors_gen_skx4(sigbufx4 + 0 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, - sigbufx4 + 1 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, - sigbufx4 + 2 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, - sigbufx4 + 3 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, - sk_seed, fors_tree_addrx4, state_seeded); - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_treehashx4_FORS_HEIGHT(roots + i * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, sigbufx4 + 4 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, sk_seed, pub_seed, - &indices[i], idx_offset, fors_gen_leafx4, fors_tree_addrx4, - state_seeded); - - for (j = 0; j < 4; j++) { - if (i + j < PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_TREES) { - memcpy(sig, sigbufx4 + j * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); - memcpy(sig + PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, - sigbufx4 + 4 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N + j * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_HEIGHT, - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_HEIGHT); - sig += PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N * (1 + PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_HEIGHT); - } - } - } - - /* Hash horizontally across all tree roots to derive the public key. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, state_seeded); -} - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_TREES bits. 
- */ -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_fors_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const unsigned char *pub_seed, - const uint32_t fors_addr[8], - const hash_state *state_seeded) { - uint32_t indices[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_TREES]; - unsigned char roots[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N]; - uint32_t fors_tree_addr[8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_copy_keypair_addr(fors_tree_addr, fors_addr); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_copy_keypair_addr(fors_pk_addr, fors_addr); - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_type(fors_tree_addr, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_TYPE_FORSTREE); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_TREES; i++) { - idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_HEIGHT); - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_tree_height(fors_tree_addr, 0); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_tree_index(fors_tree_addr, indices[i] + idx_offset); - - /* Derive the leaf from the included secret key part. */ - fors_sk_to_leaf(leaf, sig, pub_seed, fors_tree_addr, state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N; - - /* Derive the corresponding root node of this tree. 
*/ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_compute_root(roots + i * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, leaf, indices[i], idx_offset, - sig, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_HEIGHT, pub_seed, fors_tree_addr, - state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-256s-robust/aesni/fors.h b/crypto_sign/sphincs-haraka-256s-robust/aesni/fors.h deleted file mode 100644 index 3d8c9ba5..00000000 --- a/crypto_sign/sphincs-haraka-256s-robust/aesni/fors.h +++ /dev/null 
@@ -1,32 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_H
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_H
-
-#include
-
-#include "hash_state.h"
-#include "params.h"
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_fors_sign(
- unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- const uint32_t fors_addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_fors_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const unsigned char *pub_seed, const uint32_t fors_addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256s-robust/aesni/haraka.c b/crypto_sign/sphincs-haraka-256s-robust/aesni/haraka.c
deleted file mode 100644
index bd6cde24..00000000
--- a/crypto_sign/sphincs-haraka-256s-robust/aesni/haraka.c
+++ /dev/null
@@ -1,801 +0,0 @@ -/* -Plain C implementation of the Haraka256 and Haraka512 permutations. -*/ -#include -#include -#include -#include -#include - -#include "haraka.h" - -#define HARAKAS_RATE 32 - -#define u64 uint64_t -#define u128 __m128i - -#define LOAD(src) _mm_loadu_si128((u128 *)(src)) -#define STORE(dest,src) _mm_storeu_si128((u128 *)(dest),src) - -#define XOR128(a, b) _mm_xor_si128(a, b) - -#define AES2(s0, s1, rci) \ - (s0) = _mm_aesenc_si128(s0, *(rci)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 1)); \ - (s0) = _mm_aesenc_si128(s0, *((rci) + 2)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 3)); - -#define AES2_4x(s0, s1, s2, s3, rci) \ - AES2((s0)[0], (s0)[1], rci); \ - AES2((s1)[0], (s1)[1], rci); \ - AES2((s2)[0], (s2)[1], rci); \ - AES2((s3)[0], (s3)[1], rci); - -#define AES4(s0, s1, s2, s3, rci) \ - (s0) = _mm_aesenc_si128(s0, *(rci)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 1)); \ - (s2) = _mm_aesenc_si128(s2, *((rci) + 2)); \ - (s3) = _mm_aesenc_si128(s3, *((rci) + 3)); \ - (s0) = _mm_aesenc_si128(s0, *((rci) + 4)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 5)); \ - (s2) = _mm_aesenc_si128(s2, *((rci) + 6)); \ - (s3) = _mm_aesenc_si128(s3, *((rci) + 7)); - -#define AES4_4x(s0, s1, s2, s3, rci) \ - AES4((s0)[0], (s0)[1], (s0)[2], (s0)[3], rci); \ - AES4((s1)[0], (s1)[1], (s1)[2], (s1)[3], rci); \ - AES4((s2)[0], (s2)[1], (s2)[2], (s2)[3], rci); \ - AES4((s3)[0], (s3)[1], (s3)[2], (s3)[3], rci); - -#define MIX2(s0, s1) \ - tmp = _mm_unpacklo_epi32(s0, s1); \ - (s1) = _mm_unpackhi_epi32(s0, s1); \ - (s0) = tmp; - -#define MIX4(s0, s1, s2, s3) \ - tmp = _mm_unpacklo_epi32(s0, s1); \ - (s0) = _mm_unpackhi_epi32(s0, s1); \ - (s1) = _mm_unpacklo_epi32(s2, s3); \ - (s2) = _mm_unpackhi_epi32(s2, s3); \ - (s3) = _mm_unpacklo_epi32(s0, s2); \ - (s0) = _mm_unpackhi_epi32(s0, s2); \ - (s2) = _mm_unpackhi_epi32(s1, tmp); \ - (s1) = _mm_unpacklo_epi32(s1, tmp); - -#define TRUNCSTORE(out, s0, s1, s2, s3) \ - _mm_storeu_si128((u128 *)(out), \ - 
_mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(s0), _mm_castsi128_pd(s1), 3))); \ - _mm_storeu_si128((u128 *)((out) + 16), \ - _mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(s2), _mm_castsi128_pd(s3), 0))); - -static void load_haraka_constants(u128 rc[40]) { - rc[ 0] = _mm_set_epi32((int)0x0684704c, (int)0xe620c00a, (int)0xb2c5fef0, (int)0x75817b9d); - rc[ 1] = _mm_set_epi32((int)0x8b66b4e1, (int)0x88f3a06b, (int)0x640f6ba4, (int)0x2f08f717); - rc[ 2] = _mm_set_epi32((int)0x3402de2d, (int)0x53f28498, (int)0xcf029d60, (int)0x9f029114); - rc[ 3] = _mm_set_epi32((int)0x0ed6eae6, (int)0x2e7b4f08, (int)0xbbf3bcaf, (int)0xfd5b4f79); - rc[ 4] = _mm_set_epi32((int)0xcbcfb0cb, (int)0x4872448b, (int)0x79eecd1c, (int)0xbe397044); - rc[ 5] = _mm_set_epi32((int)0x7eeacdee, (int)0x6e9032b7, (int)0x8d5335ed, (int)0x2b8a057b); - rc[ 6] = _mm_set_epi32((int)0x67c28f43, (int)0x5e2e7cd0, (int)0xe2412761, (int)0xda4fef1b); - rc[ 7] = _mm_set_epi32((int)0x2924d9b0, (int)0xafcacc07, (int)0x675ffde2, (int)0x1fc70b3b); - rc[ 8] = _mm_set_epi32((int)0xab4d63f1, (int)0xe6867fe9, (int)0xecdb8fca, (int)0xb9d465ee); - rc[ 9] = _mm_set_epi32((int)0x1c30bf84, (int)0xd4b7cd64, (int)0x5b2a404f, (int)0xad037e33); - rc[10] = _mm_set_epi32((int)0xb2cc0bb9, (int)0x941723bf, (int)0x69028b2e, (int)0x8df69800); - rc[11] = _mm_set_epi32((int)0xfa0478a6, (int)0xde6f5572, (int)0x4aaa9ec8, (int)0x5c9d2d8a); - rc[12] = _mm_set_epi32((int)0xdfb49f2b, (int)0x6b772a12, (int)0x0efa4f2e, (int)0x29129fd4); - rc[13] = _mm_set_epi32((int)0x1ea10344, (int)0xf449a236, (int)0x32d611ae, (int)0xbb6a12ee); - rc[14] = _mm_set_epi32((int)0xaf044988, (int)0x4b050084, (int)0x5f9600c9, (int)0x9ca8eca6); - rc[15] = _mm_set_epi32((int)0x21025ed8, (int)0x9d199c4f, (int)0x78a2c7e3, (int)0x27e593ec); - rc[16] = _mm_set_epi32((int)0xbf3aaaf8, (int)0xa759c9b7, (int)0xb9282ecd, (int)0x82d40173); - rc[17] = _mm_set_epi32((int)0x6260700d, (int)0x6186b017, (int)0x37f2efd9, (int)0x10307d6b); - rc[18] = _mm_set_epi32((int)0x5aca45c2, 
(int)0x21300443, (int)0x81c29153, (int)0xf6fc9ac6); - rc[19] = _mm_set_epi32((int)0x9223973c, (int)0x226b68bb, (int)0x2caf92e8, (int)0x36d1943a); - rc[20] = _mm_set_epi32((int)0xd3bf9238, (int)0x225886eb, (int)0x6cbab958, (int)0xe51071b4); - rc[21] = _mm_set_epi32((int)0xdb863ce5, (int)0xaef0c677, (int)0x933dfddd, (int)0x24e1128d); - rc[22] = _mm_set_epi32((int)0xbb606268, (int)0xffeba09c, (int)0x83e48de3, (int)0xcb2212b1); - rc[23] = _mm_set_epi32((int)0x734bd3dc, (int)0xe2e4d19c, (int)0x2db91a4e, (int)0xc72bf77d); - rc[24] = _mm_set_epi32((int)0x43bb47c3, (int)0x61301b43, (int)0x4b1415c4, (int)0x2cb3924e); - rc[25] = _mm_set_epi32((int)0xdba775a8, (int)0xe707eff6, (int)0x03b231dd, (int)0x16eb6899); - rc[26] = _mm_set_epi32((int)0x6df3614b, (int)0x3c755977, (int)0x8e5e2302, (int)0x7eca472c); - rc[27] = _mm_set_epi32((int)0xcda75a17, (int)0xd6de7d77, (int)0x6d1be5b9, (int)0xb88617f9); - rc[28] = _mm_set_epi32((int)0xec6b43f0, (int)0x6ba8e9aa, (int)0x9d6c069d, (int)0xa946ee5d); - rc[29] = _mm_set_epi32((int)0xcb1e6950, (int)0xf957332b, (int)0xa2531159, (int)0x3bf327c1); - rc[30] = _mm_set_epi32((int)0x2cee0c75, (int)0x00da619c, (int)0xe4ed0353, (int)0x600ed0d9); - rc[31] = _mm_set_epi32((int)0xf0b1a5a1, (int)0x96e90cab, (int)0x80bbbabc, (int)0x63a4a350); - rc[32] = _mm_set_epi32((int)0xae3db102, (int)0x5e962988, (int)0xab0dde30, (int)0x938dca39); - rc[33] = _mm_set_epi32((int)0x17bb8f38, (int)0xd554a40b, (int)0x8814f3a8, (int)0x2e75b442); - rc[34] = _mm_set_epi32((int)0x34bb8a5b, (int)0x5f427fd7, (int)0xaeb6b779, (int)0x360a16f6); - rc[35] = _mm_set_epi32((int)0x26f65241, (int)0xcbe55438, (int)0x43ce5918, (int)0xffbaafde); - rc[36] = _mm_set_epi32((int)0x4ce99a54, (int)0xb9f3026a, (int)0xa2ca9cf7, (int)0x839ec978); - rc[37] = _mm_set_epi32((int)0xae51a51a, (int)0x1bdff7be, (int)0x40c06e28, (int)0x22901235); - rc[38] = _mm_set_epi32((int)0xa0c1613c, (int)0xba7ed22b, (int)0xc173bc0f, (int)0x48a659cf); - rc[39] = _mm_set_epi32((int)0x756acc03, (int)0x02288288, 
(int)0x4ad6bdfd, (int)0xe9c59da1); -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_tweak_constants( - harakactx *state, - const unsigned char *pk_seed, const unsigned char *sk_seed, - unsigned long long seed_length) { - int i; - unsigned char buf[40 * 16]; - - /* Use the standard constants to generate tweaked ones. */ - load_haraka_constants(state->rc); - - /* Constants for sk.seed */ - if (sk_seed != NULL) { - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_S(buf, 40 * 16, sk_seed, seed_length, state); - /* Tweak constants with the pub_seed */ - for (i = 0; i < 40; i++) { - state->rc_sseed[i] = LOAD(buf + i * 16); - } - } - - /* Constants for pk.seed */ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_S(buf, 40 * 16, pk_seed, seed_length, state); - - /* Tweak constants with the pub_seed */ - for (i = 0; i < 40; i++) { - state->rc[i] = LOAD(buf + i * 16); - } -} - -static void haraka_S_absorb(unsigned char *s, - const unsigned char *m, unsigned long long mlen, - unsigned char p, - const harakactx *state) { - unsigned long long i; - unsigned char t[HARAKAS_RATE]; - - while (mlen >= HARAKAS_RATE) { - // XOR block to state - STORE(s, XOR128(LOAD(s), LOAD(m))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(m + 16))); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka512_perm(s, s, state); - mlen -= HARAKAS_RATE; - m += HARAKAS_RATE; - } - - for (i = 0; i < HARAKAS_RATE; ++i) { - t[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t[i] = m[i]; - } - t[i] = p; - t[HARAKAS_RATE - 1] |= 128; - STORE(s, XOR128(LOAD(s), LOAD(t))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(t + 16))); -} - -static void haraka_S_absorb4x(unsigned char *s, - const unsigned char *m0, - const unsigned char *m1, - const unsigned char *m2, - const unsigned char *m3, - unsigned long long int mlen, - unsigned char p, - const harakactx *state) { - unsigned long long i; - unsigned char t0[HARAKAS_RATE]; - unsigned char t1[HARAKAS_RATE]; - unsigned char t2[HARAKAS_RATE]; - unsigned char t3[HARAKAS_RATE]; - - while (mlen 
>= HARAKAS_RATE) { - // XOR block to state - STORE(s, XOR128(LOAD(s), LOAD(m0))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(m0 + 16))); - STORE(s + 64, XOR128(LOAD(s + 64), LOAD(m1))); - STORE(s + 80, XOR128(LOAD(s + 80), LOAD(m1 + 16))); - STORE(s + 128, XOR128(LOAD(s + 128), LOAD(m2))); - STORE(s + 144, XOR128(LOAD(s + 144), LOAD(m2 + 16))); - STORE(s + 192, XOR128(LOAD(s + 192), LOAD(m3))); - STORE(s + 208, XOR128(LOAD(s + 208), LOAD(m3 + 16))); - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka512_perm_x4(s, s, state); - mlen -= HARAKAS_RATE; - m0 += HARAKAS_RATE; - m1 += HARAKAS_RATE; - m2 += HARAKAS_RATE; - m3 += HARAKAS_RATE; - } - - for (i = 0; i < HARAKAS_RATE; ++i) { - t0[i] = 0; - t1[i] = 0; - t2[i] = 0; - t3[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t0[i] = m0[i]; - t1[i] = m1[i]; - t2[i] = m2[i]; - t3[i] = m3[i]; - } - - t0[i] = p; - t1[i] = p; - t2[i] = p; - t3[i] = p; - - t0[HARAKAS_RATE - 1] |= 128; - t1[HARAKAS_RATE - 1] |= 128; - t2[HARAKAS_RATE - 1] |= 128; - t3[HARAKAS_RATE - 1] |= 128; - - STORE(s, XOR128(LOAD(s), LOAD(t0))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(t0 + 16))); - STORE(s + 64, XOR128(LOAD(s + 64), LOAD(t1))); - STORE(s + 80, XOR128(LOAD(s + 80), LOAD(t1 + 16))); - STORE(s + 128, XOR128(LOAD(s + 128), LOAD(t2))); - STORE(s + 144, XOR128(LOAD(s + 144), LOAD(t2 + 16))); - STORE(s + 192, XOR128(LOAD(s + 192), LOAD(t3))); - STORE(s + 208, XOR128(LOAD(s + 208), LOAD(t3 + 16))); -} - -static void haraka_S_squeezeblocks(unsigned char *h, unsigned long long nblocks, - unsigned char *s, unsigned int r, const harakactx *state) { - while (nblocks > 0) { - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka512_perm(s, s, state); - STORE(h, LOAD(s)); - STORE(h + 16, LOAD(s + 16)); - h += r; - nblocks--; - } -} - -static void haraka_S_squeezeblocks4x(unsigned char *h0, - unsigned char *h1, - unsigned char *h2, - unsigned char *h3, - unsigned long long nblocks, - unsigned char *s, - unsigned int r, - const harakactx *state) { - while (nblocks > 0) 
{ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka512_perm_x4(s, s, state); - STORE(h0, LOAD(s)); - STORE(h0 + 16, LOAD(s + 16)); - STORE(h1, LOAD(s + 64)); - STORE(h1 + 16, LOAD(s + 80)); - STORE(h2, LOAD(s + 128)); - STORE(h2 + 16, LOAD(s + 144)); - STORE(h3, LOAD(s + 192)); - STORE(h3 + 16, LOAD(s + 208)); - h0 += r; - h1 += r; - h2 += r; - h3 += r; - nblocks--; - } -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_S_inc_init(uint8_t *s_inc) { - size_t i; - - for (i = 0; i < 64; i++) { - s_inc[i] = 0; - } - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state) { - size_t i; - - /* Recall that s_inc[64] is the non-absorbed bytes xored into the state */ - while (mlen + s_inc[64] >= HARAKAS_RATE) { - for (i = 0; i < (size_t)(HARAKAS_RATE - s_inc[64]); i++) { - /* Take the i'th byte from message - xor with the s_inc[64] + i'th byte of the state */ - s_inc[s_inc[64] + i] ^= m[i]; - } - mlen -= (size_t)(HARAKAS_RATE - s_inc[64]); - m += HARAKAS_RATE - s_inc[64]; - s_inc[64] = 0; - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka512_perm(s_inc, s_inc, state); - } - - for (i = 0; i < mlen; i++) { - s_inc[s_inc[64] + i] ^= m[i]; - } - s_inc[64] = (uint8_t)(s_inc[64] + mlen); -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_S_inc_finalize(uint8_t *s_inc) { - /* After haraka_S_inc_absorb, we are guaranteed that s_inc[64] < HARAKAS_RATE, - so we can always use one more byte for p in the current state. */ - s_inc[s_inc[64]] ^= 0x1F; - s_inc[HARAKAS_RATE - 1] ^= 128; - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state) { - size_t i; - - /* First consume any bytes we still have sitting around */ - for (i = 0; i < outlen && i < s_inc[64]; i++) { - /* There are s_inc[64] bytes left, so r - s_inc[64] is the first - available byte. We consume from there, i.e., up to r. 
*/ - out[i] = (uint8_t)s_inc[(HARAKAS_RATE - s_inc[64] + (uint8_t)i)]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(s_inc[64] - i); - - /* Then squeeze the remaining necessary blocks */ - while (outlen > 0) { - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka512_perm(s_inc, s_inc, state); - - for (i = 0; i < outlen && i < HARAKAS_RATE; i++) { - out[i] = s_inc[i]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(HARAKAS_RATE - i); - } -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_S(unsigned char *out, unsigned long long outlen, - const unsigned char *in, unsigned long long inlen, const harakactx *state) { - unsigned long long i; - unsigned char s[64]; - unsigned char d[32]; - - for (i = 0; i < 64; i++) { - s[i] = 0; - } - haraka_S_absorb(s, in, inlen, 0x1F, state); - - haraka_S_squeezeblocks(out, outlen / HARAKAS_RATE, s, HARAKAS_RATE, state); - out += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - - if (outlen % HARAKAS_RATE) { - haraka_S_squeezeblocks(d, 1, s, HARAKAS_RATE, state); - for (i = 0; i < outlen % HARAKAS_RATE; i++) { - out[i] = d[i]; - } - } -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_Sx4(unsigned char *out0, - unsigned char *out1, - unsigned char *out2, - unsigned char *out3, - unsigned long long outlen, - const unsigned char *in0, - const unsigned char *in1, - const unsigned char *in2, - const unsigned char *in3, - unsigned long long inlen, - const harakactx *state) { - unsigned long long i; - unsigned char s[64 * 4]; - unsigned char d0[32]; - unsigned char d1[32]; - unsigned char d2[32]; - unsigned char d3[32]; - - for (i = 0; i < 64 * 4; i++) { - s[i] = 0; - } - haraka_S_absorb4x(s, in0, in1, in2, in3, inlen, 0x1F, state); - - haraka_S_squeezeblocks4x(out0, out1, out2, out3, outlen / HARAKAS_RATE, s, HARAKAS_RATE, state); - out0 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out1 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out2 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out3 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - 
- if (outlen % HARAKAS_RATE) { - haraka_S_squeezeblocks4x(d0, d1, d2, d3, 1, s, HARAKAS_RATE, state); - for (i = 0; i < outlen % HARAKAS_RATE; i++) { - out0[i] = d0[i]; - out1[i] = d1[i]; - out2[i] = d2[i]; - out3[i] = d3[i]; - } - } -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - s[2] = LOAD(in + 32); - s[3] = LOAD(in + 48); - - AES4(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0], s[1], s[2], s[3]); - - STORE(out, s[0]); - STORE(out + 16, s[1]); - STORE(out + 32, s[2]); - STORE(out + 48, s[3]); -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka512_perm_x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][4], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[0][2] = LOAD(in + 32); - s[0][3] = LOAD(in + 48); - s[1][0] = LOAD(in + 64); - s[1][1] = LOAD(in + 80); - s[1][2] = LOAD(in + 96); - s[1][3] = LOAD(in + 112); - s[2][0] = LOAD(in + 128); - s[2][1] = LOAD(in + 144); - s[2][2] = LOAD(in + 160); - s[2][3] = LOAD(in + 176); - s[3][0] = LOAD(in + 192); - s[3][1] = LOAD(in + 208); - s[3][2] = LOAD(in + 224); - s[3][3] = LOAD(in + 240); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - 
MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[0][2]); - STORE(out + 48, s[0][3]); - STORE(out + 64, s[1][0]); - STORE(out + 80, s[1][1]); - STORE(out + 96, s[1][2]); - STORE(out + 112, s[1][3]); - STORE(out + 128, s[2][0]); - STORE(out + 144, s[2][1]); - STORE(out + 160, s[2][2]); - STORE(out + 176, s[2][3]); - STORE(out + 192, s[3][0]); - STORE(out + 208, s[3][1]); - STORE(out + 224, s[3][2]); - STORE(out + 240, s[3][3]); -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - s[2] = LOAD(in + 32); - s[3] = LOAD(in + 48); - - AES4(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0], s[1], s[2], s[3]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - s[2] = XOR128(s[2], LOAD(in + 32)); - s[3] = XOR128(s[3], LOAD(in + 48)); - - // truncate and 
store result - TRUNCSTORE(out, s[0], s[1], s[2], s[3]); -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka512x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][4], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[0][2] = LOAD(in + 32); - s[0][3] = LOAD(in + 48); - s[1][0] = LOAD(in + 64); - s[1][1] = LOAD(in + 80); - s[1][2] = LOAD(in + 96); - s[1][3] = LOAD(in + 112); - s[2][0] = LOAD(in + 128); - s[2][1] = LOAD(in + 144); - s[2][2] = LOAD(in + 160); - s[2][3] = LOAD(in + 176); - s[3][0] = LOAD(in + 192); - s[3][1] = LOAD(in + 208); - s[3][2] = LOAD(in + 224); - s[3][3] = LOAD(in + 240); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - s[0][0] = XOR128(s[0][0], LOAD(in)); - s[0][1] = XOR128(s[0][1], LOAD(in + 16)); - s[0][2] = XOR128(s[0][2], LOAD(in + 32)); - s[0][3] = XOR128(s[0][3], LOAD(in + 48)); - s[1][0] = XOR128(s[1][0], LOAD(in + 
64)); - s[1][1] = XOR128(s[1][1], LOAD(in + 80)); - s[1][2] = XOR128(s[1][2], LOAD(in + 96)); - s[1][3] = XOR128(s[1][3], LOAD(in + 112)); - s[2][0] = XOR128(s[2][0], LOAD(in + 128)); - s[2][1] = XOR128(s[2][1], LOAD(in + 144)); - s[2][2] = XOR128(s[2][2], LOAD(in + 160)); - s[2][3] = XOR128(s[2][3], LOAD(in + 176)); - s[3][0] = XOR128(s[3][0], LOAD(in + 192)); - s[3][1] = XOR128(s[3][1], LOAD(in + 208)); - s[3][2] = XOR128(s[3][2], LOAD(in + 224)); - s[3][3] = XOR128(s[3][3], LOAD(in + 240)); - - TRUNCSTORE(out, s[0][0], s[0][1], s[0][2], s[0][3]); - TRUNCSTORE((out + 32), s[1][0], s[1][1], s[1][2], s[1][3]); - TRUNCSTORE((out + 64), s[2][0], s[2][1], s[2][2], s[2][3]); - TRUNCSTORE((out + 96), s[3][0], s[3][1], s[3][2], s[3][3]); -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[2], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - - AES2(s[0], s[1], state->rc); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 4); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 8); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 12); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 16); - MIX2(s[0], s[1]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - - STORE(out, s[0]); - STORE(out + 16, s[1]); -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka256x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][2], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[1][0] = LOAD(in + 32); - s[1][1] = LOAD(in + 48); - s[2][0] = LOAD(in + 64); - s[2][1] = LOAD(in + 80); - s[3][0] = LOAD(in + 96); - s[3][1] = LOAD(in + 112); - - // Round 1 - AES2_4x(s[0], s[1], s[2], s[3], state->rc); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 2 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 4); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - 
MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 3 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 8); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 4 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 12); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 5 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 16); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Feed Forward - s[0][0] = _mm_xor_si128(s[0][0], LOAD(in)); - s[0][1] = _mm_xor_si128(s[0][1], LOAD(in + 16)); - s[1][0] = _mm_xor_si128(s[1][0], LOAD(in + 32)); - s[1][1] = _mm_xor_si128(s[1][1], LOAD(in + 48)); - s[2][0] = _mm_xor_si128(s[2][0], LOAD(in + 64)); - s[2][1] = _mm_xor_si128(s[2][1], LOAD(in + 80)); - s[3][0] = _mm_xor_si128(s[3][0], LOAD(in + 96)); - s[3][1] = _mm_xor_si128(s[3][1], LOAD(in + 112)); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[1][0]); - STORE(out + 48, s[1][1]); - STORE(out + 64, s[2][0]); - STORE(out + 80, s[2][1]); - STORE(out + 96, s[3][0]); - STORE(out + 112, s[3][1]); -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[2], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - - AES2(s[0], s[1], state->rc_sseed); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 4); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 8); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 12); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 16); - MIX2(s[0], s[1]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - - STORE(out, s[0]); - STORE(out + 16, s[1]); -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka256_skx4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][2], tmp; - - 
s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[1][0] = LOAD(in + 32); - s[1][1] = LOAD(in + 48); - s[2][0] = LOAD(in + 64); - s[2][1] = LOAD(in + 80); - s[3][0] = LOAD(in + 96); - s[3][1] = LOAD(in + 112); - - // Round 1 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 2 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 4); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 3 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 8); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 4 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 12); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 5 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 16); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Feed Forward - s[0][0] = XOR128(s[0][0], LOAD(in)); - s[0][1] = XOR128(s[0][1], LOAD(in + 16)); - s[1][0] = XOR128(s[1][0], LOAD(in + 32)); - s[1][1] = XOR128(s[1][1], LOAD(in + 48)); - s[2][0] = XOR128(s[2][0], LOAD(in + 64)); - s[2][1] = XOR128(s[2][1], LOAD(in + 80)); - s[3][0] = XOR128(s[3][0], LOAD(in + 96)); - s[3][1] = XOR128(s[3][1], LOAD(in + 112)); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[1][0]); - STORE(out + 48, s[1][1]); - STORE(out + 64, s[2][0]); - STORE(out + 80, s[2][1]); - STORE(out + 96, s[3][0]); - STORE(out + 112, s[3][1]); -} diff --git a/crypto_sign/sphincs-haraka-256s-robust/aesni/haraka.h b/crypto_sign/sphincs-haraka-256s-robust/aesni/haraka.h deleted file mode 100644 index 9805202b..00000000 --- a/crypto_sign/sphincs-haraka-256s-robust/aesni/haraka.h +++ /dev/null 
@@ -1,57 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_HARAKA_H
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_HARAKA_H
-
-#include
-#include
-#include
-
-typedef struct {
- __m128i rc[40];
- __m128i rc_sseed[40];
-} harakactx;
-
-/* Tweak constants with seed */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length);
-
-/* Haraka Sponge */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_S_inc_init(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_S_inc_finalize(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_S(
- unsigned char *out, unsigned long long outlen,
- const unsigned char *in, unsigned long long inlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_Sx4(
- unsigned char *out0,
- unsigned char *out1,
- unsigned char *out2,
- unsigned char *out3,
- unsigned long long outlen,
- const unsigned char *in0,
- const unsigned char *in1,
- const unsigned char *in2,
- const unsigned char *in3,
- unsigned long long inlen,
- const harakactx *state);
-
-
-/* Applies the 512-bit Haraka permutation to in. */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka512_perm_x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-512 */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka512x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka256x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 using sk.seed constants */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka256_skx4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256s-robust/aesni/hash.h b/crypto_sign/sphincs-haraka-256s-robust/aesni/hash.h
deleted file mode 100644
index cbdc30d2..00000000
--- a/crypto_sign/sphincs-haraka-256s-robust/aesni/hash.h
+++ /dev/null
@@ -1,31 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_HASH_H
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_HASH_H
-
-#include "hash_state.h"
-
-#include
-#include
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed);
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_destroy_hash_function(hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256s-robust/aesni/hash_haraka.c b/crypto_sign/sphincs-haraka-256s-robust/aesni/hash_haraka.c
deleted file mode 100644
index 35c2f967..00000000
--- a/crypto_sign/sphincs-haraka-256s-robust/aesni/hash_haraka.c
+++ /dev/null
@@ -1,96 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "hash.h" -#include "params.h" -#include "utils.h" - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_initialize_hash_function( - hash_state *hash_state_seeded, - const unsigned char *pub_seed, const unsigned char *sk_seed) { - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_tweak_constants(hash_state_seeded, pub_seed, sk_seed, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); -} - -/* The haraka implementation is stack based and won't be replaced in PQClean/OQS, - so we don't need to do anything */ -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_destroy_hash_function( - hash_state *hash_state_seeded) { // NOLINT(readability-non-const-parameter) - (void)hash_state_seeded; -} - -/* - * Computes PRF(key, addr), given a secret key of PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N bytes and an address - */ -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_prf_addr( - unsigned char *out, const unsigned char *key, const uint32_t addr[8], - const hash_state *hash_state_seeded) { - unsigned char buf[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES]; - /* Since PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N may be smaller than 32, we need a temporary buffer. */ - unsigned char outbuf[32]; - - (void)key; /* Suppress an 'unused parameter' warning. */ - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_addr_to_bytes(buf, addr); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka256_sk(outbuf, buf, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); -} - -/** - * Computes the message-dependent randomness R, using a secret seed and an - * optional randomization value as well as the message. 
- */ -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_gen_message_random( - unsigned char *R, - const unsigned char *sk_prf, const unsigned char *optrand, - const unsigned char *m, size_t mlen, - const hash_state *hash_state_seeded) { - uint8_t s_inc[65]; - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_S_inc_init(s_inc); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_S_inc_absorb(s_inc, sk_prf, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_S_inc_absorb(s_inc, optrand, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_S_inc_finalize(s_inc); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_S_inc_squeeze(R, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, s_inc, hash_state_seeded); -} - -/** - * Computes the message hash using R, the public key, and the message. - * Outputs the message digest and the index of the leaf. The index is split in - * the tree index and the leaf index, for convenient copying to an address. 
- */ -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_hash_message( - unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx, - const unsigned char *R, const unsigned char *pk, - const unsigned char *m, size_t mlen, - const hash_state *hash_state_seeded) { -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_TREE_BITS (PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_TREE_HEIGHT * (PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_D - 1)) -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_TREE_BYTES ((PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_TREE_BITS + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_LEAF_BITS PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_TREE_HEIGHT -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_LEAF_BYTES ((PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_LEAF_BITS + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_DGST_BYTES (PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_MSG_BYTES + PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_TREE_BYTES + PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_LEAF_BYTES) - - unsigned char buf[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_DGST_BYTES]; - unsigned char *bufp = buf; - uint8_t s_inc[65]; - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_S_inc_init(s_inc); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_S_inc_absorb(s_inc, R, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_S_inc_absorb(s_inc, pk + PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_S_inc_finalize(s_inc); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_S_inc_squeeze(buf, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_DGST_BYTES, s_inc, hash_state_seeded); - - memcpy(digest, bufp, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_MSG_BYTES); - bufp += PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_MSG_BYTES; - - *tree = PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_bytes_to_ull(bufp, 
PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_TREE_BYTES); - *tree &= (~(uint64_t)0) >> (64 - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_TREE_BITS); - bufp += PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_TREE_BYTES; - - *leaf_idx = (uint32_t)PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_bytes_to_ull( - bufp, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_LEAF_BYTES); - *leaf_idx &= (~(uint32_t)0) >> (32 - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_LEAF_BITS); -} diff --git a/crypto_sign/sphincs-haraka-256s-robust/aesni/hash_harakax4.c b/crypto_sign/sphincs-haraka-256s-robust/aesni/hash_harakax4.c deleted file mode 100644 index 862c760e..00000000 --- a/crypto_sign/sphincs-haraka-256s-robust/aesni/hash_harakax4.c +++ /dev/null @@ -1,37 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "hash_state.h" -#include "hashx4.h" -#include "params.h" - -/* - * 4-way parallel version of prf_addr; takes 4x as much input and output - */ -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_prf_addrx4(unsigned char *out0, - unsigned char *out1, - unsigned char *out2, - unsigned char *out3, - const unsigned char *key, - const uint32_t addrx4[4 * 8], - const hash_state *state_seeded) { - unsigned char bufx4[4 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES]; - /* Since PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N may be smaller than 32, we need a temporary buffer. */ - unsigned char outbuf[4 * 32]; - unsigned int i; - - (void)key; /* Suppress an 'unused parameter' warning. */ - - for (i = 0; i < 4; i++) { - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_addr_to_bytes(bufx4 + i * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES, addrx4 + i * 8); - } - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka256_skx4(outbuf, bufx4, state_seeded); - - memcpy(out0, outbuf, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); - memcpy(out1, outbuf + 32, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); - memcpy(out2, outbuf + 64, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); - memcpy(out3, outbuf + 96, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); -} 
diff --git a/crypto_sign/sphincs-haraka-256s-robust/aesni/hash_state.h b/crypto_sign/sphincs-haraka-256s-robust/aesni/hash_state.h deleted file mode 100644 index 11e3ad93..00000000 --- a/crypto_sign/sphincs-haraka-256s-robust/aesni/hash_state.h +++ /dev/null @@ -1,26 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_HASH_STATE_H -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_HASH_STATE_H - -/** - * Defines the type of the hash function state. - * - * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! - * - * From Section 7.2.2 from the SPHINCS+ round-2 specification: - * - * Each of the instances of the tweakable hash function take PK.seed as its - * first input, which is constant for a given key pair – and, thus, across - * a single signature. This leads to a lot of redundant computation. To remedy - * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. - * Because of the Merkle-Damgård construction that underlies SHA-256, this - * allows for reuse of the intermediate SHA-256 state after the initial call to - * the compression function which improves performance. - * - * We pass this hash state around in functions, because otherwise we need to - * have a global variable. - */ - -#include "haraka.h" -#define hash_state harakactx - -#endif diff --git a/crypto_sign/sphincs-haraka-256s-robust/aesni/hashx4.h b/crypto_sign/sphincs-haraka-256s-robust/aesni/hashx4.h deleted file mode 100644 index c754cbe6..00000000 --- a/crypto_sign/sphincs-haraka-256s-robust/aesni/hashx4.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_HASHX4_H -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_HASHX4_H - -#include - -#include "hash_state.h" - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_prf_addrx4(unsigned char *out0, - unsigned char *out1, - unsigned char *out2, - unsigned char *out3, - const unsigned char *key, - const uint32_t addrx4[4 * 8], - const hash_state *state_seeded); - -#endif 
diff --git a/crypto_sign/sphincs-haraka-256s-robust/aesni/params.h b/crypto_sign/sphincs-haraka-256s-robust/aesni/params.h deleted file mode 100644 index 30032b96..00000000 --- a/crypto_sign/sphincs-haraka-256s-robust/aesni/params.h +++ /dev/null 
@@ -1,53 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_PARAMS_H -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_PARAMS_H - -/* Hash output length in bytes. */ -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N 32 -/* Height of the hypertree. */ -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FULL_HEIGHT 64 -/* Number of subtree layer. */ -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_D 8 -/* FORS tree dimensions. */ -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_HEIGHT 14 -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_TREES 22 -/* Winternitz parameter, */ -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_W 16 - -/* The hash function is defined by linking a different hash.c file, as opposed - to setting a #define constant. */ - -/* For clarity */ -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES 32 - -/* WOTS parameters. */ -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_LOGW 4 - -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_LEN1 (8 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N / PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_LOGW) - -/* PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */ -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_LEN2 3 - -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_LEN (PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_LEN1 + PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_LEN2) -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_BYTES (PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_LEN * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N) -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_PK_BYTES PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_BYTES - -/* Subtree size. */ -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_TREE_HEIGHT (PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FULL_HEIGHT / PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_D) - -/* FORS parameters. 
*/ -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_MSG_BYTES ((PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_TREES + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_BYTES ((PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_HEIGHT + 1) * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N) -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_PK_BYTES PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N - -/* Resulting SPX sizes. */ -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_BYTES (PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N + PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_BYTES + PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_D * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_BYTES +\ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FULL_HEIGHT * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N) -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_PK_BYTES (2 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N) -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_SK_BYTES (2 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N + PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_PK_BYTES) - -/* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. */ -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_OPTRAND_BYTES 32 - -#endif diff --git a/crypto_sign/sphincs-haraka-256s-robust/aesni/sign.c b/crypto_sign/sphincs-haraka-256s-robust/aesni/sign.c deleted file mode 100644 index 08e2a323..00000000 --- a/crypto_sign/sphincs-haraka-256s-robust/aesni/sign.c +++ /dev/null 
@@ -1,409 +0,0 @@ -#include -#include -#include -#include - -#include "address.h" -#include "api.h" -#include "fors.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "randombytes.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - - -/** - * Computes the leaf at a given address. First generates the WOTS key pair, - * then computes leaf by hashing horizontally. - */ -static void wots_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx, const uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - unsigned char pk[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_BYTES]; - uint32_t wots_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_TYPE_WOTSPK); - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_keypair_addr( - wots_addr, addr_idx); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_wots_gen_pk( - pk, sk_seed, pub_seed, wots_addr, hash_state_seeded); - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_copy_keypair_addr( - wots_pk_addr, wots_addr); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_thash_WOTS_LEN( - leaf, pk, pub_seed, wots_pk_addr, hash_state_seeded); -} - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_crypto_sign_secretkeybytes(void) { - return PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_CRYPTO_SECRETKEYBYTES; -} - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_crypto_sign_publickeybytes(void) { - return PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_CRYPTO_PUBLICKEYBYTES; -} - -/* - * Returns the length of a signature, in bytes - */ -size_t 
PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_crypto_sign_bytes(void) { - return PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_CRYPTO_BYTES; -} - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_crypto_sign_seedbytes(void) { - return PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_CRYPTO_SEEDBYTES; -} - -/* - * Generates an SPX key pair given a seed of length - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_crypto_sign_seed_keypair( - uint8_t *pk, uint8_t *sk, const uint8_t *seed) { - /* We do not need the auth path in key generation, but it simplifies the - code to have just one treehash routine that computes both root and path - in one function. */ - unsigned char auth_path[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N]; - uint32_t top_tree_addr[8] = {0}; - hash_state hash_state_seeded; - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_layer_addr( - top_tree_addr, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_D - 1); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_type( - top_tree_addr, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_TYPE_HASHTREE); - - /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */ - memcpy(sk, seed, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_CRYPTO_SEEDBYTES); - - memcpy(pk, sk + 2 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_initialize_hash_function(&hash_state_seeded, pk, sk); - - /* Compute root node of the top-most subtree. 
*/ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_treehash_TREE_HEIGHT( - sk + 3 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, auth_path, sk, sk + 2 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, 0, 0, - wots_gen_leaf, top_tree_addr, &hash_state_seeded); - - memcpy(pk + PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, sk + 3 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); - - return 0; -} - -/* - * Generates an SPX key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk) { - - // guarantee alignment of pk - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_CRYPTO_PUBLICKEYBYTES / 16]; - uint8_t pk[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - - // guarantee alignment of sk - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_CRYPTO_SECRETKEYBYTES / 16]; - uint8_t sk[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_CRYPTO_SECRETKEYBYTES]; - } aligned_sk; - - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_CRYPTO_SEEDBYTES / 16]; - uint8_t seed[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_CRYPTO_SEEDBYTES]; - } aligned_seed; - randombytes(aligned_seed.seed, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_CRYPTO_SEEDBYTES); - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_crypto_sign_seed_keypair( - aligned_pk.pk, aligned_sk.sk, aligned_seed.seed); - memcpy(pk, aligned_pk.pk, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_CRYPTO_PUBLICKEYBYTES); - memcpy(sk, aligned_sk.sk, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_CRYPTO_SECRETKEYBYTES); - - return 0; -} - -/** - * Returns an array containing a detached signature. 
- */ -int PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - // guarantee alignment of sk - union { - __m128 *_x; - uint8_t sk[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_CRYPTO_SECRETKEYBYTES]; - } aligned_sk; - memcpy(aligned_sk.sk, sk, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_CRYPTO_SECRETKEYBYTES); - sk = aligned_sk.sk; - - // guarantee alignment of sig - union { - __m128 *_x; - uint8_t sig[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_BYTES]; - } aligned_sig; - uint8_t *orig_sig = sig; - sig = (uint8_t *)aligned_sig.sig; - - const unsigned char *sk_seed = sk; - const unsigned char *sk_prf = sk + PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N; - const unsigned char *pk = sk + 2 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N; - const unsigned char *pub_seed = pk; - - unsigned char optrand[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N]; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_MSG_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N]; - uint32_t i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - - hash_state hash_state_seeded; - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_initialize_hash_function( - &hash_state_seeded, - pub_seed, sk_seed); - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_TYPE_HASHTREE); - - /* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. 
*/ - randombytes(optrand, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); - /* Compute the digest randomization value. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_gen_message_random( - sig, sk_prf, optrand, m, mlen, &hash_state_seeded); - - /* Derive the message digest and leaf index from R, PK and M. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N; - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - /* Sign the message hash using FORS. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_fors_sign( - sig, root, mhash, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_BYTES; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_D; i++) { - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - /* Compute a WOTS signature. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_wots_sign( - sig, root, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_BYTES; - - /* Compute the authentication path for the used WOTS leaf. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_treehash_TREE_HEIGHT( - root, sig, sk_seed, pub_seed, idx_leaf, 0, - wots_gen_leaf, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N; - - /* Update the indices for the next layer. 
*/ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_TREE_HEIGHT; - } - - memcpy(orig_sig, aligned_sig.sig, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_BYTES); - *siglen = PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_BYTES; - - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - // guarantee alignment of pk - union { - __m128 *_x; - uint8_t pk[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - memcpy(aligned_pk.pk, pk, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_CRYPTO_PUBLICKEYBYTES); - pk = aligned_pk.pk; - - const unsigned char *pub_seed = pk; - const unsigned char *pub_root = pk + PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_MSG_BYTES]; - unsigned char wots_pk[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N]; - unsigned int i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - hash_state hash_state_seeded; - - if (siglen != PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_BYTES) { - return -1; - } - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_initialize_hash_function( - &hash_state_seeded, - pub_seed, NULL); - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_TYPE_HASHTREE); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_TYPE_WOTSPK); - - /* Derive the message digest and leaf index from R || PK || M. */ - /* The additional PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N is a result of the hash domain separator. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N; - - /* Layer correctly defaults to 0, so no need to set_layer_addr */ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_fors_pk_from_sig( - root, sig, mhash, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_BYTES; - - /* For each subtree.. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_D; i++) { - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_copy_keypair_addr( - wots_pk_addr, wots_addr); - - /* The WOTS public key is only correct if the signature was correct. */ - /* Initially, root is the FORS pk, but on subsequent iterations it is - the root of the subtree below the currently processed subtree. 
*/ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_wots_pk_from_sig( - wots_pk, sig, root, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_BYTES; - - /* Compute the leaf node using the WOTS public key. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_thash_WOTS_LEN( - leaf, wots_pk, pub_seed, wots_pk_addr, &hash_state_seeded); - - /* Compute the root node of this subtree. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_compute_root( - root, leaf, idx_leaf, 0, sig, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_TREE_HEIGHT, - pub_seed, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_TREE_HEIGHT; - } - - /* Check if the root node equals the root node in the public key. */ - if (memcmp(root, pub_root, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N) != 0) { - return -1; - } - - return 0; -} - - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - size_t siglen; - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_crypto_sign_signature( - sm, &siglen, m, mlen, sk); - - memmove(sm + PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_BYTES, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. 
- */ -int PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk) { - - // guarantee alignment of pk - union { - __m128 *_x; - uint8_t pk[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - memcpy(aligned_pk.pk, pk, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_CRYPTO_PUBLICKEYBYTES); - pk = aligned_pk.pk; - - - /* The API caller does not necessarily know what size a signature should be - but SPHINCS+ signatures are always exactly PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_BYTES. */ - if (smlen < PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_BYTES) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_BYTES; - - if (PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_crypto_sign_verify( - sm, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_BYTES, sm + PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_BYTES, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_BYTES, *mlen); - - return 0; -} diff --git a/crypto_sign/sphincs-haraka-256s-robust/aesni/thash.h b/crypto_sign/sphincs-haraka-256s-robust/aesni/thash.h deleted file mode 100644 index e3d3a28f..00000000 --- a/crypto_sign/sphincs-haraka-256s-robust/aesni/thash.h +++ /dev/null 
@@ -1,28 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_THASH_H -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_THASH_H - -#include "hash_state.h" - -#include - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-256s-robust/aesni/thash_haraka_robust.c b/crypto_sign/sphincs-haraka-256s-robust/aesni/thash_haraka_robust.c deleted file mode 100644 index 4c5034dc..00000000 --- a/crypto_sign/sphincs-haraka-256s-robust/aesni/thash_haraka_robust.c +++ /dev/null 
@@ -1,94 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" - -#include "haraka.h" - -/** - * Takes an array of inblocks concatenated arrays of PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N bytes. - */ -static void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_thash( - unsigned char *out, unsigned char *buf, - const unsigned char *in, unsigned int inblocks, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char *bitmask = buf + PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES; - unsigned char outbuf[32]; - unsigned char buf_tmp[64]; - unsigned int i; - - (void)pub_seed; /* Suppress an 'unused parameter' warning. */ - - if (inblocks == 1) { - /* F function */ - /* Since PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N may be smaller than 32, we need a temporary buffer. */ - memset(buf_tmp, 0, 64); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_addr_to_bytes(buf_tmp, addr); - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka256(outbuf, buf_tmp, hash_state_seeded); - for (i = 0; i < inblocks * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N; i++) { - buf_tmp[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES + i] = in[i] ^ outbuf[i]; - } - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka512(outbuf, buf_tmp, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); - } else { - /* All other tweakable hashes*/ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_addr_to_bytes(buf, addr); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_S( - bitmask, inblocks * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, buf, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES, hash_state_seeded); - - for (i = 0; i < inblocks * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N; i++) { - buf[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES + i] = in[i] ^ bitmask[i]; - } - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_S( - out, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, buf, 
PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES + inblocks * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, hash_state_seeded); - } -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES + 1 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N]; - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_thash( - out, buf, in, 1, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES + 2 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N]; - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_thash( - out, buf, in, 2, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_LEN * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N]; - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_thash( - out, buf, in, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_LEN, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N]; - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_thash( - out, buf, in, 
PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_TREES, pub_seed, addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-256s-robust/aesni/thash_haraka_robustx4.c b/crypto_sign/sphincs-haraka-256s-robust/aesni/thash_haraka_robustx4.c deleted file mode 100644 index 6dc19df0..00000000 --- a/crypto_sign/sphincs-haraka-256s-robust/aesni/thash_haraka_robustx4.c +++ /dev/null 
@@ -1,92 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "params.h" -#include "thashx4.h" - -/** - * 4-way parallel version of thash; takes 4x as much input and output - */ -#define thashx4_variant(name, inblocks) \ - void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_thashx4_##name(unsigned char *out0, unsigned char *out1, unsigned char *out2, \ - unsigned char *out3, const unsigned char *in0, \ - const unsigned char *in1, const unsigned char *in2, \ - const unsigned char *in3, const unsigned char *pub_seed, \ - uint32_t addrx4[4 * 8], const harakactx *state) { \ - unsigned char buf0[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N]; \ - unsigned char buf1[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N]; \ - unsigned char buf2[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N]; \ - unsigned char buf3[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N]; \ - unsigned char bitmask0[(inblocks)*PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N]; \ - unsigned char bitmask1[(inblocks)*PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N]; \ - unsigned char bitmask2[(inblocks)*PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N]; \ - unsigned char bitmask3[(inblocks)*PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N]; \ - unsigned char outbuf[32 * 4]; \ - unsigned char buf_tmp[64 * 4]; \ - unsigned int i; \ - \ - (void)pub_seed; /* Suppress an 'unused parameter' warning. 
*/ \ - \ - if ((inblocks) == 1) { \ - memset(buf_tmp, 0, 64 * 4); \ - \ - /* Generate masks first in buffer */ \ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_addr_to_bytes(buf_tmp, addrx4 + 0 * 8); \ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_addr_to_bytes(buf_tmp + 32, addrx4 + 1 * 8); \ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_addr_to_bytes(buf_tmp + 64, addrx4 + 2 * 8); \ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_addr_to_bytes(buf_tmp + 96, addrx4 + 3 * 8); \ - \ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka256x4(outbuf, buf_tmp, state); \ - \ - /* move addresses to make room for inputs; zero old values */ \ - memcpy(buf_tmp + 192, buf_tmp + 96, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES); \ - memcpy(buf_tmp + 128, buf_tmp + 64, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES); \ - memcpy(buf_tmp + 64, buf_tmp + 32, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES); \ - /* skip memcpy(buf_tmp, buf_tmp, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES); already in place */ \ - \ - /* skip memset(buf_tmp, 0, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES); remained untouched */ \ - memset(buf_tmp + 32, 0, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES); \ - /* skip memset(buf_tmp + 64, 0, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES); contains addr1 */ \ - memset(buf_tmp + 96, 0, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES); \ - \ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N; i++) { \ - buf_tmp[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES + i] = in0[i] ^ outbuf[i]; \ - buf_tmp[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES + i + 64] = in1[i] ^ outbuf[i + 32]; \ - buf_tmp[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES + i + 128] = in2[i] ^ outbuf[i + 64]; \ - buf_tmp[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES + i + 192] = in3[i] ^ outbuf[i + 96]; \ - } \ - \ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka512x4(outbuf, buf_tmp, state); \ - \ - memcpy(out0, outbuf, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); \ - memcpy(out1, outbuf + 
32, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); \ - memcpy(out2, outbuf + 64, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); \ - memcpy(out3, outbuf + 96, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); \ - } else { \ - /* All other tweakable hashes*/ \ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_addr_to_bytes(buf0, addrx4 + 0 * 8); \ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_addr_to_bytes(buf1, addrx4 + 1 * 8); \ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_addr_to_bytes(buf2, addrx4 + 2 * 8); \ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_addr_to_bytes(buf3, addrx4 + 3 * 8); \ - \ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_Sx4(bitmask0, bitmask1, bitmask2, bitmask3, (inblocks)*PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, buf0, buf1, \ - buf2, buf3, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES, state); \ - \ - for (i = 0; i < (inblocks)*PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N; i++) { \ - buf0[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES + i] = in0[i] ^ bitmask0[i]; \ - buf1[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES + i] = in1[i] ^ bitmask1[i]; \ - buf2[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES + i] = in2[i] ^ bitmask2[i]; \ - buf3[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES + i] = in3[i] ^ bitmask3[i]; \ - } \ - \ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_haraka_Sx4(out0, out1, out2, out3, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, buf0, buf1, buf2, buf3, \ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, state); \ - } \ - } - -thashx4_variant(1, 1) -thashx4_variant(2, 2) -thashx4_variant(WOTS_LEN, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_LEN) -thashx4_variant(FORS_TREES, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_TREES) diff --git a/crypto_sign/sphincs-haraka-256s-robust/aesni/thashx4.h b/crypto_sign/sphincs-haraka-256s-robust/aesni/thashx4.h deleted file mode 100644 index 3d9c3465..00000000 --- a/crypto_sign/sphincs-haraka-256s-robust/aesni/thashx4.h +++ /dev/null 
@@ -1,25 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_THASHX4_H -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_THASHX4_H - -#include - -#include "hash_state.h" - -#define thashx4_header(inblocks) \ - void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_thashx4_##inblocks(unsigned char *out0, \ - unsigned char *out1, \ - unsigned char *out2, \ - unsigned char *out3, \ - const unsigned char *in0, \ - const unsigned char *in1, \ - const unsigned char *in2, \ - const unsigned char *in3, \ - const unsigned char *pub_seed, uint32_t addrx4[4*8], \ - const hash_state *state_seeded) - -thashx4_header(1); -thashx4_header(2); -thashx4_header(WOTS_LEN); -thashx4_header(FORS_TREES); - -#endif diff --git a/crypto_sign/sphincs-haraka-256s-robust/aesni/utils.c b/crypto_sign/sphincs-haraka-256s-robust/aesni/utils.c deleted file mode 100644 index 37496356..00000000 --- a/crypto_sign/sphincs-haraka-256s-robust/aesni/utils.c +++ /dev/null 
@@ -1,199 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" -#include "utils.h" - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in) { - - /* Iterate over out in decreasing order, for big-endianness. */ - for (size_t i = outlen; i > 0; i--) { - out[i - 1] = in & 0xff; - in = in >> 8; - } -} - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_bytes_to_ull( - const unsigned char *in, size_t inlen) { - unsigned long long retval = 0; - - for (size_t i = 0; i < inlen; i++) { - retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i)); - } - return retval; -} - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - unsigned char buffer[2 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N]; - - /* If leaf_idx is odd (last bit = 1), current path element is a right child - and auth_path has to go left. Otherwise it is the other way around. 
*/ - if (leaf_idx & 1) { - memcpy(buffer + PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, leaf, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); - } else { - memcpy(buffer, leaf, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, auth_path, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N; - - for (i = 0; i < tree_height - 1; i++) { - leaf_idx >>= 1; - idx_offset >>= 1; - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_tree_height(addr, i + 1); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_tree_index( - addr, leaf_idx + idx_offset); - - /* Pick the right or left neighbor, depending on parity of the node. */ - if (leaf_idx & 1) { - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_thash_2( - buffer + PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); - } else { - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_thash_2( - buffer, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, auth_path, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N; - } - - /* The last iteration is exceptional; we do not copy an auth_path node. */ - leaf_idx >>= 1; - idx_offset >>= 1; - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_tree_height(addr, tree_height); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_tree_index( - addr, leaf_idx + idx_offset); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_thash_2( - root, buffer, pub_seed, addr, hash_state_seeded); -} - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. 
PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -static void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_treehash( - unsigned char *root, unsigned char *auth_path, - unsigned char *stack, unsigned int *heights, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - - unsigned int offset = 0; - uint32_t idx; - uint32_t tree_idx; - - for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) { - /* Add the next leaf node to the stack. */ - gen_leaf(stack + offset * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, - sk_seed, pub_seed, idx + idx_offset, tree_addr, - hash_state_seeded); - offset++; - heights[offset - 1] = 0; - - /* If this is a node we need for the auth path.. */ - if ((leaf_idx ^ 0x1) == idx) { - memcpy(auth_path, stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); - } - - /* While the top-most nodes are of equal height.. */ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { - /* Compute index of the new node, in the next layer. */ - tree_idx = (idx >> (heights[offset - 1] + 1)); - - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_tree_height( - tree_addr, heights[offset - 1] + 1); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_tree_index( - tree_addr, tree_idx + (idx_offset >> (heights[offset - 1] + 1))); - /* Hash the top-most nodes from the stack together. 
*/ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_thash_2( - stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, - pub_seed, tree_addr, hash_state_seeded); - offset--; - /* Note that the top-most node is now one layer higher. */ - heights[offset - 1]++; - - /* If this is a node we need for the auth path.. */ - if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) { - memcpy(auth_path + heights[offset - 1]*PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, - stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); - } - } - } - memcpy(root, stack, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* 
leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_TREE_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_TREE_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_TREE_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-256s-robust/aesni/utils.h b/crypto_sign/sphincs-haraka-256s-robust/aesni/utils.h deleted file mode 100644 index a3ecbf50..00000000 --- a/crypto_sign/sphincs-haraka-256s-robust/aesni/utils.h +++ /dev/null 
@@ -1,64 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_UTILS_H -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_UTILS_H - -#include "hash_state.h" -#include "params.h" -#include -#include - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in); - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_bytes_to_ull( - const unsigned char *in, size_t inlen); - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. 
- */ -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-256s-robust/aesni/utilsx4.c b/crypto_sign/sphincs-haraka-256s-robust/aesni/utilsx4.c deleted file mode 100644 index e79ed408..00000000 --- a/crypto_sign/sphincs-haraka-256s-robust/aesni/utilsx4.c +++ /dev/null 
@@ -1,98 +0,0 @@ -#include "address.h" -#include "params.h" -#include "thashx4.h" -#include "utils.h" -#include "utilsx4.h" - -#include - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -#define treehashx4_variant(name, tree_height) \ - void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_treehashx4_##name( \ - unsigned char *rootx4, unsigned char *auth_pathx4, const unsigned char *sk_seed, \ - const unsigned char *pub_seed, const uint32_t leaf_idx[4], uint32_t idx_offset[4], \ - void (*gen_leafx4)(unsigned char * /* leaf0 */, unsigned char * /* leaf1 */, \ - unsigned char * /* leaf2 */, unsigned char * /* leaf3 */, \ - const unsigned char * /* sk_seed */, \ - const unsigned char * /* pub_seed */, uint32_t /* addr_idx0 */, \ - uint32_t /* addr_idx1 */, uint32_t /* addr_idx2 */, \ - uint32_t /* addr_idx3 */, const uint32_t[8] /* tree_addr */, \ - const hash_state * /* state_seeded */), \ - uint32_t tree_addrx4[4 * 8], const hash_state *state_seeded) { \ - unsigned char stackx4[4 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N]; \ - unsigned int heights[(tree_height) + 1]; \ - unsigned int offset = 0; \ - uint32_t idx; \ - uint32_t tree_idx; \ - unsigned int j; \ - \ - for (idx = 0; idx < (uint32_t)(1 << (tree_height)); idx++) { \ - /* Add the next leaf node to the stack. 
*/ \ - gen_leafx4(stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, sk_seed, \ - pub_seed, idx + idx_offset[0], idx + idx_offset[1], idx + idx_offset[2], \ - idx + idx_offset[3], tree_addrx4, state_seeded); \ - offset++; \ - heights[offset - 1] = 0; \ - \ - /* If this is a node we need for the auth path.. */ \ - for (j = 0; j < 4; j++) { \ - if ((leaf_idx[j] ^ 0x1) == idx) { \ - memcpy(auth_pathx4 + j * (tree_height)*PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, \ - stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N + (offset - 1) * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, \ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); \ - } \ - } \ - \ - /* While the top-most nodes are of equal height.. */ \ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { \ - /* Compute index of the new node, in the next layer. */ \ - tree_idx = (idx >> (heights[offset - 1] + 1)); \ - \ - /* Set the address of the node we're creating. */ \ - for (j = 0; j < 4; j++) { \ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_tree_height(tree_addrx4 + j * 8, heights[offset - 1] + 1); \ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_tree_index(tree_addrx4 + j * 8, \ - tree_idx + (idx_offset[j] >> (heights[offset - 1] + 1))); \ - } \ - /* Hash the top-most nodes from the stack together. 
*/ \ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_thashx4_2(stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, \ - stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, \ - pub_seed, tree_addrx4, state_seeded); \ - offset--; \ - /* Note that the top-most node is now one layer higher. */ \ - heights[offset - 1]++; \ - \ - /* If this is a node we need for the auth path.. 
*/ \ - for (j = 0; j < 4; j++) { \ - if (((leaf_idx[j] >> heights[offset - 1]) ^ 0x1) == tree_idx) { \ - memcpy(auth_pathx4 + j * (tree_height)*PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N + \ - heights[offset - 1] * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, \ - stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N + (offset - 1) * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, \ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); \ - } \ - } \ - } \ - } \ - \ - for (j = 0; j < 4; j++) { \ - memcpy(rootx4 + j * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); \ - } \ - } - -treehashx4_variant(FORS_HEIGHT, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_FORS_HEIGHT) diff --git a/crypto_sign/sphincs-haraka-256s-robust/aesni/utilsx4.h b/crypto_sign/sphincs-haraka-256s-robust/aesni/utilsx4.h deleted file mode 100644 index 1901dfe8..00000000 --- a/crypto_sign/sphincs-haraka-256s-robust/aesni/utilsx4.h +++ /dev/null 
@@ -1,38 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_UTILSX4_H -#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_UTILSX4_H - -#include "hash_state.h" -#include "params.h" - -#include - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_treehashx4_FORS_HEIGHT(unsigned char *rootx4, - unsigned char *auth_pathx4, - const unsigned char *sk_seed, - const unsigned char *pub_seed, - const uint32_t leaf_idx[4], - uint32_t idx_offset[4], - void (*gen_leafx4)(unsigned char * /* leaf0 */, - unsigned char * /* leaf1 */, - unsigned char * /* leaf2 */, - unsigned char * /* leaf3 */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx0 */, - uint32_t /* addr_idx1 */, - uint32_t /* addr_idx2 */, - uint32_t /* addr_idx3 */, - const uint32_t[8] /* tree_addr */, - const hash_state * /* state_seeded */), - uint32_t tree_addrx4[4 * 8], - const hash_state *state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-256s-robust/aesni/wots.c b/crypto_sign/sphincs-haraka-256s-robust/aesni/wots.c deleted file mode 100644 index 949585fb..00000000 --- a/crypto_sign/sphincs-haraka-256s-robust/aesni/wots.c +++ /dev/null 
@@ -1,240 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "hashx4.h" -#include "params.h" -#include "thash.h" -#include "thashx4.h" -#include "utils.h" -#include "wots.h" - -// TODO clarify address expectations, and make them more uniform. -// TODO i.e. do we expect types to be set already? -// TODO and do we expect modifications or copies? - -/** - * Computes the starting value for a chain, i.e. the secret key. - * Expects the address to be complete up to the chain address. - */ -static void wots_gen_sk(unsigned char *sk, const unsigned char *sk_seed, - uint32_t wots_addr[8], const hash_state *state_seeded) { - /* Make sure that the hash address is actually zeroed. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_hash_addr(wots_addr, 0); - - /* Generate sk element. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_prf_addr(sk, sk_seed, wots_addr, state_seeded); -} - -/** - * 4-way parallel version of wots_gen_sk; expects 4x as much space in sk - */ -static void wots_gen_skx4(unsigned char *skx4, const unsigned char *sk_seed, - uint32_t wots_addrx4[4 * 8], const hash_state *state_seeded) { - unsigned int j; - - /* Make sure that the hash address is actually zeroed. */ - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_hash_addr(wots_addrx4 + j * 8, 0); - } - - /* Generate sk element. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_prf_addrx4(skx4 + 0 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, - skx4 + 1 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, - skx4 + 2 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, - skx4 + 3 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, - sk_seed, wots_addrx4, - state_seeded); -} - -/** - * Computes the chaining function. - * out and in have to be n-byte arrays. - * - * Interprets in as start-th value of the chain. - * addr has to contain the address of the chain. 
- */ -static void gen_chain(unsigned char *out, const unsigned char *in, - unsigned int start, unsigned int steps, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - uint32_t i; - - /* Initialize out with the value at position 'start'. */ - memcpy(out, in, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); - - /* Iterate 'steps' calls to the hash function. */ - for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_W; i++) { - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_hash_addr(addr, i); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_thash_1(out, out, pub_seed, addr, state_seeded); - } -} - -/** - * 4-way parallel version of gen_chain; expects 4x as much space in out, and - * 4x as much space in inx4. Assumes start and step identical across chains. - */ -static void gen_chainx4(unsigned char *outx4, const unsigned char *inx4, - unsigned int start, unsigned int steps, - const unsigned char *pub_seed, uint32_t addrx4[4 * 8], - const hash_state *state_seeded) { - uint32_t i; - unsigned int j; - - /* Initialize outx4 with the value at position 'start'. */ - memcpy(outx4, inx4, 4 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); - - /* Iterate 'steps' calls to the hash function. 
*/ - for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_W; i++) { - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_hash_addr(addrx4 + j * 8, i); - } - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_thashx4_1(outx4 + 0 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, - outx4 + 1 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, - outx4 + 2 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, - outx4 + 3 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, - outx4 + 0 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, - outx4 + 1 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, - outx4 + 2 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, - outx4 + 3 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, - pub_seed, addrx4, - state_seeded); - } -} - -/** - * base_w algorithm as described in draft. - * Interprets an array of bytes as integers in base w. - * This only works when log_w is a divisor of 8. - */ -static void base_w(unsigned int *output, const int out_len, const unsigned char *input) { - int in = 0; - int out = 0; - unsigned char total = 0; - int bits = 0; - int consumed; - - for (consumed = 0; consumed < out_len; consumed++) { - if (bits == 0) { - total = input[in]; - in++; - bits += 8; - } - bits -= PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_LOGW; - output[out] = (unsigned int)(total >> bits) & (PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_W - 1); - out++; - } -} - -/* Computes the WOTS+ checksum over a message (in base_w). */ -static void wots_checksum(unsigned int *csum_base_w, const unsigned int *msg_base_w) { - unsigned int csum = 0; - unsigned char csum_bytes[(PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_LOGW + 7) / 8]; - unsigned int i; - - /* Compute checksum. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_LEN1; i++) { - csum += PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_W - 1 - msg_base_w[i]; - } - - /* Convert checksum to base_w. 
*/ - /* Make sure expected empty zero bits are the least significant bits. */ - csum = csum << (8 - ((PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_LOGW) % 8)); - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_ull_to_bytes(csum_bytes, sizeof(csum_bytes), csum); - base_w(csum_base_w, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_LEN2, csum_bytes); -} - -/* Takes a message and derives the matching chain lengths. */ -static void chain_lengths(unsigned int *lengths, const unsigned char *msg) { - base_w(lengths, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_LEN1, msg); - wots_checksum(lengths + PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_LEN1, lengths); -} - -/** - * WOTS key generation. Takes a 32 byte sk_seed, expands it to WOTS private key - * elements and computes the corresponding public key. - * It requires the seed pub_seed (used to generate bitmasks and hash keys) - * and the address of this WOTS key pair. - * - * Writes the computed public key to 'pk'. - */ -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_wots_gen_pk(unsigned char *pk, const unsigned char *sk_seed, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - uint32_t i; - unsigned int j; - - uint32_t addrx4[4 * 8]; - unsigned char pkbuf[4 * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N]; - - for (j = 0; j < 4; j++) { - memcpy(addrx4 + j * 8, addr, sizeof(uint32_t) * 8); - } - - /* The last iteration typically does not have complete set of 4 chains, - but because we use pkbuf, this is not an issue -- we still do as many - in parallel as possible. 
*/ - for (i = 0; i < ((PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_LEN + 3) & ~0x3); i += 4) { - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_chain_addr(addrx4 + j * 8, i + j); - } - wots_gen_skx4(pkbuf, sk_seed, addrx4, state_seeded); - gen_chainx4(pkbuf, pkbuf, 0, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_W - 1, pub_seed, addrx4, state_seeded); - for (j = 0; j < 4; j++) { - if (i + j < PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_LEN) { - memcpy(pk + (i + j)*PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, pkbuf + j * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N); - } - } - } - - // Get rid of unused argument variable. - (void)state_seeded; -} - -/** - * Takes a n-byte message and the 32-byte sk_see to compute a signature 'sig'. - */ -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_wots_sign(unsigned char *sig, const unsigned char *msg, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t addr[8], const hash_state *state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_chain_addr(addr, i); - wots_gen_sk(sig + i * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, sk_seed, addr, state_seeded); - gen_chain(sig + i * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, sig + i * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, 0, lengths[i], pub_seed, addr, state_seeded); - } - - // avoid unused argument - (void)state_seeded; -} - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. 
- */ -void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_wots_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_set_chain_addr(addr, i); - gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, sig + i * PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_N, - lengths[i], PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_W - 1 - lengths[i], pub_seed, addr, - state_seeded); - } - - // avoid unused argument - (void)state_seeded; -} diff --git a/crypto_sign/sphincs-haraka-256s-robust/aesni/wots.h b/crypto_sign/sphincs-haraka-256s-robust/aesni/wots.h deleted file mode 100644 index e655453c..00000000 --- a/crypto_sign/sphincs-haraka-256s-robust/aesni/wots.h +++ /dev/null 
@@ -1,41 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_H
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_WOTS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-
-/**
- * WOTS key generation. Takes a 32 byte seed for the private key, expands it to
- * a full WOTS private key and computes the corresponding public key.
- * It requires the seed pub_seed (used to generate bitmasks and hash keys)
- * and the address of this WOTS key pair.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_wots_gen_pk(
- unsigned char *pk, const unsigned char *sk_seed,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * Takes a n-byte message and the 32-byte seed for the private key to compute a
- * signature that is placed at 'sig'.
- */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_wots_sign(
- unsigned char *sig, const unsigned char *msg,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_AESNI_wots_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256s-robust/clean/LICENSE b/crypto_sign/sphincs-haraka-256s-robust/clean/LICENSE
deleted file mode 100644
index 670154e3..00000000
--- a/crypto_sign/sphincs-haraka-256s-robust/clean/LICENSE
+++ /dev/null
@@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. 
publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. 
Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. 
Affirmer offers the Work as-is and makes no representations or warranties - of any kind concerning the Work, express, implied, statutory or otherwise, - including without limitation warranties of title, merchantability, fitness - for a particular purpose, non infringement, or the absence of latent or - other defects, accuracy, or the present or absence of errors, whether or not - discoverable, all to the greatest extent permissible under applicable law. - - c. Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without limitation - any person's Copyright and Related Rights in the Work. Further, Affirmer - disclaims responsibility for obtaining any necessary consents, permissions - or other rights required for any use of the Work. - - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to this - CC0 or use of the Work. - -For more information, please see - diff --git a/crypto_sign/sphincs-haraka-256s-robust/clean/Makefile.Microsoft_nmake b/crypto_sign/sphincs-haraka-256s-robust/clean/Makefile.Microsoft_nmake deleted file mode 100644 index 41797404..00000000 --- a/crypto_sign/sphincs-haraka-256s-robust/clean/Makefile.Microsoft_nmake +++ /dev/null @@ -1,19 +0,0 @@ -# This Makefile can be used with Microsoft Visual Studio's nmake using the command: -# nmake /f Makefile.Microsoft_nmake - -LIBRARY=libsphincs-haraka-256s-robust_clean.lib -OBJECTS=address.obj wots.obj utils.obj fors.obj sign.obj hash_haraka.obj thash_haraka_robust.obj haraka.obj - -CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX - -all: $(LIBRARY) - -# Make sure objects are recompiled if headers change. -$(OBJECTS): *.h - -$(LIBRARY): $(OBJECTS) - LIB.EXE /NOLOGO /WX /OUT:$@ $** - -clean: - -DEL $(OBJECTS) - -DEL $(LIBRARY) 
diff --git a/crypto_sign/sphincs-haraka-256s-robust/clean/address.c b/crypto_sign/sphincs-haraka-256s-robust/clean/address.c
deleted file mode 100644
index fdb232ef..00000000
--- a/crypto_sign/sphincs-haraka-256s-robust/clean/address.c
+++ /dev/null
@@ -1,78 +0,0 @@
-#include
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]) {
- int i;
-
- for (i = 0; i < 8; i++) {
- PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ull_to_bytes(
- bytes + i * 4, 4, addr[i]);
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_layer_addr(
- uint32_t addr[8], uint32_t layer) {
- addr[0] = layer;
-}
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_tree_addr(
- uint32_t addr[8], uint64_t tree) {
- addr[1] = 0;
- addr[2] = (uint32_t) (tree >> 32);
- addr[3] = (uint32_t) tree;
-}
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_type(
- uint32_t addr[8], uint32_t type) {
- addr[4] = type;
-}
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
-}
-
-/* These functions are used for OTS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair) {
- addr[5] = keypair;
-}
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
- out[5] = in[5];
-}
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_chain_addr(
- uint32_t addr[8], uint32_t chain) {
- addr[6] = chain;
-}
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_hash_addr(
- uint32_t addr[8], uint32_t hash) {
- addr[7] = hash;
-}
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_tree_height(
- uint32_t addr[8], uint32_t tree_height) {
- addr[6] = tree_height;
-}
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_tree_index(
- uint32_t addr[8], uint32_t tree_index) {
- addr[7] = tree_index;
-}
diff --git a/crypto_sign/sphincs-haraka-256s-robust/clean/address.h b/crypto_sign/sphincs-haraka-256s-robust/clean/address.h
deleted file mode 100644
index 0d5ac605..00000000
--- a/crypto_sign/sphincs-haraka-256s-robust/clean/address.h
+++ /dev/null
@@ -1,50 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDRESS_H
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDRESS_H
-
-#include
-
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_TYPE_WOTS 0
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_TYPE_WOTSPK 1
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_TYPE_HASHTREE 2
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_TYPE_FORSTREE 3
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_TYPE_FORSPK 4
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]);
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_layer_addr(
- uint32_t addr[8], uint32_t layer);
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_tree_addr(
- uint32_t addr[8], uint64_t tree);
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_type(
- uint32_t addr[8], uint32_t type);
-
-/* Copies the layer and tree part of one address into the other */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for WOTS and FORS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair);
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_chain_addr(
- uint32_t addr[8], uint32_t chain);
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_hash_addr(
- uint32_t addr[8], uint32_t hash);
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_tree_height(
- uint32_t addr[8], uint32_t tree_height);
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_tree_index(
- uint32_t addr[8], uint32_t tree_index);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256s-robust/clean/api.h b/crypto_sign/sphincs-haraka-256s-robust/clean/api.h
deleted file mode 100644
index 783c9387..00000000
--- a/crypto_sign/sphincs-haraka-256s-robust/clean/api.h
+++ /dev/null
@@ -1,81 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_API_H
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_API_H
-
-#include
-#include
-
-
-
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_CRYPTO_ALGNAME "SPHINCS+"
-
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_CRYPTO_SECRETKEYBYTES 128
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_CRYPTO_PUBLICKEYBYTES 64
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_CRYPTO_BYTES 29792
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_CRYPTO_SEEDBYTES 96
-
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_crypto_sign_seed_keypair(
- uint8_t *pk, uint8_t *sk, const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_crypto_sign_keypair(
- uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-int PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen, const uint8_t *pk);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256s-robust/clean/fors.c b/crypto_sign/sphincs-haraka-256s-robust/clean/fors.c
deleted file mode 100644
index e09e1179..00000000
--- a/crypto_sign/sphincs-haraka-256s-robust/clean/fors.c
+++ /dev/null
@@ -1,161 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "fors.h" -#include "hash.h" -#include "hash_state.h" -#include "thash.h" -#include "utils.h" - -static void fors_gen_sk(unsigned char *sk, const unsigned char *sk_seed, - uint32_t fors_leaf_addr[8], const hash_state *hash_state_seeded) { - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_prf_addr( - sk, sk_seed, fors_leaf_addr, hash_state_seeded); -} - -static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk, - const unsigned char *pub_seed, - uint32_t fors_leaf_addr[8], - const hash_state *hash_state_seeded) { - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_thash_1( - leaf, sk, pub_seed, fors_leaf_addr, hash_state_seeded); -} - -static void fors_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx, const uint32_t fors_tree_addr[8], - const hash_state *hash_state_seeded) { - uint32_t fors_leaf_addr[8] = {0}; - - /* Only copy the parts that must be kept in fors_leaf_addr. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_copy_keypair_addr( - fors_leaf_addr, fors_tree_addr); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_type( - fors_leaf_addr, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_TYPE_FORSTREE); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_tree_index( - fors_leaf_addr, addr_idx); - - fors_gen_sk(leaf, sk_seed, fors_leaf_addr, hash_state_seeded); - fors_sk_to_leaf(leaf, leaf, pub_seed, fors_leaf_addr, hash_state_seeded); -} - -/** - * Interprets m as PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_HEIGHT-bit unsigned integers. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_TREES bits. - * Assumes indices has space for PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_TREES integers. 
- */ -static void message_to_indices(uint32_t *indices, const unsigned char *m) { - unsigned int i, j; - unsigned int offset = 0; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_TREES; i++) { - indices[i] = 0; - for (j = 0; j < PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_HEIGHT; j++) { - indices[i] ^= (((uint32_t)m[offset >> 3] >> (offset & 0x7)) & 0x1) << j; - offset++; - } - } -} - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_TREES bits. - */ -void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_fors_sign( - unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const unsigned char *sk_seed, const unsigned char *pub_seed, - const uint32_t fors_addr[8], const hash_state *hash_state_seeded) { - uint32_t indices[PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_TREES]; - unsigned char roots[PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N]; - uint32_t fors_tree_addr[8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_copy_keypair_addr( - fors_tree_addr, fors_addr); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_copy_keypair_addr( - fors_pk_addr, fors_addr); - - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_type( - fors_tree_addr, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_TYPE_FORSTREE); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_type( - fors_pk_addr, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_TREES; i++) { - idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_HEIGHT); - - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_tree_height( - fors_tree_addr, 0); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_tree_index( - fors_tree_addr, indices[i] + idx_offset); - - /* Include 
the secret key part that produces the selected leaf node. */ - fors_gen_sk(sig, sk_seed, fors_tree_addr, hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N; - - /* Compute the authentication path for this leaf node. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_treehash_FORS_HEIGHT( - roots + i * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, sig, sk_seed, pub_seed, - indices[i], idx_offset, fors_gen_leaf, fors_tree_addr, - hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_thash_FORS_TREES( - pk, roots, pub_seed, fors_pk_addr, hash_state_seeded); -} - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_TREES bits. 
- */ -void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_fors_pk_from_sig( - unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const unsigned char *pub_seed, const uint32_t fors_addr[8], - const hash_state *hash_state_seeded) { - uint32_t indices[PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_TREES]; - unsigned char roots[PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N]; - uint32_t fors_tree_addr[8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_copy_keypair_addr(fors_tree_addr, fors_addr); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_copy_keypair_addr(fors_pk_addr, fors_addr); - - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_type(fors_tree_addr, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_TYPE_FORSTREE); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_TREES; i++) { - idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_HEIGHT); - - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_tree_height(fors_tree_addr, 0); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_tree_index(fors_tree_addr, indices[i] + idx_offset); - - /* Derive the leaf from the included secret key part. */ - fors_sk_to_leaf(leaf, sig, pub_seed, fors_tree_addr, hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N; - - /* Derive the corresponding root node of this tree. 
*/
- PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_compute_root(roots + i * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, leaf, indices[i], idx_offset, sig,
- PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_HEIGHT, pub_seed, fors_tree_addr, hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, hash_state_seeded);
-}
diff --git a/crypto_sign/sphincs-haraka-256s-robust/clean/fors.h b/crypto_sign/sphincs-haraka-256s-robust/clean/fors.h
deleted file mode 100644
index 86b48f61..00000000
--- a/crypto_sign/sphincs-haraka-256s-robust/clean/fors.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_H
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_H
-
-#include
-
-#include "hash_state.h"
-#include "params.h"
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_fors_sign(
- unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- const uint32_t fors_addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_fors_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const unsigned char *pub_seed, const uint32_t fors_addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256s-robust/clean/haraka.c b/crypto_sign/sphincs-haraka-256s-robust/clean/haraka.c
deleted file mode 100644
index fb1bf5ef..00000000
--- a/crypto_sign/sphincs-haraka-256s-robust/clean/haraka.c
+++ /dev/null
@@ -1,963 +0,0 @@ -/* - * Constant time implementation of the Haraka hash function. - * - * The bit-sliced implementation of the AES round functions are - * based on the AES implementation in BearSSL written - * by Thomas Pornin - */ - -#include -#include -#include -#include - -#include "haraka.h" - -#define HARAKAS_RATE 32 - -static const uint64_t haraka512_rc64[10][8] = { - {0x24cf0ab9086f628b, 0xbdd6eeecc83b8382, 0xd96fb0306cdad0a7, 0xaace082ac8f95f89, 0x449d8e8870d7041f, 0x49bb2f80b2b3e2f8, 0x0569ae98d93bb258, 0x23dc9691e7d6a4b1}, - {0xd8ba10ede0fe5b6e, 0x7ecf7dbe424c7b8e, 0x6ea9949c6df62a31, 0xbf3f3c97ec9c313e, 0x241d03a196a1861e, 0xead3a51116e5a2ea, 0x77d479fcad9574e3, 0x18657a1af894b7a0}, - {0x10671e1a7f595522, 0xd9a00ff675d28c7b, 0x2f1edf0d2b9ba661, 0xb8ff58b8e3de45f9, 0xee29261da9865c02, 0xd1532aa4b50bdf43, 0x8bf858159b231bb1, 0xdf17439d22d4f599}, - {0xdd4b2f0870b918c0, 0x757a81f3b39b1bb6, 0x7a5c556898952e3f, 0x7dd70a16d915d87a, 0x3ae61971982b8301, 0xc3ab319e030412be, 0x17c0033ac094a8cb, 0x5a0630fc1a8dc4ef}, - {0x17708988c1632f73, 0xf92ddae090b44f4f, 0x11ac0285c43aa314, 0x509059941936b8ba, 0xd03e152fa2ce9b69, 0x3fbcbcb63a32998b, 0x6204696d692254f7, 0x915542ed93ec59b4}, - {0xf4ed94aa8879236e, 0xff6cb41cd38e03c0, 0x069b38602368aeab, 0x669495b820f0ddba, 0xf42013b1b8bf9e3d, 0xcf935efe6439734d, 0xbc1dcf42ca29e3f8, 0x7e6d3ed29f78ad67}, - {0xf3b0f6837ffcddaa, 0x3a76faef934ddf41, 0xcec7ae583a9c8e35, 0xe4dd18c68f0260af, 0x2c0e5df1ad398eaa, 0x478df5236ae22e8c, 0xfb944c46fe865f39, 0xaa48f82f028132ba}, - {0x231b9ae2b76aca77, 0x292a76a712db0b40, 0x5850625dc8134491, 0x73137dd469810fb5, 0x8a12a6a202a474fd, 0xd36fd9daa78bdb80, 0xb34c5e733505706f, 0xbaf1cdca818d9d96}, - {0x2e99781335e8c641, 0xbddfe5cce47d560e, 0xf74e9bf32e5e040c, 0x1d7a709d65996be9, 0x670df36a9cf66cdd, 0xd05ef84a176a2875, 0x0f888e828cb1c44e, 0x1a79e9c9727b052c}, - {0x83497348628d84de, 0x2e9387d51f22a754, 0xb000068da2f852d6, 0x378c9e1190fd6fe5, 0x870027c316de7293, 0xe51a9d4462e047bb, 0x90ecf7f8c6251195, 
0x655953bfbed90a9c}, -}; - -static inline uint32_t br_dec32le(const unsigned char *src) { - return (uint32_t)src[0] - | ((uint32_t)src[1] << 8) - | ((uint32_t)src[2] << 16) - | ((uint32_t)src[3] << 24); -} - -static void br_range_dec32le(uint32_t *v, size_t num, const unsigned char *src) { - while (num-- > 0) { - *v ++ = br_dec32le(src); - src += 4; - } -} - -static inline void br_enc32le(unsigned char *dst, uint32_t x) { - dst[0] = (unsigned char)x; - dst[1] = (unsigned char)(x >> 8); - dst[2] = (unsigned char)(x >> 16); - dst[3] = (unsigned char)(x >> 24); -} - - -static void br_range_enc32le(unsigned char *dst, const uint32_t *v, size_t num) { - while (num-- > 0) { - br_enc32le(dst, *v ++); - dst += 4; - } -} - -static void br_aes_ct64_bitslice_Sbox(uint64_t *q) { - /* - * This S-box implementation is a straightforward translation of - * the circuit described by Boyar and Peralta in "A new - * combinational logic minimization technique with applications - * to cryptology" (https://eprint.iacr.org/2009/191.pdf). - * - * Note that variables x* (input) and s* (output) are numbered - * in "reverse" order (x0 is the high bit, x7 is the low bit). 
- */ - - uint64_t x0, x1, x2, x3, x4, x5, x6, x7; - uint64_t y1, y2, y3, y4, y5, y6, y7, y8, y9; - uint64_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19; - uint64_t y20, y21; - uint64_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9; - uint64_t z10, z11, z12, z13, z14, z15, z16, z17; - uint64_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9; - uint64_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19; - uint64_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29; - uint64_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39; - uint64_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49; - uint64_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59; - uint64_t t60, t61, t62, t63, t64, t65, t66, t67; - uint64_t s0, s1, s2, s3, s4, s5, s6, s7; - - x0 = q[7]; - x1 = q[6]; - x2 = q[5]; - x3 = q[4]; - x4 = q[3]; - x5 = q[2]; - x6 = q[1]; - x7 = q[0]; - - /* - * Top linear transformation. - */ - y14 = x3 ^ x5; - y13 = x0 ^ x6; - y9 = x0 ^ x3; - y8 = x0 ^ x5; - t0 = x1 ^ x2; - y1 = t0 ^ x7; - y4 = y1 ^ x3; - y12 = y13 ^ y14; - y2 = y1 ^ x0; - y5 = y1 ^ x6; - y3 = y5 ^ y8; - t1 = x4 ^ y12; - y15 = t1 ^ x5; - y20 = t1 ^ x1; - y6 = y15 ^ x7; - y10 = y15 ^ t0; - y11 = y20 ^ y9; - y7 = x7 ^ y11; - y17 = y10 ^ y11; - y19 = y10 ^ y8; - y16 = t0 ^ y11; - y21 = y13 ^ y16; - y18 = x0 ^ y16; - - /* - * Non-linear section. 
- */ - t2 = y12 & y15; - t3 = y3 & y6; - t4 = t3 ^ t2; - t5 = y4 & x7; - t6 = t5 ^ t2; - t7 = y13 & y16; - t8 = y5 & y1; - t9 = t8 ^ t7; - t10 = y2 & y7; - t11 = t10 ^ t7; - t12 = y9 & y11; - t13 = y14 & y17; - t14 = t13 ^ t12; - t15 = y8 & y10; - t16 = t15 ^ t12; - t17 = t4 ^ t14; - t18 = t6 ^ t16; - t19 = t9 ^ t14; - t20 = t11 ^ t16; - t21 = t17 ^ y20; - t22 = t18 ^ y19; - t23 = t19 ^ y21; - t24 = t20 ^ y18; - - t25 = t21 ^ t22; - t26 = t21 & t23; - t27 = t24 ^ t26; - t28 = t25 & t27; - t29 = t28 ^ t22; - t30 = t23 ^ t24; - t31 = t22 ^ t26; - t32 = t31 & t30; - t33 = t32 ^ t24; - t34 = t23 ^ t33; - t35 = t27 ^ t33; - t36 = t24 & t35; - t37 = t36 ^ t34; - t38 = t27 ^ t36; - t39 = t29 & t38; - t40 = t25 ^ t39; - - t41 = t40 ^ t37; - t42 = t29 ^ t33; - t43 = t29 ^ t40; - t44 = t33 ^ t37; - t45 = t42 ^ t41; - z0 = t44 & y15; - z1 = t37 & y6; - z2 = t33 & x7; - z3 = t43 & y16; - z4 = t40 & y1; - z5 = t29 & y7; - z6 = t42 & y11; - z7 = t45 & y17; - z8 = t41 & y10; - z9 = t44 & y12; - z10 = t37 & y3; - z11 = t33 & y4; - z12 = t43 & y13; - z13 = t40 & y5; - z14 = t29 & y2; - z15 = t42 & y9; - z16 = t45 & y14; - z17 = t41 & y8; - - /* - * Bottom linear transformation. 
- */ - t46 = z15 ^ z16; - t47 = z10 ^ z11; - t48 = z5 ^ z13; - t49 = z9 ^ z10; - t50 = z2 ^ z12; - t51 = z2 ^ z5; - t52 = z7 ^ z8; - t53 = z0 ^ z3; - t54 = z6 ^ z7; - t55 = z16 ^ z17; - t56 = z12 ^ t48; - t57 = t50 ^ t53; - t58 = z4 ^ t46; - t59 = z3 ^ t54; - t60 = t46 ^ t57; - t61 = z14 ^ t57; - t62 = t52 ^ t58; - t63 = t49 ^ t58; - t64 = z4 ^ t59; - t65 = t61 ^ t62; - t66 = z1 ^ t63; - s0 = t59 ^ t63; - s6 = t56 ^ ~t62; - s7 = t48 ^ ~t60; - t67 = t64 ^ t65; - s3 = t53 ^ t66; - s4 = t51 ^ t66; - s5 = t47 ^ t65; - s1 = t64 ^ ~s3; - s2 = t55 ^ ~t67; - - q[7] = s0; - q[6] = s1; - q[5] = s2; - q[4] = s3; - q[3] = s4; - q[2] = s5; - q[1] = s6; - q[0] = s7; -} - -static void br_aes_ct_bitslice_Sbox(uint32_t *q) { - /* - * This S-box implementation is a straightforward translation of - * the circuit described by Boyar and Peralta in "A new - * combinational logic minimization technique with applications - * to cryptology" (https://eprint.iacr.org/2009/191.pdf). - * - * Note that variables x* (input) and s* (output) are numbered - * in "reverse" order (x0 is the high bit, x7 is the low bit). - */ - - uint32_t x0, x1, x2, x3, x4, x5, x6, x7; - uint32_t y1, y2, y3, y4, y5, y6, y7, y8, y9; - uint32_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19; - uint32_t y20, y21; - uint32_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9; - uint32_t z10, z11, z12, z13, z14, z15, z16, z17; - uint32_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9; - uint32_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19; - uint32_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29; - uint32_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39; - uint32_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49; - uint32_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59; - uint32_t t60, t61, t62, t63, t64, t65, t66, t67; - uint32_t s0, s1, s2, s3, s4, s5, s6, s7; - - x0 = q[7]; - x1 = q[6]; - x2 = q[5]; - x3 = q[4]; - x4 = q[3]; - x5 = q[2]; - x6 = q[1]; - x7 = q[0]; - - /* - * Top linear transformation. 
- */ - y14 = x3 ^ x5; - y13 = x0 ^ x6; - y9 = x0 ^ x3; - y8 = x0 ^ x5; - t0 = x1 ^ x2; - y1 = t0 ^ x7; - y4 = y1 ^ x3; - y12 = y13 ^ y14; - y2 = y1 ^ x0; - y5 = y1 ^ x6; - y3 = y5 ^ y8; - t1 = x4 ^ y12; - y15 = t1 ^ x5; - y20 = t1 ^ x1; - y6 = y15 ^ x7; - y10 = y15 ^ t0; - y11 = y20 ^ y9; - y7 = x7 ^ y11; - y17 = y10 ^ y11; - y19 = y10 ^ y8; - y16 = t0 ^ y11; - y21 = y13 ^ y16; - y18 = x0 ^ y16; - - /* - * Non-linear section. - */ - t2 = y12 & y15; - t3 = y3 & y6; - t4 = t3 ^ t2; - t5 = y4 & x7; - t6 = t5 ^ t2; - t7 = y13 & y16; - t8 = y5 & y1; - t9 = t8 ^ t7; - t10 = y2 & y7; - t11 = t10 ^ t7; - t12 = y9 & y11; - t13 = y14 & y17; - t14 = t13 ^ t12; - t15 = y8 & y10; - t16 = t15 ^ t12; - t17 = t4 ^ t14; - t18 = t6 ^ t16; - t19 = t9 ^ t14; - t20 = t11 ^ t16; - t21 = t17 ^ y20; - t22 = t18 ^ y19; - t23 = t19 ^ y21; - t24 = t20 ^ y18; - - t25 = t21 ^ t22; - t26 = t21 & t23; - t27 = t24 ^ t26; - t28 = t25 & t27; - t29 = t28 ^ t22; - t30 = t23 ^ t24; - t31 = t22 ^ t26; - t32 = t31 & t30; - t33 = t32 ^ t24; - t34 = t23 ^ t33; - t35 = t27 ^ t33; - t36 = t24 & t35; - t37 = t36 ^ t34; - t38 = t27 ^ t36; - t39 = t29 & t38; - t40 = t25 ^ t39; - - t41 = t40 ^ t37; - t42 = t29 ^ t33; - t43 = t29 ^ t40; - t44 = t33 ^ t37; - t45 = t42 ^ t41; - z0 = t44 & y15; - z1 = t37 & y6; - z2 = t33 & x7; - z3 = t43 & y16; - z4 = t40 & y1; - z5 = t29 & y7; - z6 = t42 & y11; - z7 = t45 & y17; - z8 = t41 & y10; - z9 = t44 & y12; - z10 = t37 & y3; - z11 = t33 & y4; - z12 = t43 & y13; - z13 = t40 & y5; - z14 = t29 & y2; - z15 = t42 & y9; - z16 = t45 & y14; - z17 = t41 & y8; - - /* - * Bottom linear transformation. 
- */ - t46 = z15 ^ z16; - t47 = z10 ^ z11; - t48 = z5 ^ z13; - t49 = z9 ^ z10; - t50 = z2 ^ z12; - t51 = z2 ^ z5; - t52 = z7 ^ z8; - t53 = z0 ^ z3; - t54 = z6 ^ z7; - t55 = z16 ^ z17; - t56 = z12 ^ t48; - t57 = t50 ^ t53; - t58 = z4 ^ t46; - t59 = z3 ^ t54; - t60 = t46 ^ t57; - t61 = z14 ^ t57; - t62 = t52 ^ t58; - t63 = t49 ^ t58; - t64 = z4 ^ t59; - t65 = t61 ^ t62; - t66 = z1 ^ t63; - s0 = t59 ^ t63; - s6 = t56 ^ ~t62; - s7 = t48 ^ ~t60; - t67 = t64 ^ t65; - s3 = t53 ^ t66; - s4 = t51 ^ t66; - s5 = t47 ^ t65; - s1 = t64 ^ ~s3; - s2 = t55 ^ ~t67; - - q[7] = s0; - q[6] = s1; - q[5] = s2; - q[4] = s3; - q[3] = s4; - q[2] = s5; - q[1] = s6; - q[0] = s7; -} - -static void br_aes_ct_ortho(uint32_t *q) { -#define SWAPN_32(cl, ch, s, x, y) do { \ - uint32_t a, b; \ - a = (x); \ - b = (y); \ - (x) = (a & (uint32_t)(cl)) | ((b & (uint32_t)(cl)) << (s)); \ - (y) = ((a & (uint32_t)(ch)) >> (s)) | (b & (uint32_t)(ch)); \ - } while (0) - -#define SWAP2_32(x, y) SWAPN_32(0x55555555, 0xAAAAAAAA, 1, x, y) -#define SWAP4_32(x, y) SWAPN_32(0x33333333, 0xCCCCCCCC, 2, x, y) -#define SWAP8_32(x, y) SWAPN_32(0x0F0F0F0F, 0xF0F0F0F0, 4, x, y) - - SWAP2_32(q[0], q[1]); - SWAP2_32(q[2], q[3]); - SWAP2_32(q[4], q[5]); - SWAP2_32(q[6], q[7]); - - SWAP4_32(q[0], q[2]); - SWAP4_32(q[1], q[3]); - SWAP4_32(q[4], q[6]); - SWAP4_32(q[5], q[7]); - - SWAP8_32(q[0], q[4]); - SWAP8_32(q[1], q[5]); - SWAP8_32(q[2], q[6]); - SWAP8_32(q[3], q[7]); -} - -static inline void add_round_key32(uint32_t *q, const uint32_t *sk) { - q[0] ^= sk[0]; - q[1] ^= sk[1]; - q[2] ^= sk[2]; - q[3] ^= sk[3]; - q[4] ^= sk[4]; - q[5] ^= sk[5]; - q[6] ^= sk[6]; - q[7] ^= sk[7]; -} - -static inline void shift_rows32(uint32_t *q) { - int i; - - for (i = 0; i < 8; i++) { - uint32_t x; - - x = q[i]; - q[i] = (x & 0x000000FF) - | ((x & 0x0000FC00) >> 2) | ((x & 0x00000300) << 6) - | ((x & 0x00F00000) >> 4) | ((x & 0x000F0000) << 4) - | ((x & 0xC0000000) >> 6) | ((x & 0x3F000000) << 2); - } -} - -static inline uint32_t 
rotr16(uint32_t x) { - return (x << 16) | (x >> 16); -} - -static inline void mix_columns32(uint32_t *q) { - uint32_t q0, q1, q2, q3, q4, q5, q6, q7; - uint32_t r0, r1, r2, r3, r4, r5, r6, r7; - - q0 = q[0]; - q1 = q[1]; - q2 = q[2]; - q3 = q[3]; - q4 = q[4]; - q5 = q[5]; - q6 = q[6]; - q7 = q[7]; - r0 = (q0 >> 8) | (q0 << 24); - r1 = (q1 >> 8) | (q1 << 24); - r2 = (q2 >> 8) | (q2 << 24); - r3 = (q3 >> 8) | (q3 << 24); - r4 = (q4 >> 8) | (q4 << 24); - r5 = (q5 >> 8) | (q5 << 24); - r6 = (q6 >> 8) | (q6 << 24); - r7 = (q7 >> 8) | (q7 << 24); - - q[0] = q7 ^ r7 ^ r0 ^ rotr16(q0 ^ r0); - q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr16(q1 ^ r1); - q[2] = q1 ^ r1 ^ r2 ^ rotr16(q2 ^ r2); - q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr16(q3 ^ r3); - q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr16(q4 ^ r4); - q[5] = q4 ^ r4 ^ r5 ^ rotr16(q5 ^ r5); - q[6] = q5 ^ r5 ^ r6 ^ rotr16(q6 ^ r6); - q[7] = q6 ^ r6 ^ r7 ^ rotr16(q7 ^ r7); -} - -static void br_aes_ct64_ortho(uint64_t *q) { -#define SWAPN(cl, ch, s, x, y) do { \ - uint64_t a, b; \ - a = (x); \ - b = (y); \ - (x) = (a & (uint64_t)(cl)) | ((b & (uint64_t)(cl)) << (s)); \ - (y) = ((a & (uint64_t)(ch)) >> (s)) | (b & (uint64_t)(ch)); \ - } while (0) - -#define SWAP2(x, y) SWAPN(0x5555555555555555, 0xAAAAAAAAAAAAAAAA, 1, x, y) -#define SWAP4(x, y) SWAPN(0x3333333333333333, 0xCCCCCCCCCCCCCCCC, 2, x, y) -#define SWAP8(x, y) SWAPN(0x0F0F0F0F0F0F0F0F, 0xF0F0F0F0F0F0F0F0, 4, x, y) - - SWAP2(q[0], q[1]); - SWAP2(q[2], q[3]); - SWAP2(q[4], q[5]); - SWAP2(q[6], q[7]); - - SWAP4(q[0], q[2]); - SWAP4(q[1], q[3]); - SWAP4(q[4], q[6]); - SWAP4(q[5], q[7]); - - SWAP8(q[0], q[4]); - SWAP8(q[1], q[5]); - SWAP8(q[2], q[6]); - SWAP8(q[3], q[7]); -} - - -static void br_aes_ct64_interleave_in(uint64_t *q0, uint64_t *q1, const uint32_t *w) { - uint64_t x0, x1, x2, x3; - - x0 = w[0]; - x1 = w[1]; - x2 = w[2]; - x3 = w[3]; - x0 |= (x0 << 16); - x1 |= (x1 << 16); - x2 |= (x2 << 16); - x3 |= (x3 << 16); - x0 &= (uint64_t)0x0000FFFF0000FFFF; - x1 &= 
(uint64_t)0x0000FFFF0000FFFF; - x2 &= (uint64_t)0x0000FFFF0000FFFF; - x3 &= (uint64_t)0x0000FFFF0000FFFF; - x0 |= (x0 << 8); - x1 |= (x1 << 8); - x2 |= (x2 << 8); - x3 |= (x3 << 8); - x0 &= (uint64_t)0x00FF00FF00FF00FF; - x1 &= (uint64_t)0x00FF00FF00FF00FF; - x2 &= (uint64_t)0x00FF00FF00FF00FF; - x3 &= (uint64_t)0x00FF00FF00FF00FF; - *q0 = x0 | (x2 << 8); - *q1 = x1 | (x3 << 8); -} - - -static void br_aes_ct64_interleave_out(uint32_t *w, uint64_t q0, uint64_t q1) { - uint64_t x0, x1, x2, x3; - - x0 = q0 & (uint64_t)0x00FF00FF00FF00FF; - x1 = q1 & (uint64_t)0x00FF00FF00FF00FF; - x2 = (q0 >> 8) & (uint64_t)0x00FF00FF00FF00FF; - x3 = (q1 >> 8) & (uint64_t)0x00FF00FF00FF00FF; - x0 |= (x0 >> 8); - x1 |= (x1 >> 8); - x2 |= (x2 >> 8); - x3 |= (x3 >> 8); - x0 &= (uint64_t)0x0000FFFF0000FFFF; - x1 &= (uint64_t)0x0000FFFF0000FFFF; - x2 &= (uint64_t)0x0000FFFF0000FFFF; - x3 &= (uint64_t)0x0000FFFF0000FFFF; - w[0] = (uint32_t)x0 | (uint32_t)(x0 >> 16); - w[1] = (uint32_t)x1 | (uint32_t)(x1 >> 16); - w[2] = (uint32_t)x2 | (uint32_t)(x2 >> 16); - w[3] = (uint32_t)x3 | (uint32_t)(x3 >> 16); -} - -static inline void add_round_key(uint64_t *q, const uint64_t *sk) { - q[0] ^= sk[0]; - q[1] ^= sk[1]; - q[2] ^= sk[2]; - q[3] ^= sk[3]; - q[4] ^= sk[4]; - q[5] ^= sk[5]; - q[6] ^= sk[6]; - q[7] ^= sk[7]; -} - -static inline void shift_rows(uint64_t *q) { - int i; - - for (i = 0; i < 8; i++) { - uint64_t x; - - x = q[i]; - q[i] = (x & (uint64_t)0x000000000000FFFF) - | ((x & (uint64_t)0x00000000FFF00000) >> 4) - | ((x & (uint64_t)0x00000000000F0000) << 12) - | ((x & (uint64_t)0x0000FF0000000000) >> 8) - | ((x & (uint64_t)0x000000FF00000000) << 8) - | ((x & (uint64_t)0xF000000000000000) >> 12) - | ((x & (uint64_t)0x0FFF000000000000) << 4); - } -} - -static inline uint64_t rotr32(uint64_t x) { - return (x << 32) | (x >> 32); -} - -static inline void mix_columns(uint64_t *q) { - uint64_t q0, q1, q2, q3, q4, q5, q6, q7; - uint64_t r0, r1, r2, r3, r4, r5, r6, r7; - - q0 = q[0]; - q1 = q[1]; - 
q2 = q[2]; - q3 = q[3]; - q4 = q[4]; - q5 = q[5]; - q6 = q[6]; - q7 = q[7]; - r0 = (q0 >> 16) | (q0 << 48); - r1 = (q1 >> 16) | (q1 << 48); - r2 = (q2 >> 16) | (q2 << 48); - r3 = (q3 >> 16) | (q3 << 48); - r4 = (q4 >> 16) | (q4 << 48); - r5 = (q5 >> 16) | (q5 << 48); - r6 = (q6 >> 16) | (q6 << 48); - r7 = (q7 >> 16) | (q7 << 48); - - q[0] = q7 ^ r7 ^ r0 ^ rotr32(q0 ^ r0); - q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr32(q1 ^ r1); - q[2] = q1 ^ r1 ^ r2 ^ rotr32(q2 ^ r2); - q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr32(q3 ^ r3); - q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr32(q4 ^ r4); - q[5] = q4 ^ r4 ^ r5 ^ rotr32(q5 ^ r5); - q[6] = q5 ^ r5 ^ r6 ^ rotr32(q6 ^ r6); - q[7] = q6 ^ r6 ^ r7 ^ rotr32(q7 ^ r7); -} - -static void interleave_constant(uint64_t *out, const unsigned char *in) { - uint32_t tmp_32_constant[16]; - int i; - - br_range_dec32le(tmp_32_constant, 16, in); - for (i = 0; i < 4; i++) { - br_aes_ct64_interleave_in(&out[i], &out[i + 4], tmp_32_constant + (i << 2)); - } - br_aes_ct64_ortho(out); -} - -static void interleave_constant32(uint32_t *out, const unsigned char *in) { - int i; - for (i = 0; i < 4; i++) { - out[2 * i] = br_dec32le(in + 4 * i); - out[2 * i + 1] = br_dec32le(in + 4 * i + 16); - } - br_aes_ct_ortho(out); -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_tweak_constants( - harakactx *state, - const unsigned char *pk_seed, const unsigned char *sk_seed, - unsigned long long seed_length) { - unsigned char buf[40 * 16]; - int i; - - /* Use the standard constants to generate tweaked ones. 
*/ - memcpy((uint8_t *)state->tweaked512_rc64, (uint8_t *)haraka512_rc64, 40 * 16); - - /* Constants for sk.seed */ - if (sk_seed != NULL) { - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S( - buf, 40 * 16, sk_seed, seed_length, state); - - /* Interleave constants */ - for (i = 0; i < 10; i++) { - interleave_constant32(state->tweaked256_rc32_sseed[i], buf + 32 * i); - } - } - - /* Constants for pk.seed */ - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S( - buf, 40 * 16, pk_seed, seed_length, state); - for (i = 0; i < 10; i++) { - interleave_constant32(state->tweaked256_rc32[i], buf + 32 * i); - interleave_constant(state->tweaked512_rc64[i], buf + 64 * i); - } -} - -static void haraka_S_absorb(unsigned char *s, - const unsigned char *m, unsigned long long mlen, - unsigned char p, const harakactx *state) { - unsigned long long i; - unsigned char t[HARAKAS_RATE]; - - while (mlen >= HARAKAS_RATE) { - /* XOR block to state */ - for (i = 0; i < HARAKAS_RATE; ++i) { - s[i] ^= m[i]; - } - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka512_perm(s, s, state); - mlen -= HARAKAS_RATE; - m += HARAKAS_RATE; - } - - for (i = 0; i < HARAKAS_RATE; ++i) { - t[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t[i] = m[i]; - } - t[i] = p; - t[HARAKAS_RATE - 1] |= 128; - for (i = 0; i < HARAKAS_RATE; ++i) { - s[i] ^= t[i]; - } -} - -static void haraka_S_squeezeblocks(unsigned char *h, unsigned long long nblocks, - unsigned char *s, const harakactx *state) { - while (nblocks > 0) { - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka512_perm(s, s, state); - memcpy(h, s, HARAKAS_RATE); - h += HARAKAS_RATE; - nblocks--; - } -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S_inc_init(uint8_t *s_inc) { - size_t i; - - for (i = 0; i < 64; i++) { - s_inc[i] = 0; - } - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state) { - size_t i; - - /* Recall that s_inc[64] is the non-absorbed bytes xored into 
the state */ - while (mlen + s_inc[64] >= HARAKAS_RATE) { - for (i = 0; i < (size_t)(HARAKAS_RATE - s_inc[64]); i++) { - /* Take the i'th byte from message - xor with the s_inc[64] + i'th byte of the state */ - s_inc[s_inc[64] + i] ^= m[i]; - } - mlen -= (size_t)(HARAKAS_RATE - s_inc[64]); - m += HARAKAS_RATE - s_inc[64]; - s_inc[64] = 0; - - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka512_perm(s_inc, s_inc, state); - } - - for (i = 0; i < mlen; i++) { - s_inc[s_inc[64] + i] ^= m[i]; - } - s_inc[64] = (uint8_t)(mlen + s_inc[64]); -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S_inc_finalize(uint8_t *s_inc) { - /* After haraka_S_inc_absorb, we are guaranteed that s_inc[64] < HARAKAS_RATE, - so we can always use one more byte for p in the current state. */ - s_inc[s_inc[64]] ^= 0x1F; - s_inc[HARAKAS_RATE - 1] ^= 128; - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state) { - uint8_t i; - - /* First consume any bytes we still have sitting around */ - for (i = 0; i < outlen && i < s_inc[64]; i++) { - /* There are s_inc[64] bytes left, so r - s_inc[64] is the first - available byte. We consume from there, i.e., up to r. 
*/ - out[i] = s_inc[(HARAKAS_RATE - s_inc[64] + i)]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(s_inc[64] - i); - - /* Then squeeze the remaining necessary blocks */ - while (outlen > 0) { - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka512_perm(s_inc, s_inc, state); - - for (i = 0; i < outlen && i < HARAKAS_RATE; i++) { - out[i] = s_inc[i]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(HARAKAS_RATE - i); - } -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S(unsigned char *out, unsigned long long outlen, const unsigned char *in, unsigned long long inlen, const harakactx *state) { - unsigned long long i; - unsigned char s[64]; - unsigned char d[32]; - - for (i = 0; i < 64; i++) { - s[i] = 0; - } - haraka_S_absorb(s, in, inlen, 0x1F, state); - - haraka_S_squeezeblocks(out, outlen / 32, s, state); - out += (outlen / 32) * 32; - - if (outlen % 32) { - haraka_S_squeezeblocks(d, 1, s, state); - for (i = 0; i < outlen % 32; i++) { - out[i] = d[i]; - } - } -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state) { - uint32_t w[16]; - uint64_t q[8], tmp_q; - unsigned int i, j; - - br_range_dec32le(w, 16, in); - for (i = 0; i < 4; i++) { - br_aes_ct64_interleave_in(&q[i], &q[i + 4], w + (i << 2)); - } - br_aes_ct64_ortho(q); - - /* AES rounds */ - for (i = 0; i < 5; i++) { - for (j = 0; j < 2; j++) { - br_aes_ct64_bitslice_Sbox(q); - shift_rows(q); - mix_columns(q); - add_round_key(q, state->tweaked512_rc64[2 * i + j]); - } - /* Mix states */ - for (j = 0; j < 8; j++) { - tmp_q = q[j]; - q[j] = (tmp_q & 0x0001000100010001) << 5 | - (tmp_q & 0x0002000200020002) << 12 | - (tmp_q & 0x0004000400040004) >> 1 | - (tmp_q & 0x0008000800080008) << 6 | - (tmp_q & 0x0020002000200020) << 9 | - (tmp_q & 0x0040004000400040) >> 4 | - (tmp_q & 0x0080008000800080) << 3 | - (tmp_q & 0x2100210021002100) >> 5 | - (tmp_q & 0x0210021002100210) << 2 | - (tmp_q & 0x0800080008000800) << 4 | - 
(tmp_q & 0x1000100010001000) >> 12 | - (tmp_q & 0x4000400040004000) >> 10 | - (tmp_q & 0x8400840084008400) >> 3; - } - } - - br_aes_ct64_ortho(q); - for (i = 0; i < 4; i ++) { - br_aes_ct64_interleave_out(w + (i << 2), q[i], q[i + 4]); - } - br_range_enc32le(out, w, 16); -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state) { - int i; - - unsigned char buf[64]; - - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka512_perm(buf, in, state); - /* Feed-forward */ - for (i = 0; i < 64; i++) { - buf[i] = buf[i] ^ in[i]; - } - - /* Truncated */ - memcpy(out, buf + 8, 8); - memcpy(out + 8, buf + 24, 8); - memcpy(out + 16, buf + 32, 8); - memcpy(out + 24, buf + 48, 8); -} - - -void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state) { - uint32_t q[8], tmp_q; - int i, j; - - for (i = 0; i < 4; i++) { - q[2 * i] = br_dec32le(in + 4 * i); - q[2 * i + 1] = br_dec32le(in + 4 * i + 16); - } - br_aes_ct_ortho(q); - - /* AES rounds */ - for (i = 0; i < 5; i++) { - for (j = 0; j < 2; j++) { - br_aes_ct_bitslice_Sbox(q); - shift_rows32(q); - mix_columns32(q); - add_round_key32(q, state->tweaked256_rc32[2 * i + j]); - } - - /* Mix states */ - for (j = 0; j < 8; j++) { - tmp_q = q[j]; - q[j] = (tmp_q & 0x81818181) | - (tmp_q & 0x02020202) << 1 | - (tmp_q & 0x04040404) << 2 | - (tmp_q & 0x08080808) << 3 | - (tmp_q & 0x10101010) >> 3 | - (tmp_q & 0x20202020) >> 2 | - (tmp_q & 0x40404040) >> 1; - } - } - - br_aes_ct_ortho(q); - for (i = 0; i < 4; i++) { - br_enc32le(out + 4 * i, q[2 * i]); - br_enc32le(out + 4 * i + 16, q[2 * i + 1]); - } - - for (i = 0; i < 32; i++) { - out[i] ^= in[i]; - } -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state) { - uint32_t q[8], tmp_q; - int i, j; - - for (i = 0; i < 4; i++) { - q[2 * i] = br_dec32le(in + 4 * i); - q[2 * i + 1] = br_dec32le(in + 4 
* i + 16); - } - br_aes_ct_ortho(q); - - /* AES rounds */ - for (i = 0; i < 5; i++) { - for (j = 0; j < 2; j++) { - br_aes_ct_bitslice_Sbox(q); - shift_rows32(q); - mix_columns32(q); - add_round_key32(q, state->tweaked256_rc32_sseed[2 * i + j]); - } - - /* Mix states */ - for (j = 0; j < 8; j++) { - tmp_q = q[j]; - q[j] = (tmp_q & 0x81818181) | - (tmp_q & 0x02020202) << 1 | - (tmp_q & 0x04040404) << 2 | - (tmp_q & 0x08080808) << 3 | - (tmp_q & 0x10101010) >> 3 | - (tmp_q & 0x20202020) >> 2 | - (tmp_q & 0x40404040) >> 1; - } - } - - br_aes_ct_ortho(q); - for (i = 0; i < 4; i++) { - br_enc32le(out + 4 * i, q[2 * i]); - br_enc32le(out + 4 * i + 16, q[2 * i + 1]); - } - - for (i = 0; i < 32; i++) { - out[i] ^= in[i]; - } -} diff --git a/crypto_sign/sphincs-haraka-256s-robust/clean/haraka.h b/crypto_sign/sphincs-haraka-256s-robust/clean/haraka.h deleted file mode 100644 index b5e035a6..00000000 --- a/crypto_sign/sphincs-haraka-256s-robust/clean/haraka.h +++ /dev/null 
@@ -1,40 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_HARAKA_H
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_HARAKA_H
-
-#include
-#include
-
-typedef struct {
- uint64_t tweaked512_rc64[10][8];
- uint32_t tweaked256_rc32[10][8];
- uint32_t tweaked256_rc32_sseed[10][8];
-} harakactx;
-
-/* Tweak constants with seed */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length);
-
-/* Haraka Sponge */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S_inc_init(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S_inc_finalize(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S(
- unsigned char *out, unsigned long long outlen,
- const unsigned char *in, unsigned long long inlen, const harakactx *state);
-
-/* Applies the 512-bit Haraka permutation to in. */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-512 */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 using sk.seed constants */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256s-robust/clean/hash.h b/crypto_sign/sphincs-haraka-256s-robust/clean/hash.h
deleted file mode 100644
index e827cb18..00000000
--- a/crypto_sign/sphincs-haraka-256s-robust/clean/hash.h
+++ /dev/null
@@ -1,31 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_HASH_H
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_HASH_H
-
-#include "hash_state.h"
-
-#include
-#include
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed);
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_destroy_hash_function(hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256s-robust/clean/hash_haraka.c b/crypto_sign/sphincs-haraka-256s-robust/clean/hash_haraka.c
deleted file mode 100644
index 13b0ca95..00000000
--- a/crypto_sign/sphincs-haraka-256s-robust/clean/hash_haraka.c
+++ /dev/null
@@ -1,96 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "haraka.h"
-#include "hash.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed) {
- PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_tweak_constants(hash_state_seeded, pub_seed, sk_seed, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N);
-}
-
-/* The haraka implementation is stack based and won't be replaced in PQClean/OQS,
- so we don't need to do anything */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_destroy_hash_function(
- hash_state *hash_state_seeded) { // NOLINT(readability-non-const-parameter)
- (void)hash_state_seeded;
-}
-
-/*
- * Computes PRF(key, addr), given a secret key of PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N bytes and an address
- */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- unsigned char buf[PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_BYTES];
- /* Since PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N may be smaller than 32, we need a temporary buffer. */
- unsigned char outbuf[32];
-
- (void)key; /* Suppress an 'unused parameter' warning. */
-
- PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_addr_to_bytes(buf, addr);
- PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka256_sk(outbuf, buf, hash_state_seeded);
- memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N);
-}
-
-/**
- * Computes the message-dependent randomness R, using a secret seed and an
- * optional randomization value as well as the message.
- */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded) {
- uint8_t s_inc[65];
-
- PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S_inc_init(s_inc);
- PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, sk_prf, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, optrand, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S_inc_finalize(s_inc);
- PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S_inc_squeeze(R, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, s_inc, hash_state_seeded);
-}
-
-/**
- * Computes the message hash using R, the public key, and the message.
- * Outputs the message digest and the index of the leaf. The index is split in
- * the tree index and the leaf index, for convenient copying to an address.
- */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded) {
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_TREE_BITS (PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_TREE_HEIGHT * (PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_D - 1))
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_TREE_BYTES ((PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_TREE_BITS + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_LEAF_BITS PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_TREE_HEIGHT
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_LEAF_BYTES ((PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_LEAF_BITS + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_DGST_BYTES (PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_MSG_BYTES + PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_TREE_BYTES + PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_LEAF_BYTES)
-
- unsigned char buf[PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_DGST_BYTES];
- unsigned char *bufp = buf;
- uint8_t s_inc[65];
-
- PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S_inc_init(s_inc);
- PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, R, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, pk + PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S_inc_finalize(s_inc);
- PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S_inc_squeeze(buf, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_DGST_BYTES, s_inc, hash_state_seeded);
-
- memcpy(digest, bufp, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_MSG_BYTES);
- bufp += PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_MSG_BYTES;
-
- *tree = PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_bytes_to_ull(bufp,
PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_TREE_BYTES);
- *tree &= (~(uint64_t)0) >> (64 - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_TREE_BITS);
- bufp += PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_TREE_BYTES;
-
- *leaf_idx = (uint32_t)PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_bytes_to_ull(
- bufp, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_LEAF_BYTES);
- *leaf_idx &= (~(uint32_t)0) >> (32 - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_LEAF_BITS);
-}
diff --git a/crypto_sign/sphincs-haraka-256s-robust/clean/hash_state.h b/crypto_sign/sphincs-haraka-256s-robust/clean/hash_state.h
deleted file mode 100644
index 5adb1d9a..00000000
--- a/crypto_sign/sphincs-haraka-256s-robust/clean/hash_state.h
+++ /dev/null
@@ -1,26 +0,0 @@
-#ifndef SPX_HASH_STATE_H
-#define SPX_HASH_STATE_H
-
-/**
- * Defines the type of the hash function state.
- *
- * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless!
- *
- * From Section 7.2.2 from the SPHINCS+ round-2 specification:
- *
- * Each of the instances of the tweakable hash function take PK.seed as its
- * first input, which is constant for a given key pair – and, thus, across
- * a single signature. This leads to a lot of redundant computation. To remedy
- * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block.
- * Because of the Merkle-Damgård construction that underlies SHA-256, this
- * allows for reuse of the intermediate SHA-256 state after the initial call to
- * the compression function which improves performance.
- *
- * We pass this hash state around in functions, because otherwise we need to
- * have a global variable.
- */
-
-#include "haraka.h"
-#define hash_state harakactx
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256s-robust/clean/params.h b/crypto_sign/sphincs-haraka-256s-robust/clean/params.h
deleted file mode 100644
index f6f019f8..00000000
--- a/crypto_sign/sphincs-haraka-256s-robust/clean/params.h
+++ /dev/null
@@ -1,53 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_PARAMS_H
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_PARAMS_H
-
-/* Hash output length in bytes. */
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N 32
-/* Height of the hypertree. */
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FULL_HEIGHT 64
-/* Number of subtree layer. */
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_D 8
-/* FORS tree dimensions. */
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_HEIGHT 14
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_TREES 22
-/* Winternitz parameter, */
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_W 16
-
-/* The hash function is defined by linking a different hash.c file, as opposed
- to setting a #define constant. */
-
-/* For clarity */
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_BYTES 32
-
-/* WOTS parameters. */
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_LOGW 4
-
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_LEN1 (8 * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N / PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_LOGW)
-
-/* PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_LEN2 3
-
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_LEN (PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_LEN1 + PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_LEN2)
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_BYTES (PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_LEN * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_PK_BYTES PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_BYTES
-
-/* Subtree size. */
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_TREE_HEIGHT (PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FULL_HEIGHT / PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_D)
-
-/* FORS parameters.
*/
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_MSG_BYTES ((PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_TREES + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_BYTES ((PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_HEIGHT + 1) * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_PK_BYTES PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N
-
-/* Resulting SPX sizes. */
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_BYTES (PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N + PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_BYTES + PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_D * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_BYTES +\
- PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FULL_HEIGHT * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_PK_BYTES (2 * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_SK_BYTES (2 * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N + PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_PK_BYTES)
-
-/* Optionally, signing can be made non-deterministic using optrand.
- This can help counter side-channel attacks that would benefit from
- getting a large number of traces when the signer uses the same nodes. */
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_OPTRAND_BYTES 32
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256s-robust/clean/sign.c b/crypto_sign/sphincs-haraka-256s-robust/clean/sign.c
deleted file mode 100644
index 815a70e3..00000000
--- a/crypto_sign/sphincs-haraka-256s-robust/clean/sign.c
+++ /dev/null
@@ -1,356 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "api.h" -#include "fors.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "randombytes.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - -/** - * Computes the leaf at a given address. First generates the WOTS key pair, - * then computes leaf by hashing horizontally. - */ -static void wots_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx, const uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - unsigned char pk[PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_BYTES]; - uint32_t wots_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_TYPE_WOTSPK); - - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_keypair_addr( - wots_addr, addr_idx); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_wots_gen_pk( - pk, sk_seed, pub_seed, wots_addr, hash_state_seeded); - - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_copy_keypair_addr( - wots_pk_addr, wots_addr); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_thash_WOTS_LEN( - leaf, pk, pub_seed, wots_pk_addr, hash_state_seeded); -} - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_crypto_sign_secretkeybytes(void) { - return PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_CRYPTO_SECRETKEYBYTES; -} - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_crypto_sign_publickeybytes(void) { - return PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_CRYPTO_PUBLICKEYBYTES; -} - -/* - * Returns the length of a signature, in bytes - */ -size_t 
PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_crypto_sign_bytes(void) { - return PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_CRYPTO_BYTES; -} - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_crypto_sign_seedbytes(void) { - return PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_CRYPTO_SEEDBYTES; -} - -/* - * Generates an SPX key pair given a seed of length - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_crypto_sign_seed_keypair( - uint8_t *pk, uint8_t *sk, const uint8_t *seed) { - /* We do not need the auth path in key generation, but it simplifies the - code to have just one treehash routine that computes both root and path - in one function. */ - unsigned char auth_path[PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N]; - uint32_t top_tree_addr[8] = {0}; - hash_state hash_state_seeded; - - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_layer_addr( - top_tree_addr, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_D - 1); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_type( - top_tree_addr, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_TYPE_HASHTREE); - - /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */ - memcpy(sk, seed, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_CRYPTO_SEEDBYTES); - - memcpy(pk, sk + 2 * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_initialize_hash_function(&hash_state_seeded, pk, sk); - - /* Compute root node of the top-most subtree. 
*/ - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_treehash_TREE_HEIGHT( - sk + 3 * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, auth_path, sk, sk + 2 * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, 0, 0, - wots_gen_leaf, top_tree_addr, &hash_state_seeded); - - memcpy(pk + PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, sk + 3 * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N); - - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_destroy_hash_function(&hash_state_seeded); - return 0; -} - -/* - * Generates an SPX key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk) { - unsigned char seed[PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_CRYPTO_SEEDBYTES]; - randombytes(seed, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_CRYPTO_SEEDBYTES); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_crypto_sign_seed_keypair( - pk, sk, seed); - - return 0; -} - -/** - * Returns an array containing a detached signature. - */ -int PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - const unsigned char *sk_seed = sk; - const unsigned char *sk_prf = sk + PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N; - const unsigned char *pk = sk + 2 * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N; - const unsigned char *pub_seed = pk; - - unsigned char optrand[PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N]; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_MSG_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N]; - uint32_t i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - - hash_state hash_state_seeded; - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_initialize_hash_function( - &hash_state_seeded, - pub_seed, sk_seed); - - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_TYPE_HASHTREE); - - /* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. */ - randombytes(optrand, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N); - /* Compute the digest randomization value. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_gen_message_random( - sig, sk_prf, optrand, m, mlen, &hash_state_seeded); - - /* Derive the message digest and leaf index from R, PK and M. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N; - - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - /* Sign the message hash using FORS. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_fors_sign( - sig, root, mhash, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_BYTES; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_D; i++) { - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - /* Compute a WOTS signature. 
*/ - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_wots_sign( - sig, root, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_BYTES; - - /* Compute the authentication path for the used WOTS leaf. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_treehash_TREE_HEIGHT( - root, sig, sk_seed, pub_seed, idx_leaf, 0, - wots_gen_leaf, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_TREE_HEIGHT; - } - - *siglen = PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_BYTES; - - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_destroy_hash_function(&hash_state_seeded); - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - const unsigned char *pub_seed = pk; - const unsigned char *pub_root = pk + PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_MSG_BYTES]; - unsigned char wots_pk[PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N]; - unsigned int i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - hash_state hash_state_seeded; - - if (siglen != PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_BYTES) { - return -1; - } - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_initialize_hash_function( - &hash_state_seeded, - pub_seed, NULL); - - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_TYPE_HASHTREE); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_TYPE_WOTSPK); - - /* Derive the message digest and leaf index from R || PK || M. */ - /* The additional PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N is a result of the hash domain separator. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N; - - /* Layer correctly defaults to 0, so no need to set_layer_addr */ - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_fors_pk_from_sig( - root, sig, mhash, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_BYTES; - - /* For each subtree.. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_D; i++) { - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_copy_keypair_addr( - wots_pk_addr, wots_addr); - - /* The WOTS public key is only correct if the signature was correct. */ - /* Initially, root is the FORS pk, but on subsequent iterations it is - the root of the subtree below the currently processed subtree. 
*/ - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_wots_pk_from_sig( - wots_pk, sig, root, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_BYTES; - - /* Compute the leaf node using the WOTS public key. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_thash_WOTS_LEN( - leaf, wots_pk, pub_seed, wots_pk_addr, &hash_state_seeded); - - /* Compute the root node of this subtree. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_compute_root( - root, leaf, idx_leaf, 0, sig, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_TREE_HEIGHT, - pub_seed, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_TREE_HEIGHT; - } - - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_destroy_hash_function(&hash_state_seeded); - /* Check if the root node equals the root node in the public key. */ - if (memcmp(root, pub_root, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N) != 0) { - return -1; - } - - return 0; -} - - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - size_t siglen; - - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_crypto_sign_signature( - sm, &siglen, m, mlen, sk); - - memmove(sm + PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_BYTES, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. 
- */ -int PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk) { - /* The API caller does not necessarily know what size a signature should be - but SPHINCS+ signatures are always exactly PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_BYTES. */ - if (smlen < PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_BYTES) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_BYTES; - - if (PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_crypto_sign_verify( - sm, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_BYTES, sm + PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_BYTES, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_BYTES, *mlen); - - return 0; -} diff --git a/crypto_sign/sphincs-haraka-256s-robust/clean/thash.h b/crypto_sign/sphincs-haraka-256s-robust/clean/thash.h deleted file mode 100644 index d4f268e6..00000000 --- a/crypto_sign/sphincs-haraka-256s-robust/clean/thash.h +++ /dev/null 
@@ -1,28 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_THASH_H
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_THASH_H
-
-#include "hash_state.h"
-
-#include
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_thash_1(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_thash_2(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_thash_WOTS_LEN(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_thash_FORS_TREES(
- unsigned char *out, const unsigned char *in,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256s-robust/clean/thash_haraka_robust.c b/crypto_sign/sphincs-haraka-256s-robust/clean/thash_haraka_robust.c deleted file mode 100644
index a8b64059..00000000
--- a/crypto_sign/sphincs-haraka-256s-robust/clean/thash_haraka_robust.c
+++ /dev/null
@@ -1,94 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" - -#include "haraka.h" - -/** - * Takes an array of inblocks concatenated arrays of PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N bytes. - */ -static void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_thash( - unsigned char *out, unsigned char *buf, - const unsigned char *in, unsigned int inblocks, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char *bitmask = buf + PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_BYTES; - unsigned char outbuf[32]; - unsigned char buf_tmp[64]; - unsigned int i; - - (void)pub_seed; /* Suppress an 'unused parameter' warning. */ - - if (inblocks == 1) { - /* F function */ - /* Since PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N may be smaller than 32, we need a temporary buffer. */ - memset(buf_tmp, 0, 64); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_addr_to_bytes(buf_tmp, addr); - - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka256(outbuf, buf_tmp, hash_state_seeded); - for (i = 0; i < inblocks * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N; i++) { - buf_tmp[PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_BYTES + i] = in[i] ^ outbuf[i]; - } - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka512(outbuf, buf_tmp, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N); - } else { - /* All other tweakable hashes*/ - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_addr_to_bytes(buf, addr); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S( - bitmask, inblocks * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, buf, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_BYTES, hash_state_seeded); - - for (i = 0; i < inblocks * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N; i++) { - buf[PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_BYTES + i] = in[i] ^ bitmask[i]; - } - - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_haraka_S( - out, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, buf, 
PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_BYTES + inblocks * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, hash_state_seeded); - } -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_BYTES + 1 * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_thash( - out, buf, in, 1, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_BYTES + 2 * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_thash( - out, buf, in, 2, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_LEN * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_thash( - out, buf, in, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_LEN, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_thash( - out, buf, in, 
PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_TREES, pub_seed, addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-256s-robust/clean/utils.c b/crypto_sign/sphincs-haraka-256s-robust/clean/utils.c deleted file mode 100644 index ab94abd5..00000000 --- a/crypto_sign/sphincs-haraka-256s-robust/clean/utils.c +++ /dev/null 
@@ -1,199 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" -#include "utils.h" - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in) { - - /* Iterate over out in decreasing order, for big-endianness. */ - for (size_t i = outlen; i > 0; i--) { - out[i - 1] = in & 0xff; - in = in >> 8; - } -} - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_bytes_to_ull( - const unsigned char *in, size_t inlen) { - unsigned long long retval = 0; - - for (size_t i = 0; i < inlen; i++) { - retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i)); - } - return retval; -} - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - unsigned char buffer[2 * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N]; - - /* If leaf_idx is odd (last bit = 1), current path element is a right child - and auth_path has to go left. Otherwise it is the other way around. 
*/ - if (leaf_idx & 1) { - memcpy(buffer + PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, leaf, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N); - } else { - memcpy(buffer, leaf, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, auth_path, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N; - - for (i = 0; i < tree_height - 1; i++) { - leaf_idx >>= 1; - idx_offset >>= 1; - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_tree_height(addr, i + 1); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_tree_index( - addr, leaf_idx + idx_offset); - - /* Pick the right or left neighbor, depending on parity of the node. */ - if (leaf_idx & 1) { - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_thash_2( - buffer + PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N); - } else { - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_thash_2( - buffer, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, auth_path, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N; - } - - /* The last iteration is exceptional; we do not copy an auth_path node. */ - leaf_idx >>= 1; - idx_offset >>= 1; - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_tree_height(addr, tree_height); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_tree_index( - addr, leaf_idx + idx_offset); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_thash_2( - root, buffer, pub_seed, addr, hash_state_seeded); -} - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. 
PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -static void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_treehash( - unsigned char *root, unsigned char *auth_path, - unsigned char *stack, unsigned int *heights, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - - unsigned int offset = 0; - uint32_t idx; - uint32_t tree_idx; - - for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) { - /* Add the next leaf node to the stack. */ - gen_leaf(stack + offset * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, - sk_seed, pub_seed, idx + idx_offset, tree_addr, - hash_state_seeded); - offset++; - heights[offset - 1] = 0; - - /* If this is a node we need for the auth path.. */ - if ((leaf_idx ^ 0x1) == idx) { - memcpy(auth_path, stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N); - } - - /* While the top-most nodes are of equal height.. */ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { - /* Compute index of the new node, in the next layer. */ - tree_idx = (idx >> (heights[offset - 1] + 1)); - - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_tree_height( - tree_addr, heights[offset - 1] + 1); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_tree_index( - tree_addr, tree_idx + (idx_offset >> (heights[offset - 1] + 1))); - /* Hash the top-most nodes from the stack together. 
*/ - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_thash_2( - stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, - pub_seed, tree_addr, hash_state_seeded); - offset--; - /* Note that the top-most node is now one layer higher. */ - heights[offset - 1]++; - - /* If this is a node we need for the auth path.. */ - if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) { - memcpy(auth_path + heights[offset - 1]*PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, - stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N); - } - } - } - memcpy(root, stack, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N); -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_FORS_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* 
leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_TREE_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_TREE_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_TREE_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-256s-robust/clean/utils.h b/crypto_sign/sphincs-haraka-256s-robust/clean/utils.h deleted file mode 100644 index cd37ac8c..00000000 --- a/crypto_sign/sphincs-haraka-256s-robust/clean/utils.h +++ /dev/null 
@@ -1,64 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_UTILS_H
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_UTILS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-#include
-
-/**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ull_to_bytes(
- unsigned char *out, size_t outlen, unsigned long long in);
-
-/**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
-unsigned long long PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_bytes_to_ull(
- const unsigned char *in, size_t inlen);
-
-/**
- * Computes a root node given a leaf and an auth path.
- * Expects address to be complete other than the tree_height and tree_index.
- */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_compute_root(
- unsigned char *root, const unsigned char *leaf,
- uint32_t leaf_idx, uint32_t idx_offset,
- const unsigned char *auth_path, uint32_t tree_height,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * For a given leaf index, computes the authentication path and the resulting
- * root node using Merkle's TreeHash algorithm.
- * Expects the layer and tree parts of the tree_addr to be set, as well as the
- * tree type (i.e. PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ADDR_TYPE_FORSTREE).
- * Applies the offset idx_offset to indices before building addresses, so that
- * it is possible to continue counting indices across trees.
- */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_treehash_FORS_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_treehash_TREE_HEIGHT(
- unsigned char *root, unsigned char *auth_path,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t leaf_idx, uint32_t idx_offset,
- void (*gen_leaf)(
- unsigned char * /* leaf */,
- const unsigned char * /* sk_seed */,
- const unsigned char * /* pub_seed */,
- uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */,
- const hash_state * /* hash_state_seeded */),
- uint32_t tree_addr[8], const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256s-robust/clean/wots.c b/crypto_sign/sphincs-haraka-256s-robust/clean/wots.c deleted file mode 100644
index 52e861a4..00000000
--- a/crypto_sign/sphincs-haraka-256s-robust/clean/wots.c
+++ /dev/null
@@ -1,167 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - -// TODO clarify address expectations, and make them more uniform. -// TODO i.e. do we expect types to be set already? -// TODO and do we expect modifications or copies? - -/** - * Computes the starting value for a chain, i.e. the secret key. - * Expects the address to be complete up to the chain address. - */ -static void wots_gen_sk(unsigned char *sk, const unsigned char *sk_seed, - uint32_t wots_addr[8], - const hash_state *hash_state_seeded) { - /* Make sure that the hash address is actually zeroed. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_hash_addr(wots_addr, 0); - - /* Generate sk element. */ - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_prf_addr(sk, sk_seed, wots_addr, hash_state_seeded); -} - -/** - * Computes the chaining function. - * out and in have to be n-byte arrays. - * - * Interprets in as start-th value of the chain. - * addr has to contain the address of the chain. - */ -static void gen_chain(unsigned char *out, const unsigned char *in, - unsigned int start, unsigned int steps, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - - /* Initialize out with the value at position 'start'. */ - memcpy(out, in, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N); - - /* Iterate 'steps' calls to the hash function. */ - for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_W; i++) { - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_hash_addr(addr, i); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_thash_1( - out, out, pub_seed, addr, hash_state_seeded); - } -} - -/** - * base_w algorithm as described in draft. - * Interprets an array of bytes as integers in base w. - * This only works when log_w is a divisor of 8. 
- */ -static void base_w(unsigned int *output, const size_t out_len, - const unsigned char *input) { - size_t in = 0; - size_t out = 0; - unsigned char total = 0; - unsigned int bits = 0; - size_t consumed; - - for (consumed = 0; consumed < out_len; consumed++) { - if (bits == 0) { - total = input[in]; - in++; - bits += 8; - } - bits -= PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_LOGW; - output[out] = (unsigned int)((total >> bits) & (PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_W - 1)); - out++; - } -} - -/* Computes the WOTS+ checksum over a message (in base_w). */ -static void wots_checksum(unsigned int *csum_base_w, - const unsigned int *msg_base_w) { - unsigned int csum = 0; - unsigned char csum_bytes[(PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_LOGW + 7) / 8]; - unsigned int i; - - /* Compute checksum. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_LEN1; i++) { - csum += PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_W - 1 - msg_base_w[i]; - } - - /* Convert checksum to base_w. */ - /* Make sure expected empty zero bits are the least significant bits. */ - csum = csum << (8 - ((PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_LOGW) % 8)); - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_ull_to_bytes( - csum_bytes, sizeof(csum_bytes), csum); - base_w(csum_base_w, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_LEN2, csum_bytes); -} - -/* Takes a message and derives the matching chain lengths. */ -static void chain_lengths(unsigned int *lengths, const unsigned char *msg) { - base_w(lengths, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_LEN1, msg); - wots_checksum(lengths + PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_LEN1, lengths); -} - -/** - * WOTS key generation. Takes a 32 byte sk_seed, expands it to WOTS private key - * elements and computes the corresponding public key. 
- * It requires the seed pub_seed (used to generate bitmasks and hash keys) - * and the address of this WOTS key pair. - * - * Writes the computed public key to 'pk'. - */ -void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_wots_gen_pk( - unsigned char *pk, const unsigned char *sk_seed, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_chain_addr(addr, i); - wots_gen_sk(pk + i * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, sk_seed, addr, hash_state_seeded); - gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, pk + i * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, - 0, PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_W - 1, pub_seed, addr, hash_state_seeded); - } -} - -/** - * Takes a n-byte message and the 32-byte sk_see to compute a signature 'sig'. - */ -void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_wots_sign( - unsigned char *sig, const unsigned char *msg, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t addr[8], const hash_state *hash_state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_chain_addr(addr, i); - wots_gen_sk(sig + i * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, sk_seed, addr, hash_state_seeded); - gen_chain(sig + i * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, sig + i * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, 0, lengths[i], pub_seed, addr, hash_state_seeded); - } -} - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. 
- */ -void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_wots_pk_from_sig( - unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_set_chain_addr(addr, i); - gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, sig + i * PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_N, - lengths[i], PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_W - 1 - lengths[i], pub_seed, addr, - hash_state_seeded); - } -} diff --git a/crypto_sign/sphincs-haraka-256s-robust/clean/wots.h b/crypto_sign/sphincs-haraka-256s-robust/clean/wots.h deleted file mode 100644 index d1c38c8f..00000000 --- a/crypto_sign/sphincs-haraka-256s-robust/clean/wots.h +++ /dev/null 
@@ -1,41 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_H
-#define PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_WOTS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-
-/**
- * WOTS key generation. Takes a 32 byte seed for the private key, expands it to
- * a full WOTS private key and computes the corresponding public key.
- * It requires the seed pub_seed (used to generate bitmasks and hash keys)
- * and the address of this WOTS key pair.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_wots_gen_pk(
- unsigned char *pk, const unsigned char *sk_seed,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * Takes a n-byte message and the 32-byte seed for the private key to compute a
- * signature that is placed at 'sig'.
- */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_wots_sign(
- unsigned char *sig, const unsigned char *msg,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA256SROBUST_CLEAN_wots_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256s-simple/META.yml b/crypto_sign/sphincs-haraka-256s-simple/META.yml
deleted file mode 100644
index a57a0c0c..00000000
--- a/crypto_sign/sphincs-haraka-256s-simple/META.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-name: SPHINCS+
-type: signature
-claimed-nist-level: 5
-length-public-key: 64
-length-secret-key: 128
-length-signature: 29792
-testvectors-sha256: cab3bd8c005a4e868052c471ec110359305e986f237f8ce2c7c08ae45c424bbe
-nistkat-sha256: 0b8c7d3d8001eec6ddb317e0301fef4adc4f5b03301e5f4b93d09881b1a5ba7a
-principal-submitters:
- - Andreas Hülsing
-auxiliary-submitters:
- - Jean-Philippe Aumasson
- - Daniel J. Bernstein,
- - Christoph Dobraunig
- - Maria Eichlseder
- - Scott Fluhrer
- - Stefan-Lukas Gazdag
- - Panos Kampanakis
- - Stefan Kölbl
- - Tanja Lange
- - Martin M. Lauridsen
- - Florian Mendel
- - Ruben Niederhagen
- - Christian Rechberger
- - Joost Rijneveld
- - Peter Schwabe
-implementations:
- - name: clean
- version: https://github.com/sphincs/sphincsplus/commit/77755c94d0bc744478044d6efbb888dc13156441
- - name: aesni
- version: https://github.com/sphincs/sphincsplus/commit/77755c94d0bc744478044d6efbb888dc13156441
- supported_platforms:
- - architecture: x86_64
- required_flags:
- - aes
diff --git a/crypto_sign/sphincs-haraka-256s-simple/aesni/LICENSE b/crypto_sign/sphincs-haraka-256s-simple/aesni/LICENSE
deleted file mode 100644
index 670154e3..00000000
--- a/crypto_sign/sphincs-haraka-256s-simple/aesni/LICENSE
+++ /dev/null
@@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. 
publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. 
Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. 
Affirmer offers the Work as-is and makes no representations or warranties - of any kind concerning the Work, express, implied, statutory or otherwise, - including without limitation warranties of title, merchantability, fitness - for a particular purpose, non infringement, or the absence of latent or - other defects, accuracy, or the present or absence of errors, whether or not - discoverable, all to the greatest extent permissible under applicable law. - - c. Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without limitation - any person's Copyright and Related Rights in the Work. Further, Affirmer - disclaims responsibility for obtaining any necessary consents, permissions - or other rights required for any use of the Work. - - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to this - CC0 or use of the Work. - -For more information, please see - diff --git a/crypto_sign/sphincs-haraka-256s-simple/aesni/Makefile.Microsoft_nmake b/crypto_sign/sphincs-haraka-256s-simple/aesni/Makefile.Microsoft_nmake deleted file mode 100644 index 365ff373..00000000 --- a/crypto_sign/sphincs-haraka-256s-simple/aesni/Makefile.Microsoft_nmake +++ /dev/null 
@@ -1,23 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-# nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libsphincs-haraka-256s-simple_aesni.lib
-OBJECTS=address.obj wots.obj utils.obj utilsx4.obj fors.obj sign.obj hash_haraka.obj thash_haraka_simple.obj hash_harakax4.obj thash_haraka_simplex4.obj haraka.obj
-
-# We ignore warning C4127: in thash_haraka_*x4.c we use a conditional
-# that when the macro is generated for inblocks = 1 results in a case
-# with `if (1 == 1)`. The compiler should just optimise this away, but
-# on MSVC we get a compiler complaint.
-CFLAGS=/nologo /arch:AVX /O2 /I ..\..\..\common /W4 /WX /wd4127
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
- LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
- -DEL $(OBJECTS)
- -DEL $(LIBRARY)
diff --git a/crypto_sign/sphincs-haraka-256s-simple/aesni/address.c b/crypto_sign/sphincs-haraka-256s-simple/aesni/address.c
deleted file mode 100644
index 74862370..00000000
--- a/crypto_sign/sphincs-haraka-256s-simple/aesni/address.c
+++ /dev/null
@@ -1,78 +0,0 @@
-#include
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]) {
- int i;
-
- for (i = 0; i < 8; i++) {
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ull_to_bytes(
- bytes + i * 4, 4, addr[i]);
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_layer_addr(
- uint32_t addr[8], uint32_t layer) {
- addr[0] = layer;
-}
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_tree_addr(
- uint32_t addr[8], uint64_t tree) {
- addr[1] = 0;
- addr[2] = (uint32_t) (tree >> 32);
- addr[3] = (uint32_t) tree;
-}
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_type(
- uint32_t addr[8], uint32_t type) {
- addr[4] = type;
-}
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
-}
-
-/* These functions are used for OTS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair) {
- addr[5] = keypair;
-}
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
- out[5] = in[5];
-}
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_chain_addr(
- uint32_t addr[8], uint32_t chain) {
- addr[6] = chain;
-}
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_hash_addr(
- uint32_t addr[8], uint32_t hash) {
- addr[7] = hash;
-}
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_tree_height(
- uint32_t addr[8], uint32_t tree_height) {
- addr[6] = tree_height;
-}
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_tree_index(
- uint32_t addr[8], uint32_t tree_index) {
- addr[7] = tree_index;
-}
diff --git a/crypto_sign/sphincs-haraka-256s-simple/aesni/address.h b/crypto_sign/sphincs-haraka-256s-simple/aesni/address.h
deleted file mode 100644
index 9df219cd..00000000
--- a/crypto_sign/sphincs-haraka-256s-simple/aesni/address.h
+++ /dev/null
@@ -1,50 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDRESS_H
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDRESS_H
-
-#include
-
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_TYPE_WOTS 0
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_TYPE_WOTSPK 1
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_TYPE_HASHTREE 2
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_TYPE_FORSTREE 3
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_TYPE_FORSPK 4
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]);
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_layer_addr(
- uint32_t addr[8], uint32_t layer);
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_tree_addr(
- uint32_t addr[8], uint64_t tree);
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_type(
- uint32_t addr[8], uint32_t type);
-
-/* Copies the layer and tree part of one address into the other */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for WOTS and FORS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair);
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_chain_addr(
- uint32_t addr[8], uint32_t chain);
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_hash_addr(
- uint32_t addr[8], uint32_t hash);
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_tree_height(
- uint32_t addr[8], uint32_t tree_height);
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_tree_index(
- uint32_t addr[8], uint32_t tree_index);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256s-simple/aesni/api.h b/crypto_sign/sphincs-haraka-256s-simple/aesni/api.h
deleted file mode 100644
index 4c8ef765..00000000
--- a/crypto_sign/sphincs-haraka-256s-simple/aesni/api.h
+++ /dev/null
@@ -1,81 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_API_H
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_API_H
-
-#include
-#include
-
-
-
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_CRYPTO_ALGNAME "SPHINCS+"
-
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES 128
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES 64
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_CRYPTO_BYTES 29792
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_CRYPTO_SEEDBYTES 96
-
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_crypto_sign_seed_keypair(
- uint8_t *pk, uint8_t *sk, const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_crypto_sign_keypair(
- uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-int PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen, const uint8_t *pk);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256s-simple/aesni/fors.c b/crypto_sign/sphincs-haraka-256s-simple/aesni/fors.c
deleted file mode 100644
index 0793f161..00000000
--- a/crypto_sign/sphincs-haraka-256s-simple/aesni/fors.c
+++ /dev/null
@@ -1,206 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "fors.h" -#include "hash.h" -#include "hashx4.h" -#include "thash.h" -#include "thashx4.h" -#include "utils.h" -#include "utilsx4.h" - -static void fors_gen_skx4(unsigned char *sk0, - unsigned char *sk1, - unsigned char *sk2, - unsigned char *sk3, const unsigned char *sk_seed, - uint32_t fors_leaf_addrx4[4 * 8], - const hash_state *state_seeded) { - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_prf_addrx4(sk0, sk1, sk2, sk3, sk_seed, fors_leaf_addrx4, state_seeded); -} - -static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk, - const unsigned char *pub_seed, - uint32_t fors_leaf_addr[8], const hash_state *state_seeded) { - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_thash_1(leaf, sk, pub_seed, fors_leaf_addr, state_seeded); -} - -static void fors_sk_to_leafx4(unsigned char *leaf0, - unsigned char *leaf1, - unsigned char *leaf2, - unsigned char *leaf3, - const unsigned char *sk0, - const unsigned char *sk1, - const unsigned char *sk2, - const unsigned char *sk3, - const unsigned char *pub_seed, - uint32_t fors_leaf_addrx4[4 * 8], - const hash_state *state_seeded) { - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_thashx4_1(leaf0, leaf1, leaf2, leaf3, - sk0, sk1, sk2, sk3, pub_seed, fors_leaf_addrx4, state_seeded); -} - -static void fors_gen_leafx4(unsigned char *leaf0, - unsigned char *leaf1, - unsigned char *leaf2, - unsigned char *leaf3, - const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx0, - uint32_t addr_idx1, - uint32_t addr_idx2, - uint32_t addr_idx3, - const uint32_t fors_tree_addr[8], - const hash_state *state_seeded) { - uint32_t fors_leaf_addrx4[4 * 8] = {0}; - unsigned int j; - - /* Only copy the parts that must be kept in fors_leaf_addrx4. 
*/ - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_copy_keypair_addr(fors_leaf_addrx4 + j * 8, fors_tree_addr); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_type(fors_leaf_addrx4 + j * 8, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_TYPE_FORSTREE); - } - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_tree_index(fors_leaf_addrx4 + 0 * 8, addr_idx0); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_tree_index(fors_leaf_addrx4 + 1 * 8, addr_idx1); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_tree_index(fors_leaf_addrx4 + 2 * 8, addr_idx2); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_tree_index(fors_leaf_addrx4 + 3 * 8, addr_idx3); - - fors_gen_skx4(leaf0, leaf1, leaf2, leaf3, sk_seed, fors_leaf_addrx4, state_seeded); - fors_sk_to_leafx4(leaf0, leaf1, leaf2, leaf3, - leaf0, leaf1, leaf2, leaf3, pub_seed, fors_leaf_addrx4, state_seeded); -} - -/** - * Interprets m as PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_HEIGHT-bit unsigned integers. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_TREES bits. - * Assumes indices has space for PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_TREES integers. - */ -static void message_to_indices(uint32_t *indices, const unsigned char *m) { - unsigned int i, j; - unsigned int offset = 0; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_TREES; i++) { - indices[i] = 0; - for (j = 0; j < PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_HEIGHT; j++) { - indices[i] ^= (((uint32_t)m[offset >> 3] >> (offset & 0x7)) & 0x1) << j; - offset++; - } - } -} - -/** - * Signs a message m, deriving the secret key from sk_seed and the FTS address. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_TREES bits. 
- */ -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_fors_sign(unsigned char *sig, unsigned char *pk, - const unsigned char *m, - const unsigned char *sk_seed, const unsigned char *pub_seed, - const uint32_t fors_addr[8], const hash_state *state_seeded) { - /* Round up to multiple of 4 to prevent out-of-bounds for x4 parallelism */ - uint32_t indices[(PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_TREES + 3) & ~3] = {0}; - unsigned char roots[((PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_TREES + 3) & ~3) * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N]; - /* Sign to a buffer, since we may not have a nice multiple of 4 and would - otherwise overrun the signature. */ - unsigned char sigbufx4[4 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N * (1 + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_HEIGHT)]; - uint32_t fors_tree_addrx4[4 * 8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset[4] = {0}; - unsigned int i, j; - - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_copy_keypair_addr(fors_tree_addrx4 + j * 8, fors_addr); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_type(fors_tree_addrx4 + j * 8, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_TYPE_FORSTREE); - } - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_copy_keypair_addr(fors_pk_addr, fors_addr); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < ((PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_TREES + 3) & ~0x3); i += 4) { - for (j = 0; j < 4; j++) { - if (i + j < PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_TREES) { - idx_offset[j] = (i + j) * (1 << PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_HEIGHT); - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_tree_height(fors_tree_addrx4 + j * 8, 0); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_tree_index(fors_tree_addrx4 + j * 8, - indices[i + j] + idx_offset[j]); - } - } - - /* Include the secret key part that produces the selected leaf nodes. 
*/ - fors_gen_skx4(sigbufx4 + 0 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, - sigbufx4 + 1 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, - sigbufx4 + 2 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, - sigbufx4 + 3 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, - sk_seed, fors_tree_addrx4, state_seeded); - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_treehashx4_FORS_HEIGHT(roots + i * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, sigbufx4 + 4 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, sk_seed, pub_seed, - &indices[i], idx_offset, fors_gen_leafx4, fors_tree_addrx4, - state_seeded); - - for (j = 0; j < 4; j++) { - if (i + j < PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_TREES) { - memcpy(sig, sigbufx4 + j * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); - memcpy(sig + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, - sigbufx4 + 4 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N + j * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_HEIGHT, - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_HEIGHT); - sig += PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N * (1 + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_HEIGHT); - } - } - } - - /* Hash horizontally across all tree roots to derive the public key. */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, state_seeded); -} - -/** - * Derives the FORS public key from a signature. - * This can be used for verification by comparing to a known public key, or to - * subsequently verify a signature on the derived public key. The latter is the - * typical use-case when used as an FTS below an OTS in a hypertree. - * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_TREES bits. 
- */ -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_fors_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *m, - const unsigned char *pub_seed, - const uint32_t fors_addr[8], - const hash_state *state_seeded) { - uint32_t indices[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_TREES]; - unsigned char roots[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N]; - uint32_t fors_tree_addr[8] = {0}; - uint32_t fors_pk_addr[8] = {0}; - uint32_t idx_offset; - unsigned int i; - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_copy_keypair_addr(fors_tree_addr, fors_addr); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_copy_keypair_addr(fors_pk_addr, fors_addr); - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_type(fors_tree_addr, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_TYPE_FORSTREE); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_TYPE_FORSPK); - - message_to_indices(indices, m); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_TREES; i++) { - idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_HEIGHT); - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_tree_height(fors_tree_addr, 0); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_tree_index(fors_tree_addr, indices[i] + idx_offset); - - /* Derive the leaf from the included secret key part. */ - fors_sk_to_leaf(leaf, sig, pub_seed, fors_tree_addr, state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N; - - /* Derive the corresponding root node of this tree. 
*/ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_compute_root(roots + i * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, leaf, indices[i], idx_offset, - sig, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_HEIGHT, pub_seed, fors_tree_addr, - state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_HEIGHT; - } - - /* Hash horizontally across all tree roots to derive the public key. */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-256s-simple/aesni/fors.h b/crypto_sign/sphincs-haraka-256s-simple/aesni/fors.h deleted file mode 100644 index 7c58e297..00000000 --- a/crypto_sign/sphincs-haraka-256s-simple/aesni/fors.h +++ /dev/null 
@@ -1,32 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_H
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_H
-
-#include
-
-#include "hash_state.h"
-#include "params.h"
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_fors_sign(
- unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- const uint32_t fors_addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_fors_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const unsigned char *pub_seed, const uint32_t fors_addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256s-simple/aesni/haraka.c b/crypto_sign/sphincs-haraka-256s-simple/aesni/haraka.c
deleted file mode 100644
index 403f074c..00000000
--- a/crypto_sign/sphincs-haraka-256s-simple/aesni/haraka.c
+++ /dev/null
@@ -1,801 +0,0 @@ -/* -Plain C implementation of the Haraka256 and Haraka512 permutations. -*/ -#include -#include -#include -#include -#include - -#include "haraka.h" - -#define HARAKAS_RATE 32 - -#define u64 uint64_t -#define u128 __m128i - -#define LOAD(src) _mm_loadu_si128((u128 *)(src)) -#define STORE(dest,src) _mm_storeu_si128((u128 *)(dest),src) - -#define XOR128(a, b) _mm_xor_si128(a, b) - -#define AES2(s0, s1, rci) \ - (s0) = _mm_aesenc_si128(s0, *(rci)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 1)); \ - (s0) = _mm_aesenc_si128(s0, *((rci) + 2)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 3)); - -#define AES2_4x(s0, s1, s2, s3, rci) \ - AES2((s0)[0], (s0)[1], rci); \ - AES2((s1)[0], (s1)[1], rci); \ - AES2((s2)[0], (s2)[1], rci); \ - AES2((s3)[0], (s3)[1], rci); - -#define AES4(s0, s1, s2, s3, rci) \ - (s0) = _mm_aesenc_si128(s0, *(rci)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 1)); \ - (s2) = _mm_aesenc_si128(s2, *((rci) + 2)); \ - (s3) = _mm_aesenc_si128(s3, *((rci) + 3)); \ - (s0) = _mm_aesenc_si128(s0, *((rci) + 4)); \ - (s1) = _mm_aesenc_si128(s1, *((rci) + 5)); \ - (s2) = _mm_aesenc_si128(s2, *((rci) + 6)); \ - (s3) = _mm_aesenc_si128(s3, *((rci) + 7)); - -#define AES4_4x(s0, s1, s2, s3, rci) \ - AES4((s0)[0], (s0)[1], (s0)[2], (s0)[3], rci); \ - AES4((s1)[0], (s1)[1], (s1)[2], (s1)[3], rci); \ - AES4((s2)[0], (s2)[1], (s2)[2], (s2)[3], rci); \ - AES4((s3)[0], (s3)[1], (s3)[2], (s3)[3], rci); - -#define MIX2(s0, s1) \ - tmp = _mm_unpacklo_epi32(s0, s1); \ - (s1) = _mm_unpackhi_epi32(s0, s1); \ - (s0) = tmp; - -#define MIX4(s0, s1, s2, s3) \ - tmp = _mm_unpacklo_epi32(s0, s1); \ - (s0) = _mm_unpackhi_epi32(s0, s1); \ - (s1) = _mm_unpacklo_epi32(s2, s3); \ - (s2) = _mm_unpackhi_epi32(s2, s3); \ - (s3) = _mm_unpacklo_epi32(s0, s2); \ - (s0) = _mm_unpackhi_epi32(s0, s2); \ - (s2) = _mm_unpackhi_epi32(s1, tmp); \ - (s1) = _mm_unpacklo_epi32(s1, tmp); - -#define TRUNCSTORE(out, s0, s1, s2, s3) \ - _mm_storeu_si128((u128 *)(out), \ - 
_mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(s0), _mm_castsi128_pd(s1), 3))); \ - _mm_storeu_si128((u128 *)((out) + 16), \ - _mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(s2), _mm_castsi128_pd(s3), 0))); - -static void load_haraka_constants(u128 rc[40]) { - rc[ 0] = _mm_set_epi32((int)0x0684704c, (int)0xe620c00a, (int)0xb2c5fef0, (int)0x75817b9d); - rc[ 1] = _mm_set_epi32((int)0x8b66b4e1, (int)0x88f3a06b, (int)0x640f6ba4, (int)0x2f08f717); - rc[ 2] = _mm_set_epi32((int)0x3402de2d, (int)0x53f28498, (int)0xcf029d60, (int)0x9f029114); - rc[ 3] = _mm_set_epi32((int)0x0ed6eae6, (int)0x2e7b4f08, (int)0xbbf3bcaf, (int)0xfd5b4f79); - rc[ 4] = _mm_set_epi32((int)0xcbcfb0cb, (int)0x4872448b, (int)0x79eecd1c, (int)0xbe397044); - rc[ 5] = _mm_set_epi32((int)0x7eeacdee, (int)0x6e9032b7, (int)0x8d5335ed, (int)0x2b8a057b); - rc[ 6] = _mm_set_epi32((int)0x67c28f43, (int)0x5e2e7cd0, (int)0xe2412761, (int)0xda4fef1b); - rc[ 7] = _mm_set_epi32((int)0x2924d9b0, (int)0xafcacc07, (int)0x675ffde2, (int)0x1fc70b3b); - rc[ 8] = _mm_set_epi32((int)0xab4d63f1, (int)0xe6867fe9, (int)0xecdb8fca, (int)0xb9d465ee); - rc[ 9] = _mm_set_epi32((int)0x1c30bf84, (int)0xd4b7cd64, (int)0x5b2a404f, (int)0xad037e33); - rc[10] = _mm_set_epi32((int)0xb2cc0bb9, (int)0x941723bf, (int)0x69028b2e, (int)0x8df69800); - rc[11] = _mm_set_epi32((int)0xfa0478a6, (int)0xde6f5572, (int)0x4aaa9ec8, (int)0x5c9d2d8a); - rc[12] = _mm_set_epi32((int)0xdfb49f2b, (int)0x6b772a12, (int)0x0efa4f2e, (int)0x29129fd4); - rc[13] = _mm_set_epi32((int)0x1ea10344, (int)0xf449a236, (int)0x32d611ae, (int)0xbb6a12ee); - rc[14] = _mm_set_epi32((int)0xaf044988, (int)0x4b050084, (int)0x5f9600c9, (int)0x9ca8eca6); - rc[15] = _mm_set_epi32((int)0x21025ed8, (int)0x9d199c4f, (int)0x78a2c7e3, (int)0x27e593ec); - rc[16] = _mm_set_epi32((int)0xbf3aaaf8, (int)0xa759c9b7, (int)0xb9282ecd, (int)0x82d40173); - rc[17] = _mm_set_epi32((int)0x6260700d, (int)0x6186b017, (int)0x37f2efd9, (int)0x10307d6b); - rc[18] = _mm_set_epi32((int)0x5aca45c2, 
(int)0x21300443, (int)0x81c29153, (int)0xf6fc9ac6); - rc[19] = _mm_set_epi32((int)0x9223973c, (int)0x226b68bb, (int)0x2caf92e8, (int)0x36d1943a); - rc[20] = _mm_set_epi32((int)0xd3bf9238, (int)0x225886eb, (int)0x6cbab958, (int)0xe51071b4); - rc[21] = _mm_set_epi32((int)0xdb863ce5, (int)0xaef0c677, (int)0x933dfddd, (int)0x24e1128d); - rc[22] = _mm_set_epi32((int)0xbb606268, (int)0xffeba09c, (int)0x83e48de3, (int)0xcb2212b1); - rc[23] = _mm_set_epi32((int)0x734bd3dc, (int)0xe2e4d19c, (int)0x2db91a4e, (int)0xc72bf77d); - rc[24] = _mm_set_epi32((int)0x43bb47c3, (int)0x61301b43, (int)0x4b1415c4, (int)0x2cb3924e); - rc[25] = _mm_set_epi32((int)0xdba775a8, (int)0xe707eff6, (int)0x03b231dd, (int)0x16eb6899); - rc[26] = _mm_set_epi32((int)0x6df3614b, (int)0x3c755977, (int)0x8e5e2302, (int)0x7eca472c); - rc[27] = _mm_set_epi32((int)0xcda75a17, (int)0xd6de7d77, (int)0x6d1be5b9, (int)0xb88617f9); - rc[28] = _mm_set_epi32((int)0xec6b43f0, (int)0x6ba8e9aa, (int)0x9d6c069d, (int)0xa946ee5d); - rc[29] = _mm_set_epi32((int)0xcb1e6950, (int)0xf957332b, (int)0xa2531159, (int)0x3bf327c1); - rc[30] = _mm_set_epi32((int)0x2cee0c75, (int)0x00da619c, (int)0xe4ed0353, (int)0x600ed0d9); - rc[31] = _mm_set_epi32((int)0xf0b1a5a1, (int)0x96e90cab, (int)0x80bbbabc, (int)0x63a4a350); - rc[32] = _mm_set_epi32((int)0xae3db102, (int)0x5e962988, (int)0xab0dde30, (int)0x938dca39); - rc[33] = _mm_set_epi32((int)0x17bb8f38, (int)0xd554a40b, (int)0x8814f3a8, (int)0x2e75b442); - rc[34] = _mm_set_epi32((int)0x34bb8a5b, (int)0x5f427fd7, (int)0xaeb6b779, (int)0x360a16f6); - rc[35] = _mm_set_epi32((int)0x26f65241, (int)0xcbe55438, (int)0x43ce5918, (int)0xffbaafde); - rc[36] = _mm_set_epi32((int)0x4ce99a54, (int)0xb9f3026a, (int)0xa2ca9cf7, (int)0x839ec978); - rc[37] = _mm_set_epi32((int)0xae51a51a, (int)0x1bdff7be, (int)0x40c06e28, (int)0x22901235); - rc[38] = _mm_set_epi32((int)0xa0c1613c, (int)0xba7ed22b, (int)0xc173bc0f, (int)0x48a659cf); - rc[39] = _mm_set_epi32((int)0x756acc03, (int)0x02288288, 
(int)0x4ad6bdfd, (int)0xe9c59da1); -} - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_tweak_constants( - harakactx *state, - const unsigned char *pk_seed, const unsigned char *sk_seed, - unsigned long long seed_length) { - int i; - unsigned char buf[40 * 16]; - - /* Use the standard constants to generate tweaked ones. */ - load_haraka_constants(state->rc); - - /* Constants for sk.seed */ - if (sk_seed != NULL) { - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka_S(buf, 40 * 16, sk_seed, seed_length, state); - /* Tweak constants with the pub_seed */ - for (i = 0; i < 40; i++) { - state->rc_sseed[i] = LOAD(buf + i * 16); - } - } - - /* Constants for pk.seed */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka_S(buf, 40 * 16, pk_seed, seed_length, state); - - /* Tweak constants with the pub_seed */ - for (i = 0; i < 40; i++) { - state->rc[i] = LOAD(buf + i * 16); - } -} - -static void haraka_S_absorb(unsigned char *s, - const unsigned char *m, unsigned long long mlen, - unsigned char p, - const harakactx *state) { - unsigned long long i; - unsigned char t[HARAKAS_RATE]; - - while (mlen >= HARAKAS_RATE) { - // XOR block to state - STORE(s, XOR128(LOAD(s), LOAD(m))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(m + 16))); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka512_perm(s, s, state); - mlen -= HARAKAS_RATE; - m += HARAKAS_RATE; - } - - for (i = 0; i < HARAKAS_RATE; ++i) { - t[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t[i] = m[i]; - } - t[i] = p; - t[HARAKAS_RATE - 1] |= 128; - STORE(s, XOR128(LOAD(s), LOAD(t))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(t + 16))); -} - -static void haraka_S_absorb4x(unsigned char *s, - const unsigned char *m0, - const unsigned char *m1, - const unsigned char *m2, - const unsigned char *m3, - unsigned long long int mlen, - unsigned char p, - const harakactx *state) { - unsigned long long i; - unsigned char t0[HARAKAS_RATE]; - unsigned char t1[HARAKAS_RATE]; - unsigned char t2[HARAKAS_RATE]; - unsigned char t3[HARAKAS_RATE]; - - while (mlen 
>= HARAKAS_RATE) { - // XOR block to state - STORE(s, XOR128(LOAD(s), LOAD(m0))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(m0 + 16))); - STORE(s + 64, XOR128(LOAD(s + 64), LOAD(m1))); - STORE(s + 80, XOR128(LOAD(s + 80), LOAD(m1 + 16))); - STORE(s + 128, XOR128(LOAD(s + 128), LOAD(m2))); - STORE(s + 144, XOR128(LOAD(s + 144), LOAD(m2 + 16))); - STORE(s + 192, XOR128(LOAD(s + 192), LOAD(m3))); - STORE(s + 208, XOR128(LOAD(s + 208), LOAD(m3 + 16))); - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka512_perm_x4(s, s, state); - mlen -= HARAKAS_RATE; - m0 += HARAKAS_RATE; - m1 += HARAKAS_RATE; - m2 += HARAKAS_RATE; - m3 += HARAKAS_RATE; - } - - for (i = 0; i < HARAKAS_RATE; ++i) { - t0[i] = 0; - t1[i] = 0; - t2[i] = 0; - t3[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t0[i] = m0[i]; - t1[i] = m1[i]; - t2[i] = m2[i]; - t3[i] = m3[i]; - } - - t0[i] = p; - t1[i] = p; - t2[i] = p; - t3[i] = p; - - t0[HARAKAS_RATE - 1] |= 128; - t1[HARAKAS_RATE - 1] |= 128; - t2[HARAKAS_RATE - 1] |= 128; - t3[HARAKAS_RATE - 1] |= 128; - - STORE(s, XOR128(LOAD(s), LOAD(t0))); - STORE(s + 16, XOR128(LOAD(s + 16), LOAD(t0 + 16))); - STORE(s + 64, XOR128(LOAD(s + 64), LOAD(t1))); - STORE(s + 80, XOR128(LOAD(s + 80), LOAD(t1 + 16))); - STORE(s + 128, XOR128(LOAD(s + 128), LOAD(t2))); - STORE(s + 144, XOR128(LOAD(s + 144), LOAD(t2 + 16))); - STORE(s + 192, XOR128(LOAD(s + 192), LOAD(t3))); - STORE(s + 208, XOR128(LOAD(s + 208), LOAD(t3 + 16))); -} - -static void haraka_S_squeezeblocks(unsigned char *h, unsigned long long nblocks, - unsigned char *s, unsigned int r, const harakactx *state) { - while (nblocks > 0) { - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka512_perm(s, s, state); - STORE(h, LOAD(s)); - STORE(h + 16, LOAD(s + 16)); - h += r; - nblocks--; - } -} - -static void haraka_S_squeezeblocks4x(unsigned char *h0, - unsigned char *h1, - unsigned char *h2, - unsigned char *h3, - unsigned long long nblocks, - unsigned char *s, - unsigned int r, - const harakactx *state) { - while (nblocks > 0) 
{ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka512_perm_x4(s, s, state); - STORE(h0, LOAD(s)); - STORE(h0 + 16, LOAD(s + 16)); - STORE(h1, LOAD(s + 64)); - STORE(h1 + 16, LOAD(s + 80)); - STORE(h2, LOAD(s + 128)); - STORE(h2 + 16, LOAD(s + 144)); - STORE(h3, LOAD(s + 192)); - STORE(h3 + 16, LOAD(s + 208)); - h0 += r; - h1 += r; - h2 += r; - h3 += r; - nblocks--; - } -} - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka_S_inc_init(uint8_t *s_inc) { - size_t i; - - for (i = 0; i < 64; i++) { - s_inc[i] = 0; - } - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state) { - size_t i; - - /* Recall that s_inc[64] is the non-absorbed bytes xored into the state */ - while (mlen + s_inc[64] >= HARAKAS_RATE) { - for (i = 0; i < (size_t)(HARAKAS_RATE - s_inc[64]); i++) { - /* Take the i'th byte from message - xor with the s_inc[64] + i'th byte of the state */ - s_inc[s_inc[64] + i] ^= m[i]; - } - mlen -= (size_t)(HARAKAS_RATE - s_inc[64]); - m += HARAKAS_RATE - s_inc[64]; - s_inc[64] = 0; - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka512_perm(s_inc, s_inc, state); - } - - for (i = 0; i < mlen; i++) { - s_inc[s_inc[64] + i] ^= m[i]; - } - s_inc[64] = (uint8_t)(s_inc[64] + mlen); -} - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka_S_inc_finalize(uint8_t *s_inc) { - /* After haraka_S_inc_absorb, we are guaranteed that s_inc[64] < HARAKAS_RATE, - so we can always use one more byte for p in the current state. */ - s_inc[s_inc[64]] ^= 0x1F; - s_inc[HARAKAS_RATE - 1] ^= 128; - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state) { - size_t i; - - /* First consume any bytes we still have sitting around */ - for (i = 0; i < outlen && i < s_inc[64]; i++) { - /* There are s_inc[64] bytes left, so r - s_inc[64] is the first - available byte. We consume from there, i.e., up to r. 
*/ - out[i] = (uint8_t)s_inc[(HARAKAS_RATE - s_inc[64] + (uint8_t)i)]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(s_inc[64] - i); - - /* Then squeeze the remaining necessary blocks */ - while (outlen > 0) { - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka512_perm(s_inc, s_inc, state); - - for (i = 0; i < outlen && i < HARAKAS_RATE; i++) { - out[i] = s_inc[i]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(HARAKAS_RATE - i); - } -} - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka_S(unsigned char *out, unsigned long long outlen, - const unsigned char *in, unsigned long long inlen, const harakactx *state) { - unsigned long long i; - unsigned char s[64]; - unsigned char d[32]; - - for (i = 0; i < 64; i++) { - s[i] = 0; - } - haraka_S_absorb(s, in, inlen, 0x1F, state); - - haraka_S_squeezeblocks(out, outlen / HARAKAS_RATE, s, HARAKAS_RATE, state); - out += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - - if (outlen % HARAKAS_RATE) { - haraka_S_squeezeblocks(d, 1, s, HARAKAS_RATE, state); - for (i = 0; i < outlen % HARAKAS_RATE; i++) { - out[i] = d[i]; - } - } -} - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka_Sx4(unsigned char *out0, - unsigned char *out1, - unsigned char *out2, - unsigned char *out3, - unsigned long long outlen, - const unsigned char *in0, - const unsigned char *in1, - const unsigned char *in2, - const unsigned char *in3, - unsigned long long inlen, - const harakactx *state) { - unsigned long long i; - unsigned char s[64 * 4]; - unsigned char d0[32]; - unsigned char d1[32]; - unsigned char d2[32]; - unsigned char d3[32]; - - for (i = 0; i < 64 * 4; i++) { - s[i] = 0; - } - haraka_S_absorb4x(s, in0, in1, in2, in3, inlen, 0x1F, state); - - haraka_S_squeezeblocks4x(out0, out1, out2, out3, outlen / HARAKAS_RATE, s, HARAKAS_RATE, state); - out0 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out1 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out2 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - out3 += (outlen / HARAKAS_RATE) * HARAKAS_RATE; - 
- if (outlen % HARAKAS_RATE) { - haraka_S_squeezeblocks4x(d0, d1, d2, d3, 1, s, HARAKAS_RATE, state); - for (i = 0; i < outlen % HARAKAS_RATE; i++) { - out0[i] = d0[i]; - out1[i] = d1[i]; - out2[i] = d2[i]; - out3[i] = d3[i]; - } - } -} - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - s[2] = LOAD(in + 32); - s[3] = LOAD(in + 48); - - AES4(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0], s[1], s[2], s[3]); - - STORE(out, s[0]); - STORE(out + 16, s[1]); - STORE(out + 32, s[2]); - STORE(out + 48, s[3]); -} - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka512_perm_x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][4], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[0][2] = LOAD(in + 32); - s[0][3] = LOAD(in + 48); - s[1][0] = LOAD(in + 64); - s[1][1] = LOAD(in + 80); - s[1][2] = LOAD(in + 96); - s[1][3] = LOAD(in + 112); - s[2][0] = LOAD(in + 128); - s[2][1] = LOAD(in + 144); - s[2][2] = LOAD(in + 160); - s[2][3] = LOAD(in + 176); - s[3][0] = LOAD(in + 192); - s[3][1] = LOAD(in + 208); - s[3][2] = LOAD(in + 224); - s[3][3] = LOAD(in + 240); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - 
MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[0][2]); - STORE(out + 48, s[0][3]); - STORE(out + 64, s[1][0]); - STORE(out + 80, s[1][1]); - STORE(out + 96, s[1][2]); - STORE(out + 112, s[1][3]); - STORE(out + 128, s[2][0]); - STORE(out + 144, s[2][1]); - STORE(out + 160, s[2][2]); - STORE(out + 176, s[2][3]); - STORE(out + 192, s[3][0]); - STORE(out + 208, s[3][1]); - STORE(out + 224, s[3][2]); - STORE(out + 240, s[3][3]); -} - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - s[2] = LOAD(in + 32); - s[3] = LOAD(in + 48); - - AES4(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0], s[1], s[2], s[3]); - - AES4(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0], s[1], s[2], s[3]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - s[2] = XOR128(s[2], LOAD(in + 32)); - s[3] = XOR128(s[3], LOAD(in + 48)); - - // truncate and 
store result - TRUNCSTORE(out, s[0], s[1], s[2], s[3]); -} - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka512x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][4], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[0][2] = LOAD(in + 32); - s[0][3] = LOAD(in + 48); - s[1][0] = LOAD(in + 64); - s[1][1] = LOAD(in + 80); - s[1][2] = LOAD(in + 96); - s[1][3] = LOAD(in + 112); - s[2][0] = LOAD(in + 128); - s[2][1] = LOAD(in + 144); - s[2][2] = LOAD(in + 160); - s[2][3] = LOAD(in + 176); - s[3][0] = LOAD(in + 192); - s[3][1] = LOAD(in + 208); - s[3][2] = LOAD(in + 224); - s[3][3] = LOAD(in + 240); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 8); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 16); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 24); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - AES4_4x(s[0], s[1], s[2], s[3], state->rc + 32); - MIX4(s[0][0], s[0][1], s[0][2], s[0][3]); - MIX4(s[1][0], s[1][1], s[1][2], s[1][3]); - MIX4(s[2][0], s[2][1], s[2][2], s[2][3]); - MIX4(s[3][0], s[3][1], s[3][2], s[3][3]); - - s[0][0] = XOR128(s[0][0], LOAD(in)); - s[0][1] = XOR128(s[0][1], LOAD(in + 16)); - s[0][2] = XOR128(s[0][2], LOAD(in + 32)); - s[0][3] = XOR128(s[0][3], LOAD(in + 48)); - s[1][0] = XOR128(s[1][0], LOAD(in + 
64)); - s[1][1] = XOR128(s[1][1], LOAD(in + 80)); - s[1][2] = XOR128(s[1][2], LOAD(in + 96)); - s[1][3] = XOR128(s[1][3], LOAD(in + 112)); - s[2][0] = XOR128(s[2][0], LOAD(in + 128)); - s[2][1] = XOR128(s[2][1], LOAD(in + 144)); - s[2][2] = XOR128(s[2][2], LOAD(in + 160)); - s[2][3] = XOR128(s[2][3], LOAD(in + 176)); - s[3][0] = XOR128(s[3][0], LOAD(in + 192)); - s[3][1] = XOR128(s[3][1], LOAD(in + 208)); - s[3][2] = XOR128(s[3][2], LOAD(in + 224)); - s[3][3] = XOR128(s[3][3], LOAD(in + 240)); - - TRUNCSTORE(out, s[0][0], s[0][1], s[0][2], s[0][3]); - TRUNCSTORE((out + 32), s[1][0], s[1][1], s[1][2], s[1][3]); - TRUNCSTORE((out + 64), s[2][0], s[2][1], s[2][2], s[2][3]); - TRUNCSTORE((out + 96), s[3][0], s[3][1], s[3][2], s[3][3]); -} - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[2], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - - AES2(s[0], s[1], state->rc); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 4); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 8); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 12); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc + 16); - MIX2(s[0], s[1]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - - STORE(out, s[0]); - STORE(out + 16, s[1]); -} - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka256x4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][2], tmp; - - s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[1][0] = LOAD(in + 32); - s[1][1] = LOAD(in + 48); - s[2][0] = LOAD(in + 64); - s[2][1] = LOAD(in + 80); - s[3][0] = LOAD(in + 96); - s[3][1] = LOAD(in + 112); - - // Round 1 - AES2_4x(s[0], s[1], s[2], s[3], state->rc); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 2 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 4); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - 
MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 3 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 8); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 4 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 12); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 5 - AES2_4x(s[0], s[1], s[2], s[3], state->rc + 16); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Feed Forward - s[0][0] = _mm_xor_si128(s[0][0], LOAD(in)); - s[0][1] = _mm_xor_si128(s[0][1], LOAD(in + 16)); - s[1][0] = _mm_xor_si128(s[1][0], LOAD(in + 32)); - s[1][1] = _mm_xor_si128(s[1][1], LOAD(in + 48)); - s[2][0] = _mm_xor_si128(s[2][0], LOAD(in + 64)); - s[2][1] = _mm_xor_si128(s[2][1], LOAD(in + 80)); - s[3][0] = _mm_xor_si128(s[3][0], LOAD(in + 96)); - s[3][1] = _mm_xor_si128(s[3][1], LOAD(in + 112)); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[1][0]); - STORE(out + 48, s[1][1]); - STORE(out + 64, s[2][0]); - STORE(out + 80, s[2][1]); - STORE(out + 96, s[3][0]); - STORE(out + 112, s[3][1]); -} - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[2], tmp; - - s[0] = LOAD(in); - s[1] = LOAD(in + 16); - - AES2(s[0], s[1], state->rc_sseed); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 4); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 8); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 12); - MIX2(s[0], s[1]); - - AES2(s[0], s[1], state->rc_sseed + 16); - MIX2(s[0], s[1]); - - s[0] = XOR128(s[0], LOAD(in)); - s[1] = XOR128(s[1], LOAD(in + 16)); - - STORE(out, s[0]); - STORE(out + 16, s[1]); -} - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka256_skx4(unsigned char *out, const unsigned char *in, const harakactx *state) { - u128 s[4][2], tmp; - - 
s[0][0] = LOAD(in); - s[0][1] = LOAD(in + 16); - s[1][0] = LOAD(in + 32); - s[1][1] = LOAD(in + 48); - s[2][0] = LOAD(in + 64); - s[2][1] = LOAD(in + 80); - s[3][0] = LOAD(in + 96); - s[3][1] = LOAD(in + 112); - - // Round 1 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 2 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 4); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 3 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 8); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 4 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 12); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Round 5 - AES2_4x(s[0], s[1], s[2], s[3], state->rc_sseed + 16); - - MIX2(s[0][0], s[0][1]); - MIX2(s[1][0], s[1][1]); - MIX2(s[2][0], s[2][1]); - MIX2(s[3][0], s[3][1]); - - // Feed Forward - s[0][0] = XOR128(s[0][0], LOAD(in)); - s[0][1] = XOR128(s[0][1], LOAD(in + 16)); - s[1][0] = XOR128(s[1][0], LOAD(in + 32)); - s[1][1] = XOR128(s[1][1], LOAD(in + 48)); - s[2][0] = XOR128(s[2][0], LOAD(in + 64)); - s[2][1] = XOR128(s[2][1], LOAD(in + 80)); - s[3][0] = XOR128(s[3][0], LOAD(in + 96)); - s[3][1] = XOR128(s[3][1], LOAD(in + 112)); - - STORE(out, s[0][0]); - STORE(out + 16, s[0][1]); - STORE(out + 32, s[1][0]); - STORE(out + 48, s[1][1]); - STORE(out + 64, s[2][0]); - STORE(out + 80, s[2][1]); - STORE(out + 96, s[3][0]); - STORE(out + 112, s[3][1]); -} diff --git a/crypto_sign/sphincs-haraka-256s-simple/aesni/haraka.h b/crypto_sign/sphincs-haraka-256s-simple/aesni/haraka.h deleted file mode 100644 index 11042951..00000000 --- a/crypto_sign/sphincs-haraka-256s-simple/aesni/haraka.h +++ /dev/null 
@@ -1,57 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_HARAKA_H
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_HARAKA_H
-
-#include
-#include
-#include
-
-typedef struct {
- __m128i rc[40];
- __m128i rc_sseed[40];
-} harakactx;
-
-/* Tweak constants with seed */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length);
-
-/* Haraka Sponge */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka_S_inc_init(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka_S_inc_finalize(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka_S(
- unsigned char *out, unsigned long long outlen,
- const unsigned char *in, unsigned long long inlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka_Sx4(
- unsigned char *out0,
- unsigned char *out1,
- unsigned char *out2,
- unsigned char *out3,
- unsigned long long outlen,
- const unsigned char *in0,
- const unsigned char *in1,
- const unsigned char *in2,
- const unsigned char *in3,
- unsigned long long inlen,
- const harakactx *state);
-
-
-/* Applies the 512-bit Haraka permutation to in. */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka512_perm_x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-512 */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka512x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka256x4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 using sk.seed constants */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka256_skx4(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256s-simple/aesni/hash.h b/crypto_sign/sphincs-haraka-256s-simple/aesni/hash.h
deleted file mode 100644
index 6d302e86..00000000
--- a/crypto_sign/sphincs-haraka-256s-simple/aesni/hash.h
+++ /dev/null
@@ -1,31 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_HASH_H
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_HASH_H
-
-#include "hash_state.h"
-
-#include
-#include
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed);
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_destroy_hash_function(hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256s-simple/aesni/hash_haraka.c b/crypto_sign/sphincs-haraka-256s-simple/aesni/hash_haraka.c
deleted file mode 100644
index 54f3bc1a..00000000
--- a/crypto_sign/sphincs-haraka-256s-simple/aesni/hash_haraka.c
+++ /dev/null
@@ -1,96 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "hash.h" -#include "params.h" -#include "utils.h" - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_initialize_hash_function( - hash_state *hash_state_seeded, - const unsigned char *pub_seed, const unsigned char *sk_seed) { - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_tweak_constants(hash_state_seeded, pub_seed, sk_seed, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); -} - -/* The haraka implementation is stack based and won't be replaced in PQClean/OQS, - so we don't need to do anything */ -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_destroy_hash_function( - hash_state *hash_state_seeded) { // NOLINT(readability-non-const-parameter) - (void)hash_state_seeded; -} - -/* - * Computes PRF(key, addr), given a secret key of PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N bytes and an address - */ -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_prf_addr( - unsigned char *out, const unsigned char *key, const uint32_t addr[8], - const hash_state *hash_state_seeded) { - unsigned char buf[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_BYTES]; - /* Since PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N may be smaller than 32, we need a temporary buffer. */ - unsigned char outbuf[32]; - - (void)key; /* Suppress an 'unused parameter' warning. */ - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_addr_to_bytes(buf, addr); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka256_sk(outbuf, buf, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); -} - -/** - * Computes the message-dependent randomness R, using a secret seed and an - * optional randomization value as well as the message. 
- */ -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_gen_message_random( - unsigned char *R, - const unsigned char *sk_prf, const unsigned char *optrand, - const unsigned char *m, size_t mlen, - const hash_state *hash_state_seeded) { - uint8_t s_inc[65]; - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka_S_inc_init(s_inc); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, sk_prf, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, optrand, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka_S_inc_finalize(s_inc); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka_S_inc_squeeze(R, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, s_inc, hash_state_seeded); -} - -/** - * Computes the message hash using R, the public key, and the message. - * Outputs the message digest and the index of the leaf. The index is split in - * the tree index and the leaf index, for convenient copying to an address. 
- */ -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_hash_message( - unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx, - const unsigned char *R, const unsigned char *pk, - const unsigned char *m, size_t mlen, - const hash_state *hash_state_seeded) { -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_TREE_BITS (PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_TREE_HEIGHT * (PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_D - 1)) -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_TREE_BYTES ((PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_TREE_BITS + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_LEAF_BITS PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_TREE_HEIGHT -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_LEAF_BYTES ((PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_LEAF_BITS + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_DGST_BYTES (PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_MSG_BYTES + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_TREE_BYTES + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_LEAF_BYTES) - - unsigned char buf[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_DGST_BYTES]; - unsigned char *bufp = buf; - uint8_t s_inc[65]; - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka_S_inc_init(s_inc); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, R, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, pk + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka_S_inc_finalize(s_inc); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka_S_inc_squeeze(buf, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_DGST_BYTES, s_inc, hash_state_seeded); - - memcpy(digest, bufp, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_MSG_BYTES); - bufp += PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_MSG_BYTES; - - *tree = PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_bytes_to_ull(bufp, 
PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_TREE_BYTES); - *tree &= (~(uint64_t)0) >> (64 - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_TREE_BITS); - bufp += PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_TREE_BYTES; - - *leaf_idx = (uint32_t)PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_bytes_to_ull( - bufp, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_LEAF_BYTES); - *leaf_idx &= (~(uint32_t)0) >> (32 - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_LEAF_BITS); -} diff --git a/crypto_sign/sphincs-haraka-256s-simple/aesni/hash_harakax4.c b/crypto_sign/sphincs-haraka-256s-simple/aesni/hash_harakax4.c deleted file mode 100644 index 34b50429..00000000 --- a/crypto_sign/sphincs-haraka-256s-simple/aesni/hash_harakax4.c +++ /dev/null @@ -1,37 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "hash_state.h" -#include "hashx4.h" -#include "params.h" - -/* - * 4-way parallel version of prf_addr; takes 4x as much input and output - */ -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_prf_addrx4(unsigned char *out0, - unsigned char *out1, - unsigned char *out2, - unsigned char *out3, - const unsigned char *key, - const uint32_t addrx4[4 * 8], - const hash_state *state_seeded) { - unsigned char bufx4[4 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_BYTES]; - /* Since PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N may be smaller than 32, we need a temporary buffer. */ - unsigned char outbuf[4 * 32]; - unsigned int i; - - (void)key; /* Suppress an 'unused parameter' warning. */ - - for (i = 0; i < 4; i++) { - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_addr_to_bytes(bufx4 + i * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_BYTES, addrx4 + i * 8); - } - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka256_skx4(outbuf, bufx4, state_seeded); - - memcpy(out0, outbuf, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); - memcpy(out1, outbuf + 32, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); - memcpy(out2, outbuf + 64, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); - memcpy(out3, outbuf + 96, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); -} 
diff --git a/crypto_sign/sphincs-haraka-256s-simple/aesni/hash_state.h b/crypto_sign/sphincs-haraka-256s-simple/aesni/hash_state.h deleted file mode 100644 index 2d366c0e..00000000 --- a/crypto_sign/sphincs-haraka-256s-simple/aesni/hash_state.h +++ /dev/null @@ -1,26 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_HASH_STATE_H -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_HASH_STATE_H - -/** - * Defines the type of the hash function state. - * - * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! - * - * From Section 7.2.2 from the SPHINCS+ round-2 specification: - * - * Each of the instances of the tweakable hash function take PK.seed as its - * first input, which is constant for a given key pair – and, thus, across - * a single signature. This leads to a lot of redundant computation. To remedy - * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. - * Because of the Merkle-Damgård construction that underlies SHA-256, this - * allows for reuse of the intermediate SHA-256 state after the initial call to - * the compression function which improves performance. - * - * We pass this hash state around in functions, because otherwise we need to - * have a global variable. - */ - -#include "haraka.h" -#define hash_state harakactx - -#endif diff --git a/crypto_sign/sphincs-haraka-256s-simple/aesni/hashx4.h b/crypto_sign/sphincs-haraka-256s-simple/aesni/hashx4.h deleted file mode 100644 index 75b7c304..00000000 --- a/crypto_sign/sphincs-haraka-256s-simple/aesni/hashx4.h +++ /dev/null @@ -1,16 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_HASHX4_H -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_HASHX4_H - -#include - -#include "hash_state.h" - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_prf_addrx4(unsigned char *out0, - unsigned char *out1, - unsigned char *out2, - unsigned char *out3, - const unsigned char *key, - const uint32_t addrx4[4 * 8], - const hash_state *state_seeded); - -#endif 
diff --git a/crypto_sign/sphincs-haraka-256s-simple/aesni/params.h b/crypto_sign/sphincs-haraka-256s-simple/aesni/params.h deleted file mode 100644 index 5e206f87..00000000 --- a/crypto_sign/sphincs-haraka-256s-simple/aesni/params.h +++ /dev/null 
@@ -1,53 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_PARAMS_H -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_PARAMS_H - -/* Hash output length in bytes. */ -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N 32 -/* Height of the hypertree. */ -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FULL_HEIGHT 64 -/* Number of subtree layer. */ -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_D 8 -/* FORS tree dimensions. */ -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_HEIGHT 14 -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_TREES 22 -/* Winternitz parameter, */ -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_W 16 - -/* The hash function is defined by linking a different hash.c file, as opposed - to setting a #define constant. */ - -/* For clarity */ -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_BYTES 32 - -/* WOTS parameters. */ -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_LOGW 4 - -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_LEN1 (8 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N / PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_LOGW) - -/* PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */ -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_LEN2 3 - -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_LEN (PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_LEN1 + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_LEN2) -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_BYTES (PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_LEN * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N) -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_PK_BYTES PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_BYTES - -/* Subtree size. */ -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_TREE_HEIGHT (PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FULL_HEIGHT / PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_D) - -/* FORS parameters. 
*/ -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_MSG_BYTES ((PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_TREES + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_BYTES ((PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_HEIGHT + 1) * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N) -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_PK_BYTES PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N - -/* Resulting SPX sizes. */ -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_BYTES (PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_BYTES + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_D * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_BYTES +\ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FULL_HEIGHT * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N) -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_PK_BYTES (2 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N) -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_SK_BYTES (2 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_PK_BYTES) - -/* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. */ -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_OPTRAND_BYTES 32 - -#endif diff --git a/crypto_sign/sphincs-haraka-256s-simple/aesni/sign.c b/crypto_sign/sphincs-haraka-256s-simple/aesni/sign.c deleted file mode 100644 index 158d60c1..00000000 --- a/crypto_sign/sphincs-haraka-256s-simple/aesni/sign.c +++ /dev/null 
@@ -1,409 +0,0 @@ -#include -#include -#include -#include - -#include "address.h" -#include "api.h" -#include "fors.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "randombytes.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - - -/** - * Computes the leaf at a given address. First generates the WOTS key pair, - * then computes leaf by hashing horizontally. - */ -static void wots_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx, const uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - unsigned char pk[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_BYTES]; - uint32_t wots_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_TYPE_WOTSPK); - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_keypair_addr( - wots_addr, addr_idx); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_wots_gen_pk( - pk, sk_seed, pub_seed, wots_addr, hash_state_seeded); - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_copy_keypair_addr( - wots_pk_addr, wots_addr); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_thash_WOTS_LEN( - leaf, pk, pub_seed, wots_pk_addr, hash_state_seeded); -} - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_crypto_sign_secretkeybytes(void) { - return PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES; -} - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_crypto_sign_publickeybytes(void) { - return PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES; -} - -/* - * Returns the length of a signature, in bytes - */ -size_t 
PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_crypto_sign_bytes(void) { - return PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_CRYPTO_BYTES; -} - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_crypto_sign_seedbytes(void) { - return PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_CRYPTO_SEEDBYTES; -} - -/* - * Generates an SPX key pair given a seed of length - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_crypto_sign_seed_keypair( - uint8_t *pk, uint8_t *sk, const uint8_t *seed) { - /* We do not need the auth path in key generation, but it simplifies the - code to have just one treehash routine that computes both root and path - in one function. */ - unsigned char auth_path[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N]; - uint32_t top_tree_addr[8] = {0}; - hash_state hash_state_seeded; - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_layer_addr( - top_tree_addr, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_D - 1); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_type( - top_tree_addr, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_TYPE_HASHTREE); - - /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */ - memcpy(sk, seed, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_CRYPTO_SEEDBYTES); - - memcpy(pk, sk + 2 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_initialize_hash_function(&hash_state_seeded, pk, sk); - - /* Compute root node of the top-most subtree. 
*/ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_treehash_TREE_HEIGHT( - sk + 3 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, auth_path, sk, sk + 2 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, 0, 0, - wots_gen_leaf, top_tree_addr, &hash_state_seeded); - - memcpy(pk + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, sk + 3 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); - - return 0; -} - -/* - * Generates an SPX key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk) { - - // guarantee alignment of pk - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES / 16]; - uint8_t pk[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - - // guarantee alignment of sk - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES / 16]; - uint8_t sk[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES]; - } aligned_sk; - - union { - __m128 _x[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_CRYPTO_SEEDBYTES / 16]; - uint8_t seed[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_CRYPTO_SEEDBYTES]; - } aligned_seed; - randombytes(aligned_seed.seed, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_CRYPTO_SEEDBYTES); - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_crypto_sign_seed_keypair( - aligned_pk.pk, aligned_sk.sk, aligned_seed.seed); - memcpy(pk, aligned_pk.pk, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES); - memcpy(sk, aligned_sk.sk, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES); - - return 0; -} - -/** - * Returns an array containing a detached signature. 
- */ -int PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - // guarantee alignment of sk - union { - __m128 *_x; - uint8_t sk[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES]; - } aligned_sk; - memcpy(aligned_sk.sk, sk, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_CRYPTO_SECRETKEYBYTES); - sk = aligned_sk.sk; - - // guarantee alignment of sig - union { - __m128 *_x; - uint8_t sig[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_BYTES]; - } aligned_sig; - uint8_t *orig_sig = sig; - sig = (uint8_t *)aligned_sig.sig; - - const unsigned char *sk_seed = sk; - const unsigned char *sk_prf = sk + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N; - const unsigned char *pk = sk + 2 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N; - const unsigned char *pub_seed = pk; - - unsigned char optrand[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N]; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_MSG_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N]; - uint32_t i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - - hash_state hash_state_seeded; - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_initialize_hash_function( - &hash_state_seeded, - pub_seed, sk_seed); - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_TYPE_HASHTREE); - - /* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. 
*/ - randombytes(optrand, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); - /* Compute the digest randomization value. */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_gen_message_random( - sig, sk_prf, optrand, m, mlen, &hash_state_seeded); - - /* Derive the message digest and leaf index from R, PK and M. */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N; - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - /* Sign the message hash using FORS. */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_fors_sign( - sig, root, mhash, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_BYTES; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_D; i++) { - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - /* Compute a WOTS signature. */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_wots_sign( - sig, root, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_BYTES; - - /* Compute the authentication path for the used WOTS leaf. */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_treehash_TREE_HEIGHT( - root, sig, sk_seed, pub_seed, idx_leaf, 0, - wots_gen_leaf, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N; - - /* Update the indices for the next layer. 
*/ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_TREE_HEIGHT; - } - - memcpy(orig_sig, aligned_sig.sig, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_BYTES); - *siglen = PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_BYTES; - - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - // guarantee alignment of pk - union { - __m128 *_x; - uint8_t pk[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - memcpy(aligned_pk.pk, pk, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES); - pk = aligned_pk.pk; - - const unsigned char *pub_seed = pk; - const unsigned char *pub_root = pk + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_MSG_BYTES]; - unsigned char wots_pk[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N]; - unsigned int i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - hash_state hash_state_seeded; - - if (siglen != PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_BYTES) { - return -1; - } - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_initialize_hash_function( - &hash_state_seeded, - pub_seed, NULL); - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_TYPE_HASHTREE); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_TYPE_WOTSPK); - - /* Derive the message digest and leaf index from R || PK || M. */ - /* The additional PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N is a result of the hash domain separator. */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N; - - /* Layer correctly defaults to 0, so no need to set_layer_addr */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_fors_pk_from_sig( - root, sig, mhash, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_BYTES; - - /* For each subtree.. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_D; i++) { - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_copy_keypair_addr( - wots_pk_addr, wots_addr); - - /* The WOTS public key is only correct if the signature was correct. */ - /* Initially, root is the FORS pk, but on subsequent iterations it is - the root of the subtree below the currently processed subtree. 
*/ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_wots_pk_from_sig( - wots_pk, sig, root, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_BYTES; - - /* Compute the leaf node using the WOTS public key. */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_thash_WOTS_LEN( - leaf, wots_pk, pub_seed, wots_pk_addr, &hash_state_seeded); - - /* Compute the root node of this subtree. */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_compute_root( - root, leaf, idx_leaf, 0, sig, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_TREE_HEIGHT, - pub_seed, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_TREE_HEIGHT; - } - - /* Check if the root node equals the root node in the public key. */ - if (memcmp(root, pub_root, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N) != 0) { - return -1; - } - - return 0; -} - - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - size_t siglen; - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_crypto_sign_signature( - sm, &siglen, m, mlen, sk); - - memmove(sm + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_BYTES, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. 
- */ -int PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk) { - - // guarantee alignment of pk - union { - __m128 *_x; - uint8_t pk[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES]; - } aligned_pk; - memcpy(aligned_pk.pk, pk, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_CRYPTO_PUBLICKEYBYTES); - pk = aligned_pk.pk; - - - /* The API caller does not necessarily know what size a signature should be - but SPHINCS+ signatures are always exactly PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_BYTES. */ - if (smlen < PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_BYTES) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_BYTES; - - if (PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_crypto_sign_verify( - sm, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_BYTES, sm + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_BYTES, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_BYTES, *mlen); - - return 0; -} diff --git a/crypto_sign/sphincs-haraka-256s-simple/aesni/thash.h b/crypto_sign/sphincs-haraka-256s-simple/aesni/thash.h deleted file mode 100644 index b5faf265..00000000 --- a/crypto_sign/sphincs-haraka-256s-simple/aesni/thash.h +++ /dev/null 
@@ -1,28 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_THASH_H -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_THASH_H - -#include "hash_state.h" - -#include - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-256s-simple/aesni/thash_haraka_simple.c b/crypto_sign/sphincs-haraka-256s-simple/aesni/thash_haraka_simple.c deleted file mode 100644 index 4bfe5daa..00000000 --- a/crypto_sign/sphincs-haraka-256s-simple/aesni/thash_haraka_simple.c +++ /dev/null 
@@ -1,83 +0,0 @@ -#include -#include - -#include "address.h" -#include "params.h" -#include "thash.h" - -#include "haraka.h" - -/** - * Takes an array of inblocks concatenated arrays of PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N bytes. - */ -static void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_thash( - unsigned char *out, unsigned char *buf, - const unsigned char *in, unsigned int inblocks, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char outbuf[32]; - unsigned char buf_tmp[64]; - - (void)pub_seed; /* Suppress an 'unused parameter' warning. */ - - if (inblocks == 1) { - /* F function */ - /* Since PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N may be smaller than 32, we need a temporary buffer. */ - memset(buf_tmp, 0, 64); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_addr_to_bytes(buf_tmp, addr); - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_BYTES, in, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka512(outbuf, buf_tmp, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); - } else { - /* All other tweakable hashes*/ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_addr_to_bytes(buf, addr); - memcpy(buf + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka_S( - out, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, buf, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_BYTES + inblocks * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, hash_state_seeded); - } -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_BYTES + 1 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N]; - 
PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_thash( - out, buf, in, 1, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_BYTES + 2 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N]; - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_thash( - out, buf, in, 2, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_LEN * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N]; - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_thash( - out, buf, in, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_LEN, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_TREES * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N]; - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_thash( - out, buf, in, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_TREES, pub_seed, addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-256s-simple/aesni/thash_haraka_simplex4.c b/crypto_sign/sphincs-haraka-256s-simple/aesni/thash_haraka_simplex4.c deleted file mode 100644 index 98279e47..00000000 --- a/crypto_sign/sphincs-haraka-256s-simple/aesni/thash_haraka_simplex4.c +++ /dev/null 
@@ -1,66 +0,0 @@ -#include -#include - -#include "address.h" -#include "haraka.h" -#include "params.h" -#include "thashx4.h" - -/** - * 4-way parallel version of thash; takes 4x as much input and output - */ -#define thashx4_variant(name, inblocks) \ - void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_thashx4_##name(unsigned char *out0, unsigned char *out1, unsigned char *out2, \ - unsigned char *out3, const unsigned char *in0, \ - const unsigned char *in1, const unsigned char *in2, \ - const unsigned char *in3, const unsigned char *pub_seed, \ - uint32_t addrx4[4 * 8], const harakactx *state) { \ - unsigned char buf0[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N]; \ - unsigned char buf1[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N]; \ - unsigned char buf2[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N]; \ - unsigned char buf3[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N]; \ - unsigned char outbuf[32 * 4]; \ - unsigned char buf_tmp[64 * 4]; \ - \ - (void)pub_seed; /* Suppress an 'unused parameter' warning. 
*/ \ - \ - if ((inblocks) == 1) { \ - memset(buf_tmp, 0, 64 * 4); \ - \ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_addr_to_bytes(buf_tmp, addrx4 + 0 * 8); \ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_addr_to_bytes(buf_tmp + 64, addrx4 + 1 * 8); \ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_addr_to_bytes(buf_tmp + 128, addrx4 + 2 * 8); \ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_addr_to_bytes(buf_tmp + 192, addrx4 + 3 * 8); \ - \ - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_BYTES, in0, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); \ - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_BYTES + 64, in1, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); \ - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_BYTES + 128, in2, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); \ - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_BYTES + 192, in3, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); \ - \ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka512x4(outbuf, buf_tmp, state); \ - \ - memcpy(out0, outbuf, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); \ - memcpy(out1, outbuf + 32, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); \ - memcpy(out2, outbuf + 64, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); \ - memcpy(out3, outbuf + 96, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); \ - } else { \ - /* All other tweakable hashes*/ \ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_addr_to_bytes(buf0, addrx4 + 0 * 8); \ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_addr_to_bytes(buf1, addrx4 + 1 * 8); \ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_addr_to_bytes(buf2, addrx4 + 2 * 8); \ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_addr_to_bytes(buf3, addrx4 + 3 * 8); \ - \ - memcpy(buf0 + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_BYTES, in0, (inblocks)*PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); \ - memcpy(buf1 + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_BYTES, in1, (inblocks)*PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); \ - memcpy(buf2 + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_BYTES, in2, 
(inblocks)*PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); \ - memcpy(buf3 + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_BYTES, in3, (inblocks)*PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); \ - \ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_haraka_Sx4(out0, out1, out2, out3, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, buf0, buf1, buf2, buf3, \ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_BYTES + (inblocks)*PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, state); \ - } \ - } - -thashx4_variant(1, 1) -thashx4_variant(2, 2) -thashx4_variant(WOTS_LEN, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_LEN) -thashx4_variant(FORS_TREES, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_TREES) diff --git a/crypto_sign/sphincs-haraka-256s-simple/aesni/thashx4.h b/crypto_sign/sphincs-haraka-256s-simple/aesni/thashx4.h deleted file mode 100644 index 407da7d5..00000000 --- a/crypto_sign/sphincs-haraka-256s-simple/aesni/thashx4.h +++ /dev/null @@ -1,25 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_THASHX4_H -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_THASHX4_H - -#include - -#include "hash_state.h" - -#define thashx4_header(inblocks) \ - void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_thashx4_##inblocks(unsigned char *out0, \ - unsigned char *out1, \ - unsigned char *out2, \ - unsigned char *out3, \ - const unsigned char *in0, \ - const unsigned char *in1, \ - const unsigned char *in2, \ - const unsigned char *in3, \ - const unsigned char *pub_seed, uint32_t addrx4[4*8], \ - const hash_state *state_seeded) - -thashx4_header(1); -thashx4_header(2); -thashx4_header(WOTS_LEN); -thashx4_header(FORS_TREES); - -#endif diff --git a/crypto_sign/sphincs-haraka-256s-simple/aesni/utils.c b/crypto_sign/sphincs-haraka-256s-simple/aesni/utils.c deleted file mode 100644 index 75fe4b6a..00000000 --- a/crypto_sign/sphincs-haraka-256s-simple/aesni/utils.c +++ /dev/null 
@@ -1,199 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" -#include "utils.h" - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in) { - - /* Iterate over out in decreasing order, for big-endianness. */ - for (size_t i = outlen; i > 0; i--) { - out[i - 1] = in & 0xff; - in = in >> 8; - } -} - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_bytes_to_ull( - const unsigned char *in, size_t inlen) { - unsigned long long retval = 0; - - for (size_t i = 0; i < inlen; i++) { - retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i)); - } - return retval; -} - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - unsigned char buffer[2 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N]; - - /* If leaf_idx is odd (last bit = 1), current path element is a right child - and auth_path has to go left. Otherwise it is the other way around. 
*/ - if (leaf_idx & 1) { - memcpy(buffer + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, leaf, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); - } else { - memcpy(buffer, leaf, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, auth_path, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N; - - for (i = 0; i < tree_height - 1; i++) { - leaf_idx >>= 1; - idx_offset >>= 1; - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_tree_height(addr, i + 1); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_tree_index( - addr, leaf_idx + idx_offset); - - /* Pick the right or left neighbor, depending on parity of the node. */ - if (leaf_idx & 1) { - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_thash_2( - buffer + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); - } else { - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_thash_2( - buffer, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, auth_path, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N; - } - - /* The last iteration is exceptional; we do not copy an auth_path node. */ - leaf_idx >>= 1; - idx_offset >>= 1; - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_tree_height(addr, tree_height); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_tree_index( - addr, leaf_idx + idx_offset); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_thash_2( - root, buffer, pub_seed, addr, hash_state_seeded); -} - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. 
PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -static void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_treehash( - unsigned char *root, unsigned char *auth_path, - unsigned char *stack, unsigned int *heights, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - - unsigned int offset = 0; - uint32_t idx; - uint32_t tree_idx; - - for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) { - /* Add the next leaf node to the stack. */ - gen_leaf(stack + offset * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, - sk_seed, pub_seed, idx + idx_offset, tree_addr, - hash_state_seeded); - offset++; - heights[offset - 1] = 0; - - /* If this is a node we need for the auth path.. */ - if ((leaf_idx ^ 0x1) == idx) { - memcpy(auth_path, stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); - } - - /* While the top-most nodes are of equal height.. */ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { - /* Compute index of the new node, in the next layer. */ - tree_idx = (idx >> (heights[offset - 1] + 1)); - - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_tree_height( - tree_addr, heights[offset - 1] + 1); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_tree_index( - tree_addr, tree_idx + (idx_offset >> (heights[offset - 1] + 1))); - /* Hash the top-most nodes from the stack together. 
*/ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_thash_2( - stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, - pub_seed, tree_addr, hash_state_seeded); - offset--; - /* Note that the top-most node is now one layer higher. */ - heights[offset - 1]++; - - /* If this is a node we need for the auth path.. */ - if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) { - memcpy(auth_path + heights[offset - 1]*PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, - stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); - } - } - } - memcpy(root, stack, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* 
leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_TREE_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_TREE_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_TREE_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-256s-simple/aesni/utils.h b/crypto_sign/sphincs-haraka-256s-simple/aesni/utils.h deleted file mode 100644 index 85e1c43c..00000000 --- a/crypto_sign/sphincs-haraka-256s-simple/aesni/utils.h +++ /dev/null 
@@ -1,64 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_UTILS_H -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_UTILS_H - -#include "hash_state.h" -#include "params.h" -#include -#include - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in); - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_bytes_to_ull( - const unsigned char *in, size_t inlen); - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. 
- */ -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-256s-simple/aesni/utilsx4.c b/crypto_sign/sphincs-haraka-256s-simple/aesni/utilsx4.c deleted file mode 100644 index 36d91090..00000000 --- a/crypto_sign/sphincs-haraka-256s-simple/aesni/utilsx4.c +++ /dev/null 
@@ -1,98 +0,0 @@ -#include "address.h" -#include "params.h" -#include "thashx4.h" -#include "utils.h" -#include "utilsx4.h" - -#include - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -#define treehashx4_variant(name, tree_height) \ - void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_treehashx4_##name( \ - unsigned char *rootx4, unsigned char *auth_pathx4, const unsigned char *sk_seed, \ - const unsigned char *pub_seed, const uint32_t leaf_idx[4], uint32_t idx_offset[4], \ - void (*gen_leafx4)(unsigned char * /* leaf0 */, unsigned char * /* leaf1 */, \ - unsigned char * /* leaf2 */, unsigned char * /* leaf3 */, \ - const unsigned char * /* sk_seed */, \ - const unsigned char * /* pub_seed */, uint32_t /* addr_idx0 */, \ - uint32_t /* addr_idx1 */, uint32_t /* addr_idx2 */, \ - uint32_t /* addr_idx3 */, const uint32_t[8] /* tree_addr */, \ - const hash_state * /* state_seeded */), \ - uint32_t tree_addrx4[4 * 8], const hash_state *state_seeded) { \ - unsigned char stackx4[4 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N]; \ - unsigned int heights[(tree_height) + 1]; \ - unsigned int offset = 0; \ - uint32_t idx; \ - uint32_t tree_idx; \ - unsigned int j; \ - \ - for (idx = 0; idx < (uint32_t)(1 << (tree_height)); idx++) { \ - /* Add the next leaf node to the stack. 
*/ \ - gen_leafx4(stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N + offset * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, sk_seed, \ - pub_seed, idx + idx_offset[0], idx + idx_offset[1], idx + idx_offset[2], \ - idx + idx_offset[3], tree_addrx4, state_seeded); \ - offset++; \ - heights[offset - 1] = 0; \ - \ - /* If this is a node we need for the auth path.. */ \ - for (j = 0; j < 4; j++) { \ - if ((leaf_idx[j] ^ 0x1) == idx) { \ - memcpy(auth_pathx4 + j * (tree_height)*PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, \ - stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N + (offset - 1) * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, \ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); \ - } \ - } \ - \ - /* While the top-most nodes are of equal height.. */ \ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { \ - /* Compute index of the new node, in the next layer. */ \ - tree_idx = (idx >> (heights[offset - 1] + 1)); \ - \ - /* Set the address of the node we're creating. */ \ - for (j = 0; j < 4; j++) { \ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_tree_height(tree_addrx4 + j * 8, heights[offset - 1] + 1); \ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_tree_index(tree_addrx4 + j * 8, \ - tree_idx + (idx_offset[j] >> (heights[offset - 1] + 1))); \ - } \ - /* Hash the top-most nodes from the stack together. 
*/ \ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_thashx4_2(stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, \ - stackx4 + 0 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, \ - stackx4 + 1 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, \ - stackx4 + 2 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, \ - stackx4 + 3 * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N + (offset - 2) * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, \ - pub_seed, tree_addrx4, state_seeded); \ - offset--; \ - /* Note that the top-most node is now one layer higher. */ \ - heights[offset - 1]++; \ - \ - /* If this is a node we need for the auth path.. 
*/ \ - for (j = 0; j < 4; j++) { \ - if (((leaf_idx[j] >> heights[offset - 1]) ^ 0x1) == tree_idx) { \ - memcpy(auth_pathx4 + j * (tree_height)*PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N + \ - heights[offset - 1] * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, \ - stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N + (offset - 1) * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, \ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); \ - } \ - } \ - } \ - } \ - \ - for (j = 0; j < 4; j++) { \ - memcpy(rootx4 + j * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, stackx4 + j * ((tree_height) + 1) * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); \ - } \ - } - -treehashx4_variant(FORS_HEIGHT, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_FORS_HEIGHT) diff --git a/crypto_sign/sphincs-haraka-256s-simple/aesni/utilsx4.h b/crypto_sign/sphincs-haraka-256s-simple/aesni/utilsx4.h deleted file mode 100644 index d9c5ba19..00000000 --- a/crypto_sign/sphincs-haraka-256s-simple/aesni/utilsx4.h +++ /dev/null 
@@ -1,38 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_UTILSX4_H -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_UTILSX4_H - -#include "hash_state.h" -#include "params.h" - -#include - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_treehashx4_FORS_HEIGHT(unsigned char *rootx4, - unsigned char *auth_pathx4, - const unsigned char *sk_seed, - const unsigned char *pub_seed, - const uint32_t leaf_idx[4], - uint32_t idx_offset[4], - void (*gen_leafx4)(unsigned char * /* leaf0 */, - unsigned char * /* leaf1 */, - unsigned char * /* leaf2 */, - unsigned char * /* leaf3 */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx0 */, - uint32_t /* addr_idx1 */, - uint32_t /* addr_idx2 */, - uint32_t /* addr_idx3 */, - const uint32_t[8] /* tree_addr */, - const hash_state * /* state_seeded */), - uint32_t tree_addrx4[4 * 8], - const hash_state *state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-256s-simple/aesni/wots.c b/crypto_sign/sphincs-haraka-256s-simple/aesni/wots.c deleted file mode 100644 index 1f72634b..00000000 --- a/crypto_sign/sphincs-haraka-256s-simple/aesni/wots.c +++ /dev/null 
@@ -1,240 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "hashx4.h" -#include "params.h" -#include "thash.h" -#include "thashx4.h" -#include "utils.h" -#include "wots.h" - -// TODO clarify address expectations, and make them more uniform. -// TODO i.e. do we expect types to be set already? -// TODO and do we expect modifications or copies? - -/** - * Computes the starting value for a chain, i.e. the secret key. - * Expects the address to be complete up to the chain address. - */ -static void wots_gen_sk(unsigned char *sk, const unsigned char *sk_seed, - uint32_t wots_addr[8], const hash_state *state_seeded) { - /* Make sure that the hash address is actually zeroed. */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_hash_addr(wots_addr, 0); - - /* Generate sk element. */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_prf_addr(sk, sk_seed, wots_addr, state_seeded); -} - -/** - * 4-way parallel version of wots_gen_sk; expects 4x as much space in sk - */ -static void wots_gen_skx4(unsigned char *skx4, const unsigned char *sk_seed, - uint32_t wots_addrx4[4 * 8], const hash_state *state_seeded) { - unsigned int j; - - /* Make sure that the hash address is actually zeroed. */ - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_hash_addr(wots_addrx4 + j * 8, 0); - } - - /* Generate sk element. */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_prf_addrx4(skx4 + 0 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, - skx4 + 1 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, - skx4 + 2 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, - skx4 + 3 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, - sk_seed, wots_addrx4, - state_seeded); -} - -/** - * Computes the chaining function. - * out and in have to be n-byte arrays. - * - * Interprets in as start-th value of the chain. - * addr has to contain the address of the chain. 
- */ -static void gen_chain(unsigned char *out, const unsigned char *in, - unsigned int start, unsigned int steps, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - uint32_t i; - - /* Initialize out with the value at position 'start'. */ - memcpy(out, in, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); - - /* Iterate 'steps' calls to the hash function. */ - for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_W; i++) { - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_hash_addr(addr, i); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_thash_1(out, out, pub_seed, addr, state_seeded); - } -} - -/** - * 4-way parallel version of gen_chain; expects 4x as much space in out, and - * 4x as much space in inx4. Assumes start and step identical across chains. - */ -static void gen_chainx4(unsigned char *outx4, const unsigned char *inx4, - unsigned int start, unsigned int steps, - const unsigned char *pub_seed, uint32_t addrx4[4 * 8], - const hash_state *state_seeded) { - uint32_t i; - unsigned int j; - - /* Initialize outx4 with the value at position 'start'. */ - memcpy(outx4, inx4, 4 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); - - /* Iterate 'steps' calls to the hash function. 
*/ - for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_W; i++) { - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_hash_addr(addrx4 + j * 8, i); - } - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_thashx4_1(outx4 + 0 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, - outx4 + 1 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, - outx4 + 2 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, - outx4 + 3 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, - outx4 + 0 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, - outx4 + 1 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, - outx4 + 2 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, - outx4 + 3 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, - pub_seed, addrx4, - state_seeded); - } -} - -/** - * base_w algorithm as described in draft. - * Interprets an array of bytes as integers in base w. - * This only works when log_w is a divisor of 8. - */ -static void base_w(unsigned int *output, const int out_len, const unsigned char *input) { - int in = 0; - int out = 0; - unsigned char total = 0; - int bits = 0; - int consumed; - - for (consumed = 0; consumed < out_len; consumed++) { - if (bits == 0) { - total = input[in]; - in++; - bits += 8; - } - bits -= PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_LOGW; - output[out] = (unsigned int)(total >> bits) & (PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_W - 1); - out++; - } -} - -/* Computes the WOTS+ checksum over a message (in base_w). */ -static void wots_checksum(unsigned int *csum_base_w, const unsigned int *msg_base_w) { - unsigned int csum = 0; - unsigned char csum_bytes[(PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_LOGW + 7) / 8]; - unsigned int i; - - /* Compute checksum. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_LEN1; i++) { - csum += PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_W - 1 - msg_base_w[i]; - } - - /* Convert checksum to base_w. 
*/ - /* Make sure expected empty zero bits are the least significant bits. */ - csum = csum << (8 - ((PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_LOGW) % 8)); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_ull_to_bytes(csum_bytes, sizeof(csum_bytes), csum); - base_w(csum_base_w, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_LEN2, csum_bytes); -} - -/* Takes a message and derives the matching chain lengths. */ -static void chain_lengths(unsigned int *lengths, const unsigned char *msg) { - base_w(lengths, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_LEN1, msg); - wots_checksum(lengths + PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_LEN1, lengths); -} - -/** - * WOTS key generation. Takes a 32 byte sk_seed, expands it to WOTS private key - * elements and computes the corresponding public key. - * It requires the seed pub_seed (used to generate bitmasks and hash keys) - * and the address of this WOTS key pair. - * - * Writes the computed public key to 'pk'. - */ -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_wots_gen_pk(unsigned char *pk, const unsigned char *sk_seed, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - uint32_t i; - unsigned int j; - - uint32_t addrx4[4 * 8]; - unsigned char pkbuf[4 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N]; - - for (j = 0; j < 4; j++) { - memcpy(addrx4 + j * 8, addr, sizeof(uint32_t) * 8); - } - - /* The last iteration typically does not have complete set of 4 chains, - but because we use pkbuf, this is not an issue -- we still do as many - in parallel as possible. 
*/ - for (i = 0; i < ((PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_LEN + 3) & ~0x3); i += 4) { - for (j = 0; j < 4; j++) { - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_chain_addr(addrx4 + j * 8, i + j); - } - wots_gen_skx4(pkbuf, sk_seed, addrx4, state_seeded); - gen_chainx4(pkbuf, pkbuf, 0, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_W - 1, pub_seed, addrx4, state_seeded); - for (j = 0; j < 4; j++) { - if (i + j < PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_LEN) { - memcpy(pk + (i + j)*PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, pkbuf + j * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N); - } - } - } - - // Get rid of unused argument variable. - (void)state_seeded; -} - -/** - * Takes a n-byte message and the 32-byte sk_see to compute a signature 'sig'. - */ -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_wots_sign(unsigned char *sig, const unsigned char *msg, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t addr[8], const hash_state *state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_chain_addr(addr, i); - wots_gen_sk(sig + i * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, sk_seed, addr, state_seeded); - gen_chain(sig + i * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, sig + i * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, 0, lengths[i], pub_seed, addr, state_seeded); - } - - // avoid unused argument - (void)state_seeded; -} - -/** - * Takes a WOTS signature and an n-byte message, computes a WOTS public key. - * - * Writes the computed public key to 'pk'. 
- */ -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_wots_pk_from_sig(unsigned char *pk, - const unsigned char *sig, const unsigned char *msg, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *state_seeded) { - unsigned int lengths[PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_LEN]; - uint32_t i; - - chain_lengths(lengths, msg); - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_LEN; i++) { - PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_set_chain_addr(addr, i); - gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, sig + i * PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_N, - lengths[i], PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_W - 1 - lengths[i], pub_seed, addr, - state_seeded); - } - - // avoid unused argument - (void)state_seeded; -} diff --git a/crypto_sign/sphincs-haraka-256s-simple/aesni/wots.h b/crypto_sign/sphincs-haraka-256s-simple/aesni/wots.h deleted file mode 100644 index 7bf3f4d1..00000000 --- a/crypto_sign/sphincs-haraka-256s-simple/aesni/wots.h +++ /dev/null 
@@ -1,41 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_H
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_WOTS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-
-/**
- * WOTS key generation. Takes a 32 byte seed for the private key, expands it to
- * a full WOTS private key and computes the corresponding public key.
- * It requires the seed pub_seed (used to generate bitmasks and hash keys)
- * and the address of this WOTS key pair.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_wots_gen_pk(
- unsigned char *pk, const unsigned char *sk_seed,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * Takes a n-byte message and the 32-byte seed for the private key to compute a
- * signature that is placed at 'sig'.
- */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_wots_sign(
- unsigned char *sig, const unsigned char *msg,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_AESNI_wots_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256s-simple/aesni/wots.h b/crypto_sign/sphincs-haraka-256s-simple/aesni/wots.h
deleted file mode 100644
index 7bf3f4d1..00000000
--- a/crypto_sign/sphincs-haraka-256s-simple/aesni/wots.h
+++ /dev/null
@@ -1,116 +0,0 @@ -CC0 1.0 Universal - -Statement of Purpose - -The laws of most jurisdictions throughout the world automatically confer -exclusive Copyright and Related Rights (defined below) upon the creator and -subsequent owner(s) (each and all, an "owner") of an original work of -authorship and/or a database (each, a "Work"). - -Certain owners wish to permanently relinquish those rights to a Work for the -purpose of contributing to a commons of creative, cultural and scientific -works ("Commons") that the public can reliably and without fear of later -claims of infringement build upon, modify, incorporate in other works, reuse -and redistribute as freely as possible in any form whatsoever and for any -purposes, including without limitation commercial purposes. These owners may -contribute to the Commons to promote the ideal of a free culture and the -further production of creative, cultural and scientific works, or to gain -reputation or greater distribution for their Work in part through the use and -efforts of others. - -For these and/or other purposes and motivations, and without any expectation -of additional consideration or compensation, the person associating CC0 with a -Work (the "Affirmer"), to the extent that he or she is an owner of Copyright -and Related Rights in the Work, voluntarily elects to apply CC0 to the Work -and publicly distribute the Work under its terms, with knowledge of his or her -Copyright and Related Rights in the Work and the meaning and intended legal -effect of CC0 on those rights. - -1. Copyright and Related Rights. A Work made available under CC0 may be -protected by copyright and related or neighboring rights ("Copyright and -Related Rights"). Copyright and Related Rights include, but are not limited -to, the following: - - i. the right to reproduce, adapt, distribute, perform, display, communicate, - and translate a Work; - - ii. moral rights retained by the original author(s) and/or performer(s); - - iii. 
publicity and privacy rights pertaining to a person's image or likeness - depicted in a Work; - - iv. rights protecting against unfair competition in regards to a Work, - subject to the limitations in paragraph 4(a), below; - - v. rights protecting the extraction, dissemination, use and reuse of data in - a Work; - - vi. database rights (such as those arising under Directive 96/9/EC of the - European Parliament and of the Council of 11 March 1996 on the legal - protection of databases, and under any national implementation thereof, - including any amended or successor version of such directive); and - - vii. other similar, equivalent or corresponding rights throughout the world - based on applicable law or treaty, and any national implementations thereof. - -2. Waiver. To the greatest extent permitted by, but not in contravention of, -applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and -unconditionally waives, abandons, and surrenders all of Affirmer's Copyright -and Related Rights and associated claims and causes of action, whether now -known or unknown (including existing as well as future claims and causes of -action), in the Work (i) in all territories worldwide, (ii) for the maximum -duration provided by applicable law or treaty (including future time -extensions), (iii) in any current or future medium and for any number of -copies, and (iv) for any purpose whatsoever, including without limitation -commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes -the Waiver for the benefit of each member of the public at large and to the -detriment of Affirmer's heirs and successors, fully intending that such Waiver -shall not be subject to revocation, rescission, cancellation, termination, or -any other legal or equitable action to disrupt the quiet enjoyment of the Work -by the public as contemplated by Affirmer's express Statement of Purpose. - -3. Public License Fallback. 
Should any part of the Waiver for any reason be -judged legally invalid or ineffective under applicable law, then the Waiver -shall be preserved to the maximum extent permitted taking into account -Affirmer's express Statement of Purpose. In addition, to the extent the Waiver -is so judged Affirmer hereby grants to each affected person a royalty-free, -non transferable, non sublicensable, non exclusive, irrevocable and -unconditional license to exercise Affirmer's Copyright and Related Rights in -the Work (i) in all territories worldwide, (ii) for the maximum duration -provided by applicable law or treaty (including future time extensions), (iii) -in any current or future medium and for any number of copies, and (iv) for any -purpose whatsoever, including without limitation commercial, advertising or -promotional purposes (the "License"). The License shall be deemed effective as -of the date CC0 was applied by Affirmer to the Work. Should any part of the -License for any reason be judged legally invalid or ineffective under -applicable law, such partial invalidity or ineffectiveness shall not -invalidate the remainder of the License, and in such case Affirmer hereby -affirms that he or she will not (i) exercise any of his or her remaining -Copyright and Related Rights in the Work or (ii) assert any associated claims -and causes of action with respect to the Work, in either case contrary to -Affirmer's express Statement of Purpose. - -4. Limitations and Disclaimers. - - a. No trademark or patent rights held by Affirmer are waived, abandoned, - surrendered, licensed or otherwise affected by this document. - - b. 
Affirmer offers the Work as-is and makes no representations or warranties - of any kind concerning the Work, express, implied, statutory or otherwise, - including without limitation warranties of title, merchantability, fitness - for a particular purpose, non infringement, or the absence of latent or - other defects, accuracy, or the present or absence of errors, whether or not - discoverable, all to the greatest extent permissible under applicable law. - - c. Affirmer disclaims responsibility for clearing rights of other persons - that may apply to the Work or any use thereof, including without limitation - any person's Copyright and Related Rights in the Work. Further, Affirmer - disclaims responsibility for obtaining any necessary consents, permissions - or other rights required for any use of the Work. - - d. Affirmer understands and acknowledges that Creative Commons is not a - party to this document and has no duty or obligation with respect to this - CC0 or use of the Work. - -For more information, please see - diff --git a/crypto_sign/sphincs-haraka-256s-simple/clean/Makefile.Microsoft_nmake b/crypto_sign/sphincs-haraka-256s-simple/clean/Makefile.Microsoft_nmake deleted file mode 100644 index e5386476..00000000 --- a/crypto_sign/sphincs-haraka-256s-simple/clean/Makefile.Microsoft_nmake +++ /dev/null @@ -1,19 +0,0 @@ -# This Makefile can be used with Microsoft Visual Studio's nmake using the command: -# nmake /f Makefile.Microsoft_nmake - -LIBRARY=libsphincs-haraka-256s-simple_clean.lib -OBJECTS=address.obj wots.obj utils.obj fors.obj sign.obj hash_haraka.obj thash_haraka_simple.obj haraka.obj - -CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX - -all: $(LIBRARY) - -# Make sure objects are recompiled if headers change. -$(OBJECTS): *.h - -$(LIBRARY): $(OBJECTS) - LIB.EXE /NOLOGO /WX /OUT:$@ $** - -clean: - -DEL $(OBJECTS) - -DEL $(LIBRARY) 
diff --git a/crypto_sign/sphincs-haraka-256s-simple/clean/address.c b/crypto_sign/sphincs-haraka-256s-simple/clean/address.c
deleted file mode 100644
index 89206539..00000000
--- a/crypto_sign/sphincs-haraka-256s-simple/clean/address.c
+++ /dev/null
@@ -1,78 +0,0 @@
-#include
-
-#include "address.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]) {
- int i;
-
- for (i = 0; i < 8; i++) {
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ull_to_bytes(
- bytes + i * 4, 4, addr[i]);
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_layer_addr(
- uint32_t addr[8], uint32_t layer) {
- addr[0] = layer;
-}
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_tree_addr(
- uint32_t addr[8], uint64_t tree) {
- addr[1] = 0;
- addr[2] = (uint32_t) (tree >> 32);
- addr[3] = (uint32_t) tree;
-}
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_type(
- uint32_t addr[8], uint32_t type) {
- addr[4] = type;
-}
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
-}
-
-/* These functions are used for OTS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair) {
- addr[5] = keypair;
-}
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]) {
- out[0] = in[0];
- out[1] = in[1];
- out[2] = in[2];
- out[3] = in[3];
- out[5] = in[5];
-}
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_chain_addr(
- uint32_t addr[8], uint32_t chain) {
- addr[6] = chain;
-}
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_hash_addr(
- uint32_t addr[8], uint32_t hash) {
- addr[7] = hash;
-}
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_tree_height(
- uint32_t addr[8], uint32_t tree_height) {
- addr[6] = tree_height;
-}
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_tree_index(
- uint32_t addr[8], uint32_t tree_index) {
- addr[7] = tree_index;
-}
diff --git a/crypto_sign/sphincs-haraka-256s-simple/clean/address.h b/crypto_sign/sphincs-haraka-256s-simple/clean/address.h
deleted file mode 100644
index 23870ee7..00000000
--- a/crypto_sign/sphincs-haraka-256s-simple/clean/address.h
+++ /dev/null
@@ -1,50 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDRESS_H
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDRESS_H
-
-#include
-
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_TYPE_WOTS 0
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_TYPE_WOTSPK 1
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_TYPE_HASHTREE 2
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_TYPE_FORSTREE 3
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_TYPE_FORSPK 4
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_addr_to_bytes(
- unsigned char *bytes, const uint32_t addr[8]);
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_layer_addr(
- uint32_t addr[8], uint32_t layer);
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_tree_addr(
- uint32_t addr[8], uint64_t tree);
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_type(
- uint32_t addr[8], uint32_t type);
-
-/* Copies the layer and tree part of one address into the other */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_copy_subtree_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for WOTS and FORS addresses. */
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_keypair_addr(
- uint32_t addr[8], uint32_t keypair);
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_chain_addr(
- uint32_t addr[8], uint32_t chain);
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_hash_addr(
- uint32_t addr[8], uint32_t hash);
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_copy_keypair_addr(
- uint32_t out[8], const uint32_t in[8]);
-
-/* These functions are used for all hash tree addresses (including FORS). */
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_tree_height(
- uint32_t addr[8], uint32_t tree_height);
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_tree_index(
- uint32_t addr[8], uint32_t tree_index);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256s-simple/clean/api.h b/crypto_sign/sphincs-haraka-256s-simple/clean/api.h
deleted file mode 100644
index 99ef1ee6..00000000
--- a/crypto_sign/sphincs-haraka-256s-simple/clean/api.h
+++ /dev/null
@@ -1,81 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_API_H
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_API_H
-
-#include
-#include
-
-
-
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_CRYPTO_ALGNAME "SPHINCS+"
-
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_CRYPTO_SECRETKEYBYTES 128
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_CRYPTO_PUBLICKEYBYTES 64
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_CRYPTO_BYTES 29792
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_CRYPTO_SEEDBYTES 96
-
-
-/*
- * Returns the length of a secret key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_crypto_sign_secretkeybytes(void);
-
-/*
- * Returns the length of a public key, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_crypto_sign_publickeybytes(void);
-
-/*
- * Returns the length of a signature, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_crypto_sign_bytes(void);
-
-/*
- * Returns the length of the seed required to generate a key pair, in bytes
- */
-size_t PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_crypto_sign_seedbytes(void);
-
-/*
- * Generates a SPHINCS+ key pair given a seed.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_crypto_sign_seed_keypair(
- uint8_t *pk, uint8_t *sk, const uint8_t *seed);
-
-/*
- * Generates a SPHINCS+ key pair.
- * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root]
- * Format pk: [root || PUB_SEED]
- */
-int PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_crypto_sign_keypair(
- uint8_t *pk, uint8_t *sk);
-
-/**
- * Returns an array containing a detached signature.
- */
-int PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a detached signature and message under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-/**
- * Returns an array containing the signature followed by the message.
- */
-int PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-/**
- * Verifies a given signature-message pair under a given public key.
- */
-int PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen, const uint8_t *pk);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256s-simple/clean/fors.c b/crypto_sign/sphincs-haraka-256s-simple/clean/fors.c
deleted file mode 100644
index 41db5d2f..00000000
--- a/crypto_sign/sphincs-haraka-256s-simple/clean/fors.c
+++ /dev/null
@@ -1,161 +0,0 @@
-#include
-#include
-#include
-
-#include "address.h"
-#include "fors.h"
-#include "hash.h"
-#include "hash_state.h"
-#include "thash.h"
-#include "utils.h"
-
-static void fors_gen_sk(unsigned char *sk, const unsigned char *sk_seed,
- uint32_t fors_leaf_addr[8], const hash_state *hash_state_seeded) {
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_prf_addr(
- sk, sk_seed, fors_leaf_addr, hash_state_seeded);
-}
-
-static void fors_sk_to_leaf(unsigned char *leaf, const unsigned char *sk,
- const unsigned char *pub_seed,
- uint32_t fors_leaf_addr[8],
- const hash_state *hash_state_seeded) {
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_thash_1(
- leaf, sk, pub_seed, fors_leaf_addr, hash_state_seeded);
-}
-
-static void fors_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed,
- const unsigned char *pub_seed,
- uint32_t addr_idx, const uint32_t fors_tree_addr[8],
- const hash_state *hash_state_seeded) {
- uint32_t fors_leaf_addr[8] = {0};
-
- /* Only copy the parts that must be kept in fors_leaf_addr. */
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_copy_keypair_addr(
- fors_leaf_addr, fors_tree_addr);
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_type(
- fors_leaf_addr, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_TYPE_FORSTREE);
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_tree_index(
- fors_leaf_addr, addr_idx);
-
- fors_gen_sk(leaf, sk_seed, fors_leaf_addr, hash_state_seeded);
- fors_sk_to_leaf(leaf, leaf, pub_seed, fors_leaf_addr, hash_state_seeded);
-}
-
-/**
- * Interprets m as PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_HEIGHT-bit unsigned integers.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_TREES bits.
- * Assumes indices has space for PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_TREES integers.
- */
-static void message_to_indices(uint32_t *indices, const unsigned char *m) {
- unsigned int i, j;
- unsigned int offset = 0;
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_TREES; i++) {
- indices[i] = 0;
- for (j = 0; j < PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_HEIGHT; j++) {
- indices[i] ^= (((uint32_t)m[offset >> 3] >> (offset & 0x7)) & 0x1) << j;
- offset++;
- }
- }
-}
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_fors_sign(
- unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- const uint32_t fors_addr[8], const hash_state *hash_state_seeded) {
- uint32_t indices[PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_TREES];
- unsigned char roots[PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N];
- uint32_t fors_tree_addr[8] = {0};
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset;
- unsigned int i;
-
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_copy_keypair_addr(
- fors_tree_addr, fors_addr);
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_copy_keypair_addr(
- fors_pk_addr, fors_addr);
-
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_type(
- fors_tree_addr, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_TYPE_FORSTREE);
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_type(
- fors_pk_addr, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_TREES; i++) {
- idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_HEIGHT);
-
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_tree_height(
- fors_tree_addr, 0);
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_tree_index(
- fors_tree_addr, indices[i] + idx_offset);
-
- /* Include the secret key part that produces the selected leaf node. */
- fors_gen_sk(sig, sk_seed, fors_tree_addr, hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N;
-
- /* Compute the authentication path for this leaf node. */
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_treehash_FORS_HEIGHT(
- roots + i * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, sig, sk_seed, pub_seed,
- indices[i], idx_offset, fors_gen_leaf, fors_tree_addr,
- hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_thash_FORS_TREES(
- pk, roots, pub_seed, fors_pk_addr, hash_state_seeded);
-}
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_fors_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const unsigned char *pub_seed, const uint32_t fors_addr[8],
- const hash_state *hash_state_seeded) {
- uint32_t indices[PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_TREES];
- unsigned char roots[PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N];
- unsigned char leaf[PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N];
- uint32_t fors_tree_addr[8] = {0};
- uint32_t fors_pk_addr[8] = {0};
- uint32_t idx_offset;
- unsigned int i;
-
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_copy_keypair_addr(fors_tree_addr, fors_addr);
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_copy_keypair_addr(fors_pk_addr, fors_addr);
-
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_type(fors_tree_addr, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_TYPE_FORSTREE);
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_type(fors_pk_addr, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_TYPE_FORSPK);
-
- message_to_indices(indices, m);
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_TREES; i++) {
- idx_offset = i * (1 << PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_HEIGHT);
-
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_tree_height(fors_tree_addr, 0);
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_tree_index(fors_tree_addr, indices[i] + idx_offset);
-
- /* Derive the leaf from the included secret key part. */
- fors_sk_to_leaf(leaf, sig, pub_seed, fors_tree_addr, hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N;
-
- /* Derive the corresponding root node of this tree. */
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_compute_root(roots + i * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, leaf, indices[i], idx_offset, sig,
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_HEIGHT, pub_seed, fors_tree_addr, hash_state_seeded);
- sig += PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_HEIGHT;
- }
-
- /* Hash horizontally across all tree roots to derive the public key. */
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_thash_FORS_TREES(pk, roots, pub_seed, fors_pk_addr, hash_state_seeded);
-}
diff --git a/crypto_sign/sphincs-haraka-256s-simple/clean/fors.h b/crypto_sign/sphincs-haraka-256s-simple/clean/fors.h
deleted file mode 100644
index 6417d555..00000000
--- a/crypto_sign/sphincs-haraka-256s-simple/clean/fors.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_H
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_H
-
-#include
-
-#include "hash_state.h"
-#include "params.h"
-
-/**
- * Signs a message m, deriving the secret key from sk_seed and the FTS address.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_fors_sign(
- unsigned char *sig, unsigned char *pk,
- const unsigned char *m,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- const uint32_t fors_addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Derives the FORS public key from a signature.
- * This can be used for verification by comparing to a known public key, or to
- * subsequently verify a signature on the derived public key. The latter is the
- * typical use-case when used as an FTS below an OTS in a hypertree.
- * Assumes m contains at least PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_TREES bits.
- */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_fors_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *m,
- const unsigned char *pub_seed, const uint32_t fors_addr[8],
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256s-simple/clean/haraka.c b/crypto_sign/sphincs-haraka-256s-simple/clean/haraka.c
deleted file mode 100644
index b8b9c449..00000000
--- a/crypto_sign/sphincs-haraka-256s-simple/clean/haraka.c
+++ /dev/null
@@ -1,963 +0,0 @@ -/* - * Constant time implementation of the Haraka hash function. - * - * The bit-sliced implementation of the AES round functions are - * based on the AES implementation in BearSSL written - * by Thomas Pornin - */ - -#include -#include -#include -#include - -#include "haraka.h" - -#define HARAKAS_RATE 32 - -static const uint64_t haraka512_rc64[10][8] = { - {0x24cf0ab9086f628b, 0xbdd6eeecc83b8382, 0xd96fb0306cdad0a7, 0xaace082ac8f95f89, 0x449d8e8870d7041f, 0x49bb2f80b2b3e2f8, 0x0569ae98d93bb258, 0x23dc9691e7d6a4b1}, - {0xd8ba10ede0fe5b6e, 0x7ecf7dbe424c7b8e, 0x6ea9949c6df62a31, 0xbf3f3c97ec9c313e, 0x241d03a196a1861e, 0xead3a51116e5a2ea, 0x77d479fcad9574e3, 0x18657a1af894b7a0}, - {0x10671e1a7f595522, 0xd9a00ff675d28c7b, 0x2f1edf0d2b9ba661, 0xb8ff58b8e3de45f9, 0xee29261da9865c02, 0xd1532aa4b50bdf43, 0x8bf858159b231bb1, 0xdf17439d22d4f599}, - {0xdd4b2f0870b918c0, 0x757a81f3b39b1bb6, 0x7a5c556898952e3f, 0x7dd70a16d915d87a, 0x3ae61971982b8301, 0xc3ab319e030412be, 0x17c0033ac094a8cb, 0x5a0630fc1a8dc4ef}, - {0x17708988c1632f73, 0xf92ddae090b44f4f, 0x11ac0285c43aa314, 0x509059941936b8ba, 0xd03e152fa2ce9b69, 0x3fbcbcb63a32998b, 0x6204696d692254f7, 0x915542ed93ec59b4}, - {0xf4ed94aa8879236e, 0xff6cb41cd38e03c0, 0x069b38602368aeab, 0x669495b820f0ddba, 0xf42013b1b8bf9e3d, 0xcf935efe6439734d, 0xbc1dcf42ca29e3f8, 0x7e6d3ed29f78ad67}, - {0xf3b0f6837ffcddaa, 0x3a76faef934ddf41, 0xcec7ae583a9c8e35, 0xe4dd18c68f0260af, 0x2c0e5df1ad398eaa, 0x478df5236ae22e8c, 0xfb944c46fe865f39, 0xaa48f82f028132ba}, - {0x231b9ae2b76aca77, 0x292a76a712db0b40, 0x5850625dc8134491, 0x73137dd469810fb5, 0x8a12a6a202a474fd, 0xd36fd9daa78bdb80, 0xb34c5e733505706f, 0xbaf1cdca818d9d96}, - {0x2e99781335e8c641, 0xbddfe5cce47d560e, 0xf74e9bf32e5e040c, 0x1d7a709d65996be9, 0x670df36a9cf66cdd, 0xd05ef84a176a2875, 0x0f888e828cb1c44e, 0x1a79e9c9727b052c}, - {0x83497348628d84de, 0x2e9387d51f22a754, 0xb000068da2f852d6, 0x378c9e1190fd6fe5, 0x870027c316de7293, 0xe51a9d4462e047bb, 0x90ecf7f8c6251195, 
0x655953bfbed90a9c}, -}; - -static inline uint32_t br_dec32le(const unsigned char *src) { - return (uint32_t)src[0] - | ((uint32_t)src[1] << 8) - | ((uint32_t)src[2] << 16) - | ((uint32_t)src[3] << 24); -} - -static void br_range_dec32le(uint32_t *v, size_t num, const unsigned char *src) { - while (num-- > 0) { - *v ++ = br_dec32le(src); - src += 4; - } -} - -static inline void br_enc32le(unsigned char *dst, uint32_t x) { - dst[0] = (unsigned char)x; - dst[1] = (unsigned char)(x >> 8); - dst[2] = (unsigned char)(x >> 16); - dst[3] = (unsigned char)(x >> 24); -} - - -static void br_range_enc32le(unsigned char *dst, const uint32_t *v, size_t num) { - while (num-- > 0) { - br_enc32le(dst, *v ++); - dst += 4; - } -} - -static void br_aes_ct64_bitslice_Sbox(uint64_t *q) { - /* - * This S-box implementation is a straightforward translation of - * the circuit described by Boyar and Peralta in "A new - * combinational logic minimization technique with applications - * to cryptology" (https://eprint.iacr.org/2009/191.pdf). - * - * Note that variables x* (input) and s* (output) are numbered - * in "reverse" order (x0 is the high bit, x7 is the low bit). 
- */ - - uint64_t x0, x1, x2, x3, x4, x5, x6, x7; - uint64_t y1, y2, y3, y4, y5, y6, y7, y8, y9; - uint64_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19; - uint64_t y20, y21; - uint64_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9; - uint64_t z10, z11, z12, z13, z14, z15, z16, z17; - uint64_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9; - uint64_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19; - uint64_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29; - uint64_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39; - uint64_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49; - uint64_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59; - uint64_t t60, t61, t62, t63, t64, t65, t66, t67; - uint64_t s0, s1, s2, s3, s4, s5, s6, s7; - - x0 = q[7]; - x1 = q[6]; - x2 = q[5]; - x3 = q[4]; - x4 = q[3]; - x5 = q[2]; - x6 = q[1]; - x7 = q[0]; - - /* - * Top linear transformation. - */ - y14 = x3 ^ x5; - y13 = x0 ^ x6; - y9 = x0 ^ x3; - y8 = x0 ^ x5; - t0 = x1 ^ x2; - y1 = t0 ^ x7; - y4 = y1 ^ x3; - y12 = y13 ^ y14; - y2 = y1 ^ x0; - y5 = y1 ^ x6; - y3 = y5 ^ y8; - t1 = x4 ^ y12; - y15 = t1 ^ x5; - y20 = t1 ^ x1; - y6 = y15 ^ x7; - y10 = y15 ^ t0; - y11 = y20 ^ y9; - y7 = x7 ^ y11; - y17 = y10 ^ y11; - y19 = y10 ^ y8; - y16 = t0 ^ y11; - y21 = y13 ^ y16; - y18 = x0 ^ y16; - - /* - * Non-linear section. 
- */ - t2 = y12 & y15; - t3 = y3 & y6; - t4 = t3 ^ t2; - t5 = y4 & x7; - t6 = t5 ^ t2; - t7 = y13 & y16; - t8 = y5 & y1; - t9 = t8 ^ t7; - t10 = y2 & y7; - t11 = t10 ^ t7; - t12 = y9 & y11; - t13 = y14 & y17; - t14 = t13 ^ t12; - t15 = y8 & y10; - t16 = t15 ^ t12; - t17 = t4 ^ t14; - t18 = t6 ^ t16; - t19 = t9 ^ t14; - t20 = t11 ^ t16; - t21 = t17 ^ y20; - t22 = t18 ^ y19; - t23 = t19 ^ y21; - t24 = t20 ^ y18; - - t25 = t21 ^ t22; - t26 = t21 & t23; - t27 = t24 ^ t26; - t28 = t25 & t27; - t29 = t28 ^ t22; - t30 = t23 ^ t24; - t31 = t22 ^ t26; - t32 = t31 & t30; - t33 = t32 ^ t24; - t34 = t23 ^ t33; - t35 = t27 ^ t33; - t36 = t24 & t35; - t37 = t36 ^ t34; - t38 = t27 ^ t36; - t39 = t29 & t38; - t40 = t25 ^ t39; - - t41 = t40 ^ t37; - t42 = t29 ^ t33; - t43 = t29 ^ t40; - t44 = t33 ^ t37; - t45 = t42 ^ t41; - z0 = t44 & y15; - z1 = t37 & y6; - z2 = t33 & x7; - z3 = t43 & y16; - z4 = t40 & y1; - z5 = t29 & y7; - z6 = t42 & y11; - z7 = t45 & y17; - z8 = t41 & y10; - z9 = t44 & y12; - z10 = t37 & y3; - z11 = t33 & y4; - z12 = t43 & y13; - z13 = t40 & y5; - z14 = t29 & y2; - z15 = t42 & y9; - z16 = t45 & y14; - z17 = t41 & y8; - - /* - * Bottom linear transformation. 
- */ - t46 = z15 ^ z16; - t47 = z10 ^ z11; - t48 = z5 ^ z13; - t49 = z9 ^ z10; - t50 = z2 ^ z12; - t51 = z2 ^ z5; - t52 = z7 ^ z8; - t53 = z0 ^ z3; - t54 = z6 ^ z7; - t55 = z16 ^ z17; - t56 = z12 ^ t48; - t57 = t50 ^ t53; - t58 = z4 ^ t46; - t59 = z3 ^ t54; - t60 = t46 ^ t57; - t61 = z14 ^ t57; - t62 = t52 ^ t58; - t63 = t49 ^ t58; - t64 = z4 ^ t59; - t65 = t61 ^ t62; - t66 = z1 ^ t63; - s0 = t59 ^ t63; - s6 = t56 ^ ~t62; - s7 = t48 ^ ~t60; - t67 = t64 ^ t65; - s3 = t53 ^ t66; - s4 = t51 ^ t66; - s5 = t47 ^ t65; - s1 = t64 ^ ~s3; - s2 = t55 ^ ~t67; - - q[7] = s0; - q[6] = s1; - q[5] = s2; - q[4] = s3; - q[3] = s4; - q[2] = s5; - q[1] = s6; - q[0] = s7; -} - -static void br_aes_ct_bitslice_Sbox(uint32_t *q) { - /* - * This S-box implementation is a straightforward translation of - * the circuit described by Boyar and Peralta in "A new - * combinational logic minimization technique with applications - * to cryptology" (https://eprint.iacr.org/2009/191.pdf). - * - * Note that variables x* (input) and s* (output) are numbered - * in "reverse" order (x0 is the high bit, x7 is the low bit). - */ - - uint32_t x0, x1, x2, x3, x4, x5, x6, x7; - uint32_t y1, y2, y3, y4, y5, y6, y7, y8, y9; - uint32_t y10, y11, y12, y13, y14, y15, y16, y17, y18, y19; - uint32_t y20, y21; - uint32_t z0, z1, z2, z3, z4, z5, z6, z7, z8, z9; - uint32_t z10, z11, z12, z13, z14, z15, z16, z17; - uint32_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9; - uint32_t t10, t11, t12, t13, t14, t15, t16, t17, t18, t19; - uint32_t t20, t21, t22, t23, t24, t25, t26, t27, t28, t29; - uint32_t t30, t31, t32, t33, t34, t35, t36, t37, t38, t39; - uint32_t t40, t41, t42, t43, t44, t45, t46, t47, t48, t49; - uint32_t t50, t51, t52, t53, t54, t55, t56, t57, t58, t59; - uint32_t t60, t61, t62, t63, t64, t65, t66, t67; - uint32_t s0, s1, s2, s3, s4, s5, s6, s7; - - x0 = q[7]; - x1 = q[6]; - x2 = q[5]; - x3 = q[4]; - x4 = q[3]; - x5 = q[2]; - x6 = q[1]; - x7 = q[0]; - - /* - * Top linear transformation. 
- */
- y14 = x3 ^ x5;
- y13 = x0 ^ x6;
- y9 = x0 ^ x3;
- y8 = x0 ^ x5;
- t0 = x1 ^ x2;
- y1 = t0 ^ x7;
- y4 = y1 ^ x3;
- y12 = y13 ^ y14;
- y2 = y1 ^ x0;
- y5 = y1 ^ x6;
- y3 = y5 ^ y8;
- t1 = x4 ^ y12;
- y15 = t1 ^ x5;
- y20 = t1 ^ x1;
- y6 = y15 ^ x7;
- y10 = y15 ^ t0;
- y11 = y20 ^ y9;
- y7 = x7 ^ y11;
- y17 = y10 ^ y11;
- y19 = y10 ^ y8;
- y16 = t0 ^ y11;
- y21 = y13 ^ y16;
- y18 = x0 ^ y16;
-
- /*
- * Non-linear section.
- */
- t2 = y12 & y15;
- t3 = y3 & y6;
- t4 = t3 ^ t2;
- t5 = y4 & x7;
- t6 = t5 ^ t2;
- t7 = y13 & y16;
- t8 = y5 & y1;
- t9 = t8 ^ t7;
- t10 = y2 & y7;
- t11 = t10 ^ t7;
- t12 = y9 & y11;
- t13 = y14 & y17;
- t14 = t13 ^ t12;
- t15 = y8 & y10;
- t16 = t15 ^ t12;
- t17 = t4 ^ t14;
- t18 = t6 ^ t16;
- t19 = t9 ^ t14;
- t20 = t11 ^ t16;
- t21 = t17 ^ y20;
- t22 = t18 ^ y19;
- t23 = t19 ^ y21;
- t24 = t20 ^ y18;
-
- t25 = t21 ^ t22;
- t26 = t21 & t23;
- t27 = t24 ^ t26;
- t28 = t25 & t27;
- t29 = t28 ^ t22;
- t30 = t23 ^ t24;
- t31 = t22 ^ t26;
- t32 = t31 & t30;
- t33 = t32 ^ t24;
- t34 = t23 ^ t33;
- t35 = t27 ^ t33;
- t36 = t24 & t35;
- t37 = t36 ^ t34;
- t38 = t27 ^ t36;
- t39 = t29 & t38;
- t40 = t25 ^ t39;
-
- t41 = t40 ^ t37;
- t42 = t29 ^ t33;
- t43 = t29 ^ t40;
- t44 = t33 ^ t37;
- t45 = t42 ^ t41;
- z0 = t44 & y15;
- z1 = t37 & y6;
- z2 = t33 & x7;
- z3 = t43 & y16;
- z4 = t40 & y1;
- z5 = t29 & y7;
- z6 = t42 & y11;
- z7 = t45 & y17;
- z8 = t41 & y10;
- z9 = t44 & y12;
- z10 = t37 & y3;
- z11 = t33 & y4;
- z12 = t43 & y13;
- z13 = t40 & y5;
- z14 = t29 & y2;
- z15 = t42 & y9;
- z16 = t45 & y14;
- z17 = t41 & y8;
-
- /*
- * Bottom linear transformation.
- */
- t46 = z15 ^ z16;
- t47 = z10 ^ z11;
- t48 = z5 ^ z13;
- t49 = z9 ^ z10;
- t50 = z2 ^ z12;
- t51 = z2 ^ z5;
- t52 = z7 ^ z8;
- t53 = z0 ^ z3;
- t54 = z6 ^ z7;
- t55 = z16 ^ z17;
- t56 = z12 ^ t48;
- t57 = t50 ^ t53;
- t58 = z4 ^ t46;
- t59 = z3 ^ t54;
- t60 = t46 ^ t57;
- t61 = z14 ^ t57;
- t62 = t52 ^ t58;
- t63 = t49 ^ t58;
- t64 = z4 ^ t59;
- t65 = t61 ^ t62;
- t66 = z1 ^ t63;
- s0 = t59 ^ t63;
- s6 = t56 ^ ~t62;
- s7 = t48 ^ ~t60;
- t67 = t64 ^ t65;
- s3 = t53 ^ t66;
- s4 = t51 ^ t66;
- s5 = t47 ^ t65;
- s1 = t64 ^ ~s3;
- s2 = t55 ^ ~t67;
-
- q[7] = s0;
- q[6] = s1;
- q[5] = s2;
- q[4] = s3;
- q[3] = s4;
- q[2] = s5;
- q[1] = s6;
- q[0] = s7;
-}
-
-static void br_aes_ct_ortho(uint32_t *q) {
-#define SWAPN_32(cl, ch, s, x, y) do { \
- uint32_t a, b; \
- a = (x); \
- b = (y); \
- (x) = (a & (uint32_t)(cl)) | ((b & (uint32_t)(cl)) << (s)); \
- (y) = ((a & (uint32_t)(ch)) >> (s)) | (b & (uint32_t)(ch)); \
- } while (0)
-
-#define SWAP2_32(x, y) SWAPN_32(0x55555555, 0xAAAAAAAA, 1, x, y)
-#define SWAP4_32(x, y) SWAPN_32(0x33333333, 0xCCCCCCCC, 2, x, y)
-#define SWAP8_32(x, y) SWAPN_32(0x0F0F0F0F, 0xF0F0F0F0, 4, x, y)
-
- SWAP2_32(q[0], q[1]);
- SWAP2_32(q[2], q[3]);
- SWAP2_32(q[4], q[5]);
- SWAP2_32(q[6], q[7]);
-
- SWAP4_32(q[0], q[2]);
- SWAP4_32(q[1], q[3]);
- SWAP4_32(q[4], q[6]);
- SWAP4_32(q[5], q[7]);
-
- SWAP8_32(q[0], q[4]);
- SWAP8_32(q[1], q[5]);
- SWAP8_32(q[2], q[6]);
- SWAP8_32(q[3], q[7]);
-}
-
-static inline void add_round_key32(uint32_t *q, const uint32_t *sk) {
- q[0] ^= sk[0];
- q[1] ^= sk[1];
- q[2] ^= sk[2];
- q[3] ^= sk[3];
- q[4] ^= sk[4];
- q[5] ^= sk[5];
- q[6] ^= sk[6];
- q[7] ^= sk[7];
-}
-
-static inline void shift_rows32(uint32_t *q) {
- int i;
-
- for (i = 0; i < 8; i++) {
- uint32_t x;
-
- x = q[i];
- q[i] = (x & 0x000000FF)
- | ((x & 0x0000FC00) >> 2) | ((x & 0x00000300) << 6)
- | ((x & 0x00F00000) >> 4) | ((x & 0x000F0000) << 4)
- | ((x & 0xC0000000) >> 6) | ((x & 0x3F000000) << 2);
- }
-}
-
-static inline uint32_t rotr16(uint32_t x) {
- return (x << 16) | (x >> 16);
-}
-
-static inline void mix_columns32(uint32_t *q) {
- uint32_t q0, q1, q2, q3, q4, q5, q6, q7;
- uint32_t r0, r1, r2, r3, r4, r5, r6, r7;
-
- q0 = q[0];
- q1 = q[1];
- q2 = q[2];
- q3 = q[3];
- q4 = q[4];
- q5 = q[5];
- q6 = q[6];
- q7 = q[7];
- r0 = (q0 >> 8) | (q0 << 24);
- r1 = (q1 >> 8) | (q1 << 24);
- r2 = (q2 >> 8) | (q2 << 24);
- r3 = (q3 >> 8) | (q3 << 24);
- r4 = (q4 >> 8) | (q4 << 24);
- r5 = (q5 >> 8) | (q5 << 24);
- r6 = (q6 >> 8) | (q6 << 24);
- r7 = (q7 >> 8) | (q7 << 24);
-
- q[0] = q7 ^ r7 ^ r0 ^ rotr16(q0 ^ r0);
- q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr16(q1 ^ r1);
- q[2] = q1 ^ r1 ^ r2 ^ rotr16(q2 ^ r2);
- q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr16(q3 ^ r3);
- q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr16(q4 ^ r4);
- q[5] = q4 ^ r4 ^ r5 ^ rotr16(q5 ^ r5);
- q[6] = q5 ^ r5 ^ r6 ^ rotr16(q6 ^ r6);
- q[7] = q6 ^ r6 ^ r7 ^ rotr16(q7 ^ r7);
-}
-
-static void br_aes_ct64_ortho(uint64_t *q) {
-#define SWAPN(cl, ch, s, x, y) do { \
- uint64_t a, b; \
- a = (x); \
- b = (y); \
- (x) = (a & (uint64_t)(cl)) | ((b & (uint64_t)(cl)) << (s)); \
- (y) = ((a & (uint64_t)(ch)) >> (s)) | (b & (uint64_t)(ch)); \
- } while (0)
-
-#define SWAP2(x, y) SWAPN(0x5555555555555555, 0xAAAAAAAAAAAAAAAA, 1, x, y)
-#define SWAP4(x, y) SWAPN(0x3333333333333333, 0xCCCCCCCCCCCCCCCC, 2, x, y)
-#define SWAP8(x, y) SWAPN(0x0F0F0F0F0F0F0F0F, 0xF0F0F0F0F0F0F0F0, 4, x, y)
-
- SWAP2(q[0], q[1]);
- SWAP2(q[2], q[3]);
- SWAP2(q[4], q[5]);
- SWAP2(q[6], q[7]);
-
- SWAP4(q[0], q[2]);
- SWAP4(q[1], q[3]);
- SWAP4(q[4], q[6]);
- SWAP4(q[5], q[7]);
-
- SWAP8(q[0], q[4]);
- SWAP8(q[1], q[5]);
- SWAP8(q[2], q[6]);
- SWAP8(q[3], q[7]);
-}
-
-
-static void br_aes_ct64_interleave_in(uint64_t *q0, uint64_t *q1, const uint32_t *w) {
- uint64_t x0, x1, x2, x3;
-
- x0 = w[0];
- x1 = w[1];
- x2 = w[2];
- x3 = w[3];
- x0 |= (x0 << 16);
- x1 |= (x1 << 16);
- x2 |= (x2 << 16);
- x3 |= (x3 << 16);
- x0 &= (uint64_t)0x0000FFFF0000FFFF;
- x1 &= (uint64_t)0x0000FFFF0000FFFF;
- x2 &= (uint64_t)0x0000FFFF0000FFFF;
- x3 &= (uint64_t)0x0000FFFF0000FFFF;
- x0 |= (x0 << 8);
- x1 |= (x1 << 8);
- x2 |= (x2 << 8);
- x3 |= (x3 << 8);
- x0 &= (uint64_t)0x00FF00FF00FF00FF;
- x1 &= (uint64_t)0x00FF00FF00FF00FF;
- x2 &= (uint64_t)0x00FF00FF00FF00FF;
- x3 &= (uint64_t)0x00FF00FF00FF00FF;
- *q0 = x0 | (x2 << 8);
- *q1 = x1 | (x3 << 8);
-}
-
-
-static void br_aes_ct64_interleave_out(uint32_t *w, uint64_t q0, uint64_t q1) {
- uint64_t x0, x1, x2, x3;
-
- x0 = q0 & (uint64_t)0x00FF00FF00FF00FF;
- x1 = q1 & (uint64_t)0x00FF00FF00FF00FF;
- x2 = (q0 >> 8) & (uint64_t)0x00FF00FF00FF00FF;
- x3 = (q1 >> 8) & (uint64_t)0x00FF00FF00FF00FF;
- x0 |= (x0 >> 8);
- x1 |= (x1 >> 8);
- x2 |= (x2 >> 8);
- x3 |= (x3 >> 8);
- x0 &= (uint64_t)0x0000FFFF0000FFFF;
- x1 &= (uint64_t)0x0000FFFF0000FFFF;
- x2 &= (uint64_t)0x0000FFFF0000FFFF;
- x3 &= (uint64_t)0x0000FFFF0000FFFF;
- w[0] = (uint32_t)x0 | (uint32_t)(x0 >> 16);
- w[1] = (uint32_t)x1 | (uint32_t)(x1 >> 16);
- w[2] = (uint32_t)x2 | (uint32_t)(x2 >> 16);
- w[3] = (uint32_t)x3 | (uint32_t)(x3 >> 16);
-}
-
-static inline void add_round_key(uint64_t *q, const uint64_t *sk) {
- q[0] ^= sk[0];
- q[1] ^= sk[1];
- q[2] ^= sk[2];
- q[3] ^= sk[3];
- q[4] ^= sk[4];
- q[5] ^= sk[5];
- q[6] ^= sk[6];
- q[7] ^= sk[7];
-}
-
-static inline void shift_rows(uint64_t *q) {
- int i;
-
- for (i = 0; i < 8; i++) {
- uint64_t x;
-
- x = q[i];
- q[i] = (x & (uint64_t)0x000000000000FFFF)
- | ((x & (uint64_t)0x00000000FFF00000) >> 4)
- | ((x & (uint64_t)0x00000000000F0000) << 12)
- | ((x & (uint64_t)0x0000FF0000000000) >> 8)
- | ((x & (uint64_t)0x000000FF00000000) << 8)
- | ((x & (uint64_t)0xF000000000000000) >> 12)
- | ((x & (uint64_t)0x0FFF000000000000) << 4);
- }
-}
-
-static inline uint64_t rotr32(uint64_t x) {
- return (x << 32) | (x >> 32);
-}
-
-static inline void mix_columns(uint64_t *q) {
- uint64_t q0, q1, q2, q3, q4, q5, q6, q7;
- uint64_t r0, r1, r2, r3, r4, r5, r6, r7;
-
- q0 = q[0];
- q1 = q[1];
- q2 = q[2];
- q3 = q[3];
- q4 = q[4];
- q5 = q[5];
- q6 = q[6];
- q7 = q[7];
- r0 = (q0 >> 16) | (q0 << 48);
- r1 = (q1 >> 16) | (q1 << 48);
- r2 = (q2 >> 16) | (q2 << 48);
- r3 = (q3 >> 16) | (q3 << 48);
- r4 = (q4 >> 16) | (q4 << 48);
- r5 = (q5 >> 16) | (q5 << 48);
- r6 = (q6 >> 16) | (q6 << 48);
- r7 = (q7 >> 16) | (q7 << 48);
-
- q[0] = q7 ^ r7 ^ r0 ^ rotr32(q0 ^ r0);
- q[1] = q0 ^ r0 ^ q7 ^ r7 ^ r1 ^ rotr32(q1 ^ r1);
- q[2] = q1 ^ r1 ^ r2 ^ rotr32(q2 ^ r2);
- q[3] = q2 ^ r2 ^ q7 ^ r7 ^ r3 ^ rotr32(q3 ^ r3);
- q[4] = q3 ^ r3 ^ q7 ^ r7 ^ r4 ^ rotr32(q4 ^ r4);
- q[5] = q4 ^ r4 ^ r5 ^ rotr32(q5 ^ r5);
- q[6] = q5 ^ r5 ^ r6 ^ rotr32(q6 ^ r6);
- q[7] = q6 ^ r6 ^ r7 ^ rotr32(q7 ^ r7);
-}
-
-static void interleave_constant(uint64_t *out, const unsigned char *in) {
- uint32_t tmp_32_constant[16];
- int i;
-
- br_range_dec32le(tmp_32_constant, 16, in);
- for (i = 0; i < 4; i++) {
- br_aes_ct64_interleave_in(&out[i], &out[i + 4], tmp_32_constant + (i << 2));
- }
- br_aes_ct64_ortho(out);
-}
-
-static void interleave_constant32(uint32_t *out, const unsigned char *in) {
- int i;
- for (i = 0; i < 4; i++) {
- out[2 * i] = br_dec32le(in + 4 * i);
- out[2 * i + 1] = br_dec32le(in + 4 * i + 16);
- }
- br_aes_ct_ortho(out);
-}
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length) {
- unsigned char buf[40 * 16];
- int i;
-
- /* Use the standard constants to generate tweaked ones.
*/ - memcpy((uint8_t *)state->tweaked512_rc64, (uint8_t *)haraka512_rc64, 40 * 16); - - /* Constants for sk.seed */ - if (sk_seed != NULL) { - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S( - buf, 40 * 16, sk_seed, seed_length, state); - - /* Interleave constants */ - for (i = 0; i < 10; i++) { - interleave_constant32(state->tweaked256_rc32_sseed[i], buf + 32 * i); - } - } - - /* Constants for pk.seed */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S( - buf, 40 * 16, pk_seed, seed_length, state); - for (i = 0; i < 10; i++) { - interleave_constant32(state->tweaked256_rc32[i], buf + 32 * i); - interleave_constant(state->tweaked512_rc64[i], buf + 64 * i); - } -} - -static void haraka_S_absorb(unsigned char *s, - const unsigned char *m, unsigned long long mlen, - unsigned char p, const harakactx *state) { - unsigned long long i; - unsigned char t[HARAKAS_RATE]; - - while (mlen >= HARAKAS_RATE) { - /* XOR block to state */ - for (i = 0; i < HARAKAS_RATE; ++i) { - s[i] ^= m[i]; - } - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka512_perm(s, s, state); - mlen -= HARAKAS_RATE; - m += HARAKAS_RATE; - } - - for (i = 0; i < HARAKAS_RATE; ++i) { - t[i] = 0; - } - for (i = 0; i < mlen; ++i) { - t[i] = m[i]; - } - t[i] = p; - t[HARAKAS_RATE - 1] |= 128; - for (i = 0; i < HARAKAS_RATE; ++i) { - s[i] ^= t[i]; - } -} - -static void haraka_S_squeezeblocks(unsigned char *h, unsigned long long nblocks, - unsigned char *s, const harakactx *state) { - while (nblocks > 0) { - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka512_perm(s, s, state); - memcpy(h, s, HARAKAS_RATE); - h += HARAKAS_RATE; - nblocks--; - } -} - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S_inc_init(uint8_t *s_inc) { - size_t i; - - for (i = 0; i < 64; i++) { - s_inc[i] = 0; - } - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state) { - size_t i; - - /* Recall that s_inc[64] is the non-absorbed bytes xored into 
the state */ - while (mlen + s_inc[64] >= HARAKAS_RATE) { - for (i = 0; i < (size_t)(HARAKAS_RATE - s_inc[64]); i++) { - /* Take the i'th byte from message - xor with the s_inc[64] + i'th byte of the state */ - s_inc[s_inc[64] + i] ^= m[i]; - } - mlen -= (size_t)(HARAKAS_RATE - s_inc[64]); - m += HARAKAS_RATE - s_inc[64]; - s_inc[64] = 0; - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka512_perm(s_inc, s_inc, state); - } - - for (i = 0; i < mlen; i++) { - s_inc[s_inc[64] + i] ^= m[i]; - } - s_inc[64] = (uint8_t)(mlen + s_inc[64]); -} - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S_inc_finalize(uint8_t *s_inc) { - /* After haraka_S_inc_absorb, we are guaranteed that s_inc[64] < HARAKAS_RATE, - so we can always use one more byte for p in the current state. */ - s_inc[s_inc[64]] ^= 0x1F; - s_inc[HARAKAS_RATE - 1] ^= 128; - s_inc[64] = 0; -} - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state) { - uint8_t i; - - /* First consume any bytes we still have sitting around */ - for (i = 0; i < outlen && i < s_inc[64]; i++) { - /* There are s_inc[64] bytes left, so r - s_inc[64] is the first - available byte. We consume from there, i.e., up to r. 
*/ - out[i] = s_inc[(HARAKAS_RATE - s_inc[64] + i)]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(s_inc[64] - i); - - /* Then squeeze the remaining necessary blocks */ - while (outlen > 0) { - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka512_perm(s_inc, s_inc, state); - - for (i = 0; i < outlen && i < HARAKAS_RATE; i++) { - out[i] = s_inc[i]; - } - out += i; - outlen -= i; - s_inc[64] = (uint8_t)(HARAKAS_RATE - i); - } -} - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S(unsigned char *out, unsigned long long outlen, const unsigned char *in, unsigned long long inlen, const harakactx *state) { - unsigned long long i; - unsigned char s[64]; - unsigned char d[32]; - - for (i = 0; i < 64; i++) { - s[i] = 0; - } - haraka_S_absorb(s, in, inlen, 0x1F, state); - - haraka_S_squeezeblocks(out, outlen / 32, s, state); - out += (outlen / 32) * 32; - - if (outlen % 32) { - haraka_S_squeezeblocks(d, 1, s, state); - for (i = 0; i < outlen % 32; i++) { - out[i] = d[i]; - } - } -} - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state) { - uint32_t w[16]; - uint64_t q[8], tmp_q; - unsigned int i, j; - - br_range_dec32le(w, 16, in); - for (i = 0; i < 4; i++) { - br_aes_ct64_interleave_in(&q[i], &q[i + 4], w + (i << 2)); - } - br_aes_ct64_ortho(q); - - /* AES rounds */ - for (i = 0; i < 5; i++) { - for (j = 0; j < 2; j++) { - br_aes_ct64_bitslice_Sbox(q); - shift_rows(q); - mix_columns(q); - add_round_key(q, state->tweaked512_rc64[2 * i + j]); - } - /* Mix states */ - for (j = 0; j < 8; j++) { - tmp_q = q[j]; - q[j] = (tmp_q & 0x0001000100010001) << 5 | - (tmp_q & 0x0002000200020002) << 12 | - (tmp_q & 0x0004000400040004) >> 1 | - (tmp_q & 0x0008000800080008) << 6 | - (tmp_q & 0x0020002000200020) << 9 | - (tmp_q & 0x0040004000400040) >> 4 | - (tmp_q & 0x0080008000800080) << 3 | - (tmp_q & 0x2100210021002100) >> 5 | - (tmp_q & 0x0210021002100210) << 2 | - (tmp_q & 0x0800080008000800) << 4 | - 
(tmp_q & 0x1000100010001000) >> 12 |
- (tmp_q & 0x4000400040004000) >> 10 |
- (tmp_q & 0x8400840084008400) >> 3;
- }
- }
-
- br_aes_ct64_ortho(q);
- for (i = 0; i < 4; i ++) {
- br_aes_ct64_interleave_out(w + (i << 2), q[i], q[i + 4]);
- }
- br_range_enc32le(out, w, 16);
-}
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state) {
- int i;
-
- unsigned char buf[64];
-
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka512_perm(buf, in, state);
- /* Feed-forward */
- for (i = 0; i < 64; i++) {
- buf[i] = buf[i] ^ in[i];
- }
-
- /* Truncated */
- memcpy(out, buf + 8, 8);
- memcpy(out + 8, buf + 24, 8);
- memcpy(out + 16, buf + 32, 8);
- memcpy(out + 24, buf + 48, 8);
-}
-
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state) {
- uint32_t q[8], tmp_q;
- int i, j;
-
- for (i = 0; i < 4; i++) {
- q[2 * i] = br_dec32le(in + 4 * i);
- q[2 * i + 1] = br_dec32le(in + 4 * i + 16);
- }
- br_aes_ct_ortho(q);
-
- /* AES rounds */
- for (i = 0; i < 5; i++) {
- for (j = 0; j < 2; j++) {
- br_aes_ct_bitslice_Sbox(q);
- shift_rows32(q);
- mix_columns32(q);
- add_round_key32(q, state->tweaked256_rc32[2 * i + j]);
- }
-
- /* Mix states */
- for (j = 0; j < 8; j++) {
- tmp_q = q[j];
- q[j] = (tmp_q & 0x81818181) |
- (tmp_q & 0x02020202) << 1 |
- (tmp_q & 0x04040404) << 2 |
- (tmp_q & 0x08080808) << 3 |
- (tmp_q & 0x10101010) >> 3 |
- (tmp_q & 0x20202020) >> 2 |
- (tmp_q & 0x40404040) >> 1;
- }
- }
-
- br_aes_ct_ortho(q);
- for (i = 0; i < 4; i++) {
- br_enc32le(out + 4 * i, q[2 * i]);
- br_enc32le(out + 4 * i + 16, q[2 * i + 1]);
- }
-
- for (i = 0; i < 32; i++) {
- out[i] ^= in[i];
- }
-}
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state) {
- uint32_t q[8], tmp_q;
- int i, j;
-
- for (i = 0; i < 4; i++) {
- q[2 * i] = br_dec32le(in + 4 * i);
- q[2 * i + 1] = br_dec32le(in + 4 * i + 16);
- }
- br_aes_ct_ortho(q);
-
- /* AES rounds */
- for (i = 0; i < 5; i++) {
- for (j = 0; j < 2; j++) {
- br_aes_ct_bitslice_Sbox(q);
- shift_rows32(q);
- mix_columns32(q);
- add_round_key32(q, state->tweaked256_rc32_sseed[2 * i + j]);
- }
-
- /* Mix states */
- for (j = 0; j < 8; j++) {
- tmp_q = q[j];
- q[j] = (tmp_q & 0x81818181) |
- (tmp_q & 0x02020202) << 1 |
- (tmp_q & 0x04040404) << 2 |
- (tmp_q & 0x08080808) << 3 |
- (tmp_q & 0x10101010) >> 3 |
- (tmp_q & 0x20202020) >> 2 |
- (tmp_q & 0x40404040) >> 1;
- }
- }
-
- br_aes_ct_ortho(q);
- for (i = 0; i < 4; i++) {
- br_enc32le(out + 4 * i, q[2 * i]);
- br_enc32le(out + 4 * i + 16, q[2 * i + 1]);
- }
-
- for (i = 0; i < 32; i++) {
- out[i] ^= in[i];
- }
-}
diff --git a/crypto_sign/sphincs-haraka-256s-simple/clean/haraka.h b/crypto_sign/sphincs-haraka-256s-simple/clean/haraka.h
deleted file mode 100644
index 4c60a289..00000000
--- a/crypto_sign/sphincs-haraka-256s-simple/clean/haraka.h
+++ /dev/null
@@ -1,40 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_HARAKA_H
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_HARAKA_H
-
-#include
-#include
-
-typedef struct {
- uint64_t tweaked512_rc64[10][8];
- uint32_t tweaked256_rc32[10][8];
- uint32_t tweaked256_rc32_sseed[10][8];
-} harakactx;
-
-/* Tweak constants with seed */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_tweak_constants(
- harakactx *state,
- const unsigned char *pk_seed, const unsigned char *sk_seed,
- unsigned long long seed_length);
-
-/* Haraka Sponge */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S_inc_init(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S_inc_absorb(uint8_t *s_inc, const uint8_t *m, size_t mlen, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S_inc_finalize(uint8_t *s_inc);
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S_inc_squeeze(uint8_t *out, size_t outlen, uint8_t *s_inc, const harakactx *state);
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S(
- unsigned char *out, unsigned long long outlen,
- const unsigned char *in, unsigned long long inlen, const harakactx *state);
-
-/* Applies the 512-bit Haraka permutation to in. */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka512_perm(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-512 */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka512(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka256(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-/* Implementation of Haraka-256 using sk.seed constants */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka256_sk(unsigned char *out, const unsigned char *in, const harakactx *state);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256s-simple/clean/hash.h b/crypto_sign/sphincs-haraka-256s-simple/clean/hash.h
deleted file mode 100644
index 71d57371..00000000
--- a/crypto_sign/sphincs-haraka-256s-simple/clean/hash.h
+++ /dev/null
@@ -1,31 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_HASH_H
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_HASH_H
-
-#include "hash_state.h"
-
-#include
-#include
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed);
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_destroy_hash_function(hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_hash_message(
- unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx,
- const unsigned char *R, const unsigned char *pk,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded);
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256s-simple/clean/hash_haraka.c b/crypto_sign/sphincs-haraka-256s-simple/clean/hash_haraka.c
deleted file mode 100644
index 63b4e109..00000000
--- a/crypto_sign/sphincs-haraka-256s-simple/clean/hash_haraka.c
+++ /dev/null
@@ -1,96 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "haraka.h"
-#include "hash.h"
-#include "params.h"
-#include "utils.h"
-
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_initialize_hash_function(
- hash_state *hash_state_seeded,
- const unsigned char *pub_seed, const unsigned char *sk_seed) {
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_tweak_constants(hash_state_seeded, pub_seed, sk_seed, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N);
-}
-
-/* The haraka implementation is stack based and won't be replaced in PQClean/OQS,
- so we don't need to do anything */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_destroy_hash_function(
- hash_state *hash_state_seeded) { // NOLINT(readability-non-const-parameter)
- (void)hash_state_seeded;
-}
-
-/*
- * Computes PRF(key, addr), given a secret key of PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N bytes and an address
- */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_prf_addr(
- unsigned char *out, const unsigned char *key, const uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- unsigned char buf[PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_BYTES];
- /* Since PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N may be smaller than 32, we need a temporary buffer. */
- unsigned char outbuf[32];
-
- (void)key; /* Suppress an 'unused parameter' warning. */
-
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_addr_to_bytes(buf, addr);
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka256_sk(outbuf, buf, hash_state_seeded);
- memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N);
-}
-
-/**
- * Computes the message-dependent randomness R, using a secret seed and an
- * optional randomization value as well as the message.
- */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_gen_message_random(
- unsigned char *R,
- const unsigned char *sk_prf, const unsigned char *optrand,
- const unsigned char *m, size_t mlen,
- const hash_state *hash_state_seeded) {
- uint8_t s_inc[65];
-
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S_inc_init(s_inc);
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, sk_prf, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, optrand, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded);
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S_inc_finalize(s_inc);
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S_inc_squeeze(R, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, s_inc, hash_state_seeded);
-}
-
-/**
- * Computes the message hash using R, the public key, and the message.
- * Outputs the message digest and the index of the leaf. The index is split in
- * the tree index and the leaf index, for convenient copying to an address.
- */ -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_hash_message( - unsigned char *digest, uint64_t *tree, uint32_t *leaf_idx, - const unsigned char *R, const unsigned char *pk, - const unsigned char *m, size_t mlen, - const hash_state *hash_state_seeded) { -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_TREE_BITS (PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_TREE_HEIGHT * (PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_D - 1)) -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_TREE_BYTES ((PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_TREE_BITS + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_LEAF_BITS PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_TREE_HEIGHT -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_LEAF_BYTES ((PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_LEAF_BITS + 7) / 8) -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_DGST_BYTES (PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_MSG_BYTES + PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_TREE_BYTES + PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_LEAF_BYTES) - - unsigned char buf[PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_DGST_BYTES]; - unsigned char *bufp = buf; - uint8_t s_inc[65]; - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S_inc_init(s_inc); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, R, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, pk + PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S_inc_absorb(s_inc, m, mlen, hash_state_seeded); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S_inc_finalize(s_inc); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S_inc_squeeze(buf, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_DGST_BYTES, s_inc, hash_state_seeded); - - memcpy(digest, bufp, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_MSG_BYTES); - bufp += PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_MSG_BYTES; - - *tree = PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_bytes_to_ull(bufp, 
PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_TREE_BYTES); - *tree &= (~(uint64_t)0) >> (64 - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_TREE_BITS); - bufp += PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_TREE_BYTES; - - *leaf_idx = (uint32_t)PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_bytes_to_ull( - bufp, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_LEAF_BYTES); - *leaf_idx &= (~(uint32_t)0) >> (32 - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_LEAF_BITS); -} diff --git a/crypto_sign/sphincs-haraka-256s-simple/clean/hash_state.h b/crypto_sign/sphincs-haraka-256s-simple/clean/hash_state.h deleted file mode 100644 index 5adb1d9a..00000000 --- a/crypto_sign/sphincs-haraka-256s-simple/clean/hash_state.h +++ /dev/null @@ -1,26 +0,0 @@ -#ifndef SPX_HASH_STATE_H -#define SPX_HASH_STATE_H - -/** - * Defines the type of the hash function state. - * - * Don't be fooled into thinking this instance of SPHINCS+ isn't stateless! - * - * From Section 7.2.2 from the SPHINCS+ round-2 specification: - * - * Each of the instances of the tweakable hash function take PK.seed as its - * first input, which is constant for a given key pair – and, thus, across - * a single signature. This leads to a lot of redundant computation. To remedy - * this, we pad PK.seed to the length of a full 64-byte SHA-256 input block. - * Because of the Merkle-Damgård construction that underlies SHA-256, this - * allows for reuse of the intermediate SHA-256 state after the initial call to - * the compression function which improves performance. - * - * We pass this hash state around in functions, because otherwise we need to - * have a global variable. - */ - -#include "haraka.h" -#define hash_state harakactx - -#endif diff --git a/crypto_sign/sphincs-haraka-256s-simple/clean/params.h b/crypto_sign/sphincs-haraka-256s-simple/clean/params.h deleted file mode 100644 index 344a7ecc..00000000 --- a/crypto_sign/sphincs-haraka-256s-simple/clean/params.h +++ /dev/null 
@@ -1,53 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_PARAMS_H -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_PARAMS_H - -/* Hash output length in bytes. */ -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N 32 -/* Height of the hypertree. */ -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FULL_HEIGHT 64 -/* Number of subtree layer. */ -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_D 8 -/* FORS tree dimensions. */ -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_HEIGHT 14 -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_TREES 22 -/* Winternitz parameter, */ -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_W 16 - -/* The hash function is defined by linking a different hash.c file, as opposed - to setting a #define constant. */ - -/* For clarity */ -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_BYTES 32 - -/* WOTS parameters. */ -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_LOGW 4 - -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_LEN1 (8 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N / PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_LOGW) - -/* PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_LEN2 is floor(log(len_1 * (w - 1)) / log(w)) + 1; we precompute */ -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_LEN2 3 - -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_LEN (PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_LEN1 + PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_LEN2) -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_BYTES (PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_LEN * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N) -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_PK_BYTES PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_BYTES - -/* Subtree size. */ -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_TREE_HEIGHT (PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FULL_HEIGHT / PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_D) - -/* FORS parameters. 
*/
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_MSG_BYTES ((PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_HEIGHT * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_TREES + 7) / 8)
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_BYTES ((PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_HEIGHT + 1) * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_PK_BYTES PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N
-
-/* Resulting SPX sizes. */
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_BYTES (PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N + PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_BYTES + PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_D * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_BYTES +\
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FULL_HEIGHT * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_PK_BYTES (2 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N)
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_SK_BYTES (2 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N + PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_PK_BYTES)
-
-/* Optionally, signing can be made non-deterministic using optrand.
- This can help counter side-channel attacks that would benefit from
- getting a large number of traces when the signer uses the same nodes. */
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_OPTRAND_BYTES 32
-
-#endif
diff --git a/crypto_sign/sphincs-haraka-256s-simple/clean/sign.c b/crypto_sign/sphincs-haraka-256s-simple/clean/sign.c
deleted file mode 100644
index fd444715..00000000
--- a/crypto_sign/sphincs-haraka-256s-simple/clean/sign.c
+++ /dev/null
@@ -1,356 +0,0 @@ -#include -#include -#include - -#include "address.h" -#include "api.h" -#include "fors.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "randombytes.h" -#include "thash.h" -#include "utils.h" -#include "wots.h" - -/** - * Computes the leaf at a given address. First generates the WOTS key pair, - * then computes leaf by hashing horizontally. - */ -static void wots_gen_leaf(unsigned char *leaf, const unsigned char *sk_seed, - const unsigned char *pub_seed, - uint32_t addr_idx, const uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - unsigned char pk[PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_BYTES]; - uint32_t wots_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_TYPE_WOTSPK); - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_keypair_addr( - wots_addr, addr_idx); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_wots_gen_pk( - pk, sk_seed, pub_seed, wots_addr, hash_state_seeded); - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_copy_keypair_addr( - wots_pk_addr, wots_addr); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_thash_WOTS_LEN( - leaf, pk, pub_seed, wots_pk_addr, hash_state_seeded); -} - -/* - * Returns the length of a secret key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_crypto_sign_secretkeybytes(void) { - return PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_CRYPTO_SECRETKEYBYTES; -} - -/* - * Returns the length of a public key, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_crypto_sign_publickeybytes(void) { - return PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_CRYPTO_PUBLICKEYBYTES; -} - -/* - * Returns the length of a signature, in bytes - */ -size_t 
PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_crypto_sign_bytes(void) { - return PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_CRYPTO_BYTES; -} - -/* - * Returns the length of the seed required to generate a key pair, in bytes - */ -size_t PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_crypto_sign_seedbytes(void) { - return PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_CRYPTO_SEEDBYTES; -} - -/* - * Generates an SPX key pair given a seed of length - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_crypto_sign_seed_keypair( - uint8_t *pk, uint8_t *sk, const uint8_t *seed) { - /* We do not need the auth path in key generation, but it simplifies the - code to have just one treehash routine that computes both root and path - in one function. */ - unsigned char auth_path[PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N]; - uint32_t top_tree_addr[8] = {0}; - hash_state hash_state_seeded; - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_layer_addr( - top_tree_addr, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_D - 1); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_type( - top_tree_addr, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_TYPE_HASHTREE); - - /* Initialize SK_SEED, SK_PRF and PUB_SEED from seed. */ - memcpy(sk, seed, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_CRYPTO_SEEDBYTES); - - memcpy(pk, sk + 2 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N); - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_initialize_hash_function(&hash_state_seeded, pk, sk); - - /* Compute root node of the top-most subtree. 
*/ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_treehash_TREE_HEIGHT( - sk + 3 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, auth_path, sk, sk + 2 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, 0, 0, - wots_gen_leaf, top_tree_addr, &hash_state_seeded); - - memcpy(pk + PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, sk + 3 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N); - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_destroy_hash_function(&hash_state_seeded); - return 0; -} - -/* - * Generates an SPX key pair. - * Format sk: [SK_SEED || SK_PRF || PUB_SEED || root] - * Format pk: [PUB_SEED || root] - */ -int PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_crypto_sign_keypair( - uint8_t *pk, uint8_t *sk) { - unsigned char seed[PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_CRYPTO_SEEDBYTES]; - randombytes(seed, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_CRYPTO_SEEDBYTES); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_crypto_sign_seed_keypair( - pk, sk, seed); - - return 0; -} - -/** - * Returns an array containing a detached signature. - */ -int PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_crypto_sign_signature( - uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - const unsigned char *sk_seed = sk; - const unsigned char *sk_prf = sk + PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N; - const unsigned char *pk = sk + 2 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N; - const unsigned char *pub_seed = pk; - - unsigned char optrand[PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N]; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_MSG_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N]; - uint32_t i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - - hash_state hash_state_seeded; - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_initialize_hash_function( - &hash_state_seeded, - pub_seed, sk_seed); - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_TYPE_HASHTREE); - - /* Optionally, signing can be made non-deterministic using optrand. - This can help counter side-channel attacks that would benefit from - getting a large number of traces when the signer uses the same nodes. */ - randombytes(optrand, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N); - /* Compute the digest randomization value. */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_gen_message_random( - sig, sk_prf, optrand, m, mlen, &hash_state_seeded); - - /* Derive the message digest and leaf index from R, PK and M. */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N; - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - /* Sign the message hash using FORS. */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_fors_sign( - sig, root, mhash, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_BYTES; - - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_D; i++) { - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - /* Compute a WOTS signature. 
*/ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_wots_sign( - sig, root, sk_seed, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_BYTES; - - /* Compute the authentication path for the used WOTS leaf. */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_treehash_TREE_HEIGHT( - root, sig, sk_seed, pub_seed, idx_leaf, 0, - wots_gen_leaf, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_TREE_HEIGHT; - } - - *siglen = PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_BYTES; - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_destroy_hash_function(&hash_state_seeded); - return 0; -} - -/** - * Verifies a detached signature and message under a given public key. - */ -int PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_crypto_sign_verify( - const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, const uint8_t *pk) { - const unsigned char *pub_seed = pk; - const unsigned char *pub_root = pk + PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N; - unsigned char mhash[PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_MSG_BYTES]; - unsigned char wots_pk[PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_BYTES]; - unsigned char root[PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N]; - unsigned char leaf[PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N]; - unsigned int i; - uint64_t tree; - uint32_t idx_leaf; - uint32_t wots_addr[8] = {0}; - uint32_t tree_addr[8] = {0}; - uint32_t wots_pk_addr[8] = {0}; - - hash_state hash_state_seeded; - - if (siglen != PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_BYTES) { - return -1; - } - - /* This hook allows the hash function instantiation to do whatever - preparation or computation it needs, based on the public seed. 
*/ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_initialize_hash_function( - &hash_state_seeded, - pub_seed, NULL); - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_type( - wots_addr, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_TYPE_WOTS); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_type( - tree_addr, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_TYPE_HASHTREE); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_type( - wots_pk_addr, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_TYPE_WOTSPK); - - /* Derive the message digest and leaf index from R || PK || M. */ - /* The additional PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N is a result of the hash domain separator. */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_hash_message( - mhash, &tree, &idx_leaf, sig, pk, m, mlen, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N; - - /* Layer correctly defaults to 0, so no need to set_layer_addr */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_tree_addr(wots_addr, tree); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_fors_pk_from_sig( - root, sig, mhash, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_BYTES; - - /* For each subtree.. */ - for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_D; i++) { - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_layer_addr(tree_addr, i); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_tree_addr(tree_addr, tree); - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_copy_subtree_addr( - wots_addr, tree_addr); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_keypair_addr( - wots_addr, idx_leaf); - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_copy_keypair_addr( - wots_pk_addr, wots_addr); - - /* The WOTS public key is only correct if the signature was correct. */ - /* Initially, root is the FORS pk, but on subsequent iterations it is - the root of the subtree below the currently processed subtree. 
*/ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_wots_pk_from_sig( - wots_pk, sig, root, pub_seed, wots_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_BYTES; - - /* Compute the leaf node using the WOTS public key. */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_thash_WOTS_LEN( - leaf, wots_pk, pub_seed, wots_pk_addr, &hash_state_seeded); - - /* Compute the root node of this subtree. */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_compute_root( - root, leaf, idx_leaf, 0, sig, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_TREE_HEIGHT, - pub_seed, tree_addr, &hash_state_seeded); - sig += PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_TREE_HEIGHT * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N; - - /* Update the indices for the next layer. */ - idx_leaf = (tree & ((1 << PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_TREE_HEIGHT) - 1)); - tree = tree >> PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_TREE_HEIGHT; - } - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_destroy_hash_function(&hash_state_seeded); - /* Check if the root node equals the root node in the public key. */ - if (memcmp(root, pub_root, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N) != 0) { - return -1; - } - - return 0; -} - - -/** - * Returns an array containing the signature followed by the message. - */ -int PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_crypto_sign( - uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, const uint8_t *sk) { - size_t siglen; - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_crypto_sign_signature( - sm, &siglen, m, mlen, sk); - - memmove(sm + PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_BYTES, m, mlen); - *smlen = siglen + mlen; - - return 0; -} - -/** - * Verifies a given signature-message pair under a given public key. 
- */ -int PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_crypto_sign_open( - uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, const uint8_t *pk) { - /* The API caller does not necessarily know what size a signature should be - but SPHINCS+ signatures are always exactly PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_BYTES. */ - if (smlen < PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_BYTES) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - *mlen = smlen - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_BYTES; - - if (PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_crypto_sign_verify( - sm, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_BYTES, sm + PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_BYTES, *mlen, pk)) { - memset(m, 0, smlen); - *mlen = 0; - return -1; - } - - /* If verification was successful, move the message to the right place. */ - memmove(m, sm + PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_BYTES, *mlen); - - return 0; -} diff --git a/crypto_sign/sphincs-haraka-256s-simple/clean/thash.h b/crypto_sign/sphincs-haraka-256s-simple/clean/thash.h deleted file mode 100644 index fec5e8b0..00000000 --- a/crypto_sign/sphincs-haraka-256s-simple/clean/thash.h +++ /dev/null 
@@ -1,28 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_THASH_H -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_THASH_H - -#include "hash_state.h" - -#include - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-256s-simple/clean/thash_haraka_simple.c b/crypto_sign/sphincs-haraka-256s-simple/clean/thash_haraka_simple.c deleted file mode 100644 index 462c9142..00000000 --- a/crypto_sign/sphincs-haraka-256s-simple/clean/thash_haraka_simple.c +++ /dev/null 
@@ -1,83 +0,0 @@ -#include -#include - -#include "address.h" -#include "params.h" -#include "thash.h" - -#include "haraka.h" - -/** - * Takes an array of inblocks concatenated arrays of PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N bytes. - */ -static void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_thash( - unsigned char *out, unsigned char *buf, - const unsigned char *in, unsigned int inblocks, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char outbuf[32]; - unsigned char buf_tmp[64]; - - (void)pub_seed; /* Suppress an 'unused parameter' warning. */ - - if (inblocks == 1) { - /* F function */ - /* Since PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N may be smaller than 32, we need a temporary buffer. */ - memset(buf_tmp, 0, 64); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_addr_to_bytes(buf_tmp, addr); - memcpy(buf_tmp + PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_BYTES, in, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N); - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka512(outbuf, buf_tmp, hash_state_seeded); - memcpy(out, outbuf, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N); - } else { - /* All other tweakable hashes*/ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_addr_to_bytes(buf, addr); - memcpy(buf + PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_BYTES, in, inblocks * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N); - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_haraka_S( - out, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, buf, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_BYTES + inblocks * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, hash_state_seeded); - } -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_thash_1( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_BYTES + 1 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N]; - 
PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_thash( - out, buf, in, 1, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_thash_2( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_BYTES + 2 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_thash( - out, buf, in, 2, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_thash_WOTS_LEN( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_LEN * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_thash( - out, buf, in, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_LEN, pub_seed, addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_thash_FORS_TREES( - unsigned char *out, const unsigned char *in, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - - unsigned char buf[PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_BYTES + PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_TREES * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N]; - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_thash( - out, buf, in, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_TREES, pub_seed, addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-256s-simple/clean/utils.c b/crypto_sign/sphincs-haraka-256s-simple/clean/utils.c deleted file mode 100644 index 8db8be56..00000000 --- a/crypto_sign/sphincs-haraka-256s-simple/clean/utils.c +++ /dev/null 
@@ -1,199 +0,0 @@ -#include -#include - -#include "address.h" -#include "hash.h" -#include "hash_state.h" -#include "params.h" -#include "thash.h" -#include "utils.h" - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in) { - - /* Iterate over out in decreasing order, for big-endianness. */ - for (size_t i = outlen; i > 0; i--) { - out[i - 1] = in & 0xff; - in = in >> 8; - } -} - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_bytes_to_ull( - const unsigned char *in, size_t inlen) { - unsigned long long retval = 0; - - for (size_t i = 0; i < inlen; i++) { - retval |= ((unsigned long long)in[i]) << (8 * (inlen - 1 - i)); - } - return retval; -} - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded) { - uint32_t i; - unsigned char buffer[2 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N]; - - /* If leaf_idx is odd (last bit = 1), current path element is a right child - and auth_path has to go left. Otherwise it is the other way around. 
*/ - if (leaf_idx & 1) { - memcpy(buffer + PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, leaf, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N); - } else { - memcpy(buffer, leaf, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, auth_path, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N; - - for (i = 0; i < tree_height - 1; i++) { - leaf_idx >>= 1; - idx_offset >>= 1; - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_tree_height(addr, i + 1); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_tree_index( - addr, leaf_idx + idx_offset); - - /* Pick the right or left neighbor, depending on parity of the node. */ - if (leaf_idx & 1) { - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_thash_2( - buffer + PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer, auth_path, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N); - } else { - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_thash_2( - buffer, buffer, pub_seed, addr, hash_state_seeded); - memcpy(buffer + PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, auth_path, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N); - } - auth_path += PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N; - } - - /* The last iteration is exceptional; we do not copy an auth_path node. */ - leaf_idx >>= 1; - idx_offset >>= 1; - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_tree_height(addr, tree_height); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_tree_index( - addr, leaf_idx + idx_offset); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_thash_2( - root, buffer, pub_seed, addr, hash_state_seeded); -} - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. 
PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. - */ -static void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_treehash( - unsigned char *root, unsigned char *auth_path, - unsigned char *stack, unsigned int *heights, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, uint32_t tree_height, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], - const hash_state *hash_state_seeded) { - - unsigned int offset = 0; - uint32_t idx; - uint32_t tree_idx; - - for (idx = 0; idx < (uint32_t)(1 << tree_height); idx++) { - /* Add the next leaf node to the stack. */ - gen_leaf(stack + offset * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, - sk_seed, pub_seed, idx + idx_offset, tree_addr, - hash_state_seeded); - offset++; - heights[offset - 1] = 0; - - /* If this is a node we need for the auth path.. */ - if ((leaf_idx ^ 0x1) == idx) { - memcpy(auth_path, stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N); - } - - /* While the top-most nodes are of equal height.. */ - while (offset >= 2 && heights[offset - 1] == heights[offset - 2]) { - /* Compute index of the new node, in the next layer. */ - tree_idx = (idx >> (heights[offset - 1] + 1)); - - /* Set the address of the node we're creating. */ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_tree_height( - tree_addr, heights[offset - 1] + 1); - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_tree_index( - tree_addr, tree_idx + (idx_offset >> (heights[offset - 1] + 1))); - /* Hash the top-most nodes from the stack together. 
*/ - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_thash_2( - stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, stack + (offset - 2)*PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, - pub_seed, tree_addr, hash_state_seeded); - offset--; - /* Note that the top-most node is now one layer higher. */ - heights[offset - 1]++; - - /* If this is a node we need for the auth path.. */ - if (((leaf_idx >> heights[offset - 1]) ^ 0x1) == tree_idx) { - memcpy(auth_path + heights[offset - 1]*PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, - stack + (offset - 1)*PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N); - } - } - } - memcpy(root, stack, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N); -} - -/* The wrappers below ensure that we use fixed-size buffers on the stack */ - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_FORS_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* 
leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded) { - - unsigned char stack[(PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_TREE_HEIGHT + 1)*PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N]; - unsigned int heights[PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_TREE_HEIGHT + 1]; - - PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_treehash( - root, auth_path, stack, heights, sk_seed, pub_seed, - leaf_idx, idx_offset, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_TREE_HEIGHT, gen_leaf, tree_addr, hash_state_seeded); -} diff --git a/crypto_sign/sphincs-haraka-256s-simple/clean/utils.h b/crypto_sign/sphincs-haraka-256s-simple/clean/utils.h deleted file mode 100644 index c3e119ff..00000000 --- a/crypto_sign/sphincs-haraka-256s-simple/clean/utils.h +++ /dev/null 
@@ -1,64 +0,0 @@ -#ifndef PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_UTILS_H -#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_UTILS_H - -#include "hash_state.h" -#include "params.h" -#include -#include - -/** - * Converts the value of 'in' to 'outlen' bytes in big-endian byte order. - */ -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ull_to_bytes( - unsigned char *out, size_t outlen, unsigned long long in); - -/** - * Converts the inlen bytes in 'in' from big-endian byte order to an integer. - */ -unsigned long long PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_bytes_to_ull( - const unsigned char *in, size_t inlen); - -/** - * Computes a root node given a leaf and an auth path. - * Expects address to be complete other than the tree_height and tree_index. - */ -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_compute_root( - unsigned char *root, const unsigned char *leaf, - uint32_t leaf_idx, uint32_t idx_offset, - const unsigned char *auth_path, uint32_t tree_height, - const unsigned char *pub_seed, uint32_t addr[8], - const hash_state *hash_state_seeded); - -/** - * For a given leaf index, computes the authentication path and the resulting - * root node using Merkle's TreeHash algorithm. - * Expects the layer and tree parts of the tree_addr to be set, as well as the - * tree type (i.e. PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_TYPE_HASHTREE or PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ADDR_TYPE_FORSTREE). - * Applies the offset idx_offset to indices before building addresses, so that - * it is possible to continue counting indices across trees. 
- */ -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_treehash_FORS_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded); - -void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_treehash_TREE_HEIGHT( - unsigned char *root, unsigned char *auth_path, - const unsigned char *sk_seed, const unsigned char *pub_seed, - uint32_t leaf_idx, uint32_t idx_offset, - void (*gen_leaf)( - unsigned char * /* leaf */, - const unsigned char * /* sk_seed */, - const unsigned char * /* pub_seed */, - uint32_t /* addr_idx */, const uint32_t[8] /* tree_addr */, - const hash_state * /* hash_state_seeded */), - uint32_t tree_addr[8], const hash_state *hash_state_seeded); - -#endif diff --git a/crypto_sign/sphincs-haraka-256s-simple/clean/wots.c b/crypto_sign/sphincs-haraka-256s-simple/clean/wots.c deleted file mode 100644 index 912161db..00000000 --- a/crypto_sign/sphincs-haraka-256s-simple/clean/wots.c +++ /dev/null 
@@ -1,167 +0,0 @@
-#include
-#include
-
-#include "address.h"
-#include "hash.h"
-#include "hash_state.h"
-#include "params.h"
-#include "thash.h"
-#include "utils.h"
-#include "wots.h"
-
-// TODO clarify address expectations, and make them more uniform.
-// TODO i.e. do we expect types to be set already?
-// TODO and do we expect modifications or copies?
-
-/**
- * Computes the starting value for a chain, i.e. the secret key.
- * Expects the address to be complete up to the chain address.
- */
-static void wots_gen_sk(unsigned char *sk, const unsigned char *sk_seed,
- uint32_t wots_addr[8],
- const hash_state *hash_state_seeded) {
- /* Make sure that the hash address is actually zeroed. */
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_hash_addr(wots_addr, 0);
-
- /* Generate sk element. */
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_prf_addr(sk, sk_seed, wots_addr, hash_state_seeded);
-}
-
-/**
- * Computes the chaining function.
- * out and in have to be n-byte arrays.
- *
- * Interprets in as start-th value of the chain.
- * addr has to contain the address of the chain.
- */
-static void gen_chain(unsigned char *out, const unsigned char *in,
- unsigned int start, unsigned int steps,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- uint32_t i;
-
- /* Initialize out with the value at position 'start'. */
- memcpy(out, in, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N);
-
- /* Iterate 'steps' calls to the hash function. */
- for (i = start; i < (start + steps) && i < PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_W; i++) {
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_hash_addr(addr, i);
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_thash_1(
- out, out, pub_seed, addr, hash_state_seeded);
- }
-}
-
-/**
- * base_w algorithm as described in draft.
- * Interprets an array of bytes as integers in base w.
- * This only works when log_w is a divisor of 8.
- */
-static void base_w(unsigned int *output, const size_t out_len,
- const unsigned char *input) {
- size_t in = 0;
- size_t out = 0;
- unsigned char total = 0;
- unsigned int bits = 0;
- size_t consumed;
-
- for (consumed = 0; consumed < out_len; consumed++) {
- if (bits == 0) {
- total = input[in];
- in++;
- bits += 8;
- }
- bits -= PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_LOGW;
- output[out] = (unsigned int)((total >> bits) & (PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_W - 1));
- out++;
- }
-}
-
-/* Computes the WOTS+ checksum over a message (in base_w). */
-static void wots_checksum(unsigned int *csum_base_w,
- const unsigned int *msg_base_w) {
- unsigned int csum = 0;
- unsigned char csum_bytes[(PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_LOGW + 7) / 8];
- unsigned int i;
-
- /* Compute checksum. */
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_LEN1; i++) {
- csum += PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_W - 1 - msg_base_w[i];
- }
-
- /* Convert checksum to base_w. */
- /* Make sure expected empty zero bits are the least significant bits. */
- csum = csum << (8 - ((PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_LEN2 * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_LOGW) % 8));
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_ull_to_bytes(
- csum_bytes, sizeof(csum_bytes), csum);
- base_w(csum_base_w, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_LEN2, csum_bytes);
-}
-
-/* Takes a message and derives the matching chain lengths. */
-static void chain_lengths(unsigned int *lengths, const unsigned char *msg) {
- base_w(lengths, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_LEN1, msg);
- wots_checksum(lengths + PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_LEN1, lengths);
-}
-
-/**
- * WOTS key generation. Takes a 32 byte sk_seed, expands it to WOTS private key
- * elements and computes the corresponding public key.
- * It requires the seed pub_seed (used to generate bitmasks and hash keys)
- * and the address of this WOTS key pair.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_wots_gen_pk(
- unsigned char *pk, const unsigned char *sk_seed,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- uint32_t i;
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_LEN; i++) {
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_chain_addr(addr, i);
- wots_gen_sk(pk + i * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, sk_seed, addr, hash_state_seeded);
- gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, pk + i * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N,
- 0, PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_W - 1, pub_seed, addr, hash_state_seeded);
- }
-}
-
-/**
- * Takes a n-byte message and the 32-byte sk_see to compute a signature 'sig'.
- */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_wots_sign(
- unsigned char *sig, const unsigned char *msg,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t addr[8], const hash_state *hash_state_seeded) {
- unsigned int lengths[PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_LEN];
- uint32_t i;
-
- chain_lengths(lengths, msg);
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_LEN; i++) {
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_chain_addr(addr, i);
- wots_gen_sk(sig + i * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, sk_seed, addr, hash_state_seeded);
- gen_chain(sig + i * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, sig + i * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, 0, lengths[i], pub_seed, addr, hash_state_seeded);
- }
-}
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_wots_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded) {
- unsigned int lengths[PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_LEN];
- uint32_t i;
-
- chain_lengths(lengths, msg);
-
- for (i = 0; i < PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_LEN; i++) {
- PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_set_chain_addr(addr, i);
- gen_chain(pk + i * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N, sig + i * PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_N,
- lengths[i], PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_W - 1 - lengths[i], pub_seed, addr,
- hash_state_seeded);
- }
-}
diff --git a/crypto_sign/sphincs-haraka-256s-simple/clean/wots.h b/crypto_sign/sphincs-haraka-256s-simple/clean/wots.h
deleted file mode 100644
index acbb4b29..00000000
--- a/crypto_sign/sphincs-haraka-256s-simple/clean/wots.h
+++ /dev/null
@@ -1,41 +0,0 @@
-#ifndef PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_H
-#define PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_WOTS_H
-
-#include "hash_state.h"
-#include "params.h"
-#include
-
-/**
- * WOTS key generation. Takes a 32 byte seed for the private key, expands it to
- * a full WOTS private key and computes the corresponding public key.
- * It requires the seed pub_seed (used to generate bitmasks and hash keys)
- * and the address of this WOTS key pair.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_wots_gen_pk(
- unsigned char *pk, const unsigned char *sk_seed,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-/**
- * Takes a n-byte message and the 32-byte seed for the private key to compute a
- * signature that is placed at 'sig'.
- */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_wots_sign(
- unsigned char *sig, const unsigned char *msg,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t addr[8], const hash_state *hash_state_seeded);
-
-/**
- * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
- *
- * Writes the computed public key to 'pk'.
- */
-void PQCLEAN_SPHINCSHARAKA256SSIMPLE_CLEAN_wots_pk_from_sig(
- unsigned char *pk,
- const unsigned char *sig, const unsigned char *msg,
- const unsigned char *pub_seed, uint32_t addr[8],
- const hash_state *hash_state_seeded);
-
-#endif